1. 18 Jul, 2017 37 commits
    • Johan Hovold's avatar
      net: wimax/i2400m: fix NULL-deref at probe · 83bf5609
      Johan Hovold authored
      commit 6e526fdf upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer or accessing memory beyond the endpoint array should a
      malicious device lack the expected endpoints.
      
      The endpoints are specifically dereferenced in the i2400m_bootrom_init
      path during probe (e.g. in i2400mu_tx_bulk_out).
      
      Fixes: f398e424 ("i2400m/USB: probe/disconnect, dev init/shutdown
      and reset backends")
      Cc: Inaky Perez-Gonzalez <inaky@linux.intel.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      83bf5609
    • Johan Hovold's avatar
      isdn/gigaset: fix NULL-deref at probe · dd470c92
      Johan Hovold authored
      commit 68c32f9c upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: cf7776dc ("[PATCH] isdn4linux: Siemens Gigaset drivers -
      direct USB connection")
      Cc: Hansjoerg Lipp <hjlipp@web.de>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dd470c92
    • Sabrina Dubroca's avatar
      ipv6: make ECMP route replacement less greedy · 731cf50c
      Sabrina Dubroca authored
      commit 67e19400 upstream.
      
      Commit 27596472 ("ipv6: fix ECMP route replacement") introduced a
      loop that removes all siblings of an ECMP route that is being
      replaced. However, this loop doesn't stop when it has replaced
      siblings, and keeps removing other routes with a higher metric.
      We also end up triggering the WARN_ON after the loop, because after
      this nsiblings < 0.
      
      Instead, stop the loop when we have taken care of all routes with the
      same metric as the route being replaced.
      
        Reproducer:
        ===========
          #!/bin/sh
      
          ip netns add ns1
          ip netns add ns2
          ip -net ns1 link set lo up
      
          for x in 0 1 2 ; do
              ip link add veth$x netns ns2 type veth peer name eth$x netns ns1
              ip -net ns1 link set eth$x up
              ip -net ns2 link set veth$x up
          done
      
          ip -net ns1 -6 r a 2000::/64 nexthop via fe80::0 dev eth0 \
                  nexthop via fe80::1 dev eth1 nexthop via fe80::2 dev eth2
          ip -net ns1 -6 r a 2000::/64 via fe80::42 dev eth0 metric 256
          ip -net ns1 -6 r a 2000::/64 via fe80::43 dev eth0 metric 2048
      
          echo "before replace, 3 routes"
          ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
          echo
      
          ip -net ns1 -6 r c 2000::/64 nexthop via fe80::4 dev eth0 \
                  nexthop via fe80::5 dev eth1 nexthop via fe80::6 dev eth2
      
          echo "after replace, only 2 routes, metric 2048 is gone"
          ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
      
      Fixes: 27596472 ("ipv6: fix ECMP route replacement")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      731cf50c
    • Kinglong Mee's avatar
      NFSv4: fix a reference leak caused WARNING messages · 7c8951f3
      Kinglong Mee authored
      commit 366a1569 upstream.
      
      Because nfs4_opendata_access() has close the state when access is denied,
      so the state isn't leak.
      Rather than revert the commit a974deee, I'd like clean the strange state close.
      
