1. 20 Nov, 2016 40 commits
    • Tejun Heo's avatar
      kernfs: don't depend on d_find_any_alias() when generating notifications · 01324354
      Tejun Heo authored
      commit df6a58c5 upstream.
      
      kernfs_notify_workfn() sends out file modified events for the
      scheduled kernfs_nodes.  Because the modifications aren't from
      userland, it doesn't have the matching file struct at hand and can't
      use fsnotify_modify().  Instead, it looked up the inode and then used
      d_find_any_alias() to find the dentry and used fsnotify_parent() and
      fsnotify() directly to generate notifications.
      
      The assumption was that the relevant dentries would have been pinned
      if there are listeners, which isn't true as inotify doesn't pin
      dentries at all and watching the parent doesn't pin the child dentries
      even for dnotify.  This led to, for example, inotify watchers not
      getting notifications if the system is under memory pressure and the
      matching dentries got reclaimed.  It can also be triggered through
      /proc/sys/vm/drop_caches or a remount attempt which involves shrinking
      dcache.
      
      fsnotify_parent() only uses the dentry to access the parent inode,
      which kernfs can do easily.  Update kernfs_notify_workfn() so that it
      uses fsnotify() directly for both the parent and target inodes without
      going through d_find_any_alias().  While at it, supply the target file
      name to fsnotify() from kernfs_node->name.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarEvgeny Vereshchagin <evvers@ya.ru>
      Fixes: d911d987 ("kernfs: make kernfs_notify() trigger inotify events too")
      Cc: John McCutchan <john@johnmccutchan.com>
      Cc: Robert Love <rlove@rlove.org>
      Cc: Eric Paris <eparis@parisplace.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      01324354
    • Eric Biggers's avatar
      dm crypt: fix free of bad values after tfm allocation failure · afa82093
      Eric Biggers authored
      commit 5d0be84e upstream.
      
      If crypt_alloc_tfms() had to allocate multiple tfms and it failed before
      the last allocation, then it would call crypt_free_tfms() and could free
      pointers from uninitialized memory -- due to the crypt_free_tfms() check
      for non-zero cc->tfms[i].  Fix by allocating zeroed memory.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      afa82093
    • Trond Myklebust's avatar
      NFSv4.x: Fix a refcount leak in nfs_callback_up_net · c512940b
      Trond Myklebust authored
      commit 98b0f80c upstream.
      
      On error, the callers expect us to return without bumping
      nn->cb_users[].
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c512940b
    • Vegard Nossum's avatar
      ALSA: timer: fix NULL pointer dereference on memory allocation failure · e5170157
      Vegard Nossum authored
      commit 8ddc0563 upstream.
      
      I hit this with syzkaller:
      
          kasan: CONFIG_KASAN_INLINE enabled
          kasan: GPF could be caused by NULL-ptr deref or user memory access
          general protection fault: 0000 [#1] PREEMPT SMP KASAN
          CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
          task: ffff88011278d600 task.stack: ffff8801120c0000
          RIP: 0010:[<ffffffff82c8ba07>]  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
          RSP: 0018:ffff8801120c7a60  EFLAGS: 00010006
          RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007
          RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048
          RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790
          R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980
          R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286
          FS:  00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0
          Stack:
           ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0
           ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000
           ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0
          Call Trace:
           [<ffffffff82c81ab1>] snd_timer_start1+0x331/0x670
           [<ffffffff82c85bfd>] snd_timer_start+0x5d/0xa0
           [<ffffffff82c8795e>] snd_timer_user_ioctl+0x88e/0x2830
           [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
           [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
           [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
           [<ffffffff8132762f>] ? put_prev_entity+0x108f/0x21a0
           [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
           [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
           [<ffffffff813510af>] ? cpuacct_account_field+0x12f/0x1a0
           [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
           [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
           [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
           [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
           [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
           [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
           [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
           [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
           [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
           [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
          Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46
          RIP  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
           RSP <ffff8801120c7a60>
          ---[ end trace 5955b08db7f2b029 ]---
      
      This can happen if snd_hrtimer_open() fails to allocate memory and
      returns an error, which is currently not checked by snd_timer_open():
      
          ioctl(SNDRV_TIMER_IOCTL_SELECT)
           - snd_timer_user_tselect()
      	- snd_timer_close()
      	   - snd_hrtimer_close()
      	      - (struct snd_timer *) t->private_data = NULL
              - snd_timer_open()
                 - snd_hrtimer_open()
                    - kzalloc() fails; t->private_data is still NULL
      
          ioctl(SNDRV_TIMER_IOCTL_START)
           - snd_timer_user_start()
      	- snd_timer_start()
      	   - snd_timer_start1()
      	      - snd_hrtimer_start()
      		- t->private_data == NULL // boom
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e5170157
    • Vegard Nossum's avatar
      ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE · b4782f57
      Vegard Nossum authored
      commit 6b760bb2 upstream.
      
