1. 14 Dec, 2014 40 commits
    • Lu Baolu's avatar
      Revert "xhci: clear root port wake on bits if controller isn't wake-up capable" · fcd751b7
      Lu Baolu authored
      commit 9b41ebd3 upstream.
      
      commit ff8cbf25 ("xhci: clear root port wake on bits if controller isn't")
      can cause device detection error if runtime PM is enabled, and S3 wake
      is disabled. Revert it.
      https://bugzilla.kernel.org/show_bug.cgi?id=85701
      
      This commit got into stable and should be reverted from there as well.
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Reported-by: default avatarDmitry Nezhevenko <dion@inhex.net>
      [Mathias Nyman: reword commit message]
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fcd751b7
    • Mathias Nyman's avatar
      USB: xhci: don't start a halted endpoint before its new dequeue is set · aba14f8e
      Mathias Nyman authored
      commit c3492dbf upstream.
      
      A halted endpoint ring must first be reset, then move the ring
      dequeue pointer past the problematic TRB. If we start the ring too
      early after reset, but before moving the dequeue pointer we
      will end up executing the same problematic TRB again.
      
      As we always issue a set transfer dequeue command after a reset
      endpoint command we can skip starting endpoint rings at reset endpoint
      command completion.
      
      Without this fix we end up trying to handle the same faulty TD for
      contol endpoints. causing timeout, and failing testusb ctrl_out write
      tests.
      
      Fixes: e9df17eb (USB: xhci: Correct assumptions about number of rings per endpoint.)
      Tested-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      aba14f8e
    • Dmitry Eremin-Solenikov's avatar
      ARM: 8216/1: xscale: correct auxiliary register in suspend/resume · 40f674b6
      Dmitry Eremin-Solenikov authored
      commit ef59a20b upstream.
      
      According to the manuals I have, XScale auxiliary register should be
      reached with opc_2 = 1 instead of crn = 1. cpu_xscale_proc_init
      correctly uses c1, c0, 1 arguments, but cpu_xscale_do_suspend and
      cpu_xscale_do_resume use c1, c1, 0. Correct suspend/resume functions to
      also use c1, c0, 1.
      
      The issue was primarily noticed thanks to qemu reporing "unsupported
      instruction" on the pxa suspend path. Confirmed in PXA210/250 and PXA255
      XScale Core manuals and in PXA270 and PXA320 Developers Guides.
      
      Harware tested by me on tosa (pxa255). Robert confirmed on pxa270 board.
      Tested-by: default avatarRobert Jarzmik <robert.jarzmik@free.fr>
      Signed-off-by: default avatarDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Acked-by: default avatarRobert Jarzmik <robert.jarzmik@free.fr>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      40f674b6
    • Maurizio Lombardi's avatar
      bnx2fc: do not add shared skbs to the fcoe_rx_list · 0a3beceb
      Maurizio Lombardi authored
      commit 01a4cc4d upstream.
      
      In some cases, the fcoe_rx_list may contains multiple instances
      of the same skb (the so called "shared skbs").
      
      the bnx2fc_l2_rcv thread is a loop that extracts a skb from the list,
      modifies (and destroys) its content and then proceed to the next one.
      The problem is that if the skb is shared, the remaining instances will
      be corrupted.
      
      The solution is to use skb_share_check() before adding the skb to the
      fcoe_rx_list.
      
      [ 6286.808725] ------------[ cut here ]------------
      [ 6286.808729] WARNING: at include/scsi/fc_frame.h:173 bnx2fc_l2_rcv_thread+0x425/0x450 [bnx2fc]()
      [ 6286.808748] Modules linked in: bnx2x(-) mdio dm_service_time bnx2fc cnic uio fcoe libfcoe 8021q garp stp mrp libfc llc scsi_transport_fc scsi_tgt sg iTCO_wdt iTCO_vendor_support coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel e1000e ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper ptp cryptd hpilo serio_raw hpwdt lpc_ich pps_core ipmi_si pcspkr mfd_core ipmi_msghandler shpchp pcc_cpufreq mperf nfsd auth_rpcgss nfs_acl lockd sunrpc dm_multipath xfs libcrc32c ata_generic pata_acpi sd_mod crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit ata_piix drm_kms_helper ttm drm libata i2c_core hpsa dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mdio]
      [ 6286.808750] CPU: 3 PID: 1304 Comm: bnx2fc_l2_threa Not tainted 3.10.0-121.el7.x86_64 #1
      [ 6286.808750] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013
      [ 6286.808752]  0000000000000000 000000000b36e715 ffff8800deba1e00 ffffffff815ec0ba
      [ 6286.808753]  ffff8800deba1e38 ffffffff8105dee1 ffffffffa05618c0 ffff8801e4c81888
      [ 6286.808754]  ffffe8ffff663868 ffff8801f402b180 ffff8801f56bc000 ffff8800deba1e48
      [ 6286.808754] Call Trace:
      [ 6286.808759]  [<ffffffff815ec0ba>] dump_stack+0x19/0x1b
      [ 6286.808762]  [<ffffffff8105dee1>] warn_slowpath_common+0x61/0x80
      [ 6286.808763]  [<ffffffff8105e00a>] warn_slowpath_null+0x1a/0x20
      [ 6286.808765]  [<ffffffffa054f415>] bnx2fc_l2_rcv_thread+0x425/0x450 [bnx2fc]
      [ 6286.808767]  [<ffffffffa054eff0>] ? bnx2fc_disable+0x90/0x90 [bnx2fc]
      [ 6286.808769]  [<ffffffff81085aef>] kthread+0xcf/0xe0
      [ 6286.808770]  [<ffffffff81085a20>] ? kthread_create_on_node+0x140/0x140
      [ 6286.808772]  [<ffffffff815fc76c>] ret_from_fork+0x7c/0xb0
      [ 6286.808773]  [<ffffffff81085a20>] ? kthread_create_on_node+0x140/0x140
      [ 6286.808774] ---[ end trace c6cdb939184ccb4e ]---
      Signed-off-by: default avatarMaurizio Lombardi <mlombard@redhat.com>
      Acked-by: default avatarChad Dupuis <chad.dupuis@qlogic.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0a3beceb
    • Trond Myklebust's avatar
      nfsd: Fix slot wake up race in the nfsv4.1 callback code · d74ea723
      Trond Myklebust authored
      commit c6c15e1e upstream.
      
