1. 26 Apr, 2016 40 commits
    • cpaul@redhat.com's avatar
      drm/dp/mst: Validate port in drm_dp_payload_send_msg() · e37b6940
      cpaul@redhat.com authored
      commit deba0a2a upstream.
      
      With the joys of things running concurrently, there's always a chance
      that the port we get passed in drm_dp_payload_send_msg() isn't actually
      valid anymore. Because of this, we need to make sure we validate the
      reference to the port before we use it otherwise we risk running into
      various race conditions. For instance, on the Dell MST monitor I have
      here for testing, hotplugging it enough times causes us to kernel panic:
      
      [drm:intel_mst_enable_dp] 1
      [drm:drm_dp_update_payload_part2] payload 0 1
      [drm:intel_get_hpd_pins] hotplug event received, stat 0x00200000, dig 0x10101011, pins 0x00000020
      [drm:intel_hpd_irq_handler] digital hpd port B - short
      [drm:intel_dp_hpd_pulse] got hpd irq on port B - short
      [drm:intel_dp_check_mst_status] got esi 00 10 00
      [drm:drm_dp_update_payload_part2] payload 1 1
      general protection fault: 0000 [#1] SMP
      …
      Call Trace:
       [<ffffffffa012b632>] drm_dp_update_payload_part2+0xc2/0x130 [drm_kms_helper]
       [<ffffffffa032ef08>] intel_mst_enable_dp+0xf8/0x180 [i915]
       [<ffffffffa0310dbd>] haswell_crtc_enable+0x3ed/0x8c0 [i915]
       [<ffffffffa030c84d>] intel_atomic_commit+0x5ad/0x1590 [i915]
       [<ffffffffa01db877>] ? drm_atomic_set_crtc_for_connector+0x57/0xe0 [drm]
       [<ffffffffa01dc4e7>] drm_atomic_commit+0x37/0x60 [drm]
       [<ffffffffa0130a3a>] drm_atomic_helper_set_config+0x7a/0xb0 [drm_kms_helper]
       [<ffffffffa01cc482>] drm_mode_set_config_internal+0x62/0x100 [drm]
       [<ffffffffa01d02ad>] drm_mode_setcrtc+0x3cd/0x4e0 [drm]
       [<ffffffffa01c18e3>] drm_ioctl+0x143/0x510 [drm]
       [<ffffffffa01cfee0>] ? drm_mode_setplane+0x1b0/0x1b0 [drm]
       [<ffffffff810f79a7>] ? hrtimer_start_range_ns+0x1b7/0x3a0
       [<ffffffff81212962>] do_vfs_ioctl+0x92/0x570
       [<ffffffff81590852>] ? __sys_recvmsg+0x42/0x80
       [<ffffffff81212eb9>] SyS_ioctl+0x79/0x90
       [<ffffffff816b4e32>] entry_SYSCALL_64_fastpath+0x1a/0xa4
      RIP  [<ffffffffa012b026>] drm_dp_payload_send_msg+0x146/0x1f0 [drm_kms_helper]
      
      Which occurs because of the hotplug event shown in the log, which ends
      up causing DRM's dp helpers to drop the port we're updating the payload
      on and panic.
      Signed-off-by: default avatarLyude <cpaul@redhat.com>
      Reviewed-by: default avatarDavid Airlie <airlied@linux.ie>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      e37b6940
    • Takashi Iwai's avatar
      ALSA: pcxhr: Fix missing mutex unlock · 6a885f1c
      Takashi Iwai authored
      commit 67f3754b upstream.
      
      The commit [9bef72bd: ALSA: pcxhr: Use nonatomic PCM ops]
      converted to non-atomic PCM ops, but shamelessly with an unbalanced
      mutex locking, which leads to the hangup easily.  Fix it.
      
      Fixes: 9bef72bd ('ALSA: pcxhr: Use nonatomic PCM ops')
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116441Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      6a885f1c
    • Davidlohr Bueso's avatar
      futex: Acknowledge a new waiter in counter before plist · b5f47039
      Davidlohr Bueso authored
      commit fe1bce9e upstream.
      
      Otherwise an incoming waker on the dest hash bucket can miss
      the waiter adding itself to the plist during the lockless
      check optimization (small window but still the correct way
      of doing this); similarly to the decrement counterpart.
      Suggested-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: bigeasy@linutronix.de
      Cc: dvhart@infradead.org
      Link: http://lkml.kernel.org/r/1461208164-29150-1-git-send-email-dave@stgolabs.netSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      b5f47039
    • Sebastian Andrzej Siewior's avatar
      futex: Handle unlock_pi race gracefully · 9de2b226
      Sebastian Andrzej Siewior authored
      commit 89e9e66b upstream.
      
      If userspace calls UNLOCK_PI unconditionally without trying the TID -> 0
      transition in user space first then the user space value might not have the
      waiters bit set. This opens the following race:
      
      CPU0	    	      	    CPU1
      uval = get_user(futex)
      			    lock(hb)
      lock(hb)
      			    futex |= FUTEX_WAITERS
      			    ....
      			    unlock(hb)
      
      cmpxchg(futex, uval, newval)
      
      So the cmpxchg fails and returns -EINVAL to user space, which is wrong because
      the futex value is valid.
      
      To handle this (yes, yet another) corner case gracefully, check for a flag
      change and retry.
      
      [ tglx: Massaged changelog and slightly reworked implementation ]
      
      Fixes: ccf9e6a8 ("futex: Make unlock_pi more robust")
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Darren Hart <dvhart@linux.intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lkml.kernel.org/r/1460723739-5195-1-git-send-email-bigeasy@linutronix.deSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [ kamal: backport to 3.19-stable: context ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      9de2b226
    • Alex Deucher's avatar
    • Anton Blanchard's avatar
      powerpc: Update TM user feature bits in scan_features() · cde5ccf8
      Anton Blanchard authored
      commit 4705e024 upstream.
      