      I got this:
      
          divide error: 0000 [#1] PREEMPT SMP KASAN
          CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
          task: ffff8801120a9580 task.stack: ffff8801120b0000
          RIP: 0010:[<ffffffff82c8bd9a>]  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
          RSP: 0018:ffff88011aa87da8  EFLAGS: 00010006
          RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000
          RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001
          RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048
          R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00
          R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000
          FS:  00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0
          Stack:
           0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76
           ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0
           00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0
          Call Trace:
           <IRQ>
           [<ffffffff813abce7>] __hrtimer_run_queues+0x347/0xa00
           [<ffffffff82c8bbc0>] ? snd_hrtimer_close+0x130/0x130
           [<ffffffff813ab9a0>] ? retrigger_next_event+0x1b0/0x1b0
           [<ffffffff813ae1a6>] ? hrtimer_interrupt+0x136/0x4b0
           [<ffffffff813ae220>] hrtimer_interrupt+0x1b0/0x4b0
           [<ffffffff8120f91e>] local_apic_timer_interrupt+0x6e/0xf0
           [<ffffffff81227ad3>] ? kvm_guest_apic_eoi_write+0x13/0xc0
           [<ffffffff83c35086>] smp_apic_timer_interrupt+0x76/0xa0
           [<ffffffff83c3416c>] apic_timer_interrupt+0x8c/0xa0
           <EOI>
           [<ffffffff83c3239c>] ? _raw_spin_unlock_irqrestore+0x2c/0x60
           [<ffffffff82c8185d>] snd_timer_start1+0xdd/0x670
           [<ffffffff82c87015>] snd_timer_continue+0x45/0x80
           [<ffffffff82c88100>] snd_timer_user_ioctl+0x1030/0x2830
           [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
           [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
           [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
           [<ffffffff815aa4f8>] ? handle_mm_fault+0xbc8/0x27f0
           [<ffffffff815a9930>] ? __pmd_alloc+0x370/0x370
           [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
           [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
           [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
           [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
           [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
           [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
           [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
           [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
           [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
           [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
           [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
           [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
          Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00
          RIP  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
           RSP <ffff88011aa87da8>
          ---[ end trace 6aa380f756a21074 ]---
      
      The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a
      completely new/unused timer -- it will have ->sticks == 0, which causes a
      divide by 0 in snd_hrtimer_callback().
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b4782f57
    • Mukesh Ojha's avatar
      powerpc/powernv : Drop reference added by kset_find_obj() · 91ed1914
      Mukesh Ojha authored
      commit a9cbf0b2 upstream.
      
      In a situation, where Linux kernel gets notified about duplicate error log
      from OPAL, it is been observed that kernel fails to remove sysfs entries
      (/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is because,
      we currently search the error log/dump kobject in the kset list via
      'kset_find_obj()' routine. Which eventually increment the reference count
      by one, once it founds the kobject.
      
      So, unless we decrement the reference count by one after it found the kobject,
      we would not be able to release the kobject properly later.
      
      This patch adds the 'kobject_put()' which was missing earlier.
      Signed-off-by: default avatarMukesh Ojha <mukesh02@linux.vnet.ibm.com>
      Reviewed-by: default avatarVasant Hegde <hegdevasant@linux.vnet.ibm.com>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      91ed1914
    • Rob Clark's avatar
      drm/msm: protect against faults from copy_from_user() in submit ioctl · 1cc8a445
      Rob Clark authored
      commit d78d383a upstream.
      
      An evil userspace could try to cause deadlock by passing an unfaulted-in
      GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
      msm_gem_fault() while we already hold struct_mutex.  See:
      
      https://github.com/freedreno/msmtest/blob/master/evilsubmittest.cSigned-off-by: default avatarRob Clark <robdclark@gmail.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1cc8a445
    • Rob Clark's avatar
      drm/msm: fix use of copy_from_user() while holding spinlock · b7ba904b
      Rob Clark authored
      commit 89f82cbb upstream.
      
      Use instead __copy_from_user_inatomic() and fallback to slow-path where
      we drop and re-aquire the lock in case of fault.
      Reported-by: default avatarVaishali Thakkar <vaishali.thakkar@oracle.com>
      Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b7ba904b
    • Rob Clark's avatar
      drm/msm: use mutex_lock_interruptible for submit ioctl · cc5fdd0c
      Rob Clark authored
      commit b5b4c264 upstream.
      
      Be kinder to things that do lots of signal handling (ie. Xorg)
      Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cc5fdd0c
    • Vegard Nossum's avatar
      fs/seq_file: fix out-of-bounds read · 20402281
      Vegard Nossum authored
      commit 088bf2ff upstream.
      
      seq_read() is a nasty piece of work, not to mention buggy.
      
      It has (I think) an old bug which allows unprivileged userspace to read
      beyond the end of m->buf.
      