      The currect code for nfsd41_cb_get_slot() and nfsd4_cb_done() has no
      locking in order to guarantee atomicity, and so allows for races of
      the form.
      
      Task 1                                  Task 2
      ======                                  ======
      if (test_and_set_bit(0) != 0) {
                                              clear_bit(0)
                                              rpc_wake_up_next(queue)
              rpc_sleep_on(queue)
              return false;
      }
      
      This patch breaks the race condition by adding a retest of the bit
      after the call to rpc_sleep_on().
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d74ea723
    • Aaro Koskinen's avatar
      MIPS: oprofile: Fix backtrace on 64-bit kernel · 8d3e0ea1
      Aaro Koskinen authored
      commit bbaf113a upstream.
      
      Fix incorrect cast that always results in wrong address for the new
      frame on 64-bit kernels.
      Signed-off-by: default avatarAaro Koskinen <aaro.koskinen@nsn.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/8110/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8d3e0ea1
    • Trond Myklebust's avatar
      SUNRPC: Fix locking around callback channel reply receive · 68057275
      Trond Myklebust authored
      commit 093a1468 upstream.
      
      Both xprt_lookup_rqst() and xprt_complete_rqst() require that you
      take the transport lock in order to avoid races with xprt_transmit().
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Reviewed-by: default avatarJeff Layton <jlayton@primarydata.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      68057275
    • Chuck Lever's avatar
      sunrpc: fix byte-swapping of displayed XID · 5fb2a40b
      Chuck Lever authored
      commit 71efecb3 upstream.
      
      xprt_lookup_rqst() and bc_send_request() display a byte-swapped XID,
      but receive_cb_reply() does not.
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5fb2a40b
    • Johan Hovold's avatar
      USB: ssu100: fix overrun-error reporting · d2265976
      Johan Hovold authored
      commit 75bcbf29 upstream.
      
      Fix reporting of overrun errors, which should only be reported once
      using the inserted null character.
      
      Fixes: 6b8f1ca5 ("USB: ssu100: set tty_flags in ssu100_process_packet")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      [bwh: Backported to 3.2:
       - Use tty_port_tty_get() to look up tty_struct
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d2265976
    • Johan Hovold's avatar
      USB: keyspan: fix overrun-error reporting · 1e8d16df
      Johan Hovold authored
      commit 855515a6 upstream.
      
      Fix reporting of overrun errors, which are not associated with a
      character. Instead insert a null character and report only once.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      [bwh: Backported to 3.2:
       - s/\&port->port/tty/
       - Adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1e8d16df
    • Johan Hovold's avatar
      USB: keyspan: fix tty line-status reporting · 25c5feef
      Johan Hovold authored
      commit 5d1678a3 upstream.
      
      Fix handling of TTY error flags, which are not bitmasks and must
      specifically not be ORed together as this prevents the line discipline
      from recognising them.
      
      Also insert null characters when reporting overrun errors as these are
      not associated with the received character.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      [bwh: Backported to 3.2:
       - s/\&port->port/tty/
       - Adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      25c5feef
    • Troy Clark's avatar
      usb: serial: ftdi_sio: add PIDs for Matrix Orbital products · afb8c248
      Troy Clark authored
      commit 204ec6e0 upstream.
      
      Add PIDs for new Matrix Orbital GTT series products.
      Signed-off-by: default avatarTroy Clark <tclark@matrixorbital.ca>
      [johan: shorten commit message ]
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      afb8c248
    • Benjamin Herrenschmidt's avatar
      of/base: Fix PowerPC address parsing hack · f0997a95
      Benjamin Herrenschmidt authored
      commit 746c9e9f upstream.
      
      We have a historical hack that treats missing ranges properties as the
      equivalent of an empty one. This is needed for ancient PowerMac "bad"
      device-trees, and shouldn't be enabled for any other PowerPC platform,
      otherwise we get some nasty layout of devices in sysfs or even
      duplication when a set of otherwise identically named devices is
      created multiple times under a different parent node with no ranges
      property.
      
      This fix is needed for the PowerNV i2c busses to be exposed properly
      and will fix a number of other embedded cases.
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Acked-by: default avatarGrant Likely <grant.likely@linaro.org>
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      [bwh: Backported to 3.2: use #ifdef because IS_ENABLED() only works for
       config symbols that are defined on the current architecture]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f0997a95
    • Kees Cook's avatar
      x86, mm: Set NX across entire PMD at boot · a5c187d9
      Kees Cook authored
      commit 45e2a9d4 upstream.
      
      When setting up permissions on kernel memory at boot, the end of the
      PMD that was split from bss remained executable. It should be NX like
      the rest. This performs a PMD alignment instead of a PAGE alignment to
      get the correct span of memory.
      
      Before:
      ---[ High Kernel Mapping ]---
      ...
      0xffffffff8202d000-0xffffffff82200000  1868K     RW       GLB NX pte
      0xffffffff82200000-0xffffffff82c00000    10M     RW   PSE GLB NX pmd
      0xffffffff82c00000-0xffffffff82df5000  2004K     RW       GLB NX pte
      0xffffffff82df5000-0xffffffff82e00000    44K     RW       GLB x  pte
      0xffffffff82e00000-0xffffffffc0000000   978M                     pmd
      
      After:
      ---[ High Kernel Mapping ]---
      ...
      0xffffffff8202d000-0xffffffff82200000  1868K     RW       GLB NX pte
      0xffffffff82200000-0xffffffff82e00000    12M     RW   PSE GLB NX pmd
      0xffffffff82e00000-0xffffffffc0000000   978M                     pmd
      
      [ tglx: Changed it to roundup(_brk_end, PMD_SIZE) and added a comment.
              We really should unmap the reminder along with the holes
              caused by init,initdata etc. but thats a different issue ]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Toshi Kani <toshi.kani@hp.com>
      Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Cc: David Vrabel <david.vrabel@citrix.com>
      Cc: Wang Nan <wangnan0@huawei.com>
      Cc: Yinghai Lu <yinghai@kernel.org>
      Link: http://lkml.kernel.org/r/20141114194737.GA3091@www.outflux.netSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [bwh: BAckported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a5c187d9
    • Yinghai Lu's avatar
      x86, 64bit, mm: Mark data/bss/brk to nx · e105c818
      Yinghai Lu authored
      commit 72212675 upstream.
      
