]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/log
mirror_ubuntu-zesty-kernel.git
7 years agonet: use net->count to check whether a netns is alive or not
Andrey Vagin [Tue, 4 Apr 2017 07:26:00 +0000 (09:26 +0200)]
net: use net->count to check whether a netns is alive or not

BugLink: http://bugs.launchpad.net/bugs/1672144
The previous idea was to check whether a net namespace is in
net_exit_list or not. It doesn't work, because net->exit_list is used in
__register_pernet_operations and __unregister_pernet_operations where
all namespaces are added to a temporary list to make cleanup in a error
case, so list_empty(&net->exit_list) always returns false.

Reported-by: Mantas Mikulėnas <grawity@gmail.com>
Fixes: 002d8a1a6c11 ("net: skip genenerating uevents for network namespaces that are exiting")
Signed-off-by: Andrei Vagin <avagin@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(back ported from commit 91864f5852f9996210fad400cf70fb85af091243)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Conflicts:
net/core/net-sysfs.c
Acked-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Acked-by: Marcelo Cerri <marcelo.cerri@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoblock: relax check on sg gap
Ming Lei [Thu, 13 Apr 2017 10:45:00 +0000 (12:45 +0200)]
block: relax check on sg gap

BugLink: http://bugs.launchpad.net/bugs/1682215
If the last bvec of the 1st bio and the 1st bvec of the next
bio are physically contigious, and the latter can be merged
to last segment of the 1st bio, we should think they don't
violate sg gap(or virt boundary) limit.

Both Vitaly and Dexuan reported lots of unmergeable small bios
are observed when running mkfs on Hyper-V virtual storage, and
performance becomes quite low. This patch fixes that performance
issue.

The same issue should exist on NVMe, since it sets virt boundary too.

Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Reported-by: Dexuan Cui <decui@microsoft.com>
Tested-by: Dexuan Cui <decui@microsoft.com>
Cc: Keith Busch <keith.busch@intel.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
(cherry picked from commit 729204ef49ec00b788ce23deb9eb922a5769f55d)
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agothermal/powerclamp: add back module device table
Jacob Pan [Thu, 13 Apr 2017 08:24:00 +0000 (10:24 +0200)]
thermal/powerclamp: add back module device table

BugLink: https://bugs.launchpad.net/bugs/1591641
Commit 3105f234e0aba43e44e277c20f9b32ee8add43d4 replaced module
cpu id table with a cpu feature check, which is logically correct.
But we need the module device table to allow module auto loading.

Cc: stable@vger.kernel.org # 4.8
Fixes:3105f234 thermal/powerclamp: correct cpu support check
Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
(cherry picked from commit ec638db8cb9ddd5ca08b23f2835b6c9c15eb616d)
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agothermal/powerclamp: correct cpu support check
Eric Ernst [Thu, 13 Apr 2017 08:24:00 +0000 (10:24 +0200)]
thermal/powerclamp: correct cpu support check

BugLink: https://bugs.launchpad.net/bugs/1591641
Initial logic for checking CPU match resulted in OR of CPU features
rather than the intended AND.

Updated to use boot_cpu_has macro rather than x86_match_cpu.

In addition, MWAIT is the only required CPU feature for idle
injection to work.  Drop other feature requirements since they are
only needed for optimal efficiency.

CC: stable@vger.kernel.org #v4.7
Signed-off-by: Eric Ernst <eric.ernst@linux.intel.com>
Acked-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
(cherry picked from commit 3105f234e0aba43e44e277c20f9b32ee8add43d4)
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agothermal/powerclamp: remove cpu whitelist
Jacob Pan [Thu, 13 Apr 2017 08:24:00 +0000 (10:24 +0200)]
thermal/powerclamp: remove cpu whitelist

BugLink: https://bugs.launchpad.net/bugs/1591641
Powerclamp works by aligning idle time to achieve package level
idle states, aka cstates. As long as one of the package cstates
is available, synchronized idle injection is meaningful.

This patch replaces the CPU whitelist with CPU feature and
package cstate counter check such that we don't have to modify
this whitelist for every new CPU.

Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
(cherry picked from commit b721ca0d192754deccb89fb01c77e41e6fd91ad9)
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoiio: st_pressure: initialize lps22hb bootime
Shrirang Bagul [Wed, 12 Apr 2017 12:23:00 +0000 (14:23 +0200)]
iio: st_pressure: initialize lps22hb bootime

BugLink: https://bugs.launchpad.net/bugs/1682103
This patch initializes the bootime in struct st_sensor_settings for
lps22hb sensor. Without this, sensor channels read from sysfs always
report stale values.

Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
(backported from commit 51f528a1636f352ad776a912ac86026ac7a89a2a)
Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoRevert "ACPI / video: Add force_native quirk for HP Pavilion dv6"
Hans de Goede [Mon, 10 Apr 2017 12:37:00 +0000 (14:37 +0200)]
Revert "ACPI / video: Add force_native quirk for HP Pavilion dv6"

BugLink: http://bugs.launchpad.net/bugs/1667323
Revert commit 6276e53fa8c0 (ACPI / video: Add force_native quirk for
HP Pavilion dv6).

In the commit message for the quirk this revert removes I wrote:

"Note that there are quite a few HP Pavilion dv6 variants, some
woth ATI and some with NVIDIA hybrid gfx, both seem to need this
quirk to have working backlight control. There are also some versions
with only Intel integrated gfx, these may not need this quirk, but it
should not hurt there."

Unfortunately that seems wrong, I've already received 2 reports of
this commit causing regressions on some dv6 variants (at least one
of which actually has a nvidia GPU). So it seems that HP has made a
mess here by using the same model-name both in marketing and in the
DMI data for many different variants. Some of which need
acpi_backlight=native for functional backlight control (as the
quirk this commit reverts was doing), where as others are broken by
it. So lets get back to the old sitation so as to avoid regressing
on models which used to work without any kernel cmdline arguments
before.

Fixes: 6276e53fa8c0 (ACPI / video: Add force_native quirk for HP Pavilion dv6)
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
(cherry picked from commit fd25ea29093e275195d0ae8b2573021a1c98959f)
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Acked-by: Marcelo Cerri <marcelo.cerri@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agopowercap/intel_rapl: Add support for Kabylake
Jacob Pan [Fri, 7 Apr 2017 15:19:00 +0000 (17:19 +0200)]
powercap/intel_rapl: Add support for Kabylake

BugLink: https://bugs.launchpad.net/bugs/1591640
Kabylake is similar to Skylake in terms of RAPL.

Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
(cherry picked from commit 6c51cc0203de25aeaff9d0236d6c2b497be93e3b)
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoLinux 4.4.61
Greg Kroah-Hartman [Wed, 12 Apr 2017 10:38:50 +0000 (12:38 +0200)]
Linux 4.4.61

BugLink: http://bugs.launchpad.net/bugs/1682140
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agomm/mempolicy.c: fix error handling in set_mempolicy and mbind.
Chris Salls [Sat, 8 Apr 2017 06:48:11 +0000 (23:48 -0700)]
mm/mempolicy.c: fix error handling in set_mempolicy and mbind.

BugLink: http://bugs.launchpad.net/bugs/1682140
commit cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 upstream.

In the case that compat_get_bitmap fails we do not want to copy the
bitmap to the user as it will contain uninitialized stack data and leak
sensitive data.

Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoMIPS: Flush wrong invalid FTLB entry for huge page
Huacai Chen [Thu, 16 Mar 2017 13:00:27 +0000 (21:00 +0800)]
MIPS: Flush wrong invalid FTLB entry for huge page

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 0115f6cbf26663c86496bc56eeea293f85b77897 upstream.

On VTLB+FTLB platforms (such as Loongson-3A R2), FTLB's pagesize is
usually configured the same as PAGE_SIZE. In such a case, Huge page
entry is not suitable to write in FTLB.

Unfortunately, when a huge page is created, its page table entries
haven't created immediately. Then the TLB refill handler will fetch an
invalid page table entry which has no "HUGE" bit, and this entry may be
written to FTLB. Since it is invalid, TLB load/store handler will then
use tlbwi to write the valid entry at the same place. However, the
valid entry is a huge page entry which isn't suitable for FTLB.

Our solution is to modify build_huge_handler_tail. Flush the invalid
old entry (whether it is in FTLB or VTLB, this is in order to reduce
branches) and use tlbwr to write the valid new entry.

Signed-off-by: Rui Wang <wangr@lemote.com>
Signed-off-by: Huacai Chen <chenhc@lemote.com>
Cc: John Crispin <john@phrozen.org>
Cc: Steven J . Hill <Steven.Hill@caviumnetworks.com>
Cc: Fuxin Zhang <zhangfx@lemote.com>
Cc: Zhangjin Wu <wuzhangjin@gmail.com>
Cc: Huacai Chen <chenhc@lemote.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15754/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoMIPS: Lantiq: fix missing xbar kernel panic
Hauke Mehrtens [Wed, 15 Mar 2017 22:26:42 +0000 (23:26 +0100)]
MIPS: Lantiq: fix missing xbar kernel panic

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 6ef90877eee63a0d03e83183bb44b64229b624e6 upstream.

Commit 08b3c894e565 ("MIPS: lantiq: Disable xbar fpi burst mode")
accidentally requested the resources from the pmu address region
instead of the xbar registers region, but the check for the return
value of request_mem_region() was wrong. Commit 98ea51cb0c8c ("MIPS:
Lantiq: Fix another request_mem_region() return code check") fixed the
check of the return value of request_mem_region() which made the kernel
panics.
This patch now makes use of the correct memory region for the cross bar.

Fixes: 08b3c894e565 ("MIPS: lantiq: Disable xbar fpi burst mode")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Cc: John Crispin <john@phrozen.org>
Cc: james.hogan@imgtec.com
Cc: arnd@arndb.de
Cc: sergei.shtylyov@cogentembedded.com
Cc: john@phrozen.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15751
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoMIPS: End spinlocks with .insn
Paul Burton [Thu, 23 Feb 2017 14:50:24 +0000 (14:50 +0000)]
MIPS: End spinlocks with .insn

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 4b5347a24a0f2d3272032c120664b484478455de upstream.

When building for microMIPS we need to ensure that the assembler always
knows that there is code at the target of a branch or jump. Recent
toolchains will fail to link a microMIPS kernel when this isn't the case
due to what it thinks is a branch to non-microMIPS code.

mips-mti-linux-gnu-ld kernel/built-in.o: .spinlock.text+0x2fc: Unsupported branch between ISA modes.
mips-mti-linux-gnu-ld final link failed: Bad value

This is due to inline assembly labels in spinlock.h not being followed
by an instruction mnemonic, either due to a .subsection pseudo-op or the
end of the inline asm block.

Fix this with a .insn direction after such labels.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/15325/
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoMIPS: ralink: Fix typos in rt3883 pinctrl
John Crispin [Sat, 25 Feb 2017 10:54:23 +0000 (11:54 +0100)]
MIPS: ralink: Fix typos in rt3883 pinctrl

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 7c5a3d813050ee235817b0220dd8c42359a9efd8 upstream.

There are two copy & paste errors in the definition of the 5GHz LNA and
second ethernet pinmux.

Fixes: f576fb6a0700 ("MIPS: ralink: cleanup the soc specific pinmux data")
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15328/
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoMIPS: Force o32 fp64 support on 32bit MIPS64r6 kernels
James Hogan [Thu, 16 Feb 2017 12:39:01 +0000 (12:39 +0000)]
MIPS: Force o32 fp64 support on 32bit MIPS64r6 kernels

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 2e6c7747730296a6d4fd700894286db1132598c4 upstream.