      I was getting these:
      
          BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880
          Read of size 2713 by task trinity-c2/1329
          CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
          Call Trace:
            kasan_object_err+0x1c/0x80
            kasan_report_error+0x2cb/0x7e0
            kasan_report+0x4e/0x80
            check_memory_region+0x13e/0x1a0
            kasan_check_read+0x11/0x20
            seq_read+0xcd2/0x1480
            proc_reg_read+0x10b/0x260
            do_loop_readv_writev.part.5+0x140/0x2c0
            do_readv_writev+0x589/0x860
            vfs_readv+0x7b/0xd0
            do_readv+0xd8/0x2c0
            SyS_readv+0xb/0x10
            do_syscall_64+0x1b3/0x4b0
            entry_SYSCALL64_slow_path+0x25/0x25
          Object at ffff880116889100, in cache kmalloc-4096 size: 4096
          Allocated:
          PID = 1329
            save_stack_trace+0x26/0x80
            save_stack+0x46/0xd0
            kasan_kmalloc+0xad/0xe0
            __kmalloc+0x1aa/0x4a0
            seq_buf_alloc+0x35/0x40
            seq_read+0x7d8/0x1480
            proc_reg_read+0x10b/0x260
            do_loop_readv_writev.part.5+0x140/0x2c0
            do_readv_writev+0x589/0x860
            vfs_readv+0x7b/0xd0
            do_readv+0xd8/0x2c0
            SyS_readv+0xb/0x10
            do_syscall_64+0x1b3/0x4b0
            return_from_SYSCALL_64+0x0/0x6a
          Freed:
          PID = 0
          (stack is not available)
          Memory state around the buggy address:
           ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
           ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      		       ^
           ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
           ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
          ==================================================================
          Disabling lock debugging due to kernel taint
      
      This seems to be the same thing that Dave Jones was seeing here:
      
        https://lkml.org/lkml/2016/8/12/334
      
      There are multiple issues here:
      
        1) If we enter the function with a non-empty buffer, there is an attempt
           to flush it. But it was not clearing m->from after doing so, which
           means that if we try to do this flush twice in a row without any call
           to traverse() in between, we are going to be reading from the wrong
           place -- the splat above, fixed by this patch.
      
        2) If there's a short write to userspace because of page faults, the
           buffer may already contain multiple lines (i.e. pos has advanced by
           more than 1), but we don't save the progress that was made so the
           next call will output what we've already returned previously. Since
           that is a much less serious issue (and I have a headache after
           staring at seq_read() for the past 8 hours), I'll leave that for now.
      
      Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.comSigned-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Reported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      20402281
    • Nicolas Iooss's avatar
      printk: fix parsing of "brl=" option · dea3302c
      Nicolas Iooss authored
      commit ae6c33ba upstream.
      
      Commit bbeddf52 ("printk: move braille console support into separate
      braille.[ch] files") moved the parsing of braille-related options into
      _braille_console_setup(), changing the type of variable str from char*
      to char**.  In this commit, memcmp(str, "brl,", 4) was correctly updated
      to memcmp(*str, "brl,", 4) but not memcmp(str, "brl=", 4).
      
      Update the code to make "brl=" option work again and replace memcmp()
      with strncmp() to make the compiler able to detect such an issue.
      
      Fixes: bbeddf52 ("printk: move braille console support into separate braille.[ch] files")
      Link: http://lkml.kernel.org/r/20160823165700.28952-1-nicolas.iooss_linux@m4x.orgSigned-off-by: default avatarNicolas Iooss <nicolas.iooss_linux@m4x.org>
      Cc: Joe Perches <joe@perches.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dea3302c
    • Russell King's avatar
      ARM: sa1100: clear reset status prior to reboot · 60a9f376
      Russell King authored
      commit da60626e upstream.
      
      Clear the current reset status prior to rebooting the platform.  This
      adds the bit missing from 04fef228 ("[ARM] pxa: introduce
      reset_status and clear_reset_status for driver's usage").
      
      Fixes: 04fef228 ("[ARM] pxa: introduce reset_status and clear_reset_status for driver's usage")
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      60a9f376
    • Chen-Yu Tsai's avatar
      clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function · 4e12317c
      Chen-Yu Tsai authored
      commit b53e7d00 upstream.
      
      The bootloader (U-boot) sometimes uses this timer for various delays.
      It uses it as a ongoing counter, and does comparisons on the current
      counter value. The timer counter is never stopped.
      
      In some cases when the user interacts with the bootloader, or lets
      it idle for some time before loading Linux, the timer may expire,
      and an interrupt will be pending. This results in an unexpected
      interrupt when the timer interrupt is enabled by the kernel, at
      which point the event_handler isn't set yet. This results in a NULL
      pointer dereference exception, panic, and no way to reboot.
      
      Clear any pending interrupts after we stop the timer in the probe
      function to avoid this.
      Signed-off-by: default avatarChen-Yu Tsai <wens@csie.org>
      Signed-off-by: default avatarDaniel Lezcano <daniel.lezcano@linaro.org>
      Acked-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4e12317c
    • Sven Eckelmann's avatar
      batman-adv: Add missing refcnt for last_candidate · e0011c6c
      Sven Eckelmann authored
      commit 93652344 upstream.
      
      batadv_find_router dereferences last_bonding_candidate from
      orig_node without making sure that it has a valid reference. This reference
      has to be retrieved by increasing the reference counter while holding
      neigh_list_lock. The lock is required to avoid that
      batadv_last_bonding_replace removes the current last_bonding_candidate,
      reduces the reference counter and maybe destroys the object in this
      process.
      