      HPA said, we should not have RW and +x set at the time.
      
      for kernel layout:
      [    0.000000] Kernel Layout:
      [    0.000000]   .text: [0x01000000-0x021434f8]
      [    0.000000] .rodata: [0x02200000-0x02a13fff]
      [    0.000000]   .data: [0x02c00000-0x02dc763f]
      [    0.000000]   .init: [0x02dc9000-0x0312cfff]
      [    0.000000]    .bss: [0x0313b000-0x03dd6fff]
      [    0.000000]    .brk: [0x03dd7000-0x03dfffff]
      
      before the patch, we have
      ---[ High Kernel Mapping ]---
      0xffffffff80000000-0xffffffff81000000          16M                           pmd
      0xffffffff81000000-0xffffffff82200000          18M     ro         PSE GLB x  pmd
      0xffffffff82200000-0xffffffff82c00000          10M     ro         PSE GLB NX pmd
      0xffffffff82c00000-0xffffffff82dc9000        1828K     RW             GLB x  pte
      0xffffffff82dc9000-0xffffffff82e00000         220K     RW             GLB NX pte
      0xffffffff82e00000-0xffffffff83000000           2M     RW         PSE GLB NX pmd
      0xffffffff83000000-0xffffffff8313a000        1256K     RW             GLB NX pte
      0xffffffff8313a000-0xffffffff83200000         792K     RW             GLB x  pte
      0xffffffff83200000-0xffffffff83e00000          12M     RW         PSE GLB x  pmd
      0xffffffff83e00000-0xffffffffa0000000         450M                           pmd
      
      after patch,, we get
      ---[ High Kernel Mapping ]---
      0xffffffff80000000-0xffffffff81000000          16M                           pmd
      0xffffffff81000000-0xffffffff82200000          18M     ro         PSE GLB x  pmd
      0xffffffff82200000-0xffffffff82c00000          10M     ro         PSE GLB NX pmd
      0xffffffff82c00000-0xffffffff82e00000           2M     RW             GLB NX pte
      0xffffffff82e00000-0xffffffff83000000           2M     RW         PSE GLB NX pmd
      0xffffffff83000000-0xffffffff83200000           2M     RW             GLB NX pte
      0xffffffff83200000-0xffffffff83e00000          12M     RW         PSE GLB NX pmd
      0xffffffff83e00000-0xffffffffa0000000         450M                           pmd
      
      so data, bss, brk get NX ...
      Signed-off-by: default avatarYinghai Lu <yinghai@kernel.org>
      Link: http://lkml.kernel.org/r/1359058816-7615-33-git-send-email-yinghai@kernel.orgSigned-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e105c818
    • Alexey Khoroshilov's avatar
      can: esd_usb2: fix memory leak on disconnect · 923edc87
      Alexey Khoroshilov authored
      commit efbd50d2 upstream.
      
      It seems struct esd_usb2 dev is not deallocated on disconnect. The patch adds
      the missing deallocation.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Acked-by: default avatarMatthias Fuchs <matthias.fuchs@esd.eu>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      923edc87
    • Thomas Körper's avatar
      can: dev: avoid calling kfree_skb() from interrupt context · 42cccc21
      Thomas Körper authored
      commit 5247a589 upstream.
      
      ikfree_skb() is Called in can_free_echo_skb(), which might be called from (TX
      Error) interrupt, which triggers the folloing warning:
      
      [ 1153.360705] ------------[ cut here ]------------
      [ 1153.360715] WARNING: CPU: 0 PID: 31 at net/core/skbuff.c:563 skb_release_head_state+0xb9/0xd0()
      [ 1153.360772] Call Trace:
      [ 1153.360778]  [<c167906f>] dump_stack+0x41/0x52
      [ 1153.360782]  [<c105bb7e>] warn_slowpath_common+0x7e/0xa0
      [ 1153.360784]  [<c158b909>] ? skb_release_head_state+0xb9/0xd0
      [ 1153.360786]  [<c158b909>] ? skb_release_head_state+0xb9/0xd0
      [ 1153.360788]  [<c105bc42>] warn_slowpath_null+0x22/0x30
      [ 1153.360791]  [<c158b909>] skb_release_head_state+0xb9/0xd0
      [ 1153.360793]  [<c158be90>] skb_release_all+0x10/0x30
      [ 1153.360795]  [<c158bf06>] kfree_skb+0x36/0x80
      [ 1153.360799]  [<f8486938>] ? can_free_echo_skb+0x28/0x40 [can_dev]
      [ 1153.360802]  [<f8486938>] can_free_echo_skb+0x28/0x40 [can_dev]
      [ 1153.360805]  [<f849a12c>] esd_pci402_interrupt+0x34c/0x57a [esd402]
      [ 1153.360809]  [<c10a75b5>] handle_irq_event_percpu+0x35/0x180
      [ 1153.360811]  [<c10a7623>] ? handle_irq_event_percpu+0xa3/0x180
      [ 1153.360813]  [<c10a7731>] handle_irq_event+0x31/0x50
      [ 1153.360816]  [<c10a9c7f>] handle_fasteoi_irq+0x6f/0x120
      [ 1153.360818]  [<c10a9c10>] ? handle_edge_irq+0x110/0x110
      [ 1153.360822]  [<c1011b61>] handle_irq+0x71/0x90
      [ 1153.360823]  <IRQ>  [<c168152c>] do_IRQ+0x3c/0xd0
      [ 1153.360829]  [<c1680b6c>] common_interrupt+0x2c/0x34
      [ 1153.360834]  [<c107d277>] ? finish_task_switch+0x47/0xf0
      [ 1153.360836]  [<c167c27b>] __schedule+0x35b/0x7e0
      [ 1153.360839]  [<c10a5334>] ? console_unlock+0x2c4/0x4d0
      [ 1153.360842]  [<c13df500>] ? n_tty_receive_buf_common+0x890/0x890
      [ 1153.360845]  [<c10707b6>] ? process_one_work+0x196/0x370
      [ 1153.360847]  [<c167c723>] schedule+0x23/0x60
      [ 1153.360849]  [<c1070de1>] worker_thread+0x161/0x460
      [ 1153.360852]  [<c1090fcf>] ? __wake_up_locked+0x1f/0x30
      [ 1153.360854]  [<c1070c80>] ? rescuer_thread+0x2f0/0x2f0
      [ 1153.360856]  [<c1074f01>] kthread+0xa1/0xc0
      [ 1153.360859]  [<c1680401>] ret_from_kernel_thread+0x21/0x30
      [ 1153.360861]  [<c1074e60>] ? kthread_create_on_node+0x110/0x110
      [ 1153.360863] ---[ end trace 5ff83639cbb74b35 ]---
      
