1. 08 Mar, 2016 29 commits
    • Florian Fainelli's avatar
      net: phy: bcm7xxx: Fix shadow mode 2 disabling · c4c55f46
      Florian Fainelli authored
      commit 50d89980 upstream.
      
      The clear and set masks in the call to phy_set_clr_bits() called from
      bcm7xxx_config_init() are inverted. We need to fix this by swapping the two
      arguments, that is, set 0 bits, but clear the shade mode 2 enable bit.
      
      Fixes: b560a58c ("net: phy: add Broadcom BCM7xxx internal PHY driver")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c4c55f46
    • Rainer Weikusat's avatar
      af_unix: Guard against other == sk in unix_dgram_sendmsg · 456fe457
      Rainer Weikusat authored
      commit a5527dda upstream.
      
      The unix_dgram_sendmsg routine use the following test
      
      if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
      
      to determine if sk and other are in an n:1 association (either
      established via connect or by using sendto to send messages to an
      unrelated socket identified by address). This isn't correct as the
      specified address could have been bound to the sending socket itself or
      because this socket could have been connected to itself by the time of
      the unix_peer_get but disconnected before the unix_state_lock(other). In
      both cases, the if-block would be entered despite other == sk which
      might either block the sender unintentionally or lead to trying to unlock
      the same spin lock twice for a non-blocking send. Add a other != sk
      check to guard against this.
      
      Fixes: 7d267278 ("unix: avoid use-after-free in ep_remove_wait_queue")
      Reported-By: default avatarPhilipp Hahn <pmhahn@pmhahn.de>
      Signed-off-by: default avatarRainer Weikusat <rweikusat@mobileactivedefense.com>
      Tested-by: default avatarPhilipp Hahn <pmhahn@pmhahn.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      456fe457
    • Rainer Weikusat's avatar
      af_unix: Don't set err in unix_stream_read_generic unless there was an error · c75afa17
      Rainer Weikusat authored
      commit 1b92ee3d upstream.
      
      The present unix_stream_read_generic contains various code sequences of
      the form
      
      err = -EDISASTER;
      if (<test>)
      	goto out;
      
      This has the unfortunate side effect of possibly causing the error code
      to bleed through to the final
      
      out:
      	return copied ? : err;
      
      and then to be wrongly returned if no data was copied because the caller
      didn't supply a data buffer, as demonstrated by the program available at
      
      http://pad.lv/1540731
      
      Change it such that err is only set if an error condition was detected.
      
      Fixes: 3822b5c2 ("af_unix: Revert 'lock_interruptible' in stream receive code")
      Reported-by: default avatarJoseph Salisbury <joseph.salisbury@canonical.com>
      Signed-off-by: default avatarRainer Weikusat <rweikusat@mobileactivedefense.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16:
        - modify unix_stream_recvmsg() instead of unix_stream_read_generic()
        - adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c75afa17
    • Jay Vosburgh's avatar
      bonding: Fix ARP monitor validation · 8ae6af83
      Jay Vosburgh authored
      commit 21a75f09 upstream.
      
      The current logic in bond_arp_rcv will accept an incoming ARP for
      validation if (a) the receiving slave is either "active" (which includes
      the currently active slave, or the current ARP slave) or, (b) there is a
      currently active slave, and it has received an ARP since it became active.
      For case (b), the receiving slave isn't the currently active slave, and is
      receiving the original broadcast ARP request, not an ARP reply from the
      target.
      
      	This logic can fail if there is no currently active slave.  In
      this situation, the ARP probe logic cycles through all slaves, assigning
      each in turn as the "current_arp_slave" for one arp_interval, then setting
      that one as "active," and sending an ARP probe from that slave.  The
      current logic expects the ARP reply to arrive on the sending
      current_arp_slave, however, due to switch FDB updating delays, the reply
      may be directed to another slave.
      
      	This can arise if the bonding slaves and switch are working, but
      the ARP target is not responding.  When the ARP target recovers, a
      condition may result wherein the ARP target host replies faster than the
      switch can update its forwarding table, causing each ARP reply to be sent
      to the previous current_arp_slave.  This will never pass the logic in
      bond_arp_rcv, as neither of the above conditions (a) or (b) are met.
      
      	Some experimentation on a LAN shows ARP reply round trips in the
      200 usec range, but my available switches never update their FDB in less
      than 4000 usec.
      