      [ 1615.094218] ------------[ cut here ]------------
      [ 1615.094607] WARNING: CPU: 0 PID: 23702 at lib/list_debug.c:31 __list_add_valid+0x8e/0xa0
      [ 1615.094913] list_add double add: new=ffff9d7901d9f608, prev=ffff9d7901d9f608, next=ffff9d7901ee8dd0.
      [ 1615.095458] Modules linked in: nfsv4(E) nfs(E) nfsd(E) tun bridge stp llc fuse ip_set nfnetlink vmw_vsock_vmci_transport vsock f2fs snd_seq_midi snd_seq_midi_event fscrypto coretemp ppdev crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_rapl_perf vmw_balloon snd_ens1371 joydev gameport snd_ac97_codec ac97_bus snd_seq snd_pcm snd_rawmidi snd_timer snd_seq_device snd soundcore nfit parport_pc parport acpi_cpufreq tpm_tis tpm_tis_core tpm i2c_piix4 vmw_vmci shpchp auth_rpcgss nfs_acl lockd(E) grace sunrpc(E) xfs libcrc32c vmwgfx drm_kms_helper ttm drm crc32c_intel mptspi e1000 serio_raw scsi_transport_spi mptscsih mptbase ata_generic pata_acpi fjes [last unloaded: nfs]
      [ 1615.097663] CPU: 0 PID: 23702 Comm: fstest Tainted: G        W   E   4.11.0-rc1+ #517
      [ 1615.098015] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
      [ 1615.098807] Call Trace:
      [ 1615.099183]  dump_stack+0x63/0x86
      [ 1615.099578]  __warn+0xcb/0xf0
      [ 1615.099967]  warn_slowpath_fmt+0x5f/0x80
      [ 1615.100370]  __list_add_valid+0x8e/0xa0
      [ 1615.100760]  nfs4_put_state_owner+0x75/0xc0 [nfsv4]
      [ 1615.101136]  __nfs4_close+0x109/0x140 [nfsv4]
      [ 1615.101524]  nfs4_close_state+0x15/0x20 [nfsv4]
      [ 1615.101949]  nfs4_close_context+0x21/0x30 [nfsv4]
      [ 1615.102691]  __put_nfs_open_context+0xb8/0x110 [nfs]
      [ 1615.103155]  put_nfs_open_context+0x10/0x20 [nfs]
      [ 1615.103586]  nfs4_file_open+0x13b/0x260 [nfsv4]
      [ 1615.103978]  do_dentry_open+0x20a/0x2f0
      [ 1615.104369]  ? nfs4_copy_file_range+0x30/0x30 [nfsv4]
      [ 1615.104739]  vfs_open+0x4c/0x70
      [ 1615.105106]  ? may_open+0x5a/0x100
      [ 1615.105469]  path_openat+0x623/0x1420
      [ 1615.105823]  do_filp_open+0x91/0x100
      [ 1615.106174]  ? __alloc_fd+0x3f/0x170
      [ 1615.106568]  do_sys_open+0x130/0x220
      [ 1615.106920]  ? __put_cred+0x3d/0x50
      [ 1615.107256]  SyS_open+0x1e/0x20
      [ 1615.107588]  entry_SYSCALL_64_fastpath+0x1a/0xa9
      [ 1615.107922] RIP: 0033:0x7fab599069b0
      [ 1615.108247] RSP: 002b:00007ffcf0600d78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
      [ 1615.108575] RAX: ffffffffffffffda RBX: 00007fab59bcfae0 RCX: 00007fab599069b0
      [ 1615.108896] RDX: 0000000000000200 RSI: 0000000000000200 RDI: 00007ffcf060255e
      [ 1615.109211] RBP: 0000000000040010 R08: 0000000000000000 R09: 0000000000000016
      [ 1615.109515] R10: 00000000000006a1 R11: 0000000000000246 R12: 0000000000041000
      [ 1615.109806] R13: 0000000000040010 R14: 0000000000001000 R15: 0000000000002710
      [ 1615.110152] ---[ end trace 96ed63b1306bf2f3 ]---
      
      Fixes: a974deee ("NFSv4: Fix memory and state leak in...")
      Signed-off-by: default avatarKinglong Mee <kinglongmee@gmail.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7c8951f3
    • Andy Shevchenko's avatar
      x86/platform/intel-mid: Correct MSI IRQ line for watchdog device · d95b95c8
      Andy Shevchenko authored
      commit 80354c29 upstream.
      
      The interrupt line used for the watchdog is 12, according to the official
      Intel Edison BSP code.
      
      And indeed after fixing it we start getting an interrupt and thus the
      watchdog starts working again:
      
        [  191.699951] Kernel panic - not syncing: Kernel Watchdog
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: David Cohen <david.a.cohen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 78a3bb9e ("x86: intel-mid: add watchdog platform code for Merrifield")
      Link: http://lkml.kernel.org/r/20170312150744.45493-1-andriy.shevchenko@linux.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d95b95c8
    • Edwin Chan's avatar
      net: bcmgenet: add begin/complete ethtool ops · f3139612
      Edwin Chan authored
      commit 89316fa3 upstream.
      
