Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.12.61 2016-06-15T13:51:48Z 2016-06-15T13:51:48Z Jiri Slaby jslaby@suse.cz 2016-06-15T07:29:33Z urn:sha1:1f3d0f528ecf863b11a0e594207ea925736cb791 2016-06-15T13:51:47Z Loic Poulain loic.poulain@intel.com 2016-04-04T08:48:13Z urn:sha1:b85483c524e3f8dda532b5c13b1fb22a5404554c commit 84cb3df02aea4b00405521e67c4c67c2d525c364 upstream. HCI_UART_PROTO_SET flag is set before hci_uart_set_proto call. If we receive data from tty layer during this procedure, proto pointer may not be assigned yet, leading to null pointer dereference in rx method hci_uart_tty_receive. This patch fixes this issue by introducing HCI_UART_PROTO_READY flag in order to avoid any proto operation before proto opening and assignment. Signed-off-by: Loic Poulain <loic.poulain@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2016-06-15T13:51:47Z Wei-Ning Huang wnhuang@chromium.org 2016-03-08T03:40:06Z urn:sha1:94e3230bf179f9700e160c0f4a05305cc5299a62 commit 9a01242dc7fc4d5fe3f722afbf35b33aa414cd2f upstream. In some case, the btmrvl_sdio firmware would fail to active within the polling time. Increase the polling interval to 100 msec to fix the issue. Signed-off-by: Wei-Ning Huang <wnhuang@chromium.org> Signed-off-by: Wei-Ning Huang <wnhuang@google.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2016-06-15T13:51:46Z Colin Ian King colin.king@canonical.com 2016-02-27T14:52:22Z urn:sha1:480268431f91855d05c419807793dd8b25ee4168 commit a75fa128236bc2fdaa5e412145cbd577e42e14c2 upstream. The error return err is not initialized for the case when pci_map_rom fails and no ROM can me mapped. Fix this by setting ret to -ENODATA; (this is the same error value that is returned if the ROM data is successfully mapped but does not match the expected ROM signature.). Issue found from static code analysis using CoverityScan. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2016-06-15T13:51:46Z Dan Bogdan Nechita dan.bogdan.nechita@gmail.com 2016-02-23T09:48:45Z urn:sha1:174c1dfbfc54facaa6fd45c28f7ae9adfe6d0f78 commit 1bb850a1b7f68b66361e658e334f9fdf8231f17d upstream. Currently writing the attributes with "echo" will result in comparing: "enabled\n" with "enabled\0" and attribute is always set to false. Use the sysfs_streq() instead because it treats both NUL and new-line-then-NUL as equivalent string terminations. Signed-off-by: Dan Bogdan Nechita <dan.bogdan.nechita@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2016-06-15T07:32:19Z Dave Chinner dchinner@redhat.com 2016-05-18T03:54:23Z urn:sha1:77b3964ccf07da318dcdec09d6d211ca2e793813 commit 7d3aa7fe970791f1a674b14572a411accf2f4d4e upstream. We don't write back stale inodes so we should skip them in xfs_iflush_cluster, too. Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2016-06-15T07:32:18Z Dave Chinner dchinner@redhat.com 2016-05-18T03:54:22Z urn:sha1:44597cbfb6b6c3a8429ccbadc1bc57c9a2691ba9 commit 51b07f30a71c27405259a0248206ed4e22adbee2 upstream. Some careless idiot(*) wrote crap code in commit 1a3e8f3 ("xfs: convert inode cache lookups to use RCU locking") back in late 2010, and so xfs_iflush_cluster checks the wrong inode for whether it is still valid under RCU protection. Fix it to lock and check the correct inode. (*) Careless-idiot: Dave Chinner <dchinner@redhat.com> Discovered-by: Brain Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2016-06-15T07:32:18Z Dave Chinner dchinner@redhat.com 2016-05-18T03:53:42Z