      	This patch changes the logic in bond_arp_rcv to additionally
      accept an ARP reply for validation on any slave if there is a current ARP
      slave and it sent an ARP probe during the previous arp_interval.
      
      Fixes: aeea64ac ("bonding: don't trust arp requests unless active slave really works")
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
      Signed-off-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      8ae6af83
    • Heinrich Schuchardt's avatar
      ARM: dts: kirkwood: use unique machine name for ds112 · e0267997
      Heinrich Schuchardt authored
      commit 9d021c9d upstream.
      
      Downstream packages like Debian flash-kernel use
      /proc/device-tree/model
      to determine which dtb file to install.
      
      Hence each dts in the Linux kernel should provide a unique model
      identifier.
      
      Commit 2d0a7add ("ARM: Kirkwood: Add support for many Synology NAS
      devices") created the new files kirkwood-ds111.dts and kirkwood-ds112.dts
      using the same model identifier.
      
      This patch provides a unique model identifier for the
      Synology DiskStation DS112.
      
      Fixes: 2d0a7add ("ARM: Kirkwood: Add support for many Synology NAS devices")
      Signed-off-by: default avatarHeinrich Schuchardt <xypron.glpk@gmx.de>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e0267997
    • Al Viro's avatar
      do_last(): don't let a bogus return value from ->open() et.al. to confuse us · 9ecd5948
      Al Viro authored
      commit c80567c8 upstream.
      
      ... into returning a positive to path_openat(), which would interpret that
      as "symlink had been encountered" and proceed to corrupt memory, etc.
      It can only happen due to a bug in some ->open() instance or in some LSM
      hook, etc., so we report any such event *and* make sure it doesn't trick
      us into further unpleasantness.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9ecd5948
    • Mikulas Patocka's avatar
      hpfs: don't truncate the file when delete fails · e59c6daf
      Mikulas Patocka authored
      commit b6853f78 upstream.
      
      The delete opration can allocate additional space on the HPFS filesystem
      due to btree split. The HPFS driver checks in advance if there is
      available space, so that it won't corrupt the btree if we run out of space
      during splitting.
      
      If there is not enough available space, the HPFS driver attempted to
      truncate the file, but this results in a deadlock since the commit
      7dd29d8d ("HPFS: Introduce a global mutex
      and lock it on every callback from VFS").
      
      This patch removes the code that tries to truncate the file and -ENOSPC is
      returned instead. If the user hits -ENOSPC on delete, he should try to
      delete other files (that are stored in a leaf btree node), so that the
      delete operation will make some space for deleting the file stored in
      non-leaf btree node.
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: default avatarMikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      e59c6daf
    • Takashi Iwai's avatar
      ALSA: hda - Fix headset support and noise on HP EliteBook 755 G2 · ac3d643e
      Takashi Iwai authored
      commit f883982d upstream.
      
      HP EliteBook 755 G2 with ALC3228 (ALC280) codec [103c:221c] requires
      the known fixup (ALC269_FIXUP_HEADSET_MIC) for making the headset mic
      working.  Also, it suffers from the loopback noise problem, so we
      should disable aamix path as well.
      Reported-by: default avatarDerick Eddington <derick.eddington@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      ac3d643e
    • Mike Krinkin's avatar
      KVM: x86: MMU: fix ubsan index-out-of-range warning · 4337b887
      Mike Krinkin authored
      commit 17e4bce0 upstream.
      
      Ubsan reports the following warning due to a typo in
      update_accessed_dirty_bits template, the patch fixes
      the typo:
      