      Make sure clock is enabled for ethtool ops.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarEdwin Chan <edwin.chan@broadcom.com>
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f3139612
    • Doug Berger's avatar
      net: bcmgenet: Power up the internal PHY before probing the MII · 4a2a92a6
      Doug Berger authored
      commit 6be371b0 upstream.
      
      When using the internal PHY it must be powered up when the MII is probed
      or the PHY will not be detected.  Since the PHY is powered up at reset
      this has not been a problem.  However, when the kernel is restarted with
      kexec the PHY will likely be powered down when the kernel starts so it
      will not be detected and the Ethernet link will not be established.
      
      This commit explicitly powers up the internal PHY when the GENET driver
      is probed to correct this behavior.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4a2a92a6
    • Doug Berger's avatar
      net: bcmgenet: synchronize irq0 status between the isr and task · 0b3e9014
      Doug Berger authored
      commit 07c52d6a upstream.
      
      Add a spinlock to ensure that irq0_stat is not unintentionally altered
      as the result of preemption.  Also removed unserviced irq0 interrupts
      and removed irq1_stat since there is no bottom half service for those
      interrupts.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16:
       - bcmgenet_irq_task() only handles UMAC_IRQ_LINK_UP and UMAC_IRQ_LINK_DOWN
         status flags
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0b3e9014
    • Doug Berger's avatar
      net: bcmgenet: correct MIB access of UniMAC RUNT counters · f1ab736d
      Doug Berger authored
      commit 1ad3d225 upstream.
      
      The gap between the Tx status counters and the Rx RUNT counters is now
      being added to allow correct reporting of the registers.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f1ab736d
    • Doug Berger's avatar
      net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values · 42641b91
      Doug Berger authored
      commit ffff7132 upstream.
      
      The location of the RBUF overflow and error counters has moved between
      different version of the GENET MAC.  This commit corrects the driver to
      read from the correct locations depending on the version of the GENET
      MAC.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      42641b91
    • Alexey Kodanev's avatar
      udp: avoid ufo handling on IP payload compression packets · e3e9c1c7
      Alexey Kodanev authored
      commit 4b3b45ed upstream.
      
      commit c146066a ("ipv4: Don't use ufo handling on later transformed
      packets") and commit f89c56ce ("ipv6: Don't use ufo handling on
      later transformed packets") added a check that 'rt->dst.header_len' isn't
      zero in order to skip UFO, but it doesn't include IPcomp in transport mode
      where it equals zero.
      
      Packets, after payload compression, may not require further fragmentation,
      and if original length exceeds MTU, later compressed packets will be
      transmitted incorrectly. This can be reproduced with LTP udp_ipsec.sh test
      on veth device with enabled UFO, MTU is 1500 and UDP payload is 2000:
      
      * IPv4 case, offset is wrong + unnecessary fragmentation
          udp_ipsec.sh -p comp -m transport -s 2000 &
          tcpdump -ni ltp_ns_veth2
          ...
          IP (tos 0x0, ttl 64, id 45203, offset 0, flags [+],
            proto Compressed IP (108), length 49)
            10.0.0.2 > 10.0.0.1: IPComp(cpi=0x1000)
          IP (tos 0x0, ttl 64, id 45203, offset 1480, flags [none],
            proto UDP (17), length 21) 10.0.0.2 > 10.0.0.1: ip-proto-17
      
      * IPv6 case, sending small fragments
          udp_ipsec.sh -6 -p comp -m transport -s 2000 &
          tcpdump -ni ltp_ns_veth2
          ...
          IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
            payload length: 37) fd00::2 > fd00::1: IPComp(cpi=0x1000)
          IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
            payload length: 21) fd00::2 > fd00::1: IPComp(cpi=0x1000)
      
      Fix it by checking 'rt->dst.xfrm' pointer to 'xfrm_state' struct, skip UFO
      if xfrm is set. So the new check will include both cases: IPcomp and IPsec.
      
      Fixes: c146066a ("ipv4: Don't use ufo handling on later transformed packets")
      Fixes: f89c56ce ("ipv6: Don't use ufo handling on later transformed packets")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e3e9c1c7
    • Shaohua Li's avatar
      md/raid1/10: fix potential deadlock · 67c14169
      Shaohua Li authored
      commit 61eb2b43 upstream.
      
      Neil Brown pointed out a potential deadlock in raid 10 code with
      bio_split/chain. The raid1 code could have the same issue, but recent
      barrier rework makes it less likely to happen. The deadlock happens in
      below sequence:
      
      1. generic_make_request(bio), this will set current->bio_list
      2. raid10_make_request will split bio to bio1 and bio2
      3. __make_request(bio1), wait_barrer, add underlayer disk bio to
      current->bio_list
      4. __make_request(bio2), wait_barrer
      
      If raise_barrier happens between 3 & 4, since wait_barrier runs at 3,
      raise_barrier waits for IO completion from 3. And since raise_barrier
      sets barrier, 4 waits for raise_barrier. But IO from 3 can't be
      dispatched because raid10_make_request() doesn't finished yet.
      
      The solution is to adjust the IO ordering. Quotes from Neil:
      "
      It is much safer to:
      
          if (need to split) {
              split = bio_split(bio, ...)
              bio_chain(...)
              make_request_fn(split);
              generic_make_request(bio);
         } else
              make_request_fn(mddev, bio);
      
      This way we first process the initial section of the bio (in 'split')
      which will queue some requests to the underlying devices.  These
      requests will be queued in generic_make_request.
      Then we queue the remainder of the bio, which will be added to the end
      of the generic_make_request queue.
      Then we return.
      generic_make_request() will pop the lower-level device requests off the
      queue and handle them first.  Then it will process the remainder
      of the original bio once the first section has been fully processed.
      "
      
      Note, this only happens in read path. In write path, the bio is flushed to
      underlaying disks either by blk flush (from schedule) or offladed to raid1/10d.
      It's queued in current->bio_list.
      
      Cc: Coly Li <colyli@suse.de>
      Suggested-by: default avatarNeilBrown <neilb@suse.com>
      Reviewed-by: default avatarJack Wang <jinpu.wang@profitbricks.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      [bwh: For 3.16, drop the raid10 part as advised]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      67c14169
    • Johan Hovold's avatar
      USB: iowarrior: fix NULL-deref in write · f9d23397
      Johan Hovold authored
      commit de46e566 upstream.
      
      Make sure to verify that we have the required interrupt-out endpoint for
      IOWarrior56 devices to avoid dereferencing a NULL-pointer in write
      should a malicious device lack such an endpoint.
      
      Fixes: 946b960d ("USB: add driver for iowarrior devices.")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f9d23397
    • Stefan Brüns's avatar
      dvb-usb-firmware: don't do DMA on stack · e9b38044
      Stefan Brüns authored
      commit 67b0503d upstream.
      
      The buffer allocation for the firmware data was changed in
      commit 43fab979 ("[media] dvb-usb: don't use stack for firmware load")
      but the same applies for the reset value.
      
      Fixes: 43fab979 ("[media] dvb-usb: don't use stack for firmware load")
      Signed-off-by: default avatarStefan Brüns <stefan.bruens@rwth-aachen.de>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e9b38044
    • Mauro Carvalho Chehab's avatar
      dvb-usb: don't use stack for firmware load · 51aa8ee4
      Mauro Carvalho Chehab authored
      commit 43fab979 upstream.
      
      As reported by Marc Duponcheel <marc@offline.be>, firmware load on
      dvb-usb is using the stack, with is not allowed anymore on default
      Kernel configurations:
      
      [ 1025.958836] dvb-usb: found a 'WideView WT-220U PenType Receiver (based on ZL353)' in cold state, will try to load a firmware
      [ 1025.958853] dvb-usb: downloading firmware from file 'dvb-usb-wt220u-zl0353-01.fw'
      [ 1025.958855] dvb-usb: could not stop the USB controller CPU.
      [ 1025.958856] dvb-usb: error while transferring firmware (transferred size: -11, block size: 3)
      [ 1025.958856] dvb-usb: firmware download failed at 8 with -22
      [ 1025.958867] usbcore: registered new interface driver dvb_usb_dtt200u
      
