1. 26 Jan, 2017 40 commits
    • David Matlack's avatar
      KVM: x86: flush pending lapic jump label updates on module unload · b4086064
      David Matlack authored
      commit cef84c30 upstream.
      
      KVM's lapic emulation uses static_key_deferred (apic_{hw,sw}_disabled).
      These are implemented with delayed_work structs which can still be
      pending when the KVM module is unloaded. We've seen this cause kernel
      panics when the kvm_intel module is quickly reloaded.
      
      Use the new static_key_deferred_flush() API to flush pending updates on
      module unload.
      Signed-off-by: default avatarDavid Matlack <dmatlack@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b4086064
    • David Matlack's avatar
      jump_labels: API for flushing deferred jump label updates · a53623a6
      David Matlack authored
      commit b6416e61 upstream.
      
      Modules that use static_key_deferred need a way to synchronize with
      any delayed work that is still pending when the module is unloaded.
      Introduce static_key_deferred_flush() which flushes any pending
      jump label updates.
      
      [js] no STATIC_KEY_CHECK_USE in 3.12 -> remove it
      Signed-off-by: default avatarDavid Matlack <dmatlack@google.com>
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a53623a6
    • Paolo Bonzini's avatar
      KVM: x86: fix emulation of "MOV SS, null selector" · f043f20c
      Paolo Bonzini authored
      commit 33ab9110 upstream.
      
      This is CVE-2017-2583.  On Intel this causes a failed vmentry because
      SS's type is neither 3 nor 7 (even though the manual says this check is
      only done for usable SS, and the dmesg splat says that SS is unusable!).
      On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.
      
      The fix fabricates a data segment descriptor when SS is set to a null
      selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb.
      Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3;
      this in turn ensures CPL < 3 because RPL must be equal to CPL.
      
      Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing
      the bug and deciphering the manuals.
      
      [js] backport to 3.12
      Reported-by: default avatarXiaohan Zhang <zhangxiaohan1@huawei.com>
      Fixes: 79d5b4c3Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f043f20c
    • Mike Kravetz's avatar
      mm/hugetlb.c: fix reservation race when freeing surplus pages · 980a34c3
      Mike Kravetz authored
      commit e5bbc8a6 upstream.
      
      return_unused_surplus_pages() decrements the global reservation count,
      and frees any unused surplus pages that were backing the reservation.
      
      Commit 7848a4bf ("mm/hugetlb.c: add cond_resched_lock() in
      return_unused_surplus_pages()") added a call to cond_resched_lock in the
      loop freeing the pages.
      
      As a result, the hugetlb_lock could be dropped, and someone else could
      use the pages that will be freed in subsequent iterations of the loop.
      This could result in inconsistent global hugetlb page state, application
      api failures (such as mmap) failures or application crashes.
      
      When dropping the lock in return_unused_surplus_pages, make sure that
      the global reservation count (resv_huge_pages) remains sufficiently
      large to prevent someone else from claiming pages about to be freed.
      
      Analyzed by Paul Cassella.
      
      Fixes: 7848a4bf ("mm/hugetlb.c: add cond_resched_lock() in return_unused_surplus_pages()")
      Link: http://lkml.kernel.org/r/1483991767-6879-1-git-send-email-mike.kravetz@oracle.comSigned-off-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Reported-by: default avatarPaul Cassella <cassella@cray.com>
      Suggested-by: default avatarMichal Hocko <mhocko@kernel.org>
      Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
      Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Aneesh Kumar <aneesh.kumar@linux.vnet.ibm.com>
      Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      980a34c3
    • Eric Ren's avatar
      ocfs2: fix crash caused by stale lvb with fsdlm plugin · 762f213c
      Eric Ren authored
      commit e7ee2c08 upstream.
      
      The crash happens rather often when we reset some cluster nodes while
      nodes contend fiercely to do truncate and append.
      
      The crash backtrace is below:
      
         dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover_grant 1 locks on 971 resources
         dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover 9 generation 5 done: 4 ms
         ocfs2: Begin replay journal (node 318952601, slot 2) on device (253,18)
         ocfs2: End replay journal (node 318952601, slot 2) on device (253,18)
         ocfs2: Beginning quota recovery on device (253,18) for slot 2
         ocfs2: Finishing quota recovery on device (253,18) for slot 2
         (truncate,30154,1):ocfs2_truncate_file:470 ERROR: bug expression: le64_to_cpu(fe->i_size) != i_size_read(inode)
         (truncate,30154,1):ocfs2_truncate_file:470 ERROR: Inode 290321, inode i_size = 732 != di i_size = 937, i_flags = 0x1
         ------------[ cut here ]------------
         kernel BUG at /usr/src/linux/fs/ocfs2/file.c:470!
         invalid opcode: 0000 [#1] SMP
         Modules linked in: ocfs2_stack_user(OEN) ocfs2(OEN) ocfs2_nodemanager ocfs2_stackglue(OEN) quota_tree dlm(OEN) configfs fuse sd_mod    iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi af_packet iscsi_ibft iscsi_boot_sysfs softdog xfs libcrc32c ppdev parport_pc pcspkr parport      joydev virtio_balloon virtio_net i2c_piix4 acpi_cpufreq button processor ext4 crc16 jbd2 mbcache ata_generic cirrus virtio_blk ata_piix               drm_kms_helper ahci syscopyarea libahci sysfillrect sysimgblt fb_sys_fops ttm floppy libata drm virtio_pci virtio_ring uhci_hcd virtio ehci_hcd       usbcore serio_raw usb_common sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
         Supported: No, Unsupported modules are loaded
         CPU: 1 PID: 30154 Comm: truncate Tainted: G           OE   N  4.4.21-69-default #1
         Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
         task: ffff88004ff6d240 ti: ffff880074e68000 task.ti: ffff880074e68000
         RIP: 0010:[<ffffffffa05c8c30>]  [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]
         RSP: 0018:ffff880074e6bd50  EFLAGS: 00010282
         RAX: 0000000000000074 RBX: 000000000000029e RCX: 0000000000000000
         RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246
         RBP: ffff880074e6bda8 R08: 000000003675dc7a R09: ffffffff82013414
         R10: 0000000000034c50 R11: 0000000000000000 R12: ffff88003aab3448
         R13: 00000000000002dc R14: 0000000000046e11 R15: 0000000000000020
         FS:  00007f839f965700(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000
         CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
         CR2: 00007f839f97e000 CR3: 0000000036723000 CR4: 00000000000006e0
         Call Trace:
           ocfs2_setattr+0x698/0xa90 [ocfs2]
           notify_change+0x1ae/0x380
           do_truncate+0x5e/0x90
           do_sys_ftruncate.constprop.11+0x108/0x160
           entry_SYSCALL_64_fastpath+0x12/0x6d
         Code: 24 28 ba d6 01 00 00 48 c7 c6 30 43 62 a0 8b 41 2c 89 44 24 08 48 8b 41 20 48 c7 c1 78 a3 62 a0 48 89 04 24 31 c0 e8 a0 97 f9 ff <0f> 0b 3d 00 fe ff ff 0f 84 ab fd ff ff 83 f8 fc 0f 84 a2 fd ff
         RIP  [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]
      
      It's because ocfs2_inode_lock() get us stale LVB in which the i_size is
      not equal to the disk i_size.  We mistakenly trust the LVB because the
      underlaying fsdlm dlm_lock() doesn't set lkb_sbflags with
      DLM_SBF_VALNOTVALID properly for us.  But, why?
      
      The current code tries to downconvert lock without DLM_LKF_VALBLK flag
      to tell o2cb don't update RSB's LVB if it's a PR->NULL conversion, even
      if the lock resource type needs LVB.  This is not the right way for
      fsdlm.
      
      The fsdlm plugin behaves different on DLM_LKF_VALBLK, it depends on
      DLM_LKF_VALBLK to decide if we care about the LVB in the LKB.  If
      DLM_LKF_VALBLK is not set, fsdlm will skip recovering RSB's LVB from
      this lkb and set the right DLM_SBF_VALNOTVALID appropriately when node
      failure happens.
      
      The following diagram briefly illustrates how this crash happens:
      
      RSB1 is inode metadata lock resource with LOCK_TYPE_USES_LVB;
      
      The 1st round:
      
                   Node1                                    Node2
      RSB1: PR
                                                        RSB1(master): NULL->EX
      ocfs2_downconvert_lock(PR->NULL, set_lvb==0)
        ocfs2_dlm_lock(no DLM_LKF_VALBLK)
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      
      dlm_lock(no DLM_LKF_VALBLK)
        convert_lock(overwrite lkb->lkb_exflags
                     with no DLM_LKF_VALBLK)
      
      RSB1: NULL                                        RSB1: EX
                                                        reset Node2
      dlm_recover_rsbs()
        recover_lvb()
      
      /* The LVB is not trustable if the node with EX fails and
       * no lock >= PR is left. We should set RSB_VALNOTVALID for RSB1.
       */
      
       if(!(kb_exflags & DLM_LKF_VALBLK)) /* This means we miss the chance to
                 return;                   * to invalid the LVB here.
                                           */
      
      The 2nd round:
      
               Node 1                                Node2
      RSB1(become master from recovery)
      
      ocfs2_setattr()
        ocfs2_inode_lock(NULL->EX)
          /* dlm_lock() return the stale lvb without setting DLM_SBF_VALNOTVALID */
          ocfs2_meta_lvb_is_trustable() return 1 /* so we don't refresh inode from disk */
        ocfs2_truncate_file()
            mlog_bug_on_msg(disk isize != i_size_read(inode))  /* crash! */
      
      The fix is quite straightforward.  We keep to set DLM_LKF_VALBLK flag
      for dlm_lock() if the lock resource type needs LVB and the fsdlm plugin
      is uesed.
      
      Link: http://lkml.kernel.org/r/1481275846-6604-1-git-send-email-zren@suse.comSigned-off-by: default avatarEric Ren <zren@suse.com>
      Reviewed-by: default avatarJoseph Qi <jiangqi903@gmail.com>
      Cc: Mark Fasheh <mfasheh@versity.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      762f213c
    • Rolf Eike Beer's avatar
      selftests: do not require bash to run netsocktests testcase · 069f2e25
      Rolf Eike Beer authored
      commit 3659f98b upstream.
      
