1. 16 Jan, 2015 40 commits
    • Alex Williamson's avatar
      driver core: Fix unbalanced device reference in drivers_probe · 27be7835
      Alex Williamson authored
      commit bb34cb6b upstream.
      
      bus_find_device_by_name() acquires a device reference which is never
      released.  This results in an object leak, which on older kernels
      results in failure to release all resources of PCI devices.  libvirt
      uses drivers_probe to re-attach devices to the host after assignment
      and is therefore a common trigger for this leak.
      
      Example:
      
      # cd /sys/bus/pci/
      # dmesg -C
      # echo 1 > devices/0000\:01\:00.0/sriov_numvfs
      # echo 0 > devices/0000\:01\:00.0/sriov_numvfs
      # dmesg | grep 01:10
       pci 0000:01:10.0: [8086:10ca] type 00 class 0x020000
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_add_internal: parent: '0000:00:01.0', set: 'devices'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): kobject_cleanup, parent           (null)
       kobject: '0000:01:10.0' (ffff8801d79cd0a8): calling ktype release
       kobject: '0000:01:10.0': free name
      
      [kobject freed as expected]
      
      # dmesg -C
      # echo 1 > devices/0000\:01\:00.0/sriov_numvfs
      # echo 0000:01:10.0 > drivers_probe
      # echo 0 > devices/0000\:01\:00.0/sriov_numvfs
      # dmesg | grep 01:10
       pci 0000:01:10.0: [8086:10ca] type 00 class 0x020000
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_add_internal: parent: '0000:00:01.0', set: 'devices'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): kobject_uevent_env
       kobject: '0000:01:10.0' (ffff8801d79ce0a8): fill_kobj_path: path = '/devices/pci0000:00/0000:00:01.0/0000:01:10.0'
      
      [no free]
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      27be7835
    • Andy Lutomirski's avatar
      x86, vdso: Use asm volatile in __getcpu · ccf82969
      Andy Lutomirski authored
      commit 1ddf0b1b upstream.
      
      In Linux 3.18 and below, GCC hoists the lsl instructions in the
      pvclock code all the way to the beginning of __vdso_clock_gettime,
      slowing the non-paravirt case significantly.  For unknown reasons,
      presumably related to the removal of a branch, the performance issue
      is gone as of
      
      e76b027e x86,vdso: Use LSL unconditionally for vgetcpu
      
      but I don't trust GCC enough to expect the problem to stay fixed.
      
      There should be no correctness issue, because the __getcpu calls in
      __vdso_vlock_gettime were never necessary in the first place.
      
      Note to stable maintainers: In 3.18 and below, depending on
      configuration, gcc 4.9.2 generates code like this:
      
           9c3:       44 0f 03 e8             lsl    %ax,%r13d
           9c7:       45 89 eb                mov    %r13d,%r11d
           9ca:       0f 03 d8                lsl    %ax,%ebx
      
      This patch won't apply as is to any released kernel, but I'll send a
      trivial backported version if needed.
      
      [
       Backported by Andy Lutomirski.  Should apply to all affected
       versions.  This fixes a functionality bug as well as a performance
       bug: buggy kernels can infinite loop in __vdso_clock_gettime on
       affected compilers.  See, for exammple:
      
       https://bugzilla.redhat.com/show_bug.cgi?id=1178975
      ]
      
      Fixes: 51c19b4f x86: vdso: pvclock gettime support
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Acked-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ccf82969
    • Andy Lutomirski's avatar
      x86_64, vdso: Fix the vdso address randomization algorithm · ef44baf6
      Andy Lutomirski authored
      commit 394f56fe upstream.
      
      The theory behind vdso randomization is that it's mapped at a random
      offset above the top of the stack.  To avoid wasting a page of
      memory for an extra page table, the vdso isn't supposed to extend
      past the lowest PMD into which it can fit.  Other than that, the
      address should be a uniformly distributed address that meets all of
      the alignment requirements.
      
      The current algorithm is buggy: the vdso has about a 50% probability
      of being at the very end of a PMD.  The current algorithm also has a
      decent chance of failing outright due to incorrect handling of the
      case where the top of the stack is near the top of its PMD.
      
      This fixes the implementation.  The paxtest estimate of vdso
      "randomisation" improves from 11 bits to 18 bits.  (Disclaimer: I
      don't know what the paxtest code is actually calculating.)
      
      It's worth noting that this algorithm is inherently biased: the vdso
      is more likely to end up near the end of its PMD than near the
      beginning.  Ideally we would either nix the PMD sharing requirement
      or jointly randomize the vdso and the stack to reduce the bias.
      
      In the mean time, this is a considerable improvement with basically
      no risk of compatibility issues, since the allowed outputs of the
      algorithm are unchanged.
      
      As an easy test, doing this:
      
      for i in `seq 10000`
        do grep -P vdso /proc/self/maps |cut -d- -f1
      done |sort |uniq -d
      
      used to produce lots of output (1445 lines on my most recent run).
      A tiny subset looks like this:
      
      7fffdfffe000
      7fffe01fe000
      7fffe05fe000
      7fffe07fe000
      7fffe09fe000
      7fffe0bfe000
      7fffe0dfe000
      
      Note the suspicious fe000 endings.  With the fix, I get a much more
      palatable 76 repeated addresses.
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ef44baf6
    • Paolo Bonzini's avatar
      kvm: x86: drop severity of "generation wraparound" message · 032e45d8
      Paolo Bonzini authored
      commit a629df7e upstream.
      
      Since most virtual machines raise this message once, it is a bit annoying.
      Make it KERN_DEBUG severity.
      