      Fixes: f3b3d901 ("batman-adv: add bonding again")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      [bwh: Backported to 3.16:
       - s/kref_get/atomic_inc/
       - s/_put/_free_ref/]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e0011c6c
    • Simon Baatz's avatar
      ARM: kirkwood: ib62x0: fix size of u-boot environment partition · cc4b4278
      Simon Baatz authored
      commit a7789378 upstream.
      
      Commit 148c274e ("ARM: kirkwood: ib62x0: add u-boot environment
      partition") split the "u-boot" partition into "u-boot" and "u-boot
      environment".  However, instead of the size of the environment, an offset
      was given, resulting in overlapping partitions.
      Signed-off-by: default avatarSimon Baatz <gmbnomis@gmail.com>
      Fixes: 148c274e ("ARM: kirkwood: ib62x0: add u-boot environment partition")
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: Andrew Lunn <andrew@lunn.ch>
      Cc: Gregory Clement <gregory.clement@free-electrons.com>
      Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
      Cc: Luka Perkov <luka@openwrt.org>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cc4b4278
    • Eric Dumazet's avatar
      qdisc: fix a module refcount leak in qdisc_create_dflt() · 3b27f2ae
      Eric Dumazet authored
      commit 166ee5b8 upstream.
      
      Should qdisc_alloc() fail, we must release the module refcount
      we got right before.
      
      Fixes: 6da7c8fc ("qdisc: allow setting default queuing discipline")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarJohn Fastabend <john.r.fastabend@intel.com>
      Acked-by: default avatarJohn Fastabend <john.r.fastabend@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3b27f2ae
    • Felipe Balbi's avatar
      usb: gadget: udc: core: don't starve DMA resources · 2c825d45
      Felipe Balbi authored
      commit 23fd537c upstream.
      
      Always unmap all SG entries as required by DMA API
      
      Fixes: a698908d ("usb: gadget: add generic map/unmap request utilities")
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      [bwh: Backported to 3.16: adjust filename, context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2c825d45
    • Aleksandr Makarov's avatar
      USB: serial: option: add WeTelecom 0x6802 and 0x6803 products · 858ccdfd
      Aleksandr Makarov authored
      commit 40d9c325 upstream.
      
      These product IDs are listed in Windows driver.
      0x6803 corresponds to WeTelecom WM-D300.
      0x6802 name is unknown.
      Signed-off-by: default avatarAleksandr Makarov <aleksandr.o.makarov@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      858ccdfd
    • Wanpeng Li's avatar
      x86/apic: Do not init irq remapping if ioapic is disabled · 2ecd2605
      Wanpeng Li authored
      commit 2e63ad4b upstream.
      
      native_smp_prepare_cpus
        -> default_setup_apic_routing
          -> enable_IR_x2apic
            -> irq_remapping_prepare
              -> intel_prepare_irq_remapping
                -> intel_setup_irq_remapping
      
      So IR table is setup even if "noapic" boot parameter is added. As a result we
      crash later when the interrupt affinity is set due to a half initialized
      remapping infrastructure.
      
      Prevent remap initialization when IOAPIC is disabled.
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Joerg Roedel <joro@8bytes.org>
      Link: http://lkml.kernel.org/r/1471954039-3942-1-git-send-email-wanpeng.li@hotmail.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2ecd2605
    • John Stultz's avatar
      timekeeping: Cap array access in timekeeping_debug · e56b0b1a
      John Stultz authored
      commit a4f8f666 upstream.
      
      It was reported that hibernation could fail on the 2nd attempt, where the
      system hangs at hibernate() -> syscore_resume() -> i8237A_resume() ->
      claim_dma_lock(), because the lock has already been taken.
      
      However there is actually no other process would like to grab this lock on
      that problematic platform.
      
      Further investigation showed that the problem is triggered by setting
      /sys/power/pm_trace to 1 before the 1st hibernation.
      
      Since once pm_trace is enabled, the rtc becomes unmeaningful after suspend,
      and meanwhile some BIOSes would like to adjust the 'invalid' RTC (e.g, smaller
      than 1970) to the release date of that motherboard during POST stage, thus
      after resumed, it may seem that the system had a significant long sleep time
      which is a completely meaningless value.
      
      Then in timekeeping_resume -> tk_debug_account_sleep_time, if the bit31 of the
      sleep time happened to be set to 1, fls() returns 32 and we add 1 to
      sleep_time_bin[32], which causes an out of bounds array access and therefor
      memory being overwritten.
      
      As depicted by System.map:
      0xffffffff81c9d080 b sleep_time_bin
      0xffffffff81c9d100 B dma_spin_lock
      the dma_spin_lock.val is set to 1, which caused this problem.
      