When a 32-bit kernel is configured to support MIPS64r6 (CPU_MIPS64_R6),
MIPS_O32_FP64_SUPPORT won't be selected as it should be because
MIPS32_O32 is disabled (o32 is already the default ABI available on
32-bit kernels).

This results in userland FP breakage as CP0_Status.FR is read-only 1
since r6 (when an FPU is present) so __enable_fpu() will fail to clear
FR. This causes the FPU emulator to get used which will incorrectly
emulate 32-bit FPU registers.

Force o32 fp64 support in this case by also selecting
MIPS_O32_FP64_SUPPORT from CPU_MIPS64_R6 if 32BIT.

Fixes: 4e9d324d4288 ("MIPS: Require O32 FP64 support for MIPS64 with O32 compat")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15310/
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agos390/uaccess: get_user() should zero on failure (again)
Heiko Carstens [Mon, 27 Mar 2017 07:48:04 +0000 (09:48 +0200)]
s390/uaccess: get_user() should zero on failure (again)

BugLink: http://bugs.launchpad.net/bugs/1682140
commit d09c5373e8e4eaaa09233552cbf75dc4c4f21203 upstream.

Commit fd2d2b191fe7 ("s390: get_user() should zero on failure")
intended to fix s390's get_user() implementation which did not zero
the target operand if the read from user space faulted. Unfortunately
the patch has no effect: the corresponding inline assembly specifies
that the operand is only written to ("=") and the previous value is
discarded.

Therefore the compiler is free to and actually does omit the zero
initialization.

To fix this simply change the contraint modifier to "+", so the
compiler cannot omit the initialization anymore.

Fixes: c9ca78415ac1 ("s390/uaccess: provide inline variants of get_user/put_user")
Fixes: fd2d2b191fe7 ("s390: get_user() should zero on failure")
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agos390/decompressor: fix initrd corruption caused by bss clear
Marcelo Henrique Cerri [Mon, 13 Mar 2017 15:14:58 +0000 (12:14 -0300)]
s390/decompressor: fix initrd corruption caused by bss clear

BugLink: http://bugs.launchpad.net/bugs/1682140
commit d82c0d12c92705ef468683c9b7a8298dd61ed191 upstream.

Reorder the operations in decompress_kernel() to ensure initrd is moved
to a safe location before the bss section is zeroed.

During decompression bss can overlap with the initrd and this can
corrupt the initrd contents depending on the size of the compressed
kernel (which affects where the initrd is placed by the bootloader) and
the size of the bss section of the decompressor.

Also use the correct initrd size when checking for overlaps with
parmblock.

Fixes: 06c0dd72aea3 ([S390] fix boot failures with compressed kernels)
Reviewed-by: Joy Latten <joy.latten@canonical.com>
Reviewed-by: Vineetha HariPai <vineetha.hari.pai@canonical.com>
Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agonios2: reserve boot memory for device tree
Tobias Klauser [Mon, 3 Apr 2017 03:08:04 +0000 (20:08 -0700)]
nios2: reserve boot memory for device tree

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 921d701e6f31e1ffaca3560416af1aa04edb4c4f upstream.

Make sure to reserve the boot memory for the flattened device tree.
Otherwise it might get overwritten, e.g. when initial_boot_params is
copied, leading to a corrupted FDT and a boot hang/crash:

  bootconsole [early0] enabled
  Early console on uart16650 initialized at 0xf8001600
  OF: fdt: Error -11 processing FDT
  Kernel panic - not syncing: setup_cpuinfo: No CPU found in devicetree!

  ---[ end Kernel panic - not syncing: setup_cpuinfo: No CPU found in devicetree!

Guenter Roeck says:

> I think I found the problem. In unflatten_and_copy_device_tree(), with added
> debug information:
>
> OF: fdt: initial_boot_params=c861e400, dt=c861f000 size=28874 (0x70ca)
>
> ... and then initial_boot_params is copied to dt, which results in corrupted
> fdt since the memory overlaps. Looks like the initial_boot_params memory
> is not reserved and (re-)allocated by early_init_dt_alloc_memory_arch().

Reported-by: Guenter Roeck <linux@roeck-us.net>
Reference: http://lkml.kernel.org/r/20170226210338.GA19476@roeck-us.net
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Acked-by: Ley Foon Tan <ley.foon.tan@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agopowerpc: Don't try to fix up misaligned load-with-reservation instructions
Paul Mackerras [Tue, 4 Apr 2017 04:56:05 +0000 (14:56 +1000)]
powerpc: Don't try to fix up misaligned load-with-reservation instructions

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 48fe9e9488743eec9b7c1addd3c93f12f2123d54 upstream.

In the past, there was only one load-with-reservation instruction,
lwarx, and if a program attempted a lwarx on a misaligned address, it
would take an alignment interrupt and the kernel handler would emulate
it as though it was lwzx, which was not really correct, but benign since
it is loading the right amount of data, and the lwarx should be paired
with a stwcx. to the same address, which would also cause an alignment
interrupt which would result in a SIGBUS being delivered to the process.

We now have 5 different sizes of load-with-reservation instruction. Of
those, lharx and ldarx cause an immediate SIGBUS by luck since their
entries in aligninfo[] overlap instructions which were not fixed up, but
lqarx overlaps with lhz and will be emulated as such. lbarx can never
generate an alignment interrupt since it only operates on 1 byte.

To straighten this out and fix the lqarx case, this adds code to detect
the l[hwdq]arx instructions and return without fixing them up, resulting
in a SIGBUS being delivered to the process.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agopowerpc/mm: Add missing global TLB invalidate if cxl is active
Frederic Barrat [Wed, 29 Mar 2017 17:19:42 +0000 (19:19 +0200)]
powerpc/mm: Add missing global TLB invalidate if cxl is active

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 88b1bf7268f56887ca88eb09c6fb0f4fc970121a upstream.

Commit 4c6d9acce1f4 ("powerpc/mm: Add hooks for cxl") converted local
TLB invalidates to global if the cxl driver is active. This is necessary
because the CAPP snoops invalidations to forward them to the PSL on the
cxl adapter. However one path was forgotten. native_flush_hash_range()
still does local TLB invalidates, as found out the hard way recently.

This patch fixes it by following the same logic as previously: if the
cxl driver is active, the local TLB invalidates are 'upgraded' to
global.

Fixes: 4c6d9acce1f4 ("powerpc/mm: Add hooks for cxl")
Signed-off-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agometag/usercopy: Add missing fixups
James Hogan [Tue, 4 Apr 2017 07:51:34 +0000 (08:51 +0100)]
metag/usercopy: Add missing fixups

BugLink: http://bugs.launchpad.net/bugs/1682140
commit b884a190afcecdbef34ca508ea5ee88bb7c77861 upstream.

The rapf copy loops in the Meta usercopy code is missing some extable
entries for HTP cores with unaligned access checking enabled, where
faults occur on the instruction immediately after the faulting access.

Add the fixup labels and extable entries for these cases so that corner
case user copy failures don't cause kernel crashes.

Fixes: 373cd784d0fc ("metag: Memory handling")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agometag/usercopy: Fix src fixup in from user rapf loops
James Hogan [Mon, 3 Apr 2017 16:41:40 +0000 (17:41 +0100)]
metag/usercopy: Fix src fixup in from user rapf loops

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 2c0b1df88b987a12d95ea1d6beaf01894f3cc725 upstream.

The fixup code to rewind the source pointer in
__asm_copy_from_user_{32,64}bit_rapf_loop() always rewound the source by
a single unit (4 or 8 bytes), however this is insufficient if the fault
didn't occur on the first load in the loop, as the source pointer will
have been incremented but nothing will have been stored until all 4
register [pairs] are loaded.

Read the LSM_STEP field of TXSTATUS (which is already loaded into a
register), a bit like the copy_to_user versions, to determine how many
iterations of MGET[DL] have taken place, all of which need rewinding.

Fixes: 373cd784d0fc ("metag: Memory handling")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agometag/usercopy: Set flags before ADDZ
James Hogan [Tue, 4 Apr 2017 10:43:26 +0000 (11:43 +0100)]
metag/usercopy: Set flags before ADDZ

BugLink: http://bugs.launchpad.net/bugs/1682140
commit fd40eee1290ad7add7aa665e3ce6b0f9fe9734b4 upstream.

The fixup code for the copy_to_user rapf loops reads TXStatus.LSM_STEP
to decide how far to rewind the source pointer. There is a special case
for the last execution of an MGETL/MGETD, since it leaves LSM_STEP=0
even though the number of MGETLs/MGETDs attempted was 4. This uses ADDZ
which is conditional upon the Z condition flag, but the AND instruction
which masked the TXStatus.LSM_STEP field didn't set the condition flags
based on the result.

Fix that now by using ANDS which does set the flags, and also marking
the condition codes as clobbered by the inline assembly.

Fixes: 373cd784d0fc ("metag: Memory handling")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agometag/usercopy: Zero rest of buffer from copy_from_user
James Hogan [Fri, 31 Mar 2017 10:14:02 +0000 (11:14 +0100)]
metag/usercopy: Zero rest of buffer from copy_from_user

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 563ddc1076109f2b3f88e6d355eab7b6fd4662cb upstream.

Currently we try to zero the destination for a failed read from userland
in fixup code in the usercopy.c macros. The rest of the destination
buffer is then zeroed from __copy_user_zeroing(), which is used for both
copy_from_user() and __copy_from_user().

Unfortunately we fail to zero in the fixup code as D1Ar1 is set to 0
before the fixup code entry labels, and __copy_from_user() shouldn't even
be zeroing the rest of the buffer.

Move the zeroing out into copy_from_user() and rename
__copy_user_zeroing() to raw_copy_from_user() since it no longer does
any zeroing. This also conveniently matches the name needed for
RAW_COPY_USER support in a later patch.

Fixes: 373cd784d0fc ("metag: Memory handling")
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agometag/usercopy: Add early abort to copy_to_user
James Hogan [Fri, 31 Mar 2017 12:35:01 +0000 (13:35 +0100)]
metag/usercopy: Add early abort to copy_to_user

BugLink: http://bugs.launchpad.net/bugs/1682140
commit fb8ea062a8f2e85256e13f55696c5c5f0dfdcc8b upstream.

When copying to userland on Meta, if any faults are encountered
immediately abort the copy instead of continuing on and repeatedly
faulting, and worse potentially copying further bytes successfully to
subsequent valid pages.

Fixes: 373cd784d0fc ("metag: Memory handling")
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agometag/usercopy: Fix alignment error checking
James Hogan [Fri, 31 Mar 2017 10:23:18 +0000 (11:23 +0100)]
metag/usercopy: Fix alignment error checking

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 2257211942bbbf6c798ab70b487d7e62f7835a1a upstream.

Fix the error checking of the alignment adjustment code in
raw_copy_from_user(), which mistakenly considers it safe to skip the
error check when aligning the source buffer on a 2 or 4 byte boundary.

If the destination buffer was unaligned it may have started to copy
using byte or word accesses, which could well be at the start of a new
(valid) source page. This would result in it appearing to have copied 1
or 2 bytes at the end of the first (invalid) page rather than none at
all.

Fixes: 373cd784d0fc ("metag: Memory handling")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agometag/usercopy: Drop unused macros
James Hogan [Fri, 31 Mar 2017 09:37:44 +0000 (10:37 +0100)]
metag/usercopy: Drop unused macros

BugLink: http://bugs.launchpad.net/bugs/1682140
commit ef62a2d81f73d9cddef14bc3d9097a57010d551c upstream.

