1. 20 Feb, 2015 25 commits
    • Sujith Manoharan's avatar
      Bluetooth: ath3k: Add support for another AR3012 card · 94b83dc3
      Sujith Manoharan authored
      commit bd0fca1b upstream.
      
      T:  Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=04ca ProdID=300b Rev= 0.01
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      Reported-by: default avatarFace <falazemi@gmail.com>
      Signed-off-by: default avatarSujith Manoharan <sujith@msujith.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      94b83dc3
    • Sujith Manoharan's avatar
      Bluetooth: ath3k: Add support for a new AR3012 device · 8a40c76e
      Sujith Manoharan authored
      commit 35580d22 upstream.
      
      T:  Bus=02 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#=  9 Spd=12   MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0489 ProdID=e05f Rev= 0.02
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      Reported-by: default avatarJoshua Richenhagen <richenhagen@gmail.com>
      Signed-off-by: default avatarSujith Manoharan <sujith@msujith.org>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8a40c76e
    • Ken O'Brien's avatar
      Bluetooth: btusb: Add support for Belkin F8065bf · 9ea93ac7
      Ken O'Brien authored
      commit 5bcecf32 upstream.
      
      Add generic rule on encountering Belkin bluetooth usb device F8065bf.
      
      Relevant section from /sys/kernel/debug/usb/devices:
      
      T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=050d ProdID=065a Rev= 1.12
      S:  Manufacturer=Broadcom Corp
      S:  Product=BCM20702A0
      S:  SerialNumber=0002723E2D29
      C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=100mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      Signed-off-by: default avatarKen O'Brien <kernel@kenobrien.org>
      Signed-off-by: default avatarGustavo Padovan <gustavo.padovan@collabora.co.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9ea93ac7
    • Robert Baldyga's avatar
      serial: samsung: wait for transfer completion before clock disable · 375c2b68
      Robert Baldyga authored
      commit 1ff383a4 upstream.
      
      This patch adds waiting until transmit buffer and shifter will be empty
      before clock disabling.
      
      Without this fix it's possible to have clock disabled while data was
      not transmited yet, which causes unproper state of TX line and problems
      in following data transfers.
      Signed-off-by: default avatarRobert Baldyga <r.baldyga@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      375c2b68
    • Dmitry Eremin-Solenikov's avatar
      mfd: tc6393xb: Fail ohci suspend if full state restore is required · 7010f0f3
      Dmitry Eremin-Solenikov authored
      commit 1a5fb99d upstream.
      
      Some boards with TC6393XB chip require full state restore during system
      resume thanks to chip's VCC being cut off during suspend (Sharp SL-6000
      tosa is one of them). Failing to do so would result in ohci Oops on
      resume due to internal memory contentes being changed. Fail ohci suspend
      on tc6393xb is full state restore is required.
      
      Recommended workaround is to unbind tmio-ohci driver before suspend and
      rebind it after resume.
      Signed-off-by: default avatarDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7010f0f3
    • Takashi Iwai's avatar
      uvcvideo: Fix destruction order in uvc_delete() · e9c1f59b
      Takashi Iwai authored
      commit 2228d80d upstream.
      
