1. 28 Aug, 2015 40 commits
    • Yao-Wen Mao's avatar
      ALSA: usb-audio: add dB range mapping for some devices · 5f2c3556
      Yao-Wen Mao authored
      commit 2d1cb7f6 upstream.
      
      Add the correct dB ranges of Bose Companion 5 and Drangonfly DAC 1.2.
      Signed-off-by: default avatarYao-Wen Mao <yaowen@google.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      5f2c3556
    • Takashi Iwai's avatar
      ALSA: hda - Apply a fixup to Dell Vostro 5480 · f8e18c7d
      Takashi Iwai authored
      commit 3a05d12f upstream.
      
      Dell Vostro 5480 (1028:069a) needs the very same quirk used for Vostro
      5470 model to make bass speakers properly working.
      Reported-and-tested-by: default avatarPaulo Roberto de Oliveira Castro <p.oliveira.castro@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      f8e18c7d
    • Dave Chinner's avatar
      xfs: remote attributes need to be considered data · bcb8607c
      Dave Chinner authored
      commit df150ed1 upstream.
      
      We don't log remote attribute contents, and instead write them
      synchronously before we commit the block allocation and attribute
      tree update transaction. As a result we are writing to the allocated
      space before the allcoation has been made permanent.
      
      As a result, we cannot consider this allocation to be a metadata
      allocation. Metadata allocation can take blocks from the free list
      and so reuse them before the transaction that freed the block is
      committed to disk. This behaviour is perfectly fine for journalled
      metadata changes as log recovery will ensure the free operation is
      replayed before the overwrite, but for remote attribute writes this
      is not the case.
      
      Hence we have to consider the remote attribute blocks to contain
      data and allocate accordingly. We do this by dropping the
      XFS_BMAPI_METADATA flag from the block allocation. This means the
      allocation will not use blocks that are on the busy list without
      first ensuring that the freeing transaction has been committed to
      disk and the blocks removed from the busy list. This ensures we will
      never overwrite a freed block without first ensuring that it is
      really free.
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      bcb8607c
    • Dave Chinner's avatar
      xfs: remote attribute headers contain an invalid LSN · 20149e85
      Dave Chinner authored
      commit e3c32ee9 upstream.
      
      In recent testing, a system that crashed failed log recovery on
      restart with a bad symlink buffer magic number:
      
      XFS (vda): Starting recovery (logdev: internal)
      XFS (vda): Bad symlink block magic!
      XFS: Assertion failed: 0, file: fs/xfs/xfs_log_recover.c, line: 2060
      
      On examination of the log via xfs_logprint, none of the symlink
      buffers in the log had a bad magic number, nor were any other types
      of buffer log format headers mis-identified as symlink buffers.
      Tracing was used to find the buffer the kernel was tripping over,
      and xfs_db identified it's contents as:
      
      000: 5841524d 00000000 00000346 64d82b48 8983e692 d71e4680 a5f49e2c b317576e
      020: 00000000 00602038 00000000 006034ce d0020000 00000000 4d4d4d4d 4d4d4d4d
      040: 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d
      060: 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d 4d4d4d4d
      .....
      
      This is a remote attribute buffer, which are notable in that they
      are not logged but are instead written synchronously by the remote
      attribute code so that they exist on disk before the attribute
      transactions are committed to the journal.
      
      The above remote attribute block has an invalid LSN in it - cycle
      0xd002000, block 0 - which means when log recovery comes along to
      determine if the transaction that writes to the underlying block
      should be replayed, it sees a block that has a future LSN and so
      does not replay the buffer data in the transaction. Instead, it
      validates the buffer magic number and attaches the buffer verifier
      to it.  It is this buffer magic number check that is failing in the
      above assert, indicating that we skipped replay due to the LSN of
      the underlying buffer.
      
      The problem here is that the remote attribute buffers cannot have a
      valid LSN placed into them, because the transaction that contains
      the attribute tree pointer changes and the block allocation that the
      attribute data is being written to hasn't yet been committed. Hence
      the LSN field in the attribute block is completely unwritten,
      thereby leaving the underlying contents of the block in the LSN
      field. It could have any value, and hence a future overwrite of the
      block by log recovery may or may not work correctly.
      
      Fix this by always writing an invalid LSN to the remote attribute
      block, as any buffer in log recovery that needs to write over the
      remote attribute should occur. We are protected from having old data
      written over the attribute by the fact that freeing the block before
      the remote attribute is written will result in the buffer being
      marked stale in the log and so all changes prior to the buffer stale
      transaction will be cancelled by log recovery.
      
      Hence it is safe to ignore the LSN in the case or synchronously
      written, unlogged metadata such as remote attribute blocks, and to
      ensure we do that correctly, we need to write an invalid LSN to all
      remote attribute blocks to trigger immediate recovery of metadata
      that is written over the top.
      
      As a further protection for filesystems that may already have remote
      attribute blocks with bad LSNs on disk, change the log recovery code
      to always trigger immediate recovery of metadata over remote
      attribute blocks.
      Signed-off-by: default avatarDave Chinner <dchinner@redhat.com>
      Reviewed-by: default avatarBrian Foster <bfoster@redhat.com>
      Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      20149e85
    • Ard Biesheuvel's avatar
      arm64/efi: map the entire UEFI vendor string before reading it · 410f970d
      Ard Biesheuvel authored
      commit f91b1fea upstream.
      
      At boot, the UTF-16 UEFI vendor string is copied from the system
      table into a char array with a size of 100 bytes. However, this
      size of 100 bytes is also used for memremapping() the source,
      which may not be sufficient if the vendor string exceeds 50
      UTF-16 characters, and the placement of the vendor string inside
      a 4 KB page happens to leave the end unmapped.
      
      So use the correct '100 * sizeof(efi_char16_t)' for the size of
      the mapping.
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Fixes: f84d0275 ("arm64: add EFI runtime services")
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      410f970d
    • Marc-André Lureau's avatar
      vhost: actually track log eventfd file · 43514b23
      Marc-André Lureau authored
      commit 7932c0bd upstream.
      