      This patch replaces the kfree_skb() by dev_kfree_skb_any().
      Signed-off-by: default avatarThomas Körper <thomas.koerper@esd.eu>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      42cccc21
    • Dave Hansen's avatar
      x86: Require exact match for 'noxsave' command line option · 888e7ee2
      Dave Hansen authored
      commit 2cd3949f upstream.
      
      We have some very similarly named command-line options:
      
      arch/x86/kernel/cpu/common.c:__setup("noxsave", x86_xsave_setup);
      arch/x86/kernel/cpu/common.c:__setup("noxsaveopt", x86_xsaveopt_setup);
      arch/x86/kernel/cpu/common.c:__setup("noxsaves", x86_xsaves_setup);
      
      __setup() is designed to match options that take arguments, like
      "foo=bar" where you would have:
      
      	__setup("foo", x86_foo_func...);
      
      The problem is that "noxsave" actually _matches_ "noxsaves" in
      the same way that "foo" matches "foo=bar".  If you boot an old
      kernel that does not know about "noxsaves" with "noxsaves" on the
      command line, it will interpret the argument as "noxsave", which
      is not what you want at all.
      
      This makes the "noxsave" handler only return success when it finds
      an *exact* match.
      
      [ tglx: We really need to make __setup() more robust. ]
      Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Cc: Dave Hansen <dave@sr71.net>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: x86@kernel.org
      Link: http://lkml.kernel.org/r/20141111220133.FE053984@viggo.jf.intel.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      888e7ee2
    • Cristina Ciocan's avatar
      iio: Fix IIO_EVENT_CODE_EXTRACT_DIR bit mask · 07ea3ff9
      Cristina Ciocan authored
      commit ccf54555 upstream.
      
      The direction field is set on 7 bits, thus we need to AND it with 0111 111 mask
      in order to retrieve it, that is 0x7F, not 0xCF as it is now.
      
      Fixes: ade7ef7b (staging:iio: Differential channel handling)
      Signed-off-by: default avatarCristina Ciocan <cristina.ciocan@intel.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      07ea3ff9
    • Stefan Richter's avatar
      firewire: cdev: prevent kernel stack leaking into ioctl arguments · adfa08f5
      Stefan Richter authored
      commit eaca2d8e upstream.
      
      Found by the UC-KLEE tool:  A user could supply less input to
      firewire-cdev ioctls than write- or write/read-type ioctl handlers
      expect.  The handlers used data from uninitialized kernel stack then.
      
      This could partially leak back to the user if the kernel subsequently
      generated fw_cdev_event_'s (to be read from the firewire-cdev fd)
      which notably would contain the _u64 closure field which many of the
      ioctl argument structures contain.
      
      The fact that the handlers would act on random garbage input is a
      lesser issue since all handlers must check their input anyway.
      
      The fix simply always null-initializes the entire ioctl argument buffer
      regardless of the actual length of expected user input.  That is, a
      runtime overhead of memset(..., 40) is added to each firewirew-cdev
      ioctl() call.  [Comment from Clemens Ladisch:  This part of the stack is
      most likely to be already in the cache.]
      
      Remarks:
        - There was never any leak from kernel stack to the ioctl output
          buffer itself.  IOW, it was not possible to read kernel stack by a
          read-type or write/read-type ioctl alone; the leak could at most
          happen in combination with read()ing subsequent event data.
        - The actual expected minimum user input of each ioctl from
          include/uapi/linux/firewire-cdev.h is, in bytes:
          [0x00] = 32, [0x05] =  4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16,
          [0x01] = 36, [0x06] = 20, [0x0b] =  4, [0x10] = 20, [0x15] = 20,
          [0x02] = 20, [0x07] =  4, [0x0c] =  0, [0x11] =  0, [0x16] =  8,
          [0x03] =  4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12,
          [0x04] = 20, [0x09] = 24, [0x0e] =  4, [0x13] = 40, [0x18] =  4.
      Reported-by: default avatarDavid Ramos <daramos@stanford.edu>
      Signed-off-by: default avatarStefan Richter <stefanr@s5r6.in-berlin.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      adfa08f5
    • Fabio Estevam's avatar
      ASoC: sgtl5000: Fix SMALL_POP bit definition · 0718a802
      Fabio Estevam authored
      commit c251ea7b upstream.
      
      On a mx28evk with a sgtl5000 codec we notice a loud 'click' sound  to happen
      5 seconds after the end of a playback.
      
      The SMALL_POP bit should fix this, but its definition is incorrect:
      according to the sgtl5000 manual it is bit 0 of CHIP_REF_CTRL register, not
      bit 1.
      