      We've got a bug report at disconnecting a Webcam, where the kernel
      spews warnings like below:
        WARNING: CPU: 0 PID: 8385 at ../fs/sysfs/group.c:219 sysfs_remove_group+0x87/0x90()
        sysfs group c0b2350c not found for kobject 'event3'
        CPU: 0 PID: 8385 Comm: queue2:src Not tainted 3.16.2-1.gdcee397-default #1
        Hardware name: ASUSTeK Computer INC. A7N8X-E/A7N8X-E, BIOS ASUS A7N8X-E Deluxe ACPI BIOS Rev 1013  11/12/2004
          c08d0705 ddc75cbc c0718c5b ddc75ccc c024b654 c08c6d44 ddc75ce8 000020c1
          c08d0705 000000db c03d1ec7 c03d1ec7 00000009 00000000 c0b2350c d62c9064
          ddc75cd4 c024b6a3 00000009 ddc75ccc c08c6d44 ddc75ce8 ddc75cfc c03d1ec7
        Call Trace:
          [<c0205ba6>] try_stack_unwind+0x156/0x170
          [<c02046f3>] dump_trace+0x53/0x180
          [<c0205c06>] show_trace_log_lvl+0x46/0x50
          [<c0204871>] show_stack_log_lvl+0x51/0xe0
          [<c0205c67>] show_stack+0x27/0x50
          [<c0718c5b>] dump_stack+0x3e/0x4e
          [<c024b654>] warn_slowpath_common+0x84/0xa0
          [<c024b6a3>] warn_slowpath_fmt+0x33/0x40
          [<c03d1ec7>] sysfs_remove_group+0x87/0x90
          [<c05a2c54>] device_del+0x34/0x180
          [<c05e3989>] evdev_disconnect+0x19/0x50
          [<c05e06fa>] __input_unregister_device+0x9a/0x140
          [<c05e0845>] input_unregister_device+0x45/0x80
          [<f854b1d6>] uvc_delete+0x26/0x110 [uvcvideo]
          [<f84d66f8>] v4l2_device_release+0x98/0xc0 [videodev]
          [<c05a25bb>] device_release+0x2b/0x90
          [<c04ad8bf>] kobject_cleanup+0x6f/0x1a0
          [<f84d5453>] v4l2_release+0x43/0x70 [videodev]
          [<c0372f31>] __fput+0xb1/0x1b0
          [<c02650c1>] task_work_run+0x91/0xb0
          [<c024d845>] do_exit+0x265/0x910
          [<c024df64>] do_group_exit+0x34/0xa0
          [<c025a76f>] get_signal_to_deliver+0x17f/0x590
          [<c0201b6a>] do_signal+0x3a/0x960
          [<c02024f7>] do_notify_resume+0x67/0x90
          [<c071ebb5>] work_notifysig+0x30/0x3b
          [<b7739e60>] 0xb7739e5f
         ---[ end trace b1e56095a485b631 ]---
      
      The cause is that uvc_status_cleanup() is called after usb_put_*() in
      uvc_delete().  usb_put_*() removes the sysfs parent and eventually
      removes the children recursively, so the later device_del() can't find
      its sysfs.  The fix is simply rearrange the call orders in
      uvc_delete() so that the child is removed before the parent.
      
      Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=897736Reported-and-tested-by: default avatarMartin Pluskal <mpluskal@suse.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e9c1f59b
    • Greg Kroah-Hartman's avatar
      USB: cdc-acm: check for valid interfaces · 3decfa6e
      Greg Kroah-Hartman authored
      commit 403dff4e upstream.
      
      We need to check that we have both a valid data and control inteface for both
      types of headers (union and not union.)
      
      References: https://bugzilla.kernel.org/show_bug.cgi?id=83551Reported-by: default avatarSimon Schubert <2+kernel@0x2c.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3decfa6e
    • Jens Axboe's avatar
      genhd: check for int overflow in disk_expand_part_tbl() · 44cee4aa
      Jens Axboe authored
      commit 5fabcb4c upstream.
      
      We can get here from blkdev_ioctl() -> blkpg_ioctl() -> add_partition()
      with a user passed in partno value. If we pass in 0x7fffffff, the
      new target in disk_expand_part_tbl() overflows the 'int' and we
      access beyond the end of ptbl->part[] and even write to it when we
      do the rcu_assign_pointer() to assign the new partition.
      Reported-by: default avatarDavid Ramos <daramos@stanford.edu>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      44cee4aa
    • Keerthy's avatar
      bus: omap_l3_noc: Correct returning IRQ_HANDLED unconditionally in the irq handler · 3cf6ed75
      Keerthy authored
      commit c4cf0935 upstream.
      