      We need to update the user TM feature bits (PPC_FEATURE2_HTM and
      PPC_FEATURE2_HTM) to mirror what we do with the kernel TM feature
      bit.
      
      At the moment, if firmware reports TM is not available we turn off
      the kernel TM feature bit but leave the userspace ones on. Userspace
      thinks it can execute TM instructions and it dies trying.
      
      This (together with a QEMU patch) fixes PR KVM, which doesn't currently
      support TM.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      cde5ccf8
    • Anton Blanchard's avatar
      powerpc: Update cpu_user_features2 in scan_features() · 91a3d3d6
      Anton Blanchard authored
      commit beff8237 upstream.
      
      scan_features() updates cpu_user_features but not cpu_user_features2.
      
      Amongst other things, cpu_user_features2 contains the user TM feature
      bits which we must keep in sync with the kernel TM feature bit.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      91a3d3d6
    • Anton Blanchard's avatar
      powerpc: scan_features() updates incorrect bits for REAL_LE · 9f303958
      Anton Blanchard authored
      commit 6997e57d upstream.
      
      The REAL_LE feature entry in the ibm_pa_feature struct is missing an MMU
      feature value, meaning all the remaining elements initialise the wrong
      values.
      
      This means instead of checking for byte 5, bit 0, we check for byte 0,
      bit 0, and then we incorrectly set the CPU feature bit as well as MMU
      feature bit 1 and CPU user feature bits 0 and 2 (5).
      
      Checking byte 0 bit 0 (IBM numbering), means we're looking at the
      "Memory Management Unit (MMU)" feature - ie. does the CPU have an MMU.
      In practice that bit is set on all platforms which have the property.
      
      This means we set CPU_FTR_REAL_LE always. In practice that seems not to
      matter because all the modern cpus which have this property also
      implement REAL_LE, and we've never needed to disable it.
      
      We're also incorrectly setting MMU feature bit 1, which is:
      
        #define MMU_FTR_TYPE_8xx		0x00000002
      
      Luckily the only place that looks for MMU_FTR_TYPE_8xx is in Book3E
      code, which can't run on the same cpus as scan_features(). So this also
      doesn't matter in practice.
      
      Finally in the CPU user feature mask, we're setting bits 0 and 2. Bit 2
      is not currently used, and bit 0 is:
      
        #define PPC_FEATURE_PPC_LE		0x00000001
      
      Which says the CPU supports the old style "PPC Little Endian" mode.
      Again this should be harmless in practice as no 64-bit CPUs implement
      that mode.
      
      Fix the code by adding the missing initialisation of the MMU feature.
      
      Also add a comment marking CPU user feature bit 2 (0x4) as reserved. It
      would be unsafe to start using it as old kernels incorrectly set it.
      
      Fixes: 44ae3ab3 ("powerpc: Free up some CPU feature bits by moving out MMU-related features")
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      [mpe: Flesh out changelog, add comment reserving 0x4]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      9f303958
    • Bastien Nocera's avatar
      ALSA: hda/realtek - Add ALC3234 headset mode for Optiplex 9020m · 3e8fffaa
      Bastien Nocera authored
      commit afecb146 upstream.
      
      The Optiplex 9020m with Haswell-DT processor needs a quirk for the
      headset jack at the front of the machine to be able to use microphones.
      
      A quirk for this model was originally added in 31278997, but c77900e6
      removed it in favour of a more generic version.
      
      Unfortunately, pin configurations can changed based on firmware/BIOS
      versions, and the generic version doesn't have any effect on newer
      versions of the machine/firmware anymore.
      
      With help from David Henningsson <diwic@ubuntu.com>
      Signed-off-by: default avatarBastien Nocera <hadess@hadess.net>
      Tested-by: default avatarBastien Nocera <hadess@hadess.net>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      3e8fffaa
    • Linus Walleij's avatar
      video: ARM CLCD: runtime check for Versatile · 86cd51bc
      Linus Walleij authored
      commit f36fdacc upstream.
      
      The current compile-time check for inversed IENB/CNTL does not
      work in multiplatform boots: as soon as versatile is included
      in the build, the IENB/CNTL is switched and breaks graphics.
      Convert this to a runtime switch.
      
      Cc: Rob Herring <robh@kernel.org>
      Cc: Russell King <linux@arm.linux.org.uk>
      Fixes: a29da136 ("ARM: versatile: convert to multi-platform")
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      86cd51bc
    • Tom Lendacky's avatar
      crypto: ccp - Prevent information leakage on export · a43a2805
      Tom Lendacky authored
      commit f709b45e upstream.
      
      Prevent information from leaking to userspace by doing a memset to 0 of
      the export state structure before setting the structure values and copying
      it. This prevents un-initialized padding areas from being copied into the
      export area.
      Reported-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      a43a2805
    • Xiaodong Liu's avatar
      crypto: sha1-mb - use corrcet pointer while completing jobs · c1d50460
      Xiaodong Liu authored
      commit 0851561d upstream.
      
      In sha_complete_job, incorrect mcryptd_hash_request_ctx pointer is used
      when check and complete other jobs. If the memory of first completed req
      is freed, while still completing other jobs in the func, kernel will
      crash since NULL pointer is assigned to RIP.
      Signed-off-by: default avatarXiaodong Liu <xiaodong.liu@intel.com>
      Acked-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      c1d50460
    • Robert Dobrowolski's avatar
      usb: hcd: out of bounds access in for_each_companion · 33e8a001
      Robert Dobrowolski authored
      commit e86103a7 upstream.
      