Metag's lib/usercopy.c has a bunch of copy_from_user macros for larger
copies between 5 and 16 bytes which are completely unused. Before fixing
zeroing lets drop these macros so there is less to fix.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-metag@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoring-buffer: Fix return value check in test_ringbuffer()
Wei Yongjun [Fri, 17 Jun 2016 17:33:59 +0000 (17:33 +0000)]
ring-buffer: Fix return value check in test_ringbuffer()

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 62277de758b155dc04b78f195a1cb5208c37b2df upstream.

In case of error, the function kthread_run() returns ERR_PTR()
and never returns NULL. The NULL test in the return value check
should be replaced with IS_ERR().

Link: http://lkml.kernel.org/r/1466184839-14927-1-git-send-email-weiyj_lk@163.com
Fixes: 6c43e554a ("ring-buffer: Add ring buffer startup selftest")
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoptrace: fix PTRACE_LISTEN race corrupting task->state
bsegall@google.com [Fri, 7 Apr 2017 23:04:51 +0000 (16:04 -0700)]
ptrace: fix PTRACE_LISTEN race corrupting task->state

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 5402e97af667e35e54177af8f6575518bf251d51 upstream.

In PT_SEIZED + LISTEN mode STOP/CONT signals cause a wakeup against
__TASK_TRACED.  If this races with the ptrace_unfreeze_traced at the end
of a PTRACE_LISTEN, this can wake the task /after/ the check against
__TASK_TRACED, but before the reset of state to TASK_TRACED.  This
causes it to instead clobber TASK_WAKING, allowing a subsequent wakeup
against TRACED while the task is still on the rq wake_list, corrupting
it.

Oleg said:
 "The kernel can crash or this can lead to other hard-to-debug problems.
  In short, "task->state = TASK_TRACED" in ptrace_unfreeze_traced()
  assumes that nobody else can wake it up, but PTRACE_LISTEN breaks the
  contract. Obviusly it is very wrong to manipulate task->state if this
  task is already running, or WAKING, or it sleeps again"

[akpm@linux-foundation.org: coding-style fixes]
Fixes: 9899d11f ("ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL")
Link: http://lkml.kernel.org/r/xm26y3vfhmkp.fsf_-_@bsegall-linux.mtv.corp.google.com
Signed-off-by: Ben Segall <bsegall@google.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoReset TreeId to zero on SMB2 TREE_CONNECT
Jan-Marek Glogowski [Mon, 20 Feb 2017 11:25:58 +0000 (12:25 +0100)]
Reset TreeId to zero on SMB2 TREE_CONNECT

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 806a28efe9b78ffae5e2757e1ee924b8e50c08ab upstream.

Currently the cifs module breaks the CIFS specs on reconnect as
described in http://msdn.microsoft.com/en-us/library/cc246529.aspx:

"TreeId (4 bytes): Uniquely identifies the tree connect for the
command. This MUST be 0 for the SMB2 TREE_CONNECT Request."

Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoiio: bmg160: reset chip when probing
Quentin Schulz [Tue, 21 Mar 2017 15:52:14 +0000 (16:52 +0100)]
iio: bmg160: reset chip when probing

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 4bdc9029685ac03be50b320b29691766d2326c2b upstream.

The gyroscope chip might need to be reset to be used.

Without the chip being reset, the driver stopped at the first
regmap_read (to get the CHIP_ID) and failed to probe.

The datasheet of the gyroscope says that a minimum wait of 30ms after
the reset has to be done.

This patch has been checked on a BMX055 and the datasheet of the BMG160
and the BMI055 give the same reset register and bits.

Signed-off-by: Quentin Schulz <quentin.schulz@free-electrons.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoarm/arm64: KVM: Take mmap_sem in kvm_arch_prepare_memory_region
Marc Zyngier [Thu, 16 Mar 2017 18:20:50 +0000 (18:20 +0000)]
arm/arm64: KVM: Take mmap_sem in kvm_arch_prepare_memory_region

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 72f310481a08db821b614e7b5d00febcc9064b36 upstream.

We don't hold the mmap_sem while searching for VMAs (via find_vma), in
kvm_arch_prepare_memory_region, which can end up in expected failures.

Fixes: commit 8eef91239e57 ("arm/arm64: KVM: map MMIO regions at creation time")
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Eric Auger <eric.auger@rehat.com>
Reviewed-by: Christoffer Dall <cdall@linaro.org>
[ Handle dirty page logging failure case ]
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoarm/arm64: KVM: Take mmap_sem in stage2_unmap_vm
Marc Zyngier [Thu, 16 Mar 2017 18:20:49 +0000 (18:20 +0000)]
arm/arm64: KVM: Take mmap_sem in stage2_unmap_vm

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 90f6e150e44a0dc3883110eeb3ab35d1be42b6bb upstream.

We don't hold the mmap_sem while searching for the VMAs when
we try to unmap each memslot for a VM. Fix this properly to
avoid unexpected results.

Fixes: commit 957db105c997 ("arm/arm64: KVM: Introduce stage2_unmap_vm")
Reviewed-by: Christoffer Dall <cdall@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agostaging: android: ashmem: lseek failed due to no FMODE_LSEEK.
Shuxiao Zhang [Thu, 6 Apr 2017 14:30:29 +0000 (22:30 +0800)]
staging: android: ashmem: lseek failed due to no FMODE_LSEEK.

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 97fbfef6bd597888485b653175fb846c6998b60c upstream.

vfs_llseek will check whether the file mode has
FMODE_LSEEK, no return failure. But ashmem can be
lseek, so add FMODE_LSEEK to ashmem file.

Comment From Greg Hackmann:
ashmem_llseek() passes the llseek() call through to the backing
shmem file.  91360b02ab48 ("ashmem: use vfs_llseek()") changed
this from directly calling the file's llseek() op into a VFS
layer call.  This also adds a check for the FMODE_LSEEK bit, so
without that bit ashmem_llseek() now always fails with -ESPIPE.

Fixes: 91360b02ab48 ("ashmem: use vfs_llseek()")
Signed-off-by: Shuxiao Zhang <zhangshuxiao@xiaomi.com>
Tested-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agosysfs: be careful of error returns from ops->show()
NeilBrown [Mon, 3 Apr 2017 01:30:34 +0000 (11:30 +1000)]
sysfs: be careful of error returns from ops->show()

BugLink: http://bugs.launchpad.net/bugs/1682140
commit c8a139d001a1aab1ea8734db14b22dac9dd143b6 upstream.

ops->show() can return a negative error code.
Commit 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.")
(in v4.4) caused this to be stored in an unsigned 'size_t' variable, so errors
would look like large numbers.
As a result, if an error is returned, sysfs_kf_read() will return the
value of 'count', typically 4096.

Commit 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs")
(in v4.8) extended this error to use the unsigned large 'len' as a size for
memmove().
Consequently, if ->show returns an error, then the first read() on the
sysfs file will return 4096 and could return uninitialized memory to
user-space.
If the application performs a subsequent read, this will trigger a memmove()
with extremely large count, and is likely to crash the machine is bizarre ways.

This bug can currently only be triggered by reading from an md
sysfs attribute declared with __ATTR_PREALLOC() during the
brief period between when mddev_put() deletes an mddev from
the ->all_mddevs list, and when mddev_delayed_delete() - which is
scheduled on a workqueue - completes.
Before this, an error won't be returned by the ->show()
After this, the ->show() won't be called.

I can reproduce it reliably only by putting delay like
usleep_range(500000,700000);
early in mddev_delayed_delete(). Then after creating an
md device md0 run
  echo clear > /sys/block/md0/md/array_state; cat /sys/block/md0/md/array_state

The bug can be triggered without the usleep.

Fixes: 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.")
Fixes: 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs")
Signed-off-by: NeilBrown <neilb@suse.com>
Acked-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Miroslav Benes <mbenes@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agodrm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
Li Qiang [Tue, 28 Mar 2017 03:10:53 +0000 (20:10 -0700)]
drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()

BugLink: http://bugs.launchpad.net/bugs/1682140
commit e7e11f99564222d82f0ce84bd521e57d78a6b678 upstream.

In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
'req->mip_levels' array. This array can be assigned any value from
the user space. As both the 'num_sizes' and the array is uint32_t,
it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
used as the loop count. This can lead an oob write. Add the check of
'req->mip_levels' to avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agodrm/vmwgfx: Remove getparam error message
Thomas Hellstrom [Mon, 27 Mar 2017 11:06:05 +0000 (13:06 +0200)]
drm/vmwgfx: Remove getparam error message

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 53e16798b0864464c5444a204e1bb93ae246c429 upstream.

The mesa winsys sometimes uses unimplemented parameter requests to
check for features. Remove the error message to avoid bloating the
kernel log.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agodrm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
Thomas Hellstrom [Mon, 27 Mar 2017 09:21:25 +0000 (11:21 +0200)]
drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces

BugLink: http://bugs.launchpad.net/bugs/1682140
commit fe25deb7737ce6c0879ccf79c99fa1221d428bf2 upstream.

Previously, when a surface was opened using a legacy (non prime) handle,
it was verified to have been created by a client in the same master realm.
Relax this so that opening is also allowed recursively if the client
already has the surface open.

This works around a regression in svga mesa where opening of a shared
surface is used recursively to obtain surface information.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agodrm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl()
Murray McAllister [Mon, 27 Mar 2017 09:15:12 +0000 (11:15 +0200)]
drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl()

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 63774069d9527a1aeaa4aa20e929ef5e8e9ecc38 upstream.

In vmw_get_cap_3d_ioctl(), a user can supply 0 for a size that is
used in vzalloc(). This eventually calls dump_stack() (in warn_alloc()),
which can leak useful addresses to dmesg.

Add check to avoid a size of 0.

Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agodrm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
Murray McAllister [Mon, 27 Mar 2017 09:12:53 +0000 (11:12 +0200)]
drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()

BugLink: http://bugs.launchpad.net/bugs/1682140
commit 36274ab8c596f1240c606bb514da329add2a1bcd upstream.

Before memory allocations vmw_surface_define_ioctl() checks the
upper-bounds of a user-supplied size, but does not check if the
supplied size is 0.

Add check to avoid NULL pointer dereferences.

Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agodrm/vmwgfx: Type-check lookups of fence objects
Thomas Hellstrom [Mon, 27 Mar 2017 09:09:08 +0000 (11:09 +0200)]
drm/vmwgfx: Type-check lookups of fence objects

BugLink: http://bugs.launchpad.net/bugs/1682140
commit f7652afa8eadb416b23eb57dec6f158529942041 upstream.

A malicious caller could otherwise hand over handles to other objects
causing all sorts of interesting problems.

Testing done: Ran a Fedora 25 desktop using both Xorg and
gnome-shell/Wayland.

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoLinux 4.4.60
Greg Kroah-Hartman [Sat, 8 Apr 2017 07:53:53 +0000 (09:53 +0200)]
Linux 4.4.60

BugLink: http://bugs.launchpad.net/bugs/1681862
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agopadata: avoid race in reordering
Jason A. Donenfeld [Thu, 23 Mar 2017 11:24:43 +0000 (12:24 +0100)]
padata: avoid race in reordering

BugLink: http://bugs.launchpad.net/bugs/1681862
commit de5540d088fe97ad583cc7d396586437b32149a5 upstream.