      Nothing in this minimal script seems to require bash. We often run these
      tests on embedded devices where the only shell available is the busybox
      ash. Use sh instead.
      Signed-off-by: default avatarRolf Eike Beer <eb@emlix.com>
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      069f2e25
    • Marcos Paulo de Souza's avatar
      Input: i8042 - add Pegatron touchpad to noloop table · 8e9a83df
      Marcos Paulo de Souza authored
      commit 41c567a5 upstream.
      
      Avoid AUX loopback in Pegatron C15B touchpad, so input subsystem is able
      to recognize a Synaptics touchpad in the AUX port.
      
      Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=93791
      (Touchpad is not detected on DNS 0801480 notebook (PEGATRON C15B))
      Suggested-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarMarcos Paulo de Souza <marcos.souza.org@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8e9a83df
    • Pavel Rojtberg's avatar
      Input: xpad - use correct product id for x360w controllers · 242f3176
      Pavel Rojtberg authored
      commit b6fc513d upstream.
      
      currently the controllers get the same product id as the wireless
      receiver. However the controllers actually have their own product id.
      
      The patch makes the driver expose the same product id as the windows
      driver.
      
      This improves compatibility when running applications with WINE.
      
      see https://github.com/paroj/xpad/issues/54Signed-off-by: default avatarPavel Rojtberg <rojtberg@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      242f3176
    • Oliver O'Halloran's avatar
      mm/init: fix zone boundary creation · aae53753
      Oliver O'Halloran authored
      commit 90cae1fe upstream.
      
      As a part of memory initialisation the architecture passes an array to
      free_area_init_nodes() which specifies the max PFN of each memory zone.
      This array is not necessarily monotonic (due to unused zones) so this
      array is parsed to build monotonic lists of the min and max PFN for each
      zone.  ZONE_MOVABLE is special cased here as its limits are managed by
      the mm subsystem rather than the architecture.  Unfortunately, this
      special casing is broken when ZONE_MOVABLE is the not the last zone in
      the zone list.  The core of the issue is:
      
      	if (i == ZONE_MOVABLE)
      		continue;
      	arch_zone_lowest_possible_pfn[i] =
      		arch_zone_highest_possible_pfn[i-1];
      
      As ZONE_MOVABLE is skipped the lowest_possible_pfn of the next zone will
      be set to zero.  This patch fixes this bug by adding explicitly tracking
      where the next zone should start rather than relying on the contents
      arch_zone_highest_possible_pfn[].
      
      Thie is low priority.  To get bitten by this you need to enable a zone
      that appears after ZONE_MOVABLE in the zone_type enum.  As far as I can
      tell this means running a kernel with ZONE_DEVICE or ZONE_CMA enabled,
      so I can't see this affecting too many people.
      
      I only noticed this because I've been fiddling with ZONE_DEVICE on
      powerpc and 4.6 broke my test kernel.  This bug, in conjunction with the
      changes in Taku Izumi's kernelcore=mirror patch (d91749c1) and
      powerpc being the odd architecture which initialises max_zone_pfn[] to
      ~0ul instead of 0 caused all of system memory to be placed into
      ZONE_DEVICE at boot, followed a panic since device memory cannot be used
      for kernel allocations.  I've already submitted a patch to fix the
      powerpc specific bits, but I figured this should be fixed too.
      
      Link: http://lkml.kernel.org/r/1462435033-15601-1-git-send-email-oohall@gmail.comSigned-off-by: default avatarOliver O'Halloran <oohall@gmail.com>
      Cc: Anton Blanchard <anton@samba.org>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      aae53753
    • Larry Finger's avatar
      powerpc: Fix build warning on 32-bit PPC · 5a968cb0
      Larry Finger authored
      commit 8ae679c4 upstream.
      
      I am getting the following warning when I build kernel 4.9-git on my
      PowerBook G4 with a 32-bit PPC processor:
      
          AS      arch/powerpc/kernel/misc_32.o
        arch/powerpc/kernel/misc_32.S:299:7: warning: "CONFIG_FSL_BOOKE" is not defined [-Wundef]
      
      This problem is evident after commit 989cea5c ("kbuild: prevent
      lib-ksyms.o rebuilds"); however, this change in kbuild only exposes an
      error that has been in the code since 2005 when this source file was
      created.  That was with commit 9994a338 ("powerpc: Introduce
      entry_{32,64}.S, misc_{32,64}.S, systbl.S").
      
      The offending line does not make a lot of sense.  This error does not
      seem to cause any errors in the executable, thus I am not recommending
      that it be applied to any stable versions.
      
      Thanks to Nicholas Piggin for suggesting this solution.
      
      Fixes: 9994a338 ("powerpc: Introduce entry_{32,64}.S, misc_{32,64}.S, systbl.S")
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: linuxppc-dev@lists.ozlabs.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      5a968cb0
    • Greg Kroah-Hartman's avatar
      HID: hid-cypress: validate length of report · 5bc00ccf
      Greg Kroah-Hartman authored
      commit 1ebb7114 upstream.
      
      Make sure we have enough of a report structure to validate before
      looking at it.
      Reported-by: default avatarBenoit Camredon <benoit.camredon@airbus.com>
      Tested-by: default avatarBenoit Camredon <benoit.camredon@airbus.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      5bc00ccf
    • Herbert Xu's avatar
      gro: Disable frag0 optimization on IPv6 ext headers · eaefead3
      Herbert Xu authored
      [ Upstream commit 57ea52a8 ]
      
      The GRO fast path caches the frag0 address.  This address becomes
      invalid if frag0 is modified by pskb_may_pull or its variants.
      So whenever that happens we must disable the frag0 optimization.
      