      On BXT platform Host Controller and Device Controller figure as
      same PCI device but with different device function. HCD should
      not pass data to Device Controller but only to Host Controllers.
      Checking if companion device is Host Controller, otherwise skip.
      Signed-off-by: default avatarRobert Dobrowolski <robert.dobrowolski@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      33e8a001
    • Hans de Goede's avatar
      USB: uas: Add a new NO_REPORT_LUNS quirk · f15eb915
      Hans de Goede authored
      commit 13630746 upstream.
      
      Add a new NO_REPORT_LUNS quirk and set it for Seagate drives with
      an usb-id of: 0bc2:331a, as these will fail to respond to a
      REPORT_LUNS command.
      Reported-and-tested-by: default avatarDavid Webb <djw@noc.ac.uk>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      f15eb915
    • Mathias Nyman's avatar
      xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers · fda0aab1
      Mathias Nyman authored
      commit 98d74f9c upstream.
      
      PCI hotpluggable xhci controllers such as some Alpine Ridge solutions will
      remove the xhci controller from the PCI bus when the last USB device is
      disconnected.
      
      Add a flag to indicate that the host is being removed to avoid queueing
      configure_endpoint commands for the dropped endpoints.
      For PCI hotplugged controllers this will prevent 5 second command timeouts
      For static xhci controllers the configure_endpoint command is not needed
      in the removal case as everything will be returned, freed, and the
      controller is reset.
      
      For now the flag is only set for PCI connected host controllers.
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      fda0aab1
    • Roger Quadros's avatar
      usb: xhci: fix xhci locking up during hcd remove · dfc09d7f
      Roger Quadros authored
      commit ad6b1d91 upstream.
      
      The problem seems to be that if a new device is detected
      while we have already removed the shared HCD, then many of the
      xhci operations (e.g.  xhci_alloc_dev(), xhci_setup_device())
      hang as command never completes.
      
      I don't think XHCI can operate without the shared HCD as we've
      already called xhci_halt() in xhci_only_stop_hcd() when shared HCD
      goes away. We need to prevent new commands from being queued
      not only when HCD is dying but also when HCD is halted.
      
      The following lockup was detected while testing the otg state
      machine.
      
