1. 23 Feb, 2017 40 commits
    • Richard Weinberger's avatar
      ubifs: Fix xattr_names length in exit paths · 72ee0177
      Richard Weinberger authored
      commit 843741c5 upstream.
      
      When the operation fails we also have to undo the changes
      we made to ->xattr_names. Otherwise listxattr() will report
      wrong lengths.
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      72ee0177
    • Patrick Scheuring's avatar
      Input: i8042 - add XMG C504 to keyboard reset table · 77831667
      Patrick Scheuring authored
      commit da25311c upstream.
      
      The Schenker XMG C504 is a rebranded Gigabyte P35 v2 laptop.
      Therefore it also needs a keyboard reset to detect the Elantech touchpad.
      Otherwise the touchpad appears to be dead.
      
      With this patch the touchpad is detected:
      
      $ dmesg | grep -E "(i8042|Elantech|elantech)"
      
      [    2.675399] i8042: PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12
      [    2.680372] i8042: Attempting to reset device connected to KBD port
      [    2.789037] serio: i8042 KBD port at 0x60,0x64 irq 1
      [    2.791586] serio: i8042 AUX port at 0x60,0x64 irq 12
      [    2.813840] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input4
      [    3.811431] psmouse serio1: elantech: assuming hardware version 4 (with firmware version 0x361f0e)
      [    3.825424] psmouse serio1: elantech: Synaptics capabilities query result 0x00, 0x15, 0x0f.
      [    3.839424] psmouse serio1: elantech: Elan sample query result 03, 58, 74
      [    3.911349] input: ETPS/2 Elantech Touchpad as /devices/platform/i8042/serio1/input/input6
      Signed-off-by: default avatarPatrick Scheuring <patrick.scheuring.dev@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      77831667
    • Jan Kara's avatar
      isofs: Do not return EACCES for unknown filesystems · 17490601
      Jan Kara authored
      commit a2ed0b39 upstream.
      
      When isofs_mount() is called to mount a device read-write, it returns
      EACCES even before it checks that the device actually contains an isofs
      filesystem. This may confuse mount(8) which then tries to mount all
      subsequent filesystem types in read-only mode.
      
      Fix the problem by returning EACCES only once we verify that the device
      indeed contains an iso9660 filesystem.
      
      Fixes: 17b7f7cfReported-by: default avatarKent Overstreet <kent.overstreet@gmail.com>
      Reported-by: default avatarKarel Zak <kzak@redhat.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      17490601
    • Dan Carpenter's avatar
      scsi: zfcp: spin_lock_irqsave() is not nestable · ff9c51e4
      Dan Carpenter authored
      commit e7cb08e8 upstream.
      
      We accidentally overwrite the original saved value of "flags" so that we
      can't re-enable IRQs at the end of the function.  Presumably this
      function is mostly called with IRQs disabled or it would be obvious in
      testing.
      
      Fixes: aceeffbb ("zfcp: trace full payload of all SAN records (req,resp,iels)")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ff9c51e4
    • Johannes Berg's avatar
      mac80211: discard multicast and 4-addr A-MSDUs · 53718b13
      Johannes Berg authored
      commit ea720935 upstream.
      
      In mac80211, multicast A-MSDUs are accepted in many cases that
      they shouldn't be accepted in:
       * drop A-MSDUs with a multicast A1 (RA), as required by the
         spec in 9.11 (802.11-2012 version)
       * drop A-MSDUs with a 4-addr header, since the fourth address
         can't actually be useful for them; unless 4-address frame
         format is actually requested, even though the fourth address
         is still not useful in this case, but ignored
      
      Accepting the first case, in particular, is very problematic
      since it allows anyone else with possession of a GTK to send
      unicast frames encapsulated in a multicast A-MSDU, even when
      the AP has client isolation enabled.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      53718b13
    • Ming Lei's avatar
      scsi: Fix use-after-free · a95eb569
      Ming Lei authored
      commit bcd8f2e9 upstream.
      
      This patch fixes one use-after-free report[1] by KASAN.
      
      In __scsi_scan_target(), when a type 31 device is probed,
      SCSI_SCAN_TARGET_PRESENT is returned and the target will be scanned
      again.
      
      Inside the following scsi_report_lun_scan(), one new scsi_device
      instance is allocated, and scsi_probe_and_add_lun() is called again to
      probe the target and still see type 31 device, finally
      __scsi_remove_device() is called to remove & free the device at the end
      of scsi_probe_and_add_lun(), so cause use-after-free in
      scsi_report_lun_scan().
      
      And the following SCSI log can be observed:
      
      	scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36
      	scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0
      	scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added
      	scsi 0:0:2:0: scsi scan: Sending REPORT LUNS to (try 0)
      	scsi 0:0:2:0: scsi scan: REPORT LUNS successful (try 0) result 0x0
      	scsi 0:0:2:0: scsi scan: REPORT LUN scan
      	scsi 0:0:2:0: scsi scan: INQUIRY pass 1 length 36
      	scsi 0:0:2:0: scsi scan: INQUIRY successful with code 0x0
      	scsi 0:0:2:0: scsi scan: peripheral device type of 31, no device added
      	BUG: KASAN: use-after-free in __scsi_scan_target+0xbf8/0xe40 at addr ffff88007b44a104
      
      This patch fixes the issue by moving the putting reference at
      the end of scsi_report_lun_scan().
      