      Fix the definition accordingly and enable the bit as intended per the code
      comment.
      
      After applying this change, no loud 'click' sound is heard after playback
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0718a802
    • Ilya Dryomov's avatar
      libceph: do not crash on large auth tickets · 42fdf7a1
      Ilya Dryomov authored
      commit aaef3170 upstream.
      
      Large (greater than 32k, the value of PAGE_ALLOC_COSTLY_ORDER) auth
      tickets will have their buffers vmalloc'ed, which leads to the
      following crash in crypto:
      
      [   28.685082] BUG: unable to handle kernel paging request at ffffeb04000032c0
      [   28.686032] IP: [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
      [   28.686032] PGD 0
      [   28.688088] Oops: 0000 [#1] PREEMPT SMP
      [   28.688088] Modules linked in:
      [   28.688088] CPU: 0 PID: 878 Comm: kworker/0:2 Not tainted 3.17.0-vm+ #305
      [   28.688088] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
      [   28.688088] Workqueue: ceph-msgr con_work
      [   28.688088] task: ffff88011a7f9030 ti: ffff8800d903c000 task.ti: ffff8800d903c000
      [   28.688088] RIP: 0010:[<ffffffff81392b42>]  [<ffffffff81392b42>] scatterwalk_pagedone+0x22/0x80
      [   28.688088] RSP: 0018:ffff8800d903f688  EFLAGS: 00010286
      [   28.688088] RAX: ffffeb04000032c0 RBX: ffff8800d903f718 RCX: ffffeb04000032c0
      [   28.688088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8800d903f750
      [   28.688088] RBP: ffff8800d903f688 R08: 00000000000007de R09: ffff8800d903f880
      [   28.688088] R10: 18df467c72d6257b R11: 0000000000000000 R12: 0000000000000010
      [   28.688088] R13: ffff8800d903f750 R14: ffff8800d903f8a0 R15: 0000000000000000
      [   28.688088] FS:  00007f50a41c7700(0000) GS:ffff88011fc00000(0000) knlGS:0000000000000000
      [   28.688088] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [   28.688088] CR2: ffffeb04000032c0 CR3: 00000000da3f3000 CR4: 00000000000006b0
      [   28.688088] Stack:
      [   28.688088]  ffff8800d903f698 ffffffff81392ca8 ffff8800d903f6e8 ffffffff81395d32
      [   28.688088]  ffff8800dac96000 ffff880000000000 ffff8800d903f980 ffff880119b7e020
      [   28.688088]  ffff880119b7e010 0000000000000000 0000000000000010 0000000000000010
      [   28.688088] Call Trace:
      [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
      [   28.688088]  [<ffffffff81392ca8>] scatterwalk_done+0x38/0x40
      [   28.688088]  [<ffffffff81395d32>] blkcipher_walk_done+0x182/0x220
      [   28.688088]  [<ffffffff813990bf>] crypto_cbc_encrypt+0x15f/0x180
      [   28.688088]  [<ffffffff81399780>] ? crypto_aes_set_key+0x30/0x30
      [   28.688088]  [<ffffffff8156c40c>] ceph_aes_encrypt2+0x29c/0x2e0
      [   28.688088]  [<ffffffff8156d2a3>] ceph_encrypt2+0x93/0xb0
      [   28.688088]  [<ffffffff8156d7da>] ceph_x_encrypt+0x4a/0x60
      [   28.688088]  [<ffffffff8155b39d>] ? ceph_buffer_new+0x5d/0xf0
      [   28.688088]  [<ffffffff8156e837>] ceph_x_build_authorizer.isra.6+0x297/0x360
      [   28.688088]  [<ffffffff8112089b>] ? kmem_cache_alloc_trace+0x11b/0x1c0
      [   28.688088]  [<ffffffff8156b496>] ? ceph_auth_create_authorizer+0x36/0x80
      [   28.688088]  [<ffffffff8156ed83>] ceph_x_create_authorizer+0x63/0xd0
      [   28.688088]  [<ffffffff8156b4b4>] ceph_auth_create_authorizer+0x54/0x80
      [   28.688088]  [<ffffffff8155f7c0>] get_authorizer+0x80/0xd0
      [   28.688088]  [<ffffffff81555a8b>] prepare_write_connect+0x18b/0x2b0
      [   28.688088]  [<ffffffff81559289>] try_read+0x1e59/0x1f10
      
      This is because we set up crypto scatterlists as if all buffers were
      kmalloc'ed.  Fix it.
      Signed-off-by: default avatarIlya Dryomov <idryomov@redhat.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      42fdf7a1
    • Stanislaw Gruszka's avatar
      rt2x00: do not align payload on modern H/W · f8ddde5a
      Stanislaw Gruszka authored
      commit cfd9167a upstream.
      
      RT2800 and newer hardware require padding between header and payload if
      header length is not multiple of 4.
      
      For historical reasons we also align payload to to 4 bytes boundary, but
      such alignment is not needed on modern H/W.
      
      Patch fixes skb_under_panic problems reported from time to time:
      
      https://bugzilla.kernel.org/show_bug.cgi?id=84911
      https://bugzilla.kernel.org/show_bug.cgi?id=72471
      http://marc.info/?l=linux-wireless&m=139108549530402&w=2
      https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1087591
      
      Panic happened because we eat 4 bytes of skb headroom on each
      (re)transmission when sending frame without the payload and the header
      length not being multiple of 4 (i.e. QoS header has 26 bytes). On such
      case because paylad_aling=2 is bigger than header_align=0 we increase
      header_align by 4 bytes. To prevent that we could change the check to:
      
      	if (payload_length && payload_align > header_align)
      		header_align += 4;
      
      but not aligning payload at all is more effective and alignment is not
      really needed by H/W (that has been tested on OpenWrt project for few
      years now).
      Reported-and-tested-by: default avatarAntti S. Lankila <alankila@bel.fi>
      Debugged-by: default avatarAntti S. Lankila <alankila@bel.fi>
      Reported-by: default avatarHenrik Asp <solenskiner@gmail.com>
      Originally-From: Helmut Schaa <helmut.schaa@googlemail.com>
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f8ddde5a
    • Miklos Szeredi's avatar
      audit: keep inode pinned · 51a8f21b
      Miklos Szeredi authored
      commit 799b6014 upstream.
      