      [    2.789902] dvb-usb: downloading firmware from file 'dvb-usb-wt220u-zl0353-01.fw'
      [    2.789905] ------------[ cut here ]------------
      [    2.789911] WARNING: CPU: 3 PID: 2196 at drivers/usb/core/hcd.c:1584 usb_hcd_map_urb_for_dma+0x430/0x560 [usbcore]
      [    2.789912] transfer buffer not dma capable
      [    2.789912] Modules linked in: btusb dvb_usb_dtt200u(+) dvb_usb_af9035(+) btrtl btbcm dvb_usb dvb_usb_v2 btintel dvb_core bluetooth rc_core rfkill x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd drm_kms_helper syscopyarea sysfillrect pcspkr i2c_i801 sysimgblt fb_sys_fops drm i2c_smbus i2c_core r8169 lpc_ich mfd_core mii thermal fan rtc_cmos video button acpi_cpufreq processor snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd crc32c_intel ahci libahci libata xhci_pci ehci_pci xhci_hcd ehci_hcd usbcore usb_common dm_mirror dm_region_hash dm_log dm_mod
      [    2.789936] CPU: 3 PID: 2196 Comm: systemd-udevd Not tainted 4.9.0-gentoo #1
      [    2.789937] Hardware name: ASUS All Series/H81I-PLUS, BIOS 0401 07/23/2013
      [    2.789938]  ffffc9000339b690 ffffffff812bd397 ffffc9000339b6e0 0000000000000000
      [    2.789939]  ffffc9000339b6d0 ffffffff81055c86 000006300339b6a0 ffff880116c0c000
      [    2.789941]  0000000000000000 0000000000000000 0000000000000001 ffff880116c08000
      [    2.789942] Call Trace:
      [    2.789945]  [<ffffffff812bd397>] dump_stack+0x4d/0x66
      [    2.789947]  [<ffffffff81055c86>] __warn+0xc6/0xe0
      [    2.789948]  [<ffffffff81055cea>] warn_slowpath_fmt+0x4a/0x50
      [    2.789952]  [<ffffffffa006d460>] usb_hcd_map_urb_for_dma+0x430/0x560 [usbcore]
      [    2.789954]  [<ffffffff814ed5a8>] ? io_schedule_timeout+0xd8/0x110
      [    2.789956]  [<ffffffffa006e09c>] usb_hcd_submit_urb+0x9c/0x980 [usbcore]
      [    2.789958]  [<ffffffff812d0ebf>] ? copy_page_to_iter+0x14f/0x2b0
      [    2.789960]  [<ffffffff81126818>] ? pagecache_get_page+0x28/0x240
      [    2.789962]  [<ffffffff8118c2a0>] ? touch_atime+0x20/0xa0
      [    2.789964]  [<ffffffffa006f7c4>] usb_submit_urb+0x2c4/0x520 [usbcore]
      [    2.789967]  [<ffffffffa006feca>] usb_start_wait_urb+0x5a/0xe0 [usbcore]
      [    2.789969]  [<ffffffffa007000c>] usb_control_msg+0xbc/0xf0 [usbcore]
      [    2.789970]  [<ffffffffa067903d>] usb_cypress_writemem+0x3d/0x40 [dvb_usb]
      [    2.789972]  [<ffffffffa06791cf>] usb_cypress_load_firmware+0x4f/0x130 [dvb_usb]
      [    2.789973]  [<ffffffff8109dbbe>] ? console_unlock+0x2fe/0x5d0
      [    2.789974]  [<ffffffff8109e10c>] ? vprintk_emit+0x27c/0x410
      [    2.789975]  [<ffffffff8109e40a>] ? vprintk_default+0x1a/0x20
      [    2.789976]  [<ffffffff81124d76>] ? printk+0x43/0x4b
      [    2.789977]  [<ffffffffa0679310>] dvb_usb_download_firmware+0x60/0xd0 [dvb_usb]
      [    2.789979]  [<ffffffffa0679898>] dvb_usb_device_init+0x3d8/0x610 [dvb_usb]
      [    2.789981]  [<ffffffffa069e302>] dtt200u_usb_probe+0x92/0xd0 [dvb_usb_dtt200u]
      [    2.789984]  [<ffffffffa007420c>] usb_probe_interface+0xfc/0x270 [usbcore]
      [    2.789985]  [<ffffffff8138bf95>] driver_probe_device+0x215/0x2d0
      [    2.789986]  [<ffffffff8138c0e6>] __driver_attach+0x96/0xa0
      [    2.789987]  [<ffffffff8138c050>] ? driver_probe_device+0x2d0/0x2d0
      [    2.789988]  [<ffffffff81389ffb>] bus_for_each_dev+0x5b/0x90
      [    2.789989]  [<ffffffff8138b7b9>] driver_attach+0x19/0x20
      [    2.789990]  [<ffffffff8138b33c>] bus_add_driver+0x11c/0x220
      [    2.789991]  [<ffffffff8138c91b>] driver_register+0x5b/0xd0
      [    2.789994]  [<ffffffffa0072f6c>] usb_register_driver+0x7c/0x130 [usbcore]
      [    2.789994]  [<ffffffffa06a5000>] ? 0xffffffffa06a5000
      [    2.789996]  [<ffffffffa06a501e>] dtt200u_usb_driver_init+0x1e/0x20 [dvb_usb_dtt200u]
      [    2.789997]  [<ffffffff81000408>] do_one_initcall+0x38/0x140
      [    2.789998]  [<ffffffff8116001c>] ? __vunmap+0x7c/0xc0
      [    2.789999]  [<ffffffff81124fb0>] ? do_init_module+0x22/0x1d2
      [    2.790000]  [<ffffffff81124fe8>] do_init_module+0x5a/0x1d2
      [    2.790002]  [<ffffffff810c96b1>] load_module+0x1e11/0x2580
      [    2.790003]  [<ffffffff810c68b0>] ? show_taint+0x30/0x30
      [    2.790004]  [<ffffffff81177250>] ? kernel_read_file+0x100/0x190
      [    2.790005]  [<ffffffff810c9ffa>] SyS_finit_module+0xba/0xc0
      [    2.790007]  [<ffffffff814f13e0>] entry_SYSCALL_64_fastpath+0x13/0x94
      [    2.790008] ---[ end trace c78a74e78baec6fc ]---
      