      This is usually done through the combination of gro_header_hard
      and gro_header_slow, however, the IPv6 extension header path did
      the pulling directly and would continue to use the GRO fast path
      incorrectly.
      
      This patch fixes it by disabling the fast path when we enter the
      IPv6 extension header path.
      
      Fixes: 78a478d0 ("gro: Inline skb_gro_header and cache frag0 virtual address")
      Reported-by: default avatarSlava Shwartsman <slavash@mellanox.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      eaefead3
    • Eric Dumazet's avatar
      gro: use min_t() in skb_gro_reset_offset() · bb7927f5
      Eric Dumazet authored
      [ Upstream commit 7cfd5fd5 ]
      
      On 32bit arches, (skb->end - skb->data) is not 'unsigned int',
      so we shall use min_t() instead of min() to avoid a compiler error.
      
      Fixes: 1272ce87 ("gro: Enter slow-path if there is no tailroom")
      Reported-by: default avatarkernel test robot <fengguang.wu@intel.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      bb7927f5
    • Herbert Xu's avatar
      gro: Enter slow-path if there is no tailroom · 40e60967
      Herbert Xu authored
      [ Upstream commit 1272ce87 ]
      
      The GRO path has a fast-path where we avoid calling pskb_may_pull
      and pskb_expand by directly accessing frag0.  However, this should
      only be done if we have enough tailroom in the skb as otherwise
      we'll have to expand it later anyway.
      
      This patch adds the check by capping frag0_len with the skb tailroom.
      
      Fixes: cb18978c ("gro: Open-code final pskb_may_pull")
      Reported-by: default avatarSlava Shwartsman <slavash@mellanox.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      40e60967
    • Michal Tesar's avatar
      igmp: Make igmp group member RFC 3376 compliant · f075c748
      Michal Tesar authored
      [ Upstream commit 7ababb78 ]
      
      5.2. Action on Reception of a Query
      
       When a system receives a Query, it does not respond immediately.
       Instead, it delays its response by a random amount of time, bounded
       by the Max Resp Time value derived from the Max Resp Code in the
       received Query message.  A system may receive a variety of Queries on
       different interfaces and of different kinds (e.g., General Queries,
       Group-Specific Queries, and Group-and-Source-Specific Queries), each
       of which may require its own delayed response.
      
       Before scheduling a response to a Query, the system must first
       consider previously scheduled pending responses and in many cases
       schedule a combined response.  Therefore, the system must be able to
       maintain the following state:
      
       o A timer per interface for scheduling responses to General Queries.
      
       o A per-group and interface timer for scheduling responses to Group-
         Specific and Group-and-Source-Specific Queries.
      
       o A per-group and interface list of sources to be reported in the
         response to a Group-and-Source-Specific Query.
      
       When a new Query with the Router-Alert option arrives on an
       interface, provided the system has state to report, a delay for a
       response is randomly selected in the range (0, [Max Resp Time]) where
       Max Resp Time is derived from Max Resp Code in the received Query
       message.  The following rules are then used to determine if a Report
       needs to be scheduled and the type of Report to schedule.  The rules
       are considered in order and only the first matching rule is applied.
      
       1. If there is a pending response to a previous General Query
          scheduled sooner than the selected delay, no additional response
          needs to be scheduled.
      
       2. If the received Query is a General Query, the interface timer is
          used to schedule a response to the General Query after the
          selected delay.  Any previously pending response to a General
          Query is canceled.
      --8<--
      
      Currently the timer is rearmed with new random expiration time for
      every incoming query regardless of possibly already pending report.
      Which is not aligned with the above RFE.
      It also might happen that higher rate of incoming queries can
      postpone the report after the expiration time of the first query
      causing group membership loss.
      
      Now the per interface general query timer is rearmed only
      when there is no pending report already scheduled on that interface or
      the newly selected expiration time is before the already pending
      scheduled report.
      Signed-off-by: default avatarMichal Tesar <mtesar@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f075c748
    • Reiter Wolfgang's avatar
      drop_monitor: consider inserted data in genlmsg_end · abdddd2c
      Reiter Wolfgang authored
      [ Upstream commit 3b48ab22 ]
      
      Final nlmsg_len field update must reflect inserted net_dm_drop_point
      data.
      