      While reviewing vhost log code, I found out that log_file is never
      set. Note: I haven't tested the change (QEMU doesn't use LOG_FD yet).
      Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      43514b23
    • Ilia Mirkin's avatar
      drm/nouveau/fbcon/nv11-: correctly account for ring space usage · 64416b81
      Ilia Mirkin authored
      commit d108142c upstream.
      
      The RING_SPACE macro accounts how much space is used up so it's
      important to ask it for the right amount. Incorrect accounting of this
      can cause page faults down the line as writes are attempted outside of
      the ring.
      Signed-off-by: default avatarIlia Mirkin <imirkin@alum.mit.edu>
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      64416b81
    • Takashi Iwai's avatar
      ALSA: hda - Apply fixup for another Toshiba Satellite S50D · 657f2c25
      Takashi Iwai authored
      commit b9d9c9ef upstream.
      
      Toshiba Satellite S50D has another model with a different PCI SSID
      (1179:fa93) while the previous fixup was for 1179:fa91.  Adjust the
      fixup entry with SND_PCI_QUIRK_MASK() to match with both devices.
      Reported-by: default avatarTim Sample <timsample@gmail.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      657f2c25
    • Denis Carikli's avatar
      ARM: dts: i.MX35: Fix can support. · 14906dc1
      Denis Carikli authored
      commit e053f96b upstream.
      
      Since commit 3d42a379
      ("can: flexcan: add 2nd clock to support imx53 and newer")
      the can driver requires a dt nodes to have a second clock.
      Add them to imx35 to fix probing the flex can driver on the
      respective platforms.
      Signed-off-by: default avatarDenis Carikli <denis@eukrea.com>
      Signed-off-by: default avatarShawn Guo <shawnguo@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      14906dc1
    • Nicholas Bellinger's avatar
      iscsi-target: Fix iser explicit logout TX kthread leak · 917d0efc
      Nicholas Bellinger authored
      commit 007d038b upstream.
      
      This patch fixes a regression introduced with the following commit
      in v4.0-rc1 code, where an explicit iser-target logout would result
      in ->tx_thread_active being incorrectly cleared by the logout post
      handler, and subsequent TX kthread leak:
      
          commit 88dcd2da
          Author: Nicholas Bellinger <nab@linux-iscsi.org>
          Date:   Thu Feb 26 22:19:15 2015 -0800
      
              iscsi-target: Convert iscsi_thread_set usage to kthread.h
      
      To address this bug, change iscsit_logout_post_handler_closesession()
      and iscsit_logout_post_handler_samecid() to only cmpxchg() on
      ->tx_thread_active for traditional iscsi/tcp connections.
      
      This is required because iscsi/tcp connections are invoking logout
      post handler logic directly from TX kthread context, while iser
      connections are invoking logout post handler logic from a seperate
      workqueue context.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      917d0efc
    • Nicholas Bellinger's avatar
      iscsi-target: Fix iscsit_start_kthreads failure OOPs · 6ee45fe2
      Nicholas Bellinger authored
      commit e5419865 upstream.
      
      This patch fixes a regression introduced with the following commit
      in v4.0-rc1 code, where a iscsit_start_kthreads() failure triggers
      a NULL pointer dereference OOPs:
      
          commit 88dcd2da
          Author: Nicholas Bellinger <nab@linux-iscsi.org>
          Date:   Thu Feb 26 22:19:15 2015 -0800
      
              iscsi-target: Convert iscsi_thread_set usage to kthread.h
      
      To address this bug, move iscsit_start_kthreads() immediately
      preceeding the transmit of last login response, before signaling
      a successful transition into full-feature-phase within existing
      iscsi_target_do_tx_login_io() logic.
      
      This ensures that no target-side resource allocation failures can
      occur after the final login response has been successfully sent.
      
      Also, it adds a iscsi_conn->rx_login_comp to allow the RX thread
      to sleep to prevent other socket related failures until the final
      iscsi_post_login_handler() call is able to complete.
      
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [ kamal: backport to 3.19-stable: iscsi_target_core.h path ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      6ee45fe2
    • Nicholas Bellinger's avatar
      iscsi-target: Convert iscsi_thread_set usage to kthread.h · 3dc1cff8
      Nicholas Bellinger authored
      commit 88dcd2da upstream.
      
      This patch converts iscsi-target code to use modern kthread.h API
      callers for creating RX/TX threads for each new iscsi_conn descriptor,
      and releasing associated RX/TX threads during connection shutdown.
      
      This is done using iscsit_start_kthreads() -> kthread_run() to start
      new kthreads from within iscsi_post_login_handler(), and invoking
      kthread_stop() from existing iscsit_close_connection() code.
      
      Also, convert iscsit_logout_post_handler_closesession() code to use
      cmpxchg when determing when iscsit_cause_connection_reinstatement()
      needs to sleep waiting for completion.
      Reported-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Tested-by: default avatarSagi Grimberg <sagig@mellanox.com>
      Cc: Slava Shwartsman <valyushash@gmail.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [ kamal: backport to 3.19-stable: iscsi_target_core.h path ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      3dc1cff8
    • Nicholas Bellinger's avatar
      iscsi-target: Fix use-after-free during TPG session shutdown · 3b9b1d90
      Nicholas Bellinger authored
      commit 417c20a9 upstream.
      
      This patch fixes a use-after-free bug in iscsit_release_sessions_for_tpg()
      where se_portal_group->session_lock was incorrectly released/re-acquired
      while walking the active se_portal_group->tpg_sess_list.
      
      The can result in a NULL pointer dereference when iscsit_close_session()
      shutdown happens in the normal path asynchronously to this code, causing
      a bogus dereference of an already freed list entry to occur.
      
      To address this bug, walk the session list checking for the same state
      as before, but move entries to a local list to avoid dropping the lock
      while walking the active list.
      