      This patch adds a sanity check in tk_debug_account_sleep_time()
      to ensure we don't index past the sleep_time_bin array.
      
      [jstultz: Problem diagnosed and original patch by Chen Yu, I've solved the
       issue slightly differently, but borrowed his excelent explanation of the
       issue here.]
      
      Fixes: 5c83545f "power: Add option to log time spent in suspend"
      Reported-by: default avatarJanek Kozicki <cosurgi@gmail.com>
      Reported-by: default avatarChen Yu <yu.c.chen@intel.com>
      Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Cc: linux-pm@vger.kernel.org
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Xunlei Pang <xpang@redhat.com>
      Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
      Cc: Zhang Rui <rui.zhang@intel.com>
      Link: http://lkml.kernel.org/r/1471993702-29148-3-git-send-email-john.stultz@linaro.orgSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e56b0b1a
    • Soheil Hassas Yeganeh's avatar
      tun: fix transmit timestamp support · b256d30b
      Soheil Hassas Yeganeh authored
      commit 7b996243 upstream.
      
      Instead of using sock_tx_timestamp, use skb_tx_timestamp to record
      software transmit timestamp of a packet.
      
      sock_tx_timestamp resets and overrides the tx_flags of the skb.
      The function is intended to be called from within the protocol
      layer when creating the skb, not from a device driver. This is
      inconsistent with other drivers and will cause issues for TCP.
      
      In TCP, we intend to sample the timestamps for the last byte
      for each sendmsg/sendpage. For that reason, tcp_sendmsg calls
      tcp_tx_timestamp only with the last skb that it generates.
      For example, if a 128KB message is split into two 64KB packets
      we want to sample the SND timestamp of the last packet. The current
      code in the tun driver, however, will result in sampling the SND
      timestamp for both packets.
      
      Also, when the last packet is split into smaller packets for
      retranmission (see tcp_fragment), the tun driver will record
      timestamps for all of the retransmitted packets and not only the
      last packet.
      
      Fixes: eda29772 (tun: Support software transmit time stamping.)
      Signed-off-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarFrancis Yan <francisyyan@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: call to sock_tx_timestamp() was different]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b256d30b
    • Vincent Stehlé's avatar
      ubifs: Fix assertion in layout_in_gaps() · 14c6d78d
      Vincent Stehlé authored
      commit c0082e98 upstream.
      
      An assertion in layout_in_gaps() verifies that the gap_lebs pointer is
      below the maximum bound. When computing this maximum bound the idx_lebs
      count is multiplied by sizeof(int), while C pointers arithmetic does take
      into account the size of the pointed elements implicitly already. Remove
      the multiplication to fix the assertion.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Signed-off-by: default avatarVincent Stehlé <vincent.stehle@intel.com>
      Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      14c6d78d
    • Alan Stern's avatar
      USB: avoid left shift by -1 · d20e1b51
      Alan Stern authored
      commit 53e5f36f upstream.
      
      UBSAN complains about a left shift by -1 in proc_do_submiturb().  This
      can occur when an URB is submitted for a bulk or control endpoint on
      a high-speed device, since the code doesn't bother to check the
      endpoint type; normally only interrupt or isochronous endpoints have
      a nonzero bInterval value.
      
      Aside from the fact that the operation is illegal, it shouldn't matter
      because the result isn't used.  Still, in theory it could cause a
      hardware exception or other problem, so we should work around it.
      This patch avoids doing the left shift unless the shift amount is >= 0.
      
      The same piece of code has another problem.  When checking the device
      speed (the exponential encoding for interrupt endpoints is used only
      by high-speed or faster devices), we need to look for speed >=
      USB_SPEED_SUPER as well as speed == USB_SPEED HIGH.  The patch adds
      this check.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarVittorio Zecca <zeccav@gmail.com>
      Tested-by: default avatarVittorio Zecca <zeccav@gmail.com>
      Suggested-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d20e1b51
    • Peter Ujfalusi's avatar
      ASoC: omap-mcpdm: Fix irq resource handling · 707fb09b
      Peter Ujfalusi authored
      commit a8719670 upstream.
      
      Fixes: ddd17531 ("ASoC: omap-mcpdm: Clean up with devm_* function")
      
      Managed irq request will not doing any good in ASoC probe level as it is
      not going to free up the irq when the driver is unbound from the sound
      card.
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Reported-by: default avatarRussell King <linux@armlinux.org.uk>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      707fb09b
    • Alan Stern's avatar
      USB: fix typo in wMaxPacketSize validation · e81ec1eb
      Alan Stern authored
      commit 6c73358c upstream.
      
      The maximum value allowed for wMaxPacketSize of a high-speed interrupt
      endpoint is 1024 bytes, not 1023.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Fixes: aed9d65a ("USB: validate wMaxPacketValue entries in endpoint descriptors")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e81ec1eb
    • Masahiro Yamada's avatar
      Input: tegra-kbc - fix inverted reset logic · b05c14d1
      Masahiro Yamada authored
      commit fae16989 upstream.
      