urn:sha1:b431dee1be65181e09dd5f9e03366eebc1ab66d9 commit b1438f477934f5a4d5a44df26f3079a7575d5946 upstream. When a failure due to an inode buffer occurs, the error handling fails to abort the inode writeback correctly. This can result in the inode being reclaimed whilst still in the AIL, leading to use-after-free situations as well as filesystems that cannot be unmounted as the inode log items left in the AIL never get removed. Fix this by ensuring fatal errors from xfs_imap_to_bp() result in the inode flush being aborted correctly. [js] 3.12 needs EAGAIN, not -EAGAIN Reported-by: Shyam Kaushik <shyam@zadarastorage.com> Diagnosed-by: Shyam Kaushik <shyam@zadarastorage.com> Tested-by: Shyam Kaushik <shyam@zadarastorage.com> Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2016-06-15T07:32:17Z Ville Syrjälä ville.syrjala@linux.intel.com 2016-05-26T22:16:25Z urn:sha1:1b3466c61da00edf9736b94fc0c1eef1891b91ea commit 3017cd63f26fc655d56875aaf497153ba60e9edf upstream. With netconsole (at least) the pr_err("... disablingn") call can recurse back into the dma-debug code, where it'll try to grab free_entries_lock again. Avoid the problem by doing the printk after dropping the lock. Link: http://lkml.kernel.org/r/1463678421-18683-1-git-send-email-ville.syrjala@linux.intel.com Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2016-06-15T07:32:17Z Nicolai Stange nicstange@gmail.com 2016-05-05T23:46:19Z urn:sha1:e7551ef53f24b82b7bfd4fe38b156499025e6010 commit 935244cd54b86ca46e69bc6604d2adfb1aec2d42 upstream. Currently, in ext4_mb_init(), there's a loop like the following: do { ... offset += 1 << (sb->s_blocksize_bits - i); i++; } while (i <= sb->s_blocksize_bits + 1); Note that the updated offset is used in the loop's next iteration only. However, at the last iteration, that is at i == sb->s_blocksize_bits + 1, the shift count becomes equal to (unsigned)-1 > 31 (c.f. C99 6.5.7(3)) and UBSAN reports UBSAN: Undefined behaviour in fs/ext4/mballoc.c:2621:15 shift exponent 4294967295 is too large for 32-bit type 'int' [...] Call Trace: [<ffffffff818c4d25>] dump_stack+0xbc/0x117 [<ffffffff818c4c69>] ? _atomic_dec_and_lock+0x169/0x169 [<ffffffff819411ab>] ubsan_epilogue+0xd/0x4e [<ffffffff81941cac>] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254 [<ffffffff81941ab1>] ? __ubsan_handle_load_invalid_value+0x158/0x158 [<ffffffff814b6dc1>] ? kmem_cache_alloc+0x101/0x390 [<ffffffff816fc13b>] ? ext4_mb_init+0x13b/0xfd0 [<ffffffff814293c7>] ? create_cache+0x57/0x1f0 [<ffffffff8142948a>] ? create_cache+0x11a/0x1f0 [<ffffffff821c2168>] ? mutex_lock+0x38/0x60 [<ffffffff821c23ab>] ? mutex_unlock+0x1b/0x50 [<ffffffff814c26ab>] ? put_online_mems+0x5b/0xc0 [<ffffffff81429677>] ? kmem_cache_create+0x117/0x2c0 [<ffffffff816fcc49>] ext4_mb_init+0xc49/0xfd0 [...] Observe that the mentioned shift exponent, 4294967295, equals (unsigned)-1. Unless compilers start to do some fancy transformations (which at least GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the such calculated value of offset is never used again. Silence UBSAN by introducing another variable, offset_incr, holding the next increment to apply to offset and adjust that one by right shifting it by one position per loop iteration. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701 Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161 Signed-off-by: Nicolai Stange <nicstange@gmail.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Jiri Slaby <jslaby@suse.cz>