commit 4cc3d6bf0b9a6df46702b73c0b99c300b4373897 Author: Jiri Slaby Date: Mon Jan 25 12:43:57 2016 +0100 Linux 3.12.53 commit 354b254af5c1350de9586af75fe5a821b35bfb33 Author: Ben Hutchings Date: Sun Nov 1 16:22:53 2015 +0000 ppp, slip: Validate VJ compression slot parameters completely commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae upstream. Currently slhc_init() treats out-of-range values of rslots and tslots as equivalent to 0, except that if tslots is too large it will dereference a null pointer (CVE-2015-7799). Add a range-check at the top of the function and make it return an ERR_PTR() on error instead of NULL. Change the callers accordingly. Compile-tested only. Reported-by: 郭永刚 References: http://article.gmane.org/gmane.comp.security.oss.general/17908 Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit a4c5c2262fc842e0323043a23a84be706760d628 Author: Ben Hutchings Date: Sun Nov 1 16:21:24 2015 +0000 isdn_ppp: Add checks for allocation failure in isdn_ppp_open() commit 0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 upstream. Compile-tested only. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 0d279e487bfe3fb454611eb287e50463656a5072 Author: Vineet Gupta Date: Sat Nov 14 12:58:53 2015 +0530 ARC: Fix silly typo in MAINTAINERS file commit 30b9dbee895ff0d5cbf155bd1ef3f0f5992bca6f upstream. Signed-off-by: Jiri Slaby commit 2e465cd8cc0141cc897e4accfe71335bc1995858 Author: Vineet Gupta Date: Mon Oct 26 10:52:57 2015 +0530 MAINTAINERS: Add public mailing list for ARC commit 9acdc911b55569145034b01075adf658891afbd2 upstream. Signed-off-by: Vineet Gupta Signed-off-by: Jiri Slaby commit dee2c7a904e66fc6a16d6af91da98d1fd52bcdee Author: Takashi Iwai Date: Wed Nov 4 22:39:16 2015 +0100 ALSA: hda - Apply pin fixup for HP ProBook 6550b commit c932b98c1e47312822d911c1bb76e81ef50e389c upstream. HP ProBook 6550b needs the same pin fixup applied to other HP B-series laptops with docks for making its headphone and dock headphone jacks working properly. We just need to add the codec SSID to the list. Bugzilla: https://bugzilla.kernel.org/attachment.cgi?id=191971 Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 24986281035c2470caf8d637919b0b3b5e0adcb8 Author: Alexandra Yates Date: Wed Nov 4 15:56:09 2015 -0800 ALSA: hda - Add Intel Lewisburg device IDs Audio commit 5cf92c8b3dc5da59e05dc81bdc069cedf6f38313 upstream. Adding Intel codename Lewisburg platform device IDs for audio. [rearranged the position by tiwai] Signed-off-by: Alexandra Yates Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit e45713934b8ed19373443d74eb4ac4c0642b3e68 Author: Jan Stancek Date: Tue Dec 8 13:57:51 2015 -0500 ipmi: move timer init to before irq is setup commit 27f972d3e00b50639deb4cc1392afaeb08d3cecc upstream. We encountered a panic on boot in ipmi_si on a dell per320 due to an uninitialized timer as follows. static int smi_start_processing(void *send_info, ipmi_smi_t intf) { /* Try to claim any interrupts. */ if (new_smi->irq_setup) new_smi->irq_setup(new_smi); --> IRQ arrives here and irq handler tries to modify uninitialized timer which triggers BUG_ON(!timer->function) in __mod_timer(). Call Trace: [] start_new_msg+0x47/0x80 [ipmi_si] [] start_check_enables+0x4e/0x60 [ipmi_si] [] smi_event_handler+0x1e8/0x640 [ipmi_si] [] ? __rcu_process_callbacks+0x54/0x350 [] si_irq_handler+0x3c/0x60 [ipmi_si] [] handle_IRQ_event+0x60/0x170 [] handle_edge_irq+0xde/0x180 [] handle_irq+0x49/0xa0 [] do_IRQ+0x6c/0xf0 [] ret_from_intr+0x0/0x11 /* Set up the timer that drives the interface. */ setup_timer(&new_smi->si_timer, smi_timeout, (long)new_smi); The following patch fixes the problem. To: Openipmi-developer@lists.sourceforge.net To: Corey Minyard CC: linux-kernel@vger.kernel.org Signed-off-by: Jan Stancek Signed-off-by: Tony Camuso Signed-off-by: Corey Minyard Signed-off-by: Jiri Slaby commit a9166cbdee829d53723cf9324da0951ff9dd6802 Author: H.J. Lu Date: Mon Jan 4 10:17:09 2016 -0800 x86/boot: Double BOOT_HEAP_SIZE to 64KB commit 8c31902cffc4d716450be549c66a67a8a3dd479c upstream. When decompressing kernel image during x86 bootup, malloc memory for ELF program headers may run out of heap space, which leads