Under extremely heavy uses of padata, crashes occur, and with list
debugging turned on, this happens instead:

[87487.298728] WARNING: CPU: 1 PID: 882 at lib/list_debug.c:33
__list_add+0xae/0x130
[87487.301868] list_add corruption. prev->next should be next
(ffffb17abfc043d0), but was ffff8dba70872c80. (prev=ffff8dba70872b00).
[87487.339011]  [<ffffffff9a53d075>] dump_stack+0x68/0xa3
[87487.342198]  [<ffffffff99e119a1>] ? console_unlock+0x281/0x6d0
[87487.345364]  [<ffffffff99d6b91f>] __warn+0xff/0x140
[87487.348513]  [<ffffffff99d6b9aa>] warn_slowpath_fmt+0x4a/0x50
[87487.351659]  [<ffffffff9a58b5de>] __list_add+0xae/0x130
[87487.354772]  [<ffffffff9add5094>] ? _raw_spin_lock+0x64/0x70
[87487.357915]  [<ffffffff99eefd66>] padata_reorder+0x1e6/0x420
[87487.361084]  [<ffffffff99ef0055>] padata_do_serial+0xa5/0x120

padata_reorder calls list_add_tail with the list to which its adding
locked, which seems correct:

spin_lock(&squeue->serial.lock);
list_add_tail(&padata->list, &squeue->serial.list);
spin_unlock(&squeue->serial.lock);

This therefore leaves only place where such inconsistency could occur:
if padata->list is added at the same time on two different threads.
This pdata pointer comes from the function call to
padata_get_next(pd), which has in it the following block:

next_queue = per_cpu_ptr(pd->pqueue, cpu);
padata = NULL;
reorder = &next_queue->reorder;
if (!list_empty(&reorder->list)) {
       padata = list_entry(reorder->list.next,
                           struct padata_priv, list);
       spin_lock(&reorder->lock);
       list_del_init(&padata->list);
       atomic_dec(&pd->reorder_objects);
       spin_unlock(&reorder->lock);

       pd->processed++;

       goto out;
}
out:
return padata;

I strongly suspect that the problem here is that two threads can race
on reorder list. Even though the deletion is locked, call to
list_entry is not locked, which means it's feasible that two threads
pick up the same padata object and subsequently call list_add_tail on
them at the same time. The fix is thus be hoist that lock outside of
that block.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoblk: Ensure users for current->bio_list can see the full list.
NeilBrown [Fri, 10 Mar 2017 06:00:47 +0000 (17:00 +1100)]
blk: Ensure users for current->bio_list can see the full list.

BugLink: http://bugs.launchpad.net/bugs/1681862
commit f5fe1b51905df7cfe4fdfd85c5fb7bc5b71a094f upstream.

Commit 79bd99596b73 ("blk: improve order of bio handling in generic_make_request()")
changed current->bio_list so that it did not contain *all* of the
queued bios, but only those submitted by the currently running
make_request_fn.

There are two places which walk the list and requeue selected bios,
and others that check if the list is empty.  These are no longer
correct.

So redefine current->bio_list to point to an array of two lists, which
contain all queued bios, and adjust various code to test or walk both
lists.

Signed-off-by: NeilBrown <neilb@suse.com>
Fixes: 79bd99596b73 ("blk: improve order of bio handling in generic_make_request()")
Signed-off-by: Jens Axboe <axboe@fb.com>
[jwang: backport to 4.4]
Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Restore changes in device-mapper from upstream version]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Conflicts:
block/blk-core.c

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoblk: improve order of bio handling in generic_make_request()
NeilBrown [Tue, 7 Mar 2017 20:38:05 +0000 (07:38 +1100)]
blk: improve order of bio handling in generic_make_request()

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 79bd99596b7305ab08109a8bf44a6a4511dbf1cd upstream.

To avoid recursion on the kernel stack when stacked block devices
are in use, generic_make_request() will, when called recursively,
queue new requests for later handling.  They will be handled when the
make_request_fn for the current bio completes.

If any bios are submitted by a make_request_fn, these will ultimately
be handled seqeuntially.  If the handling of one of those generates
further requests, they will be added to the end of the queue.

This strict first-in-first-out behaviour can lead to deadlocks in
various ways, normally because a request might need to wait for a
previous request to the same device to complete.  This can happen when
they share a mempool, and can happen due to interdependencies
particular to the device.  Both md and dm have examples where this happens.

These deadlocks can be erradicated by more selective ordering of bios.
Specifically by handling them in depth-first order.  That is: when the
handling of one bio generates one or more further bios, they are
handled immediately after the parent, before any siblings of the
parent.  That way, when generic_make_request() calls make_request_fn
for some particular device, we can be certain that all previously
submited requests for that device have been completely handled and are
not waiting for anything in the queue of requests maintained in
generic_make_request().

An easy way to achieve this would be to use a last-in-first-out stack
instead of a queue.  However this will change the order of consecutive
bios submitted by a make_request_fn, which could have unexpected consequences.
Instead we take a slightly more complex approach.
A fresh queue is created for each call to a make_request_fn.  After it completes,
any bios for a different device are placed on the front of the main queue, followed
by any bios for the same device, followed by all bios that were already on
the queue before the make_request_fn was called.
This provides the depth-first approach without reordering bios on the same level.

This, by itself, it not enough to remove all deadlocks.  It just makes
it possible for drivers to take the extra step required themselves.

To avoid deadlocks, drivers must never risk waiting for a request
after submitting one to generic_make_request.  This includes never
allocing from a mempool twice in the one call to a make_request_fn.

A common pattern in drivers is to call bio_split() in a loop, handling
the first part and then looping around to possibly split the next part.
Instead, a driver that finds it needs to split a bio should queue
(with generic_make_request) the second part, handle the first part,
and then return.  The new code in generic_make_request will ensure the
requests to underlying bios are processed first, then the second bio
that was split off.  If it splits again, the same process happens.  In
each case one bio will be completely handled before the next one is attempted.

With this is place, it should be possible to disable the
punt_bios_to_recover() recovery thread for many block devices, and
eventually it may be possible to remove it completely.

Ref: http://www.spinics.net/lists/raid/msg54680.html
Tested-by: Jinpu Wang <jinpu.wang@profitbricks.com>
Inspired-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
[jwang: backport to 4.4]
Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Conflicts:
block/blk-core.c

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agopower: reset: at91-poweroff: timely shutdown LPDDR memories
Alexandre Belloni [Tue, 25 Oct 2016 09:37:59 +0000 (11:37 +0200)]
power: reset: at91-poweroff: timely shutdown LPDDR memories

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 0b0408745e7ff24757cbfd571d69026c0ddb803c upstream.

LPDDR memories can only handle up to 400 uncontrolled power off. Ensure the
proper power off sequence is used before shutting down the platform.

Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Sebastian Reichel <sre@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoKVM: kvm_io_bus_unregister_dev() should never fail
David Hildenbrand [Thu, 23 Mar 2017 17:24:19 +0000 (18:24 +0100)]
KVM: kvm_io_bus_unregister_dev() should never fail

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 90db10434b163e46da413d34db8d0e77404cc645 upstream.

No caller currently checks the return value of
kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
freeing their device. A stale reference will remain in the io_bus,
getting at least used again, when the iobus gets teared down on
kvm_destroy_vm() - leading to use after free errors.

There is nothing the callers could do, except retrying over and over
again.

So let's simply remove the bus altogether, print an error and make
sure no one can access this broken bus again (returning -ENOMEM on any
attempt to access it).

Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agortc: s35390a: improve irq handling
Uwe Kleine-König [Sat, 2 Jul 2016 15:28:10 +0000 (17:28 +0200)]
rtc: s35390a: improve irq handling

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 3bd32722c827d00eafe8e6d5b83e9f3148ea7c7e upstream.

On some QNAP NAS devices the rtc can wake the machine. Several people
noticed that once the machine was woken this way it fails to shut down.
That's because the driver fails to acknowledge the interrupt and so it
keeps active and restarts the machine immediatly after shutdown. See
https://bugs.debian.org/794266 for a bug report.

Doing this correctly requires to interpret the INT2 flag of the first read
of the STATUS1 register because this bit is cleared by read.

Note this is not maximally robust though because a pending irq isn't
detected when the STATUS1 register was already read (and so INT2 is not
set) but the irq was not disabled. But that is a hardware imposed problem
that cannot easily be fixed by software.

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agortc: s35390a: implement reset routine as suggested by the reference
Uwe Kleine-König [Sat, 2 Jul 2016 15:28:09 +0000 (17:28 +0200)]
rtc: s35390a: implement reset routine as suggested by the reference

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 8e6583f1b5d1f5f129b873f1428b7e414263d847 upstream.

There were two deviations from the reference manual: you have to wait
half a second when POC is active and you might have to repeat
initialization when POC or BLD are still set after the sequence.

Note however that as POC and BLD are cleared by read the driver might
not be able to detect that a reset is necessary. I don't have a good
idea how to fix this.

Additionally report the value read from STATUS1 to the caller. This
prepares the next patch.

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agortc: s35390a: make sure all members in the output are set
Uwe Kleine-König [Mon, 3 Apr 2017 21:32:38 +0000 (23:32 +0200)]
rtc: s35390a: make sure all members in the output are set

BugLink: http://bugs.launchpad.net/bugs/1681862
The rtc core calls the .read_alarm with all fields initialized to 0. As
the s35390a driver doesn't touch some fields the returned date is
interpreted as a date in January 1900. So make sure all fields are set
to -1; some of them are then overwritten with the right data depending
on the hardware state.

In mainline this is done by commit d68778b80dd7 ("rtc: initialize output
parameter for read alarm to "uninitialized"") in the core. This is
considered to dangerous for stable as it might have side effects for
other rtc drivers that might for example rely on alarm->time.tm_sec
being initialized to 0.

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agortc: s35390a: fix reading out alarm
Uwe Kleine-König [Sat, 2 Jul 2016 15:28:08 +0000 (17:28 +0200)]
rtc: s35390a: fix reading out alarm

BugLink: http://bugs.launchpad.net/bugs/1681862
commit f87e904ddd8f0ef120e46045b0addeb1cc88354e upstream.

There are several issues fixed in this patch:

 - When alarm isn't enabled, set .enabled to zero instead of returning
   -EINVAL.
 - Ignore how IRQ1 is configured when determining if IRQ2 is on.
 - The three alarm registers have an enable flag which must be
   evaluated.
 - The chip always triggers when the seconds register gets 0.

Note that the rtc framework however doesn't handle the result correctly
because it doesn't check wday being initialized and so interprets an
alarm being set for 10:00 AM in three days as 10:00 AM tomorrow (or
today if that's not over yet).

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoMIPS: Lantiq: Fix cascaded IRQ setup
Felix Fietkau [Thu, 19 Jan 2017 11:28:22 +0000 (12:28 +0100)]
MIPS: Lantiq: Fix cascaded IRQ setup

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 6c356eda225e3ee134ed4176b9ae3a76f793f4dd upstream.

With the IRQ stack changes integrated, the XRX200 devices started
emitting a constant stream of kernel messages like this:

[  565.415310] Spurious IRQ: CAUSE=0x1100c300

This is caused by IP0 getting handled by plat_irq_dispatch() rather than
its vectored interrupt handler, which is fixed by commit de856416e714
("MIPS: IRQ Stack: Fix erroneous jal to plat_irq_dispatch").