      Correct returning IRQ_HANDLED unconditionally in the irq handler.
      Return IRQ_NONE for some interrupt which we do not expect to be
      handled in this handler. This prevents kernel stalling with back
      to back spurious interrupts.
      
      Fixes: 2722e56d ("OMAP4: l3: Introduce l3-interconnect error handling driver")
      Acked-by: default avatarNishanth Menon <nm@ti.com>
      Signed-off-by: default avatarKeerthy <j-keerthy@ti.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      [bwh: Backported to 3.2: adjust filename, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3cf6ed75
    • Hannes Reinecke's avatar
      scsi: correct return values for .eh_abort_handler implementations · 27bdcd72
      Hannes Reinecke authored
      commit b6c92b7e upstream.
      
      The .eh_abort_handler needs to return SUCCESS, FAILED, or
      FAST_IO_FAIL. So fixup all callers to adhere to this requirement.
      Reviewed-by: default avatarRobert Elliott <elliott@hp.com>
      Signed-off-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      [bwh: Backported to 3.2: drop changes to esas2r]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      27bdcd72
    • Myron Stowe's avatar
      PCI: Restore detection of read-only BARs · e316075b
      Myron Stowe authored
      commit 36e81648 upstream.
      
      Commit 6ac665c6 ("PCI: rewrite PCI BAR reading code") masked off
      low-order bits from 'l', but not from 'sz'.  Both are passed to pci_size(),
      which compares 'base == maxbase' to check for read-only BARs.  The masking
      of 'l' means that comparison will never be 'true', so the check for
      read-only BARs no longer works.
      
      Resolve this by also masking off the low-order bits of 'sz' before passing
      it into pci_size() as 'maxbase'.  With this change, pci_size() will once
      again catch the problems that have been encountered to date:
      
        - AGP aperture BAR of AMD-7xx host bridges: if the AGP window is
          disabled, this BAR is read-only and read as 0x00000008 [1]
      
        - BARs 0-4 of ALi IDE controllers can be non-zero and read-only [1]
      
        - Intel Sandy Bridge - Thermal Management Controller [8086:0103];
          BAR 0 returning 0xfed98004 [2]
      
        - Intel Xeon E5 v3/Core i7 Power Control Unit [8086:2fc0];
          Bar 0 returning 0x00001a [3]
      
      Link: [1] https://git.kernel.org/cgit/linux/kernel/git/tglx/history.git/commit/drivers/pci/probe.c?id=1307ef6621991f1c4bc3cec1b5a4ebd6fd3d66b9 ("PCI: probing read-only BARs" (pre-git))
      Link: [2] https://bugzilla.kernel.org/show_bug.cgi?id=43331
      Link: [3] https://bugzilla.kernel.org/show_bug.cgi?id=85991Reported-by: default avatarWilliam Unruh <unruh@physics.ubc.ca>
      Reported-by: default avatarMartin Lucina <martin@lucina.net>
      Signed-off-by: default avatarMyron Stowe <myron.stowe@redhat.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      CC: Matthew Wilcox <willy@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e316075b
    • Lars Ellenberg's avatar
      drbd: merge_bvec_fn: properly remap bvm->bi_bdev · e5c973e3
      Lars Ellenberg authored
      commit 3b9d35d7 upstream.
      
      This was not noticed for many years. Affects operation if
      md raid is used a backing device for DRBD.
      Signed-off-by: default avatarPhilipp Reisner <philipp.reisner@linbit.com>
      Signed-off-by: default avatarLars Ellenberg <lars.ellenberg@linbit.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      [bwh: Backported to 3.2: s/device/mdev/]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e5c973e3
    • Alex Williamson's avatar
      driver core: Fix unbalanced device reference in drivers_probe · 4ff42834
      Alex Williamson authored
      commit 0372ffb3 upstream.
      
      bus_find_device_by_name() acquires a device reference which is never
      released.  This results in an object leak, which on older kernels
      results in failure to release all resources of PCI devices.  libvirt
      uses drivers_probe to re-attach devices to the host after assignment
      and is therefore a common trigger for this leak.
      