to system halt. This patch doubles BOOT_HEAP_SIZE to 64KB. Tested with 32-bit kernel which failed to boot without this patch. Signed-off-by: H.J. Lu Acked-by: H. Peter Anvin Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Jiri Slaby commit 5dbeb6d5d20d4a037b68a1c75c13bdc88c1566e2 Author: Mario Kleiner Date: Fri Dec 18 20:24:06 2015 +0100 x86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[] commit 2f0c0b2d96b1205efb14347009748d786c2d9ba5 upstream. Without the reboot=pci method, the iMac 10,1 simply hangs after printing "Restarting system" at the point when it should reboot. This fixes it. Signed-off-by: Mario Kleiner Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Dave Jones Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1450466646-26663-1-git-send-email-mario.kleiner.de@gmail.com Signed-off-by: Ingo Molnar Signed-off-by: Jiri Slaby commit 32b1c9d19dbe74b98e572745bbd2452d6a1b6b09 Author: Paul Mackerras Date: Thu Nov 12 16:43:02 2015 +1100 KVM: PPC: Book3S HV: Prohibit setting illegal transaction state in MSR commit c20875a3e638e4a03e099b343ec798edd1af5cc6 upstream. Currently it is possible for userspace (e.g. QEMU) to set a value for the MSR for a guest VCPU which has both of the TS bits set, which is an illegal combination. The result of this is that when we execute a hrfid (hypervisor return from interrupt doubleword) instruction to enter the guest, the CPU will take a TM Bad Thing type of program interrupt (vector 0x700). Now, if PR KVM is configured in the kernel along with HV KVM, we actually handle this without crashing the host or giving hypervisor privilege to the guest; instead what happens is that we deliver a program interrupt to the guest, with SRR0 reflecting the address of the hrfid instruction and SRR1 containing the MSR value at that point. If PR KVM is not configured in the kernel, then we try to run the host's program interrupt handler with the MMU set to the guest context, which almost certainly causes a host crash. This closes the hole by making kvmppc_set_msr_hv() check for the illegal combination and force the TS field to a safe value (00, meaning non-transactional). Signed-off-by: Paul Mackerras Signed-off-by: Jiri Slaby commit 81e78751c716bad9c91161571c970f3d499d4124 Author: Ouyang Zhaowei (Charles) Date: Wed May 6 09:47:04 2015 +0800 x86/xen: don't reset vcpu_info on a cancelled suspend commit 6a1f513776b78c994045287073e55bae44ed9f8c upstream. On a cancelled suspend the vcpu_info location does not change (it's still in the per-cpu area registered by xen_vcpu_setup()). So do not call xen_hvm_init_shared_info() which would make the kernel think its back in the shared info. With the wrong vcpu_info, events cannot be received and the domain will hang after a cancelled suspend. Signed-off-by: Charles Ouyang Reviewed-by: Boris Ostrovsky Signed-off-by: David Vrabel Signed-off-by: Jiri Slaby commit b25820cd9b83637998a7a790f0b4ac5e34b5cbdc Author: Boris Ostrovsky Date: Tue Nov 10 15:10:33 2015 -0500 xen/gntdev: Grant maps should not be subject to NUMA balancing commit 9c17d96500f78d7ecdb71ca6942830158bc75a2b upstream. Doing so will cause the grant to be unmapped and then, during fault handling, the fault to be mistakenly treated as NUMA hint fault. In addition, even if those maps could partcipate in NUMA balancing, it wouldn't provide any benefit since we are unable to determine physical page's node (even if/when VNUMA is implemented). Marking grant maps' VMAs as VM_IO will exclude them from being part of NUMA balancing. Signed-off-by: Boris Ostrovsky Signed-off-by: David Vrabel Signed-off-by: Jiri Slaby commit ee5c3e7fa7af0cad695f5adc6c1ace432935520a Author: Dmitry V. Levin Date: Tue Dec 1 00:54:36 2015 +0300 x86/signal: Fix restart_syscall number for x32 tasks commit 22eab1108781eff09961ae7001704f7bd8fb1dce upstream. When restarting a syscall with regs->ax == -ERESTART_RESTARTBLOCK, regs->ax is assigned to a restart_syscall number. For x32 tasks, this syscall number must have __X32_SYSCALL_BIT set, otherwise it will be an x86_64 syscall number instead of a valid x32 syscall number. This issue has been there since the introduction of x32. Reported-by: strace/tests/restart_syscall.test Reported-and-tested-by: Elvira Khabirova Signed-off-by: Dmitry V. Levin Cc: Elvira Khabirova Link: http://lkml.kernel.org/r/20151130215436.GA25996@altlinux.org Signed-off-by: Thomas Gleixner Signed-off-by: Jiri Slaby commit c3bfbecb1bb575278ce4812746a29c04875a2926 Author: Eric Dumazet Date: Wed Dec 30 08:51:12 2015 -0500 udp: properly support MSG_PEEK with truncated buffers commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 upstream. Backport of this upstream commit into stable kernels : 89c22d8c3b27 ("net: Fix skb csum races when peeking") exposed a bug in udp stack vs MSG_PEEK support, when user provides a buffer smaller than skb payload. In this case, skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov); returns -EFAULT. This bug does not happen in upstream kernels since Al Viro did a great job to replace this into : skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); This variant is safe vs short buffers. For the time being, instead reverting Herbert Xu patch and add back skb->ip_summed invalid changes, simply store the result of udp_lib_checksum_complete() so that we avoid computing the checksum a second time, and avoid the problematic skb_copy_and_csum_datagram_iovec() call. This patch can be applied on recent kernels as it avoids a double checksumming, then backported to stable kernels as a bug fix. Signed-off-by: Eric Dumazet Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 6849cd97b0511913e17ef8bb53bd5558c4b51fc8 Author: Yevgeny Pats Date: Tue Jan 19 22:09:04 2016 +0000 KEYS: Fix keyring ref leak in join_session_keyring() commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 upstream. This fixes CVE-2016-0728. If a thread is asked to join as a session keyring the keyring that's already set as its session, we leak a keyring reference. This can be tested with the following program: #include #include #include #include int main(int argc, const char *argv[]) { int i = 0; key_serial_t serial; serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring"); if (serial < 0) { perror("keyctl"); return -1; } if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL) < 0) { perror("keyctl"); return -1; } for (i = 0; i < 100; i++) { serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring"); if (serial < 0) { perror("keyctl"); return -1; } } return 0; } If, after the program has run, there something like the following line in /proc/keys: 3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty with a usage count of 100 * the number of times the program has been run, then the kernel is malfunctioning. If leaked-keyring has zero usages or has been garbage collected, then the problem is fixed. Reported-by: Yevgeny Pats Signed-off-by: David Howells Acked-by: Don Zickus Acked-by: Prarit Bhargava Acked-by: Jarod Wilson Signed-off-by: James Morris Signed-off-by: Jiri Slaby commit 2d783600fdeafa5d7e5079c7aa79212116f60e51 Author: David Howells Date: Fri Dec 18 01:34:26 2015 +0000 KEYS: Fix race between read and revoke commit b4a1b4f5047e4f54e194681125c74c0aa64d637d upstream. This fixes CVE-2015-7550. There's a race between keyctl_read() and keyctl_revoke(). If the revoke happens between keyctl_read() checking the validity of a key and the key's semaphore being taken, then the key type read method will see a revoked key. This causes a problem for the user-defined key type because it assumes in its read method that there will always be a payload in a non-revoked key and doesn't check for a NULL pointer. Fix this by making keyctl_read() check the validity of a key after taking semaphore instead of before. I think the bug was introduced with the original keyrings code. This was discovered by a multithreaded test program generated by syzkaller (http://github.com/google/syzkaller). Here's a cleaned up version: #include #include #include void *thr0(void *arg) { key_serial_t key = (unsigned long)arg; keyctl_revoke(key); return 0; } void *thr1(void *arg) { key_serial_t key = (unsigned long)arg; char buffer[16]; keyctl_read(key, buffer, 16); return 0; } int main() { key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING); pthread_t