Fix plat_irq_dispatch() to handle non-vectored IPI interrupts correctly
by setting up IP2-6 as proper chained IRQ handlers and calling do_IRQ
for all MIPS CPU interrupts.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Acked-by: John Crispin <john@phrozen.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15077/
[james.hogan@imgtec.com: tweaked commit message]
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agomm, hugetlb: use pte_present() instead of pmd_present() in follow_huge_pmd()
Naoya Horiguchi [Fri, 31 Mar 2017 22:11:55 +0000 (15:11 -0700)]
mm, hugetlb: use pte_present() instead of pmd_present() in follow_huge_pmd()

BugLink: http://bugs.launchpad.net/bugs/1681862
commit c9d398fa237882ea07167e23bcfc5e6847066518 upstream.

I found the race condition which triggers the following bug when
move_pages() and soft offline are called on a single hugetlb page
concurrently.

    Soft offlining page 0x119400 at 0x700000000000
    BUG: unable to handle kernel paging request at ffffea0011943820
    IP: follow_huge_pmd+0x143/0x190
    PGD 7ffd2067
    PUD 7ffd1067
    PMD 0
        [61163.582052] Oops: 0000 [#1] SMP
    Modules linked in: binfmt_misc ppdev virtio_balloon parport_pc pcspkr i2c_piix4 parport i2c_core acpi_cpufreq ip_tables xfs libcrc32c ata_generic pata_acpi virtio_blk 8139too crc32c_intel ata_piix serio_raw libata virtio_pci 8139cp virtio_ring virtio mii floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: cap_check]
    CPU: 0 PID: 22573 Comm: iterate_numa_mo Tainted: P           OE   4.11.0-rc2-mm1+ #2
    Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
    RIP: 0010:follow_huge_pmd+0x143/0x190
    RSP: 0018:ffffc90004bdbcd0 EFLAGS: 00010202
    RAX: 0000000465003e80 RBX: ffffea0004e34d30 RCX: 00003ffffffff000
    RDX: 0000000011943800 RSI: 0000000000080001 RDI: 0000000465003e80
    RBP: ffffc90004bdbd18 R08: 0000000000000000 R09: ffff880138d34000
    R10: ffffea0004650000 R11: 0000000000c363b0 R12: ffffea0011943800
    R13: ffff8801b8d34000 R14: ffffea0000000000 R15: 000077ff80000000
    FS:  00007fc977710740(0000) GS:ffff88007dc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffffea0011943820 CR3: 000000007a746000 CR4: 00000000001406f0
    Call Trace:
     follow_page_mask+0x270/0x550
     SYSC_move_pages+0x4ea/0x8f0
     SyS_move_pages+0xe/0x10
     do_syscall_64+0x67/0x180
     entry_SYSCALL64_slow_path+0x25/0x25
    RIP: 0033:0x7fc976e03949
    RSP: 002b:00007ffe72221d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000117
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc976e03949
    RDX: 0000000000c22390 RSI: 0000000000001400 RDI: 0000000000005827
    RBP: 00007ffe72221e00 R08: 0000000000c2c3a0 R09: 0000000000000004
    R10: 0000000000c363b0 R11: 0000000000000246 R12: 0000000000400650
    R13: 00007ffe72221ee0 R14: 0000000000000000 R15: 0000000000000000
    Code: 81 e4 ff ff 1f 00 48 21 c2 49 c1 ec 0c 48 c1 ea 0c 4c 01 e2 49 bc 00 00 00 00 00 ea ff ff 48 c1 e2 06 49 01 d4 f6 45 bc 04 74 90 <49> 8b 7c 24 20 40 f6 c7 01 75 2b 4c 89 e7 8b 47 1c 85 c0 7e 2a
    RIP: follow_huge_pmd+0x143/0x190 RSP: ffffc90004bdbcd0
    CR2: ffffea0011943820
    ---[ end trace e4f81353a2d23232 ]---
    Kernel panic - not syncing: Fatal exception
    Kernel Offset: disabled

This bug is triggered when pmd_present() returns true for non-present
hugetlb, so fixing the present check in follow_huge_pmd() prevents it.
Using pmd_present() to determine present/non-present for hugetlb is not
correct, because pmd_present() checks multiple bits (not only
_PAGE_PRESENT) for historical reason and it can misjudge hugetlb state.

Fixes: e66f17ff7177 ("mm/hugetlb: take page table lock in follow_huge_pmd()")
Link: http://lkml.kernel.org/r/1490149898-20231-1-git-send-email-n-horiguchi@ah.jp.nec.com
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agodrm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags
Michel Dänzer [Fri, 24 Mar 2017 10:01:09 +0000 (19:01 +0900)]
drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags

BugLink: http://bugs.launchpad.net/bugs/1681862
commit ce4b4f228e51219b0b79588caf73225b08b5b779 upstream.

We were accidentally only overriding the first VRAM placement. For BOs
with the RADEON_GEM_NO_CPU_ACCESS flag set,
radeon_ttm_placement_from_domain creates a second VRAM placment with
fpfn == 0. If VRAM is almost full, the first VRAM placement with
fpfn > 0 may not work, but the second one with fpfn == 0 always will
(the BO's current location trivially satisfies it). Because "moving"
the BO to its current location puts it back on the LRU list, this
results in an infinite loop.

Fixes: 2a85aedd117c ("drm/radeon: Try evicting from CPU accessible to
                      inaccessible VRAM first")
Reported-by: Zachary Michaels <zmichaels@oblong.com>
Reported-and-Tested-by: Julien Isorce <jisorce@oblong.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoKVM: x86: clear bus pointer when destroyed
Peter Xu [Wed, 15 Mar 2017 08:01:17 +0000 (16:01 +0800)]
KVM: x86: clear bus pointer when destroyed

BugLink: http://bugs.launchpad.net/bugs/1681862
commit df630b8c1e851b5e265dc2ca9c87222e342c093b upstream.

When releasing the bus, let's clear the bus pointers to mark it out. If
any further device unregister happens on this bus, we know that we're
done if we found the bus being released already.

Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoUSB: fix linked-list corruption in rh_call_control()
Alan Stern [Fri, 24 Mar 2017 17:38:28 +0000 (13:38 -0400)]
USB: fix linked-list corruption in rh_call_control()

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 1633682053a7ee8058e10c76722b9b28e97fb73f upstream.

Using KASAN, Dmitry found a bug in the rh_call_control() routine: If
buffer allocation fails, the routine returns immediately without
unlinking its URB from the control endpoint, eventually leading to
linked-list corruption.

This patch fixes the problem by jumping to the end of the routine
(where the URB is unlinked) when an allocation failure occurs.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agotty/serial: atmel: fix TX path in atmel_console_write()
Nicolas Ferre [Mon, 20 Mar 2017 15:38:57 +0000 (16:38 +0100)]
tty/serial: atmel: fix TX path in atmel_console_write()

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 497e1e16f45c70574dc9922c7f75c642c2162119 upstream.

A side effect of 89d8232411a8 ("tty/serial: atmel_serial: BUG: stop DMA
from transmitting in stop_tx") is that the console can be called with
TX path disabled. Then the system would hang trying to push charecters
out in atmel_console_putchar().

Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Fixes: 89d8232411a8 ("tty/serial: atmel_serial: BUG: stop DMA from transmitting in stop_tx")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agotty/serial: atmel: fix race condition (TX+DMA)
Richard Genoud [Mon, 20 Mar 2017 10:52:41 +0000 (11:52 +0100)]
tty/serial: atmel: fix race condition (TX+DMA)

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 31ca2c63fdc0aee725cbd4f207c1256f5deaabde upstream.

If uart_flush_buffer() is called between atmel_tx_dma() and
atmel_complete_tx_dma(), the circular buffer has been cleared, but not
atmel_port->tx_len.
That leads to a circular buffer overflow (dumping (UART_XMIT_SIZE -
atmel_port->tx_len) bytes).

Tested-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoACPI: Do not create a platform_device for IOAPIC/IOxAPIC
Joerg Roedel [Wed, 22 Mar 2017 17:33:25 +0000 (18:33 +0100)]
ACPI: Do not create a platform_device for IOAPIC/IOxAPIC

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 08f63d97749185fab942a3a47ed80f5bd89b8b7d upstream.

No platform-device is required for IO(x)APICs, so don't even
create them.

[ rjw: This fixes a problem with leaking platform device objects
  after IOAPIC/IOxAPIC hot-removal events.]

Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoACPI: Fix incompatibility with mcount-based function graph tracing
Josh Poimboeuf [Thu, 16 Mar 2017 13:56:28 +0000 (08:56 -0500)]
ACPI: Fix incompatibility with mcount-based function graph tracing

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 61b79e16c68d703dde58c25d3935d67210b7d71b upstream.

Paul Menzel reported a warning:

  WARNING: CPU: 0 PID: 774 at /build/linux-ROBWaj/linux-4.9.13/kernel/trace/trace_functions_graph.c:233 ftrace_return_to_handler+0x1aa/0x1e0
  Bad frame pointer: expected f6919d98, received f6919db0
    from func acpi_pm_device_sleep_wake return to c43b6f9d

The warning means that function graph tracing is broken for the
acpi_pm_device_sleep_wake() function.  That's because the ACPI Makefile
unconditionally sets the '-Os' gcc flag to optimize for size.  That's an
issue because mcount-based function graph tracing is incompatible with
'-Os' on x86, thanks to the following gcc bug:

  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109

I have another patch pending which will ensure that mcount-based
function graph tracing is never used with CONFIG_CC_OPTIMIZE_FOR_SIZE on
x86.

But this patch is needed in addition to that one because the ACPI
Makefile overrides that config option for no apparent reason.  It has
had this flag since the beginning of git history, and there's no related
comment, so I don't know why it's there.  As far as I can tell, there's
no reason for it to be there.  The appropriate behavior is for it to
honor CONFIG_CC_OPTIMIZE_FOR_{SIZE,PERFORMANCE} like the rest of the
kernel.

Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoASoC: atmel-classd: fix audio clock rate
Songjun Wu [Fri, 24 Feb 2017 07:10:43 +0000 (15:10 +0800)]
ASoC: atmel-classd: fix audio clock rate

BugLink: http://bugs.launchpad.net/bugs/1681862
commit cd3ac9affc43b44f49d7af70d275f0bd426ba643 upstream.

Fix the audio clock rate according to the datasheet.

Reported-by: Dushara Jayasinghe <dushara@successful.com.au>
Signed-off-by: Songjun Wu <songjun.wu@microchip.com>
Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoALSA: hda - fix a problem for lineout on a Dell AIO machine
Hui Wang [Fri, 31 Mar 2017 02:31:40 +0000 (10:31 +0800)]
ALSA: hda - fix a problem for lineout on a Dell AIO machine

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 2f726aec19a9d2c63bec9a8a53a3910ffdcd09f8 upstream.

On this Dell AIO machine, the lineout jack does not work.

We found the pin 0x1a is assigned to lineout on this machine, and in
the past, we applied ALC298_FIXUP_DELL1_MIC_NO_PRESENCE to fix the
heaset-set mic problem for this machine, this fixup will redefine
the pin 0x1a to headphone-mic, as a result the lineout doesn't
work anymore.

After consulting with Dell, they told us this machine doesn't support
microphone via headset jack, so we add a new fixup which only defines
the pin 0x18 as the headset-mic.

[rearranged the fixup insertion position by tiwai in order to make the
 merge with other branches easier -- tiwai]

Fixes: 59ec4b57bcae ("ALSA: hda - Fix headset mic detection problem for two dell machines")
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoALSA: seq: Fix race during FIFO resize
Takashi Iwai [Fri, 24 Mar 2017 16:07:57 +0000 (17:07 +0100)]
ALSA: seq: Fix race during FIFO resize

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 2d7d54002e396c180db0c800c1046f0a3c471597 upstream.