      Example:
      
      # cd /sys/bus/pci/
      # dmesg -C
      # echo 1 > devices/0000\:01\:00.0/sriov_numvfs
      # echo 0 > devices/0000\:01\:00.0/sriov_numvfs
      # dmesg | grep 01:10
       pci 0000:01:10.0: [8086:10ca] type 00 class 0x020000
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_add_internal: parent: '0000:00:01.0', set: 'devices'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_cleanup, parent           (null)
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): calling ktype release
       kobject: '0000:01:10.0': free name
      
      [kobject freed as expected]
      
      # dmesg -C
      # echo 1 > devices/0000\:01\:00.0/sriov_numvfs
      # echo 0000:01:10.0 > drivers_probe
      # echo 0 > devices/0000\:01\:00.0/sriov_numvfs
      # dmesg | grep 01:10
       pci 0000:01:10.0: [8086:10ca] type 00 class 0x020000
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_add_internal: parent: '0000:00:01.0', set: 'devices'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
      
      [no free]
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4ff42834
    • Richard Weinberger's avatar
      UBI: Fix invalid vfree() · 83e1f583
      Richard Weinberger authored
      commit f38aed97 upstream.
      
      The logic of vfree()'ing vol->upd_buf is tied to vol->updating.
      In ubi_start_update() vol->updating is set long before vmalloc()'ing
      vol->upd_buf. If we encounter a write failure in ubi_start_update()
      before vmalloc() the UBI device release function will try to vfree()
      vol->upd_buf because vol->updating is set.
      Fix this by allocating vol->upd_buf directly after setting vol->updating.
      
      Fixes:
      [   31.559338] UBI warning: vol_cdev_release: update of volume 2 not finished, volume is damaged
      [   31.559340] ------------[ cut here ]------------
      [   31.559343] WARNING: CPU: 1 PID: 2747 at mm/vmalloc.c:1446 __vunmap+0xe3/0x110()
      [   31.559344] Trying to vfree() nonexistent vm area (ffffc90001f2b000)
      [   31.559345] Modules linked in:
      [   31.565620]  0000000000000bba ffff88002a0cbdb0 ffffffff818f0497 ffff88003b9ba148
      [   31.566347]  ffff88002a0cbde0 ffffffff8156f515 ffff88003b9ba148 0000000000000bba
      [   31.567073]  0000000000000000 0000000000000000 ffff88002a0cbe88 ffffffff8156c10a
      [   31.567793] Call Trace:
      [   31.568034]  [<ffffffff818f0497>] dump_stack+0x4e/0x7a
      [   31.568510]  [<ffffffff8156f515>] ubi_io_write_vid_hdr+0x155/0x160
      [   31.569084]  [<ffffffff8156c10a>] ubi_eba_write_leb+0x23a/0x870
      [   31.569628]  [<ffffffff81569b36>] vol_cdev_write+0x226/0x380
      [   31.570155]  [<ffffffff81179265>] vfs_write+0xb5/0x1f0
      [   31.570627]  [<ffffffff81179f8a>] SyS_pwrite64+0x6a/0xa0
      [   31.571123]  [<ffffffff818fde12>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      83e1f583
    • Christian Borntraeger's avatar
      KVM: s390: flush CPU on load control · 823f1402
      Christian Borntraeger authored
      commit 2dca485f upstream.
      
      some control register changes will flush some aspects of the CPU, e.g.
      POP explicitely mentions that for CR9-CR11 "TLBs may be cleared".
      Instead of trying to be clever and only flush on specific CRs, let
      play safe and flush on all lctl(g) as future machines might define
      new bits in CRs. Load control intercept should not happen that often.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Acked-by: default avatarCornelia Huck <cornelia.huck@de.ibm.com>
      Reviewed-by: default avatarDavid Hildenbrand <dahi@linux.vnet.ibm.com>
      [bwh: Backported to 3.2: adjust filename, context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      823f1402
    • Daniel Borkmann's avatar
      ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs · dd395f67
      Daniel Borkmann authored
      commit 4c672e4b upstream.
      