th[5]; pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key); pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key); pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key); pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key); pthread_join(th[0], 0); pthread_join(th[1], 0); pthread_join(th[2], 0); pthread_join(th[3], 0); return 0; } Build as: cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread Run as: while keyctl-race; do :; done as it may need several iterations to crash the kernel. The crash can be summarised as: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 IP: [] user_read+0x56/0xa3 ... Call Trace: [] keyctl_read_key+0xb6/0xd7 [] SyS_keyctl+0x83/0xe0 [] entry_SYSCALL_64_fastpath+0x12/0x6f Reported-by: Dmitry Vyukov Signed-off-by: David Howells Tested-by: Dmitry Vyukov Signed-off-by: James Morris Signed-off-by: Jiri Slaby commit 43d444274cefce387585b71c61695f54e7c21c96 Author: Adrien Vergé Date: Tue Nov 24 16:02:04 2015 +0100 USB: quirks: Fix another ELAN touchscreen commit df36c5bede207f734e4750beb2b14fb892050280 upstream. Like other buggy models that had their fixes [1], the touchscreen with id 04f3:21b8 from ELAN Microelectronics needs the device-qualifier quirk. Otherwise, it fails to respond, blocks the boot for a random amount of time and pollutes dmesg with: [ 2887.373196] usb 1-5: new full-speed USB device number 41 using xhci_hcd [ 2889.502000] usb 1-5: unable to read config index 0 descriptor/start: -71 [ 2889.502005] usb 1-5: can't read configurations, error -71 [ 2889.654571] usb 1-5: new full-speed USB device number 42 using xhci_hcd [ 2891.783438] usb 1-5: unable to read config index 0 descriptor/start: -71 [ 2891.783443] usb 1-5: can't read configurations, error -71 [1]: See commits c68929f, 876af5d, d749947, a32c99e and dc703ec. Tested-by: Adrien Vergé Signed-off-by: Adrien Vergé Signed-off-by: Greg Kroah-Hartman Cc: Oliver Neukum Signed-off-by: Jiri Slaby commit 6b1a4c8425acde6b3725e9ca5dc7af544c656fda Author: Karl Heiss Date: Thu Sep 24 12:15:07 2015 -0400 sctp: Prevent soft lockup when sctp_accept() is called during a timeout event commit 635682a14427d241bab7bbdeebb48a7d7b91638e upstream. A case can occur when sctp_accept() is called by the user during a heartbeat timeout event after the 4-way handshake. Since sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the bh_sock_lock in sctp_generate_heartbeat_event() will be taken with the listening socket but released with the new association socket. The result is a deadlock on any future attempts to take the listening socket lock. Note that this race can occur with other SCTP timeouts that take the bh_lock_sock() in the event sctp_accept() is called. BUG: soft lockup - CPU#9 stuck for 67s! [swapper:0] ... RIP: 0010:[] [] _spin_lock+0x1e/0x30 RSP: 0018:ffff880028323b20 EFLAGS: 00000206 RAX: 0000000000000002 RBX: ffff880028323b20 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff880028323be0 RDI: ffff8804632c4b48 RBP: ffffffff8100bb93 R08: 0000000000000000 R09: 0000000000000000 R10: ffff880610662280 R11: 0000000000000100 R12: ffff880028323aa0 R13: ffff8804383c3880 R14: ffff880028323a90 R15: ffffffff81534225 FS: 0000000000000000(0000) GS:ffff880028320000(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b CR2: 00000000006df528 CR3: 0000000001a85000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process swapper (pid: 0, threadinfo ffff880616b70000, task ffff880616b6cab0) Stack: ffff880028323c40 ffffffffa01c2582 ffff880614cfb020 0000000000000000 0100000000000000 00000014383a6c44 ffff8804383c3880 ffff880614e93c00 ffff880614e93c00 0000000000000000 ffff8804632c4b00 ffff8804383c38b8 Call Trace: [] ? sctp_rcv+0x492/0xa10 [sctp] [] ? nf_iterate+0x69/0xb0 [] ? ip_local_deliver_finish+0x0/0x2d0 [] ? nf_hook_slow+0x76/0x120 [] ? ip_local_deliver_finish+0x0/0x2d0 [] ? ip_local_deliver_finish+0xdd/0x2d0 [] ? ip_local_deliver+0x98/0xa0 [] ? ip_rcv_finish+0x12d/0x440 [] ? ip_rcv+0x275/0x350 [] ? __netif_receive_skb+0x4ab/0x750 ... With lockdep debugging: ===================================== [ BUG: bad unlock balance detected! ] ------------------------------------- CslRx/12087 is trying to release lock (slock-AF_INET) at: [] sctp_generate_timeout_event+0x40/0xe0 [sctp] but there are no more locks to release! other info that might help us debug this: 2 locks held by CslRx/12087: #0: (&asoc->timers[i]){+.