      [  178.199951] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller
      [  178.205799] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 1
      [  178.214458] xhci-hcd xhci-hcd.0.auto: hcc params 0x0220f04c hci version 0x100 quirks 0x00010010
      [  178.223619] xhci-hcd xhci-hcd.0.auto: irq 400, io mem 0x48890000
      [  178.230677] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
      [  178.237796] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
      [  178.245358] usb usb1: Product: xHCI Host Controller
      [  178.250483] usb usb1: Manufacturer: Linux 4.0.0-rc1-00024-g6111320 xhci-hcd
      [  178.257783] usb usb1: SerialNumber: xhci-hcd.0.auto
      [  178.267014] hub 1-0:1.0: USB hub found
      [  178.272108] hub 1-0:1.0: 1 port detected
      [  178.278371] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller
      [  178.284171] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 2
      [  178.294038] usb usb2: New USB device found, idVendor=1d6b, idProduct=0003
      [  178.301183] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
      [  178.308776] usb usb2: Product: xHCI Host Controller
      [  178.313902] usb usb2: Manufacturer: Linux 4.0.0-rc1-00024-g6111320 xhci-hcd
      [  178.321222] usb usb2: SerialNumber: xhci-hcd.0.auto
      [  178.329061] hub 2-0:1.0: USB hub found
      [  178.333126] hub 2-0:1.0: 1 port detected
      [  178.567585] dwc3 48890000.usb: usb_otg_start_host 0
      [  178.572707] xhci-hcd xhci-hcd.0.auto: remove, state 4
      [  178.578064] usb usb2: USB disconnect, device number 1
      [  178.586565] xhci-hcd xhci-hcd.0.auto: USB bus 2 deregistered
      [  178.592585] xhci-hcd xhci-hcd.0.auto: remove, state 1
      [  178.597924] usb usb1: USB disconnect, device number 1
      [  178.603248] usb 1-1: new high-speed USB device number 2 using xhci-hcd
      [  190.597337] INFO: task kworker/u4:0:6 blocked for more than 10 seconds.
      [  190.604273]       Not tainted 4.0.0-rc1-00024-g6111320 #1058
      [  190.610228] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [  190.618443] kworker/u4:0    D c05c0ac0     0     6      2 0x00000000
      [  190.625120] Workqueue: usb_otg usb_otg_work
      [  190.629533] [<c05c0ac0>] (__schedule) from [<c05c10ac>] (schedule+0x34/0x98)
      [  190.636915] [<c05c10ac>] (schedule) from [<c05c1318>] (schedule_preempt_disabled+0xc/0x10)
      [  190.645591] [<c05c1318>] (schedule_preempt_disabled) from [<c05c23d0>] (mutex_lock_nested+0x1ac/0x3fc)
      [  190.655353] [<c05c23d0>] (mutex_lock_nested) from [<c046cf8c>] (usb_disconnect+0x3c/0x208)
      [  190.664043] [<c046cf8c>] (usb_disconnect) from [<c0470cf0>] (_usb_remove_hcd+0x98/0x1d8)
      [  190.672535] [<c0470cf0>] (_usb_remove_hcd) from [<c0485da8>] (usb_otg_start_host+0x50/0xf4)
      [  190.681299] [<c0485da8>] (usb_otg_start_host) from [<c04849a4>] (otg_set_protocol+0x5c/0xd0)
      [  190.690153] [<c04849a4>] (otg_set_protocol) from [<c0484b88>] (otg_set_state+0x170/0xbfc)
      [  190.698735] [<c0484b88>] (otg_set_state) from [<c0485740>] (otg_statemachine+0x12c/0x470)
      [  190.707326] [<c0485740>] (otg_statemachine) from [<c0053c84>] (process_one_work+0x1b4/0x4a0)
      [  190.716162] [<c0053c84>] (process_one_work) from [<c00540f8>] (worker_thread+0x154/0x44c)
      [  190.724742] [<c00540f8>] (worker_thread) from [<c0058f88>] (kthread+0xd4/0xf0)
      [  190.732328] [<c0058f88>] (kthread) from [<c000e810>] (ret_from_fork+0x14/0x24)
      [  190.739898] 5 locks held by kworker/u4:0/6:
      [  190.744274]  #0:  ("%s""usb_otg"){.+.+.+}, at: [<c0053bf4>] process_one_work+0x124/0x4a0
      [  190.752799]  #1:  ((&otgd->work)){+.+.+.}, at: [<c0053bf4>] process_one_work+0x124/0x4a0
      [  190.761326]  #2:  (&otgd->fsm.lock){+.+.+.}, at: [<c048562c>] otg_statemachine+0x18/0x470
      [  190.769934]  #3:  (usb_bus_list_lock){+.+.+.}, at: [<c0470ce8>] _usb_remove_hcd+0x90/0x1d8
      [  190.778635]  #4:  (&dev->mutex){......}, at: [<c046cf8c>] usb_disconnect+0x3c/0x208
      [  190.786700] INFO: task kworker/1:0:14 blocked for more than 10 seconds.
      [  190.793633]       Not tainted 4.0.0-rc1-00024-g6111320 #1058
      [  190.799567] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      [  190.807783] kworker/1:0     D c05c0ac0     0    14      2 0x00000000
      [  190.814457] Workqueue: usb_hub_wq hub_event
      [  190.818866] [<c05c0ac0>] (__schedule) from [<c05c10ac>] (schedule+0x34/0x98)
      [  190.826252] [<c05c10ac>] (schedule) from [<c05c4e40>] (schedule_timeout+0x13c/0x1ec)
      [  190.834377] [<c05c4e40>] (schedule_timeout) from [<c05c19f0>] (wait_for_common+0xbc/0x150)
      [  190.843062] [<c05c19f0>] (wait_for_common) from [<bf068a3c>] (xhci_setup_device+0x164/0x5cc [xhci_hcd])
      [  190.852986] [<bf068a3c>] (xhci_setup_device [xhci_hcd]) from [<c046b7f4>] (hub_port_init+0x3f4/0xb10)
      [  190.862667] [<c046b7f4>] (hub_port_init) from [<c046eb64>] (hub_event+0x704/0x1018)
      [  190.870704] [<c046eb64>] (hub_event) from [<c0053c84>] (process_one_work+0x1b4/0x4a0)
      [  190.878919] [<c0053c84>] (process_one_work) from [<c00540f8>] (worker_thread+0x154/0x44c)
      [  190.887503] [<c00540f8>] (worker_thread) from [<c0058f88>] (kthread+0xd4/0xf0)
      [  190.895076] [<c0058f88>] (kthread) from [<c000e810>] (ret_from_fork+0x14/0x24)
      [  190.902650] 5 locks held by kworker/1:0/14:
      [  190.907023]  #0:  ("usb_hub_wq"){.+.+.+}, at: [<c0053bf4>] process_one_work+0x124/0x4a0
      [  190.915454]  #1:  ((&hub->events)){+.+.+.}, at: [<c0053bf4>] process_one_work+0x124/0x4a0
      [  190.924070]  #2:  (&dev->mutex){......}, at: [<c046e490>] hub_event+0x30/0x1018
      [  190.931768]  #3:  (&port_dev->status_lock){+.+.+.}, at: [<c046eb50>] hub_event+0x6f0/0x1018
      [  190.940558]  #4:  (&bus->usb_address0_mutex){+.+.+.}, at: [<c046b458>] hub_port_init+0x58/0xb10
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      dfc09d7f
    • Lu Baolu's avatar
      usb: xhci: fix wild pointers in xhci_mem_cleanup · 5b7d397c
      Lu Baolu authored
      commit 71504062 upstream.
      
      This patch fixes some wild pointers produced by xhci_mem_cleanup.
      These wild pointers will cause system crash if xhci_mem_cleanup()
      is called twice.
      Reported-and-tested-by: default avatarPengcheng Li <lpc.li@hisilicon.com>
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      5b7d397c
    • Yoshihiro Shimoda's avatar
      usb: host: xhci: add a new quirk XHCI_NO_64BIT_SUPPORT · 44459d08
      Yoshihiro Shimoda authored
      commit 0a380be8 upstream.
      
      On some xHCI controllers (e.g. R-Car SoCs), the AC64 bit (bit 0) of
      HCCPARAMS1 is set to 1. However, the xHCs don't support 64-bit
      address memory pointers actually. So, in this case, this driver should
      call dma_set_coherent_mask(dev, DMA_BIT_MASK(32)) in xhci_gen_setup().
      Otherwise, the xHCI controller will be died after a usb device is
      connected if it runs on above 4GB physical memory environment.
      
      So, this patch adds a new quirk XHCI_NO_64BIT_SUPPORT to resolve
      such an issue.
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Reviewed-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      44459d08
    • Mathias Nyman's avatar
      xhci: resume USB 3 roothub first · 80f1d0ee
      Mathias Nyman authored
      commit 671ffdff upstream.
      