When a new event is queued while processing to resize the FIFO in
snd_seq_fifo_clear(), it may lead to a use-after-free, as the old pool
that is being queued gets removed.  For avoiding this race, we need to
close the pool to be deleted and sync its usage before actually
deleting it.

The issue was spotted by syzkaller.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoscsi: libsas: fix ata xfer length
John Garry [Thu, 16 Mar 2017 15:07:28 +0000 (23:07 +0800)]
scsi: libsas: fix ata xfer length

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 9702c67c6066f583b629cf037d2056245bb7a8e6 upstream.

The total ata xfer length may not be calculated properly, in that we do
not use the proper method to get an sg element dma length.

According to the code comment, sg_dma_len() should be used after
dma_map_sg() is called.

This issue was found by turning on the SMMUv3 in front of the hisi_sas
controller in hip07. Multiple sg elements were being combined into a
single element, but the original first element length was being use as
the total xfer length.

Fixes: ff2aeb1eb64c8a4770a6 ("libata: convert to chained sg")
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoscsi: sg: check length passed to SG_NEXT_CMD_LEN
peter chang [Wed, 15 Feb 2017 22:11:54 +0000 (14:11 -0800)]
scsi: sg: check length passed to SG_NEXT_CMD_LEN

BugLink: http://bugs.launchpad.net/bugs/1681862
commit bf33f87dd04c371ea33feb821b60d63d754e3124 upstream.

The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.

Signed-off-by: Peter Chang <dpf@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoscsi: mpt3sas: fix hang on ata passthrough commands
James Bottomley [Sun, 1 Jan 2017 17:39:24 +0000 (09:39 -0800)]
scsi: mpt3sas: fix hang on ata passthrough commands

BugLink: http://bugs.launchpad.net/bugs/1681862
commit ffb58456589443ca572221fabbdef3db8483a779 upstream.

mpt3sas has a firmware failure where it can only handle one pass through
ATA command at a time.  If another comes in, contrary to the SAT
standard, it will hang until the first one completes (causing long
commands like secure erase to timeout).  The original fix was to block
the device when an ATA command came in, but this caused a regression
with

commit 669f044170d8933c3d66d231b69ea97cb8447338
Author: Bart Van Assche <bart.vanassche@sandisk.com>
Date:   Tue Nov 22 16:17:13 2016 -0800

    scsi: srp_transport: Move queuecommand() wait code to SCSI core

So fix the original fix of the secure erase timeout by properly
returning SAM_STAT_BUSY like the SAT recommends.  The original patch
also had a concurrency problem since scsih_qcmd is lockless at that
point (this is fixed by using atomic bitops to set and test the flag).

[mkp: addressed feedback wrt. test_bit and fixed whitespace]

Fixes: 18f6084a989ba1b (mpt3sas: Fix secure erase premature termination)
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Acked-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reported-by: Ingo Molnar <mingo@kernel.org>
Tested-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Joe Korty <joe.korty@ccur.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Conflicts:
drivers/scsi/mpt3sas/mpt3sas_base.h

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoxen/setup: Don't relocate p2m over existing one
Ross Lagerwall [Mon, 12 Dec 2016 14:35:13 +0000 (14:35 +0000)]
xen/setup: Don't relocate p2m over existing one

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 7ecec8503af37de6be4f96b53828d640a968705f upstream.

When relocating the p2m, take special care not to relocate it so
that is overlaps with the current location of the p2m/initrd. This is
needed since the full extent of the current location is not marked as a
reserved region in the e820.

This was seen to happen to a dom0 with a large initial p2m and a small
reserved region in the middle of the initial p2m.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agolibceph: force GFP_NOIO for socket allocations
Ilya Dryomov [Tue, 21 Mar 2017 12:44:28 +0000 (13:44 +0100)]
libceph: force GFP_NOIO for socket allocations

BugLink: http://bugs.launchpad.net/bugs/1681862
commit 633ee407b9d15a75ac9740ba9d3338815e1fcb95 upstream.

sock_alloc_inode() allocates socket+inode and socket_wq with
GFP_KERNEL, which is not allowed on the writeback path:

    Workqueue: ceph-msgr con_work [libceph]
    ffff8810871cb018 0000000000000046 0000000000000000 ffff881085d40000
    0000000000012b00 ffff881025cad428 ffff8810871cbfd8 0000000000012b00
    ffff880102fc1000 ffff881085d40000 ffff8810871cb038 ffff8810871cb148
    Call Trace:
    [<ffffffff816dd629>] schedule+0x29/0x70
    [<ffffffff816e066d>] schedule_timeout+0x1bd/0x200
    [<ffffffff81093ffc>] ? ttwu_do_wakeup+0x2c/0x120
    [<ffffffff81094266>] ? ttwu_do_activate.constprop.135+0x66/0x70
    [<ffffffff816deb5f>] wait_for_completion+0xbf/0x180
    [<ffffffff81097cd0>] ? try_to_wake_up+0x390/0x390
    [<ffffffff81086335>] flush_work+0x165/0x250
    [<ffffffff81082940>] ? worker_detach_from_pool+0xd0/0xd0
    [<ffffffffa03b65b1>] xlog_cil_force_lsn+0x81/0x200 [xfs]
    [<ffffffff816d6b42>] ? __slab_free+0xee/0x234
    [<ffffffffa03b4b1d>] _xfs_log_force_lsn+0x4d/0x2c0 [xfs]
    [<ffffffff811adc1e>] ? lookup_page_cgroup_used+0xe/0x30
    [<ffffffffa039a723>] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [<ffffffffa03b4dcf>] xfs_log_force_lsn+0x3f/0xf0 [xfs]
    [<ffffffffa039a723>] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [<ffffffffa03a62c6>] xfs_iunpin_wait+0xc6/0x1a0 [xfs]
    [<ffffffff810aa250>] ? wake_atomic_t_function+0x40/0x40
    [<ffffffffa039a723>] xfs_reclaim_inode+0xa3/0x330 [xfs]
    [<ffffffffa039ac07>] xfs_reclaim_inodes_ag+0x257/0x3d0 [xfs]
    [<ffffffffa039bb13>] xfs_reclaim_inodes_nr+0x33/0x40 [xfs]
    [<ffffffffa03ab745>] xfs_fs_free_cached_objects+0x15/0x20 [xfs]
    [<ffffffff811c0c18>] super_cache_scan+0x178/0x180
    [<ffffffff8115912e>] shrink_slab_node+0x14e/0x340
    [<ffffffff811afc3b>] ? mem_cgroup_iter+0x16b/0x450
    [<ffffffff8115af70>] shrink_slab+0x100/0x140
    [<ffffffff8115e425>] do_try_to_free_pages+0x335/0x490
    [<ffffffff8115e7f9>] try_to_free_pages+0xb9/0x1f0
    [<ffffffff816d56e4>] ? __alloc_pages_direct_compact+0x69/0x1be
    [<ffffffff81150cba>] __alloc_pages_nodemask+0x69a/0xb40
    [<ffffffff8119743e>] alloc_pages_current+0x9e/0x110
    [<ffffffff811a0ac5>] new_slab+0x2c5/0x390
    [<ffffffff816d71c4>] __slab_alloc+0x33b/0x459
    [<ffffffff815b906d>] ? sock_alloc_inode+0x2d/0xd0
    [<ffffffff8164bda1>] ? inet_sendmsg+0x71/0xc0
    [<ffffffff815b906d>] ? sock_alloc_inode+0x2d/0xd0
    [<ffffffff811a21f2>] kmem_cache_alloc+0x1a2/0x1b0
    [<ffffffff815b906d>] sock_alloc_inode+0x2d/0xd0
    [<ffffffff811d8566>] alloc_inode+0x26/0xa0
    [<ffffffff811da04a>] new_inode_pseudo+0x1a/0x70
    [<ffffffff815b933e>] sock_alloc+0x1e/0x80
    [<ffffffff815ba855>] __sock_create+0x95/0x220
    [<ffffffff815baa04>] sock_create_kern+0x24/0x30
    [<ffffffffa04794d9>] con_work+0xef9/0x2050 [libceph]
    [<ffffffffa04aa9ec>] ? rbd_img_request_submit+0x4c/0x60 [rbd]
    [<ffffffff81084c19>] process_one_work+0x159/0x4f0
    [<ffffffff8108561b>] worker_thread+0x11b/0x530
    [<ffffffff81085500>] ? create_worker+0x1d0/0x1d0
    [<ffffffff8108b6f9>] kthread+0xc9/0xe0
    [<ffffffff8108b630>] ? flush_kthread_worker+0x90/0x90
    [<ffffffff816e1b98>] ret_from_fork+0x58/0x90
    [<ffffffff8108b630>] ? flush_kthread_worker+0x90/0x90

Use memalloc_noio_{save,restore}() to temporarily force GFP_NOIO here.

Link: http://tracker.ceph.com/issues/19309
Reported-by: Sergey Jerusalimov <wintchester@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoUBUNTU: Start new release
Thadeu Lima de Souza Cascardo [Thu, 27 Apr 2017 12:56:49 +0000 (09:56 -0300)]
UBUNTU: Start new release

Ignore: yes
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: Ubuntu-4.4.0-77.98
Kleber Sacilotto de Souza [Wed, 26 Apr 2017 08:04:08 +0000 (10:04 +0200)]
UBUNTU: Ubuntu-4.4.0-77.98

Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
7 years agoUBUNTU: [Config] updating configs to match redpine driver changes
Kleber Sacilotto de Souza [Tue, 25 Apr 2017 18:44:16 +0000 (20:44 +0200)]
UBUNTU: [Config] updating configs to match redpine driver changes

Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
7 years agoUBUNTU: SAUCE: pci-hyperv: Use only 16 bit integer for PCI domain
Haiyang Zhang [Mon, 24 Apr 2017 23:38:08 +0000 (19:38 -0400)]
UBUNTU: SAUCE: pci-hyperv: Use only 16 bit integer for PCI domain

BugLink: http://bugs.launchpad.net/bugs/1684971
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
7 years agoUBUNTU: SAUCE: Redpine: add copyright to kernel packages
Andy Whitcroft [Wed, 26 Apr 2017 07:47:50 +0000 (09:47 +0200)]
UBUNTU: SAUCE: Redpine: add copyright to kernel packages

BugLink: http://bugs.launchpad.net/bugs/1669672
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
7 years agoUBUNTU: [Config] Update CONFIG_VEN_RSI_* configs
Shrirang Bagul [Fri, 21 Apr 2017 04:27:41 +0000 (12:27 +0800)]
UBUNTU: [Config] Update CONFIG_VEN_RSI_* configs

BugLink: http://bugs.launchpad.net/bugs/1669672
This patch updates the kernel config for latest Redpine Wifi-BT combo
chip driver ver. 1.2.RC4

Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
7 years agoUBUNTU: SAUCE: Redpine: Upgrade to ver. 1.2.RC4
Shrirang Bagul [Tue, 7 Mar 2017 07:19:32 +0000 (15:19 +0800)]
UBUNTU: SAUCE: Redpine: Upgrade to ver. 1.2.RC4

BugLink: http://bugs.launchpad.net/bugs/1669672
Vendor release ver: 1.2.RC4

Changelog:

1.2.RC4 -
    WLAN Bug Fixes:
    ---------------
    1) Buffer status interrupt handling improved.
    2) Scan results update in sta+bt dual mode issue resolved

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) S5 with WoWLAN does not work.
    2) For GTK rekey, wakeup trigger send to host.

