Permalink
Commits on Feb 27, 2017
  1. Merge tag 'v4.4.52' into linux-4.4-at91

    This is the 4.4.52 stable release
    noglitch committed Feb 27, 2017
Commits on Feb 26, 2017
  1. Linux 4.4.52

    gregkh committed Feb 26, 2017
  2. kvm: vmx: ensure VMCS is current while enabling PML

    commit 4e59516 upstream.
    
    Between loading the new VMCS and enabling PML, the CPU was unpinned.
    If the vCPU thread were migrated to another CPU in the interim (e.g.,
    due to preemption or sleeping alloc_page), then the VMWRITEs to enable
    PML would target the wrong VMCS -- or no VMCS at all:
    
      [ 2087.266950] vmwrite error: reg 200e value 3fe1d52000 (err -506126336)
      [ 2087.267062] vmwrite error: reg 812 value 1ff (err 511)
      [ 2087.267125] vmwrite error: reg 401e value 12229c00 (err 304258048)
    
    This patch ensures that the VMCS remains current while enabling PML by
    doing the VMWRITEs while the CPU is pinned. Allocation of the PML buffer
    is hoisted out of the critical section.
    
    Signed-off-by: Peter Feiner <pfeiner@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Cc: "Herongguang (Stephen)" <herongguang.he@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    peterfeiner committed with gregkh Jul 7, 2016
  3. Revert "usb: chipidea: imx: enable CI_HDRC_SET_NON_ZERO_TTHA"

    commit 1bc7da8 upstream.
    
    This reverts commit e765bfb.
    
    In the most of cases, we only use one transaction per frame and the
    frame rate may be high, If the platforms want to support multiple
    transactions but less frame rate cases like [1] and [2], it can set
    "non-zero-ttctrl-ttha" at dts.
    
    [1] http://www.spinics.net/lists/linux-usb/msg123125.html
    [2] http://www.spinics.net/lists/linux-usb/msg118679.html
    
    Signed-off-by: Peter Chen <peter.chen@nxp.com>
    Cc: Martin Fuzzey <mfuzzey@parkeon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Peter Chen committed with gregkh Jan 29, 2016
  4. rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down

    commit 575ddce upstream.
    
    In the function rtl_usb_start we pre-allocate a certain number of urbs
    for RX path but they will not be freed when calling rtl_usb_stop. This
    results in leaking urbs when doing ifconfig up and down. Eventually,
    the system has no available urbs.
    
    Signed-off-by: Michael Schenk <michael.schenk@albis-elcon.com>
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Michael Schenk committed with gregkh Jan 26, 2017
  5. block: fix double-free in the failure path of cgwb_bdi_init()

    commit 5f478e4 upstream.
    
    When !CONFIG_CGROUP_WRITEBACK, bdi has single bdi_writeback_congested
    at bdi->wb_congested.  cgwb_bdi_init() allocates it with kzalloc() and
    doesn't do further initialization.  This usually works fine as the
    reference count gets bumped to 1 by wb_init() and the put from
    wb_exit() releases it.
    
    However, when wb_init() fails, it puts the wb base ref automatically
    freeing the wb and the explicit kfree() in cgwb_bdi_init() error path
    ends up trying to free the same pointer the second time causing a
    double-free.
    
    Fix it by explicitly initilizing the refcnt to 1 and putting the base
    ref from cgwb_bdi_destroy().
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Fixes: a13f35e ("writeback: don't embed root bdi_writeback_congested in bdi_writeback")
    Signed-off-by: Jens Axboe <axboe@fb.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    htejun committed with gregkh Feb 8, 2017
  6. goldfish: Sanitize the broken interrupt handler

    commit 6cf18e6 upstream.
    
    This interrupt handler is broken in several ways:
    
      - It loops forever when the op code is not decodeable
    
      - It never returns IRQ_HANDLED because the only way to exit the loop
        returns IRQ_NONE unconditionally.
    
    The whole concept of this is broken. Creating devices in an interrupt
    handler is beyond any point of sanity.
    
    Make it at least behave halfways sane so accidental users do not have to
    deal with a hard to debug lockup.
    
    Fixes: e809c22 ("goldfish: add the goldfish virtual bus")
    Reported-by: Gabriel C <nix.or.die@gmail.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Thomas Gleixner committed with gregkh Feb 15, 2017
  7. x86/platform/goldfish: Prevent unconditional loading

    commit 47512cf upstream.
    
    The goldfish platform code registers the platform device unconditionally
    which causes havoc in several ways if the goldfish_pdev_bus driver is
    enabled:
    
     - Access to the hardcoded physical memory region, which is either not
       available or contains stuff which is completely unrelated.
    
     - Prevents that the interrupt of the serial port can be requested
    
     - In case of a spurious interrupt it goes into a infinite loop in the
       interrupt handler of the pdev_bus driver (which needs to be fixed
       seperately).
    
    Add a 'goldfish' command line option to make the registration opt-in when
    the platform is compiled in.
    
    I'm seriously grumpy about this engineering trainwreck, which has seven
    SOBs from Intel developers for 50 lines of code. And none of them figured
    out that this is broken. Impressive fail!
    
    Fixes: ddd70cf ("goldfish: platform device for x86")
    Reported-by: Gabriel C <nix.or.die@gmail.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Thomas Gleixner committed with gregkh Feb 15, 2017
  8. USB: serial: ark3116: fix register-accessor error handling

    commit 9fef37d upstream.
    
    The current implementation failed to detect short transfers, something
    which could lead to bits of the uninitialised heap transfer buffer
    leaking to user space.
    
    Fixes: 149fc79 ("USB: ark3116: Setup some basic infrastructure for new ark3116 driver.")
    Fixes: f4c1e8d ("USB: ark3116: Make existing functions 16450-aware and add close and release functions.")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    jhovold committed with gregkh Jan 12, 2017
  9. USB: serial: opticon: fix CTS retrieval at open

    commit 2eee050 upstream.
    
    The opticon driver used a control request at open to trigger a CTS
    status notification to be sent over the bulk-in pipe. When the driver
    was converted to using the generic read implementation, an inverted test
    prevented this request from being sent, something which could lead to
    TIOCMGET reporting an incorrect CTS state.
    
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Fixes: 7a6ee2b ("USB: opticon: switch to generic read implementation")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    jhovold committed with gregkh Jan 13, 2017
  10. USB: serial: spcp8x5: fix modem-status handling

    commit 5ed8d41 upstream.
    
    Make sure to detect short control transfers and return zero on success
    when retrieving the modem status.
    
    This fixes the TIOCMGET implementation which since e1ed212 ("USB:
    spcp8x5: add proper modem-status support") has returned TIOCM_LE on
    successful retrieval, and avoids leaking bits from the stack on short
    transfers.
    
    This also fixes the carrier-detect implementation which since the above
    mentioned commit unconditionally has returned true.
    
    Fixes: e1ed212 ("USB: spcp8x5: add proper modem-status support")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    jhovold committed with gregkh Jan 12, 2017
  11. USB: serial: ftdi_sio: fix line-status over-reporting

    commit a6bb1e1 upstream.
    
    FTDI devices use a receive latency timer to periodically empty the
    receive buffer and report modem and line status (also when the buffer is
    empty).
    
    When a break or error condition is detected the corresponding status
    flags will be set on a packet with nonzero data payload and the flags
    are not updated until the break is over or further characters are
    received.
    
    In order to avoid over-reporting break and error conditions, these flags
    must therefore only be processed for packets with payload.
    
    This specifically fixes the case where after an overrun, the error
    condition is continuously reported and NULL-characters inserted until
    further data is received.
    
    Reported-by: Michael Walle <michael@walle.cc>
    Fixes: 72fda3c ("USB: serial: ftd_sio: implement sysrq handling on
    break")
    Fixes: 166ceb6 ("USB: ftdi_sio: clean up line-status handling")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    jhovold committed with gregkh Feb 2, 2017
  12. USB: serial: ftdi_sio: fix extreme low-latency setting

    commit c6dce26 upstream.
    
    Since commit 557aaa7 ("ft232: support the ASYNC_LOW_LATENCY
    flag") the FTDI driver has been using a receive latency-timer value of
    1 ms instead of the device default of 16 ms.
    
    The latency timer is used to periodically empty a non-full receive
    buffer, but a status header is always sent when the timer expires
    including when the buffer is empty. This means that a two-byte bulk
    message is received every millisecond also for an otherwise idle port as
    long as it is open.
    
    Let's restore the pre-2009 behaviour which reduces the rate of the
    status messages to 1/16th (e.g. interrupt frequency drops from 1 kHz to
    62.5 Hz) by not setting ASYNC_LOW_LATENCY by default.
    
    Anyone willing to pay the price for the minimum-latency behaviour should
    set the flag explicitly instead using the TIOCSSERIAL ioctl or a tool
    such as setserial (e.g. setserial /dev/ttyUSB0 low_latency).
    
    Note that since commit 0cbd81a ("USB: ftdi_sio: remove
    tty->low_latency") the ASYNC_LOW_LATENCY flag has no other effects but
    to set a minimal latency timer.
    
    Reported-by: Antoine Aubert <a.aubert@overkiz.com>
    Fixes: 557aaa7 ("ft232: support the ASYNC_LOW_LATENCY flag")
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    jhovold committed with gregkh Jan 25, 2017
  13. USB: serial: ftdi_sio: fix modem-status error handling

    commit 427c3a9 upstream.
    
    Make sure to detect short responses when fetching the modem status in
    order to avoid parsing uninitialised buffer data and having bits of it
    leak to user space.
    
    Note that we still allow for short 1-byte responses.
    
    Fixes: 1da177e ("Linux-2.6.12-rc2")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    jhovold committed with gregkh Jan 12, 2017
  14. USB: serial: cp210x: add new IDs for GE Bx50v3 boards

    commit 9a59365 upstream.
    
    Add new USB IDs for cp2104/5 devices on Bx50v3 boards due to the design
    change.
    
    Signed-off-by: Ken Lin <yungching0725@gmail.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    yungching0725 committed with gregkh Feb 3, 2017
  15. USB: serial: mos7840: fix another NULL-deref at open

    commit 5182c2c upstream.
    
    Fix another NULL-pointer dereference at open should a malicious device
    lack an interrupt-in endpoint.
    
    Note that the driver has a broken check for an interrupt-in endpoint
    which means that an interrupt URB has never even been submitted.
    
    Fixes: 3f54297 ("USB: Moschip 7840 USB-Serial Driver")
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    jhovold committed with gregkh Feb 9, 2017
  16. tty: serial: msm: Fix module autoload

    commit abe81f3 upstream.
    
    If the driver is built as a module, autoload won't work because the module
    alias information is not filled. So user-space can't match the registered
    device with the corresponding module.
    
    Export the module alias information using the MODULE_DEVICE_TABLE() macro.
    
    Before this patch:
    
    $ modinfo drivers/tty/serial/msm_serial.ko | grep alias
    $
    
    After this patch:
    
    $ modinfo drivers/tty/serial/msm_serial.ko | grep alias
    alias:          of:N*T*Cqcom,msm-uartdmC*
    alias:          of:N*T*Cqcom,msm-uartdm
    alias:          of:N*T*Cqcom,msm-uartC*
    alias:          of:N*T*Cqcom,msm-uart
    
    Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
    Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    martinezjavier committed with gregkh Jan 2, 2017
  17. net: socket: fix recvmmsg not returning error from sock_error

    [ Upstream commit e623a9e ]
    
    Commit 34b88a6 ("net: Fix use after free in the recvmmsg exit path"),
    changed the exit path of recvmmsg to always return the datagrams
    variable and modified the error paths to set the variable to the error
    code returned by recvmsg if necessary.
    