      Give USB3 devices a better chance to enumerate at USB 3 speeds if
      they are connected to a suspended host.
      Solves an issue with NEC uPD720200 host hanging when partially
      enumerating a USB3 device as USB2 after host controller runtime resume.
      Tested-by: default avatarMike Murdoch <main.haarp@gmail.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      80f1d0ee
    • Rafal Redzimski's avatar
      usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host · 28441c2d
      Rafal Redzimski authored
      commit 0d46faca upstream.
      
      Broxton B0 also requires XHCI_PME_STUCK_QUIRK.
      Adding PCI device ID for Broxton B and adding to quirk.
      Signed-off-by: default avatarRafal Redzimski <rafal.f.redzimski@intel.com>
      Signed-off-by: default avatarRobert Dobrowolski <robert.dobrowolski@linux.intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      28441c2d
    • Rui Salvaterra's avatar
      lib: lz4: fixed zram with lz4 on big endian machines · 9cbbd5aa
      Rui Salvaterra authored
      commit 3e26a691 upstream.
      
      Based on Sergey's test patch [1], this fixes zram with lz4 compression
      on big endian cpus.
      
      Note that the 64-bit preprocessor test is not a cleanup, it's part of
      the fix, since those identifiers are bogus (for example, __ppc64__
      isn't defined anywhere else in the kernel, which means we'd fall into
      the 32-bit definitions on ppc64).
      
      Tested on ppc64 with no regression on x86_64.
      
      [1] http://marc.info/?l=linux-kernel&m=145994470805853&w=4Suggested-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Signed-off-by: default avatarRui Salvaterra <rsalvaterra@gmail.com>
      Reviewed-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      9cbbd5aa
    • Andy Shevchenko's avatar
      dmaengine: dw: fix master selection · 0a547dcf
      Andy Shevchenko authored
      commit 3fe6409c upstream.
      
      The commit 89500520 ("dmaengine: dw: apply both HS interfaces and remove
      slave_id usage") cleaned up the code to avoid usage of depricated slave_id
      member of generic slave configuration.
      
      Meanwhile it broke the master selection by removing important call to
      dwc_set_masters() in ->device_alloc_chan_resources() which copied masters from
      custom slave configuration to the internal channel structure.
      
      Everything works until now since there is no customized connection of
      DesignWare DMA IP to the bus, i.e. one bus and one or more masters are in use.
      The configurations where 2 masters are connected to the different masters are
      not working anymore. We are expecting one user of such configuration and need
      to select masters properly. Besides that it is obviously a performance
      regression since only one master is in use in multi-master configuration.
      
      Select masters in accordance with what user asked for. Keep this patch in a form
      more suitable for back porting.
      
      We are safe to take necessary data in ->device_alloc_chan_resources() because
      we don't support generic slave configuration embedded into custom one, and thus
      the only way to provide such is to use the parameter to a filter function which
      is called exactly before channel resource allocation.
      
      While here, replase BUG_ON to less noisy dev_warn() and prevent channel
      allocation in case of error.
      
      Fixes: 89500520 ("dmaengine: dw: apply both HS interfaces and remove slave_id usage")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      0a547dcf
    • Hyungwon Hwang's avatar
      ALSA: hda - Fix regression of monitor_present flag in eld proc file · c3f480d2
      Hyungwon Hwang authored
      commit 023d8218 upstream.
      
      The commit [bd481285: ALSA: hda - Fix forgotten HDMI
      monitor_present update] covered the missing update of monitor_present
      flag, but this caused a regression for devices without the i915 eld
      notifier.  Since the old code supposed that pin_eld->monitor_present
      was updated by the caller side, the hdmi_present_sense_via_verbs()
      doesn't update the temporary eld->monitor_present but only
      pin_eld->monitor_present, which is now overridden in update_eld().
      
      The fix is to update pin_eld->monitor_present as well before calling
      update_eld().
      
      Note that this may still leave monitor_present flag in an inconsistent
      state when the driver repolls, but this is at least the old behavior.
      More proper fix will follow in the later patch.
      
      Fixes: bd481285 ('ALSA: hda - Fix forgotten HDMI monitor_present update')
      Signed-off-by: default avatarHyungwon Hwang <hyungwon.hwang7@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      c3f480d2
    • Dmitry Ivanov's avatar
      nl80211: check netlink protocol in socket release notification · 94291717
      Dmitry Ivanov authored
      commit 8f815cdd upstream.
      
      A non-privileged user can create a netlink socket with the same port_id as
      used by an existing open nl80211 netlink socket (e.g. as used by a hostapd
      process) with a different protocol number.
      
      Closing this socket will then lead to the notification going to nl80211's
      socket release notification handler, and possibly cause an action such as
      removing a virtual interface.
      
      Fix this issue by checking that the netlink protocol is NETLINK_GENERIC.
      Since generic netlink has no notifier chain of its own, we can't fix the
      problem more generically.
      
      Fixes: 026331c4 ("cfg80211/mac80211: allow registering for and sending action frames")
      Signed-off-by: default avatarDmitry Ivanov <dima@ubnt.com>
      [rewrite commit message]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      94291717
    • Kailang Yang's avatar
      ALSA: usb-audio: Skip volume controls triggers hangup on Dell USB Dock · 233346ef
      Kailang Yang authored
      commit adcdd0d5 upstream.
      
      This is Dell usb dock audio workaround.
      It was fixed the master volume keep lower.
      