      Audit rules disappear when an inode they watch is evicted from the cache.
      This is likely not what we want.
      
      The guilty commit is "fsnotify: allow marks to not pin inodes in core",
      which didn't take into account that audit_tree adds watches with a zero
      mask.
      
      Adding any mask should fix this.
      
      Fixes: 90b1e7a5 ("fsnotify: allow marks to not pin inodes in core")
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      51a8f21b
    • Christoph Hellwig's avatar
      scsi: only re-lock door after EH on devices that were reset · cfc515ec
      Christoph Hellwig authored
      commit 48379270 upstream.
      
      Setups that use the blk-mq I/O path can lock up if a host with a single
      device that has its door locked enters EH.  Make sure to only send the
      command to re-lock the door to devices that actually were reset and thus
      might have lost their state.  Otherwise the EH code might be get blocked
      on blk_get_request as all requests for non-reset devices might be in use.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reported-by: default avatarMeelis Roos <meelis.roos@ut.ee>
      Tested-by: default avatarMeelis Roos <meelis.roos@ut.ee>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cfc515ec
    • Preston Fick's avatar
      USB: serial: cp210x: add IDs for CEL MeshConnect USB Stick · 8c952daa
      Preston Fick authored
      commit ffcfe30e upstream.
      Signed-off-by: default avatarPreston Fick <pffick@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8c952daa
    • Pali Rohár's avatar
      Input: alps - allow up to 2 invalid packets without resetting device · b4c57768
      Pali Rohár authored
      commit 9d720b34 upstream.
      
      On some Dell Latitude laptops ALPS device or Dell EC send one invalid byte
      in 6 bytes ALPS packet. In this case psmouse driver enter out of sync
      state. It looks like that all other bytes in packets are valid and also
      device working properly. So there is no need to do full device reset, just
      need to wait for byte which match condition for first byte (start of
      packet). Because ALPS packets are bigger (6 or 8 bytes) default limit is
      small.
      
      This patch increase number of invalid bytes to size of 2 ALPS packets which
      psmouse driver can drop before do full reset.
      
      Resetting ALPS devices take some time and when doing reset on some Dell
      laptops touchpad, trackstick and also keyboard do not respond. So it is
      better to do it only if really necessary.
      Signed-off-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Reviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b4c57768
    • Pali Rohár's avatar
      Input: alps - ignore potential bare packets when device is out of sync · 6c952f13
      Pali Rohár authored
      commit 4ab8f7f3 upstream.
      
      5th and 6th byte of ALPS trackstick V3 protocol match condition for first
      byte of PS/2 3 bytes packet. When driver enters out of sync state and ALPS
      trackstick is sending data then driver match 5th, 6th and next 1st bytes as
      PS/2.
      
      It basically means if user is using trackstick when driver is in out of
      sync state driver will never resync. Processing these bytes as 3 bytes PS/2
      data cause total mess (random cursor movements, random clicks) and make
      trackstick unusable until psmouse driver decide to do full device reset.
      
      Lot of users reported problems with ALPS devices on Dell Latitude E6440,
      E6540 and E7440 laptops. ALPS device or Dell EC for unknown reason send
      some invalid ALPS PS/2 bytes which cause driver out of sync. It looks like
      that i8042 and psmouse/alps driver always receive group of 6 bytes packets
      so there are no missing bytes and no bytes were inserted between valid
      ones.
      
      This patch does not fix root of problem with ALPS devices found in Dell
      Latitude laptops but it does not allow to process some (invalid)
      subsequence of 6 bytes ALPS packets as 3 bytes PS/2 when driver is out of
      sync.
      
      So with this patch trackstick input device does not report bogus data when
      also driver is out of sync, so trackstick should be usable on those
      machines.
      Signed-off-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Reviewed-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6c952f13
    • Thor Thayer's avatar
      spi: dw: Fix dynamic speed change. · 656378a5
      Thor Thayer authored
      commit 0a8727e6 upstream.
      
      An IOCTL call that calls spi_setup() and then dw_spi_setup() will
      overwrite the persisted last transfer speed. On each transfer, the
      SPI speed is compared to the last transfer speed to determine if the
      clock divider registers need to be updated (did the speed change?).
      This bug was observed with the spidev driver using spi-config to
      update the max transfer speed.
      
      This fix: Don't overwrite the persisted last transaction clock speed
      when updating the SPI parameters in dw_spi_setup(). On the next
      transaction, the new speed won't match the persisted last speed
      and the hardware registers will be updated.
      On initialization, the persisted last transaction clock
      speed will be 0 but will be updated after the first SPI
      transaction.
      
      Move zeroed clock divider check into clock change test because
      chip->clk_div is zero on startup and would cause a divide-by-zero
      error. The calculation was wrong as well (can't support odd #).
      Reported-by: default avatarVlastimil Setka <setka@vsis.cz>
      Signed-off-by: default avatarVlastimil Setka <setka@vsis.cz>
      Signed-off-by: default avatarThor Thayer <tthayer@opensource.altera.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      656378a5
    • Imre Deak's avatar
      tty/vt: don't set font mappings on vc not supporting this · 2e0f55ea
      Imre Deak authored
      commit 9e326f78 upstream.
      
      We can call this function for a dummy console that doesn't support
      setting the font mapping, which will result in a null ptr BUG. So check
      for this case and return error for consoles w/o font mapping support.
      
      Reference: https://bugzilla.kernel.org/show_bug.cgi?id=59321Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: this function doesn't take a lock, so doesn't
       need to unlock on error]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2e0f55ea
    • Peter Hurley's avatar
      tty: Fix high cpu load if tty is unreleaseable · 069347b2
      Peter Hurley authored
      commit 37b16457 upstream.
      