      [1] KASAN report
      ==================================================================
      [    3.274597] PM: Adding info for serio:serio1
      [    3.275127] BUG: KASAN: use-after-free in __scsi_scan_target+0xd87/0xdf0 at addr ffff880254d8c304
      [    3.275653] Read of size 4 by task kworker/u10:0/27
      [    3.275903] CPU: 3 PID: 27 Comm: kworker/u10:0 Not tainted 4.8.0 #2121
      [    3.276258] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [    3.276797] Workqueue: events_unbound async_run_entry_fn
      [    3.277083]  ffff880254d8c380 ffff880259a37870 ffffffff94bbc6c1 ffff880078402d80
      [    3.277532]  ffff880254d8bb80 ffff880259a37898 ffffffff9459fec1 ffff880259a37930
      [    3.277989]  ffff880254d8bb80 ffff880078402d80 ffff880259a37920 ffffffff945a0165
      [    3.278436] Call Trace:
      [    3.278528]  [<ffffffff94bbc6c1>] dump_stack+0x65/0x84
      [    3.278797]  [<ffffffff9459fec1>] kasan_object_err+0x21/0x70
      [    3.279063] device: 'psaux': device_add
      [    3.279616]  [<ffffffff945a0165>] kasan_report_error+0x205/0x500
      [    3.279651] PM: Adding info for No Bus:psaux
      [    3.280202]  [<ffffffff944ecd22>] ? kfree_const+0x22/0x30
      [    3.280486]  [<ffffffff94bc2dc9>] ? kobject_release+0x119/0x370
      [    3.280805]  [<ffffffff945a0543>] __asan_report_load4_noabort+0x43/0x50
      [    3.281170]  [<ffffffff9507e1f7>] ? __scsi_scan_target+0xd87/0xdf0
      [    3.281506]  [<ffffffff9507e1f7>] __scsi_scan_target+0xd87/0xdf0
      [    3.281848]  [<ffffffff9507d470>] ? scsi_add_device+0x30/0x30
      [    3.282156]  [<ffffffff94f7f660>] ? pm_runtime_autosuspend_expiration+0x60/0x60
      [    3.282570]  [<ffffffff956ddb07>] ? _raw_spin_lock+0x17/0x40
      [    3.282880]  [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160
      [    3.283200]  [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0
      [    3.283563]  [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250
      [    3.283882]  [<ffffffff9507efc1>] do_scan_async+0x41/0x450
      [    3.284173]  [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610
      [    3.284492]  [<ffffffff941a8954>] ? pwq_dec_nr_in_flight+0x124/0x2a0
      [    3.284876]  [<ffffffff941d1770>] ? preempt_count_add+0x130/0x160
      [    3.285207]  [<ffffffff941a9a84>] process_one_work+0x544/0x12d0
      [    3.285526]  [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0
      [    3.285844]  [<ffffffff941aa810>] ? process_one_work+0x12d0/0x12d0
      [    3.286182]  [<ffffffff941bb365>] kthread+0x1c5/0x260
      [    3.286443]  [<ffffffff940855cd>] ? __switch_to+0x88d/0x1430
      [    3.286745]  [<ffffffff941bb1a0>] ? kthread_worker_fn+0x5a0/0x5a0
      [    3.287085]  [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40
      [    3.287368]  [<ffffffff941bb1a0>] ? kthread_worker_fn+0x5a0/0x5a0
      [    3.287697] Object at ffff880254d8bb80, in cache kmalloc-2048 size: 2048
      [    3.288064] Allocated:
      [    3.288147] PID = 27
      [    3.288218]  [<ffffffff940b27ab>] save_stack_trace+0x2b/0x50
      [    3.288531]  [<ffffffff9459f246>] save_stack+0x46/0xd0
      [    3.288806]  [<ffffffff9459f4bd>] kasan_kmalloc+0xad/0xe0
      [    3.289098]  [<ffffffff9459c07e>] __kmalloc+0x13e/0x250
      [    3.289378]  [<ffffffff95078e5a>] scsi_alloc_sdev+0xea/0xcf0
      [    3.289701]  [<ffffffff9507de76>] __scsi_scan_target+0xa06/0xdf0
      [    3.290034]  [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160
      [    3.290362]  [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0
      [    3.290724]  [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250
      [    3.291055]  [<ffffffff9507efc1>] do_scan_async+0x41/0x450
      [    3.291354]  [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610
      [    3.291695]  [<ffffffff941a9a84>] process_one_work+0x544/0x12d0
      [    3.292022]  [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0
      [    3.292325]  [<ffffffff941bb365>] kthread+0x1c5/0x260
      [    3.292594]  [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40
      [    3.292886] Freed:
      [    3.292945] PID = 27
      [    3.293016]  [<ffffffff940b27ab>] save_stack_trace+0x2b/0x50
      [    3.293327]  [<ffffffff9459f246>] save_stack+0x46/0xd0
      [    3.293600]  [<ffffffff9459fa61>] kasan_slab_free+0x71/0xb0
      [    3.293916]  [<ffffffff9459bac2>] kfree+0xa2/0x1f0
      [    3.294168]  [<ffffffff9508158a>] scsi_device_dev_release_usercontext+0x50a/0x730
      [    3.294598]  [<ffffffff941ace9a>] execute_in_process_context+0xda/0x130
      [    3.294974]  [<ffffffff9508107c>] scsi_device_dev_release+0x1c/0x20
      [    3.295322]  [<ffffffff94f566f6>] device_release+0x76/0x1e0
      [    3.295626]  [<ffffffff94bc2db7>] kobject_release+0x107/0x370
      [    3.295942]  [<ffffffff94bc29ce>] kobject_put+0x4e/0xa0
      [    3.296222]  [<ffffffff94f56e17>] put_device+0x17/0x20
      [    3.296497]  [<ffffffff9505201c>] scsi_device_put+0x7c/0xa0
      [    3.296801]  [<ffffffff9507e1bc>] __scsi_scan_target+0xd4c/0xdf0
      [    3.297132]  [<ffffffff9507e505>] scsi_scan_channel+0x105/0x160
      [    3.297458]  [<ffffffff9507e8a2>] scsi_scan_host_selected+0x212/0x2f0
      [    3.297829]  [<ffffffff9507eb3c>] do_scsi_scan_host+0x1bc/0x250
      [    3.298156]  [<ffffffff9507efc1>] do_scan_async+0x41/0x450
      [    3.298453]  [<ffffffff941c1fee>] async_run_entry_fn+0xfe/0x610
      [    3.298777]  [<ffffffff941a9a84>] process_one_work+0x544/0x12d0
      [    3.299105]  [<ffffffff941aa8e9>] worker_thread+0xd9/0x12f0
      [    3.299408]  [<ffffffff941bb365>] kthread+0x1c5/0x260
      [    3.299676]  [<ffffffff956dde9f>] ret_from_fork+0x1f/0x40
      [    3.299967] Memory state around the buggy address:
      [    3.300209]  ffff880254d8c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    3.300608]  ffff880254d8c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    3.300986] >ffff880254d8c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    3.301408]                    ^
      [    3.301550]  ffff880254d8c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [    3.301987]  ffff880254d8c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [    3.302396]
      ==================================================================
      
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarMing Lei <tom.leiming@gmail.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a95eb569
    • Paul Mackerras's avatar
      powerpc/64: Fix incorrect return value from __copy_tofrom_user · f51adbea
      Paul Mackerras authored
      commit 1a34439e upstream.
      
      Debugging a data corruption issue with virtio-net/vhost-net led to
      the observation that __copy_tofrom_user was occasionally returning
      a value 16 larger than it should.  Since the return value from
      __copy_tofrom_user is the number of bytes not copied, this means
      that __copy_tofrom_user can occasionally return a value larger
      than the number of bytes it was asked to copy.  In turn this can
      cause higher-level copy functions such as copy_page_to_iter_iovec
      to corrupt memory by copying data into the wrong memory locations.
      
      It turns out that the failing case involves a fault on the store
      at label 79, and at that point the first unmodified byte of the
      destination is at R3 + 16.  Consequently the exception handler
      for that store needs to add 16 to R3 before using it to work out
      how many bytes were not copied, but in this one case it was not
      adding the offset to R3.  To fix it, this moves the label 179 to
      the point where we add 16 to R3.  I have checked manually all the
      exception handlers for the loads and stores in this code and the
      rest of them are correct (it would be excellent to have an
      automated test of all the exception cases).
      
      This bug has been present since this code was initially
      committed in May 2002 to Linux version 2.5.20.
      Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f51adbea
    • Ondrej Mosnáček's avatar
      crypto: gcm - Fix IV buffer size in crypto_gcm_setkey · 35a6ba63
      Ondrej Mosnáček authored
      commit 50d2e6dc upstream.
      
      The cipher block size for GCM is 16 bytes, and thus the CTR transform
      used in crypto_gcm_setkey() will also expect a 16-byte IV. However,
      the code currently reserves only 8 bytes for the IV, causing
      an out-of-bounds access in the CTR transform. This patch fixes
      the issue by setting the size of the IV buffer to 16 bytes.
      
      Fixes: 84c91152 ("[CRYPTO] gcm: Add support for async ciphers")
      Signed-off-by: default avatarOndrej Mosnacek <omosnacek@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      35a6ba63
    • Miklos Szeredi's avatar
      fuse: listxattr: verify xattr list · b60c85b4
      Miklos Szeredi authored
      commit cb3ae6d2 upstream.
      
      Make sure userspace filesystem is returning a well formed list of xattr
      names (zero or more nonzero length, null terminated strings).
      
      [Michael Theall: only verify in the nonzero size case]
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      [bwh: Backported to 3.2: adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b60c85b4
    • Miklos Szeredi's avatar
      fuse: fix killing s[ug]id in setattr · 93d39020
      Miklos Szeredi authored
      commit a09f99ed upstream.
      
      Fuse allowed VFS to set mode in setattr in order to clear suid/sgid on
      chown and truncate, and (since writeback_cache) write.  The problem with
      this is that it'll potentially restore a stale mode.
      
      The poper fix would be to let the filesystems do the suid/sgid clearing on
      the relevant operations.  Possibly some are already doing it but there's no
      way we can detect this.
      
      So fix this by refreshing and recalculating the mode.  Do this only if
      ATTR_KILL_S[UG]ID is set to not destroy performance for writes.  This is
      still racy but the size of the window is reduced.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      93d39020
    • Miklos Szeredi's avatar
      fuse: invalidate dir dentry after chmod · 643263c1
      Miklos Szeredi authored
      commit 5e2b8828 upstream.
      
      Without "default_permissions" the userspace filesystem's lookup operation
      needs to perform the check for search permission on the directory.
      
      If directory does not allow search for everyone (this is quite rare) then
      userspace filesystem has to set entry timeout to zero to make sure
      permissions are always performed.
      
      Changing the mode bits of the directory should also invalidate the
      (previously cached) dentry to make sure the next lookup will have a chance
      of updating the timeout, if needed.
      Reported-by: default avatarJean-Pierre André <jean-pierre.andre@wanadoo.fr>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      [bwh: Backported to 3.2:
       - Adjust context
       - Open-code d_is_dir()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      643263c1
    • Sascha Silbe's avatar
      s390/con3270: fix insufficient space padding · d03cb14e
      Sascha Silbe authored
      commit 6cd997db upstream.
      
      con3270 contains an optimisation that reduces the amount of data to be
      transmitted to the 3270 terminal by putting a Repeat to Address (RA)
      order into the data stream. The RA order itself takes up space, so
      con3270 only uses it if there's enough space left in the line
      buffer. Otherwise it just pads out the line manually.
      
      For lines that were _just_ short enough that the RA order still fit in
      the line buffer, the line was instead padded with an insufficient
      amount of spaces. This was caused by examining the size of the
      allocated line buffer rather than the length of the string to be
      displayed.
      
      For con3270_cline_end(), we just compare against the line length. For
      con3270_update_string() however that isn't available anymore, so we
      check whether the Repeat to Address order is present.
      
      Fixes: f51320a5 ("[PATCH] s390: new 3270 driver.") (tglx/history.git)
      Tested-by: default avatarJing Liu <liujbjl@linux.vnet.ibm.com>
      Tested-by: default avatarYang Chen <bjcyang@linux.vnet.ibm.com>
      Signed-off-by: default avatarSascha Silbe <silbe@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d03cb14e
    • Sascha Silbe's avatar
      s390/con3270: fix use of uninitialised data · 6f2ea755
      Sascha Silbe authored
      commit c14f2aac upstream.
      
      con3270 contains an optimisation that reduces the amount of data to be
      transmitted to the 3270 terminal by putting a Repeat to Address (RA)
      order into the data stream. The RA order itself takes up space, so
      con3270 only uses it if there's enough space left in the line
      buffer. Otherwise it just pads out the line manually.
      
      For lines too long to include the RA order, one byte was left
      uninitialised. This was caused by an off-by-one bug in the loop that
      pads out the line. Since the buffer is allocated from a common pool,
      the single byte left uninitialised contained some previous buffer
      content. Usually this was just a space or some character (which can
      result in clutter but is otherwise harmless). Sometimes, however, it
      was a Repeat to Address order, messing up the entire screen layout and
      causing the display to send the entire buffer content on every
      keystroke.
      
      Fixes: f51320a5 ("[PATCH] s390: new 3270 driver.") (tglx/history.git)
      Reported-by: default avatarLiu Jing <liujbjl@linux.vnet.ibm.com>
      Tested-by: default avatarJing Liu <liujbjl@linux.vnet.ibm.com>
      Tested-by: default avatarYang Chen <bjcyang@linux.vnet.ibm.com>
      Signed-off-by: default avatarSascha Silbe <silbe@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6f2ea755
    • gmail's avatar
      ext4: release bh in make_indexed_dir · 90d3d0dd
      gmail authored
      commit e81d4477 upstream.
      
      The commit 6050d47a: "ext4: bail out from make_indexed_dir() on
      first error" could end up leaking bh2 in the error path.
      
      [ Also avoid renaming bh2 to bh, which just confuses things --tytso ]
      Signed-off-by: default avataryangsheng <yngsion@gmail.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      90d3d0dd
    • Anton Blanchard's avatar
      powerpc/vdso64: Use double word compare on pointers · f8351abb
      Anton Blanchard authored
      commit 5045ea37 upstream.
      
      __kernel_get_syscall_map() and __kernel_clock_getres() use cmpli to
      check if the passed in pointer is non zero. cmpli maps to a 32 bit
      compare on binutils, so we ignore the top 32 bits.
      
      A simple test case can be created by passing in a bogus pointer with
      the bottom 32 bits clear. Using a clk_id that is handled by the VDSO,
      then one that is handled by the kernel shows the problem:
      
        printf("%d\n", clock_getres(CLOCK_REALTIME, (void *)0x100000000));
        printf("%d\n", clock_getres(CLOCK_BOOTTIME, (void *)0x100000000));
      
      And we get:
      
        0
        -1
      
      The bigger issue is if we pass a valid pointer with the bottom 32 bits
      clear, in this case we will return success but won't write any data
      to the pointer.
      
      I stumbled across this issue because the LLVM integrated assembler
      doesn't accept cmpli with 3 arguments. Fix this by converting them to
      cmpldi.
      
      Fixes: a7f290da ("[PATCH] powerpc: Merge vdso's and add vdso support to 32 bits kernel")
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f8351abb
    • Trond Myklebust's avatar
      NFSv4: Open state recovery must account for file permission changes · 281b1479
      Trond Myklebust authored
      commit 304020fe upstream.
      
      If the file permissions change on the server, then we may not be able to
      recover open state. If so, we need to ensure that we mark the file
      descriptor appropriately.
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Tested-by: default avatarOleg Drokin <green@linuxhacker.ru>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      281b1479
    • Kyle Jones's avatar
      USB: serial: cp210x: Add ID for a Juniper console · 19f81b74
      Kyle Jones authored
      commit decc5360 upstream.
      Signed-off-by: default avatarKyle Jones <kyle@kf5jwc.us>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      19f81b74
    • Daniel Glöckner's avatar
      mmc: block: don't use CMD23 with very old MMC cards · 73531ad4
      Daniel Glöckner authored
      commit 0ed50abb upstream.
      
      CMD23 aka SET_BLOCK_COUNT was introduced with MMC v3.1.
      Older versions of the specification allowed to terminate
      multi-block transfers only with CMD12.
      
      The patch fixes the following problem:
      
        mmc0: new MMC card at address 0001
        mmcblk0: mmc0:0001 SDMB-16 15.3 MiB
        mmcblk0: timed out sending SET_BLOCK_COUNT command, card status 0x400900
        ...
        blk_update_request: I/O error, dev mmcblk0, sector 0
        Buffer I/O error on dev mmcblk0, logical block 0, async page read
         mmcblk0: unable to read partition table
      Signed-off-by: default avatarDaniel Glöckner <dg@emlix.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      73531ad4
    • Jan Remmet's avatar
      regulator: tps65910: Work around silicon erratum SWCZ010 · c2933e8c
      Jan Remmet authored
      commit 8f9165c9 upstream.
      
      http://www.ti.com/lit/pdf/SWCZ010:
        DCDC o/p voltage can go higher than programmed value
      
      Impact:
      VDDI, VDD2, and VIO output programmed voltage level can go higher than
      expected or crash, when coming out of PFM to PWM mode or using DVFS.
      
      Description:
      When DCDC CLK SYNC bits are 11/01:
      * VIO 3-MHz oscillator is the source clock of the digital core and input
        clock of VDD1 and VDD2
      * Turn-on of VDD1 and VDD2 HSD PFETis synchronized or at a constant
        phase shift
      * Current pulled though VCC1+VCC2 is Iload(VDD1) + Iload(VDD2)
      * The 3 HSD PFET will be turned-on at the same time, causing the highest
        possible switching noise on the application. This noise level depends
        on the layout, the VBAT level, and the load current. The noise level
        increases with improper layout.
      
      When DCDC CLK SYNC bits are 00:
      * VIO 3-MHz oscillator is the source clock of digital core
      * VDD1 and VDD2 are running on their own 3-MHz oscillator
      * Current pulled though VCC1+VCC2 average of Iload(VDD1) + Iload(VDD2)
      * The switching noise of the 3 SMPS will be randomly spread over time,
        causing lower overall switching noise.
      
      Workaround:
      Set DCDCCTRL_REG[1:0]= 00.
      Signed-off-by: default avatarJan Remmet <j.remmet@phytec.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      [bwh: Backported to 3.2: use tps65910_clear_bits()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c2933e8c
    • Anssi Hannula's avatar
      ALSA: usb-audio: Extend DragonFly dB scale quirk to cover other variants · edc95534
      Anssi Hannula authored
      commit eb1a74b7 upstream.
      
      The DragonFly quirk added in 42e3121d ("ALSA: usb-audio: Add a more
      accurate volume quirk for AudioQuest DragonFly") applies a custom dB map
      on the volume control when its range is reported as 0..50 (0 .. 0.2dB).
      
      However, there exists at least one other variant (hw v1.0c, as opposed
      to the tested v1.2) which reports a different non-sensical volume range
      (0..53) and the custom map is therefore not applied for that device.
      
      This results in all of the volume change appearing close to 100% on
      mixer UIs that utilize the dB TLV information.
      
      Add a fallback case where no dB TLV is reported at all if the control
      range is not 0..50 but still 0..N where N <= 1000 (3.9 dB). Also
      restrict the quirk to only apply to the volume control as there is also
      a mute control which would match the check otherwise.
      
      Fixes: 42e3121d ("ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly")
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@iki.fi>
      Reported-by: default avatarDavid W <regulars@d-dub.org.uk>
      Tested-by: default avatarDavid W <regulars@d-dub.org.uk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [bwh: Backported to 3.2: keep using dev_info()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      edc95534
    • Jack Morgenstein's avatar
      net/mlx4_core: Fix deadlock when switching between polling and event fw commands · 2a304eaf
      Jack Morgenstein authored
      commit a7e1f049 upstream.
      
      When switching from polling-based fw commands to event-based fw
      commands, there is a race condition which could cause a fw command
      in another task to hang: that task will keep waiting for the polling
      sempahore, but may never be able to acquire it. This is due to
      mlx4_cmd_use_events, which "down"s the sempahore back to 0.
      
      During driver initialization, this is not a problem, since no other
      tasks which invoke FW commands are active.
      
      However, there is a problem if the driver switches to polling mode
      and then back to event mode during normal operation.
      
      The "test_interrupts" feature does exactly that.
      Running "ethtool -t <eth device> offline" causes the PF driver to
      temporarily switch to polling mode, and then back to event mode.
      (Note that for VF drivers, such switching is not performed).
      
      Fix this by adding a read-write semaphore for protection when
      switching between modes.
      
      Fixes: 225c7b1f ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters")
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarMatan Barak <matanb@mellanox.com>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2a304eaf
    • Greg Kroah-Hartman's avatar
      usb: misc: legousbtower: Fix NULL pointer deference · dde8322a
      Greg Kroah-Hartman authored
      commit 2fae9e5a upstream.
      
      This patch fixes a NULL pointer dereference caused by a race codition in
      the probe function of the legousbtower driver. It re-structures the
      probe function to only register the interface after successfully reading
      the board's firmware ID.
      
      The probe function does not deregister the usb interface after an error
      receiving the devices firmware ID. The device file registered
      (/dev/usb/legousbtower%d) may be read/written globally before the probe
      function returns. When tower_delete is called in the probe function
      (after an r/w has been initiated), core dev structures are deleted while
      the file operation functions are still running. If the 0 address is
      mappable on the machine, this vulnerability can be used to create a
      Local Priviege Escalation exploit via a write-what-where condition by
      remapping dev->interrupt_out_buffer in tower_write. A forged USB device
      and local program execution would be required for LPE. The USB device
      would have to delay the control message in tower_probe and accept
      the control urb in tower_open whilst guest code initiated a write to the
      device file as tower_delete is called from the error in tower_probe.
      
      This bug has existed since 2003. Patch tested by emulated device.
      Reported-by: default avatarJames Patrick-Evans <james@jmp-e.com>
      Tested-by: default avatarJames Patrick-Evans <james@jmp-e.com>
      Signed-off-by: default avatarJames Patrick-Evans <james@jmp-e.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: keep using err()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dde8322a
    • Takashi Iwai's avatar
      ALSA: ali5451: Fix out-of-bound position reporting · 974779e8
      Takashi Iwai authored
      commit db685779 upstream.
      
      The pointer callbacks of ali5451 driver may return the value at the
      boundary occasionally, and it results in the kernel warning like
        snd_ali5451 0000:00:06.0: BUG: , pos = 16384, buffer size = 16384, period size = 1024
      
      It seems that folding the position offset is enough for fixing the
      warning and no ill-effect has been seen by that.
      Reported-by: default avatarEnrico Mioso <mrkiko.rs@gmail.com>
      Tested-by: default avatarEnrico Mioso <mrkiko.rs@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      974779e8
    • Pan Xinhui's avatar
      powerpc/nvram: Fix an incorrect partition merge · b4f20c34
      Pan Xinhui authored
      commit 11b7e154 upstream.
      
      When we merge two contiguous partitions whose signatures are marked
      NVRAM_SIG_FREE, We need update prev's length and checksum, then write it
      to nvram, not cur's. So lets fix this mistake now.
      
      Also use memset instead of strncpy to set the partition's name. It's
      more readable if we want to fill up with duplicate chars .
      
      Fixes: fa2b4e54 ("powerpc/nvram: Improve partition removal")
      Signed-off-by: default avatarPan Xinhui <xinhui.pan@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b4f20c34
    • Brian King's avatar
      scsi: ibmvfc: Fix I/O hang when port is not mapped · c5fe093e
      Brian King authored
      commit 07d0e9a8 upstream.
      
      If a VFC port gets unmapped in the VIOS, it may not respond with a CRQ
      init complete following H_REG_CRQ. If this occurs, we can end up having
      called scsi_block_requests and not a resulting unblock until the init
      complete happens, which may never occur, and we end up hanging I/O
      requests.  This patch ensures the host action stay set to
      IBMVFC_HOST_ACTION_TGT_DEL so we move all rports into devloss state and
      unblock unless we receive an init complete.
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Acked-by: default avatarTyrel Datwyler <tyreld@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c5fe093e
    • Baoquan He's avatar
      iommu/amd: Free domain id when free a domain of struct dma_ops_domain · 74b5e5fb
      Baoquan He authored
      commit c3db901c upstream.
      
      The current code missed freeing domain id when free a domain of
      struct dma_ops_domain.
      Signed-off-by: default avatarBaoquan He <bhe@redhat.com>
      Fixes: ec487d1a ('x86, AMD IOMMU: add domain allocation and deallocation functions')
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      74b5e5fb
    • Xin Long's avatar
      sctp: do not return the transmit err back to sctp_sendmsg · fdb733e3
      Xin Long authored
      commit 66388f2c upstream.
      
      Once a chunk is enqueued successfully, sctp queues can take care of it.
      Even if it is failed to transmit (like because of nomem), it should be
      put into retransmit queue.
      
      If sctp report this error to users, it confuses them, they may resend
      that msg, but actually in kernel sctp stack is in charge of retransmit
      it already.
      
      Besides, this error probably is not from the failure of transmitting
      current msg, but transmitting or retransmitting another msg's chunks,
      as sctp_outq_flush just tries to send out all transports' chunks.
      
      This patch is to make sctp_cmd_send_msg return avoid, and not return the
      transmit err back to sctp_sendmsg
      
      Fixes: 8b570dc9 ("sctp: only drop the reference on the datamsg after sending a msg")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.2: no gfp flags parameter]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fdb733e3
    • Mike Galbraith's avatar
      reiserfs: Unlock superblock before calling reiserfs_quota_on_mount() · 675e634a
      Mike Galbraith authored
      commit 420902c9 upstream.
      
      If we hold the superblock lock while calling reiserfs_quota_on_mount(), we can
      deadlock our own worker - mount blocks kworker/3:2, sleeps forever more.
      
      crash> ps|grep UN
          715      2   3  ffff880220734d30  UN   0.0       0      0  [kworker/3:2]
         9369   9341   2  ffff88021ffb7560  UN   1.3  493404 123184  Xorg
         9665   9664   3  ffff880225b92ab0  UN   0.0   47368    812  udisks-daemon
        10635  10403   3  ffff880222f22c70  UN   0.0   14904    936  mount
      crash> bt ffff880220734d30
      PID: 715    TASK: ffff880220734d30  CPU: 3   COMMAND: "kworker/3:2"
       #0 [ffff8802244c3c20] schedule at ffffffff8144584b
       #1 [ffff8802244c3cc8] __rt_mutex_slowlock at ffffffff814472b3
       #2 [ffff8802244c3d28] rt_mutex_slowlock at ffffffff814473f5
       #3 [ffff8802244c3dc8] reiserfs_write_lock at ffffffffa05f28fd [reiserfs]
       #4 [ffff8802244c3de8] flush_async_commits at ffffffffa05ec91d [reiserfs]
       #5 [ffff8802244c3e08] process_one_work at ffffffff81073726
       #6 [ffff8802244c3e68] worker_thread at ffffffff81073eba
       #7 [ffff8802244c3ec8] kthread at ffffffff810782e0
       #8 [ffff8802244c3f48] kernel_thread_helper at ffffffff81450064
      crash> rd ffff8802244c3cc8 10
      ffff8802244c3cc8:  ffffffff814472b3 ffff880222f23250   .rD.....P2."....
      ffff8802244c3cd8:  0000000000000000 0000000000000286   ................
      ffff8802244c3ce8:  ffff8802244c3d30 ffff880220734d80   0=L$.....Ms ....
      ffff8802244c3cf8:  ffff880222e8f628 0000000000000000   (.."............
      ffff8802244c3d08:  0000000000000000 0000000000000002   ................
      crash> struct rt_mutex ffff880222e8f628
      struct rt_mutex {
        wait_lock = {
          raw_lock = {
            slock = 65537
          }
        },
        wait_list = {
          node_list = {
            next = 0xffff8802244c3d48,
            prev = 0xffff8802244c3d48
          }
        },
        owner = 0xffff880222f22c71,
        save_state = 0
      }
      crash> bt 0xffff880222f22c70
      PID: 10635  TASK: ffff880222f22c70  CPU: 3   COMMAND: "mount"
       #0 [ffff8802216a9868] schedule at ffffffff8144584b
       #1 [ffff8802216a9910] schedule_timeout at ffffffff81446865
       #2 [ffff8802216a99a0] wait_for_common at ffffffff81445f74
       #3 [ffff8802216a9a30] flush_work at ffffffff810712d3
       #4 [ffff8802216a9ab0] schedule_on_each_cpu at ffffffff81074463
       #5 [ffff8802216a9ae0] invalidate_bdev at ffffffff81178aba
       #6 [ffff8802216a9af0] vfs_load_quota_inode at ffffffff811a3632
       #7 [ffff8802216a9b50] dquot_quota_on_mount at ffffffff811a375c
       #8 [ffff8802216a9b80] finish_unfinished at ffffffffa05dd8b0 [reiserfs]
       #9 [ffff8802216a9cc0] reiserfs_fill_super at ffffffffa05de825 [reiserfs]
          RIP: 00007f7b9303997a  RSP: 00007ffff443c7a8  RFLAGS: 00010202
          RAX: 00000000000000a5  RBX: ffffffff8144ef12  RCX: 00007f7b932e9ee0
          RDX: 00007f7b93d9a400  RSI: 00007f7b93d9a3e0  RDI: 00007f7b93d9a3c0
          RBP: 00007f7b93d9a2c0   R8: 00007f7b93d9a550   R9: 0000000000000001
          R10: ffffffffc0ed040e  R11: 0000000000000202  R12: 000000000000040e
          R13: 0000000000000000  R14: 00000000c0ed040e  R15: 00007ffff443ca20
          ORIG_RAX: 00000000000000a5  CS: 0033  SS: 002b
      Signed-off-by: default avatarMike Galbraith <efault@gmx.de>
      Acked-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
      Acked-by: default avatarMike Galbraith <mgalbraith@suse.de>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      675e634a
    • Daeho Jeong's avatar
      ext4: reinforce check of i_dtime when clearing high fields of uid and gid · 8adcceba
      Daeho Jeong authored
      commit 93e3b4e6 upstream.
      
      Now, ext4_do_update_inode() clears high 16-bit fields of uid/gid
      of deleted and evicted inode to fix up interoperability with old
      kernels. However, it checks only i_dtime of an inode to determine
      whether the inode was deleted and evicted, and this is very risky,
      because i_dtime can be used for the pointer maintaining orphan inode
      list, too. We need to further check whether the i_dtime is being
      used for the orphan inode list even if the i_dtime is not NULL.
      
      We found that high 16-bit fields of uid/gid of inode are unintentionally
      and permanently cleared when the inode truncation is just triggered,
      but not finished, and the inode metadata, whose high uid/gid bits are
      cleared, is written on disk, and the sudden power-off follows that
      in order.
      Signed-off-by: default avatarDaeho Jeong <daeho.jeong@samsung.com>
      Signed-off-by: default avatarHobin Woo <hobin.woo@samsung.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8adcceba
    • Mauro Carvalho Chehab's avatar
      cx231xx: fix GPIOs for Pixelview SBTVD hybrid · e5ff0240
      Mauro Carvalho Chehab authored
      commit 24b923f0 upstream.
      
      This device uses GPIOs: 28 to switch between analog and
      digital modes: on digital mode, it should be set to 1.
      
      The code that sets it on analog mode is OK, but it misses
      the logic that sets it on digital mode.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      [bwh: Backported to 3.2: adjust filenames]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e5ff0240
    • Mauro Carvalho Chehab's avatar
      cx231xx: don't return error on success · 6f337c5b
      Mauro Carvalho Chehab authored
      commit 1871d718 upstream.
      
      The cx231xx_set_agc_analog_digital_mux_select() callers
      expect it to return 0 or an error. Returning a positive value
      makes the first attempt to switch between analog/digital to fail.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6f337c5b
    • Mauro Carvalho Chehab's avatar
      mb86a20s: fix the locking logic · 50d3a118
      Mauro Carvalho Chehab authored
      commit dafb65fb upstream.
      
      On this frontend, it takes a while to start output normal
      TS data. That only happens on state S9. On S8, the TS output
      is enabled, but it is not reliable enough.
      
      However, the zigzag loop is too fast to let it sync.
      
      As, on practical tests, the zigzag software loop doesn't
      seem to be helping, but just slowing down the tuning, let's
      switch to hardware algorithm, as the tuners used on such
      devices are capable of work with frequency drifts without
      any help from software.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      50d3a118
    • Larry Finger's avatar
      rtlwifi: Fix missing country code for Great Britain · 48d8ca39
      Larry Finger authored
      commit 0c9d3491 upstream.
      