      Fixes: 7a2e8aafSigned-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      032e45d8
    • Christian Borntraeger's avatar
      KVM: s390: Fix ipte locking · cec145a8
      Christian Borntraeger authored
      commit 1365039d upstream.
      
      ipte_unlock_siif uses cmpxchg to replace the in-memory data of the ipte
      lock together with ACCESS_ONCE for the intial read.
      
      union ipte_control {
              unsigned long val;
              struct {
                      unsigned long k  : 1;
                      unsigned long kh : 31;
                      unsigned long kg : 32;
              };
      };
      [...]
      static void ipte_unlock_siif(struct kvm_vcpu *vcpu)
      {
              union ipte_control old, new, *ic;
      
              ic = &vcpu->kvm->arch.sca->ipte_control;
              do {
                      new = old = ACCESS_ONCE(*ic);
                      new.kh--;
                      if (!new.kh)
                              new.k = 0;
              } while (cmpxchg(&ic->val, old.val, new.val) != old.val);
              if (!new.kh)
                      wake_up(&vcpu->kvm->arch.ipte_wq);
      }
      
      The new value, is loaded twice from memory with gcc 4.7.2 of
      fedora 18, despite the ACCESS_ONCE:
      
      --->
      
      l       %r4,0(%r3)      <--- load first 32 bit of lock (k and kh) in r4
      alfi    %r4,2147483647  <--- add -1 to r4
      llgtr   %r4,%r4         <--- zero out the sign bit of r4
      lg      %r1,0(%r3)      <--- load all 64 bit of lock into new
      lgr     %r2,%r1         <--- load the same into old
      risbg   %r1,%r4,1,31,32 <--- shift and insert r4 into the bits 1-31 of
      new
      llihf   %r4,2147483647
      ngrk    %r4,%r1,%r4
      jne     aa0 <ipte_unlock+0xf8>
      nihh    %r1,32767
      lgr     %r4,%r2
      csg     %r4,%r1,0(%r3)
      cgr     %r2,%r4
      jne     a70 <ipte_unlock+0xc8>
      
      If the memory value changes between the first load (l) and the second
      load (lg) we are broken. If that happens VCPU threads will hang
      (unkillable) in handle_ipte_interlock.
      
      Andreas Krebbel analyzed this and tracked it down to a compiler bug in
      that version:
      "while it is not that obvious the C99 standard basically forbids
      duplicating the memory access also in that case. For an argumentation of
      a similiar case please see:
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=22278#c43
      
      For the implementation-defined cases regarding volatile there are some
      GCC-specific clarifications which can be found here:
      https://gcc.gnu.org/onlinedocs/gcc/Volatiles.html#Volatiles
      
      I've tracked down the problem with a reduced testcase. The problem was
      that during a tree level optimization (SRA - scalar replacement of
      aggregates) the volatile marker is lost. And an RTL level optimizer (CSE
      - common subexpression elimination) then propagated the memory read into
        its second use introducing another access to the memory location. So
      indeed Christian's suspicion that the union access has something to do
      with it is correct (since it triggered the SRA optimization).
      
      This issue has been reported and fixed in the GCC 4.8 development cycle:
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145"
      
      This patch replaces the ACCESS_ONCE scheme with a barrier() based scheme
      that should work for all supported compilers.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cec145a8
    • Christian Borntraeger's avatar
      KVM: s390: flush CPU on load control · 31408f1a
      Christian Borntraeger authored
      commit 2dca485f upstream.
      
      some control register changes will flush some aspects of the CPU, e.g.
      POP explicitely mentions that for CR9-CR11 "TLBs may be cleared".
      Instead of trying to be clever and only flush on specific CRs, let
      play safe and flush on all lctl(g) as future machines might define
      new bits in CRs. Load control intercept should not happen that often.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Acked-by: default avatarCornelia Huck <cornelia.huck@de.ibm.com>
      Reviewed-by: default avatarDavid Hildenbrand <dahi@linux.vnet.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      31408f1a
    • Thomas Huth's avatar
      KVM: s390: Fix size of monitor-class number field · c3e724b8
      Thomas Huth authored
      commit a36c5393 upstream.
      
      The monitor-class number field is only 16 bits, so we have to use
      a u16 pointer to access it.
      Signed-off-by: default avatarThomas Huth <thuth@linux.vnet.ibm.com>
      Reviewed-by: default avatarDavid Hildenbrand <dahi@linux.vnet.ibm.com>
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c3e724b8
    • Paolo Bonzini's avatar
      kvm: x86: mask out XSAVES · d3105d56
      Paolo Bonzini authored
      commit b65d6e17 upstream.
      
      This feature is not supported inside KVM guests yet, because we do not emulate
      MSR_IA32_XSS.  Mask it out.
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d3105d56
    • Nadav Amit's avatar
      KVM: x86: em_ret_far overrides cpl · 09e365b4
      Nadav Amit authored
      commit ab646f54 upstream.
      
      commit d50eaa18 ("KVM: x86: Perform limit checks when assigning EIP")
      mistakenly used zero as cpl on em_ret_far. Use the actual one.
      
      Fixes: d50eaa18Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09e365b4
    • Paolo Bonzini's avatar
      KVM: x86: support XSAVES usage in the host · c4a52541
      Paolo Bonzini authored
      commit df1daba7 upstream.
      
      Userspace is expecting non-compacted format for KVM_GET_XSAVE, but
      struct xsave_struct might be using the compacted format.  Convert
      in order to preserve userspace ABI.
      
      Likewise, userspace is passing non-compacted format for KVM_SET_XSAVE
      but the kernel will pass it to XRSTORS, and we need to convert back.
      