      [  168.791851] ================================================================================
      [  168.791862] UBSAN: Undefined behaviour in arch/x86/kvm/paging_tmpl.h:252:15
      [  168.791866] index 4 is out of range for type 'u64 [4]'
      [  168.791871] CPU: 0 PID: 2950 Comm: qemu-system-x86 Tainted: G           O L  4.5.0-rc5-next-20160222 #7
      [  168.791873] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 07/09/2013
      [  168.791876]  0000000000000000 ffff8801cfcaf208 ffffffff81c9f780 0000000041b58ab3
      [  168.791882]  ffffffff82eb2cc1 ffffffff81c9f6b4 ffff8801cfcaf230 ffff8801cfcaf1e0
      [  168.791886]  0000000000000004 0000000000000001 0000000000000000 ffffffffa1981600
      [  168.791891] Call Trace:
      [  168.791899]  [<ffffffff81c9f780>] dump_stack+0xcc/0x12c
      [  168.791904]  [<ffffffff81c9f6b4>] ? _atomic_dec_and_lock+0xc4/0xc4
      [  168.791910]  [<ffffffff81da9e81>] ubsan_epilogue+0xd/0x8a
      [  168.791914]  [<ffffffff81daafa2>] __ubsan_handle_out_of_bounds+0x15c/0x1a3
      [  168.791918]  [<ffffffff81daae46>] ? __ubsan_handle_shift_out_of_bounds+0x2bd/0x2bd
      [  168.791922]  [<ffffffff811287ef>] ? get_user_pages_fast+0x2bf/0x360
      [  168.791954]  [<ffffffffa1794050>] ? kvm_largepages_enabled+0x30/0x30 [kvm]
      [  168.791958]  [<ffffffff81128530>] ? __get_user_pages_fast+0x360/0x360
      [  168.791987]  [<ffffffffa181b818>] paging64_walk_addr_generic+0x1b28/0x2600 [kvm]
      [  168.792014]  [<ffffffffa1819cf0>] ? init_kvm_mmu+0x1100/0x1100 [kvm]
      [  168.792019]  [<ffffffff8129e350>] ? debug_check_no_locks_freed+0x350/0x350
      [  168.792044]  [<ffffffffa1819cf0>] ? init_kvm_mmu+0x1100/0x1100 [kvm]
      [  168.792076]  [<ffffffffa181c36d>] paging64_gva_to_gpa+0x7d/0x110 [kvm]
      [  168.792121]  [<ffffffffa181c2f0>] ? paging64_walk_addr_generic+0x2600/0x2600 [kvm]
      [  168.792130]  [<ffffffff812e848b>] ? debug_lockdep_rcu_enabled+0x7b/0x90
      [  168.792178]  [<ffffffffa17d9a4a>] emulator_read_write_onepage+0x27a/0x1150 [kvm]
      [  168.792208]  [<ffffffffa1794d44>] ? __kvm_read_guest_page+0x54/0x70 [kvm]
      [  168.792234]  [<ffffffffa17d97d0>] ? kvm_task_switch+0x160/0x160 [kvm]
      [  168.792238]  [<ffffffff812e848b>] ? debug_lockdep_rcu_enabled+0x7b/0x90
      [  168.792263]  [<ffffffffa17daa07>] emulator_read_write+0xe7/0x6d0 [kvm]
      [  168.792290]  [<ffffffffa183b620>] ? em_cr_write+0x230/0x230 [kvm]
      [  168.792314]  [<ffffffffa17db005>] emulator_write_emulated+0x15/0x20 [kvm]
      [  168.792340]  [<ffffffffa18465f8>] segmented_write+0xf8/0x130 [kvm]
      [  168.792367]  [<ffffffffa1846500>] ? em_lgdt+0x20/0x20 [kvm]
      [  168.792374]  [<ffffffffa14db512>] ? vmx_read_guest_seg_ar+0x42/0x1e0 [kvm_intel]
      [  168.792400]  [<ffffffffa1846d82>] writeback+0x3f2/0x700 [kvm]
      [  168.792424]  [<ffffffffa1846990>] ? em_sidt+0xa0/0xa0 [kvm]
      [  168.792449]  [<ffffffffa185554d>] ? x86_decode_insn+0x1b3d/0x4f70 [kvm]
      [  168.792474]  [<ffffffffa1859032>] x86_emulate_insn+0x572/0x3010 [kvm]
      [  168.792499]  [<ffffffffa17e71dd>] x86_emulate_instruction+0x3bd/0x2110 [kvm]
      [  168.792524]  [<ffffffffa17e6e20>] ? reexecute_instruction.part.110+0x2e0/0x2e0 [kvm]
      [  168.792532]  [<ffffffffa14e9a81>] handle_ept_misconfig+0x61/0x460 [kvm_intel]
      [  168.792539]  [<ffffffffa14e9a20>] ? handle_pause+0x450/0x450 [kvm_intel]
      [  168.792546]  [<ffffffffa15130ea>] vmx_handle_exit+0xd6a/0x1ad0 [kvm_intel]
      [  168.792572]  [<ffffffffa17f6a6c>] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 [kvm]
      [  168.792597]  [<ffffffffa17f6bcd>] kvm_arch_vcpu_ioctl_run+0xd3d/0x6090 [kvm]
      [  168.792621]  [<ffffffffa17f6a6c>] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 [kvm]
      [  168.792627]  [<ffffffff8293b530>] ? __ww_mutex_lock_interruptible+0x1630/0x1630
      [  168.792651]  [<ffffffffa17f5e90>] ? kvm_arch_vcpu_runnable+0x4f0/0x4f0 [kvm]
      [  168.792656]  [<ffffffff811eeb30>] ? preempt_notifier_unregister+0x190/0x190
      [  168.792681]  [<ffffffffa17e0447>] ? kvm_arch_vcpu_load+0x127/0x650 [kvm]
      [  168.792704]  [<ffffffffa178e9a3>] kvm_vcpu_ioctl+0x553/0xda0 [kvm]
      [  168.792727]  [<ffffffffa178e450>] ? vcpu_put+0x40/0x40 [kvm]
      [  168.792732]  [<ffffffff8129e350>] ? debug_check_no_locks_freed+0x350/0x350
      [  168.792735]  [<ffffffff82946087>] ? _raw_spin_unlock+0x27/0x40
      [  168.792740]  [<ffffffff8163a943>] ? handle_mm_fault+0x1673/0x2e40
      [  168.792744]  [<ffffffff8129daa8>] ? trace_hardirqs_on_caller+0x478/0x6c0
      [  168.792747]  [<ffffffff8129dcfd>] ? trace_hardirqs_on+0xd/0x10
      [  168.792751]  [<ffffffff812e848b>] ? debug_lockdep_rcu_enabled+0x7b/0x90
      [  168.792756]  [<ffffffff81725a80>] do_vfs_ioctl+0x1b0/0x12b0
      [  168.792759]  [<ffffffff817258d0>] ? ioctl_preallocate+0x210/0x210
      [  168.792763]  [<ffffffff8174aef3>] ? __fget+0x273/0x4a0
      [  168.792766]  [<ffffffff8174acd0>] ? __fget+0x50/0x4a0
      [  168.792770]  [<ffffffff8174b1f6>] ? __fget_light+0x96/0x2b0
      [  168.792773]  [<ffffffff81726bf9>] SyS_ioctl+0x79/0x90
      [  168.792777]  [<ffffffff82946880>] entry_SYSCALL_64_fastpath+0x23/0xc1
      [  168.792780] ================================================================================
      Signed-off-by: default avatarMike Krinkin <krinkin.m.u@gmail.com>
      Reviewed-by: default avatarXiao Guangrong <guangrong.xiao@linux.intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4337b887
    • Kai-Heng Feng's avatar
      ALSA: hda - Fixing background noise on Dell Inspiron 3162 · 55dd4743
      Kai-Heng Feng authored
      commit 3b43b71f upstream.
      