      It has been reported that generating an MLD listener report on
      devices with large MTUs (e.g. 9000) and a high number of IPv6
      addresses can trigger a skb_over_panic():
      
      skbuff: skb_over_panic: text:ffffffff80612a5d len:3776 put:20
      head:ffff88046d751000 data:ffff88046d751010 tail:0xed0 end:0xec0
      dev:port1
       ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:100!
      invalid opcode: 0000 [#1] SMP
      Modules linked in: ixgbe(O)
      CPU: 3 PID: 0 Comm: swapper/3 Tainted: G O 3.14.23+ #4
      [...]
      Call Trace:
       <IRQ>
       [<ffffffff80578226>] ? skb_put+0x3a/0x3b
       [<ffffffff80612a5d>] ? add_grhead+0x45/0x8e
       [<ffffffff80612e3a>] ? add_grec+0x394/0x3d4
       [<ffffffff80613222>] ? mld_ifc_timer_expire+0x195/0x20d
       [<ffffffff8061308d>] ? mld_dad_timer_expire+0x45/0x45
       [<ffffffff80255b5d>] ? call_timer_fn.isra.29+0x12/0x68
       [<ffffffff80255d16>] ? run_timer_softirq+0x163/0x182
       [<ffffffff80250e6f>] ? __do_softirq+0xe0/0x21d
       [<ffffffff8025112b>] ? irq_exit+0x4e/0xd3
       [<ffffffff802214bb>] ? smp_apic_timer_interrupt+0x3b/0x46
       [<ffffffff8063f10a>] ? apic_timer_interrupt+0x6a/0x70
      
      mld_newpack() skb allocations are usually requested with dev->mtu
      in size, since commit 72e09ad1 ("ipv6: avoid high order allocations")
      we have changed the limit in order to be less likely to fail.
      
      However, in MLD/IGMP code, we have some rather ugly AVAILABLE(skb)
      macros, which determine if we may end up doing an skb_put() for
      adding another record. To avoid possible fragmentation, we check
      the skb's tailroom as skb->dev->mtu - skb->len, which is a wrong
      assumption as the actual max allocation size can be much smaller.
      
      The IGMP case doesn't have this issue as commit 57e1ab6e
      ("igmp: refine skb allocations") stores the allocation size in
      the cb[].
      
      Set a reserved_tailroom to make it fit into the MTU and use
      skb_availroom() helper instead. This also allows to get rid of
      igmp_skb_size().
      Reported-by: default avatarWei Liu <lw1a2.jing@gmail.com>
      Fixes: 72e09ad1 ("ipv6: avoid high order allocations")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Cc: David L Stevens <david.stevens@oracle.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dd395f67
    • Herbert Xu's avatar
      ipv6: Remove all uses of LL_ALLOCATED_SPACE · 19ad5b89
      Herbert Xu authored
      commit a7ae1992 upstream.
      
      ipv6: Remove all uses of LL_ALLOCATED_SPACE
      
      The macro LL_ALLOCATED_SPACE was ill-conceived.  It applies the
      alignment to the sum of needed_headroom and needed_tailroom.  As
      the amount that is then reserved for head room is needed_headroom
      with alignment, this means that the tail room left may be too small.
      
      This patch replaces all uses of LL_ALLOCATED_SPACE in net/ipv6
      with the macro LL_RESERVED_SPACE and direct reference to
      needed_tailroom.
      