    However in the case sock_error returned an error, the error code was
    then ignored, and recvmmsg returned 0.
    
    Change the error path of recvmmsg to correctly return the error code
    of sock_error.
    
    The bug was triggered by using recvmmsg on a CAN interface which was
    not up. Linux 4.6 and later return 0 in this case while earlier
    releases returned -ENETDOWN.
    
    Fixes: 34b88a6 ("net: Fix use after free in the recvmmsg exit path")
    Signed-off-by: Maxime Jayat <maxime.jayat@mobile-devices.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Maxime Jayat committed with gregkh Feb 21, 2017
  18. ip: fix IP_CHECKSUM handling

    [ Upstream commit ca4ef45 ]
    
    The skbs processed by ip_cmsg_recv() are not guaranteed to
    be linear e.g. when sending UDP packets over loopback with
    MSGMORE.
    Using csum_partial() on [potentially] the whole skb len
    is dangerous; instead be on the safe side and use skb_checksum().
    
    Thanks to syzkaller team to detect the issue and provide the
    reproducer.
    
    v1 -> v2:
     - move the variable declaration in a tighter scope
    
    Fixes: ad6f939 ("ip: Add offset parameter to ip_cmsg_recv")
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Paolo Abeni committed with gregkh Feb 21, 2017
  19. irda: Fix lockdep annotations in hashbin_delete().

    [ Upstream commit 4c03b86 ]
    
    A nested lock depth was added to the hasbin_delete() code but it
    doesn't actually work some well and results in tons of lockdep splats.
    
    Fix the code instead to properly drop the lock around the operation
    and just keep peeking the head of the hashbin queue.
    
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    davem330 committed with gregkh Feb 17, 2017
  20. dccp: fix freeing skb too early for IPV6_RECVPKTINFO

    [ Upstream commit 5edabca ]
    
    In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
    is forcibly freed via __kfree_skb in dccp_rcv_state_process if
    dccp_v6_conn_request successfully returns.
    
    However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
    is saved to ireq->pktopts and the ref count for skb is incremented in
    dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
    in dccp_rcv_state_process.
    
    Fix by calling consume_skb instead of doing goto discard and therefore
    calling __kfree_skb.
    
    Similar fixes for TCP:
    
    fb7e239 [TCP]: skb is unexpectedly freed.
    0aea76d tcp: SYN packets are now
    simply consumed
    
    Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    xairy committed with gregkh Feb 16, 2017
  21. packet: Do not call fanout_release from atomic contexts

    [ Upstream commit 2bd624b ]
    
    Commit 6664498 ("packet: call fanout_release, while UNREGISTERING a
    netdev"), unfortunately, introduced the following issues.
    
    1. calling mutex_lock(&fanout_mutex) (fanout_release()) from inside
    rcu_read-side critical section. rcu_read_lock disables preemption, most often,
    which prohibits calling sleeping functions.
    
    [  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
    [  ]
    [  ] rcu_scheduler_active = 1, debug_locks = 0
    [  ] 4 locks held by ovs-vswitchd/1969:
    [  ]  #0:  (cb_lock){++++++}, at: [<ffffffff8158a6c9>] genl_rcv+0x19/0x40
    [  ]  #1:  (ovs_mutex){+.+.+.}, at: [<ffffffffa04878ca>] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
    [  ]  #2:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81564157>] rtnl_lock+0x17/0x20
    [  ]  #3:  (rcu_read_lock){......}, at: [<ffffffff81614165>] packet_notifier+0x5/0x3f0
    [  ]
    [  ] Call Trace:
    [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
    [  ]  [<ffffffff810c9077>] lockdep_rcu_suspicious+0x107/0x110
    [  ]  [<ffffffff810a2da7>] ___might_sleep+0x57/0x210
    [  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
    [  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
    [  ]  [<ffffffff810de93f>] ? vprintk_default+0x1f/0x30
    [  ]  [<ffffffff81186e88>] ? printk+0x4d/0x4f
    [  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
    [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
    