-...}, at: [] run_timer_softirq+0x16f/0x3e0 #1: (slock-AF_INET){+.-...}, at: [] sctp_generate_timeout_event+0x23/0xe0 [sctp] Ensure the socket taken is also the same one that is released by saving a copy of the socket before entering the timeout event critical section. Signed-off-by: Karl Heiss Signed-off-by: David S. Miller Cc: Ben Hutchings Signed-off-by: Jiri Slaby commit 6415eac837c3d1baa9f80d87bbad1e2fef0eab5a Author: Finn Thain Date: Mon Jan 13 00:56:38 2014 +1100 m68k/mac: Make SCC reset work more reliably commit 56931d73697c99ecf7aba6ae86c94d3a2d15d596 upstream. For SCC initialization we cannot assume that the control register is in the correct state to accept a register pointer. So first read from the control register in order to "sync" up. Signed-off-by: Finn Thain Signed-off-by: Geert Uytterhoeven Cc: Oliver Neukum Signed-off-by: Jiri Slaby commit fbe21cee2531ce936d26561f3a507823935514ab Author: Geert Uytterhoeven Date: Tue Dec 10 11:35:47 2013 +0100 m68k/mm: Check for mm != NULL in do_page_fault() debug code commit 4e25c0e92f8eaf69bc51d1d523bcb7268e7dd162 upstream. When DEBUG is enabled, do_page_fault() may dereference a NULL pointer, causing recursive bus errors. Signed-off-by: Geert Uytterhoeven Cc: Oliver Neukum Signed-off-by: Jiri Slaby commit 598881da2122c95d2558927f0c3f09c0d283e895 Author: Kirill A. Shutemov Date: Thu Nov 14 14:31:18 2013 -0800 m32r: fix potential NULL-pointer dereference commit fecf3743b824ce4eb275ed4a1d6aee9494f6a966 upstream. Add missing check for memory allocation fail. Signed-off-by: Kirill A. Shutemov Cc: Hirokazu Takata Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Oliver Neukum Signed-off-by: Jiri Slaby commit ae36e1e259f167bb60a22e0fd3e76749e28c0614 Author: Scott Jiang Date: Mon Sep 16 00:53:09 2013 -0400 pm: use GFP_ATOMIC when pm core call this function commit aefefe92116b776203f95f3249ae61b94f73f170 upstream. We shouldn't sleep in atomic sections. Signed-off-by: Scott Jiang Cc: Oliver Neukum Signed-off-by: Jiri Slaby commit 39c9944afb08c26ff36ae1967497d44fcf5a87ed Author: Salva Peiró Date: Wed Oct 14 17:48:02 2015 +0200 staging/dgnc: fix info leak in ioctl commit 4b6184336ebb5c8dc1eae7f7ab46ee608a748b05 upstream. The dgnc_mgmt_ioctl() code fails to initialize the 16 _reserved bytes of struct digi_dinfo after the ->dinfo_nboards member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Salva Peiró Signed-off-by: Greg Kroah-Hartman Cc: Yuki Machida Signed-off-by: Jiri Slaby commit 1bf7e534ba65babb46a3d7f3cd9b3bdf41c27a4a Author: Rusty Russell Date: Mon Feb 3 11:15:13 2014 +1030 module: remove MODULE_GENERIC_TABLE commit cff26a51da5d206d3baf871e75778da44710219d upstream. MODULE_DEVICE_TABLE() calles MODULE_GENERIC_TABLE(); make it do the work directly. This also removes a wart introduced in the last patch, where the alias is defined to be an unknown struct type "struct type##__##name##_device_id" instead of "struct type##_device_id" (it's an extern so GCC doesn't care, but it's wrong). The other user of MODULE_GENERIC_TABLE (ISAPNP_CARD_TABLE) is unused, so delete it. Bryan: gcc v3.3.2 cares Signed-off-by: Rusty Russell Cc: Bryan Kadzban Signed-off-by: Jiri Slaby commit dd696629cf19191ac3e2a65643698e5b8916c68b Author: Saurav Kashyap Date: Wed Jun 10 11:05:17 2015 -0400 qla2xxx: Fix hardware lock/unlock issue causing kernel panic. commit ba9f6f64a0ff6b7ecaed72144c179061f8eca378 upstream. This patch fixes a kernel panic for qla2xxx Target core Module driver introduced by a fix in the qla2xxx initiator code. Commit ef86cb2 ("qla2xxx: Mark port lost when we receive an RSCN for it.") introduced the regression for qla2xxx Target driver. Stack trace will have following signature --- --- [ffff88081faa3cc8] _raw_spin_lock_irqsave at ffffffff815b1f03 [ffff88081faa3cd0] qlt_fc_port_deleted at ffffffffa096ccd0 [qla2xxx] [ffff88081faa3d20] qla2x00_schedule_rport_del at ffffffffa0913831[qla2xxx] [ffff88081faa3d50] qla2x00_mark_device_lost at