      Fixes: f31a9f7c
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: H. Peter Anvin <hpa@linux.intel.com>
      Tested-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Reviewed-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c4a52541
    • Paolo Bonzini's avatar
      x86: export get_xsave_addr · 1f92632c
      Paolo Bonzini authored
      commit ba7b3920 upstream.
      
      get_xsave_addr is the API to access XSAVE states, and KVM would
      like to use it.  Export it.
      
      Cc: x86@kernel.org
      Cc: H. Peter Anvin <hpa@linux.intel.com>
      Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f92632c
    • Giedrius Statkevičius's avatar
      HID: Add a new id 0x501a for Genius MousePen i608X · 1cafdf52
      Giedrius Statkevičius authored
      commit 2bacedad upstream.
      
      New Genius MousePen i608X devices have a new id 0x501a instead of the
      old 0x5011 so add a new #define with "_2" appended and change required
      places.
      
      The remaining two checkpatch warnings about line length
      being over 80 characters are present in the original files too and this
      patch was made in the same style (no line break).
      
      Just adding a new id and changing the required places should make the
      new device work without any issues according to the bug report in the
      following url.
      
      This patch was made according to and fixes:
      https://bugzilla.kernel.org/show_bug.cgi?id=67111Signed-off-by: default avatarGiedrius Statkevičius <giedrius.statkevicius@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1cafdf52
    • Karl Relton's avatar
      HID: add battery quirk for USB_DEVICE_ID_APPLE_ALU_WIRELESS_2011_ISO keyboard · 4fe49b18
      Karl Relton authored
      commit da940db4 upstream.
      
      Apple bluetooth wireless keyboard (sold in UK) has always reported zero
      for battery strength no matter what condition the batteries are actually
      in. With this patch applied (applying same quirk as other Apple
      keyboards), the battery strength is now correctly reported.
      Signed-off-by: default avatarKarl Relton <karllinuxtest.relton@ntlworld.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4fe49b18
    • Mika Westerberg's avatar
      HID: i2c-hid: Do not free buffers in i2c_hid_stop() · e0c4b585
      Mika Westerberg authored
      commit 5b44c53a upstream.
      
      When a hid driver that uses i2c-hid as transport is unloaded, the hid core
      will call i2c_hid_stop() which releases all the buffers associated with the
      device. This includes also the command buffer.
      
      Now, when the i2c-hid driver itself is unloaded it tries to power down the
      device by sending it PWR_SLEEP command. Since the command buffer is already
      released we get following crash:
      
       [   79.691459] BUG: unable to handle kernel NULL pointer dereference at           (null)
       [   79.691532] IP: [<ffffffffa05bc049>] __i2c_hid_command+0x49/0x310 [i2c_hid]
       ...
       [   79.693467] Call Trace:
       [   79.693494]  [<ffffffff810424e1>] ? __unmask_ioapic+0x21/0x30
       [   79.693537]  [<ffffffff81042855>] ? unmask_ioapic+0x25/0x40
       [   79.693581]  [<ffffffffa05bc35b>] ? i2c_hid_set_power+0x4b/0xa0 [i2c_hid]
       [   79.693632]  [<ffffffffa05bc3cf>] ? i2c_hid_runtime_resume+0x1f/0x30 [i2c_hid]
       [   79.693689]  [<ffffffff814c08fb>] ? __rpm_callback+0x2b/0x70
       [   79.693733]  [<ffffffff814c0961>] ? rpm_callback+0x21/0x90
       [   79.693776]  [<ffffffff814c0dec>] ? rpm_resume+0x41c/0x600
       [   79.693820]  [<ffffffff814c1e1c>] ? __pm_runtime_resume+0x4c/0x80
       [   79.693868]  [<ffffffff814b8588>] ? __device_release_driver+0x28/0x100
       [   79.693917]  [<ffffffff814b8d90>] ? driver_detach+0xa0/0xb0
       [   79.693959]  [<ffffffff814b82cc>] ? bus_remove_driver+0x4c/0xb0
       [   79.694006]  [<ffffffff810d1cfd>] ? SyS_delete_module+0x11d/0x1d0
       [   79.694054]  [<ffffffff8165f107>] ? int_signal+0x12/0x17
       [   79.694095]  [<ffffffff8165ee69>] ? system_call_fastpath+0x12/0x17
      
      Fix this so that we only free buffers when the i2c-hid driver itself is
      removed.
      
      Fixes: 34f439e4 ("HID: i2c-hid: add runtime PM support")
      Reported-by: default avatarGabriele Mazzotta <gabriele.mzt@gmail.com>
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e0c4b585
    • Dan Carpenter's avatar
      HID: roccat: potential out of bounds in pyra_sysfs_write_settings() · 8ccb93d2
      Dan Carpenter authored
      commit 606185b2 upstream.
      
      This is a static checker fix.  We write some binary settings to the
      sysfs file.  One of the settings is the "->startup_profile".  There
      isn't any checking to make sure it fits into the
      pyra->profile_settings[] array in the profile_activated() function.
      
      I added a check to pyra_sysfs_write_settings() in both places because
      I wasn't positive that the other callers were correct.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8ccb93d2
    • Gwendal Grignou's avatar
      HID: i2c-hid: prevent buffer overflow in early IRQ · e788b6db
      Gwendal Grignou authored
      commit d1c7e29e upstream.
      
      Before ->start() is called, bufsize size is set to HID_MIN_BUFFER_SIZE,
      64 bytes. While processing the IRQ, we were asking to receive up to
      wMaxInputLength bytes, which can be bigger than 64 bytes.
      
      Later, when ->start is run, a proper bufsize will be calculated.
      