    2. calling mutex_lock(&fanout_mutex) inside spin_lock(&po->bind_lock).
    "sleeping function called from invalid context"
    
    [  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
    [  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
    [  ] INFO: lockdep is turned off.
    [  ] Call Trace:
    [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
    [  ]  [<ffffffff810a2f52>] ___might_sleep+0x202/0x210
    [  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
    [  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
    [  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
    [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
    
    3. calling dev_remove_pack(&fanout->prot_hook), from inside
    spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack()
    -> synchronize_net(), which might sleep.
    
    [  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
    [  ] INFO: lockdep is turned off.
    [  ] Call Trace:
    [  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
    [  ]  [<ffffffff81186274>] __schedule_bug+0x64/0x73
    [  ]  [<ffffffff8162b8cb>] __schedule+0x6b/0xd10
    [  ]  [<ffffffff8162c5db>] schedule+0x6b/0x80
    [  ]  [<ffffffff81630b1d>] schedule_timeout+0x38d/0x410
    [  ]  [<ffffffff810ea3fd>] synchronize_sched_expedited+0x53d/0x810
    [  ]  [<ffffffff810ea6de>] synchronize_rcu_expedited+0xe/0x10
    [  ]  [<ffffffff8154eab5>] synchronize_net+0x35/0x50
    [  ]  [<ffffffff8154eae3>] dev_remove_pack+0x13/0x20
    [  ]  [<ffffffff8161077e>] fanout_release+0xbe/0xe0
    [  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0
    
    4. fanout_release() races with calls from different CPU.
    
    To fix the above problems, remove the call to fanout_release() under
    rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and
    netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order
    to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
    __fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
    fanout->prot_hook is removed as well.
    
    Fixes: 6664498 ("packet: call fanout_release, while UNREGISTERING a netdev")
    Reported-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Anoob Soman <anoob.soman@citrix.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    anoobs committed with gregkh Feb 15, 2017
  22. packet: fix races in fanout_add()

    [ Upstream commit d199fab ]
    
    Multiple threads can call fanout_add() at the same time.
    
    We need to grab fanout_mutex earlier to avoid races that could
    lead to one thread freeing po->rollover that was set by another thread.
    
    Do the same in fanout_release(), for peace of mind, and to help us
    finding lockdep issues earlier.
    
    Fixes: dc99f60 ("packet: Add fanout support.")
    Fixes: 0648ab7 ("packet: rollover prepare: per-socket state")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Willem de Bruijn <willemb@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Eric Dumazet committed with gregkh Feb 14, 2017
  23. net/llc: avoid BUG_ON() in skb_orphan()

    [ Upstream commit 8b74d43 ]
    
    It seems nobody used LLC since linux-3.12.
    
    Fortunately fuzzers like syzkaller still know how to run this code,
    otherwise it would be no fun.
    
    Setting skb->sk without skb->destructor leads to all kinds of
    bugs, we now prefer to be very strict about it.
    
    Ideally here we would use skb_set_owner() but this helper does not exist yet,
    only CAN seems to have a private helper for that.
    
    Fixes: 376c731 ("net: add a temporary sanity check in skb_orphan()")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Eric Dumazet committed with gregkh Feb 12, 2017
  24. blk-mq: really fix plug list flushing for nomerge queues

    commit 87c279e upstream.
    
    Commit 0809e3a ("block: fix plug list flushing for nomerge queues")
    updated blk_mq_make_request() to set request_count even when
    blk_queue_nomerges() returns true. However, blk_mq_make_request() only
    does limited plugging and doesn't use request_count;
    blk_sq_make_request() is the one that should have been fixed. Do that
    and get rid of the unnecessary work in the mq version.
    
