1. 06 Aug, 2014 23 commits
    • drm/vmwgfx: Fix incorrect write to read-only register v2: · 34762248
      Thomas Hellstrom authored
      commit 4e578080 upstream.
      
      Commit "drm/vmwgfx: correct fb_fix_screeninfo.line_length", while fixing a
      vmwgfx fbdev bug, also writes the pitch to a supposedly read-only register:
      SVGA_REG_BYTES_PER_LINE, while it should be (and also in fact is) written to
      SVGA_REG_PITCHLOCK.
      
      This patch is Cc'd stable because of the unknown effects writing to this
      register might have, particularly on older device versions.
      
      v2: Updated log message.
      
      Cc: Christopher Friedt <chrisfriedt@gmail.com>
      Tested-by: Christopher Friedt <chrisfriedt@gmail.com>
      Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • iwlwifi: dvm: don't enable CTS to self · 94f85e69
      Emmanuel Grumbach authored
      commit 43d826ca upstream.
      
      We should always prefer to use full RTS protection. Using
      CTS to self gives a meaningless improvement, but this flow
      is much harder for the firmware which is likely to have
      issues with it.
      Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
      [bwh: Backported to 3.2:
       - Adjust filename
       - Condition for RXON_FLG_SELF_CTS_EN in iwlagn_commit_rxon() was different]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • xen/manage: fix potential deadlock when resuming the console · 8a9c266c
      David Vrabel authored
      commit 1b647823 upstream.
      
      Calling xen_console_resume() in xen_suspend() causes a warning because
      it locks irq_mapping_update_lock (a mutex) and this may sleep.  If a
      userspace process is using the evtchn device then this mutex may be
      locked at the point of the stop_machine() call and
      xen_console_resume() would then deadlock.
      
      Resuming the console after stop_machine() returns avoids this
      deadlock.
      Signed-off-by: David Vrabel <david.vrabel@citrix.com>
      Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • md: flush writes before starting a recovery. · 74d31de6
      NeilBrown authored
      commit 133d4527 upstream.
      
      When we write to a degraded array which has a bitmap, we
      make sure the relevant bit in the bitmap remains set when
      the write completes (so a 're-add' can quickly rebuild a
      temporarily-missing device).
      
      If, immediately after such a write starts, we incorporate a spare,
      commence recovery, and skip over the region where the write is
      happening (because the 'needs recovery' flag isn't set yet),
      then that write will not get to the new device.
      
      Once the recovery finishes the new device will be trusted, but will
      have incorrect data, leading to possible corruption.
      
      We cannot set the 'needs recovery' flag when we start the write as we
      do not know easily if the write will be "degraded" or not.  That
      depends on details of the particular raid level and particular write
      request.
      
      This patch fixes a corruption issue of long standing and so it is
      suitable for any -stable kernel.  It applied correctly to 3.0 at
      least and with minor editing to earlier kernels.
      Reported-by: Bill <billstuff2001@sbcglobal.net>
      Tested-by: Bill <billstuff2001@sbcglobal.net>
      Link: http://lkml.kernel.org/r/53A518BB.60709@sbcglobal.net
      Signed-off-by: NeilBrown <neilb@suse.de>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • perf/x86/intel: ignore CondChgd bit to avoid false NMI handling · 0fda3056
      HATAYAMA Daisuke authored
      commit b292d7a1 upstream.
      
      Currently, any NMI is falsely handled by a NMI handler of NMI watchdog
      if CondChgd bit in MSR_CORE_PERF_GLOBAL_STATUS MSR is set.
      
      For example, we use external NMI to make system panic to get crash
      dump, but in this case, the external NMI is falsely handled due to the
      issue.
      
      This commit deals with the issue simply by ignoring CondChgd bit.
      
      Here is explanation in detail.
      
      On x86 NMI watchdog uses performance monitoring feature to
      periodically signal NMI each time performance counter gets overflowed.
      
      intel_pmu_handle_irq() is called as a NMI_LOCAL handler from a NMI
      handler of NMI watchdog, perf_event_nmi_handler(). It identifies an
      owner of a given NMI by looking at overflow status bits in
      MSR_CORE_PERF_GLOBAL_STATUS MSR. If some of the bits are set, then it
      handles the given NMI as its own NMI.
      
      The problem is that the intel_pmu_handle_irq() doesn't distinguish
      CondChgd bit from other bits. Unlike the other status bits, CondChgd
      bit doesn't represent overflow status for performance counters. Thus,
      CondChgd bit cannot be thought of as a mark indicating a given NMI is
      NMI watchdog's.
      
      As a result, if CondChgd bit is set, any NMI is falsely handled by the
      NMI handler of NMI watchdog. Also, if type of the falsely handled NMI
      is either NMI_UNKNOWN, NMI_SERR or NMI_IO_CHECK, the corresponding
      action is never performed until CondChgd bit is cleared.
      
      I noticed this behavior on systems with Ivy Bridge processors: Intel
      Xeon CPU E5-2630 v2 and Intel Xeon CPU E7-8890 v2. On both systems,
      CondChgd bit in MSR_CORE_PERF_GLOBAL_STATUS MSR has already been set
      in the beginning at boot. Then the CondChgd bit is immediately cleared
      by next wrmsr to MSR_CORE_PERF_GLOBAL_CTRL MSR and appears to remain
      0.
      
      On the other hand, on older processors such as Nehalem, Xeon E7540,
      CondChgd bit is not set in the beginning at boot.
      
      I'm not sure about exact behavior of CondChgd bit, in particular when
      this bit is set. Although I read Intel System Programmer's Manual to
      figure out that, the descriptions I found are:
      
        In 18.9.1:

        "The MSR_PERF_GLOBAL_STATUS MSR also provides a 'sticky bit' to
         indicate changes to the state of performance monitoring hardware"
      
        In Table 35-2 IA-32 Architectural MSRs
      
        63 CondChg: status bits of this register has changed.
      
      These are different from the behaviour I see on the actual system as I
      explained above.
      
      At least, I think ignoring CondChgd bit should be enough for NMI
      watchdog perspective.
      Signed-off-by: HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com>
      Acked-by: Don Zickus <dzickus@redhat.com>
      Signed-off-by: Peter Zijlstra <peterz@infradead.org>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: linux-kernel@vger.kernel.org
      Link: http://lkml.kernel.org/r/20140625.103503.409316067.d.hatayama@jp.fujitsu.com
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • usb-storage/SCSI: Add broken_fua blacklist flag · 27bbd86f
      Alan Stern authored
      commit b14bf2d0 upstream.
      
      Some buggy JMicron USB-ATA bridges don't know how to translate the FUA
      bit in READs or WRITEs.  This patch adds an entry in unusual_devs.h
      and a blacklist flag to tell the sd driver not to use FUA.
      Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
      Reported-by: Michael Büsch <m@bues.ch>
      Tested-by: Michael Büsch <m@bues.ch>
      Acked-by: James Bottomley <James.Bottomley@HansenPartnership.com>
      CC: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2:
       - Adjust context
       - Use sd_printk() not sd_first_printk()]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • tools: ffs-test: fix header values endianess · 949ff4d6
      Michal Nazarewicz authored
      commit f35f7124 upstream.
      
      It appears that no one ever ran ffs-test on a big-endian machine,
      since it used cpu-endianness for fs_count and hs_count fields which
      should be in little-endian format.  Fix by wrapping the numbers in
      cpu_to_le32.
      Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
      Signed-off-by: Felipe Balbi <balbi@ti.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • nfsd: fix rare symlink decoding bug · fde2b7c5
      J. Bruce Fields authored
      commit 76f47128 upstream.
      
      An NFS operation that creates a new symlink includes the symlink data,
      which is xdr-encoded as a length followed by the data plus 0 to 3 bytes
      of zero-padding as required to reach a 4-byte boundary.
      
      The vfs, on the other hand, wants null-terminated data.
      
      The simple way to handle this would be by copying the data into a newly
      allocated buffer with space for the final null.
      
      The current nfsd_symlink code tries to be more clever by skipping that
      step in the (likely) case where the byte following the string is already
      0.
      
      But that assumes that the byte following the string is ours to look at.
      In fact, it might be the first byte of a page that we can't read, or of
      some object that another task might modify.
      
      Worse, the NFSv4 code tries to fix the problem by actually writing to
      that byte.
      
      In the NFSv2/v3 cases this actually appears to be safe:
      
      	- nfs3svc_decode_symlinkargs explicitly null-terminates the data
      	  (after first checking its length and copying it to a new
      	  page).
      	- NFSv2 limits symlinks to 1k.  The buffer holding the rpc
      	  request is always at least a page, and the link data (and
      	  previous fields) have maximum lengths that prevent the request
      	  from reaching the end of a page.
      
      In the NFSv4 case the CREATE op is potentially just one part of a long
      compound so can end up on the end of a page if you're unlucky.
      
      The minimal fix here is to copy and null-terminate in the NFSv4 case.
      The nfsd_symlink() interface here seems too fragile, though.  It should
      really either do the copy itself every time or just require a
      null-terminated string.
      Reported-by: Jeff Layton <jlayton@primarydata.com>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
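
An added illustration of the decoding problem described in the nfsd commit message above (not code from the kernel or from that patch): a user-space XDR string decoder that always copies and NUL-terminates, plus a helper showing when the "byte following the string" is outside the request buffer. The function names, status codes and the `max_len` parameter are hypothetical, and the request bytes in `main()` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { XDR_OK = 0, XDR_TRUNCATED = -1, XDR_TOO_LONG = -2, XDR_NOMEM = -3 };

/* XDR pads opaque data with 0 to 3 zero bytes up to a 4-byte boundary. */
size_t xdr_padded(size_t len)
{
    return (len + 3) & ~(size_t)3;
}

/*
 * The shortcut described in the commit message inspects buf[data_off + len].
 * This helper reports whether that byte is inside the request buffer at all;
 * when it returns 0 the byte belongs to whatever follows the buffer.
 */
int following_byte_in_bounds(size_t buflen, size_t data_off, uint32_t len)
{
    return data_off <= buflen && len < buflen - data_off;
}

/*
 * Decode one XDR string (4-byte big-endian length, data, padding) starting
 * at *off and return it in *out as a newly allocated, NUL-terminated copy.
 * max_len is a caller-chosen limit (hypothetical parameter).
 */
int xdr_decode_symlink(const uint8_t *buf, size_t buflen, size_t *off,
                       uint32_t max_len, char **out)
{
    size_t pos = *off;
    uint32_t len;
    char *copy;

    if (pos > buflen || buflen - pos < 4)
        return XDR_TRUNCATED;
    len = ((uint32_t)buf[pos] << 24) | ((uint32_t)buf[pos + 1] << 16) |
          ((uint32_t)buf[pos + 2] << 8) | (uint32_t)buf[pos + 3];
    pos += 4;

    if (len > max_len)                   /* bound len before using it */
        return XDR_TOO_LONG;
    if (buflen - pos < xdr_padded(len))  /* data and padding must fit */
        return XDR_TRUNCATED;

    copy = malloc((size_t)len + 1);      /* room for the final NUL */
    if (copy == NULL)
        return XDR_NOMEM;
    memcpy(copy, buf + pos, len);
    copy[len] = '\0';                    /* written to our copy, not the request */

    *out = copy;
    *off = pos + xdr_padded(len);
    return XDR_OK;
}

int main(void)
{
    /* Constructed request: 8-byte target, no padding, ends at buffer end. */
    const uint8_t req[] = { 0, 0, 0, 8, '/', 't', 'm', 'p', '/', 'a', 'b', 'c' };
    size_t off = 0;
    char *target = NULL;
    int rc = xdr_decode_symlink(req, sizeof(req), &off, 1024, &target);

    printf("rc=%d target=%s following byte in bounds: %d\n", rc,
           rc == XDR_OK ? target : "(none)",
           following_byte_in_bounds(sizeof(req), 4, 8));
    free(target);
    return rc == XDR_OK ? 0 : 1;
}
```

In the constructed request the string length is a multiple of four, so there is no padding byte to act as a terminator and the following byte lies past the end of the buffer.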
    • mwifiex: fix Tx timeout issue · e70acb57
      Amitkumar Karwar authored
      commit d76744a9 upstream.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=70191
      https://bugzilla.kernel.org/show_bug.cgi?id=77581
      
      It is observed that sometimes Tx packet is downloaded without
      adding driver's txpd header. This results in firmware parsing
      garbage data as packet length. Sometimes firmware is unable
      to read the packet if length comes out as invalid. This stops
      further traffic and timeout occurs.
      
      The root cause is uninitialized fields in tx_info(skb->cb) of
      packet used to get garbage values. In this case if
      MWIFIEX_BUF_FLAG_REQUEUED_PKT flag is mistakenly set, txpd
      header was skipped. This patch makes sure that tx_info is
      correctly initialized to fix the problem.
      Reported-by: Andrew Wiley <wiley.andrew.j@gmail.com>
      Reported-by: Linus Gasser <list@markas-al-nour.org>
      Reported-by: Michael Hirsch <hirsch@teufel.de>
      Tested-by: Xinming Hu <huxm@marvell.com>
      Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: Maithili Hinge <maithili@marvell.com>
      Signed-off-by: Avinash Patil <patila@marvell.com>
      Signed-off-by: Bing Zhao <bzhao@marvell.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • cpuset,mempolicy: fix sleeping function called from invalid context · 08c7de52
      Gu Zheng authored
      commit 391acf97 upstream.
      
      When running with the kernel (3.15-rc7+), the following bug occurs:
      [ 9969.258987] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:586
      [ 9969.359906] in_atomic(): 1, irqs_disabled(): 0, pid: 160655, name: python
      [ 9969.441175] INFO: lockdep is turned off.
      [ 9969.488184] CPU: 26 PID: 160655 Comm: python Tainted: G       A      3.15.0-rc7+ #85
      [ 9969.581032] Hardware name: FUJITSU-SV PRIMEQUEST 1800E/SB, BIOS PRIMEQUEST 1000 Series BIOS Version 1.39 11/16/2012
      [ 9969.706052]  ffffffff81a20e60 ffff8803e941fbd0 ffffffff8162f523 ffff8803e941fd18
      [ 9969.795323]  ffff8803e941fbe0 ffffffff8109995a ffff8803e941fc58 ffffffff81633e6c
      [ 9969.884710]  ffffffff811ba5dc ffff880405c6b480 ffff88041fdd90a0 0000000000002000
      [ 9969.974071] Call Trace:
      [ 9970.003403]  [<ffffffff8162f523>] dump_stack+0x4d/0x66
      [ 9970.065074]  [<ffffffff8109995a>] __might_sleep+0xfa/0x130
      [ 9970.130743]  [<ffffffff81633e6c>] mutex_lock_nested+0x3c/0x4f0
      [ 9970.200638]  [<ffffffff811ba5dc>] ? kmem_cache_alloc+0x1bc/0x210
      [ 9970.272610]  [<ffffffff81105807>] cpuset_mems_allowed+0x27/0x140
      [ 9970.344584]  [<ffffffff811b1303>] ? __mpol_dup+0x63/0x150
      [ 9970.409282]  [<ffffffff811b1385>] __mpol_dup+0xe5/0x150
      [ 9970.471897]  [<ffffffff811b1303>] ? __mpol_dup+0x63/0x150
      [ 9970.536585]  [<ffffffff81068c86>] ? copy_process.part.23+0x606/0x1d40
      [ 9970.613763]  [<ffffffff810bf28d>] ? trace_hardirqs_on+0xd/0x10
      [ 9970.683660]  [<ffffffff810ddddf>] ? monotonic_to_bootbased+0x2f/0x50
      [ 9970.759795]  [<ffffffff81068cf0>] copy_process.part.23+0x670/0x1d40
      [ 9970.834885]  [<ffffffff8106a598>] do_fork+0xd8/0x380
      [ 9970.894375]  [<ffffffff81110e4c>] ? __audit_syscall_entry+0x9c/0xf0
      [ 9970.969470]  [<ffffffff8106a8c6>] SyS_clone+0x16/0x20
      [ 9971.030011]  [<ffffffff81642009>] stub_clone+0x69/0x90
      [ 9971.091573]  [<ffffffff81641c29>] ? system_call_fastpath+0x16/0x1b
      
      The cause is that cpuset_mems_allowed() tries to take
      mutex_lock(&callback_mutex) under the rcu_read_lock (which was held in
      __mpol_dup()). And in cpuset_mems_allowed(), the access to cpuset is
      under rcu_read_lock, so in __mpol_dup, we can reduce the rcu_read_lock
      protection region to protect the access to cpuset only in
      current_cpuset_is_being_rebound(). So that we can avoid this bug.
      
      This patch is a temporary solution that just addresses the bug
      mentioned above, can not fix the long-standing issue about cpuset.mems
      rebinding on fork():
      
      "When the forker's task_struct is duplicated (which includes
       ->mems_allowed) and it races with an update to cpuset_being_rebound
       in update_tasks_nodemask() then the task's mems_allowed doesn't get
       updated. And the child task's mems_allowed can be wrong if the
       cpuset's nodemask changes before the child has been added to the
       cgroup's tasklist."
      Signed-off-by: Gu Zheng <guz.fnst@cn.fujitsu.com>
      Acked-by: Li Zefan <lizefan@huawei.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ibmvscsi: Add memory barriers for send / receive · a89c6d3b
      Brian King authored
      commit 7114aae0 upstream.
      
      Add a memory barrier prior to sending a new command to the VIOS
      to ensure the VIOS does not receive stale data in the command buffer.
      Also add a memory barrier when processing the CRQ for completed commands.
      Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
      Acked-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      [bwh: Backported to 3.2: as the iSeries code is still present, these
       functions have different names and live in rpa_vscsi.c.]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ibmvscsi: Abort init sequence during error recovery · d9916e33
      Brian King authored
      commit 9ee75597 upstream.
      
      If a CRQ reset is triggered for some reason while in the middle
      of performing VSCSI adapter initialization, we don't want to
      call the done function for the initialization MAD commands as
      this will only result in two threads attempting initialization
      at the same time, resulting in failures.
      Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
      Acked-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • xhci: Fix runtime suspended xhci from blocking system suspend. · 54f216e4
      Wang, Yu authored
      commit d6236f6d upstream.
      
      The system suspend flow is as follows:
      1, Freeze all user processes and kernel threads.
      
      2, Try to suspend all devices.
      
      2.1, If pci device is in RPM suspended state, then pci driver will try
      to resume it to RPM active state in the prepare stage.
      
      2.2, xhci_resume function calls usb_hcd_resume_root_hub to queue two
      workqueue items to resume usb2&usb3 roothub devices.
      
      2.3, Call suspend callbacks of devices.
      
      2.3.1, All suspend callbacks of all hcd's children, including
      roothub devices are called.
      
      2.3.2, Finally, hcd_pci_suspend callback is called.
      
      Because workqueue threads were already frozen in step 1, the workqueue
      items can't be scheduled, and the roothub devices can't be resumed in
      this flow. The HCD_FLAG_WAKEUP_PENDING flag which is set in
      usb_hcd_resume_root_hub won't be cleared. Finally,
      hcd_pci_suspend will return -EBUSY, and system suspend fails.
      
      The reason why this issue doesn't show up very often is due to that
      choose_wakeup will be called in step 2.3.1. In step 2.3.1, if
      udev->do_remote_wakeup is not equal to device_may_wakeup(&udev->dev), then
      udev will resume to RPM active for changing the wakeup settings. This
      has been a lucky hit which hides this issue.
      
      For some special xHCI controllers which have no USB2 port, then roothub
      will not match hub driver due to probe failed. Then its
      do_remote_wakeup will be set to zero, and we won't be as lucky.
      
      xhci driver doesn't need to resume roothub devices every time like in
      the above case. It's only needed when there are pending event TRBs.
      
      This patch should be back-ported to kernels as old as 3.2, that
      contains the commit f69e3120
      "USB: XHCI: resume root hubs when the controller resumes"
      Signed-off-by: Wang, Yu <yu.y.wang@intel.com>
      Acked-by: Alan Stern <stern@rowland.harvard.edu>
      [use readl() instead of removed xhci_readl(), reword commit message -Mathias]
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • xhci: clear root port wake on bits if controller isn't wake-up capable · 6833fc85
      Lu Baolu authored
      commit ff8cbf25 upstream.
      
      When xHCI PCI host is suspended, if do_wakeup is false in xhci_pci_suspend,
      xhci_bus_suspend needs to clear all root port wake on bits. Otherwise some Intel
      platforms may get a spurious wakeup, even if PCI PME# is disabled.
      
      This patch should be back-ported to kernels as old as 2.6.37, that
      contains the commit 9777e3ce
      "USB: xHCI: bus power management implementation".
      Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • xhci: correct burst count field for isoc transfers on 1.0 xhci hosts · b85631ab
      Mathias Nyman authored
      commit 3213b151 upstream.
      
      The transfer burst count (TBC) field in xhci 1.0 hosts should be set
      to the number of bursts needed to transfer all packets in an isoc TD.
      Supported values are 0-2 (1 to 3 bursts per service interval).
      
      Formula for TBC calculation is given in xhci spec section 4.11.2.3:
      TBC = roundup( Transfer Descriptor Packet Count / Max Burst Size +1 ) - 1
      
      This patch should be applied to stable kernels since 3.0 that contain
      the commit 5cd43e33
      "xhci 1.0: Set transfer burst count field."
      Suggested-by: ShiChun Ma <masc2008@qq.com>
      Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • usb: option: add/modify Olivetti Olicard modems · 31f8e87f
      Bjørn Mork authored
      commit b0ebef36 upstream.
      
      Adding a couple of Olivetti modems and blacklisting the net
      function on a couple which are already supported.
      Reported-by: Lars Melin <larsm17@gmail.com>
      Signed-off-by: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • USB: ftdi_sio: fix null deref at port probe · a4518ea1
      Johan Hovold authored
      commit aea1ae87 upstream.
      
      Fix NULL-pointer dereference when probing an interface with no
      endpoints.
      
      These devices have two bulk endpoints per interface, but this avoids
      crashing the kernel if a user forces a non-FTDI device to be probed.
      
      Note that the iterator variable was made unsigned in order to avoid
      a maybe-uninitialized compiler warning for ep_desc after the loop.
      
      Fixes: 895f28ba ("USB: ftdi_sio: fix hi-speed device packet size
      calculation")
      Reported-by: Mike Remski <mremski@mutualink.net>
      Tested-by: Mike Remski <mremski@mutualink.net>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • usb: gadget: f_fs: fix NULL pointer dereference when there are no strings · 9919dc4b
      Michal Nazarewicz authored
      commit f0688c8b upstream.
      
      If the descriptors do not need any strings and user space sends empty
      set of strings, the ffs->stringtabs field remains NULL.  Thus
      *ffs->stringtabs in functionfs_bind leads to a NULL pointer
      dereference.
      
      The bug was introduced by commit [fd7c9a00: “use usb_string_ids_n()”].
      
      While at it, remove double initialisation of lang local variable in
      that function.
      
      ffs->strings_count does not need to be checked in any way since in
      the above scenario it will remain zero and usb_string_ids_n() is
      a no-operation when called with 0 argument.
      Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
      Signed-off-by: Felipe Balbi <balbi@ti.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • KVM: x86: preserve the high 32-bits of the PAT register · 23f2204d
      Paolo Bonzini authored
      commit 7cb060a9 upstream.
      
      KVM does not really do much with the PAT, so this went unnoticed for a
      long time.  It is exposed however if you try to do rdmsr on the PAT
      register.
      Reported-by: Valentine Sinitsyn <valentine.sinitsyn@gmail.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • KVM: x86: Increase the number of fixed MTRR regs to 10 · 4314612c
      Nadav Amit authored
      commit 682367c4 upstream.
      
      Recent Intel CPUs have 10 variable range MTRRs. Since operating systems
      sometimes make assumptions on CPUs while they ignore capability MSRs, it is
      better for KVM to be consistent with recent CPUs. Reporting more MTRRs than
      actually supported has no functional implications.
      Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • ARM: OMAP2+: Fix parser-bug in platform muxing code · d7a3e3ec
      David R. Piegdon authored
      commit c021f241 upstream.
      
      Fix a parser-bug in the omap2 muxing code where muxtable-entries will be
      wrongly selected if the requested muxname is a *prefix* of their
      m0-entry and they have a matching mN-entry. Fix by additionally checking
      that the length of the m0_entry is equal.
      
      For example muxing of "dss_data2.dss_data2" on omap32xx will fail
      because the prefix "dss_data2" will match the mux-entries "dss_data2" as
      well as "dss_data20", with the suffix "dss_data2" matching m0 (for
      dss_data2) and m4 (for dss_data20). Thus both are recognized as signal
      path candidates:
      
      Relevant muxentries from mux34xx.c:
              _OMAP3_MUXENTRY(DSS_DATA20, 90,
                      "dss_data20", NULL, "mcspi3_somi", "dss_data2",
                      "gpio_90", NULL, NULL, "safe_mode"),
              _OMAP3_MUXENTRY(DSS_DATA2, 72,
                      "dss_data2", NULL, NULL, NULL,
                      "gpio_72", NULL, NULL, "safe_mode"),
      
      This will result in a failure to mux the pin at all:
      
       _omap_mux_get_by_name: Multiple signal paths (2) for dss_data2.dss_data2
      
      Patch should apply to linus' latest master down to rather old linux-2.6
      trees.
      Signed-off-by: David R. Piegdon <lkml@p23q.org>
      [tony@atomide.com: updated description to include full description]
      Signed-off-by: Tony Lindgren <tony@atomide.com>
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
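
An added, simplified model of the lookup described in the OMAP2+ commit message above (not the kernel's mux code): it counts candidate signal paths for a "mode0name.signalname" request, first with a prefix-only comparison and then with the additional length check. The struct, the function name and the `check_len` switch are hypothetical; the two table entries are the ones quoted in the commit message.

```c
#include <stdio.h>
#include <string.h>

#define NR_MODES 8

struct mux_entry {
    int gpio;                        /* second macro argument in the quoted entries */
    const char *muxnames[NR_MODES];  /* mode0 .. mode7 signal names */
};

/* The two entries quoted in the commit message. */
static const struct mux_entry mux_table[] = {
    { 90, { "dss_data20", NULL, "mcspi3_somi", "dss_data2",
            "gpio_90", NULL, NULL, "safe_mode" } },
    { 72, { "dss_data2", NULL, NULL, NULL,
            "gpio_72", NULL, NULL, "safe_mode" } },
};

/*
 * Count the table entries that satisfy a "mode0name.signalname" request.
 * check_len = 0 models the prefix-only comparison the commit describes;
 * check_len = 1 also requires the mode0 name to have the same length.
 * *gpio and *mode hold the last match and are meaningful only when the
 * return value is 1.
 */
int mux_count_paths(const char *muxname, int check_len, int *gpio, int *mode)
{
    const char *dot = strchr(muxname, '.');
    size_t mode0_len = dot ? (size_t)(dot - muxname) : 0;
    const char *signal = dot ? dot + 1 : muxname;
    int found = 0;
    size_t i;
    int m;

    for (i = 0; i < sizeof(mux_table) / sizeof(mux_table[0]); i++) {
        const struct mux_entry *e = &mux_table[i];
        const char *m0 = e->muxnames[0];

        if (mode0_len) {
            /* Prefix compare: "dss_data2" also matches "dss_data20". */
            if (strncmp(muxname, m0, mode0_len) != 0)
                continue;
            /* Length check: reject entries whose mode0 name is longer. */
            if (check_len && strlen(m0) != mode0_len)
                continue;
        }
        for (m = 0; m < NR_MODES; m++) {
            if (e->muxnames[m] && strcmp(signal, e->muxnames[m]) == 0) {
                found++;
                *gpio = e->gpio;
                *mode = m;
            }
        }
    }
    return found;
}

int main(void)
{
    int gpio = -1, mode = -1;
    int loose = mux_count_paths("dss_data2.dss_data2", 0, &gpio, &mode);
    int strict = mux_count_paths("dss_data2.dss_data2", 1, &gpio, &mode);

    printf("prefix only: %d paths; with length check: %d path (gpio %d, mode %d)\n",
           loose, strict, gpio, mode);
    return strict == 1 ? 0 : 1;
}
```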
    • Revert "net: ip, ipv6: handle gso skbs in forwarding path" · 3d4a1eea
      Ben Hutchings authored
      This reverts commit caa53449, which
      was commit fe6cc55f upstream.  In 3.2,
      the transport header length is not calculated in the forwarding path,
      so skb_gso_network_seglen() returns an incorrect result.  We also have
      problems due to the local_df flag not being set correctly.
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    • Revert "net: ipv4: ip_forward: fix inverted local_df test" · 8bbfe822
      Ben Hutchings authored
      This reverts commit 59d9f389, which
      was commit ca6c5d4a upstream.  It is a
      valid fix, but depends on sk_buff::local_df being set in all the right
      cases, which it wasn't in 3.2.  We need to defer it unless and until
      the other fixes are also backported to 3.2.y.
      Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
  2. 11 Jul, 2014 17 commits