      After login to the desktop on Dell Inspiron 3162,
      there's a very loud background noise comes from the builtin speaker.
      The noise does not go away even if the speaker is muted.
      
      The noise disappears after using the aamix fixup.
      
      Codec: Realtek ALC3234
      Address: 0
      AFG Function Id: 0x1 (unsol 1)
          Vendor Id: 0x10ec0255
          Subsystem Id: 0x10280725
          Revision Id: 0x100002
          No Modem Function Group found
      
      BugLink: http://bugs.launchpad.net/bugs/1549620Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      55dd4743
    • Ilya Dryomov's avatar
      libceph: don't bail early from try_read() when skipping a message · c8f36e20
      Ilya Dryomov authored
      commit e7a88e82 upstream.
      
      The contract between try_read() and try_write() is that when called
      each processes as much data as possible.  When instructed by osd_client
      to skip a message, try_read() is violating this contract by returning
      after receiving and discarding a single message instead of checking for
      more.  try_write() then gets a chance to write out more requests,
      generating more replies/skips for try_read() to handle, forcing the
      messenger into a starvation loop.
      Reported-by: default avatarVarada Kari <Varada.Kari@sandisk.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Tested-by: default avatarVarada Kari <Varada.Kari@sandisk.com>
      Reviewed-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c8f36e20
    • Steven Rostedt (Red Hat)'s avatar
      tracing: Fix showing function event in available_events · 129ba7b7
      Steven Rostedt (Red Hat) authored
      commit d045437a upstream.
      