      As before, signal using iscsi_session->session_restatement=1 for those
      list entries to be released locally by iscsit_free_session() code.
      Reported-by: default avatarSunilkumar Nadumuttlu <sjn@datera.io>
      Cc: Sunilkumar Nadumuttlu <sjn@datera.io>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      3b9b1d90
    • Alexei Potashnik's avatar
      qla2xxx: terminate exchange when command is aborted by LIO · 1261c7fb
      Alexei Potashnik authored
      commit 7359df25 upstream.
      
      The newly introduced aborted_task TFO callback has to terminate
      exchange with QLogic driver, since command is being deleted and
      no status will be queued to the driver at a later point.
      
      This patch also moves the burden of releasing one cmd refcount to
      the aborted_task handler.
      
      Changed iSCSI aborted_task logic to satisfy the above requirement.
      Signed-off-by: default avatarAlexei Potashnik <alexei@purestorage.com>
      Acked-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [ kamal: backport to 3.19-stable: s/se_cmd->tag/cmd->tag/ ]
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      1261c7fb
    • Alexei Potashnik's avatar
      qla2xxx: drop cmds/tmrs arrived while session is being deleted · a37a90cb
      Alexei Potashnik authored
      commit e52a8b45 upstream.
      
      If a new initiator (different WWN) shows up on the same fcport, old
      initiator's session is scheduled for deletion. But there is a small
      window between it being marked with QLA_SESS_DELETION_IN_PROGRESS
      and qlt_unret_sess getting called when new session's commands will
      keep finding old session in the fcport map.
      
      This patch drops cmds/tmrs if they find session in the progress of
      being deleted.
      Signed-off-by: default avatarAlexei Potashnik <alexei@purestorage.com>
      Acked-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      a37a90cb
    • Alexei Potashnik's avatar
      qla2xxx: disable scsi_transport_fc registration in target mode · 2652a100
      Alexei Potashnik authored
      commit d20ed91b upstream.
      
      There are multiple reasons for disabling this:
      
      1. It provides no functional benefit. We pretty much only get a few more
      sysfs entries for each port, but all that information is already
      available from /sys/kernel/debug/target/qla-session-X
      
      2. It already only works in private-loop mode. By disabling we'll be
      getting more uniform behavior with fabric mode.
      
      3. It creates complications for the new PLOGI handling mechanism:
      scsi_transport_fc port deletion timer could race with new session
      from initiator and cause logout after successful login.
      Signed-off-by: default avatarAlexei Potashnik <alexei@purestorage.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      2652a100
    • Alexei Potashnik's avatar
      qla2xxx: added sess generations to detect RSCN update races · 11e5f637
      Alexei Potashnik authored
      commit df673274 upstream.
      
      RSCN processing in qla2xxx driver can run in parallel with ELS/IO
      processing. As such the decision to remove disappeared fc port's
      session could be stale, because a new login sequence has occurred
      since and created a brand new session.
      
      Previous mechanism of dealing with this by delaying deletion request
      was prone to erroneous deletions if the event that was supposed to
      cancel the deletion never arrived or has been delayed in processing.
      
      New mechanism relies on a time-like generation counter to serialize
      RSCN updates relative to ELS/IO updates.
      Signed-off-by: default avatarAlexei Potashnik <alexei@purestorage.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      11e5f637
    • Alexei Potashnik's avatar
      qla2xxx: Abort stale cmds on qla_tgt_wq when plogi arrives · 4fc84e9e
      Alexei Potashnik authored
      commit daddf5cf upstream.
      
      cancel any commands from initiator's s_id that are still waiting
      on qla_tgt_wq when PLOGI arrives.
      Signed-off-by: default avatarAlexei Potashnik <alexei@purestorage.com>
      Acked-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      4fc84e9e
    • Alexei Potashnik's avatar
      qla2xxx: delay plogi/prli ack until existing sessions are deleted · 65b2d8f1
      Alexei Potashnik authored
      commit a6ca8878 upstream.
      
      - keep qla_tgt_sess object on the session list until it's freed
      
      - modify use of sess->deleted flag to differentiate delayed
        session deletion that can be cancelled from irreversible one:
        QLA_SESS_DELETION_PENDING vs QLA_SESS_DELETION_IN_PROGRESS
      
      - during IN_PROGRESS deletion all newly arrived commands and TMRs will
        be rejected, existing commands and TMRs will be terminated when
        given by the core to the fabric or simply dropped if session logout
        has already happened (logout terminates all existing exchanges)
      
      - new PLOGI will initiate deletion of the following sessions
        (unless deletion is already IN_PROGRESS):
        - with the same port_name (with logout)
        - different port_name, different loop_id but the same port_id
          (with logout)
        - different port_name, different port_id, but the same loop_id
          (without logout)
      
      - additionally each new PLOGI will store imm notify iocb in the
        same port_name session being deleted. When deletion process
        completes this iocb will be acked. Only the most recent PLOGI
        iocb is stored. The older ones will be terminated when replaced.
      
      - new PRLI will initiate deletion of the following sessions
        (unless deletion is already IN_PROGRESS):
        - different port_name, different port_id, but the same loop_id
         (without logout)
      Signed-off-by: default avatarAlexei Potashnik <alexei@purestorage.com>
      Acked-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      65b2d8f1
    • Swapnil Nagle's avatar
      qla2xxx: cleanup cmd in qla workqueue before processing TMR · 40b53b86
      Swapnil Nagle authored
      commit 8b2f5ff3 upstream.
      
      Since cmds go into qla_tgt_wq and TMRs don't, it's possible that TMR
      like TASK_ABORT can be queued over the cmd for which it was meant.
      To avoid this race, use a per-port list to keep track of cmds that
      are enqueued to qla_tgt_wq but not yet processed. When a TMR arrives,
      iterate through this list and remove any cmds that match the TMR.
      This patch supports TASK_ABORT and LUN_RESET.
      Signed-off-by: default avatarSwapnil Nagle <swapnil.nagle@purestorage.com>
      Signed-off-by: default avatarAlexei Potashnik <alexei@purestorage.com>
      Acked-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      40b53b86
    • Roland Dreier's avatar
      qla2xxx: kill sessions/log out initiator on RSCN and port down events · 6e726471
      Roland Dreier authored
      commit b2032fd5 upstream.
      