    Fixes: 0809e3a ("block: fix plug list flushing for nomerge queues")
    Signed-off-by: Omar Sandoval <osandov@fb.com>
    Reviewed-by: Ming Lei <tom.leiming@gmail.com>
    Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
    Signed-off-by: Jens Axboe <axboe@fb.com>
    Cc: Sumit Semwal <sumit.semwal@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    osandov committed with gregkh Jun 2, 2016
  25. rtc: interface: ignore expired timers when enqueuing new timers

    commit 2b2f5ff upstream.
    
    This patch fixes a RTC wakealarm issue, namely, the event fires during
    hibernate and is not cleared from the list, causing hwclock to block.
    
    The current enqueuing does not trigger an alarm if any expired timers
    already exist on the timerqueue. This can occur when a RTC wake alarm
    is used to wake a machine out of hibernate and the resumed state has
    old expired timers that have not been removed from the timer queue.
    This fix skips over any expired timers and triggers an alarm if there
    are no pending timers on the timerqueue. Note that the skipped expired
    timer will get reaped later on, so there is no need to clean it up
    immediately.
    
    The issue can be reproduced by putting a machine into hibernate and
    waking it with the RTC wakealarm.  Running the example RTC test program
    from tools/testing/selftests/timers/rtctest.c after the hibernate will
    block indefinitely.  With the fix, it no longer blocks after the
    hibernate resume.
    
    BugLink: http://bugs.launchpad.net/bugs/1333569
    
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Cc: Sumit Semwal <sumit.semwal@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    ColinIanKing committed with gregkh May 16, 2016
  26. rtlwifi: rtl_usb: Fix missing entry in USB driver's private data

    commit 60f59ce upstream.
    
    These drivers need to be able to reference "struct ieee80211_hw" from
    the driver's private data, and vice versa. The USB driver failed to
    store the address of ieee80211_hw in the private data. Although this
    bug has been present for a long time, it was not exposed until
    commit ba9f93f ("rtlwifi: Fix enter/exit power_save").
    
    Fixes: ba9f93f ("rtlwifi: Fix enter/exit power_save")
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Cc: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    lwfinger committed with gregkh Dec 21, 2016
Commits on Feb 23, 2017
  1. Merge tag 'v4.4.51' into linux-4.4-at91

    This is the 4.4.51 stable release
    noglitch committed Feb 23, 2017
  2. Linux 4.4.51

    gregkh committed Feb 23, 2017
  3. mmc: core: fix multi-bit bus width without high-speed mode

    commit 3d4ef32 upstream.
    
    Commit 577fb13 ("mmc: rework selection of bus speed mode")
    refactored bus width selection code to mmc_select_bus_width().
    
    However, it also altered the behavior to not call the selection code in
    non-high-speed modes anymore.
    
    This causes 1-bit mode to always be used when the high-speed mode is not
    enabled, even though 4-bit and 8-bit bus are valid bus widths in the
    backwards-compatibility (legacy) mode as well (see e.g. 5.3.2 Bus Speed
    Modes in JEDEC 84-B50). This results in a significant regression in
    transfer speeds.
    
    Fix the code to allow 4-bit and 8-bit widths even without high-speed
    mode, as before.
    
    Tested with a Zynq-7000 PicoZed 7020 board.
    
    Fixes: 577fb13 ("mmc: rework selection of bus speed mode")
    Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    [anssi.hannula@bitwise.fi: backported for the different err variable
     check on v4.4 and tested]
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    anssih committed with gregkh Feb 13, 2017
  4. bcache: Make gc wakeup sane, remove set_task_state()

    commit be628be upstream.
    
    Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    koverstreet committed with gregkh Oct 27, 2016
  5. ntb_transport: Pick an unused queue

    commit 8fcd095 upstream.
    
    Fix typo causing ntb_transport_create_queue to select the first
    queue every time, instead of using the next free queue.
    
