commit 72cb2a7f426ad822758cb2560f0522f6412f578e Author: Greg Kroah-Hartman Date: Sun Mar 30 21:40:45 2014 -0700 Linux 3.4.85 commit 79dd68bfe15ac3da7e76d2db7fdbccc74026e97f Author: Konstantin Khlebnikov Date: Wed Mar 26 14:12:19 2014 +0400 ipc/msg: fix race around refcount [fixed differently in 6062a8dc0517bce23e3c2f7d2fea5e22411269a3 upstream.] In older kernels (before v3.10) ipc_rcu_hdr->refcount was non-atomic int. There was possuble double-free bug: do_msgsnd() calls ipc_rcu_putref() under msq->q_perm->lock and RCU, while freequeue() calls it while it holds only 'rw_mutex', so there is no sinchronization between them. Two function decrements '2' non-atomically, they both can get '0' as result. do_msgsnd() freequeue() msq = msg_lock_check(ns, msqid); ... ipc_rcu_getref(msq); msg_unlock(msq); schedule(); (caller locks spinlock) expunge_all(msq, -EIDRM); ss_wakeup(&msq->q_senders, 1); msg_rmid(ns, msq); msg_unlock(msq); ipc_lock_by_ptr(&msq->q_perm); ipc_rcu_putref(msq); ipc_rcu_putref(msq); < both may get get --(...)->refcount == 0 > This patch locks ipc_lock and RCU around ipc_rcu_putref in freequeue. ( RCU protects memory for spin_unlock() ) Similar bugs might be in other users of ipc_rcu_putref(). In the mainline this has been fixed in v3.10 indirectly in commmit 6062a8dc0517bce23e3c2f7d2fea5e22411269a3 ("ipc,sem: fine grained locking for semtimedop") by Rik van Riel. That commit optimized locking and converted refcount into atomic. I'm not sure that anybody should care about this bug: it's very-very unlikely and no longer exists in actual mainline. I've found this just by looking into the code, probably this never happens in real life. Signed-off-by: Konstantin Khlebnikov commit ebaacf5c50f552d1bab829451d9bda5eb55fe337 Author: Sarah Sharp Date: Fri Jan 17 15:38:12 2014 -0800 xhci: Fix resume issues on Renesas chips in Samsung laptops commit 1aa9578c1a9450fb21501c4f549f5b1edb557e6d upstream. Don Zickus writes: Some co-workers of mine bought Samsung laptops that had mostly usb3 ports. Those ports did not resume correctly (the driver would timeout communicating and fail). This led to frustration as suspend/resume is a common use for laptops. Poking around, I applied the reset on resume quirk to this chipset and the resume started working. Reloading the xhci_hcd module had been the temporary workaround. Signed-off-by: Sarah Sharp Reported-by: Don Zickus Tested-by: Prarit Bhargava Signed-off-by: Greg Kroah-Hartman commit edc36cf320fc69bdf8906cd2de6aef5fe62e77b2 Author: Marcelo Tosatti Date: Fri Jan 3 17:00:51 2014 -0200 KVM: VMX: fix use after free of vmx->loaded_vmcs commit 26a865f4aa8e66a6d94958de7656f7f1b03c6c56 upstream. After free_loaded_vmcs executes, the "loaded_vmcs" structure is kfreed, and now vmx->loaded_vmcs points to a kfreed area. Subsequent free_loaded_vmcs then attempts to manipulate vmx->loaded_vmcs. Switch the order to avoid the problem. https://bugzilla.redhat.com/show_bug.cgi?id=1047892 Reviewed-by: Jan Kiszka Signed-off-by: Marcelo Tosatti Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit 86bbe6ac6eab65ac4346882cb26d91e8ca6c975d Author: Marcelo Tosatti Date: Thu Dec 19 15:28:51 2013 -0200 KVM: MMU: handle invalid root_hpa at __direct_map commit 989c6b34f6a9480e397b170cc62237e89bf4fdb9 upstream. It is possible for __direct_map to be called on invalid root_hpa (-1), two examples: 1) try_async_pf -> can_do_async_pf -> vmx_interrupt_allowed -> nested_vmx_vmexit 2) vmx_handle_exit -> vmx_interrupt_allowed -> nested_vmx_vmexit Then to load_vmcs12_host_state and kvm_mmu_reset_context. Check for this possibility, let fault exception be regenerated. BZ: https://bugzilla.redhat.com/show_bug.cgi?id=924916 Signed-off-by: Marcelo Tosatti