      To fix some issues talking to ESX, this patch modifies the qla2xxx driver
      so that it never logs into remote ports.  This has the side effect of
      getting rid of the "rports" entirely, which means we never log out of
      initiators and never tear down sessions when an initiator goes away.
      
      This is mostly OK, except that we can run into trouble if we have
      initiator A assigned FC address X:Y:Z by the fabric talking to us, and
      then initiator A goes away.  Some time (could be a long time) later,
      initiator B comes along and also gets FC address X:Y:Z (which is
      available again, because initiator A is gone).  If initiator B starts
      talking to us, then we'll still have the session for initiator A, and
      since we look up incoming IO based on the FC address X:Y:Z, initiator B
      will end up using ACLs for initiator A.
      
      Fix this by:
      
       1. Handling RSCN events somewhat differently; instead of completely
          skipping the processing of fcports, we look through the list, and if
          an fcport disappears, we tell the target code the tear down the
          session and tell the HBA FW to release the N_Port handle.
      
       2. Handling "port down" events by flushing all of our sessions.  The
          firmware was already releasing the N_Port handle but we want the
          target code to drop all the sessions too.
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarAlexei Potashnik <alexei@purestorage.com>
      Acked-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      6e726471
    • Kanoj Sarcar's avatar
    • Himanshu Madhani's avatar
      qla2xxx: Remove msleep in qlt_send_term_exchange · eac555ee
      Himanshu Madhani authored
      commit 6bc85dd5 upstream.
      
      Remove unnecessary msleep from qlt_send_term_exchange as it
      adds latency of 250 msec while sending terminate exchange to
      an aborted task.
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Signed-off-by: default avatarGiridhar Malavali <giridhar.malavali@qlogic.com>
      Reviewed-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      eac555ee
    • Quinn Tran's avatar
      qla2xxx: release request queue reservation. · 399c0b7a
      Quinn Tran authored
      commit 810e30bc upstream.
      
      Request IOCB queue element(s) is reserved during
      good path IO.  Under error condition such as unable
      to allocate IOCB handle condition, the IOCB count
      that was reserved is not released.
      Signed-off-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Reviewed-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      399c0b7a
    • Saurav Kashyap's avatar
      qla2xxx: Fix hardware lock/unlock issue causing kernel panic. · 1555a857
      Saurav Kashyap authored
      commit ba9f6f64 upstream.
      
      [ Upstream commit ef86cb20 ]
      
      This patch fixes a kernel panic for qla2xxx Target core
      Module driver introduced by a fix in the qla2xxx initiator code.
      
      Commit ef86cb20 ("qla2xxx: Mark port lost when we receive an RSCN for it.")
      introduced the regression for qla2xxx Target driver.
      
      Stack trace will have following signature
      
       --- <NMI exception stack> ---
      [ffff88081faa3cc8] _raw_spin_lock_irqsave at ffffffff815b1f03
      [ffff88081faa3cd0] qlt_fc_port_deleted at ffffffffa096ccd0 [qla2xxx]
      [ffff88081faa3d20] qla2x00_schedule_rport_del at ffffffffa0913831[qla2xxx]
      [ffff88081faa3d50] qla2x00_mark_device_lost at ffffffffa09159c5[qla2xxx]
      [ffff88081faa3db0] qla2x00_async_event at ffffffffa0938d59 [qla2xxx]
      [ffff88081faa3e30] qla24xx_msix_default at ffffffffa093a326 [qla2xxx]
      [ffff88081faa3e90] handle_irq_event_percpu at ffffffff810a7b8d
      [ffff88081faa3ee0] handle_irq_event at ffffffff810a7d32
      [ffff88081faa3f10] handle_edge_irq at ffffffff810ab6b9
      [ffff88081faa3f30] handle_irq at ffffffff8100619c
      [ffff88081faa3f70] do_IRQ at ffffffff815b4b1c
       --- <IRQ stack> ---
      Signed-off-by: default avatarSaurav Kashyap <saurav.kashyap@qlogic.com>
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@qlogic.com>
      Reviewed-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      1555a857
    • Axel Lin's avatar
      ASoC: pcm1681: Fix setting de-emphasis sampling rate selection · 7519d919
      Axel Lin authored
      commit fa8173a3 upstream.
      
      The de-emphasis sampling rate selection is controlled by BIT[3:4] of
      PCM1681_DEEMPH_CONTROL register. Do proper left shift to set it.
      Signed-off-by: default avatarAxel Lin <axel.lin@ingics.com>
      Acked-by: default avatarMarek Belisko <marek.belisko@streamunlimited.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      7519d919
    • Roger Quadros's avatar
      ARM: OMAP2+: hwmod: Fix _wait_target_ready() for hwmods without sysc · 230fcca2
      Roger Quadros authored
      commit 9a258afa upstream.
      
      For hwmods without sysc, _init_mpu_rt_base(oh) won't be called and so
      _find_mpu_rt_port(oh) will return NULL thus preventing ready state check
      on those modules after the module is enabled.
      
      This can potentially cause a bus access error if the module is accessed
      before the module is ready.
      
      Fix this by unconditionally calling _init_mpu_rt_base() during hwmod
      _init(). Do ioremap only if we need SYSC access.
      
      Eventhough _wait_target_ready() check doesn't really need MPU RT port but
      just the PRCM registers, we still mandate that the hwmod must have an
      MPU RT port if ready state check needs to be done. Else it would mean that
      the module is not accessible by MPU so there is no point in waiting
      for target to be ready.
      
      e.g. this fixes the below DCAN bus access error on AM437x-gp-evm.
      