      This also fixes the problem with needed_headroom changing between
      allocating the skb and reserving the head room.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      19ad5b89
    • Herbert Xu's avatar
      ipv4: Remove all uses of LL_ALLOCATED_SPACE · b3410f43
      Herbert Xu authored
      commit 66088243 upstream.
      
      ipv4: Remove all uses of LL_ALLOCATED_SPACE
      
      The macro LL_ALLOCATED_SPACE was ill-conceived.  It applies the
      alignment to the sum of needed_headroom and needed_tailroom.  As
      the amount that is then reserved for head room is needed_headroom
      with alignment, this means that the tail room left may be too small.
      
      This patch replaces all uses of LL_ALLOCATED_SPACE in net/ipv4
      with the macro LL_RESERVED_SPACE and direct reference to
      needed_tailroom.
      
      This also fixes the problem with needed_headroom changing between
      allocating the skb and reserving the head room.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b3410f43
    • Kazuya Mizuguchi's avatar
      usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable() · d2c49ee9
      Kazuya Mizuguchi authored
      commit 11432050 upstream.
      
      This patch fixes an issue that the NULL pointer dereference happens
      when we uses g_audio driver. Since the g_audio driver will call
      usb_ep_disable() in afunc_set_alt() before it calls usb_ep_enable(),
      the uep->pipe of renesas usbhs driver will be NULL. So, this patch
      adds a condition to avoid the oops.
      Signed-off-by: default avatarKazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
      Signed-off-by: default avatarTakeshi Kihara <takeshi.kihara.df@renesas.com>
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Fixes: 2f98382d (usb: renesas_usbhs: Add Renesas USBHS Gadget)
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d2c49ee9
    • Tejun Heo's avatar
      writeback: fix a subtle race condition in I_DIRTY clearing · 89d23204
      Tejun Heo authored
      commit 9c6ac78e upstream.
      
      After invoking ->dirty_inode(), __mark_inode_dirty() does smp_mb() and
      tests inode->i_state locklessly to see whether it already has all the
      necessary I_DIRTY bits set.  The comment above the barrier doesn't
      contain any useful information - memory barriers can't ensure "changes
      are seen by all cpus" by itself.
      
      And it sure enough was broken.  Please consider the following
      scenario.
      
       CPU 0					CPU 1
       -------------------------------------------------------------------------------
      
      					enters __writeback_single_inode()
      					grabs inode->i_lock
      					tests PAGECACHE_TAG_DIRTY which is clear
       enters __set_page_dirty()
       grabs mapping->tree_lock
       sets PAGECACHE_TAG_DIRTY
       releases mapping->tree_lock
       leaves __set_page_dirty()
      
       enters __mark_inode_dirty()
       smp_mb()
       sees I_DIRTY_PAGES set
       leaves __mark_inode_dirty()
      					clears I_DIRTY_PAGES
      					releases inode->i_lock
      
      Now @inode has dirty pages w/ I_DIRTY_PAGES clear.  This doesn't seem
      to lead to an immediately critical problem because requeue_inode()
      later checks PAGECACHE_TAG_DIRTY instead of I_DIRTY_PAGES when
      deciding whether the inode needs to be requeued for IO and there are
      enough unintentional memory barriers inbetween, so while the inode
      ends up with inconsistent I_DIRTY_PAGES flag, it doesn't fall off the
      IO list.
      
      The lack of explicit barrier may also theoretically affect the other
      I_DIRTY bits which deal with metadata dirtiness.  There is no
      guarantee that a strong enough barrier exists between
      I_DIRTY_[DATA]SYNC clearing and write_inode() writing out the dirtied
      inode.  Filesystem inode writeout path likely has enough stuff which
      can behave as full barrier but it's theoretically possible that the
      writeout may not see all the updates from ->dirty_inode().
      
      Fix it by adding an explicit smp_mb() after I_DIRTY clearing.  Note
      that I_DIRTY_PAGES needs a special treatment as it always needs to be
      cleared to be interlocked with the lockless test on
      __mark_inode_dirty() side.  It's cleared unconditionally and
      reinstated after smp_mb() if the mapping still has dirty pages.
      
      Also add comments explaining how and why the barriers are paired.
      
      Lightly tested.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Mikulas Patocka <mpatocka@redhat.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      89d23204
    • Jan Kara's avatar
      writeback: Move I_DIRTY_PAGES handling · 4467c35f
      Jan Kara authored
      commit 6290be1c upstream.
      
      Instead of clearing I_DIRTY_PAGES and resetting it when we didn't succeed in
      writing them all, just clear the bit only when we succeeded writing all the
      pages. We also move the clearing of the bit close to other i_state handling to
      separate it from writeback list handling. This is desirable because list
      handling will differ for flusher thread and other writeback_single_inode()
      callers in future. No filesystem plays any tricks with I_DIRTY_PAGES (like
      checking it in ->writepages or ->write_inode implementation) so this movement
      is safe.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4467c35f
    • Frank Schaefer's avatar
      af9005: fix kernel panic on init if compiled without IR · e12e4960
      Frank Schaefer authored
      commit 22799487 upstream.
      
      This patches fixes an ancient bug in the dvb_usb_af9005 driver, which
      has been reported at least in the following threads:
      https://lkml.org/lkml/2009/2/4/350
      https://lkml.org/lkml/2014/9/18/558
      
      If the driver is compiled in without any IR support (neither
      DVB_USB_AF9005_REMOTE nor custom symbols), the symbol_request calls in
      af9005_usb_module_init() return pointers != NULL although the IR
      symbols are not available.
      
      This leads to the following oops:
      ...
      [    8.529751] usbcore: registered new interface driver dvb_usb_af9005
      [    8.531584] BUG: unable to handle kernel paging request at 02e00000
      [    8.533385] IP: [<7d9d67c6>] af9005_usb_module_init+0x6b/0x9d
      [    8.535613] *pde = 00000000
      [    8.536416] Oops: 0000 [#1] PREEMPT PREEMPT DEBUG_PAGEALLOCDEBUG_PAGEALLOC
      [    8.537863] CPU: 0 PID: 1 Comm: swapper Not tainted 3.15.0-rc6-00151-ga5c075cf #1
      [    8.539827] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
      [    8.541519] task: 89c9a670 ti: 89c9c000 task.ti: 89c9c000
      [    8.541519] EIP: 0060:[<7d9d67c6>] EFLAGS: 00010206 CPU: 0
      [    8.541519] EIP is at af9005_usb_module_init+0x6b/0x9d
      [    8.541519] EAX: 02e00000 EBX: 00000000 ECX: 00000006 EDX: 00000000
      [    8.541519] ESI: 00000000 EDI: 7da33ec8 EBP: 89c9df30 ESP: 89c9df2c
      [    8.541519]  DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
      [    8.541519] CR0: 8005003b CR2: 02e00000 CR3: 05a54000 CR4: 00000690
      [    8.541519] Stack:
      [    8.541519]  7d9d675b 89c9df90 7d992a49 7d7d5914 89c9df4c 7be3a800 7d08c58c 8a4c3968
      [    8.541519]  89c9df80 7be3a966 00000192 00000006 00000006 7d7d3ff4 8a4c397a 00000200
      [    8.541519]  7d6b1280 8a4c3979 00000006 000009a6 7da32db8 b13eec81 00000006 000009a6
      [    8.541519] Call Trace:
      [    8.541519]  [<7d9d675b>] ? ttusb2_driver_init+0x16/0x16
      [    8.541519]  [<7d992a49>] do_one_initcall+0x77/0x106
      [    8.541519]  [<7be3a800>] ? parameqn+0x2/0x35
      [    8.541519]  [<7be3a966>] ? parse_args+0x113/0x25c
      [    8.541519]  [<7d992bc2>] kernel_init_freeable+0xea/0x167
      [    8.541519]  [<7cf01070>] kernel_init+0x8/0xb8
      [    8.541519]  [<7cf27ec0>] ret_from_kernel_thread+0x20/0x30
      [    8.541519]  [<7cf01068>] ? rest_init+0x10c/0x10c
      [    8.541519] Code: 08 c2 c7 05 44 ed f9 7d 00 00 e0 02 c7 05 40 ed f9 7d 00 00 e0 02 c7 05 3c ed f9 7d 00 00 e0 02 75 1f b8 00 00 e0 02 85 c0 74 16 <a1> 00 00 e0 02 c7 05 54 84 8e 7d 00 00 e0 02 a3 58 84 8e 7d eb
      [    8.541519] EIP: [<7d9d67c6>] af9005_usb_module_init+0x6b/0x9d SS:ESP 0068:89c9df2c
      [    8.541519] CR2: 0000000002e00000
      [    8.541519] ---[ end trace 768b6faf51370fc7 ]---
      