      This patch depends on previous patch:
      "drop_monitor: add missing call to genlmsg_end"
      Signed-off-by: default avatarReiter Wolfgang <wr0112358@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      abdddd2c
    • Reiter Wolfgang's avatar
      drop_monitor: add missing call to genlmsg_end · 5dd1048c
      Reiter Wolfgang authored
      [ Upstream commit 4200462d ]
      
      Update nlmsg_len field with genlmsg_end to enable userspace processing
      using nlmsg_next helper. Also adds error handling.
      Signed-off-by: default avatarReiter Wolfgang <wr0112358@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      5dd1048c
    • Florian Fainelli's avatar
      net: stmmac: Fix race between stmmac_drv_probe and stmmac_open · 28f4d6c7
      Florian Fainelli authored
      [ Upstream commit 57016590 ]
      
      There is currently a small window during which the network device registered by
      stmmac can be made visible, yet all resources, including and clock and MDIO bus
      have not had a chance to be set up, this can lead to the following error to
      occur:
      
      [  473.919358] stmmaceth 0000:01:00.0 (unnamed net_device) (uninitialized):
                      stmmac_dvr_probe: warning: cannot get CSR clock
      [  473.919382] stmmaceth 0000:01:00.0: no reset control found
      [  473.919412] stmmac - user ID: 0x10, Synopsys ID: 0x42
      [  473.919429] stmmaceth 0000:01:00.0: DMA HW capability register supported
      [  473.919436] stmmaceth 0000:01:00.0: RX Checksum Offload Engine supported
      [  473.919443] stmmaceth 0000:01:00.0: TX Checksum insertion supported
      [  473.919451] stmmaceth 0000:01:00.0 (unnamed net_device) (uninitialized):
                      Enable RX Mitigation via HW Watchdog Timer
      [  473.921395] libphy: PHY stmmac-1:00 not found
      [  473.921417] stmmaceth 0000:01:00.0 eth0: Could not attach to PHY
      [  473.921427] stmmaceth 0000:01:00.0 eth0: stmmac_open: Cannot attach to
                      PHY (error: -19)
      [  473.959710] libphy: stmmac: probed
      [  473.959724] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 0 IRQ POLL
                      (stmmac-1:00) active
      [  473.959728] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 1 IRQ POLL
                      (stmmac-1:01)
      [  473.959731] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 2 IRQ POLL
                      (stmmac-1:02)
      [  473.959734] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 3 IRQ POLL
                      (stmmac-1:03)
      
      Fix this by making sure that register_netdev() is the last thing being done,
      which guarantees that the clock and the MDIO bus are available.
      
      Fixes: 4bfcbd7a ("stmmac: Move the mdio_register/_unregister in probe/remove")
      Reported-by: default avatarKweh, Hock Leong <hock.leong.kweh@intel.com>
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      28f4d6c7
    • Daniel Borkmann's avatar
      net, sched: fix soft lockup in tc_classify · cf5a64b5
      Daniel Borkmann authored
      [ Upstream commit 628185cf ]
      
      Shahar reported a soft lockup in tc_classify(), where we run into an
      endless loop when walking the classifier chain due to tp->next == tp
      which is a state we should never run into. The issue only seems to
      trigger under load in the tc control path.
      
      What happens is that in tc_ctl_tfilter(), thread A allocates a new
      tp, initializes it, sets tp_created to 1, and calls into tp->ops->change()
      with it. In that classifier callback we had to unlock/lock the rtnl
      mutex and returned with -EAGAIN. One reason why we need to drop there
      is, for example, that we need to request an action module to be loaded.
      
      This happens via tcf_exts_validate() -> tcf_action_init/_1() meaning
      after we loaded and found the requested action, we need to redo the
      whole request so we don't race against others. While we had to unlock
      rtnl in that time, thread B's request was processed next on that CPU.
      Thread B added a new tp instance successfully to the classifier chain.
      When thread A returned grabbing the rtnl mutex again, propagating -EAGAIN
      and destroying its tp instance which never got linked, we goto replay
      and redo A's request.
      
      This time when walking the classifier chain in tc_ctl_tfilter() for
      checking for existing tp instances we had a priority match and found
      the tp instance that was created and linked by thread B. Now calling
      again into tp->ops->change() with that tp was successful and returned
      without error.
      
      tp_created was never cleared in the second round, thus kernel thinks
      that we need to link it into the classifier chain (once again). tp and
      *back point to the same object due to the match we had earlier on. Thus
      for thread B's already public tp, we reset tp->next to tp itself and
      link it into the chain, which eventually causes the mentioned endless
      loop in tc_classify() once a packet hits the data path.
      
      Fix is to clear tp_created at the beginning of each request, also when
      we replay it. On the paths that can cause -EAGAIN we already destroy
      the original tp instance we had and on replay we really need to start
      from scratch. It seems that this issue was first introduced in commit
      12186be7 ("net_cls: fix unconfigured struct tcf_proto keeps chaining
      and avoid kernel panic when we use cls_cgroup").
      
      Fixes: 12186be7 ("net_cls: fix unconfigured struct tcf_proto keeps chaining and avoid kernel panic when we use cls_cgroup")
      Reported-by: default avatarShahar Klein <shahark@mellanox.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Tested-by: default avatarShahar Klein <shahark@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      cf5a64b5
    • Dave Jones's avatar
      ipv6: handle -EFAULT from skb_copy_bits · 391ccf09
      Dave Jones authored
      [ Upstream commit a98f9175 ]
      
      By setting certain socket options on ipv6 raw sockets, we can confuse the
      length calculation in rawv6_push_pending_frames triggering a BUG_ON.
      