      Kernel oops can cause the tty to be unreleaseable (for example, if
      n_tty_read() crashes while on the read_wait queue). This will cause
      tty_release() to endlessly loop without sleeping.
      
      Use a killable sleep timeout which grows by 2n+1 jiffies over the interval
      [0, 120 secs.) and then jumps to forever (but still killable).
      
      NB: killable just allows for the task to be rewoken manually, not
      to be terminated.
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      069347b2
    • Peter Hurley's avatar
      serial: Fix divide-by-zero fault in uart_get_divisor() · 2eb38b76
      Peter Hurley authored
      commit 547039ec upstream.
      
      uart_get_baud_rate() will return baud == 0 if the max rate is set
      to the "magic" 38400 rate and the SPD_* flags are also specified.
      On the first iteration, if the current baud rate is higher than the
      max, the baud rate is clamped at the max (which in the degenerate
      case is 38400). On the second iteration, the now-"magic" 38400 baud
      rate selects the possibly higher alternate baud rate indicated by
      the SPD_* flag. Since only two loop iterations are performed, the
      loop is exited, a kernel WARNING is generated and a baud rate of
      0 is returned.
      
      Reproducible with:
       setserial /dev/ttyS0 spd_hi base_baud 38400
      
      Only perform the "magic" 38400 -> SPD_* baud transform on the first
      loop iteration, which prevents the degenerate case from recognizing
      the clamped baud rate as the "magic" 38400 value.
      Reported-by: default avatarRobert Święcki <robert@swiecki.net>
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2eb38b76
    • Johan Hovold's avatar
      USB: cdc-acm: only raise DTR on transitions from B0 · ae11f62a
      Johan Hovold authored
      commit 4473d054 upstream.
      
      Make sure to only raise DTR on transitions from B0 in set_termios.
      
      Also allow set_termios to be called from open with a termios_old of
      NULL. Note that DTR will not be raised prematurely in this case.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ae11f62a
    • Lars-Peter Clausen's avatar
      staging:iio:ade7758: Remove "raw" from channel name · b05ff47c
      Lars-Peter Clausen authored
      commit b598aacc upstream.
      
      "raw" is a property of a channel, but should not be part of the name of
      channel.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      [bwh: Backported to 3.2: using IIO_CHAN() macro to initialise the structures]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b05ff47c
    • Takashi Iwai's avatar
      ALSA: usb-audio: Fix device_del() sysfs warnings at disconnect · f61457d8
      Takashi Iwai authored
      commit 0725dda2 upstream.
      
      Some USB-audio devices show weird sysfs warnings at disconnecting the
      devices, e.g.
       usb 1-3: USB disconnect, device number 3
       ------------[ cut here ]------------
       WARNING: CPU: 0 PID: 973 at fs/sysfs/group.c:216 device_del+0x39/0x180()
       sysfs group ffffffff8183df40 not found for kobject 'midiC1D0'
       Call Trace:
        [<ffffffff814a3e38>] ? dump_stack+0x49/0x71
        [<ffffffff8103cb72>] ? warn_slowpath_common+0x82/0xb0
        [<ffffffff8103cc55>] ? warn_slowpath_fmt+0x45/0x50
        [<ffffffff813521e9>] ? device_del+0x39/0x180
        [<ffffffff81352339>] ? device_unregister+0x9/0x20
        [<ffffffff81352384>] ? device_destroy+0x34/0x40
        [<ffffffffa00ba29f>] ? snd_unregister_device+0x7f/0xd0 [snd]
        [<ffffffffa025124e>] ? snd_rawmidi_dev_disconnect+0xce/0x100 [snd_rawmidi]
        [<ffffffffa00c0192>] ? snd_device_disconnect+0x62/0x90 [snd]
        [<ffffffffa00c025c>] ? snd_device_disconnect_all+0x3c/0x60 [snd]
        [<ffffffffa00bb574>] ? snd_card_disconnect+0x124/0x1a0 [snd]
        [<ffffffffa02e54e8>] ? usb_audio_disconnect+0x88/0x1c0 [snd_usb_audio]
        [<ffffffffa015260e>] ? usb_unbind_interface+0x5e/0x1b0 [usbcore]
        [<ffffffff813553e9>] ? __device_release_driver+0x79/0xf0
        [<ffffffff81355485>] ? device_release_driver+0x25/0x40
        [<ffffffff81354e11>] ? bus_remove_device+0xf1/0x130
        [<ffffffff813522b9>] ? device_del+0x109/0x180
        [<ffffffffa01501d5>] ? usb_disable_device+0x95/0x1f0 [usbcore]
        [<ffffffffa014634f>] ? usb_disconnect+0x8f/0x190 [usbcore]
        [<ffffffffa0149179>] ? hub_thread+0x539/0x13a0 [usbcore]
        [<ffffffff810669f5>] ? sched_clock_local+0x15/0x80
        [<ffffffff81066c98>] ? sched_clock_cpu+0xb8/0xd0
        [<ffffffff81070730>] ? bit_waitqueue+0xb0/0xb0
        [<ffffffffa0148c40>] ? usb_port_resume+0x430/0x430 [usbcore]
        [<ffffffffa0148c40>] ? usb_port_resume+0x430/0x430 [usbcore]
        [<ffffffff8105973e>] ? kthread+0xce/0xf0
        [<ffffffff81059670>] ? kthread_create_on_node+0x1c0/0x1c0
        [<ffffffff814a8b7c>] ? ret_from_fork+0x7c/0xb0
        [<ffffffff81059670>] ? kthread_create_on_node+0x1c0/0x1c0
       ---[ end trace 40b1928d1136b91e ]---
      
      This comes from the fact that usb-audio driver may receive the
      disconnect callback multiple times, per each usb interface.  When a
      device has both audio and midi interfaces, it gets called twice, and
      currently the driver tries to release resources at the last call.
      At this point, the first parent interface has been already deleted,
      thus deleting a child of the first parent hits such a warning.
      