      [Some background: the patch essentially skips the controls of a couple
       of FU volumes.  Although the firmware exposes the dB and the value
       information via the usb descriptor, changing the values (we set the
       min volume as default) screws up the device.  Although this has been
       fixed in the newer firmware, the devices are shipped with the old
       firmware, thus we need the workaround in the driver side.  -- tiwai]
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      233346ef
    • Jerome Marchand's avatar
      assoc_array: don't call compare_object() on a node · ea8cd335
      Jerome Marchand authored
      commit 8d4a2ec1 upstream.
      
      Changes since V1: fixed the description and added KASan warning.
      
      In assoc_array_insert_into_terminal_node(), we call the
      compare_object() method on all non-empty slots, even when they're
      not leaves, passing a pointer to an unexpected structure to
      compare_object(). Currently it causes an out-of-bound read access
      in keyring_compare_object detected by KASan (see below). The issue
      is easily reproduced with keyutils testsuite.
      Only call compare_object() when the slot is a leave.
      
      KASan warning:
      ==================================================================
      BUG: KASAN: slab-out-of-bounds in keyring_compare_object+0x213/0x240 at addr ffff880060a6f838
      Read of size 8 by task keyctl/1655
      =============================================================================
      BUG kmalloc-192 (Not tainted): kasan: bad access detected
      -----------------------------------------------------------------------------
      
      Disabling lock debugging due to kernel taint
      INFO: Allocated in assoc_array_insert+0xfd0/0x3a60 age=69 cpu=1 pid=1647
      	___slab_alloc+0x563/0x5c0
      	__slab_alloc+0x51/0x90
      	kmem_cache_alloc_trace+0x263/0x300
      	assoc_array_insert+0xfd0/0x3a60
      	__key_link_begin+0xfc/0x270
      	key_create_or_update+0x459/0xaf0
      	SyS_add_key+0x1ba/0x350
      	entry_SYSCALL_64_fastpath+0x12/0x76
      INFO: Slab 0xffffea0001829b80 objects=16 used=8 fp=0xffff880060a6f550 flags=0x3fff8000004080
      INFO: Object 0xffff880060a6f740 @offset=5952 fp=0xffff880060a6e5d1
      
      Bytes b4 ffff880060a6f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f740: d1 e5 a6 60 00 88 ff ff 0e 00 00 00 00 00 00 00  ...`............
      Object ffff880060a6f750: 02 cf 8e 60 00 88 ff ff 02 c0 8e 60 00 88 ff ff  ...`.......`....
      Object ffff880060a6f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7d0: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880060a6f7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      CPU: 0 PID: 1655 Comm: keyctl Tainted: G    B           4.5.0-rc4-kasan+ #291
      Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
       0000000000000000 000000001b2800b4 ffff880060a179e0 ffffffff81b60491
       ffff88006c802900 ffff880060a6f740 ffff880060a17a10 ffffffff815e2969
       ffff88006c802900 ffffea0001829b80 ffff880060a6f740 ffff880060a6e650
      Call Trace:
       [<ffffffff81b60491>] dump_stack+0x85/0xc4
       [<ffffffff815e2969>] print_trailer+0xf9/0x150
       [<ffffffff815e9454>] object_err+0x34/0x40
       [<ffffffff815ebe50>] kasan_report_error+0x230/0x550
       [<ffffffff819949be>] ? keyring_get_key_chunk+0x13e/0x210
       [<ffffffff815ec62d>] __asan_report_load_n_noabort+0x5d/0x70
       [<ffffffff81994cc3>] ? keyring_compare_object+0x213/0x240
       [<ffffffff81994cc3>] keyring_compare_object+0x213/0x240
       [<ffffffff81bc238c>] assoc_array_insert+0x86c/0x3a60
       [<ffffffff81bc1b20>] ? assoc_array_cancel_edit+0x70/0x70
       [<ffffffff8199797d>] ? __key_link_begin+0x20d/0x270
       [<ffffffff8199786c>] __key_link_begin+0xfc/0x270
       [<ffffffff81993389>] key_create_or_update+0x459/0xaf0
       [<ffffffff8128ce0d>] ? trace_hardirqs_on+0xd/0x10
       [<ffffffff81992f30>] ? key_type_lookup+0xc0/0xc0
       [<ffffffff8199e19d>] ? lookup_user_key+0x13d/0xcd0
       [<ffffffff81534763>] ? memdup_user+0x53/0x80
       [<ffffffff819983ea>] SyS_add_key+0x1ba/0x350
       [<ffffffff81998230>] ? key_get_type_from_user.constprop.6+0xa0/0xa0
       [<ffffffff828bcf4e>] ? retint_user+0x18/0x23
       [<ffffffff8128cc7e>] ? trace_hardirqs_on_caller+0x3fe/0x580
       [<ffffffff81004017>] ? trace_hardirqs_on_thunk+0x17/0x19
       [<ffffffff828bc432>] entry_SYSCALL_64_fastpath+0x12/0x76
      Memory state around the buggy address:
       ffff880060a6f700: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
       ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
      >ffff880060a6f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
       ffff880060a6f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff880060a6f900: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
      ==================================================================
      Signed-off-by: default avatarJerome Marchand <jmarchan@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      ea8cd335
    • Vladis Dronov's avatar
      Input: gtco - fix crash on detecting device without endpoints · af7fad32
      Vladis Dronov authored
      commit 162f98de upstream.
      
      The gtco driver expects at least one valid endpoint. If given malicious
      descriptors that specify 0 for the number of endpoints, it will crash in
      the probe function. Ensure there is at least one endpoint on the interface
      before using it.
      
      Also let's fix a minor coding style issue.
      