      The ftrace:function event is only displayed for parsing the function tracer
      data. It is not used to enable function tracing, and does not include an
      "enable" file in its event directory.
      
      Originally, this event was kept separate from other events because it did
      not have a ->reg parameter. But perf added a "reg" parameter for its use
      which caused issues, because it made the event available to functions where
      it was not compatible for.
      
      Commit 9b63776f "tracing: Do not enable function event with enable"
      added a TRACE_EVENT_FL_IGNORE_ENABLE flag that prevented the function event
      from being enabled by normal trace events. But this commit missed keeping
      the function event from being displayed by the "available_events" directory,
      which is used to show what events can be enabled by set_event.
      
      One documented way to enable all events is to:
      
       cat available_events > set_event
      
      But because the function event is displayed in the available_events, this
      now causes an INVALID error:
      
       cat: write error: Invalid argument
      Reported-by: default avatarChunyu Hu <chuhu@redhat.com>
      Fixes: 9b63776f "tracing: Do not enable function event with enable"
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      129ba7b7
    • Christian Borntraeger's avatar
      KVM: async_pf: do not warn on page allocation failures · c579f2af
      Christian Borntraeger authored
      commit d7444794 upstream.
      
      In async_pf we try to allocate with NOWAIT to get an element quickly
      or fail. This code also handle failures gracefully. Lets silence
      potential page allocation failures under load.
      
      qemu-system-s39: page allocation failure: order:0,mode:0x2200000
      [...]
      Call Trace:
      ([<00000000001146b8>] show_trace+0xf8/0x148)
      [<000000000011476a>] show_stack+0x62/0xe8
      [<00000000004a36b8>] dump_stack+0x70/0x98
      [<0000000000272c3a>] warn_alloc_failed+0xd2/0x148
      [<000000000027709e>] __alloc_pages_nodemask+0x94e/0xb38
      [<00000000002cd36a>] new_slab+0x382/0x400
      [<00000000002cf7ac>] ___slab_alloc.constprop.30+0x2dc/0x378
      [<00000000002d03d0>] kmem_cache_alloc+0x160/0x1d0
      [<0000000000133db4>] kvm_setup_async_pf+0x6c/0x198
      [<000000000013dee8>] kvm_arch_vcpu_ioctl_run+0xd48/0xd58
      [<000000000012fcaa>] kvm_vcpu_ioctl+0x372/0x690
      [<00000000002f66f6>] do_vfs_ioctl+0x3be/0x510
      [<00000000002f68ec>] SyS_ioctl+0xa4/0xb8
      [<0000000000781c5e>] system_call+0xd6/0x264
      [<000003ffa24fa06a>] 0x3ffa24fa06a
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Reviewed-by: default avatarDominik Dingel <dingel@linux.vnet.ibm.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c579f2af
    • Stefan Hajnoczi's avatar
      sunrpc/cache: fix off-by-one in qword_get() · db35046f
      Stefan Hajnoczi authored
      commit b7052cd7 upstream.
      
      The qword_get() function NUL-terminates its output buffer.  If the input
      string is in hex format \xXXXX... and the same length as the output
      buffer, there is an off-by-one:
      
        int qword_get(char **bpp, char *dest, int bufsize)
        {
            ...
            while (len < bufsize) {
                ...
                *dest++ = (h << 4) | l;
                len++;
            }
            ...
            *dest = '\0';
            return len;
        }
      
      This patch ensures the NUL terminator doesn't fall outside the output
      buffer.
      Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      db35046f
    • Alex Deucher's avatar
      drm/radeon/pm: adjust display configuration after powerstate · 0e3c1d6f
      Alex Deucher authored
      commit 39d42750 upstream.
      
      set_power_state defaults to no displays, so we need to update
      the display configuration after setting up the powerstate on the
      first call. In most cases this is not an issue since ends up
      getting called multiple times at any given modeset and the proper
      order is achieved in the display changed handling at the top of
      the function.
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Acked-by: default avatarJordan Lazare <Jordan.Lazare@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      0e3c1d6f
    • Gerhard Uttenthaler's avatar
      can: ems_usb: Fix possible tx overflow · ce8f29d3
      Gerhard Uttenthaler authored
      commit 90cfde46 upstream.
      