ffffffffa09159c5[qla2xxx] [ffff88081faa3db0] qla2x00_async_event at ffffffffa0938d59 [qla2xxx] [ffff88081faa3e30] qla24xx_msix_default at ffffffffa093a326 [qla2xxx] [ffff88081faa3e90] handle_irq_event_percpu at ffffffff810a7b8d [ffff88081faa3ee0] handle_irq_event at ffffffff810a7d32 [ffff88081faa3f10] handle_edge_irq at ffffffff810ab6b9 [ffff88081faa3f30] handle_irq at ffffffff8100619c [ffff88081faa3f70] do_IRQ at ffffffff815b4b1c --- --- Signed-off-by: Saurav Kashyap Signed-off-by: Himanshu Madhani Reviewed-by: Nicholas Bellinger Signed-off-by: Nicholas Bellinger Cc: Michal Marek Fixes: ef86cb205 ("qla2xxx: Mark port lost when we receive an RSCN for it.") Signed-off-by: Jiri Slaby commit a7c0ba06670f99c252d5bb74258dddbf50fef837 Author: Vladis Dronov Date: Tue Dec 1 13:09:17 2015 -0800 Input: aiptek - fix crash on detecting device without endpoints commit 8e20cf2bce122ce9262d6034ee5d5b76fbb92f96 upstream. The aiptek driver crashes in aiptek_probe() when a specially crafted USB device without endpoints is detected. This fix adds a check that the device has proper configuration expected by the driver. Also an error return value is changed to more matching one in one of the error paths. Reported-by: Ralf Spenneberg Signed-off-by: Vladis Dronov Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 052bd81382379ccaf002ae7a0c3d4ff6f058428b Author: Hannes Reinecke Date: Thu Nov 26 08:46:57 2015 +0100 block: Always check queue limits for cloned requests commit bf4e6b4e757488dee1b6a581f49c7ac34cd217f8 upstream. When a cloned request is retried on other queues it always needs to be checked against the queue limits of that queue. Otherwise the calculations for nr_phys_segments might be wrong, leading to a crash in scsi_init_sgtable(). To clarify this the patch renames blk_rq_check_limits() to blk_cloned_rq_check_limits() and removes the symbol export, as the new function should only be used for cloned requests and never exported. Cc: Mike Snitzer Cc: Ewan Milne Cc: Jeff Moyer Signed-off-by: Hannes Reinecke Fixes: e2a60da74 ("block: Clean up special command handling logic") Acked-by: Mike Snitzer Signed-off-by: Jens Axboe Signed-off-by: Jiri Slaby commit 5a8fe8431e479268502daaa4265ee1a7644f1c7d Author: James Smart Date: Tue Apr 7 15:07:20 2015 -0400 lpfc: Fix null ndlp dereference in target_reset_handler commit 63e480fd2f598e9ad37f89e79c36834e7dd60ba0 upstream. Signed-off-by: Dick Kennedy Signed-off-by: James Smart Reviewed-by: Hannes Reinecke Signed-off-by: James Bottomley Acked-by: Johannes Thumshirn Signed-off-by: Jiri Slaby commit e6a19aae9192e71b33cd94da2508ed9ae29f2fe2 Author: Chris Wilson Date: Fri Sep 12 07:37:42 2014 +0100 drm/i915: Fix SRC_COPY width on 830/845g commit 611a7a4fd8b5fb6b25ab1f8bdcde61800a7feacf upstream. One small change I forgot to make in commit c4d69da167fa967749aeb70bc0e94a457e5d00c1 Author: Chris Wilson Date: Mon Sep 8 14:25:41 2014 +0100 drm/i915: Evict CS TLBs between batches was to update the copy width for the compact BLT copy instruction. Reported-by: Thomas Richter Signed-off-by: Chris Wilson Cc: Thomas Richter Cc: Jani Nikula Tested-by: Thomas Richter Acked-by: Daniel Vetter Signed-off-by: Jani Nikula Signed-off-by: Jiri Slaby commit 171ba055c5d8d36e9bd8fb6d442b09cd688e24fe Author: Corey Minyard Date: Wed Jul 16 14:07:13 2014 -0500 ring-buffer: Always run per-cpu ring buffer resize with schedule_work_on() commit 021c5b34452d52e51664f09b98cd50c5495e74b6 upstream. The code for resizing the trace ring buffers has to run the per-cpu resize on the CPU itself. The code was using preempt_off() and running the code for the current CPU directly, otherwise calling schedule_work_on(). At least on RT this could result in the following: |BUG: sleeping function called from invalid context at kernel/rtmutex.c:673 |in_atomic(): 1, irqs_disabled(): 0, pid: 607, name: bash |3 locks held by bash/607: |CPU: 0 PID: 607 Comm: bash Not tainted 3.12.15-rt25+ #124 |(rt_spin_lock+0x28/0x68) |(free_hot_cold_page+0x84/0x3b8) |(free_buffer_page+0x14/0x20) |(rb_update_pages+0x280/0x338) |(ring_buffer_resize+0x32c/0x3dc) |(free_snapshot+0x18/0x38) |(tracing_set_tracer+0x27c/0x2ac) probably via |cd /sys/kernel/debug/tracing/ |echo 