Signed-off-by: Paolo Bonzini Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit 037a05761d3ad2e7cbd417b421031a82de7f5c9f Author: Hans de Goede Date: Mon Dec 16 07:09:25 2013 -0800 Input: elantech - improve clickpad detection commit c15bdfd5b9831e4cab8cfc118243956e267dd30e upstream. The current assumption in the elantech driver that hw version 3 touchpads are never clickpads and hw version 4 touchpads are always clickpads is wrong. There are several bug reports for this, ie: https://bugzilla.redhat.com/show_bug.cgi?id=1030802 http://superuser.com/questions/619582/right-elantech-touchpad-button-not-working-in-linux I've spend a couple of hours wading through various bugzillas, launchpads and forum posts to create a list of fw-versions and capabilities for different laptop models to find a good method to differentiate between clickpads and versions with separate hardware buttons. Which shows that a device being a clickpad is reliable indicated by bit 12 being set in the fw_version. I've included the gathered list inside the driver, so that we've this info at hand if we need to revisit this later. Signed-off-by: Hans de Goede Reviewed-by: Benjamin Tissoires Signed-off-by: Dmitry Torokhov Cc: Josh Boyer Signed-off-by: Greg Kroah-Hartman commit a4d65b8421e38d420fcdaeb50feced86f3f6a5c5 Author: Rob Herring Date: Sat Aug 17 20:12:57 2013 -0500 ARM: move outer_cache declaration out of ifdef commit 0b53c11d533a8f6688d73fad0baf67dd08ec1b90 upstream. Move the outer_cache declaration of the CONFIG_OUTER_CACHE ifdef so that outer_cache can be used inside IS_ENABLED condition. Signed-off-by: Rob Herring Cc: Russell King Signed-off-by: Ian Campbell Signed-off-by: Greg Kroah-Hartman commit 714c034f82f17dd89b8b112375038d91bde4e129 Author: Jean Delvare Date: Tue Feb 25 09:43:13 2014 +0100 i7300_edac: Fix device reference count commit 75135da0d68419ef8a925f4c1d5f63d8046e314d upstream. pci_get_device() decrements the reference count of "from" (last argument) so when we break off the loop successfully we have only one device reference - and we don't know which device we have. If we want a reference to each device, we must take them explicitly and let the pci_get_device() walk complete to avoid duplicate references. This is serious, as over-putting device references will cause the device to eventually disappear. Without this fix, the kernel crashes after a few insmod/rmmod cycles. Tested on an Intel S7000FC4UR system with a 7300 chipset. Signed-off-by: Jean Delvare Link: http://lkml.kernel.org/r/20140224111656.09bbb7ed@endymion.delvare Cc: Mauro Carvalho Chehab Cc: Doug Thompson Cc: stable@vger.kernel.org Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman commit e78970f0d78cd83382381a6876534424f1d95da4 Author: Dan Carpenter Date: Mon Jan 13 22:05:23 2014 +0300 p54: clamp properly instead of just truncating commit 608cfbe4abaf76e9d732efd7ed1cfa3998163d91 upstream. The call to clamp_t() first truncates the variable signed 8 bit and as a result, the actual clamp is a no-op. Fixes: 0d78156eef1d ('p54: improve site survey') Signed-off-by: Dan Carpenter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit c502e92f7cd92bd80ac0e754842d68fe3c2601f6 Author: Ben Hutchings Date: Thu Dec 5 14:37:35 2013 +0000 deb-pkg: Fix cross-building linux-headers package commit f8ce239dfc7ba9add41d9ecdc5e7810738f839fa upstream. builddeb generates a control file that says the linux-headers package can only be built for the build system primary architecture. This breaks cross-building configurations. We should use $debarch for this instead. Since $debarch is not yet set when generating the control file, set Architecture: any and use control file variables to fill in the description. Fixes: cd8d60a20a45 ('kbuild: create linux-headers package in deb-pkg') Reported-and-tested-by: "Niew, Sh." Signed-off-by: Ben Hutchings Signed-off-by: Michal Marek Signed-off-by: Greg Kroah-Hartman commit 5f0a3f764bd1905f8579d781aff4c757d5d0978b Author: Alexei Starovoitov Date: Mon Mar 10 15:56:51 2014 -0700 x86: bpf_jit: support negative offsets commit fdfaf64e75397567257e1051931f9a3377360665 upstream. Commit a998d4342337 claimed to introduce negative offset support to x86 jit, but it couldn't be working, since at the time of the execution of LD+ABS or LD+IND instructions via call into bpf_internal_load_pointer_neg_helper() the %edx (3rd argument of this func) had junk value instead of access size in bytes (1 or 2 or 4). Store size into %edx instead of %ecx (what original commit intended to do) Fixes: a998d4342337 ("bpf jit: Let the x86 jit handle negative offsets") Signed-off-by: Alexei Starovoitov Cc: Jan Seiffert Cc: Eric Dumazet Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 904855a5c90e491a1700e7e6a9268ee00d9bdf39 Author: Ben Hutchings Date: Tue Mar 25 17:28:22 2014 +0000 iwlwifi: Complete backport of "iwlwifi: always copy first 16 bytes of commands" Linux 3.4.83 included an incomplete backport of commit 8a964f44e01ad3bbc208c3e80d931ba91b9ea786 ('iwlwifi: always copy first 16 bytes of commands') which causes a regression for this driver. This is the missing piece. Reported-by: Andreas Sturmlechner Cc: Johannes Berg Cc: Emmanuel Grumbach Cc: Jianguo Wu Cc: Andres Bertens Tested-by: Andreas Sturmlechner Signed-off-by: Ben Hutchings commit 542a39ac9dd4586a3b74958cadacb47aea3444b0 Author: Josh Durgin Date: Tue Dec 10 09:35:13 2013 -0800 libceph: resend all writes after the osdmap loses the full flag commit 9a1ea2dbff11547a8e664f143c1ffefc586a577a upstream. With the current full handling, there is a race between osds and clients getting the first map marked full. If the osd wins, it will return -ENOSPC to any writes, but the client may already have writes in flight. This results in the client getting the error and propagating it up the stack. For rbd, the block layer turns this into EIO, which can cause corruption in filesystems above it. To avoid this race, osds are being changed to drop writes that came from clients with an osdmap older than the last osdmap marked full. In order for this to work, clients must resend all writes after they encounter a full -> not full transition in the osdmap. osds will wait for an updated map instead of processing a request from a client with a newer map, so resent writes will not be dropped by the osd unless there is another not full -> full transition. This approach requires both osds and clients to be fixed to avoid the race. Old clients talking to osds with this fix may hang instead of returning EIO and potentially corrupting an fs. New clients talking to old osds have the same behavior as before if they encounter this race. Fixes: http://tracker.ceph.com/issues/6938 Reviewed-by: Sage Weil Signed-off-by: Josh Durgin Signed-off-by: Greg Kroah-Hartman commit 40dea3bd3714383856a1bf90a4c91d4cc2ef44d4 Author: Charles Keepax Date: Wed Mar 19 12:59:39 2014 +0000 ALSA: compress: Pass through return value of open ops callback commit 749d32237bf39e6576dd95bfdf24e4378e51716c upstream. The snd_compr_open function would always return 0 even if the compressed ops open function failed, obviously this is incorrect. Looks like this was introduced by a small typo in: commit a0830dbd4e42b38aefdf3fb61ba5019a1a99ea85 ALSA: Add a reference counter to card instance This patch returns the value from the compressed op as it should. Signed-off-by: Charles Keepax Acked-by: Vinod Koul Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman