1. 30 Jul, 2015 40 commits
    • Anton Blanchard's avatar
      powerpc/perf: Fix book3s kernel to userspace backtraces · d820ef12
      Anton Blanchard authored
      commit 72e349f1 upstream.
      
      When we take a PMU exception or a software event we call
      perf_read_regs(). This overloads regs->result with a boolean that
      describes if we should use the sampled instruction address register
      (SIAR) or the regs.
      
      If the exception is in kernel, we start with the kernel regs and
      backtrace through the kernel stack. At this point we switch to the
      userspace regs and backtrace the user stack with perf_callchain_user().
      
      Unfortunately these regs have not got the perf_read_regs() treatment,
      so regs->result could be anything. If it is non zero,
      perf_instruction_pointer() decides to use the SIAR, and we get issues
      like this:
      
      0.11%  qemu-system-ppc  [kernel.kallsyms]        [k] _raw_spin_lock_irqsave
             |
             ---_raw_spin_lock_irqsave
                |
                |--52.35%-- 0
                |          |
                |          |--46.39%-- __hrtimer_start_range_ns
                |          |          kvmppc_run_core
                |          |          kvmppc_vcpu_run_hv
                |          |          kvmppc_vcpu_run
                |          |          kvm_arch_vcpu_ioctl_run
                |          |          kvm_vcpu_ioctl
                |          |          do_vfs_ioctl
                |          |          sys_ioctl
                |          |          system_call
                |          |          |
                |          |          |--67.08%-- _raw_spin_lock_irqsave <--- hi mum
                |          |          |          |
                |          |          |           --100.00%-- 0x7e714
                |          |          |                     0x7e714
      
      Notice the bogus _raw_spin_irqsave when we transition from kernel
      (system_call) to userspace (0x7e714). We inserted what was in the SIAR.
      
      Add a check in regs_use_siar() to check that the regs in question
      are from a PMU exception. With this fix the backtrace makes sense:
      
           0.47%  qemu-system-ppc  [kernel.vmlinux]         [k] _raw_spin_lock_irqsave
                  |
                  ---_raw_spin_lock_irqsave
                     |
                     |--53.83%-- 0
                     |          |
                     |          |--44.73%-- hrtimer_try_to_cancel
                     |          |          kvmppc_start_thread
                     |          |          kvmppc_run_core
                     |          |          kvmppc_vcpu_run_hv
                     |          |          kvmppc_vcpu_run
                     |          |          kvm_arch_vcpu_ioctl_run
                     |          |          kvm_vcpu_ioctl
                     |          |          do_vfs_ioctl
                     |          |          sys_ioctl
                     |          |          system_call
                     |          |          __ioctl
                     |          |          0x7e714
                     |          |          0x7e714
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d820ef12
    • Marc Zyngier's avatar
      arm: KVM: force execution of HCPTR access on VM exit · 91f6ad7d
      Marc Zyngier authored
      commit 85e84ba3 upstream.
      
      On VM entry, we disable access to the VFP registers in order to
      perform a lazy save/restore of these registers.
      
      On VM exit, we restore access, test if we did enable them before,
      and save/restore the guest/host registers if necessary. In this
      sequence, the FPEXC register is always accessed, irrespective
      of the trapping configuration.
      
      If the guest didn't touch the VFP registers, then the HCPTR access
      has now enabled such access, but we're missing a barrier to ensure
      architectural execution of the new HCPTR configuration. If the HCPTR
      access has been delayed/reordered, the subsequent access to FPEXC
      will cause a trap, which we aren't prepared to handle at all.
      
      The same condition exists when trapping to enable VFP for the guest.
      
      The fix is to introduce a barrier after enabling VFP access. In the
      vmexit case, it can be relaxed to only takes place if the guest hasn't
      accessed its view of the VFP registers, making the access to FPEXC safe.
      
      The set_hcptr macro is modified to deal with both vmenter/vmexit and
      vmtrap operations, and now takes an optional label that is branched to
      when the guest hasn't touched the VFP registers.
      Reported-by: default avatarVikram Sethi <vikrams@codeaurora.org>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      91f6ad7d
    • Joerg Roedel's avatar
      iommu/amd: Handle large pages correctly in free_pagetable · 4075da9b
      Joerg Roedel authored
      commit 0b3fff54 upstream.
      
      Make sure that we are skipping over large PTEs while walking
      the page-table tree.
      
      Fixes: 5c34c403 ("iommu/amd: Fix memory leak in free_pagetable")
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4075da9b
    • Horia Geant?'s avatar
      Revert "crypto: talitos - convert to use be16_add_cpu()" · 7f9a9673
      Horia Geant? authored
      commit 69d9cd8c upstream.
      
      This reverts commit 7291a932.
      
      The conversion to be16_add_cpu() is incorrect in case cryptlen is
      negative due to premature (i.e. before addition / subtraction)
      implicit conversion of cryptlen (int -> u16) leading to sign loss.
      
      Cc: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: default avatarHoria Geanta <horia.geanta@freescale.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7f9a9673
    • Horia Geant?'s avatar
      crypto: talitos - avoid memleak in talitos_alg_alloc() · 284d4f3c
      Horia Geant? authored
      commit 5fa7dadc upstream.
      
      Fixes: 1d11911a ("crypto: talitos - fix warning: 'alg' may be used uninitialized in this function")
      Signed-off-by: default avatarHoria Geanta <horia.geanta@freescale.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      284d4f3c
    • Alexander Sverdlin's avatar
      sctp: Fix race between OOTB responce and route removal · a41f0610
      Alexander Sverdlin authored
      [ Upstream commit 29c4afc4 ]
      
      There is NULL pointer dereference possible during statistics update if the route
      used for OOTB responce is removed at unfortunate time. If the route exists when
      we receive OOTB packet and we finally jump into sctp_packet_transmit() to send
      ABORT, but in the meantime route is removed under our feet, we take "no_route"
      path and try to update stats with IP_INC_STATS(sock_net(asoc->base.sk), ...).
      
      But sctp_ootb_pkt_new() used to prepare responce packet doesn't call
      sctp_transport_set_owner() and therefore there is no asoc associated with this
      packet. Probably temporary asoc just for OOTB responces is overkill, so just
      introduce a check like in all other places in sctp_packet_transmit(), where
      "asoc" is dereferenced.
      
      To reproduce this, one needs to
      0. ensure that sctp module is loaded (otherwise ABORT is not generated)
      1. remove default route on the machine
      2. while true; do
           ip route del [interface-specific route]
           ip route add [interface-specific route]
         done
      3. send enough OOTB packets (i.e. HB REQs) from another host to trigger ABORT
         responce
      
      On x86_64 the crash looks like this:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
      IP: [<ffffffffa05ec9ac>] sctp_packet_transmit+0x63c/0x730 [sctp]
      PGD 0
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in: ...
      CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O    4.0.5-1-ARCH #1
      Hardware name: ...
      task: ffffffff818124c0 ti: ffffffff81800000 task.ti: ffffffff81800000
      RIP: 0010:[<ffffffffa05ec9ac>]  [<ffffffffa05ec9ac>] sctp_packet_transmit+0x63c/0x730 [sctp]
      RSP: 0018:ffff880127c037b8  EFLAGS: 00010296
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000015ff66b480
      RDX: 00000015ff66b400 RSI: ffff880127c17200 RDI: ffff880123403700
      RBP: ffff880127c03888 R08: 0000000000017200 R09: ffffffff814625af
      R10: ffffea00047e4680 R11: 00000000ffffff80 R12: ffff8800b0d38a28
      R13: ffff8800b0d38a28 R14: ffff8800b3e88000 R15: ffffffffa05f24e0
      FS:  0000000000000000(0000) GS:ffff880127c00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000020 CR3: 00000000c855b000 CR4: 00000000000007f0
      Stack:
       ffff880127c03910 ffff8800b0d38a28 ffffffff8189d240 ffff88011f91b400
       ffff880127c03828 ffffffffa05c94c5 0000000000000000 ffff8800baa1c520
       0000000000000000 0000000000000001 0000000000000000 0000000000000000
      Call Trace:
       <IRQ>
       [<ffffffffa05c94c5>] ? sctp_sf_tabort_8_4_8.isra.20+0x85/0x140 [sctp]
       [<ffffffffa05d6b42>] ? sctp_transport_put+0x52/0x80 [sctp]
       [<ffffffffa05d0bfc>] sctp_do_sm+0xb8c/0x19a0 [sctp]
       [<ffffffff810b0e00>] ? trigger_load_balance+0x90/0x210
       [<ffffffff810e0329>] ? update_process_times+0x59/0x60
       [<ffffffff812c7a40>] ? timerqueue_add+0x60/0xb0
       [<ffffffff810e0549>] ? enqueue_hrtimer+0x29/0xa0
       [<ffffffff8101f599>] ? read_tsc+0x9/0x10
       [<ffffffff8116d4b5>] ? put_page+0x55/0x60
       [<ffffffff810ee1ad>] ? clockevents_program_event+0x6d/0x100
       [<ffffffff81462b68>] ? skb_free_head+0x58/0x80
       [<ffffffffa029a10b>] ? chksum_update+0x1b/0x27 [crc32c_generic]
       [<ffffffff81283f3e>] ? crypto_shash_update+0xce/0xf0
       [<ffffffffa05d3993>] sctp_endpoint_bh_rcv+0x113/0x280 [sctp]
       [<ffffffffa05dd4e6>] sctp_inq_push+0x46/0x60 [sctp]
       [<ffffffffa05ed7a0>] sctp_rcv+0x880/0x910 [sctp]
       [<ffffffffa05ecb50>] ? sctp_packet_transmit_chunk+0xb0/0xb0 [sctp]
       [<ffffffffa05ecb70>] ? sctp_csum_update+0x20/0x20 [sctp]
       [<ffffffff814b05a5>] ? ip_route_input_noref+0x235/0xd30
       [<ffffffff81051d6b>] ? ack_ioapic_level+0x7b/0x150
       [<ffffffff814b27be>] ip_local_deliver_finish+0xae/0x210
       [<ffffffff814b2e15>] ip_local_deliver+0x35/0x90
       [<ffffffff814b2a15>] ip_rcv_finish+0xf5/0x370
       [<ffffffff814b3128>] ip_rcv+0x2b8/0x3a0
       [<ffffffff81474193>] __netif_receive_skb_core+0x763/0xa50
       [<ffffffff81476c28>] __netif_receive_skb+0x18/0x60
       [<ffffffff81476cb0>] netif_receive_skb_internal+0x40/0xd0
       [<ffffffff814776c8>] napi_gro_receive+0xe8/0x120
       [<ffffffffa03946aa>] rtl8169_poll+0x2da/0x660 [r8169]
       [<ffffffff8147896a>] net_rx_action+0x21a/0x360
       [<ffffffff81078dc1>] __do_softirq+0xe1/0x2d0
       [<ffffffff8107912d>] irq_exit+0xad/0xb0
       [<ffffffff8157d158>] do_IRQ+0x58/0xf0
       [<ffffffff8157b06d>] common_interrupt+0x6d/0x6d
       <EOI>
       [<ffffffff810e1218>] ? hrtimer_start+0x18/0x20
       [<ffffffffa05d65f9>] ? sctp_transport_destroy_rcu+0x29/0x30 [sctp]
       [<ffffffff81020c50>] ? mwait_idle+0x60/0xa0
       [<ffffffff810216ef>] arch_cpu_idle+0xf/0x20
       [<ffffffff810b731c>] cpu_startup_entry+0x3ec/0x480
       [<ffffffff8156b365>] rest_init+0x85/0x90
       [<ffffffff818eb035>] start_kernel+0x48b/0x4ac
       [<ffffffff818ea120>] ? early_idt_handlers+0x120/0x120
       [<ffffffff818ea339>] x86_64_start_reservations+0x2a/0x2c
       [<ffffffff818ea49c>] x86_64_start_kernel+0x161/0x184
      Code: 90 48 8b 80 b8 00 00 00 48 89 85 70 ff ff ff 48 83 bd 70 ff ff ff 00 0f 85 cd fa ff ff 48 89 df 31 db e8 18 63 e7 e0 48 8b 45 80 <48> 8b 40 20 48 8b 40 30 48 8b 80 68 01 00 00 65 48 ff 40 78 e9
      RIP  [<ffffffffa05ec9ac>] sctp_packet_transmit+0x63c/0x730 [sctp]
       RSP <ffff880127c037b8>
      CR2: 0000000000000020
      ---[ end trace 5aec7fd2dc983574 ]---
      Kernel panic - not syncing: Fatal exception in interrupt
      Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
      drm_kms_helper: panic occurred, switching back to text console
      ---[ end Kernel panic - not syncing: Fatal exception in interrupt
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a41f0610
    • Julian Anastasov's avatar
      neigh: do not modify unlinked entries · 5cfc7581
      Julian Anastasov authored
      [ Upstream commit 2c51a97f ]
      
      The lockless lookups can return entry that is unlinked.
      Sometimes they get reference before last neigh_cleanup_and_release,
      sometimes they do not need reference. Later, any
      modification attempts may result in the following problems:
      
      1. entry is not destroyed immediately because neigh_update
      can start the timer for dead entry, eg. on change to NUD_REACHABLE
      state. As result, entry lives for some time but is invisible
      and out of control.
      
      2. __neigh_event_send can run in parallel with neigh_destroy
      while refcnt=0 but if timer is started and expired refcnt can
      reach 0 for second time leading to second neigh_destroy and
      possible crash.
      
      Thanks to Eric Dumazet and Ying Xue for their work and analyze
      on the __neigh_event_send change.
      
      Fixes: 767e97e1 ("neigh: RCU conversion of struct neighbour")
      Fixes: a263b309 ("ipv4: Make neigh lookups directly in output packet path.")
      Fixes: 6fd6ce20 ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      5cfc7581
    • Willem de Bruijn's avatar
      packet: avoid out of bounds read in round robin fanout · 53cd9056
      Willem de Bruijn authored
      [ Upstream commit 468479e6 ]
      
      PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
      f->num_members. It returns the old value unconditionally, but
      f->num_members may have changed since the last store. Ensure
      that the return value is always < num.
      
      When modifying the logic, simplify it further by replacing the loop
      with an unconditional atomic increment.
      
      Fixes: dc99f600 ("packet: Add fanout support.")
      Suggested-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      53cd9056
    • Eric Dumazet's avatar
      packet: read num_members once in packet_rcv_fanout() · d8162e46
      Eric Dumazet authored
      [ Upstream commit f98f4514 ]
      
      We need to tell compiler it must not read f->num_members multiple
      times. Otherwise testing if num is not zero is flaky, and we could
      attempt an invalid divide by 0 in fanout_demux_cpu()
      
      Note bug was present in packet_rcv_fanout_hash() and
      packet_rcv_fanout_lb() but final 3.1 had a simple location
      after commit 95ec3eb4 ("packet: Add 'cpu' fanout policy.")
      
      Fixes: dc99f600 ("packet: Add fanout support.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d8162e46
    • Nikolay Aleksandrov's avatar
      bridge: fix br_stp_set_bridge_priority race conditions · f08abd15
      Nikolay Aleksandrov authored
      [ Upstream commit 2dab80a8 ]
      
      After the ->set() spinlocks were removed br_stp_set_bridge_priority
      was left running without any protection when used via sysfs. It can
      race with port add/del and could result in use-after-free cases and
      corrupted lists. Tested by running port add/del in a loop with stp
      enabled while setting priority in a loop, crashes are easily
      reproducible.
      The spinlocks around sysfs ->set() were removed in commit:
      14f98f25 ("bridge: range check STP parameters")
      There's also a race condition in the netlink priority support that is
      fixed by this change, but it was introduced recently and the fixes tag
      covers it, just in case it's needed the commit is:
      af615762 ("bridge: add ageing_time, stp_state, priority over netlink")
      Signed-off-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Fixes: 14f98f25 ("bridge: range check STP parameters")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f08abd15
    • Marcelo Ricardo Leitner's avatar
      sctp: fix ASCONF list handling · bee9ad8f
      Marcelo Ricardo Leitner authored
      [ Upstream commit 2d45a02d ]
      
      ->auto_asconf_splist is per namespace and mangled by functions like
      sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.
      
      Also, the call to inet_sk_copy_descendant() was backuping
      ->auto_asconf_list through the copy but was not honoring
      ->do_auto_asconf, which could lead to list corruption if it was
      different between both sockets.
      
      This commit thus fixes the list handling by using ->addr_wq_lock
      spinlock to protect the list. A special handling is done upon socket
      creation and destruction for that. Error handlig on sctp_init_sock()
      will never return an error after having initialized asconf, so
      sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
      will be take on sctp_close_sock(), before locking the socket, so we
      don't do it in inverse order compared to sctp_addr_wq_timeout_handler().
      
      Instead of taking the lock on sctp_sock_migrate() for copying and
      restoring the list values, it's preferred to avoid rewritting it by
      implementing sctp_copy_descendant().
      
      Issue was found with a test application that kept flipping sysctl
      default_auto_asconf on and off, but one could trigger it by issuing
      simultaneous setsockopt() calls on multiple sockets or by
      creating/destroying sockets fast enough. This is only triggerable
      locally.
      
      Fixes: 9f7d653b ("sctp: Add Auto-ASCONF support (core).")
      Reported-by: default avatarJi Jianwen <jiji@redhat.com>
      Suggested-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Suggested-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      bee9ad8f
    • Shaohua Li's avatar
      net: don't wait for order-3 page allocation · 11d59bca
      Shaohua Li authored
      [ Upstream commit fb05e7a8 ]
      
      We saw excessive direct memory compaction triggered by skb_page_frag_refill.
      This causes performance issues and add latency. Commit 5640f768
      introduces the order-3 allocation. According to the changelog, the order-3
      allocation isn't a must-have but to improve performance. But direct memory
      compaction has high overhead. The benefit of order-3 allocation can't
      compensate the overhead of direct memory compaction.
      
      This patch makes the order-3 page allocation atomic. If there is no memory
      pressure and memory isn't fragmented, the alloction will still success, so we
      don't sacrifice the order-3 benefit here. If the atomic allocation fails,
      direct memory compaction will not be triggered, skb_page_frag_refill will
      fallback to order-0 immediately, hence the direct memory compaction overhead is
      avoided. In the allocation failure case, kswapd is waken up and doing
      compaction, so chances are allocation could success next time.
      
      alloc_skb_with_frags is the same.
      
      The mellanox driver does similar thing, if this is accepted, we must fix
      the driver too.
      
      V3: fix the same issue in alloc_skb_with_frags as pointed out by Eric
      V2: make the changelog clearer
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Chris Mason <clm@fb.com>
      Cc: Debabrata Banerjee <dbavatar@gmail.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      11d59bca
    • Nikolay Aleksandrov's avatar
      bridge: fix multicast router rlist endless loop · 07cde7c2
      Nikolay Aleksandrov authored
      [ Upstream commit 1a040eac ]
      
      Since the addition of sysfs multicast router support if one set
      multicast_router to "2" more than once, then the port would be added to
      the hlist every time and could end up linking to itself and thus causing an
      endless loop for rlist walkers.
      So to reproduce just do:
      echo 2 > multicast_router; echo 2 > multicast_router;
      in a bridge port and let some igmp traffic flow, for me it hangs up
      in br_multicast_flood().
      Fix this by adding a check in br_multicast_add_router() if the port is
      already linked.
      The reason this didn't happen before the addition of multicast_router
      sysfs entries is because there's a !hlist_unhashed check that prevents
      it.
      Signed-off-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Fixes: 0909e117 ("bridge: Add multicast_router sysfs entries")
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      07cde7c2
    • Sowmini Varadhan's avatar
      sparc: Use GFP_ATOMIC in ldc_alloc_exp_dring() as it can be called in softirq context · 6b4086dc
      Sowmini Varadhan authored
      commit 0edfad59 upstream.
      
      Since it is possible for vnet_event_napi to end up doing
      vnet_control_pkt_engine -> ... -> vnet_send_attr ->
      vnet_port_alloc_tx_ring -> ldc_alloc_exp_dring -> kzalloc()
      (i.e., in softirq context), kzalloc() should be called with
      GFP_ATOMIC from ldc_alloc_exp_dring.
      Signed-off-by: default avatarSowmini Varadhan <sowmini.varadhan@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      6b4086dc
    • Yann Droneaud's avatar
      arm64/mm: Remove hack in mmap randomize layout · bee6cd85
      Yann Droneaud authored
      commit d6c763af upstream.
      
      Since commit 8a0a9bd4 ('random: make get_random_int() more
      random'), get_random_int() returns a random value for each call,
      so comment and hack introduced in mmap_rnd() as part of commit
      1d18c47c ('arm64: MMU fault handling and page table management')
      are incorrects.
      
      Commit 1d18c47c seems to use the same hack introduced by
      commit a5adc91a ('powerpc: Ensure random space between stack
      and mmaps'), latter copied in commit 5a0efea0 ('sparc64: Sharpen
      address space randomization calculations.').
      
      But both architectures were cleaned up as part of commit
      fa8cbaaf ('powerpc+sparc64/mm: Remove hack in mmap randomize
      layout') as hack is no more needed since commit 8a0a9bd4.
      
      So the present patch removes the comment and the hack around
      get_random_int() on AArch64's mmap_rnd().
      
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Anton Blanchard <anton@samba.org>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Acked-by: default avatarDan McGee <dpmcgee@gmail.com>
      Signed-off-by: default avatarYann Droneaud <ydroneaud@opteya.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      bee6cd85
    • Rajat Jain's avatar
      PCI: pciehp: Add hotplug_lock to serialize hotplug events · 79be5a72
      Rajat Jain authored
      commit 50b52fde upstream.
      
      Today it is there is no protection around pciehp_enable_slot() and
      pciehp_disable_slot() to ensure that they complete before another
      hot-plug operation can be done on that particular slot.
      
      This patch introduces the slot->hotplug_lock to ensure that any hotplug
      operations (add / remove) complete before another hotplug event can begin
      processing on that particular slot.
      Signed-off-by: default avatarRajat Jain <rajatxjain@gmail.com>
      Signed-off-by: default avatarRajat Jain <rajatjain@juniper.net>
      Signed-off-by: default avatarGuenter Roeck <groeck@juniper.net>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      [backported for SLE12]
      Signed-off-by: default avatarLuis R. Rodriguez <mcgrof@suse.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      79be5a72
    • Al Viro's avatar
      get rid of s_files and files_lock · 0da9ac29
      Al Viro authored
      commit eee5cc27 upstream.
      
      The only thing we need it for is alt-sysrq-r (emergency remount r/o)
      and these days we can do just as well without going through the
      list of files.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      0da9ac29
    • Al Viro's avatar
      uninline destroy_super(), consolidate alloc_super() · da390b05
      Al Viro authored
      commit 7eb5e882 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      da390b05
    • huaibin Wang's avatar
      xfrm: release dst_orig in case of error in xfrm_lookup() · 423f5859
      huaibin Wang authored
      commit ac37e251 upstream.
      
      dst_orig should be released on error. Function like __xfrm_route_forward()
      expects that behavior.
      Since a recent commit, xfrm_lookup() may also be called by xfrm_lookup_route(),
      which expects the opposite.
      Let's introduce a new flag (XFRM_LOOKUP_KEEP_DST_REF) to tell what should be
      done in case of error.
      
      Fixes: f92ee619("xfrm: Generate blackhole routes only from route lookup functions")
      Signed-off-by: default avatarhuaibin Wang <huaibin.wang@6wind.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      423f5859
    • Bandan Das's avatar
      KVM: nSVM: Check for NRIPS support before updating control field · 90fccfbc
      Bandan Das authored
      commit f104765b upstream.
      
      If hardware doesn't support DecodeAssist - a feature that provides
      more information about the intercept in the VMCB, KVM decodes the
      instruction and then updates the next_rip vmcb control field.
      However, NRIP support itself depends on cpuid Fn8000_000A_EDX[NRIPS].
      Since skip_emulated_instruction() doesn't verify nrip support
      before accepting control.next_rip as valid, avoid writing this
      field if support isn't present.
      Signed-off-by: default avatarBandan Das <bsd@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      90fccfbc
    • Sebastien Szymanski's avatar
      ARM: clk-imx6q: refine sata's parent · 3b4e13eb
      Sebastien Szymanski authored
      commit da946aea upstream.
      
      According to IMX6D/Q RM, table 18-3, sata clock's parent is ahb, not ipg.
      Signed-off-by: default avatarSebastien Szymanski <sebastien.szymanski@armadeus.com>
      Reviewed-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarShawn Guo <shawn.guo@linaro.org>
      [dirk.behme: Adjust moved file]
      Signed-off-by: default avatarDirk Behme <dirk.behme@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      3b4e13eb
    • Filipe Manana's avatar
      Btrfs: make xattr replace operations atomic · a873146c
      Filipe Manana authored
      commit 5f5bc6b1 upstream.
      
      Replacing a xattr consists of doing a lookup for its existing value, delete
      the current value from the respective leaf, release the search path and then
      finally insert the new value. This leaves a time window where readers (getxattr,
      listxattrs) won't see any value for the xattr. Xattrs are used to store ACLs,
      so this has security implications.
      
      This change also fixes 2 other existing issues which were:
      
      *) Deleting the old xattr value without verifying first if the new xattr will
         fit in the existing leaf item (in case multiple xattrs are packed in the
         same item due to name hash collision);
      
      *) Returning -EEXIST when the flag XATTR_CREATE is given and the xattr doesn't
         exist but we have have an existing item that packs muliple xattrs with
         the same name hash as the input xattr. In this case we should return ENOSPC.
      
      A test case for xfstests follows soon.
      
      Thanks to Alexandre Oliva for reporting the non-atomicity of the xattr replace
      implementation.
      Reported-by: default avatarAlexandre Oliva <oliva@gnu.org>
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a873146c
    • Chen Gang's avatar
      netfilter: nfnetlink_cthelper: Remove 'const' and '&' to avoid warnings · 26c68a08
      Chen Gang authored
      commit b18c5d15 upstream.
      
      The related code can be simplified, and also can avoid related warnings
      (with allmodconfig under parisc):
      
          CC [M]  net/netfilter/nfnetlink_cthelper.o
        net/netfilter/nfnetlink_cthelper.c: In function ‘nfnl_cthelper_from_nlattr’:
        net/netfilter/nfnetlink_cthelper.c:97:9: warning: passing argument 1 o ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers]
          memcpy(&help->data, nla_data(attr), help->helper->data_len);
                 ^
        In file included from include/linux/string.h:17:0,
                         from include/uapi/linux/uuid.h:25,
                         from include/linux/uuid.h:23,
                         from include/linux/mod_devicetable.h:12,
                         from ./arch/parisc/include/asm/hardware.h:4,
                         from ./arch/parisc/include/asm/processor.h:15,
                         from ./arch/parisc/include/asm/spinlock.h:6,
                         from ./arch/parisc/include/asm/atomic.h:21,
                         from include/linux/atomic.h:4,
                         from ./arch/parisc/include/asm/bitops.h:12,
                         from include/linux/bitops.h:36,
                         from include/linux/kernel.h:10,
                         from include/linux/list.h:8,
                         from include/linux/module.h:9,
                         from net/netfilter/nfnetlink_cthelper.c:11:
        ./arch/parisc/include/asm/string.h:8:8: note: expected ‘void *’ but argument is of type ‘const char (*)[]’
         void * memcpy(void * dest,const void *src,size_t count);
                ^
      Signed-off-by: default avatarChen Gang <gang.chen.5i5j@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@soleta.eu>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      26c68a08
    • Eugene Shatokhin's avatar
      kprobes/x86: Return correct length in __copy_instruction() · b7889b59
      Eugene Shatokhin authored
      commit c80e5c0c upstream.
      
      On x86-64, __copy_instruction() always returns 0 (error) if the
      instruction uses %rip-relative addressing. This is because
      kernel_insn_init() is called the second time for 'insn' instance
      in such cases and sets all its fields to 0.
      
      Because of this, trying to place a kprobe on such instruction
      will fail, register_kprobe() will return -EINVAL.
      
      This patch fixes the problem.
      Signed-off-by: default avatarEugene Shatokhin <eugene.shatokhin@rosalab.ru>
      Signed-off-by: default avatarMasami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Link: http://lkml.kernel.org/r/20150317100918.28349.94654.stgit@localhost.localdomainSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b7889b59
    • Wen-chien Jesse Sung's avatar
      Bluetooth: ath3k: Add a new ID 0cf3:e006 to ath3k list · 9a8c56f0
      Wen-chien Jesse Sung authored
      commit ca79f232 upstream.
      
      Device info in /sys/kernel/debug/usb/devices:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=05 Cnt=02 Dev#=  3 Spd=12   MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0cf3 ProdID=e006 Rev= 0.01
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: default avatarWen-chien Jesse Sung <jesse.sung@canonical.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      9a8c56f0
    • Dmitry Tunin's avatar
      Bluetooth: ath3k: add support of 04ca:300f AR3012 device · c1290f1f
      Dmitry Tunin authored
      commit ec0810d2 upstream.
      
      BugLink: https://bugs.launchpad.net/bugs/1449730
      
      T:  Bus=01 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#=  3 Spd=12  MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=04ca ProdID=300f Rev=00.01
      C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      Signed-off-by: default avatarDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      c1290f1f
    • Ben Hutchings's avatar
      pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic · e3d4ed26
      Ben Hutchings authored
      pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
      the first time atomically and the second time not.  The second attempt
      needs to continue from the iovec position, pipe buffer offset and
      remaining length where the first attempt failed, but currently the
      pipe buffer offset and remaining length are reset.  This will corrupt
      the piped data (possibly also leading to an information leak between
      processes) and may also corrupt kernel memory.
      
      This was fixed upstream by commits f0d1bec9 ("new helper:
      copy_page_from_iter()") and 637b58c2 ("switch pipe_read() to
      copy_page_to_iter()"), but those aren't suitable for stable.  This fix
      for older kernel versions was made by Seth Jennings for RHEL and I
      have extracted it from their update.
      
      CVE-2015-1805
      
      References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e3d4ed26
    • Dmitry Tunin's avatar
      ath3k: add support of 13d3:3474 AR3012 device · 7ae9f79d
      Dmitry Tunin authored
      commit 0d0cef61 upstream.
      
      BugLink: https://bugs.launchpad.net/bugs/1427680
      
      This device requires new firmware files
       AthrBT_0x11020100.dfu and ramps_0x11020100_40.dfu added to
      /lib/firmware/ar3k/ that are not included in linux-firmware yet.
      
      T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
      D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=13d3 ProdID=3474 Rev=00.01
      C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      Signed-off-by: default avatarDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7ae9f79d
    • Dmitry Tunin's avatar
      ath3k: Add support of 0489:e076 AR3012 device · 8562990b
      Dmitry Tunin authored
      commit 692c062e upstream.
      
      BugLink: https://bugs.launchpad.net/bugs/1462614
      
      This device requires new firmware files
       AthrBT_0x11020100.dfu and ramps_0x11020100_40.dfu added to
      /lib/firmware/ar3k/ that are not included in linux-firmware yet.
      
      T: Bus=03 Lev=01 Prnt=01 Port=09 Cnt=06 Dev#= 7 Spd=12 MxCh= 0
      D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
      P: Vendor=0489 ProdID=e076 Rev= 0.01
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
      E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
      E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
      E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
      E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
      I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
      E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
      I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
      E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
      I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
      E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
      I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
      E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
      I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
      E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
      E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
      Signed-off-by: default avatarDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8562990b
    • James Smart's avatar
      lpfc: Add iotag memory barrier · d8c6ea5b
      James Smart authored
      commit 27f344eb upstream.
      
      Add a memory barrier to ensure the valid bit is read before
      any of the cqe payload is read. This fixes an issue seen
      on Power where the cqe payload was getting loaded before
      the valid bit. When this occurred, we saw an iotag out of
      range error when a command completed, but since the iotag
      looked invalid the command didn't get completed to scsi core.
      Later we hit the command timeout, attempted to abort the command,
      then waited for the aborted command to get returned. Since the
      adapter already returned the command, we timeout waiting,
      and end up escalating EEH all the way to host reset. This
      patch fixes this issue.
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Signed-off-by: default avatarJames Smart <james.smart@emulex.com>
      
       ---
      
       lpfc_sli.c |   21 +++++++++++++++++++++
       1 file changed, 21 insertions(+)
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.com>
      d8c6ea5b
    • Chris Wilson's avatar
      drm/i915: Evict CS TLBs between batches · a840d9e6
      Chris Wilson authored
      commit c4d69da1 upstream.
      
      Running igt, I was encountering the invalid TLB bug on my 845g, despite
      that it was using the CS workaround. Examining the w/a buffer in the
      error state, showed that the copy from the user batch into the
      workaround itself was suffering from the invalid TLB bug (the first
      cacheline was broken with the first two words reversed). Time to try a
      fresh approach. This extends the workaround to write into each page of
      our scratch buffer in order to overflow the TLB and evict the invalid
      entries. This could be refined to only do so after we update the GTT,
      but for simplicity, we do it before each batch.
      
      I suspect this supersedes our current workaround, but for safety keep
      doing both.
      
      V2: The magic number shall be 2.
      
      This doesn't conclusively prove that it is the mythical TLB bug we've
      been trying to workaround for so long, that it requires touching a number
      of pages to prevent the corruption indicates to me that it is TLB
      related, but the corruption (the reversed cacheline) is more subtle than
      a TLB bug, where we would expect it to read the wrong page entirely.
      
      Oh well, it prevents a reliable hang for me and so probably for others
      as well.
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a840d9e6
    • Jesse Barnes's avatar
      drm/i915: save/restore GMBUS freq across suspend/resume on gen4 · 0bf81403
      Jesse Barnes authored
      commit 9f49c376 upstream.
      
      Should probably just init this in the GMbus code all the time, based on
      the cdclk and HPLL like we do on newer platforms.  Ville has code for
      that in a rework branch, but until then we can fix this bug fairly
      easily.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=76301Signed-off-by: default avatarJesse Barnes <jbarnes@virtuousgeek.org>
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Tested-by: default avatarNikolay <mar.kolya@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0bf81403
    • Chris Wilson's avatar
      2e9817d5
    • Daniel Vetter's avatar
      drm/i915: drop WaSetupGtModeTdRowDispatch:snb · b53e4fee
      Daniel Vetter authored
      commit 2208d655 upstream.
      
      This reverts the regressing
      
      commit 6547fbdb
      Author: Daniel Vetter <daniel.vetter@ffwll.ch>
      Date:   Fri Dec 14 23:38:29 2012 +0100
      
          drm/i915: Implement WaSetupGtModeTdRowDispatch
      
      that causes GPU hangs immediately on boot.
      Reported-by: default avatarLeo Wolf <jclw@ymail.com>
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=79996
      Cc: stable@vger.kernel.org (v3.8+)
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      [Jani: amended the commit message slightly.]
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b53e4fee
    • Christian Vogel's avatar
      usbhid/quirks: Ignore Riso Kagaku Webmail Notifier · acb700bc
      Christian Vogel authored
      commit 759db9ea upstream.
      
      The "Webmail Notifier" is a USB controlled LED that appears as a HID
      device. When trying to change the LED via hidraw it returns malformed
      reports. As "usbled" supports it, we blacklist it in usbhid.
      Signed-off-by: default avatarChristian Vogel <vogelchr@vogel.cx>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      acb700bc
    • Christian Vogel's avatar
      usb/misc/usbled: Add Riso Kagaku Webmail Notifier · a3b83ace
      Christian Vogel authored
      commit e8fcbb61 upstream.
      
      Add support for the "Webmail Notifier" (USB powered LED for signaling
      new emails) made by Riso Kagaku Corp. which displays 7 distinct colors.
      
      USB Protocol initially reverse engineered by
      	https://code.google.com/p/usbmailnotifier/.
      Signed-off-by: default avatarChristian Vogel <vogelchr@vogel.cx>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a3b83ace
    • Kristian Evensen's avatar
      HID: do not bind to Microchip Pick16F1454 · dff1902e
      Kristian Evensen authored
      commit a8c8316b upstream.
      
      The Microchip Pick16F1454 is exported as a HID device and is used by for
      example the Yepkit YKUSH three-port switchable USB hub. However, it is not an
      actual HID-device. On the Yepkit, it is used to power up/down the ports on the
      hub. The HID driver should ignore this device.
      Signed-off-by: default avatarKristian Evensen <kristian.evensen@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      dff1902e
    • Patrick Plattes's avatar
      HID: ignore jabra gn9350e · e9a8e432
      Patrick Plattes authored
      commit 43c1a0a9 upstream.
      
      Ignore Jabra GN9350E HID interface. USB audio is working nicely, but
      registering as HID blocks USB mouse buttons. Since special userspace programs
      are needed we will avoid attaching usbhid drivers in general.
      Signed-off-by: default avatarPatrick Plattes <patrick@erdbeere.net>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      e9a8e432
    • Dinesh Ram's avatar
      [media] si4713: HID blacklist Si4713 USB development board · b828f594
      Dinesh Ram authored
      commit adc23259 upstream.
      
      The Si4713 development board contains a Si4713 FM transmitter chip
      and is handled by the radio-usb-si4713 driver.
      The board reports itself as (10c4:8244) Cygnal Integrated Products, Inc.
      and misidentifies itself as a HID device in its USB interface descriptor.
      This patch ignores this device as an HID device and hence loads the custom driver.
      Signed-off-by: default avatarDinesh Ram <dinesh.ram@cern.ch>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Acked-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Tested-by: default avatarEduardo Valentin <edubezval@gmail.com>
      Acked-by: default avatarEduardo Valentin <edubezval@gmail.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b828f594
    • Forest Wilkinson's avatar
      HID: tivo: enable all buttons on the TiVo Slide Pro remote · 57c3542b
      Forest Wilkinson authored
      commit 9b028649 upstream.
      
      The linux kernel has supported the TiVo Slide remote control for some time, but
      does not recognize the USB ID of the newer Slide Pro. This patch adds the
      missing data structures so the newer remote will be recognized by the driver,
      thereby allowing the TiVo, LiveTV, and Thumbs Up/Down buttons to be
      mapped with a hwdb file.
      Signed-off-by: default avatarForest Wilkinson <web11.forest@tibit.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      57c3542b