      Given wMaxInputLength is said to be unreliable in other part of the
      code, set to receive only what we can even if it results in truncated
      reports.
      Signed-off-by: default avatarGwendal Grignou <gwendal@chromium.org>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e788b6db
    • Jean-Baptiste Maneyrol's avatar
      HID: i2c-hid: fix race condition reading reports · db8bf517
      Jean-Baptiste Maneyrol authored
      commit 6296f4a8 upstream.
      
      Current driver uses a common buffer for reading reports either
      synchronously in i2c_hid_get_raw_report() and asynchronously in
      the interrupt handler.
      There is race condition if an interrupt arrives immediately after
      the report is received in i2c_hid_get_raw_report(); the common
      buffer is modified by the interrupt handler with the new report
      and then i2c_hid_get_raw_report() proceed using wrong data.
      
      Fix it by using a separate buffers for synchronous reports.
      Signed-off-by: default avatarJean-Baptiste Maneyrol <jmaneyrol@invensense.com>
      [Antonio Borneo: cleanup, rebase to v3.17, submit mainline]
      Signed-off-by: default avatarAntonio Borneo <borneo.antonio@gmail.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db8bf517
    • Benjamin Tissoires's avatar
      HID: wacom: fix freeze on open when autosuspend is on · 8bb664fb
      Benjamin Tissoires authored
      commit dff67416 upstream.
      
      Since the conversion from USB to HID (in v3.17), some people reported a
      freeze on boot with the wacom driver. Hans managed to get a stacktrace:
      
      [  240.272331] Call Trace:
      [  240.272338]  [<ffffffff813de7b9>] ? usb_hcd_submit_urb+0xa9/0xb10
      [  240.272347]  [<ffffffff81555579>] schedule+0x29/0x70
      [  240.272355]  [<ffffffff815559e6>] schedule_preempt_disabled+0x16/0x20
      [  240.272363]  [<ffffffff81557365>] __mutex_lock_slowpath+0xe5/0x230
      [  240.272372]  [<ffffffff815574c7>] mutex_lock+0x17/0x30
      [  240.272380]  [<ffffffffa063c1d2>] wacom_resume+0x22/0x50 [wacom]
      [  240.272396]  [<ffffffffa01aea8a>] hid_resume_common+0xba/0x110 [usbhid]
      [  240.272404]  [<ffffffff813e5890>] ? usb_runtime_suspend+0x80/0x80
      [  240.272417]  [<ffffffffa01aeb1d>] hid_resume+0x3d/0x70 [usbhid]
      [  240.272425]  [<ffffffff813e44a6>] usb_resume_interface.isra.6+0xb6/0x120
      [  240.272432]  [<ffffffff813e4774>] usb_resume_both+0x74/0x140
      [  240.272439]  [<ffffffff813e58aa>] usb_runtime_resume+0x1a/0x20
      [  240.272446]  [<ffffffff813b1912>] __rpm_callback+0x32/0x70
      [  240.272453]  [<ffffffff813b1976>] rpm_callback+0x26/0xa0
      [  240.272460]  [<ffffffff813b2d71>] rpm_resume+0x4b1/0x690
      [  240.272468]  [<ffffffff812ab992>] ? radix_tree_lookup_slot+0x22/0x50
      [  240.272475]  [<ffffffff813b2c1a>] rpm_resume+0x35a/0x690
      [  240.272482]  [<ffffffff8116e9c9>] ? zone_statistics+0x89/0xa0
      [  240.272489]  [<ffffffff813b2f90>] __pm_runtime_resume+0x40/0x60
      [  240.272497]  [<ffffffff813e4272>] usb_autopm_get_interface+0x22/0x60
      [  240.272509]  [<ffffffffa01ae8d9>] usbhid_open+0x59/0xe0 [usbhid]
      [  240.272517]  [<ffffffffa063ac85>] wacom_open+0x35/0x50 [wacom]
      [  240.272525]  [<ffffffff813f37b9>] input_open_device+0x79/0xa0
      [  240.272534]  [<ffffffffa048d1c1>] evdev_open+0x1b1/0x200 [evdev]
      [  240.272543]  [<ffffffff811c899e>] chrdev_open+0xae/0x1f0
      [  240.272549]  [<ffffffff811c88f0>] ? cdev_put+0x30/0x30
      [  240.272556]  [<ffffffff811c17e2>] do_dentry_open+0x1d2/0x320
      [  240.272562]  [<ffffffff811c1cd1>] finish_open+0x31/0x50
      [  240.272571]  [<ffffffff811d2202>] do_last.isra.36+0x652/0xe50
      [  240.272579]  [<ffffffff811d2ac7>] path_openat+0xc7/0x6f0
      [  240.272586]  [<ffffffff811cf012>] ? final_putname+0x22/0x50
      [  240.272594]  [<ffffffff811d42d2>] ? user_path_at_empty+0x72/0xd0
      [  240.272602]  [<ffffffff811d43fd>] do_filp_open+0x4d/0xc0
      [...]
      
      So here, wacom_open is called, and then wacom_resume is called by the
      PM system. However, wacom_open already took the lock when wacom_resume
      tries to get it. Freeze.
      
      A little bit of history shows that this already happened in the past
      - commit f6cd3783 ("Input: wacom - fix runtime PM related deadlock"),
      and the solution was to call first the PM function before taking the lock.
      
      The lock was introduced in commit commit e7224094 ("Input: wacom -
      implement suspend and autosuspend") when the autosuspend feature has
      been added. Given that usbhid already takes care of this very same
      locking between suspend/resume, I think we can simply kill the lock
      in open/close.
      
      The lock is now used also with LEDs, so we can not remove it completely.
      Reported-by: default avatarHans Spath <inbox-546@hans-spath.de>
      Tested-by: default avatarHans Spath <inbox-546@hans-spath.de>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8bb664fb
    • Benjamin Tissoires's avatar
      HID: wacom: re-add accidentally dropped Lenovo PID · 15c1c0a1
      Benjamin Tissoires authored
      commit 00d6f227 upstream.
      