      [   16.672978] ------------[ cut here ]------------
      [   16.677885] WARNING: CPU: 0 PID: 1580 at drivers/bus/omap_l3_noc.c:147 l3_interrupt_handler+0x234/0x35c()
      [   16.687946] 44000000.ocp:L3 Custom Error: MASTER M2 (64-bit) TARGET L4_PER_0 (Read): Data Access in User mode during Functional access
      [   16.700654] Modules linked in: xhci_hcd btwilink ti_vpfe dwc3 videobuf2_core ov2659 bluetooth v4l2_common videodev ti_am335x_adc kfifo_buf industrialio c_can_platform videobuf2_dma_contig media snd_soc_tlv320aic3x pixcir_i2c_ts c_can dc
      [   16.731144] CPU: 0 PID: 1580 Comm: rpc.statd Not tainted 3.14.26-02561-gf733aa036398 #180
      [   16.739747] Backtrace:
      [   16.742336] [<c0011108>] (dump_backtrace) from [<c00112a4>] (show_stack+0x18/0x1c)
      [   16.750285]  r6:00000093 r5:00000009 r4:eab5b8a8 r3:00000000
      [   16.756252] [<c001128c>] (show_stack) from [<c05a4418>] (dump_stack+0x20/0x28)
      [   16.763870] [<c05a43f8>] (dump_stack) from [<c0037120>] (warn_slowpath_common+0x6c/0x8c)
      [   16.772408] [<c00370b4>] (warn_slowpath_common) from [<c00371e4>] (warn_slowpath_fmt+0x38/0x40)
      [   16.781550]  r8:c05d1f90 r7:c0730844 r6:c0730448 r5:80080003 r4:ed0cd210
      [   16.788626] [<c00371b0>] (warn_slowpath_fmt) from [<c027fa94>] (l3_interrupt_handler+0x234/0x35c)
      [   16.797968]  r3:ed0cd480 r2:c0730508
      [   16.801747] [<c027f860>] (l3_interrupt_handler) from [<c0063758>] (handle_irq_event_percpu+0x54/0x1bc)
      [   16.811533]  r10:ed005600 r9:c084855b r8:0000002a r7:00000000 r6:00000000 r5:0000002a
      [   16.819780]  r4:ed0e6d80
      [   16.822453] [<c0063704>] (handle_irq_event_percpu) from [<c00638f0>] (handle_irq_event+0x30/0x40)
      [   16.831789]  r10:eb2b6938 r9:eb2b6960 r8:bf011420 r7:fa240100 r6:00000000 r5:0000002a
      [   16.840052]  r4:ed005600
      [   16.842744] [<c00638c0>] (handle_irq_event) from [<c00661d8>] (handle_fasteoi_irq+0x74/0x128)
      [   16.851702]  r4:ed005600 r3:00000000
      [   16.855479] [<c0066164>] (handle_fasteoi_irq) from [<c0063068>] (generic_handle_irq+0x28/0x38)
      [   16.864523]  r4:0000002a r3:c0066164
      [   16.868294] [<c0063040>] (generic_handle_irq) from [<c000ef60>] (handle_IRQ+0x38/0x8c)
      [   16.876612]  r4:c081c640 r3:00000202
      [   16.880380] [<c000ef28>] (handle_IRQ) from [<c00084f0>] (gic_handle_irq+0x30/0x5c)
      [   16.888328]  r6:eab5ba38 r5:c0804460 r4:fa24010c r3:00000100
      [   16.894303] [<c00084c0>] (gic_handle_irq) from [<c05a8d80>] (__irq_svc+0x40/0x50)
      [   16.902193] Exception stack(0xeab5ba38 to 0xeab5ba80)
      [   16.907499] ba20:                                                       00000000 00000006
      [   16.916108] ba40: fa1d0000 fa1d0008 ed3d3000 eab5bab4 ed3d3460 c0842af4 bf011420 eb2b6960
      [   16.924716] ba60: eb2b6938 eab5ba8c eab5ba90 eab5ba80 bf035220 bf07702c 600f0013 ffffffff
      [   16.933317]  r7:eab5ba6c r6:ffffffff r5:600f0013 r4:bf07702c
      [   16.939317] [<bf077000>] (c_can_plat_read_reg_aligned_to_16bit [c_can_platform]) from [<bf035220>] (c_can_get_berr_counter+0x38/0x64 [c_can])
      [   16.952696] [<bf0351e8>] (c_can_get_berr_counter [c_can]) from [<bf010294>] (can_fill_info+0x124/0x15c [can_dev])
      [   16.963480]  r5:ec8c9740 r4:ed3d3000
      [   16.967253] [<bf010170>] (can_fill_info [can_dev]) from [<c0502fa8>] (rtnl_fill_ifinfo+0x58c/0x8fc)
      [   16.976749]  r6:ec8c9740 r5:ed3d3000 r4:eb2b6780
      [   16.981613] [<c0502a1c>] (rtnl_fill_ifinfo) from [<c0503408>] (rtnl_dump_ifinfo+0xf0/0x1dc)
      [   16.990401]  r10:ec8c9740 r9:00000000 r8:00000000 r7:00000000 r6:ebd4d1b4 r5:ed3d3000
      [   16.998671]  r4:00000000
      [   17.001342] [<c0503318>] (rtnl_dump_ifinfo) from [<c050e6e4>] (netlink_dump+0xa8/0x1e0)
      [   17.009772]  r10:00000000 r9:00000000 r8:c0503318 r7:ebf3e6c0 r6:ebd4d1b4 r5:ec8c9740
      [   17.018050]  r4:ebd4d000
      [   17.020714] [<c050e63c>] (netlink_dump) from [<c050ec10>] (__netlink_dump_start+0x104/0x154)
      [   17.029591]  r6:eab5bd34 r5:ec8c9980 r4:ebd4d000
      [   17.034454] [<c050eb0c>] (__netlink_dump_start) from [<c0505604>] (rtnetlink_rcv_msg+0x110/0x1f4)
      [   17.043778]  r7:00000000 r6:ec8c9980 r5:00000f40 r4:ebf3e6c0
      [   17.049743] [<c05054f4>] (rtnetlink_rcv_msg) from [<c05108e8>] (netlink_rcv_skb+0xb4/0xc8)
      [   17.058449]  r8:eab5bdac r7:ec8c9980 r6:c05054f4 r5:ec8c9980 r4:ebf3e6c0
      [   17.065534] [<c0510834>] (netlink_rcv_skb) from [<c0504134>] (rtnetlink_rcv+0x24/0x2c)
      [   17.073854]  r6:ebd4d000 r5:00000014 r4:ec8c9980 r3:c0504110
      [   17.079846] [<c0504110>] (rtnetlink_rcv) from [<c05102ac>] (netlink_unicast+0x180/0x1ec)
      [   17.088363]  r4:ed0c6800 r3:c0504110
      [   17.092113] [<c051012c>] (netlink_unicast) from [<c0510670>] (netlink_sendmsg+0x2ac/0x380)
      [   17.100813]  r10:00000000 r8:00000008 r7:ec8c9980 r6:ebd4d000 r5:eab5be70 r4:eab5bee4
      [   17.109083] [<c05103c4>] (netlink_sendmsg) from [<c04dfdb4>] (sock_sendmsg+0x90/0xb0)
      [   17.117305]  r10:00000000 r9:eab5a000 r8:becdda3c r7:0000000c r6:ea978400 r5:eab5be70
      [   17.125563]  r4:c05103c4
      [   17.128225] [<c04dfd24>] (sock_sendmsg) from [<c04e1c28>] (SyS_sendto+0xb8/0xdc)
      [   17.136001]  r6:becdda5c r5:00000014 r4:ecd37040
      [   17.140876] [<c04e1b70>] (SyS_sendto) from [<c000e680>] (ret_fast_syscall+0x0/0x30)
      [   17.148923]  r10:00000000 r8:c000e804 r7:00000122 r6:becdda5c r5:0000000c r4:becdda5c
      [   17.157169] ---[ end trace 2b71e15b38f58bad ]---
      