      This patch fixes the problem that more CAN messages could be sent to the
      interface as could be send on the CAN bus. This was more likely for slow baud
      rates. The sleeping _start_xmit was woken up in the _write_bulk_callback. Under
      heavy TX load this produced another bulk transfer without checking the
      free_slots variable and hence caused the overflow in the interface.
      Signed-off-by: default avatarGerhard Uttenthaler <uttenthaler@ems-wuensche.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      ce8f29d3
    • Lisa Du's avatar
      drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE · b99166f2
      Lisa Du authored
      commit 7a64cd88 upstream.
      
      There's one point was missed in the patch commit da49889d ("staging:
      binder: Support concurrent 32 bit and 64 bit processes."). When configure
      BINDER_IPC_32BIT, the size of binder_uintptr_t was 32bits, but size of
      void * is 64bit on 64bit system. Correct it here.
      Signed-off-by: default avatarLisa Du <cldu@marvell.com>
      Signed-off-by: default avatarNicolas Boichat <drinkcat@chromium.org>
      Fixes: da49889d ("staging: binder: Support concurrent 32 bit and 64 bit processes.")
      Acked-by: default avatarOlof Johansson <olof@lixom.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [ luis: backported to 3.16:
        - binder is still in staging in the 3.16 kernel]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      b99166f2
    • Peter Rosin's avatar
      hwmon: (ads1015) Handle negative conversion values correctly · 788ad9e6
      Peter Rosin authored
      commit acc14694 upstream.
      
      Make the divisor signed as DIV_ROUND_CLOSEST is undefined for negative
      dividends when the divisor is unsigned.
      Signed-off-by: default avatarPeter Rosin <peda@axentia.se>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      788ad9e6
    • Bjørn Mork's avatar
      USB: option: add "4G LTE usb-modem U901" · 3e7c5928
      Bjørn Mork authored
      commit d061c1ca upstream.
      
      Thomas reports:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=05c6 ProdID=6001 Rev=00.00
      S:  Manufacturer=USB Modem
      S:  Product=USB Modem
      S:  SerialNumber=1234567890ABCDEF
      C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
      Reported-by: default avatarThomas Schäfer <tschaefer@t-online.de>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3e7c5928
    • Ken Lin's avatar
      USB: cp210x: add IDs for GE B650V3 and B850V3 boards · fcd76c50
      Ken Lin authored
      commit 6627ae19 upstream.
      
      Add USB ID for cp2104/5 devices on GE B650v3 and B850v3 boards.
      Signed-off-by: default avatarKen Lin <ken.lin@advantech.com.tw>
      Signed-off-by: default avatarAkshay Bhat <akshay.bhat@timesys.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      fcd76c50
    • Andrey Skvortsov's avatar
      USB: option: add support for SIM7100E · 86569fdb
      Andrey Skvortsov authored
      commit 3158a8d4 upstream.
      
      $ lsusb:
      Bus 001 Device 101: ID 1e0e:9001 Qualcomm / Option
      
      $ usb-devices:
      T:  Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=101 Spd=480  MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  2
      P:  Vendor=1e0e ProdID=9001 Rev= 2.32
      S:  Manufacturer=SimTech, Incorporated
      S:  Product=SimTech, Incorporated
      S:  SerialNumber=0123456789ABCDEF
      C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=500mA
      I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
      
      The last interface (6) is used for Android Composite ADB interface.
      
      Serial port layout:
      0: QCDM/DIAG
      1: NMEA
      2: AT
      3: AT/PPP
      4: audio
      Signed-off-by: default avatarAndrey Skvortsov <andrej.skvortzov@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      86569fdb
    • Benjamin Coddington's avatar
      NFSv4: Fix a dentry leak on alias use · bd9474d2
      Benjamin Coddington authored
      commit d9dfd8d7 upstream.
      
      In the case where d_add_unique() finds an appropriate alias to use it will
      have already incremented the reference count.  An additional dget() to swap
      the open context's dentry is unnecessary and will leak a reference.
      Signed-off-by: default avatarBenjamin Coddington <bcodding@redhat.com>
      Fixes: 275bb307 ("NFSv4: Move dentry instantiation into the NFSv4-...")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      bd9474d2
    • John Youn's avatar
      usb: dwc3: Fix assignment of EP transfer resources · c3f8309b
      John Youn authored
      commit c4509601 upstream.
      