    BT Limitations/Features NOT Supported:
    ----------------------------------------
    1) To connect multiple BT slaves, connection should be initiated
       from rsi module.
    2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC3 -
    WLAN Bug Fixes:
    ---------------
    1) WoWLAN multiple cycles issue resolved.
    2) Driver Version is correctly updated.
    3) Default operating mode for Caracalla board is corrected.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) S5 with WoWLAN does not work.
    2) For GTK rekey, wakeup trigger send to host.

    BT New Features:
    ----------------
    1) Multiple slaves issue in WLAN-BT coex mode resolved.

    BT Limitations/Features NOT Supported:
    --------------------------------------
    1) To connect multiple BT slaves, connection should be initiated
       from rsi module.
    2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC2 -
    WLAN Bug Fixes:
    ---------------
    1) Suspend/resume issues resolved.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) S5 with WoWLAN does not work.
    2) For GTK rekey, wakeup trigger send to host.
    3) EAP not tested

    BT Limitations/Features NOT Supported:
    --------------------------------------
    1) To connect multiple BT slaves, connection should be initiated
       from rsi module.
    2) In coex mode, BT file transfer fails at times with certain mobiles.

1.2.RC1 -
    WLAN New Features:
    ------------------
    1) Restrict functional modes as per device operating mode
    2) Default operating mode for Caracalla board is 13

    WLAN Bug Fixes:
    ---------------
    1) Driver oops issue if more than 4 clients try to connect in
       operating mode 14 resolved.
    2) Issue with connecting more than max clients and disconnection
       issue resolved.
    3) L2 test stop when wlan interface down issue resolved.
    4) Driver version corrected.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) S5 with WoWLAN does not work.
    2) For GTK rekey, wakeup trigger send to host.
    3) EAP not tested
    4) For channels 12 and 13 in US region max TX power is coming 0 in
       beacons.

    BT Limitations/Features NOT Supported:
    ----------------------------------------
    1) To connect multiple BT slaves, connection should be initiated
       from rsi module.
    2) In coex mode, BT file transfer fails at times with certain
       mobiles.

1.1 -
    Generic
    -------
    1) Firmware file name is displayed along with version information.
       at the driver load time.
    2) Device operating mode is made available in the below files:
       /sys/module/rsi_sdio/parameters/dev_oper_mode
       /sys/module/rsi_usb/parameters/dev_oper_mode
    3) Wi-Fi BT radio sharing has been improved.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) S5 with WoWLAN does not work.
    2) For GTK rekey, wakeup trigger send to host.
    3) EAP not tested
    4) For channels 12 and 13 in US region max TX power is coming 0 in beacons.

    BT Limitations/Features NOT Supported:
    --------------------------------------
    1) To connect multiple BT slaves, connection should be initiated from rsi module.
    2) In coex mode, BT file transfer fails at times with certain mobiles.

1.0.RC7 -
    Generic
    -------
    1) Driver version, Firmware version and operating mode information is displayed
       at the driver load time.
    2) Driver version is made available in the below files:
       /sys/module/rsi_91x/version
       /sys/module/rsi_sdio/version
       /sys/module/rsi_usb/version

    WLAN Bug Fixes:
    ---------------
    1) Power save latencies resolved

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) S5 with WoWLAN does not work.
    2) For GTK rekey, wakeup trigger send to host.
    3) EAP not tested

    BT Limitations/Features NOT Supported:
    --------------------------------------
    1) To connect multiple BT slaves, connection should be initiated from rsi module.
    2) In coex mode, BT file transfer fails at times with certain mobiles.

1.0 -
    WLAN New Features:
    ------------------
    1) Station mode
    2) All Security modes (WEP/WPA/WPA2)
    3) Station Power save (legacy and UAPSD)
    4) Bgscan and roaming
    5) External antenna selection
    6) Neighbour report request in RRM
    7) Regulatory (802)11d) support
    8) Management frame protection support (802)11w)
    9) Software RF-kill
    10) AP mode
    11) S3, S4 suspend and resume
    12) WoWLAN
    13) AP Power save
    14) Wi-Fi direct

    WLAN Bug Fixes:
    ---------------
    1) Allowed channels 12 and 13 in FCC region.
    2) For the allowed channels 12 and 13 in any region, power configuration
       updated as per Caracalla regulatory rules.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) S5 with WoWLAN does not work.
    2) For GTK rekey, wakeup trigger send to host.
    3) EAP not tested

    BT New Features:
    ----------------
    1) BT EDR mode
    2) BT LE mode
    3) BT coex mode (All the coex modes))
    4) Multi-slave mode supported)

    BT Limitations/Features NOT Supported:
    ----------------------------------------
    1) To connect multiple BT slaves, connection should be initiated from rsi module.
    2) In coex mode, BT file transfer fails at times with certain mobiles.

1.0_RC3 -
    Gerenic:
    --------
    1) Device operating mode is changed as module parameter. Please check
       README or TRM on how to configure this while loading the modules.
    2) Max number of stations supported in Wi-Fi AP alone mode is 32, and AP +
       BT coex mode is 4.
    3) AP + BT-EDR + BLE support added.

    WLAN Bug Fixes:
    ---------------
    1) Bgscan probe request issue resolved.
    2) WoWLAN before association issue resolved.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) S4 with and without WoWLAN works with the work-around implemented by Canonical.
    2) S5 with WoWLAN does not work.
    3) For GTK rekey, wakeup trigger send to host.
    4) EAP not tested
    5) To connect multiple BT slaves, connection should be initiated from rsi module.
    6) In coex mode, BT file transfer fails at times with certain mobiles.

    BT New Features:
    ----------------
    1) Multi-slave mode supported.

    BT Bug Fixes:
    -------------
    1) Radio sharing of coex modes improved.

1.0.RC2 -
    WLAN Bug Fixes:
    ---------------
    1) PVB preparation issue in AP mode resolved.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) EAP not supported
    2) Issue while Resume in S4 with or without WoWLAN.
    3) S5 with WoWLAN does not work.
    4) For GTK rekey, wakeup trigger send to host.

    BT Bug Fixes:
    -------------
    1) BT dual mode disconnection issue resolved
    2) AP BT dual mode issue resolved

1.0_RC1 -
    WLAN Bug Fixes:
    ---------------
    1) WoWLAN in Co-ex mode issue resolved.
    2) AP beacon DTIM count update issue resolved.
    3) Firmware assertion (0x5d) in bgscan issue is resolved.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) EAP not supported
    2) Issue while Resume in S4 with or without WoWLAN.
    3) S5 with WoWLAN does not work.
    4) For GTK rekey, wakeup trigger send to host.

0.9.8.5_RC6 -
    WLAN Bug Fixes:
    ---------------
    1) Firmware CRC check fail issue resolved
    2) Compilation fails on 4.10.1 kernel issue resolved
    3) BG scan issues resolved
    4) AP mode regulatory fixes
    5) WoWLAN issues resolved.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) EAP not supported
    2) Issue while Resume in S4 with or without WoWLAN.
    3) S5 with WoWLAN does not work.
    4) For GTK rekey, wakeup trigger send to host.

0.9.8.5_RC4 -
    WLAN Bug Fixes:
    -------------------
    1) AP mode configuration in channels 12 and 13 for EU region issue resolved.
    2) Data latencies in AP mode issue resolved.
    3) Roaming issues resolved.
    4) AP WEP mode issue resolved.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) EAP not supported
    2) Issue while Resume in S4 with or without WoWLAN.
    3) S5 with WoWLAN does not work.
    4) For GTK rekey, wakeup trigger send to host.
    5) WoWLAN does not work in WEP mode.

    Others:
    -------
    1) USB binds only to RS9113, let upstream kernel driver handle other RSI chips

0.9.8.5_RC3 -
    WLAN Bug Fixes:
    -------------------
    1) Power save issue in station mode (By default UAPSD is enabled on
    Caracalla board) fixed.
    2) WoWLAN with S3 issue resolved

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) EAP not supported
    2) Not verified removing SDIO interrupt polling
    3) S4/S5 sleep states not supported (with and without WoWLAN)

0.9.8.5_RC2 -
    WLAN Bug Fixes:
    -------------------
    1) Power save issue in station mode (By default UAPSD is enabled on
    Caracalla board) fixed.
    2) Firmware assert 0x71 (while doing bgscan) issue fixed.
    3) Keep alive functionality in station mode issue fixed.
    4) Data traffic stops when connected to multiple stations issue resolved
    5) WoWLAN not working issue is resolved

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) EAP not supported
    2) Not verified removing SDIO interrupt polling
    3) S4/S5 sleep states not supported (with and without WoWLAN)
    4) Wi-Fi direct testing is in progress

0.9.8.5_RC1 -
    WLAN Bug Fixes:
    -------------------
    1) Observed unicast probe requests during bgscan issue fixed
    2) Firmware assert 0x71 (while doing bgscan) issue fixed.
    3) Crash when doing rmmod while data traffic is going on issue resolved.
    4) Beacons stopped after 5 minutes of data traffic issue fixed.
    5) Keep alive functionality in station mode issue fixed
    6) 11n data rates issue in station mode resolved.

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) EAP not supported
    2) Not verified removing SDIO interrupt polling
    3) S4/S5 sleep states not supported (with.without WoWLAN)
    4) power save is not working consistently
    5) WoWLAN is not working consistently

0.9.8.3 -
    WLAN New Features:
    -----------------------------------------
    1) AP Mode
    2) S3, S4 suspend and resume
    3) WoWLAN [Testing in progress]

    WLAN Bug Fixes:
    -------------------
    1) First EAPOL drop issue is resolved
    2) Firmware Assert while roaming issue is resolved
       (Provide driver bgsan should be enabled along with supplicant bgscan)
    3) Roaming takes longer time issue is resolved
    4) Added polling support as a work-around for the SDIO interrupt issue
       on some platforms

    WLAN Limitations/Features NOT Supported:
    ----------------------------------------
    1) Wi-Fi Direct mode not supported
    2) EAP not supported
    3) SDIO interrupts are not being delivered to the 9113 driver
    4) In S4 state 9113 device gets reset but device isn't getting re-enumerated.

Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
7 years agoUBUNTU: SAUCE: sdhci: use PCI ID to identify Dell IoT gateways
Shrirang Bagul [Sat, 25 Mar 2017 05:51:06 +0000 (13:51 +0800)]
UBUNTU: SAUCE: sdhci: use PCI ID to identify Dell IoT gateways

BugLink: http://bugs.launchpad.net/bugs/1669672
This patch adds a guard against changes in commit 2171e55 being applied
to the complete SDHCI sub-system. PCI Subsystem ID 1028:07b9 is used to
uniquely identify Dell IoT gateway.

Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
7 years agoUBUNTU: SAUCE: xr-usb-serial: Update driver for Exar USB serial ports
Shrirang Bagul [Wed, 8 Mar 2017 10:35:00 +0000 (18:35 +0800)]
UBUNTU: SAUCE: xr-usb-serial: Update driver for Exar USB serial ports

BugLink: http://bugs.launchpad.net/bugs/1685133
This patch adds the vendor release version on the Exar USB serial
device. Features include:
1. Fix for RX fail after wake-up from sleep (S3/S4)
2. Removes unnecessary debug messages

Changelog:

Version 1B, 11/6/2015
Fixed Bug: The conditional logic to support kernel 3.9 was
incorrect(line 396 in xr_usb_serial_common.c).

Version 1A, 1/9/2015
This driver will work with any USB UART function in these Exar devices:
XR21V1410/1412/1414
XR21B1411
XR21B1420/1422/1424
XR22801/802/804

Exar serial devices are typically enuremated as /dev/ttyXRUSB[0-3].

Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
7 years agoUBUNTU: Start new release
Kleber Sacilotto de Souza [Tue, 25 Apr 2017 17:32:03 +0000 (19:32 +0200)]
UBUNTU: Start new release

Ignore: yes
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
7 years agoUBUNTU: Ubuntu-4.4.0-75.96
Stefan Bader [Thu, 20 Apr 2017 07:53:52 +0000 (09:53 +0200)]
UBUNTU: Ubuntu-4.4.0-75.96

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoDrivers: hv: util: move waiting for release to hv_utils_transport itself
Vitaly Kuznetsov [Thu, 13 Apr 2017 21:09:00 +0000 (23:09 +0200)]
Drivers: hv: util: move waiting for release to hv_utils_transport itself

BugLink: http://bugs.launchpad.net/bugs/1682561
Waiting for release_event in all three drivers introduced issues on release
as on_reset() hook is not always called. E.g. if the device was never
opened we will never get the completion.

Move the waiting code to hvutil_transport_destroy() and make sure it is
only called when the device is open. hvt->lock serialization should
guarantee the absence of races.

Fixes: 5a66fecbf6aa ("Drivers: hv: util: kvp: Fix a rescind processing issue")
Fixes: 20951c7535b5 ("Drivers: hv: util: Fcopy: Fix a rescind processing issue")
Fixes: d77044d142e9 ("Drivers: hv: util: Backup: Fix a rescind processing issue")
Reported-by: Dexuan Cui <decui@microsoft.com>
Tested-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e9c18ae6eb2b312f16c63e34b43ea23926daa398)
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoUBUNTU: Start new release
Stefan Bader [Wed, 19 Apr 2017 15:14:25 +0000 (17:14 +0200)]
UBUNTU: Start new release

Ignore: yes
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoUBUNTU: Ubuntu-4.4.0-74.95
Stefan Bader [Wed, 12 Apr 2017 08:51:32 +0000 (10:51 +0200)]
UBUNTU: Ubuntu-4.4.0-74.95

7 years agoDrivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
Vitaly Kuznetsov [Tue, 11 Apr 2017 23:42:00 +0000 (01:42 +0200)]
Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

BugLink: http://bugs.launchpad.net/bugs/1681893
DoS protection conditions were altered in WS2016 and now it's easy to get
-EAGAIN returned from vmbus_post_msg() (e.g. when we try changing MTU on a
netvsc device in a loop). All vmbus_post_msg() callers don't retry the
operation and we usually end up with a non-functional device or crash.

While host's DoS protection conditions are unknown to me my tests show that
it can take up to 10 seconds before the message is sent so doing udelay()
is not an option, we really need to sleep. Almost all vmbus_post_msg()
callers are ready to sleep but there is one special case:
vmbus_initiate_unload() which can be called from interrupt/NMI context and
we can't sleep there. I'm also not sure about the lonely
vmbus_send_tl_connect_request() which has no in-tree users but its external
users are most likely waiting for the host to reply so sleeping there is
also appropriate.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c0bb03924f1a80e7f65900e36c8e6b3dc167c5f8)
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Marcelo Cerri <marcelo.cerri@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoUBUNTU: Start new release
Stefan Bader [Wed, 12 Apr 2017 08:30:03 +0000 (10:30 +0200)]
UBUNTU: Start new release

Ignore: yes
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
7 years agoUBUNTU: Ubuntu-4.4.0-73.94
Thadeu Lima de Souza Cascardo [Thu, 6 Apr 2017 11:29:29 +0000 (12:29 +0100)]
UBUNTU: Ubuntu-4.4.0-73.94

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agosctp: deny peeloff operation on asocs with threads sleeping on it
Marcelo Ricardo Leitner [Tue, 21 Mar 2017 19:54:15 +0000 (16:54 -0300)]
sctp: deny peeloff operation on asocs with threads sleeping on it

commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
attempted to avoid a BUG_ON call when the association being used for a
sendmsg() is blocked waiting for more sndbuf and another thread did a
peeloff operation on such asoc, moving it to another socket.

As Ben Hutchings noticed, then in such case it would return without
locking back the socket and would cause two unlocks in a row.

Further analysis also revealed that it could allow a double free if the
application managed to peeloff the asoc that is created during the
sendmsg call, because then sctp_sendmsg() would try to free the asoc
that was created only for that call.

This patch takes another approach. It will deny the peeloff operation
if there is a thread sleeping on the asoc, so this situation doesn't
exist anymore. This avoids the issues described above and also honors
the syscalls that are already being handled (it can be multiple sendmsg
calls).

Joint work with Xin Long.

Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
Cc: Alexander Popov <alex.popov@linux.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit dfcb9f4f99f1e9a49e43398a7bfbf56927544af1)
CVE-2017-6353
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
7 years agoUBUNTU: [Config] NLS_ISO8859_1=y
Paolo Pisati [Wed, 29 Mar 2017 13:53:07 +0000 (15:53 +0200)]
UBUNTU: [Config] NLS_ISO8859_1=y

BugLink: http://bugs.launchpad.net/bugs/1677230
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list
Tim Gardner [Mon, 3 Apr 2017 16:07:30 +0000 (17:07 +0100)]
UBUNTU: [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

BugLink: http://bugs.launchpad.net/bugs/1678099
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: SAUCE: apparmor: fix link auditing failure due to, uninitialized var
John Johansen [Fri, 31 Mar 2017 13:25:36 +0000 (06:25 -0700)]
UBUNTU: SAUCE: apparmor: fix link auditing failure due to, uninitialized var

The lperms struct is uninitialized for use with auditing if there is
an early failure due to a path name error. This can result in incorrect
logging or in the extreme case apparmor killing the task with a signal
which results in the failure in the referenced bug.

BugLink: http://bugs.launchpad.net/bugs/1664912
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: SAUCE: fix regression with domain change in complain mode
John Johansen [Fri, 31 Mar 2017 13:25:35 +0000 (06:25 -0700)]
UBUNTU: SAUCE: fix regression with domain change in complain mode

The patch
Fix no_new_privs blocking change_onexec when using stacked namespaces

changed when the no_new_privs checks is processed so the test could
be correctly applied in a stacked profile situation.

However it changed the behavior of the error returned in complain mode,
which will have both @error and @new set.

Fix this by introducing a new var to indicate the no_new_privs condition
instead of relying on error. While doing this allow the new label under
no new privs to be audited, by having its reference put in the error path,
instead of in the no_new_privs condition check.

BugLink: http://bugs.launchpad.net/bugs/1661030
BugLink: http://bugs.launchpad.net/bugs/1648903
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
7 years agoUBUNTU: SAUCE: apparmor: null profiles should inherit parent control flags
John Johansen [Fri, 31 Mar 2017 13:25:34 +0000 (06:25 -0700)]
UBUNTU: SAUCE: apparmor: null profiles should inherit parent control flags

null profiles that don't have the same control flags as the parent
behave in unexpected ways and can cause failures.

BugLink: http://bugs.launchpad.net/bugs/1656121
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: SAUCE: apparmor: fix ns ref count link when removing profiles from policy
John Johansen [Fri, 31 Mar 2017 13:25:33 +0000 (06:25 -0700)]
UBUNTU: SAUCE: apparmor: fix ns ref count link when removing profiles from policy

BugLink: http://bugs.launchpad.net/bugs/1660849
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked...
John Johansen [Fri, 31 Mar 2017 13:25:32 +0000 (06:25 -0700)]
UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked namespaces

Push the no_new_privs logic into the per profile transition fns, so
that the no_new_privs check can be done at the ns level instead of the
aggregate stack level.

BugLink: http://bugs.launchpad.net/bugs/1648143
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails
John Johansen [Fri, 31 Mar 2017 13:25:31 +0000 (06:25 -0700)]
UBUNTU: SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

Bind mounts can oops when devname lookup fails because the devname is
uninitialized and used in auditing the denial.

BugLink: http://bugs.launchpad.net/bugs/1660840
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: SAUCE: apparmor: Don't audit denied access of special apparmor .null file
John Johansen [Fri, 31 Mar 2017 13:25:30 +0000 (06:25 -0700)]
UBUNTU: SAUCE: apparmor: Don't audit denied access of special apparmor .null file

When an fd is disallowed from being inherited during exec, instead of
closed it is duped to a special apparmor/.null file. This prevents the
fd from being reused by another file in case the application expects
the original file on a give fd (eg stdin/stdout etc). This results in
a denial message like
[32375.561535] audit: type=1400 audit(1478825963.441:358): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" name="/dev/pts/1" pid=16795 comm="dhclient" requested_mask="wr" denied_mask="wr" fsuid=165536 ouid=165536

Further access to the fd is resultin in the rather useless denial message
of
[32375.566820] audit: type=1400 audit(1478825963.445:359): apparmor="DENIED" operation="file_perm" namespace="root//lxd-t_<var-lib-lxd>" profile="/sbin/dhclient" name="/apparmor/.null" pid=16795 comm="dhclient" requested_mask="w" denied_mask="w" fsuid=165536 ouid=0

since we have the original denial, the noisy and useless .null based
denials can be skipped.

BugLink: http://bugs.launchpad.net/bugs/1660836
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: SAUCE: apparmor: fix label leak when new label is unused
John Johansen [Fri, 31 Mar 2017 13:25:29 +0000 (06:25 -0700)]
UBUNTU: SAUCE: apparmor: fix label leak when new label is unused

When a new label is created, it is created with a proxy in a circular
ref count that is broken by replacement. However if the label is not
used it will never be replaced and the circular ref count will never
be broken resulting in a leak.

BugLink: http://bugs.launchpad.net/bugs/1660834
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: SAUCE: apparmor: fix reference count bug in label_merge_insert()
John Johansen [Fri, 31 Mar 2017 13:25:28 +0000 (06:25 -0700)]
UBUNTU: SAUCE: apparmor: fix reference count bug in label_merge_insert()

@new does not have a reference taken locally and should not have its
reference put locally either.

BugLink: http://bugs.launchpad.net/bugs/1660833
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: SAUCE: apparmor: fix replacement race in reading rawdata
John Johansen [Fri, 31 Mar 2017 13:25:27 +0000 (06:25 -0700)]
UBUNTU: SAUCE: apparmor: fix replacement race in reading rawdata

The reading of rawdata is subject to a replacement race when the
rawdata is read in chunks smaller than the data size.

For each read the profile proxy is rechecked for the newest profile;
Which means if a profile is replaced between reads later chunks will
contain data from the new version of the profile while the earlier
reads will contain data from the previous version. This can result in
data that is inconsistent and corrupt.

Instead of rechecking for the current profile at each read. Get the
current profile at the time of the open and use the rawdata of the
profile for the lifetime that the file handle is open.

BugLink: http://bugs.launchpad.net/bugs/1638996
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoUBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets
John Johansen [Fri, 31 Mar 2017 13:25:26 +0000 (06:25 -0700)]
UBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets

When using nested namespaces policy within the nested namespace is trying
to cross validate with policy outside of the namespace that is not
visible to it. This results the access being denied and with no way to
add a rule to policy that would allow it.

The check should only be done again policy that is visible.

BugLink: http://bugs.launchpad.net/bugs/1660832
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
7 years agoLinux 4.4.59
Greg Kroah-Hartman [Fri, 31 Mar 2017 08:17:09 +0000 (10:17 +0200)]
Linux 4.4.59

BugLink: http://bugs.launchpad.net/bugs/1678960
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>