      Fixes: 6423d6df ("ARM: OMAP2+: hwmod: check for module address space during init")
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarPaul Walmsley <paul@pwsan.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      230fcca2
    • Ben Zhang's avatar
      ASoC: ssm4567: Keep TDM_BCLKS in ssm4567_set_dai_fmt · bb710dfe
      Ben Zhang authored
      commit a6c2a32a upstream.
      
      The regmap_write in ssm4567_set_dai_fmt accidentally clears the
      TDM_BCLKS field which was set earlier by ssm4567_set_tdm_slot.
      
      This patch fixes it by using regmap_update_bits with proper mask.
      Signed-off-by: default avatarBen Zhang <benzh@chromium.org>
      Acked-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Acked-by: default avatarAnatol Pomozov <anatol.pomozov@gmail.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      bb710dfe
    • Lars-Peter Clausen's avatar
      ASoC: dapm: Don't add prefix to widget stream name · 65d3a763
      Lars-Peter Clausen authored
      commit a798c24a upstream.
      
      Commit fdb6eb0a ("ASoC: dapm: Modify widget stream name according to
      prefix") fixed the case where a DAPM route between a DAI widget and a
      DAC/ADC/AIF widget with a matching stream name was not created when the
      DAPM context was using a prefix.
      
      Unfortunately the patch introduced a few issues on its own like leaking the
      dynamically allocated stream name memory and also not checking whether the
      allocation succeeded in the first place.
      
      It is also incomplete in that it still does not handle the case where
      stream name of the widget is a substring of the stream name of the DAI,
      which is explicitly allowed and works fine if no DAPM prefix is used.
      
      Revert the commit and take a slightly different approach to solving the
      issue. Instead of comparing the widget's stream name to the name of the DAI
      widget compare it to the stream name of the DAI widget. The stream name of
      the DAI widget is identical to the name of the DAI widget except that it
      wont have the DAPM prefix added. So this approach behaves identical
      regardless to whether the DAPM context uses a prefix or not.
      
      We don't have to worry about potentially matching with a widget with the
      same stream name, but from a different DAPM context with a different
      prefix, since the code already makes sure that both the DAI widget and the
      matched widget are from the same DAPM context.
      
      Fixes: fdb6eb0a ("ASoC: dapm: Modify widget stream name according to prefix")
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      65d3a763
    • Krzysztof Kozlowski's avatar
      dmaengine: pl330: Fix overflow when reporting residue in memcpy · 3f99e272
      Krzysztof Kozlowski authored
      commit ae128293 upstream.
      
      During memcpy operations the residue was always set to an u32 overflowed
      value.
      
      In pl330_tx_status() function number of currently transferred bytes was
      subtracted from internal "bytes_requested" field. However this
      "bytes_requested" was not initialized at start to length of memcpy
      buffer so transferred bytes were subtracted from 0 causing overflow.
      Signed-off-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Fixes: aee4d1fa ("dmaengine: pl330: improve pl330_tx_status() function")
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      3f99e272
    • Lars-Peter Clausen's avatar
      ASoC: dapm: Lock during userspace access · 72ddfd94
      Lars-Peter Clausen authored
      commit e50b1e06 upstream.
      
      The DAPM lock must be held when accessing the DAPM graph status through
      sysfs or debugfs, otherwise concurrent changes to the graph can result in
      undefined behaviour.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      72ddfd94
    • WANG Cong's avatar
      fq_codel: fix a use-after-free · a4b9e9c7
      WANG Cong authored
      commit 052cbda4 upstream.
      
      Fixes: 25331d6c ("net: sched: implement qstat helper routines")
      Cc: John Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarCong Wang <cwang@twopensource.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      a4b9e9c7
    • Nikolay Aleksandrov's avatar
      bonding: fix destruction of bond with devices different from arphrd_ether · 53c5911f
      Nikolay Aleksandrov authored
      commit 06f6d109 upstream.
      