      RIP: 0010:[<ffffffff817c6390>] [<ffffffff817c6390>] rawv6_sendmsg+0xc30/0xc40
      RSP: 0018:ffff881f6c4a7c18  EFLAGS: 00010282
      RAX: 00000000fffffff2 RBX: ffff881f6c681680 RCX: 0000000000000002
      RDX: ffff881f6c4a7cf8 RSI: 0000000000000030 RDI: ffff881fed0f6a00
      RBP: ffff881f6c4a7da8 R08: 0000000000000000 R09: 0000000000000009
      R10: ffff881fed0f6a00 R11: 0000000000000009 R12: 0000000000000030
      R13: ffff881fed0f6a00 R14: ffff881fee39ba00 R15: ffff881fefa93a80
      
      Call Trace:
       [<ffffffff8118ba23>] ? unmap_page_range+0x693/0x830
       [<ffffffff81772697>] inet_sendmsg+0x67/0xa0
       [<ffffffff816d93f8>] sock_sendmsg+0x38/0x50
       [<ffffffff816d982f>] SYSC_sendto+0xef/0x170
       [<ffffffff816da27e>] SyS_sendto+0xe/0x10
       [<ffffffff81002910>] do_syscall_64+0x50/0xa0
       [<ffffffff817f7cbc>] entry_SYSCALL64_slow_path+0x25/0x25
      
      Handle by jumping to the failure path if skb_copy_bits gets an EFAULT.
      
      Reproducer:
      
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>
      #include <unistd.h>
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      
      #define LEN 504
      
      int main(int argc, char* argv[])
      {
      	int fd;
      	int zero = 0;
      	char buf[LEN];
      
      	memset(buf, 0, LEN);
      
      	fd = socket(AF_INET6, SOCK_RAW, 7);
      
      	setsockopt(fd, SOL_IPV6, IPV6_CHECKSUM, &zero, 4);
      	setsockopt(fd, SOL_IPV6, IPV6_DSTOPTS, &buf, LEN);
      
      	sendto(fd, buf, 1, 0, (struct sockaddr *) buf, 110);
      }
      Signed-off-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      391ccf09
    • Dan Carpenter's avatar
      ser_gigaset: return -ENOMEM on error instead of success · fce49ca9
      Dan Carpenter authored
      [ Upstream commit 93a97c50 ]
      
      If we can't allocate the resources in gigaset_initdriver() then we
      should return -ENOMEM instead of zero.
      
      Fixes: 2869b23e ("[PATCH] drivers/isdn/gigaset: new M101 driver (v2)")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      fce49ca9
    • stephen hemminger's avatar
      netvsc: reduce maximum GSO size · fa5e29d5
      stephen hemminger authored
      [ Upstream commit a50af86d ]
      
      Hyper-V (and Azure) support using NVGRE which requires some extra space
      for encapsulation headers. Because of this the largest allowed TSO
      packet is reduced.
      
      For older releases, hard code a fixed reduced value.  For next release,
      there is a better solution which uses result of host offload
      negotiation.
      Signed-off-by: default avatarStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      fa5e29d5
    • Felipe Balbi's avatar
      usb: gadget: composite: always set ep->mult to a sensible value · 6e89266f
      Felipe Balbi authored
      commit eaa496ff upstream.
      
      ep->mult is supposed to be set to Isochronous and
      Interrupt Endapoint's multiplier value. This value
      is computed from different places depending on the
      link speed.
      
      If we're dealing with HighSpeed, then it's part of
      bits [12:11] of wMaxPacketSize. This case wasn't
      taken into consideration before.
      
      While at that, also make sure the ep->mult defaults
      to one so drivers can use it unconditionally and
      assume they'll never multiply ep->maxpacket to zero.
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6e89266f
    • Thomas Gleixner's avatar
      tick/broadcast: Prevent NULL pointer dereference · ed470f11
      Thomas Gleixner authored
      commit c1a9eeb9 upstream.
      
      When a disfunctional timer, e.g. dummy timer, is installed, the tick core
      tries to setup the broadcast timer.
      
      If no broadcast device is installed, the kernel crashes with a NULL pointer
      dereference in tick_broadcast_setup_oneshot() because the function has no
      sanity check.
      Reported-by: default avatarMason <slash.tmp@free.fr>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
      Cc: Richard Cochran <rcochran@linutronix.de>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
      Cc: Peter Zijlstra <peterz@infradead.org>,
      Cc: Sebastian Frias <sf84@laposte.net>
      Cc: Thibaud Cornic <thibaud_cornic@sigmadesigns.com>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Link: http://lkml.kernel.org/r/1147ef90-7877-e4d2-bb2b-5c4fa8d3144b@free.frSigned-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ed470f11
    • Paul Burton's avatar
      net: ti: cpmac: Fix compiler warning due to type confusion · dd132142
      Paul Burton authored
      commit 2f5281ba upstream.
      
      cpmac_start_xmit() used the max() macro on skb->len (an unsigned int)
      and ETH_ZLEN (a signed int literal). This led to the following compiler
      warning:
      
        In file included from include/linux/list.h:8:0,
                         from include/linux/module.h:9,
                         from drivers/net/ethernet/ti/cpmac.c:19:
        drivers/net/ethernet/ti/cpmac.c: In function 'cpmac_start_xmit':
        include/linux/kernel.h:748:17: warning: comparison of distinct pointer
        types lacks a cast
          (void) (&_max1 == &_max2);  \
                         ^
        drivers/net/ethernet/ti/cpmac.c:560:8: note: in expansion of macro 'max'
          len = max(skb->len, ETH_ZLEN);
                ^
      
      On top of this, it assigned the result of the max() macro to a signed
      integer whilst all further uses of it result in it being cast to varying
      widths of unsigned integer.
      