      The prefered fix would be to convert the whole IR code to use the kernel IR
      infrastructure (which wasn't available at the time this driver had been created).
      
      Until anyone who still has this old hardware steps up an does the conversion,
      fix it by not calling the symbol_request calls if the driver is compiled in
      without the default IR symbols (CONFIG_DVB_USB_AF9005_REMOTE).
      Due to the IR related pointers beeing NULL by default, IR support will then be disabled.
      
      The downside of this solution is, that it will no longer be possible to
      compile custom IR symbols (not using CONFIG_DVB_USB_AF9005_REMOTE) in.
      
      Please note that this patch has NOT been tested with all possible cases.
      I don't have the hardware and could only verify that it fixes the reported
      bug.
      Reported-by: default avatarFengguag Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarFrank Schäfer <fschaefer.oss@googlemail.com>
      Acked-by: default avatarLuca Olivetti <luca@ventoso.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e12e4960
    • Mauro Carvalho Chehab's avatar
      sound: Update au0828 quirks table · eb013220
      Mauro Carvalho Chehab authored
      commit 678fa12f upstream.
      
      The au0828 quirks table is currently not in sync with the au0828
      media driver.
      
      Syncronize it and put them on the same order as found at au0828
      driver, as all the au0828 devices with analog TV need the
      same quirks.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      eb013220
    • Mauro Carvalho Chehab's avatar
      sound: simplify au0828 quirk table · b625b987
      Mauro Carvalho Chehab authored
      commit 5d1f00a2 upstream.
      
      Add a macro to simplify au0828 quirk table. That makes easier
      to check it against the USB IDs at drivers/media/usb/au0828/au0828-cards.c.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      [bwh: Backported to 3.2:
       - Adjust filename
       - Quirks were in a different order]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b625b987
    • Tyler Hicks's avatar
      eCryptfs: Force RO mount when encrypted view is enabled · e340a90b
      Tyler Hicks authored
      commit 332b122d upstream.
      
      The ecryptfs_encrypted_view mount option greatly changes the
      functionality of an eCryptfs mount. Instead of encrypting and decrypting
      lower files, it provides a unified view of the encrypted files in the
      lower filesystem. The presence of the ecryptfs_encrypted_view mount
      option is intended to force a read-only mount and modifying files is not
      supported when the feature is in use. See the following commit for more
      information:
      
        e77a56dd [PATCH] eCryptfs: Encrypted passthrough
      
      This patch forces the mount to be read-only when the
      ecryptfs_encrypted_view mount option is specified by setting the
      MS_RDONLY flag on the superblock. Additionally, this patch removes some
      broken logic in ecryptfs_open() that attempted to prevent modifications
      of files when the encrypted view feature was in use. The check in
      ecryptfs_open() was not sufficient to prevent file modifications using
      system calls that do not operate on a file descriptor.
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Reported-by: default avatarPriya Bansal <p.bansal@samsung.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e340a90b
  2. 01 Jan, 2015 15 commits