      Dropped in the following commit:
      
      commit a3e6f654 ("Input: wacom - keep wacom_ids ordered")
      Reported-by: default avatarHans Spath <inbox-546@hans-spath.de>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      15c1c0a1
    • Oliver Neukum's avatar
      HID: yet another buggy ELAN touchscreen · 7e4cec40
      Oliver Neukum authored
      commit a32c99e7 upstream.
      
      The touchscreen needs the same quirk as the other models.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.de>
      Reported-by: default avatarBryan Poling <poli0048@umn.edu>
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7e4cec40
    • Takashi Iwai's avatar
      blk-mq: Fix uninitialized kobject at CPU hotplugging · fa5e4747
      Takashi Iwai authored
      commit 06a41a99 upstream.
      
      When a CPU is hotplugged, the current blk-mq spews a warning like:
      
        kobject '(null)' (ffffe8ffffc8b5d8): tried to add an uninitialized object, something is seriously wrong.
        CPU: 1 PID: 1386 Comm: systemd-udevd Not tainted 3.18.0-rc7-2.g088d59b-default #1
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_171129-lamiak 04/01/2014
         0000000000000000 0000000000000002 ffffffff81605f07 ffffe8ffffc8b5d8
         ffffffff8132c7a0 ffff88023341d370 0000000000000020 ffff8800bb05bd58
         ffff8800bb05bd08 000000000000a0a0 000000003f441940 0000000000000007
        Call Trace:
         [<ffffffff81005306>] dump_trace+0x86/0x330
         [<ffffffff81005644>] show_stack_log_lvl+0x94/0x170
         [<ffffffff81006d21>] show_stack+0x21/0x50
         [<ffffffff81605f07>] dump_stack+0x41/0x51
         [<ffffffff8132c7a0>] kobject_add+0xa0/0xb0
         [<ffffffff8130aee1>] blk_mq_register_hctx+0x91/0xb0
         [<ffffffff8130b82e>] blk_mq_sysfs_register+0x3e/0x60
         [<ffffffff81309298>] blk_mq_queue_reinit_notify+0xf8/0x190
         [<ffffffff8107cfdc>] notifier_call_chain+0x4c/0x70
         [<ffffffff8105fd23>] cpu_notify+0x23/0x50
         [<ffffffff81060037>] _cpu_up+0x157/0x170
         [<ffffffff810600d9>] cpu_up+0x89/0xb0
         [<ffffffff815fa5b5>] cpu_subsys_online+0x35/0x80
         [<ffffffff814323cd>] device_online+0x5d/0xa0
         [<ffffffff81432485>] online_store+0x75/0x80
         [<ffffffff81236a5a>] kernfs_fop_write+0xda/0x150
         [<ffffffff811c5532>] vfs_write+0xb2/0x1f0
         [<ffffffff811c5f42>] SyS_write+0x42/0xb0
         [<ffffffff8160c4ed>] system_call_fastpath+0x16/0x1b
         [<00007f0132fb24e0>] 0x7f0132fb24e0
      
      This is indeed because of an uninitialized kobject for blk_mq_ctx.
      The blk_mq_ctx kobjects are initialized in blk_mq_sysfs_init(), but it
      goes loop over hctx_for_each_ctx(), i.e. it initializes only for
      online CPUs.  Thus, when a CPU is hotplugged, the ctx for the newly
      onlined CPU is registered without initialization.
      
      This patch fixes the issue by initializing the all ctx kobjects
      belonging to each queue.
      
      Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=908794Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa5e4747
    • Bart Van Assche's avatar
      blk-mq: Fix a race between bt_clear_tag() and bt_get() · 3a6d4005
      Bart Van Assche authored
      commit c38d185d upstream.
      
      What we need is the following two guarantees:
      * Any thread that observes the effect of the test_and_set_bit() by
        __bt_get_word() also observes the preceding addition of 'current'
        to the appropriate wait list. This is guaranteed by the semantics
        of the spin_unlock() operation performed by prepare_and_wait().
        Hence the conversion of test_and_set_bit_lock() into
        test_and_set_bit().
      * The wait lists are examined by bt_clear() after the tag bit has
        been cleared. clear_bit_unlock() guarantees that any thread that
        observes that the bit has been cleared also observes the store
        operations preceding clear_bit_unlock(). However,
        clear_bit_unlock() does not prevent that the wait lists are examined
        before that the tag bit is cleared. Hence the addition of a memory
        barrier between clear_bit() and the wait list examination.
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Robert Elliott <elliott@hp.com>
      Cc: Ming Lei <ming.lei@canonical.com>
      Cc: Alexander Gordeev <agordeev@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a6d4005
    • Bart Van Assche's avatar
      blk-mq: Avoid that __bt_get_word() wraps multiple times · d04e14ab
      Bart Van Assche authored
      commit 9e98e9d7 upstream.
      
      If __bt_get_word() is called with last_tag != 0, if the first
      find_next_zero_bit() fails, if after wrap-around the
      test_and_set_bit() call fails and find_next_zero_bit() succeeds,
      if the next test_and_set_bit() call fails and subsequently
      find_next_zero_bit() does not find a zero bit, then another
      wrap-around will occur. Avoid this by introducing an additional
      local variable.
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Robert Elliott <elliott@hp.com>
      Cc: Ming Lei <ming.lei@canonical.com>
      Cc: Alexander Gordeev <agordeev@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d04e14ab
    • Bart Van Assche's avatar
      blk-mq: Fix a use-after-free · b041392d
      Bart Van Assche authored
      commit 45a9c9d9 upstream.
      
      blk-mq users are allowed to free the memory request_queue.tag_set
      points at after blk_cleanup_queue() has finished but before
      blk_release_queue() has started. This can happen e.g. in the SCSI
      core. The SCSI core namely embeds the tag_set structure in a SCSI
      host structure. The SCSI host structure is freed by
      scsi_host_dev_release(). This function is called after
      blk_cleanup_queue() finished but can be called before
      blk_release_queue().
      