      When the bonding is being unloaded and the netdevice notifier is
      unregistered it executes NETDEV_UNREGISTER for each device which should
      remove the bond's proc entry but if the device enslaved is not of
      ARPHRD_ETHER type and is in front of the bonding, it may execute
      bond_release_and_destroy() first which would release the last slave and
      destroy the bond device leaving the proc entry and thus we will get the
      following error (with dynamic debug on for bond_netdev_event to see the
      events order):
      [  908.963051] eql: event: 9
      [  908.963052] eql: IFF_SLAVE
      [  908.963054] eql: event: 2
      [  908.963056] eql: IFF_SLAVE
      [  908.963058] eql: event: 6
      [  908.963059] eql: IFF_SLAVE
      [  908.963110] bond0: Releasing active interface eql
      [  908.976168] bond0: Destroying bond bond0
      [  908.976266] bond0 (unregistering): Released all slaves
      [  908.984097] ------------[ cut here ]------------
      [  908.984107] WARNING: CPU: 0 PID: 1787 at fs/proc/generic.c:575
      remove_proc_entry+0x112/0x160()
      [  908.984110] remove_proc_entry: removing non-empty directory
      'net/bonding', leaking at least 'bond0'
      [  908.984111] Modules linked in: bonding(-) eql(O) 9p nfsd auth_rpcgss
      oid_registry nfs_acl nfs lockd grace fscache sunrpc crct10dif_pclmul
      crc32_pclmul crc32c_intel ghash_clmulni_intel ppdev qxl drm_kms_helper
      snd_hda_codec_generic aesni_intel ttm aes_x86_64 glue_helper pcspkr lrw
      gf128mul ablk_helper cryptd snd_hda_intel virtio_console snd_hda_codec
      psmouse serio_raw snd_hwdep snd_hda_core 9pnet_virtio 9pnet evdev joydev
      drm virtio_balloon snd_pcm snd_timer snd soundcore i2c_piix4 i2c_core
      pvpanic acpi_cpufreq parport_pc parport processor thermal_sys button
      autofs4 ext4 crc16 mbcache jbd2 hid_generic usbhid hid sg sr_mod cdrom
      ata_generic virtio_blk virtio_net floppy ata_piix e1000 libata ehci_pci
      virtio_pci scsi_mod uhci_hcd ehci_hcd virtio_ring virtio usbcore
      usb_common [last unloaded: bonding]
      
      [  908.984168] CPU: 0 PID: 1787 Comm: rmmod Tainted: G        W  O
      4.2.0-rc2+ #8
      [  908.984170] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
      [  908.984172]  0000000000000000 ffffffff81732d41 ffffffff81525b34
      ffff8800358dfda8
      [  908.984175]  ffffffff8106c521 ffff88003595af78 ffff88003595af40
      ffff88003e3a4280
      [  908.984178]  ffffffffa058d040 0000000000000000 ffffffff8106c59a
      ffffffff8172ebd0
      [  908.984181] Call Trace:
      [  908.984188]  [<ffffffff81525b34>] ? dump_stack+0x40/0x50
      [  908.984193]  [<ffffffff8106c521>] ? warn_slowpath_common+0x81/0xb0
      [  908.984196]  [<ffffffff8106c59a>] ? warn_slowpath_fmt+0x4a/0x50
      [  908.984199]  [<ffffffff81218352>] ? remove_proc_entry+0x112/0x160
      [  908.984205]  [<ffffffffa05850e6>] ? bond_destroy_proc_dir+0x26/0x30
      [bonding]
      [  908.984208]  [<ffffffffa057540e>] ? bond_net_exit+0x8e/0xa0 [bonding]
      [  908.984217]  [<ffffffff8142f407>] ? ops_exit_list.isra.4+0x37/0x70
      [  908.984225]  [<ffffffff8142f52d>] ?
      unregister_pernet_operations+0x8d/0xd0
      [  908.984228]  [<ffffffff8142f58d>] ?
      unregister_pernet_subsys+0x1d/0x30
      [  908.984232]  [<ffffffffa0585269>] ? bonding_exit+0x23/0xdba [bonding]
      [  908.984236]  [<ffffffff810e28ba>] ? SyS_delete_module+0x18a/0x250
      [  908.984241]  [<ffffffff81086f99>] ? task_work_run+0x89/0xc0
      [  908.984244]  [<ffffffff8152b732>] ?
      entry_SYSCALL_64_fastpath+0x16/0x75
      [  908.984247] ---[ end trace 7c006ed4abbef24b ]---
      
      Thus remove the proc entry manually if bond_release_and_destroy() is
      used. Because of the checks in bond_remove_proc_entry() it's not a
      problem for a bond device to change namespaces (the bug fixed by the
      Fixes commit) but since commit
      f9399814 ("bonding: Don't allow bond devices to change network
      namespaces.") that can't happen anyway.
      Reported-by: default avatarCarol Soto <clsoto@linux.vnet.ibm.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Fixes: a64d49c3 ("bonding: Manage /proc/net/bonding/ entries from
                            the netdev events")
      Tested-by: default avatarCarol L Soto <clsoto@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      53c5911f
    • Edward Hyunkoo Jee's avatar
      inet: frags: fix defragmented packet's IP header for af_packet · 8d2015c6
      Edward Hyunkoo Jee authored
      [ Upstream commit 0848f642 ]
      
      When ip_frag_queue() computes positions, it assumes that the passed
      sk_buff does not contain L2 headers.
      
      However, when PACKET_FANOUT_FLAG_DEFRAG is used, IP reassembly
      functions can be called on outgoing packets that contain L2 headers.
      
      Also, IPv4 checksum is not corrected after reassembly.
      
      Fixes: 7736d33f ("packet: Add pre-defragmentation support for ipv4 fanouts.")
      Signed-off-by: default avatarEdward Hyunkoo Jee <edjee@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Cc: Jerry Chu <hkchu@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      8d2015c6
    • WANG Cong's avatar
      ipvlan: use rcu_deference_bh() in ipvlan_queue_xmit() · 0261cc10
      WANG Cong authored
      commit 0fba37a3 upstream.
      