      So, allocate the structure dynamically.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      51aa8ee4
    • Johan Hovold's avatar
      USB: serial: safe_serial: fix information leak in completion handler · 6cce4490
      Johan Hovold authored
      commit 8c76d7cd upstream.
      
      Add missing sanity check to the bulk-in completion handler to avoid an
      integer underflow that could be triggered by a malicious device.
      
      This avoids leaking up to 56 bytes from after the URB transfer buffer to
      user space.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6cce4490
    • Johan Hovold's avatar
      USB: serial: io_ti: fix NULL-deref in interrupt callback · 794bbd75
      Johan Hovold authored
      commit 0b1d250a upstream.
      
      Fix a NULL-pointer dereference in the interrupt callback should a
      malicious device send data containing a bad port number by adding the
      missing sanity check.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      794bbd75
    • Paul Burton's avatar
      MIPS: End spinlocks with .insn · 71071ed7
      Paul Burton authored
      commit 4b5347a2 upstream.
      
      When building for microMIPS we need to ensure that the assembler always
      knows that there is code at the target of a branch or jump. Recent
      toolchains will fail to link a microMIPS kernel when this isn't the case
      due to what it thinks is a branch to non-microMIPS code.
      
      mips-mti-linux-gnu-ld kernel/built-in.o: .spinlock.text+0x2fc: Unsupported branch between ISA modes.
      mips-mti-linux-gnu-ld final link failed: Bad value
      
      This is due to inline assembly labels in spinlock.h not being followed
      by an instruction mnemonic, either due to a .subsection pseudo-op or the
      end of the inline asm block.
      