      The full correct report of this issue can be found in the public
      Red Hat Bugzilla:
      
      https://bugzilla.redhat.com/show_bug.cgi?id=1283385Reported-by: default avatarRalf Spenneberg <ralf@spenneberg.net>
      Signed-off-by: default avatarVladis Dronov <vdronov@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      af7fad32
    • John Keeping's avatar
      drm/qxl: fix cursor position with non-zero hotspot · ed26292f
      John Keeping authored
      commit d59a1f71 upstream.
      
      The SPICE protocol considers the position of a cursor to be the location
      of its active pixel on the display, so the cursor is drawn with its
      top-left corner at "(x - hot_spot_x, y - hot_spot_y)" but the DRM cursor
      position gives the location where the top-left corner should be drawn,
      with the hotspot being a hint for drivers that need it.
      
      This fixes the location of the window resize cursors when using Fluxbox
      with the QXL DRM driver and both the QXL and modesetting X drivers.
      Signed-off-by: default avatarJohn Keeping <john@metanate.com>
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: http://patchwork.freedesktop.org/patch/msgid/1447845445-2116-1-git-send-email-john@metanate.comSigned-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      ed26292f
    • Lokesh Vutla's avatar
      ARM: OMAP2+: hwmod: Fix updating of sysconfig register · 2f4a26ac
      Lokesh Vutla authored
      commit 3ca4a238 upstream.
      
      Commit 127500cc ("ARM: OMAP2+: Only write the sysconfig on idle
      when necessary") talks about verification of sysconfig cache value before
      updating it, only during idle path. But the patch is adding the
      verification in the enable path. So, adding the check in a proper place
      as per the commit description.
      
      Not keeping this check during enable path as there is a chance of losing
      context and it is safe to do on idle as the context of the register will
      never be lost while the device is active.
      Signed-off-by: default avatarLokesh Vutla <lokeshvutla@ti.com>
      Acked-by: default avatarTero Kristo <t-kristo@ti.com>
      Cc: Jon Hunter <jonathanh@nvidia.com>
      Fixes: commit 127500cc "ARM: OMAP2+: Only write the sysconfig on idle when necessary"
      [paul@pwsan.com: appears to have been caused by my own mismerge of the
       originally posted patch]
      Signed-off-by: default avatarPaul Walmsley <paul@pwsan.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      2f4a26ac
    • Alan Stern's avatar
      HID: usbhid: fix inconsistent reset/resume/reset-resume behavior · ca083b27
      Alan Stern authored
      commit 972e6a99 upstream.
      
      The usbhid driver has inconsistently duplicated code in its post-reset,
      resume, and reset-resume pathways.
      
      	reset-resume doesn't check HID_STARTED before trying to
      	restart the I/O queues.
      
      	resume fails to clear the HID_SUSPENDED flag if HID_STARTED
      	isn't set.
      
      	resume calls usbhid_restart_queues() with usbhid->lock held
      	and the others call it without holding the lock.
      
      The first item in particular causes a problem following a reset-resume
      if the driver hasn't started up its I/O.  URB submission fails because
      usbhid->urbin is NULL, and this triggers an unending reset-retry loop.
      
      This patch fixes the problem by creating a new subroutine,
      hid_restart_io(), to carry out all the common activities.  It also
      adds some checks that were missing in the original code:
      
      	After a reset, there's no need to clear any halted endpoints.
      
      	After a resume, if a reset is pending there's no need to
      	restart any I/O until the reset is finished.
      
      	After a resume, if the interrupt-IN endpoint is halted there's
      	no need to submit the input URB until the halt has been
      	cleared.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarDaniel Fraga <fragabr@gmail.com>
      Tested-by: default avatarDaniel Fraga <fragabr@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      ca083b27
    • Haishuang Yan's avatar
      ipv6: l2tp: fix a potential issue in l2tp_ip6_recv · 8e142b79
      Haishuang Yan authored
      [ Upstream commit be447f30 ]
      
      pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
      right place.
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      8e142b79
    • Haishuang Yan's avatar
      ipv4: l2tp: fix a potential issue in l2tp_ip_recv · 7f73ba8d
      Haishuang Yan authored
      [ Upstream commit 5745b823 ]
      
      pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
      right place.
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      7f73ba8d
    • Nicolas Dichtel's avatar
      rtnl: fix msg size calculation in if_nlmsg_size() · 1d68d84b
      Nicolas Dichtel authored
      [ Upstream commit c57c7a95 ]
      
      Size of the attribute IFLA_PHYS_PORT_NAME was missing.
      
      Fixes: db24a904 ("net: add support for phys_port_name")
      CC: David Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      1d68d84b
    • Bjørn Mork's avatar
      qmi_wwan: add "D-Link DWM-221 B1" device id · fc2f53e5
      Bjørn Mork authored
      [ Upstream commit e84810c7 ]
      
      Thomas reports:
      "Windows:
      
      00 diagnostics
      01 modem
      02 at-port
      03 nmea
      04 nic
      
      Linux:
      
      T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2001 ProdID=7e19 Rev=02.32
      S:  Manufacturer=Mobile Connect
      S:  Product=Mobile Connect
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
      Reported-by: default avatarThomas Schäfer <tschaefer@t-online.de>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      fc2f53e5
    • subashab@codeaurora.org's avatar
      xfrm: Fix crash observed during device unregistration and decryption · c15d4f3b
      subashab@codeaurora.org authored
      [ Upstream commit 071d36bf ]
      
      A crash is observed when a decrypted packet is processed in receive
      path. get_rps_cpus() tries to dereference the skb->dev fields but it
      appears that the device is freed from the poison pattern.
      