      The assignement of EP transfer resources was not handled properly in the
      dwc3 driver. Commit aebda618 ("usb: dwc3: Reset the transfer
      resource index on SET_INTERFACE") previously fixed one aspect of this
      where resources may be exhausted with multiple calls to SET_INTERFACE.
      However, it introduced an issue where composite devices with multiple
      interfaces can be assigned the same transfer resources for different
      endpoints. This patch solves both issues.
      
      The assignment of transfer resources cannot perfectly follow the data
      book due to the fact that the controller driver does not have all
      knowledge of the configuration in advance. It is given this information
      piecemeal by the composite gadget framework after every
      SET_CONFIGURATION and SET_INTERFACE. Trying to follow the databook
      programming model in this scenario can cause errors. For two reasons:
      
      1) The databook says to do DEPSTARTCFG for every SET_CONFIGURATION and
      SET_INTERFACE (8.1.5). This is incorrect in the scenario of multiple
      interfaces.
      
      2) The databook does not mention doing more DEPXFERCFG for new endpoint
      on alt setting (8.1.6).
      
      The following simplified method is used instead:
      
      All hardware endpoints can be assigned a transfer resource and this
      setting will stay persistent until either a core reset or hibernation.
      So whenever we do a DEPSTARTCFG(0) we can go ahead and do DEPXFERCFG for
      every hardware endpoint as well. We are guaranteed that there are as
      many transfer resources as endpoints.
      
      This patch triggers off of the calling dwc3_gadget_start_config() for
      EP0-out, which always happens first, and which should only happen in one
      of the above conditions.
      
      Fixes: aebda618 ("usb: dwc3: Reset the transfer resource index on SET_INTERFACE")
      Reported-by: default avatarRavi Babu <ravibabu@ti.com>
      Signed-off-by: default avatarJohn Youn <johnyoun@synopsys.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@kernel.org>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c3f8309b
    • Konrad Rzeszutek Wilk's avatar
      xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted. · 2b599597
      Konrad Rzeszutek Wilk authored
      commit 4d8c8bd6 upstream.
      
      Occasionaly PV guests would crash with:
      
      pciback 0000:00:00.1: Xen PCI mapped GSI0 to IRQ16
      BUG: unable to handle kernel paging request at 0000000d1a8c0be0
      .. snip..
        <ffffffff8139ce1b>] find_next_bit+0xb/0x10
        [<ffffffff81387f22>] cpumask_next_and+0x22/0x40
        [<ffffffff813c1ef8>] pci_device_probe+0xb8/0x120
        [<ffffffff81529097>] ? driver_sysfs_add+0x77/0xa0
        [<ffffffff815293e4>] driver_probe_device+0x1a4/0x2d0
        [<ffffffff813c1ddd>] ? pci_match_device+0xdd/0x110
        [<ffffffff81529657>] __device_attach_driver+0xa7/0xb0
        [<ffffffff815295b0>] ? __driver_attach+0xa0/0xa0
        [<ffffffff81527622>] bus_for_each_drv+0x62/0x90
        [<ffffffff8152978d>] __device_attach+0xbd/0x110
        [<ffffffff815297fb>] device_attach+0xb/0x10
        [<ffffffff813b75ac>] pci_bus_add_device+0x3c/0x70
        [<ffffffff813b7618>] pci_bus_add_devices+0x38/0x80
        [<ffffffff813dc34e>] pcifront_scan_root+0x13e/0x1a0
        [<ffffffff817a0692>] pcifront_backend_changed+0x262/0x60b
        [<ffffffff814644c6>] ? xenbus_gather+0xd6/0x160
        [<ffffffff8120900f>] ? put_object+0x2f/0x50
        [<ffffffff81465c1d>] xenbus_otherend_changed+0x9d/0xa0
        [<ffffffff814678ee>] backend_changed+0xe/0x10
        [<ffffffff81463a28>] xenwatch_thread+0xc8/0x190
        [<ffffffff810f22f0>] ? woken_wake_function+0x10/0x10
      
      which was the result of two things:
      