      This means that it is not safe to access request_queue.tag_set from
      inside blk_release_queue(). Hence remove the blk_sync_queue() call
      from blk_release_queue(). This call is not necessary - outstanding
      requests must have finished before blk_release_queue() is
      called. Additionally, move the blk_mq_free_queue() call from
      blk_release_queue() to blk_cleanup_queue() to avoid that struct
      request_queue.tag_set gets accessed after it has been freed.
      
      This patch avoids that the following kernel oops can be triggered
      when deleting a SCSI host for which scsi-mq was enabled:
      
      Call Trace:
       [<ffffffff8109a7c4>] lock_acquire+0xc4/0x270
       [<ffffffff814ce111>] mutex_lock_nested+0x61/0x380
       [<ffffffff812575f0>] blk_mq_free_queue+0x30/0x180
       [<ffffffff8124d654>] blk_release_queue+0x84/0xd0
       [<ffffffff8126c29b>] kobject_cleanup+0x7b/0x1a0
       [<ffffffff8126c140>] kobject_put+0x30/0x70
       [<ffffffff81245895>] blk_put_queue+0x15/0x20
       [<ffffffff8125c409>] disk_release+0x99/0xd0
       [<ffffffff8133d056>] device_release+0x36/0xb0
       [<ffffffff8126c29b>] kobject_cleanup+0x7b/0x1a0
       [<ffffffff8126c140>] kobject_put+0x30/0x70
       [<ffffffff8125a78a>] put_disk+0x1a/0x20
       [<ffffffff811d4cb5>] __blkdev_put+0x135/0x1b0
       [<ffffffff811d56a0>] blkdev_put+0x50/0x160
       [<ffffffff81199eb4>] kill_block_super+0x44/0x70
       [<ffffffff8119a2a4>] deactivate_locked_super+0x44/0x60
       [<ffffffff8119a87e>] deactivate_super+0x4e/0x70
       [<ffffffff811b9833>] cleanup_mnt+0x43/0x90
       [<ffffffff811b98d2>] __cleanup_mnt+0x12/0x20
       [<ffffffff8107252c>] task_work_run+0xac/0xe0
       [<ffffffff81002c01>] do_notify_resume+0x61/0xa0
       [<ffffffff814d2c58>] int_signal+0x12/0x17
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Robert Elliott <elliott@hp.com>
      Cc: Ming Lei <ming.lei@canonical.com>
      Cc: Alexander Gordeev <agordeev@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b041392d
    • Jens Axboe's avatar
      blk-mq: use 'nr_cpu_ids' as highest CPU ID count for hwq <-> cpu map · 00de3a64
      Jens Axboe authored
      commit a33c1ba2 upstream.
      
      We currently use num_possible_cpus(), but that breaks on sparc64 where
      the CPU ID space is discontig. Use nr_cpu_ids as the highest CPU ID
      instead, so we don't end up reading from invalid memory.
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      00de3a64
    • Joerg Roedel's avatar
      iommu/vt-d: Fix dmar_domain leak in iommu_attach_device · 8c6aa9c5
      Joerg Roedel authored
      commit 62c22167 upstream.
      
      Since commit 1196c2fb a domain is only destroyed in the
      notifier path if it is hot-unplugged. This caused a
      domain leakage in iommu_attach_device when a driver was
      unbound from the device and bound to VFIO. In this case the
      device is attached to a new domain and unlinked from the old
      domain. At this point nothing points to the old domain
      anymore and its memory is leaked.
      Fix this by explicitly freeing the old domain in
      iommu_attach_domain.
      
      Fixes: 1196c2fb (iommu/vt-d: Fix dmar_domain leak in iommu_attach_device)
      Tested-by: default avatarJerry Hoemann <jerry.hoemann@hp.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c6aa9c5
    • Jiang Liu's avatar
      iommu/vt-d: Fix an off-by-one bug in __domain_mapping() · e7a4ae85
      Jiang Liu authored
      commit cc4f14aa upstream.
      
      There's an off-by-one bug in function __domain_mapping(), which may
      trigger the BUG_ON(nr_pages < lvl_pages) when
      	(nr_pages + 1) & superpage_mask == 0
      
      The issue was introduced by commit 9051aa02 "intel-iommu: Combine
      domain_pfn_mapping() and domain_sg_mapping()", which sets sg_res to
      "nr_pages + 1" to avoid some of the 'sg_res==0' code paths.
      
      It's safe to remove extra "+1" because sg_res is only used to calculate
      page size now.
      Reported-And-Tested-by: default avatarSudeep Dutt <sudeep.dutt@intel.com>
      Signed-off-by: default avatarJiang Liu <jiang.liu@linux.intel.com>
      Acked-By: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7a4ae85
    • Richard Weinberger's avatar
      UBI: Fix double free after do_sync_erase() · 49b99261
      Richard Weinberger authored
      commit aa5ad3b6 upstream.
      
      If the erase worker is unable to erase a PEB it will
      free the ubi_wl_entry itself.
      The failing ubi_wl_entry must not free()'d again after
      do_sync_erase() returns.
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      49b99261
    • Richard Weinberger's avatar
      UBI: Fix invalid vfree() · 85ce61f0
      Richard Weinberger authored
      commit f38aed97 upstream.
      