      Some RTL8821AE devices sold in Great Britain have the country code of
      0x25 encoded in their EEPROM. This value is not tested in the routine
      that establishes the regulatory info for the chip. The fix is to set
      this code to have the same capabilities as the EU countries. In addition,
      the channels allowed for COUNTRY_CODE_ETSI were more properly suited
      for China and Israel, not the EU. This problem has also been fixed.
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      48d8ca39
    • Shao Fu's avatar
      rtlwifi: Update regulatory database · 5222f9d6
      Shao Fu authored
      commit 02b5fffb upstream.
      
      Driver rtlwifi maintains its own regulatory information, The Chrome Autotest
      (https://www.chromium.org/chromium-os/testing/autotest-user-doc)
      showed some errors. This patch adds the necessary information for rtlwifi.
      Signed-off-by: default avatarShao Fu <shaofu@realtek.com>
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5222f9d6
    • Florian Westphal's avatar
      netfilter: restart search if moved to other chain · 801e866d
      Florian Westphal authored
      commit 95a8d19f upstream.
      
      In case nf_conntrack_tuple_taken did not find a conflicting entry
      check that all entries in this hash slot were tested and restart
      in case an entry was moved to another chain.
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Fixes: ea781f19 ("netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu()")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      [bwh: Backported to 3.2:
       - Adjust context
       - Use NF_CT_STAT_INC(), not the _ATOMIC variant, since we disable BHs]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      801e866d
    • Steffen Maier's avatar
      zfcp: trace full payload of all SAN records (req,resp,iels) · 3f168b10
      Steffen Maier authored
      commit aceeffbb upstream.
      
      This was lost with commit 2c55b750
      ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      but is necessary for problem determination, e.g. to see the
      currently active zone set during automatic port scan.
      
      For the large GPN_FT response (4 pages), save space by not dumping
      any empty residual entries.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 2c55b750 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      Reviewed-by: default avatarAlexey Ishchuk <aishchuk@linux.vnet.ibm.com>
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3f168b10
    • Steffen Maier's avatar
      zfcp: fix payload trace length for SAN request&response · 2bc69d38
      Steffen Maier authored
      commit 94db3725 upstream.
      
      commit 2c55b750
      ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      started to add FC_CT_HDR_LEN which made zfcp dump random data
      out of bounds for RSPN GS responses because u.rspn.rsp
      is the largest and last field in the union of struct zfcp_fc_req.
      Other request/response types only happened to stay within bounds
      due to the padding of the union or
      due to the trace capping of u.gspn.rsp to ZFCP_DBF_SAN_MAX_PAYLOAD.
      
      Timestamp      : ...
      Area           : SAN
      Subarea        : 00
      Level          : 1
      Exception      : -
      CPU id         : ..
      Caller         : ...
      Record id      : 2
      Tag            : fsscth2
      Request id     : 0x...
      Destination ID : 0x00fffffc
      Payload short  : 01000000 fc020000 80020000 00000000
                       xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx <===
                       00000000 00000000 00000000 00000000
      Payload length : 32                                  <===
      
      struct zfcp_fc_req {
          [0] struct zfcp_fsf_ct_els ct_els;
         [56] struct scatterlist sg_req;
         [96] struct scatterlist sg_rsp;
              union {
                  struct {req; rsp;} adisc;    SIZE: 28+28=   56
                  struct {req; rsp;} gid_pn;   SIZE: 24+20=   44
                  struct {rspsg; req;} gpn_ft; SIZE: 40*4+20=180
                  struct {req; rsp;} gspn;     SIZE: 20+273= 293
                  struct {req; rsp;} rspn;     SIZE: 277+16= 293
        [136] } u;
      }
      SIZE: 432
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 2c55b750 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      Reviewed-by: default avatarAlexey Ishchuk <aishchuk@linux.vnet.ibm.com>
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2bc69d38
    • Steffen Maier's avatar
      zfcp: fix D_ID field with actual value on tracing SAN responses · b3250429
      Steffen Maier authored
      commit 771bf035 upstream.
      
      With commit 2c55b750
      ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      we lost the N_Port-ID where an ELS response comes from.
      With commit 7c7dc196
      ("[SCSI] zfcp: Simplify handling of ct and els requests")
      we lost the N_Port-ID where a CT response comes from.
      It's especially useful if the request SAN trace record
      with D_ID was already lost due to trace buffer wrap.
      
      GS uses an open WKA port handle and ELS just a D_ID, and
      only for ELS we could get D_ID from QTCB bottom via zfcp_fsf_req.
      To cover both cases, add a new field to zfcp_fsf_ct_els
      and fill it in on request to use in SAN response trace.
      Strictly speaking the D_ID on SAN response is the FC frame's S_ID.
      We don't need a field for the other end which is always us.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: 2c55b750 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.")
      Fixes: 7c7dc196 ("[SCSI] zfcp: Simplify handling of ct and els requests")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b3250429
    • Steffen Maier's avatar
      zfcp: restore tracing of handle for port and LUN with HBA records · 1039ce51
      Steffen Maier authored
      commit 7c964ffe upstream.
      
      This information was lost with
      commit a54ca0f6
      ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
      but is required to debug e.g. invalid handle situations.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: a54ca0f6 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1039ce51
    • Steffen Maier's avatar
      zfcp: trace on request for open and close of WKA port · f45eeb52
      Steffen Maier authored
      commit d27a7cb9 upstream.
      
      Since commit a54ca0f6
      ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
      HBA records no longer contain WWPN, D_ID, or LUN
      to reduce duplicate information which is already in REC records.
      In contrast to "regular" target ports, we don't use recovery to open
      WKA ports such as directory/nameserver, so we don't get REC records.
      Therefore, introduce pseudo REC running records without any
      actual recovery action but including D_ID of WKA port on open/close.
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Fixes: a54ca0f6 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
      Reviewed-by: default avatarBenjamin Block <bblock@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f45eeb52