      Fix this with a .insn direction after such labels.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Reviewed-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/15325/Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      71071ed7
    • Max Lohrmann's avatar
      target: Fix VERIFY_16 handling in sbc_parse_cdb · 438141f9
      Max Lohrmann authored
      commit 13603685 upstream.
      
      As reported by Max, the Windows 2008 R2 chkdsk utility expects
      VERIFY_16 to be supported, and does not handle the returned
      CHECK_CONDITION properly, resulting in an infinite loop.
      
      The kernel will log huge amounts of this error:
      
      kernel: TARGET_CORE[iSCSI]: Unsupported SCSI Opcode 0x8f, sending
      CHECK_CONDITION.
      Signed-off-by: default avatarMax Lohrmann <post@wickenrode.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      438141f9
    • Nicholas Bellinger's avatar
      target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export · af3c9669
      Nicholas Bellinger authored
      commit a04e54f2 upstream.
      
      The following fixes a divide by zero OOPs with TYPE_TAPE
      due to pscsi_tape_read_blocksize() failing causing a zero
      sd->sector_size being propigated up via dev_attrib.hw_block_size.
      
      It also fixes another long-standing bug where TYPE_TAPE and
      TYPE_MEDIMUM_CHANGER where using pscsi_create_type_other(),
      which does not call scsi_device_get() to take the device
      reference.  Instead, rename pscsi_create_type_rom() to
      pscsi_create_type_nondisk() and use it for all cases.
      
      Finally, also drop a dump_stack() in pscsi_get_blocks() for
      non TYPE_DISK, which in modern target-core can get invoked
      via target_sense_desc_format() during CHECK_CONDITION.
      Reported-by: default avatarMalcolm Haak <insanemal@gmail.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [bwh: Backported to 3.16:
       - Deleted log format is slightly different
       - Cast Scsi_Host::max_sectors from unsigned short to unsigned int, to avoid
         a warning about differing types in min_not_zero()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      af3c9669
    • Anton Blanchard's avatar
      scsi: lpfc: Add shutdown method for kexec · bf0637d0
      Anton Blanchard authored
      commit 85e8a239 upstream.
      
      We see lpfc devices regularly fail during kexec. Fix this by adding a
      shutdown method which mirrors the remove method.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Reviewed-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Tested-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bf0637d0
    • Michael Ellerman's avatar
      powerpc/boot: Fix zImage TOC alignment · 66c427ba
      Michael Ellerman authored
      commit 97ee351b upstream.
      
      Recent toolchains force the TOC to be 256 byte aligned. We need to
      enforce this alignment in the zImage linker script, otherwise pointers
      to our TOC variables (__toc_start) could be incorrect. If the actual
      start of the TOC and __toc_start don't have the same value we crash
      early in the zImage wrapper.
      Suggested-by: default avatarAlan Modra <amodra@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      66c427ba
    • Kai-Heng Feng's avatar
      Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000 · 9f019712
      Kai-Heng Feng authored
      commit 45838660 upstream.
      
      The aux port does not get detected without noloop quirk, so external PS/2
      mouse cannot work as result.
      
      The PS/2 mouse can work with this quirk.
      
      BugLink: https://bugs.launchpad.net/bugs/1591053Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Reviewed-by: default avatarMarcos Paulo de Souza <marcos.souza.org@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9f019712
    • Ilya Dryomov's avatar
      libceph: don't set weight to IN when OSD is destroyed · df138293
      Ilya Dryomov authored
      commit b581a585 upstream.
      
      Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
      osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
      This changes the result of applying an incremental for clients, not
      just OSDs.  Because CRUSH computations are obviously affected,
      pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
      object placement, resulting in misdirected requests.
      
      Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.
      
      Fixes: 930c5328 ("libceph: apply new_state before new_up_client on incrementals")
      Link: http://tracker.ceph.com/issues/19122Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      df138293
    • Raghava Aditya Renukunta's avatar
      scsi: aacraid: Fix typo in blink status · eddc7255
      Raghava Aditya Renukunta authored
      commit 934767c5 upstream.
      
      The return status of the adapter check on KERNEL_PANIC is supposed to be
      the upper 16 bits of the OMR status register.
      