      In tx path rcu_read_lock_bh() is held, so we need rcu_deference_bh().
      This fixes the following warning:
      
       ===============================
       [ INFO: suspicious RCU usage. ]
       4.1.0-rc1+ #1007 Not tainted
       -------------------------------
       drivers/net/ipvlan/ipvlan.h:106 suspicious rcu_dereference_check() usage!
      
       other info that might help us debug this:
      
       rcu_scheduler_active = 1, debug_locks = 0
       1 lock held by dhclient/1076:
        #0:  (rcu_read_lock_bh){......}, at: [<ffffffff817e8d84>] rcu_lock_acquire+0x0/0x26
      
       stack backtrace:
       CPU: 2 PID: 1076 Comm: dhclient Not tainted 4.1.0-rc1+ #1007
       Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
        0000000000000001 ffff8800d381bac8 ffffffff81a4154f 000000003c1a3c19
        ffff8800d4d0a690 ffff8800d381baf8 ffffffff810b849f ffff880117d41148
        ffff880117d40000 ffff880117d40068 0000000000000156 ffff8800d381bb18
       Call Trace:
        [<ffffffff81a4154f>] dump_stack+0x4c/0x65
        [<ffffffff810b849f>] lockdep_rcu_suspicious+0x107/0x110
        [<ffffffff8165a522>] ipvlan_port_get_rcu+0x47/0x4e
        [<ffffffff8165ad14>] ipvlan_queue_xmit+0x35/0x450
        [<ffffffff817ea45d>] ? rcu_read_unlock+0x3e/0x5f
        [<ffffffff810a20bf>] ? local_clock+0x19/0x22
        [<ffffffff810b4781>] ? __lock_is_held+0x39/0x52
        [<ffffffff8165b64c>] ipvlan_start_xmit+0x1b/0x44
        [<ffffffff817edf7f>] dev_hard_start_xmit+0x2ae/0x467
        [<ffffffff817ee642>] __dev_queue_xmit+0x50a/0x60c
        [<ffffffff817ee7a7>] dev_queue_xmit_sk+0x13/0x15
        [<ffffffff81997596>] dev_queue_xmit+0x10/0x12
        [<ffffffff8199b41c>] packet_sendmsg+0xb6b/0xbdf
        [<ffffffff810b5ea7>] ? mark_lock+0x2e/0x226
        [<ffffffff810a1fcc>] ? sched_clock_cpu+0x9e/0xb7
        [<ffffffff817d56f9>] sock_sendmsg_nosec+0x12/0x1d
        [<ffffffff817d7257>] sock_sendmsg+0x29/0x2e
        [<ffffffff817d72cc>] sock_write_iter+0x70/0x91
        [<ffffffff81199563>] __vfs_write+0x7e/0xa7
        [<ffffffff811996bc>] vfs_write+0x92/0xe8
        [<ffffffff811997d7>] SyS_write+0x47/0x7e
        [<ffffffff81a4d517>] system_call_fastpath+0x12/0x6f
      
      Fixes: 2ad7bf36 ("ipvlan: Initial check-in of the IPVLAN driver.")
      Cc: Mahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarMahesh Bandewar <maheshb@google.com>
      Acked-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      0261cc10
    • Daniel Borkmann's avatar
      sched: cls_flow: fix panic on filter replace · 708543ed
      Daniel Borkmann authored
      commit 32b2f4b1 upstream.
      
      The following test case causes a NULL pointer dereference in cls_flow:
      
        tc filter add dev foo parent 1: handle 0x1 flow hash keys dst action ok
        tc filter replace dev foo parent 1: pref 49152 handle 0x1 \
                  flow hash keys mark action drop
      
      To be more precise, actually two different panics are fixed, the first
      occurs because tcf_exts_init() is not called on the newly allocated
      filter when we do a replace. And the second panic uncovered after that
      happens since the arguments of list_replace_rcu() are swapped, the old
      element needs to be the first argument and the new element the second.
      
      Fixes: 70da9f0b ("net: sched: cls_flow use RCU")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.r.fastabend@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      708543ed
    • Dan Carpenter's avatar
      net/xen-netback: off by one in BUG_ON() condition · 4ce79985
      Dan Carpenter authored
      commit 50c2e4dd upstream.
      
      The > should be >=.  I also added spaces around the '-' operations so
      the code is a little more consistent and matches the condition better.
      
      Fixes: f53c3fe8 ('xen-netback: Introduce TX grant mapping')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      4ce79985
    • Alexey Khoroshilov's avatar
      usb: gadget: mv_udc_core: fix phy_regs I/O memory leak · 41725ead
      Alexey Khoroshilov authored
      commit 53e20f2e upstream.
      
      There was an omission in transition to devm_xxx resource handling.
      iounmap(udc->phy_regs) were removed, but ioremap() was left
      without devm_.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Fixes: 3517c31a ("usb: gadget: mv_udc: use devm_xxx for probe")
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      41725ead
    • Nikolay Aleksandrov's avatar
      bridge: mdb: fix double add notification · 92bca148
      Nikolay Aleksandrov authored
      commit 5ebc7846 upstream.
      
      Since the mdb add/del code was introduced there have been 2 br_mdb_notify
      calls when doing br_mdb_add() resulting in 2 notifications on each add.
      
      Example:
       Command: bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
       Before patch:
       root@debian:~# bridge monitor all
       [MDB]dev br0 port eth1 grp 239.0.0.1 permanent
       [MDB]dev br0 port eth1 grp 239.0.0.1 permanent
      
       After patch:
       root@debian:~# bridge monitor all
       [MDB]dev br0 port eth1 grp 239.0.0.1 permanent
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Fixes: cfd56754 ("bridge: add support of adding and deleting mdb entries")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      92bca148
    • Scott Wood's avatar
      mtd: nand: Fix NAND_USE_BOUNCE_BUFFER flag conflict · e9549d0d
      Scott Wood authored
      commit 5f867db6 upstream.
      
      Commit 66507c7b ("mtd: nand: Add support to use nand_base
      poi databuf as bounce buffer") added a flag NAND_USE_BOUNCE_BUFFER
      using the same bit value as the existing NAND_BUSWIDTH_AUTO.
      
      Cc: Kamal Dasu <kdasu.kdev@gmail.com>
      Fixes: 66507c7b ("mtd: nand: Add support to use nand_base
      	poi databuf as bounce buffer")
      Signed-off-by: default avatarScott Wood <scottwood@freescale.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      e9549d0d