    Signed-off-by: Thomas VanSelus <tvanselus@xes-inc.com>
    Signed-off-by: Aaron Sierra <asierra@xes-inc.com>
    Acked-by: Allen Hubbe <Allen.Hubbe@dell.com>
    Fixes: fce8a7b ("PCI-Express Non-Transparent Bridge Support")
    Signed-off-by: Jon Mason <jdmason@kudzu.us>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Thomas VanSelus committed with gregkh Feb 13, 2017
  6. NTB: ntb_transport: fix debugfs_remove_recursive

    commit dd62245 upstream.
    
    The call to debugfs_remove_recursive(qp->debugfs_dir) of the sub-level
    directory must not be later than
    debugfs_remove_recursive(nt_debugfs_dir) of the top-level directory.
    Otherwise, the sub-level directory will not exist, and it would be
    invalid (panic) to attempt to remove it.  This removes the top-level
    directory last, after sub-level directories have been cleaned up.
    
    Signed-off-by: Allen Hubbe <Allen.Hubbe@dell.com>
    Fixes: e26a584 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
    Signed-off-by: Jon Mason <jdmason@kudzu.us>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Allen Hubbe committed with gregkh Dec 27, 2016
  7. printk: use rcuidle console tracepoint

    commit fc98c3c upstream.
    
    Use rcuidle console tracepoint because, apparently, it may be issued
    from an idle CPU:
    
      hw-breakpoint: Failed to enable monitor mode on CPU 0.
      hw-breakpoint: CPU 0 failed to disable vector catch
    
      ===============================
      [ ERR: suspicious RCU usage.  ]
      4.10.0-rc8-next-20170215+ #119 Not tainted
      -------------------------------
      ./include/trace/events/printk.h:32 suspicious rcu_dereference_check() usage!
    
      other info that might help us debug this:
    
      RCU used illegally from idle CPU!
      rcu_scheduler_active = 2, debug_locks = 0
      RCU used illegally from extended quiescent state!
      2 locks held by swapper/0/0:
       #0:  (cpu_pm_notifier_lock){......}, at: [<c0237e2c>] cpu_pm_exit+0x10/0x54
       #1:  (console_lock){+.+.+.}, at: [<c01ab350>] vprintk_emit+0x264/0x474
    
      stack backtrace:
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.10.0-rc8-next-20170215+ #119
      Hardware name: Generic OMAP4 (Flattened Device Tree)
        console_unlock
        vprintk_emit
        vprintk_default
        printk
        reset_ctrl_regs
        dbg_cpu_pm_notify
        notifier_call_chain
        cpu_pm_exit
        omap_enter_idle_coupled
        cpuidle_enter_state
        cpuidle_enter_state_coupled
        do_idle
        cpu_startup_entry
        start_kernel
    
    This RCU warning, however, is suppressed by lockdep_off() in printk().
    lockdep_off() increments the ->lockdep_recursion counter and thus
    disables RCU_LOCKDEP_WARN() and debug_lockdep_rcu_enabled(), which want
    lockdep to be enabled "current->lockdep_recursion == 0".
    
    Link: http://lkml.kernel.org/r/20170217015932.11898-1-sergey.senozhatsky@gmail.com
    Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
    Reported-by: Tony Lindgren <tony@atomide.com>
    Tested-by: Tony Lindgren <tony@atomide.com>
    Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
    Cc: Petr Mladek <pmladek@suse.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Tony Lindgren <tony@atomide.com>
    Cc: Russell King <rmk@armlinux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Sergey Senozhatsky committed with gregkh Feb 18, 2017
  8. ARM: 8658/1: uaccess: fix zeroing of 64-bit get_user()

    commit 9e34404 upstream.
    
    The 64-bit get_user() wasn't clearing the high word due to a typo in the
    error handler. The exception handler entry was already correct, though.
    Noticed during recent usercopy test additions in lib/test_user_copy.c.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    kees committed with gregkh Feb 16, 2017