      Commit fe6b0dfa ("Input: tegra-kbc - use reset framework")
      accidentally converted _deassert to _assert, so there is no code
      to wake up this hardware.
      
      Fixes: fe6b0dfa ("Input: tegra-kbc - use reset framework")
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Acked-by: default avatarThierry Reding <treding@nvidia.com>
      Acked-by: default avatarLaxman Dewangan <ldewangan@nvidia.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b05c14d1
    • Dan Carpenter's avatar
      usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame() · a7f08d08
      Dan Carpenter authored
      commit f4693b08 upstream.
      
      We can't assign -EINVAL to a u16.
      
      Fixes: 3948f0e0 ('usb: add Freescale QE/CPM USB peripheral controller driver')
      Acked-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a7f08d08
    • Daniel Vetter's avatar
      drm: Reject page_flip for !DRIVER_MODESET · 3e16efd8
      Daniel Vetter authored
      commit 6f00975c upstream.
      
      Somehow this one slipped through, which means drivers without modeset
      support can be oopsed (since those also don't call
      drm_mode_config_init, which means the crtc lookup will chase an
      uninitalized idr).
      Reported-by: default avatarAlexander Potapenko <glider@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3e16efd8
    • Michael Ellerman's avatar
      powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support · 028750fc
      Michael Ellerman authored
      commit 66443efa upstream.
      
      When booting from an OpenFirmware which supports it, we use the
      "ibm,client-architecture-support" firmware call to communicate
      our capabilities to firmware.
      
      The format of the structure we pass to firmware is specified in
      PAPR (Power Architecture Platform Requirements), or the public version
      LoPAPR (Linux on Power Architecture Platform Reference).
      
      Referring to table 244 in LoPAPR v1.1, option vector 5 contains a 4 byte
      field at bytes 17-20 for the "Platform Facilities Enable". This is
      followed by a 1 byte field at byte 21 for "Sub-Processor Represenation
      Level".
      
      Comparing to the code, there we have the Platform Facilities
      options (OV5_PFO_*) at byte 17, but we fail to pad that field out to its
      full width of 4 bytes. This means the OV5_SUB_PROCESSORS option is
      incorrectly placed at byte 18.
      
      Fix it by adding zero bytes for bytes 18, 19, 20, and comment the bytes
      to hopefully make it clearer in future.
      
      As far as I'm aware nothing actually consumes this value at this time,
      so the effect of this bug is nil in practice.
      
      It does mean we've been incorrectly setting bit 15 of the "Platform
      Facilities Enable" option for the past ~3 1/2 years, so we should avoid
      allocating that bit to anything else in future.
      
      Fixes: df77c799 ("powerpc/pseries: Update ibm,architecture.vec for PAPR 2.7/POWER8")
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      [bwh: Backported to 3.16:
       - Adjust context
       - Length calculations don't use VECTOR_LENGTH()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      028750fc
    • Mauricio Faria de Oliveira's avatar
      powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb) · c3e74083
      Mauricio Faria de Oliveira authored
      commit 2dd9c11b upstream.
      
      This patch leverages 'struct pci_host_bridge' from the PCI subsystem
      in order to free the pci_controller only after the last reference to
      its devices is dropped (avoiding an oops in pcibios_release_device()
      if the last reference is dropped after pcibios_free_controller()).
      
      The patch relies on pci_host_bridge.release_fn() (and .release_data),
      which is called automatically by the PCI subsystem when the root bus
      is released (i.e., the last reference is dropped).  Those fields are
      set via pci_set_host_bridge_release() (e.g. in the platform-specific
      implementation of pcibios_root_bridge_prepare()).
      
      It introduces the 'pcibios_free_controller_deferred()' .release_fn()
      and it expects .release_data to hold a pointer to the pci_controller.
      
      The function implictly calls 'pcibios_free_controller()', so an user
      must *NOT* explicitly call it if using the new _deferred() callback.
      
      The functionality is enabled for pseries (although it isn't platform
      specific, and may be used by cxl).
      
      Details on not-so-elegant design choices:
      
       - Use 'pci_host_bridge.release_data' field as pointer to associated
         'struct pci_controller' so *not* to 'pci_bus_to_host(bridge->bus)'
         in pcibios_free_controller_deferred().
      
         That's because pci_remove_root_bus() sets 'host_bridge->bus = NULL'
         (so, if the last reference is released after pci_remove_root_bus()
         runs, which eventually reaches pcibios_free_controller_deferred(),
         that would hit a null pointer dereference).
      
         The cxl/vphb.c code calls pci_remove_root_bus(), and the cxl folks
         are interested in this fix.
      