      When we call pci_scan_root_bus we would pass in 'sd' (sysdata)
      pointer which was an 'pcifront_sd' structure. However in the
      pci_device_add it expects that the 'sd' is 'struct sysdata' and
      sets the dev->node to what is in sd->node (offset 4):
      
      set_dev_node(&dev->dev, pcibus_to_node(bus));
      
       __pcibus_to_node(const struct pci_bus *bus)
      {
              const struct pci_sysdata *sd = bus->sysdata;
      
              return sd->node;
      }
      
      However our structure was pcifront_sd which had nothing at that
      offset:
      
      struct pcifront_sd {
              int                        domain;    /*     0     4 */
              /* XXX 4 bytes hole, try to pack */
              struct pcifront_device *   pdev;      /*     8     8 */
      }
      
      That is an hole - filled with garbage as we used kmalloc instead of
      kzalloc (the second problem).
      
      This patch fixes the issue by:
       1) Use kzalloc to initialize to a well known state.
       2) Put 'struct pci_sysdata' at the start of 'pcifront_sd'. That
          way access to the 'node' will access the right offset.
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2b599597
    • Konrad Rzeszutek Wilk's avatar
      xen/pciback: Save the number of MSI-X entries to be copied later. · 181faf30
      Konrad Rzeszutek Wilk authored
      commit d159457b upstream.
      
      Commit 8135cf8b (xen/pciback: Save
      xen_pci_op commands before processing it) broke enabling MSI-X because
      it would never copy the resulting vectors into the response.  The
      number of vectors requested was being overwritten by the return value
      (typically zero for success).
      
      Save the number of vectors before processing the op, so the correct
      number of vectors are copied afterwards.
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      181faf30
    • Konrad Rzeszutek Wilk's avatar
      xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY · 52543395
      Konrad Rzeszutek Wilk authored
      commit 8d47065f upstream.
      
      Commit 408fb0e5 (xen/pciback: Don't
      allow MSI-X ops if PCI_COMMAND_MEMORY is not set) prevented enabling
      MSI-X on passed-through virtual functions, because it checked the VF
      for PCI_COMMAND_MEMORY but this is not a valid bit for VFs.
      
      Instead, check the physical function for PCI_COMMAND_MEMORY.
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reviewed-by: default avatarJan Beulich <jbeulich@suse.com>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      52543395
    • Christoph Hellwig's avatar
      nfs: fix nfs_size_to_loff_t · 29e3552e
      Christoph Hellwig authored
      commit 50ab8ec7 upstream.
      
      See http: //www.infradead.org/rpr.html
      X-Evolution-Source: 1451162204.2173.11@leira.trondhjem.org
      Content-Transfer-Encoding: 8bit
      Mime-Version: 1.0
      
      We support OFFSET_MAX just fine, so don't round down below it.  Also
      switch to using min_t to make the helper more readable.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Fixes: 433c9237 ("NFS: Clean up nfs_size_to_loff_t()")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      29e3552e
    • Ben Hutchings's avatar
      crypto: {blk,giv}cipher: Set has_setkey · 63ce06ed
      Ben Hutchings authored
      Commit a1383cd8 ("crypto: skcipher - Add crypto_skcipher_has_setkey")
      was incorrectly backported to the 3.2.y and 3.16.y stable branches.
      We need to set ablkcipher_tfm::has_setkey in the
      crypto_init_blkcipher_ops_async() and crypto_init_givcipher_ops()
      functions as well as crypto_init_ablkcipher_ops().
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      63ce06ed
    • Andy Lutomirski's avatar
      x86/entry/compat: Add missing CLAC to entry_INT80_32 · a39881d1
      Andy Lutomirski authored
      commit 3d44d51b upstream.
      
      This doesn't seem to fix a regression -- I don't think the CLAC was
      ever there.
      
      I double-checked in a debugger: entries through the int80 gate do
      not automatically clear AC.
      
      Stable maintainers: I can provide a backport to 4.3 and earlier if
      needed.  This needs to be backported all the way to 3.10.
      Reported-by: default avatarBrian Gerst <brgerst@gmail.com>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 63bcff2a ("x86, smap: Add STAC and CLAC instructions to control user space access")
      Link: http://lkml.kernel.org/r/b02b7e71ae54074be01fc171cbd4b72517055c0e.1456345086.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [ kamal: backport to 3.10 through 3.19-stable: file rename; context ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a39881d1
  2. 04 Mar, 2016 11 commits