1 > events/enable ; sleep 2 |echo 1024 > buffer_size_kb If we just always use schedule_work_on(), there's no need for the preempt_off(). So do that. Link: http://lkml.kernel.org/p/1405537633-31518-1-git-send-email-cminyard@mvista.com Reported-by: Stanislav Meduna Signed-off-by: Corey Minyard Signed-off-by: Steven Rostedt Signed-off-by: Jiri Slaby commit 1e5e5552388516c400586fc95f745a9d1ad60545 Author: Ditang Chen Date: Fri Mar 7 13:27:57 2014 +0800 SUNRPC: Fix oops when trace sunrpc_task events in nfs client commit 2ca310fc4160ed0420da65534a21ae77b24326a8 upstream. When tracking sunrpc_task events in nfs client, the clnt pointer may be NULL. [ 139.269266] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 [ 139.269915] IP: [] ftrace_raw_event_rpc_task_running+0x86/0xf0 [sunrpc] [ 139.269915] PGD 1d293067 PUD 1d294067 PMD 0 [ 139.269915] Oops: 0000 [#1] SMP [ 139.269915] Modules linked in: nfsv4 dns_resolver nfs lockd sunrpc fscache sg ppdev e1000 serio_raw pcspkr parport_pc parport i2c_piix4 i2c_core microcode xfs libcrc32c sd_mod sr_mod cdrom ata_generic crc_t10dif crct10dif_common pata_acpi ahci libahci ata_piix libata dm_mirror dm_region_hash dm_log dm_mod [ 139.269915] CPU: 0 PID: 59 Comm: kworker/0:2 Not tainted 3.10.0-84.el7.x86_64 #1 [ 139.269915] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 139.269915] Workqueue: rpciod rpc_async_schedule [sunrpc] [ 139.269915] task: ffff88001b598000 ti: ffff88001b632000 task.ti: ffff88001b632000 [ 139.269915] RIP: 0010:[] [] ftrace_raw_event_rpc_task_running+0x86/0xf0 [sunrpc] [ 139.269915] RSP: 0018:ffff88001b633d70 EFLAGS: 00010206 [ 139.269915] RAX: ffff88001dfc5338 RBX: ffff88001cc37a00 RCX: ffff88001dfc5334 [ 139.269915] RDX: ffff88001dfc5338 RSI: 0000000000000000 RDI: ffff88001dfc533c [ 139.269915] RBP: ffff88001b633db0 R08: 000000000000002c R09: 000000000000000a [ 139.269915] R10: 0000000000062180 R11: 00000020759fb9dc R12: ffffffffa0292c20 [ 139.269915] R13: ffff88001dfc5334 R14: 0000000000000000 R15: 0000000000000000 [ 139.269915] FS: 0000000000000000(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000 [ 139.269915] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 139.269915] CR2: 0000000000000004 CR3: 000000001d290000 CR4: 00000000000006f0 [ 139.269915] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 139.269915] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 139.269915] Stack: [ 139.269915] 000000001b633d98 0000000000000246 ffff88001df1dc00 ffff88001cc37a00 [ 139.269915] ffff88001bc35e60 0000000000000000 ffff88001ffa0a48 ffff88001bc35ee0 [ 139.269915] ffff88001b633e08 ffffffffa02704b5 0000000000010000 ffff88001cc37a70 [ 139.269915] Call Trace: [ 139.269915] [] __rpc_execute+0x1d5/0x400 [sunrpc] [ 139.269915] [] rpc_async_schedule+0x26/0x30 [sunrpc] [ 139.269915] [] process_one_work+0x17b/0x460 [ 139.269915] [] worker_thread+0x11b/0x400 [ 139.269915] [] ? rescuer_thread+0x3e0/0x3e0 [ 139.269915] [] kthread+0xc0/0xd0 [ 139.269915] [] ? kthread_create_on_node+0x110/0x110 [ 139.269915] [] ret_from_fork+0x7c/0xb0 [ 139.269915] [] ? kthread_create_on_node+0x110/0x110 [ 139.269915] Code: 4c 8b 45 c8 48 8d 7d d0 89 4d c4 41 89 c9 b9 28 00 00 00 e8 9d b4 e9 e0 48 85 c0 49 89 c5 74 a2 48 89 c7 e8 9d 3f e9 e0 48 89 c2 <41> 8b 46 04 48 8b 7d d0 4c 89 e9 4c 89 e6 89 42 0c 0f b7 83 d4 [ 139.269915] RIP [] ftrace_raw_event_rpc_task_running+0x86/0xf0 [sunrpc] [ 139.269915] RSP [ 139.269915] CR2: 0000000000000004 [ 140.946406] ---[ end trace ba486328b98d7622 ]--- Signed-off-by: Ditang Chen Signed-off-by: Trond Myklebust Signed-off-by: Jiri Slaby commit 5519638906c93668aad764644f83172a2442df22 Author: Herbert Xu Date: Tue Apr 28 11:43:15 2015 +0800 route: Use ipv4_mtu instead of raw rt_pmtu commit cb6ccf09d6b94bec4def1ac5cf4678d12b216474 upstream. The commit 3cdaa5be9e81a914e633a6be7b7d2ef75b528562 ("ipv4: Don't increase PMTU with Datagram Too Big message") broke PMTU in cases where the rt_pmtu value has expired but is smaller than the new PMTU value. This obsolete rt_pmtu then prevents the new PMTU value from being installed. Fixes: 3cdaa5be9e81 ("ipv4: Don't increase PMTU with Datagram Too Big message") Reported-by: Gerd