      Test-case #1 (hold references)
      
        # ls -ld /sys/block/sd* | grep -m1 0021:01:00.0
        <...> /sys/block/sdaa -> ../devices/pci0021:01/0021:01:00.0/<...>
      
        # ls -ld /sys/block/sd* | grep -m1 0021:01:00.1
        <...> /sys/block/sdab -> ../devices/pci0021:01/0021:01:00.1/<...>
      
        # cat >/dev/sdaa & pid1=$!
        # cat >/dev/sdab & pid2=$!
      
        # drmgr -w 5 -d 1 -c phb -s 'PHB 33' -r
        Validating PHB DLPAR capability...yes.
        [  594.306719] pci_hp_remove_devices: PCI: Removing devices on bus 0021:01
        [  594.306738] pci_hp_remove_devices:    Removing 0021:01:00.0...
        ...
        [  598.236381] pci_hp_remove_devices:    Removing 0021:01:00.1...
        ...
        [  611.972077] pci_bus 0021:01: busn_res: [bus 01-ff] is released
        [  611.972140] rpadlpar_io: slot PHB 33 removed
      
        # kill -9 $pid1
        # kill -9 $pid2
        [  632.918088] pcibios_free_controller_deferred: domain 33, dynamic 1
      
      Test-case #2 (don't hold references)
      
        # drmgr -w 5 -d 1 -c phb -s 'PHB 33' -r
        Validating PHB DLPAR capability...yes.
        [  916.357363] pci_hp_remove_devices: PCI: Removing devices on bus 0021:01
        [  916.357386] pci_hp_remove_devices:    Removing 0021:01:00.0...
        ...
        [  920.566527] pci_hp_remove_devices:    Removing 0021:01:00.1...
        ...
        [  933.955873] pci_bus 0021:01: busn_res: [bus 01-ff] is released
        [  933.955977] pcibios_free_controller_deferred: domain 33, dynamic 1
        [  933.955999] rpadlpar_io: slot PHB 33 removed
      Suggested-By: default avatarGavin Shan <gwshan@linux.vnet.ibm.com>
      Signed-off-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Reviewed-by: default avatarGavin Shan <gwshan@linux.vnet.ibm.com>
      Reviewed-by: default avatarAndrew Donnellan <andrew.donnellan@au1.ibm.com>
      Tested-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com> # cxl
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c3e74083
    • Linus Walleij's avatar
      iio: accel: kxsd9: Fix raw read return · 2a59b4b0
      Linus Walleij authored
      commit 7ac61a06 upstream.
      
      Any readings from the raw interface of the KXSD9 driver will
      return an empty string, because it does not return
      IIO_VAL_INT but rather some random value from the accelerometer
      to the caller.
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2a59b4b0
    • Vignesh R's avatar
      iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access · 81e39515
      Vignesh R authored
      commit 90c43ec6 upstream.
      
      It is possible that two or more ADC channels can be simultaneously
      requested for raw samples, in which case there can be race in access to
      FIFO data resulting in loss of samples.
      If am335x_tsc_se_set_once() is called again from tiadc_read_raw(), when
      ADC is still acquired to sample one of the channels, the second process
      might be put into uninterruptible sleep state. Fix these issues, by
      protecting FIFO access and channel configurations with a mutex. Since
      tiadc_read_raw() might take anywhere between few microseconds to few
      milliseconds to finish execution (depending on averaging and delay
      values supplied via DT), its better to use mutex instead of spinlock.
      
      Fixes: 7ca6740c ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization")
      Signed-off-by: default avatarVignesh R <vigneshr@ti.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      81e39515
    • Ian Abbott's avatar
      staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility · 52932810
      Ian Abbott authored
      commit f0f4b0cc upstream.
      
      Commit ebb657ba ("staging: comedi: ni_mio_common: clarify the
      cmd->start_arg validation and use") introduced a backwards compatibility
      issue in the use of asynchronous commands on the AO subdevice when
      `start_src` is `TRIG_EXT`.  Valid values for `start_src` are `TRIG_INT`
      (for internal, software trigger), and `TRIG_EXT` (for external trigger).
      When set to `TRIG_EXT`.  In both cases, the driver relies on an
      internal, software trigger to set things up (allowing the user
      application to write sufficient samples to the data buffer before the
      trigger), so it acts as a software "pre-trigger" in the `TRIG_EXT` case.
      The software trigger is handled by `ni_ao_inttrig()`.
      
      Prior to the above change, when `start_src` was `TRIG_INT`, `start_arg`
      was required to be 0, and `ni_ao_inttrig()` checked that the software
      trigger number was also 0.  After the above change, when `start_src` was
      `TRIG_INT`, any value was allowed for `start_arg`, and `ni_ao_inttrig()`
      checked that the software trigger number matched this `start_arg` value.
      The backwards compatibility issue is that the internal trigger number
      now has to match `start_arg` when `start_src` is `TRIG_EXT` when it
      previously had to be 0.
      
      Fix the backwards compatibility issue in `ni_ao_inttrig()` by always
      allowing software trigger number 0 when `start_src` is something other
      than `TRIG_INT`.
      