      Fix this up by using max_t to ensure the comparison is performed as
      unsigned integers, and for consistency change the type of the len
      variable to unsigned int.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      dd132142
    • Arnd Bergmann's avatar
      cred/userns: define current_user_ns() as a function · 66bbced2
      Arnd Bergmann authored
      commit 0335695d upstream.
      
      The current_user_ns() macro currently returns &init_user_ns when user
      namespaces are disabled, and that causes several warnings when building
      with gcc-6.0 in code that compares the result of the macro to
      &init_user_ns itself:
      
        fs/xfs/xfs_ioctl.c: In function 'xfs_ioctl_setattr_check_projid':
        fs/xfs/xfs_ioctl.c:1249:22: error: self-comparison always evaluates to true [-Werror=tautological-compare]
          if (current_user_ns() == &init_user_ns)
      
      This is a legitimate warning in principle, but here it isn't really
      helpful, so I'm reprasing the definition in a way that shuts up the
      warning.  Apparently gcc only warns when comparing identical literals,
      but it can figure out that the result of an inline function can be
      identical to a constant expression in order to optimize a condition yet
      not warn about the fact that the condition is known at compile time.
      This is exactly what we want here, and it looks reasonable because we
      generally prefer inline functions over macros anyway.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Yaowei Bai <baiyaowei@cmss.chinamobile.com>
      Cc: James Morris <james.l.morris@oracle.com>
      Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      66bbced2
    • Johan Hovold's avatar
      powerpc/pci/rpadlpar: Fix device reference leaks · 0d8f571b
      Johan Hovold authored
      commit 99e5cde5 upstream.
      
      Make sure to drop any device reference taken by vio_find_node() when
      adding and removing virtual I/O slots.
      
      Fixes: 5eeb8c63 ("[PATCH] PCI Hotplug: rpaphp: Move VIO registration")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0d8f571b
    • Shaohua Li's avatar
      md: MD_RECOVERY_NEEDED is set for mddev->recovery · 4007c256
      Shaohua Li authored
      commit 82a301cb upstream.
      
      Fixes: 90f5f7ad("md: Wait for md_check_recovery before attempting device
      removal.")
      Reviewed-by: default avatarNeilBrown <neilb@suse.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4007c256
    • Dan Carpenter's avatar
      mmc: mmc_test: Uninitialized return value · 805ce4f6
      Dan Carpenter authored
      commit 16652a93 upstream.
      
      We never set "ret" to RESULT_OK.
      
      Fixes: 9f9c4180 ("mmc: mmc_test: add test for non-blocking transfers")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      805ce4f6
    • Dan Carpenter's avatar
      target/iscsi: Fix double free in lio_target_tiqn_addtpg() · 7d91bd7b
      Dan Carpenter authored
      commit a91918cd upstream.
      
      This iscsit_tpg_add_portal_group() function is only called from
      lio_target_tiqn_addtpg().  Both functions free the "tpg" pointer on
      error so it's a double free bug.  The memory is allocated in the caller
      so it should be freed in the caller and not here.
      
      Fixes: e48354ce ("iscsi-target: Add iSCSI fabric support for target v4.1")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarDavid Disseldorp <ddiss@suse.de>
      [ bvanassche: Added "Fix" at start of patch title ]
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7d91bd7b
    • Arnd Bergmann's avatar
      scsi: mvsas: fix command_active typo · 383591b8
      Arnd Bergmann authored
      commit af15769f upstream.
      
      gcc-7 notices that the condition in mvs_94xx_command_active looks
      suspicious:
      
      drivers/scsi/mvsas/mv_94xx.c: In function 'mvs_94xx_command_active':
      drivers/scsi/mvsas/mv_94xx.c:671:15: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context]
      
      This was introduced when the mv_printk() statement got added, and leads
      to the condition being ignored. This is probably harmless.
      
      Changing '&&' to '&' makes the code look reasonable, as we check the
      command bit before setting and printing it.
      
      Fixes: a4632aae ("[SCSI] mvsas: Add new macros and functions")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      383591b8
    • Huang Rui's avatar
      iommu/amd: Fix the left value check of cmd buffer · 70eaa9c0
      Huang Rui authored
      commit 432abf68 upstream.
      
      The generic command buffer entry is 128 bits (16 bytes), so the offset
      of tail and head pointer should be 16 bytes aligned and increased with
      0x10 per command.
      
      When cmd buf is full, head = (tail + 0x10) % CMD_BUFFER_SIZE.
      
      So when left space of cmd buf should be able to store only two
      command, we should be issued one COMPLETE_WAIT additionally to wait
      all older commands completed. Then the left space should be increased
      after IOMMU fetching from cmd buf.
      
      So left check value should be left <= 0x20 (two commands).
      Signed-off-by: default avatarHuang Rui <ray.huang@amd.com>
      Fixes: ac0ea6e9 ('x86/amd-iommu: Improve handling of full command buffer')
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      70eaa9c0
    • Pan Bian's avatar
      clk: clk-wm831x: fix a logic error · 4038387d
      Pan Bian authored
      commit 20979202 upstream.
      