      The logic of vfree()'ing vol->upd_buf is tied to vol->updating.
      In ubi_start_update() vol->updating is set long before vmalloc()'ing
      vol->upd_buf. If we encounter a write failure in ubi_start_update()
      before vmalloc() the UBI device release function will try to vfree()
      vol->upd_buf because vol->updating is set.
      Fix this by allocating vol->upd_buf directly after setting vol->updating.
      
      Fixes:
      [   31.559338] UBI warning: vol_cdev_release: update of volume 2 not finished, volume is damaged
      [   31.559340] ------------[ cut here ]------------
      [   31.559343] WARNING: CPU: 1 PID: 2747 at mm/vmalloc.c:1446 __vunmap+0xe3/0x110()
      [   31.559344] Trying to vfree() nonexistent vm area (ffffc90001f2b000)
      [   31.559345] Modules linked in:
      [   31.565620]  0000000000000bba ffff88002a0cbdb0 ffffffff818f0497 ffff88003b9ba148
      [   31.566347]  ffff88002a0cbde0 ffffffff8156f515 ffff88003b9ba148 0000000000000bba
      [   31.567073]  0000000000000000 0000000000000000 ffff88002a0cbe88 ffffffff8156c10a
      [   31.567793] Call Trace:
      [   31.568034]  [<ffffffff818f0497>] dump_stack+0x4e/0x7a
      [   31.568510]  [<ffffffff8156f515>] ubi_io_write_vid_hdr+0x155/0x160
      [   31.569084]  [<ffffffff8156c10a>] ubi_eba_write_leb+0x23a/0x870
      [   31.569628]  [<ffffffff81569b36>] vol_cdev_write+0x226/0x380
      [   31.570155]  [<ffffffff81179265>] vfs_write+0xb5/0x1f0
      [   31.570627]  [<ffffffff81179f8a>] SyS_pwrite64+0x6a/0xa0
      [   31.571123]  [<ffffffff818fde12>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      85ce61f0
    • Tony Lindgren's avatar
      pstore-ram: Allow optional mapping with pgprot_noncached · c7ba2d79
      Tony Lindgren authored
      commit 027bc8b0 upstream.
      
      On some ARMs the memory can be mapped pgprot_noncached() and still
      be working for atomic operations. As pointed out by Colin Cross
      <ccross@android.com>, in some cases you do want to use
      pgprot_noncached() if the SoC supports it to see a debug printk
      just before a write hanging the system.
      
      On ARMs, the atomic operations on strongly ordered memory are
      implementation defined. So let's provide an optional kernel parameter
      for configuring pgprot_noncached(), and use pgprot_writecombine() by
      default.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Rob Herring <robherring2@gmail.com>
      Cc: Randy Dunlap <rdunlap@infradead.org>
      Cc: Anton Vorontsov <anton@enomsg.org>
      Cc: Colin Cross <ccross@android.com>
      Cc: Olof Johansson <olof@lixom.net>
      Cc: Russell King <linux@arm.linux.org.uk>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c7ba2d79
    • Rob Herring's avatar
      pstore-ram: Fix hangs by using write-combine mappings · dedfc0ec
      Rob Herring authored
      commit 7ae9cb81 upstream.
      
      Currently trying to use pstore on at least ARMs can hang as we're
      mapping the peristent RAM with pgprot_noncached().
      
      On ARMs, pgprot_noncached() will actually make the memory strongly
      ordered, and as the atomic operations pstore uses are implementation
      defined for strongly ordered memory, they may not work. So basically
      atomic operations have undefined behavior on ARM for device or strongly
      ordered memory types.
      
      Let's fix the issue by using write-combine variants for mappings. This
      corresponds to normal, non-cacheable memory on ARM. For many other
      architectures, this change does not change the mapping type as by
      default we have:
      
      #define pgprot_writecombine pgprot_noncached
      
      The reason why pgprot_noncached() was originaly used for pstore
      is because Colin Cross <ccross@android.com> had observed lost
      debug prints right before a device hanging write operation on some
      systems. For the platforms supporting pgprot_noncached(), we can
      add a an optional configuration option to support that. But let's
      get pstore working first before adding new features.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Anton Vorontsov <cbouatmailru@gmail.com>
      Cc: Colin Cross <ccross@android.com>
      Cc: Olof Johansson <olof@lixom.net>
      Cc: linux-kernel@vger.kernel.org
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarRob Herring <rob.herring@calxeda.com>
      [tony@atomide.com: updated description]
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dedfc0ec
    • Hante Meuleman's avatar
      brcmfmac: Fix ifidx for rx data by msgbuf. · f2b80ae7
      Hante Meuleman authored
      commit 94a61208 upstream.
      
      The ifidx provided by FW needs to be offsetted when receiving data
      packets.
      Reviewed-by: default avatarArend Van Spriel <arend@broadcom.com>
      Reviewed-by: default avatarPieter-Paul Giesberts <pieterpg@broadcom.com>
      Signed-off-by: default avatarHante Meuleman <meuleman@broadcom.com>
      Signed-off-by: default avatarArend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f2b80ae7
    • Myron Stowe's avatar
      PCI: Restore detection of read-only BARs · efdb9b95
      Myron Stowe authored
      commit 36e81648 upstream.
      
      Commit 6ac665c6 ("PCI: rewrite PCI BAR reading code") masked off
      low-order bits from 'l', but not from 'sz'.  Both are passed to pci_size(),
      which compares 'base == maxbase' to check for read-only BARs.  The masking
      of 'l' means that comparison will never be 'true', so the check for
      read-only BARs no longer works.
      