      Thanks to Spencer Olson for reporting the issue.
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Reported-by: default avatarSpencer Olson <olsonse@umich.edu>
      Fixes: ebb657ba ("staging: comedi: ni_mio_common: clarify the cmd->start_arg validation and use")
      Reviewed-by: default avatarH Hartley Sweeten <hsweeten@visionengravers.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      52932810
    • Ian Abbott's avatar
      staging: comedi: daqboard2000: bug fix board type matching code · 8368871e
      Ian Abbott authored
      commit 80e162ee upstream.
      
      `daqboard2000_find_boardinfo()` is supposed to check if the
      DaqBoard/2000 series model is supported, based on the PCI subvendor and
      subdevice ID.  The current code is wrong as it is comparing the PCI
      device's subdevice ID to an expected, fixed value for the subvendor ID.
      It should be comparing the PCI device's subvendor ID to this fixed
      value.  Correct it.
      
      Fixes: 7e8401b2 ("staging: comedi: daqboard2000: add back
      subsystem_device check")
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8368871e
    • Aleksandr Makarov's avatar
      USB: serial: option: add WeTelecom WM-D200 · 50c930ae
      Aleksandr Makarov authored
      commit 6695593e upstream.
      
      Add support for WeTelecom WM-D200.
      
      T:  Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#=  4 Spd=12  MxCh= 0
      D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=22de ProdID=6801 Rev=00.00
      S:  Manufacturer=WeTelecom Incorporated
      S:  Product=WeTelecom Mobile Products
      C:  #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      I:  If#= 3 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
      Signed-off-by: default avatarAleksandr Makarov <aleksandr.o.makarov@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      50c930ae
    • Helge Deller's avatar
      parisc: Fix order of EREFUSED define in errno.h · 76039232
      Helge Deller authored
      commit 3eb53b20 upstream.
      
      When building gccgo in userspace, errno.h gets parsed and the go include file
      sysinfo.go is generated.
      
      Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED
      is defined later on in errno.h, this leads to go complaining that EREFUSED
      isn't defined yet.
      
      Fix this trivial problem by moving the define of EREFUSED down after
      ECONNREFUSED in errno.h (and clean up the indenting while touching this line).
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      76039232
    • Paul Blakey's avatar
      net/mlx5: Added missing check of msg length in verifying its signature · 568a35c8
      Paul Blakey authored
      commit 2c0f8ce1 upstream.
      
      Set and verify signature calculates the signature for each of the
      mailbox nodes, even for those that are unused (from cache). Added
      a missing length check to set and verify only those which are used.
      
      While here, also moved the setting of msg's nodes token to where we
      already go over them. This saves a pass because checksum is disabled,
      and the only useful thing remaining that set signature does is setting
      the token.
      
      Fixes: e126ba97 ('mlx5: Add driver for Mellanox Connect-IB
      adapters')
      Signed-off-by: default avatarPaul Blakey <paulb@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      568a35c8
    • Dmitry Torokhov's avatar
      Input: i8042 - set up shared ps2_cmd_mutex for AUX ports · 6bdcdce0
      Dmitry Torokhov authored
      commit 47af45d6 upstream.
      
      The commit 40974618 ("Input: i8042 - break load dependency ...")
      correctly set up ps2_cmd_mutex pointer for the KBD port but forgot to do
      the same for AUX port(s), which results in communication on KBD and AUX
      ports to clash with each other.
      
      Fixes: 40974618 ("Input: i8042 - break load dependency ...")
      Reported-by: default avatarBruno Wolff III <bruno@wolff.to>
      Tested-by: default avatarBruno Wolff III <bruno@wolff.to>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6bdcdce0
    • Christian König's avatar
      drm/radeon: fix radeon_move_blit on 32bit systems · 5b308d42
      Christian König authored
      commit 13f479b9 upstream.
      
      This bug seems to be present for a very long time.
      Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5b308d42
    • James Hogan's avatar
      MIPS: KVM: Check for pfn noslot case · 634ab2ea
      James Hogan authored
      commit ba913e4f upstream.
      
      When mapping a page into the guest we error check using is_error_pfn(),
      however this doesn't detect a value of KVM_PFN_NOSLOT, indicating an
      error HVA for the page. This can only happen on MIPS right now due to
      unusual memslot management (e.g. being moved / removed / resized), or
      with an Enhanced Virtual Memory (EVA) configuration where the default
      KVM_HVA_ERR_* and kvm_is_error_hva() definitions are unsuitable (fixed
      in a later patch). This case will be treated as a pfn of zero, mapping
      the first page of physical memory into the guest.
      
      It would appear the MIPS KVM port wasn't updated prior to being merged
      (in v3.10) to take commit 81c52c56 ("KVM: do not treat noslot pfn as
      a error pfn") into account (merged v3.8), which converted a bunch of
      is_error_pfn() calls to is_error_noslot_pfn(). Switch to using
      is_error_noslot_pfn() instead to catch this case properly.
      
      Fixes: 858dd5d4 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: kvm@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [james.hogan@imgtec.com: Backport to v4.7.y]
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      634ab2ea