v. Egidy Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 563922c43933710e70ac9c28ff1c5d724ddecf07 Author: Li Wei Date: Thu Jan 29 16:09:03 2015 +0800 ipv4: Don't increase PMTU with Datagram Too Big message. commit 3cdaa5be9e81a914e633a6be7b7d2ef75b528562 upstream. RFC 1191 said, "a host MUST not increase its estimate of the Path MTU in response to the contents of a Datagram Too Big message." Signed-off-by: Li Wei Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 8e38535241128cb6b91bac6a115062d325d3c4b4 Author: Bjorn Helgaas Date: Mon Sep 23 15:25:26 2013 -0600 PCI: Drop "setting latency timer" messages commit a006482b67a96c16dfefc558e36863c51e1829bf upstream. This message isn't useful any more, so drop it. Reference: https://bugzilla.kernel.org/show_bug.cgi?id=60636 Reported-by: Oleksil Shevchuk Reference: http://lkml.kernel.org/r/CALCETrWkr53ZjqdN3t7rTTfr=+ZKZXJoYsuBcwPf0kN_33GfAw@mail.gmail.com Reported-by: Andy Lutomirski Signed-off-by: Bjorn Helgaas Signed-off-by: Jiri Slaby commit b7835830beaccae462cedde91d1a4807d2ad8b02 Author: Eric Ren Date: Wed Oct 14 23:28:26 2015 +0800 dlm: make posix locks interruptible commit a6b1533e9a57d76cd3d9b7649d29ac604b1874b8 upstream. Replace wait_event_killable with wait_event_interruptible so that a program waiting for a posix lock can be interrupted by a signal. With the killable version, a program was not interruptible by a signal if it had a signal handler set for it, overriding the default action of terminating the process. Signed-off-by: Eric Ren Signed-off-by: David Teigland Signed-off-by: Jiri Slaby commit 81280c35b66fbaeb6cca74e4a2618eb2428a0f78 Author: Takashi Iwai Date: Wed Dec 9 15:17:43 2015 +0100 ALSA: hda - Fix noise problems on Thinkpad T440s commit 9a811230481243f384b8036c6a558bfdbd961f78 upstream. Lenovo Thinkpad T440s suffers from constant background noises, and it seems to be a generic hardware issue on this model: https://forums.lenovo.com/t5/ThinkPad-T400-T500-and-newer-T/T440s-speaker-noise/td-p/1339883 As the noise comes from the analog loopback path, disabling the path is the easy workaround. Also, the machine gives significant cracking noises at PM suspend. A workaround found by trial-and-error is to disable the shutup callback currently used for ALC269-variant. This patch addresses these noise issues by introducing a new fixup chain. Although the same workaround might be applicable to other Thinkpad models, it's applied only to T440s (17aa:220c) in this patch, so far, just to be safe (you chicken!). As a compromise, a new model option string "tp440" is provided now, though, so that owners of other Thinkpad models can test it more easily. Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=958504 Reported-and-tested-by: Tim Hardeck Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit a4b1c6fd9108c2c35c9f391e9939f8f445d48ee7 Author: Kamal Mostafa Date: Wed Jan 6 15:37:04 2016 -0800 tools: Add a "make all" rule commit f6ba98c5dc78708cb7fd29950c4a50c4c7e88f95 upstream. Signed-off-by: Kamal Mostafa Acked-by: Pavel Machek Cc: Jiri Olsa Cc: Jonathan Cameron Cc: Pali Rohar Cc: Roberta Dobrescu Link: http://lkml.kernel.org/r/1447280736-2161-2-git-send-email-kamal@canonical.com Signed-off-by: Arnaldo Carvalho de Melo [ kamal: backport to 3.12-stable: build all tools for this version ] Signed-off-by: Kamal Mostafa Signed-off-by: Jiri Slaby commit d15adb13198353245e982527750b7f04cca1042b Author: Ingo Molnar Date: Tue Mar 3 07:34:33 2015 +0100 efi: Disable interrupts around EFI calls, not in the epilog/prolog calls commit 23a0d4e8fa6d3a1d7fb819f79bcc0a3739c30ba9 upstream. Tapasweni Pathak reported that we do a kmalloc() in efi_call_phys_prolog() on x86-64 while having interrupts disabled, which is a big no-no, as kmalloc() can sleep. Solve this by removing the irq disabling from the prolog/epilog calls around EFI calls: it's unnecessary, as in this stage we are single threaded in the boot thread, and we don't ever execute this from interrupt contexts. Reported-by: Tapasweni Pathak Signed-off-by: Ingo Molnar Signed-off-by: Matt Fleming [ luis: backported to 3.10: adjusted context ] Signed-off-by: Luis Henriques Signed-off-by: Jiri Slaby