      Resolve this by also masking off the low-order bits of 'sz' before passing
      it into pci_size() as 'maxbase'.  With this change, pci_size() will once
      again catch the problems that have been encountered to date:
      
        - AGP aperture BAR of AMD-7xx host bridges: if the AGP window is
          disabled, this BAR is read-only and read as 0x00000008 [1]
      
        - BARs 0-4 of ALi IDE controllers can be non-zero and read-only [1]
      
        - Intel Sandy Bridge - Thermal Management Controller [8086:0103];
          BAR 0 returning 0xfed98004 [2]
      
        - Intel Xeon E5 v3/Core i7 Power Control Unit [8086:2fc0];
          Bar 0 returning 0x00001a [3]
      
      Link: [1] https://git.kernel.org/cgit/linux/kernel/git/tglx/history.git/commit/drivers/pci/probe.c?id=1307ef6621991f1c4bc3cec1b5a4ebd6fd3d66b9 ("PCI: probing read-only BARs" (pre-git))
      Link: [2] https://bugzilla.kernel.org/show_bug.cgi?id=43331
      Link: [3] https://bugzilla.kernel.org/show_bug.cgi?id=85991Reported-by: default avatarWilliam Unruh <unruh@physics.ubc.ca>
      Reported-by: default avatarMartin Lucina <martin@lucina.net>
      Signed-off-by: default avatarMyron Stowe <myron.stowe@redhat.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      CC: Matthew Wilcox <willy@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      efdb9b95
    • Johan Hedberg's avatar
      Bluetooth: Fix accepting connections when not using mgmt · 2b81cffd
      Johan Hedberg authored
      commit 6a8fc95c upstream.
      
      When connectable mode is enabled (page scan on) through some non-mgmt
      method the HCI_CONNECTABLE flag will not be set. For backwards
      compatibility with user space versions not using mgmt we should not
      require HCI_CONNECTABLE to be set if HCI_MGMT is not set.
      Reported-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Tested-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2b81cffd
    • Marcel Holtmann's avatar
      Bluetooth: Fix controller configuration with HCI_QUIRK_INVALID_BDADDR · ad976d1c
      Marcel Holtmann authored
      commit 8bfe8442 upstream.
      
      When controllers set the HCI_QUIRK_INVALID_BDADDR flag, it is required
      by userspace to program a valid public Bluetooth device address into
      the controller before it can be used.
      
      After successful address configuration, the internal state changes and
      the controller runs the complete initialization procedure. However one
      small difference is that this is no longer the HCI_SETUP stage. The
      HCI_SETUP stage is only valid during initial controller setup. In this
      case the stack runs the initialization as part of the HCI_CONFIG stage.
      
      The controller version information, default name and supported commands
      are only stored during HCI_SETUP. While these information are static,
      they are not read initially when HCI_QUIRK_INVALID_BDADDR is set. So
      when running in HCI_CONFIG state, these information need to be updated
      as well.
      
      This especially impacts Bluetooth 4.1 and later controllers using
      extended feature pages and second event mask page.
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad976d1c
    • Marcel Holtmann's avatar
      Bluetooth: Clear LE white list when resetting controller · 0de8cd64
      Marcel Holtmann authored
      commit a4d5504d upstream.
      
      The internal representation of the LE white list needs to be cleared
      when receiving a successful HCI_Reset command. A reset of the controller
      is expected to start with an empty LE white list.
      
      When the LE white list is not cleared on controller reset, the passive
      background scanning might skip programming the remote devices. Only
      changes to the LE white list are programmed when passive background
      is started.
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0de8cd64
    • Johan Hedberg's avatar
      Bluetooth: Fix check for direct advertising · 18368232
      Johan Hedberg authored
      commit 0b1db38c upstream.
      
      These days we allow simultaneous LE scanning and advertising. Checking
      for whether advertising is enabled or not is therefore not a reliable
      way to determine whether directed advertising was used to trigger the
      connection creation. The appropriate place to check (instead of the hdev
      context) is the connection role that's stored in the hci_conn. This
      patch fixes such a check in le_conn_timeout() which could otherwise lead
      to incorrect HCI commands being sent.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18368232
    • Johan Hedberg's avatar
      Bluetooth: Fix LE connection timeout deadlock · f3d02a6c
      Johan Hedberg authored
      commit 980ffc0a upstream.
      
      The le_conn_timeout() may call hci_le_conn_failed() which in turn may
      call hci_conn_del(). Trying to use the _sync variant for cancelling the
      conn timeout from hci_conn_del() could therefore result in a deadlock.
      This patch converts hci_conn_del() to use the non-sync variant so the
      deadlock is not possible.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3d02a6c
    • Alexander Aring's avatar
      Bluetooth: 6lowpan: fix skb_unshare behaviour · bff7d3f0
      Alexander Aring authored
      commit b0c42cd7 upstream.
      
      This patch reverts commit:
      
      a7807d73 ("Bluetooth: 6lowpan: Avoid memory leak if memory allocation
      fails")
      
      which was wrong suggested by Alexander Aring. The function skb_unshare
      run also kfree_skb on failure.
      Signed-off-by: default avatarAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bff7d3f0
    • Dmitry Tunin's avatar
      Bluetooth: ath3k: Add support of MCI 13d3:3408 bt device · 767d8836
      Dmitry Tunin authored
      commit 3bb30a7c upstream.
      
      Add support for Bluetooth MCI WB335 (AR9565) Wi-Fi+bt module. This
      Bluetooth module requires loading patch and sysconfig by ath3k driver.
      
      T:  Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 20 Spd=12   MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3408 Rev= 0.02
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: default avatarDmitry Tunin <hanipouspilot@gmail.com>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      767d8836