      [<ffffffc000af58ec>] get_rps_cpu+0x94/0x2f0
      [<ffffffc000af5f94>] netif_rx_internal+0x140/0x1cc
      [<ffffffc000af6094>] netif_rx+0x74/0x94
      [<ffffffc000bc0b6c>] xfrm_input+0x754/0x7d0
      [<ffffffc000bc0bf8>] xfrm_input_resume+0x10/0x1c
      [<ffffffc000ba6eb8>] esp_input_done+0x20/0x30
      [<ffffffc0000b64c8>] process_one_work+0x244/0x3fc
      [<ffffffc0000b7324>] worker_thread+0x2f8/0x418
      [<ffffffc0000bb40c>] kthread+0xe0/0xec
      
      -013|get_rps_cpu(
           |    dev = 0xFFFFFFC08B688000,
           |    skb = 0xFFFFFFC0C76AAC00 -> (
           |      dev = 0xFFFFFFC08B688000 -> (
           |        name =
      "......................................................
           |        name_hlist = (next = 0xAAAAAAAAAAAAAAAA, pprev =
      0xAAAAAAAAAAA
      
      Following are the sequence of events observed -
      
      - Encrypted packet in receive path from netdevice is queued
      - Encrypted packet queued for decryption (asynchronous)
      - Netdevice brought down and freed
      - Packet is decrypted and returned through callback in esp_input_done
      - Packet is queued again for process in network stack using netif_rx
      
      Since the device appears to have been freed, the dereference of
      skb->dev in get_rps_cpus() leads to an unhandled page fault
      exception.
      
      Fix this by holding on to device reference when queueing packets
      asynchronously and releasing the reference on call back return.
      
      v2: Make the change generic to xfrm as mentioned by Steffen and
      update the title to xfrm
      Suggested-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJerome Stanislaus <jeromes@codeaurora.org>
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      c15d4f3b
    • Eric Dumazet's avatar
      bonding: fix bond_get_stats() · 82461a16
      Eric Dumazet authored
      [ Upstream commit fe30937b ]
      
      bond_get_stats() can be called from rtnetlink (with RTNL held)
      or from /proc/net/dev seq handler (with RCU held)
      
      The logic added in commit 5f0c5f73 ("bonding: make global bonding
      stats more reliable") kind of assumed only one cpu could run there.
      
      If multiple threads are reading /proc/net/dev, stats can be really
      messed up after a while.
      
      A second problem is that some fields are 32bit, so we need to properly
      handle the wrap around problem.
      
      Given that RTNL is not always held, we need to use
      bond_for_each_slave_rcu().
      
      Fixes: 5f0c5f73 ("bonding: make global bonding stats more reliable")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Reviewed-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      82461a16
    • Manish Chopra's avatar
      qlge: Fix receive packets drop. · e50948e2
      Manish Chopra authored
      [ Upstream commit 2c9a266a ]
      
      When running small packets [length < 256 bytes] traffic, packets were
      being dropped due to invalid data in those packets which were
      delivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu
      ensures copying latest and updated data into skb from the receive buffer.
      Signed-off-by: default avatarSony Chacko <sony.chacko@qlogic.com>
      Signed-off-by: default avatarManish Chopra <manish.chopra@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      e50948e2
    • Arnd Bergmann's avatar
      farsync: fix off-by-one bug in fst_add_one · 65d686ee
      Arnd Bergmann authored
      [ Upstream commit e725a66c ]
      
      gcc-6 finds an out of bounds access in the fst_add_one function
      when calculating the end of the mmio area:
      
      drivers/net/wan/farsync.c: In function 'fst_add_one':
      drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
       #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                                           ^
      include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
        __builtin_offsetof(a, b)
                           ^
      drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
       #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                           ^~~~~~~~
      drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
                                        + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
                                          ^~~~~~~~~~
      
      The warning is correct, but not critical because this appears
      to be a write-only variable that is set by each WAN driver but
      never accessed afterwards.
      
      I'm taking the minimal fix here, using the correct pointer by
      pointing 'mem_end' to the last byte inside of the register area
      as all other WAN drivers do, rather than the first byte outside of
      it. An alternative would be to just remove the mem_end member
      entirely.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      65d686ee
    • Willem de Bruijn's avatar
      macvtap: always pass ethernet header in linear · 958a1e55
      Willem de Bruijn authored
      [ Upstream commit 8e2ad411 ]
      
      The stack expects link layer headers in the skb linear section.
      Macvtap can create skbs with llheader in frags in edge cases:
      when (IFF_VNET_HDR is off or vnet_hdr.hdr_len < ETH_HLEN) and
      prepad + len > PAGE_SIZE and vnet_hdr.flags has no or bad csum.
      
      Add checks to ensure linear is always at least ETH_HLEN.
      At this point, len is already ensured to be >= ETH_HLEN.
      
      For backwards compatiblity, rounds up short vnet_hdr.hdr_len.
      This differs from tap and packet, which return an error.
      
      Fixes b9fb9ee0 ("macvtap: add GSO/csum offload support")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      958a1e55
    • Sergei Shtylyov's avatar
      sh_eth: fix NULL pointer dereference in sh_eth_ring_format() · f6cb92d7
      Sergei Shtylyov authored
      [ Upstream commit c1b7fca6 ]
      
      In a low memory situation, if netdev_alloc_skb() fails on a first RX ring
      loop iteration  in sh_eth_ring_format(), 'rxdesc' is still NULL.  Avoid
      kernel oops by adding the 'rxdesc' check after the loop.
      Reported-by: default avatarWolfram Sang <wsa+renesas@sang-engineering.com>
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      f6cb92d7