      Fix bug https://bugzilla.kernel.org/show_bug.cgi?id=188561. Function
      wm831x_clkout_is_prepared() returns "true" when it fails to read
      CLOCK_CONTROL_1. "true" means the device is already prepared. So
      return "true" on the read failure seems improper.
      Signed-off-by: default avatarPan Bian <bianpan2016@163.com>
      Acked-by: default avatarCharles Keepax <ckeepax@opensource.wolfsonmicro.com>
      Fixes: f05259a6 ("clk: wm831x: Add initial WM831x clock driver")
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4038387d
    • Guenter Roeck's avatar
      hwmon: (g762) Fix overflows and crash seen when writing limit attributes · df3fbf21
      Guenter Roeck authored
      commit 4fccd4a1 upstream.
      
      Fix overflows seen when writing into fan speed limit attributes.
      Also fix crash due to division by zero, seen when certain very
      large values (such as 2147483648, or 0x80000000) are written
      into fan speed limit attributes.
      
      Fixes: 594fbe71 ("Add support for GMT G762/G763 PWM fan controllers")
      Cc: Arnaud Ebalard <arno@natisbad.org>
      Reviewed-by: default avatarJean Delvare <jdelvare@suse.de>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      df3fbf21
    • Guenter Roeck's avatar
      hwmon: (ds620) Fix overflows seen when writing temperature limits · 255113ec
      Guenter Roeck authored
      commit e36ce99e upstream.
      
      Module test reports:
      
      temp1_max: Suspected overflow: [160000 vs. 0]
      temp1_min: Suspected overflow: [160000 vs. 0]
      
      This is seen because the values passed when writing temperature limits
      are unbound.
      Reviewed-by: default avatarJean Delvare <jdelvare@suse.de>
      Fixes: 60994698 ("hwmon: Support for Dallas Semiconductor DS620")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      255113ec
    • Guenter Roeck's avatar
      cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected · d8abb38e
      Guenter Roeck authored
      commit 328cf692 upstream.
      
      If CONFIG_ETRAX_AXISFLASHMAP is not configured, the flash rescue image
      object file is empty. With recent versions of binutils, this results
      in the following build error.
      
      cris-linux-objcopy: error:
      	the input file 'arch/cris/boot/rescue/rescue.o' has no sections
      
      This is seen, for example, when trying to build cris:allnoconfig
      with recently generated toolchains.
      
      Since it does not make sense to build a flash rescue image if there is
      no flash, only build it if CONFIG_ETRAX_AXISFLASHMAP is enabled.
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Fixes: 66ab3a74 ("CRIS: Merge machine dependent boot/compressed ..")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarJesper Nilsson <jesper.nilsson@axis.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d8abb38e
    • Felipe Balbi's avatar
      usb: dwc3: gadget: always unmap EP0 requests · 44f88151
      Felipe Balbi authored
      commit d6214592 upstream.
      
      commit 0416e494 ("usb: dwc3: ep0: correct cache
      sync issue in case of ep0_bounced") introduced a bug
      where we would leak DMA resources which would cause
      us to starve the system of them resulting in failing
      DMA transfers.
      
      Fix the bug by making sure that we always unmap EP0
      requests since those are *always* mapped.
      
      Fixes: 0416e494 ("usb: dwc3: ep0: correct cache
      	sync issue in case of ep0_bounced")
      Tested-by: default avatarTomasz Medrek <tomaszx.medrek@intel.com>
      Reported-by: default avatarJanusz Dziedzic <januszx.dziedzic@linux.intel.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      44f88151
    • Eva Rachel Retuya's avatar
      staging: iio: ad7606: fix improper setting of oversampling pins · 9e8f9aa9
      Eva Rachel Retuya authored
      commit b321a38d upstream.
      
      The oversampling ratio is controlled using the oversampling pins,
      OS [2:0] with OS2 being the MSB control bit, and OS0 the LSB control
      bit.
      
      The gpio connected to the OS2 pin is not being set correctly, only OS0
      and OS1 pins are being set. Fix the typo to allow proper control of the
      oversampling pins.
      Signed-off-by: default avatarEva Rachel Retuya <eraretuya@gmail.com>
      Fixes: b9618c0c ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4")
      Acked-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9e8f9aa9
    • Johan Hovold's avatar
      USB: serial: io_ti: bind to interface after fw download · 8cb5b090
      Johan Hovold authored
      commit e35d6d7c upstream.
      
      Bind to the interface, but do not register any ports, after having
      downloaded the firmware. The device will still disconnect and
      re-enumerate, but this way we avoid an error messages from being logged
      as part of the process:
      
      io_ti: probe of 1-1.3:1.0 failed with error -5
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8cb5b090
    • Johan Hovold's avatar
      USB: phy: am335x-control: fix device and of_node leaks · 732304a3
      Johan Hovold authored
      commit 015105b1 upstream.
      
      Make sure to drop the references taken by of_parse_phandle() and
      bus_find_device() before returning from am335x_get_phy_control().
      
      Note that there is no guarantee that the devres-managed struct
      phy_control will be valid for the lifetime of the sibling phy device
      regardless of this change.
      
      Fixes: 3bb869c8 ("usb: phy: Add AM335x PHY driver")
      Acked-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      732304a3