      For fixing this problem, we need to call snd_card_disconnect() and
      cancel pending operations at the very first disconnect while the
      release of the whole objects waits until the last disconnect call.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=80931Reported-and-tested-by: default avatarTomas Gayoso <tgayoso@gmail.com>
      Reported-and-tested-by: default avatarChris J Arges <chris.j.arges@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f61457d8
    • Oliver Neukum's avatar
      xhci: no switching back on non-ULT Haswell · 906341cd
      Oliver Neukum authored
      commit b45abacd upstream.
      
      The switch back is limited to ULT even on HP. The contrary
      finding arose by bad luck in BIOS versions for testing.
      This fixes spontaneous resume from S3 on some HP laptops.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      906341cd
    • Alan Stern's avatar
      usb-storage: handle a skipped data phase · 85e66060
      Alan Stern authored
      commit 93c9bf4d upstream.
      
      Sometimes mass-storage devices using the Bulk-only transport will
      mistakenly skip the data phase of a command.  Rather than sending the
      data expected by the host or sending a zero-length packet, they go
      directly to the status phase and send the CSW.
      
      This causes problems for usb-storage, for obvious reasons.  The driver
      will interpret the CSW as a short data transfer and will wait to
      receive a CSW.  The device won't have anything left to send, so the
      command eventually times out.
      
      The SCSI layer doesn't retry commands after they time out (this is a
      relatively recent change).  Therefore we should do our best to detect
      a skipped data phase and handle it promptly.
      
      This patch adds code to do that.  If usb-storage receives a short
      13-byte data transfer from the device, and if the first four bytes of
      the data match the CSW signature, the driver will set the residue to
      the full transfer length and interpret the data as a CSW.
      
      This fixes Bugzilla #86611.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      CC: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
      Tested-by: default avatarPaul Osmialowski <newchief@king.net.pl>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: use US_DEBUGP() not usb_stor_dbg()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      85e66060
    • Hans de Goede's avatar
      usb: Do not allow usb_alloc_streams on unconfigured devices · 4fee2090
      Hans de Goede authored
      commit 90a646c7 upstream.
      
      This commit fixes the following oops:
      
      [10238.622067] scsi host3: uas_eh_bus_reset_handler start
      [10240.766164] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
      [10245.779365] usb 3-4: device descriptor read/8, error -110
      [10245.883331] usb 3-4: reset SuperSpeed USB device number 3 using xhci_hcd
      [10250.897603] usb 3-4: device descriptor read/8, error -110
      [10251.058200] BUG: unable to handle kernel NULL pointer dereference at  0000000000000040
      [10251.058244] IP: [<ffffffff815ac6e1>] xhci_check_streams_endpoint+0x91/0x140
      <snip>
      [10251.059473] Call Trace:
      [10251.059487]  [<ffffffff815aca6c>] xhci_calculate_streams_and_bitmask+0xbc/0x130
      [10251.059520]  [<ffffffff815aeb5f>] xhci_alloc_streams+0x10f/0x5a0
      [10251.059548]  [<ffffffff810a4685>] ? check_preempt_curr+0x75/0xa0
      [10251.059575]  [<ffffffff810a46dc>] ? ttwu_do_wakeup+0x2c/0x100
      [10251.059601]  [<ffffffff810a49e6>] ? ttwu_do_activate.constprop.111+0x66/0x70
      [10251.059635]  [<ffffffff815779ab>] usb_alloc_streams+0xab/0xf0
      [10251.059662]  [<ffffffffc0616b48>] uas_configure_endpoints+0x128/0x150 [uas]
      [10251.059694]  [<ffffffffc0616bac>] uas_post_reset+0x3c/0xb0 [uas]
      [10251.059722]  [<ffffffff815727d9>] usb_reset_device+0x1b9/0x2a0
      [10251.059749]  [<ffffffffc0616f42>] uas_eh_bus_reset_handler+0xb2/0x190 [uas]
      [10251.059781]  [<ffffffff81514293>] scsi_try_bus_reset+0x53/0x110
      [10251.059808]  [<ffffffff815163b7>] scsi_eh_bus_reset+0xf7/0x270
      <snip>
      
      The problem is the following call sequence (simplified):
      
      1) usb_reset_device
      2)  usb_reset_and_verify_device
      2)   hub_port_init
      3)    hub_port_finish_reset
      3)     xhci_discover_or_reset_device
              This frees xhci->devs[slot_id]->eps[ep_index].ring for all eps but 0
      4)    usb_get_device_descriptor
             This fails
      5)   hub_port_init fails
      6)  usb_reset_and_verify_device fails, does not restore device config
      7)  uas_post_reset
      8)   xhci_alloc_streams
            NULL deref on the free-ed ring
      
      This commit fixes this by not allowing usb_alloc_streams to continue if
      the device is not configured.
      
      Note that we do allow usb_free_streams to continue after a (logical)
      disconnect, as it is necessary to explicitly free the streams at the xhci
      controller level.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4fee2090
    • Johan Hovold's avatar
      USB: cdc-acm: add device id for GW Instek AFG-2225 · c31af119
      Johan Hovold authored
      commit cf84a691 upstream.
      
      Add device-id entry for GW Instek AFG-2225, which has a byte swapped
      bInterfaceSubClass (0x20).
      Reported-by: default avatarKarl Palsson <karlp@tweak.net.au>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c31af119
    • Johannes Berg's avatar
      mac80211: fix use-after-free in defragmentation · bc11c708
      Johannes Berg authored
      commit b8fff407 upstream.
      
      Upon receiving the last fragment, all but the first fragment
      are freed, but the multicast check for statistics at the end
      of the function refers to the current skb (the last fragment)
      causing a use-after-free bug.
      
      Since multicast frames cannot be fragmented and we check for
      this early in the function, just modify that check to also
      do the accounting to fix the issue.
      Reported-by: default avatarYosef Khyal <yosefx.khyal@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bc11c708