      Fixes: c421530b (scsi: aacraid: Reorder Adpater status check)
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarRaghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
      Reviewed-by: default avatarDave Carroll <david.carroll@microsemi.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      eddc7255
    • Johan Hovold's avatar
      USB: serial: digi_acceleport: fix OOB-event processing · 785fd5e9
      Johan Hovold authored
      commit 2e46565c upstream.
      
      A recent change claimed to fix an off-by-one error in the OOB-port
      completion handler, but instead introduced such an error. This could
      specifically led to modem-status changes going unnoticed, effectively
      breaking TIOCMGET.
      
      Note that the offending commit fixes a loop-condition underflow and is
      marked for stable, but should not be backported without this fix.
      Reported-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Fixes: 2d380889 ("USB: serial: digi_acceleport: fix OOB data sanity
      check")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      785fd5e9
    • Felipe Balbi's avatar
      usb: gadget: function: f_fs: pass companion descriptor along · 26447e2d
      Felipe Balbi authored
      commit 2bfa0719 upstream.
      
      If we're dealing with SuperSpeed endpoints, we need
      to make sure to pass along the companion descriptor
      and initialize fields needed by the Gadget
      API. Eventually, f_fs.c should be converted to use
      config_ep_by_speed() like all other functions,
      though.
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      26447e2d
    • Felipe Balbi's avatar
      usb: dwc3: gadget: make Set Endpoint Configuration macros safe · 69ceee0a
      Felipe Balbi authored
      commit 7369090a upstream.
      
      Some gadget drivers are bad, bad boys. We notice
      that ADB was passing bad Burst Size which caused top
      bits of param0 to be overwritten which confused DWC3
      when running this command.
      
      In order to avoid future issues, we're going to make
      sure values passed by macros are always safe for the
      controller. Note that ADB still needs a fix to *not*
      pass bad values.
      Reported-by: default avatarMohamed Abbas <mohamed.abbas@intel.com>
      Sugested-by: default avatarAdam Andruszak <adam.andruszak@intel.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      69ceee0a
    • Florian Fainelli's avatar
      net: phy: Do not perform software reset for Generic PHY · 1d33b989
      Florian Fainelli authored
      commit 0878fff1 upstream.
      
      The Generic PHY driver is a catch-all PHY driver and it should preserve
      whatever prior initialization has been done by boot loader or firmware
      agents. For specific PHY device configuration it is expected that a
      specialized PHY driver would take over that role.
      
      Resetting the generic PHY was a bad idea that has lead to several
      complaints and downstream workarounds e.g: in OpenWrt/LEDE so restore
      the behavior prior to 87aa9f9c ("net: phy: consolidate PHY
      reset in phy_init_hw()").
      Reported-by: default avatarFelix Fietkau <nbd@nbd.name>
      Fixes: 87aa9f9c ("net: phy: consolidate PHY reset in phy_init_hw()")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1d33b989
    • Jon Mason's avatar
      ARM: dts: BCM5301X: Correct GIC_PPI interrupt flags · 92171949
      Jon Mason authored
      commit 0c2bf9f9 upstream.
      
      GIC_PPI flags were misconfigured for the timers, resulting in errors
      like:
      [    0.000000] GIC: PPI11 is secure or misconfigured
      
      Changing them to being edge triggered corrects the issue
      Suggested-by: default avatarRafał Miłecki <rafal@milecki.pl>
      Signed-off-by: default avatarJon Mason <jon.mason@broadcom.com>
      Fixes: d27509f1 ("ARM: BCM5301X: add dts files for BCM4708 SoC")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      92171949
    • Sven Eckelmann's avatar
      batman-adv: Keep fragments equally sized · 628b27c3
      Sven Eckelmann authored
      commit 1c2bcc76 upstream.
      
      The batman-adv fragmentation packets have the design problem that they
      cannot be refragmented and cannot handle padding by the underlying link.
      The latter often leads to problems when networks are incorrectly configured
      and don't use a common MTU.
      
      The sender could for example fragment a 1271 byte frame (plus external
      ethernet header (14) and batadv unicast header (10)) to fit in a 1280 bytes
      large MTU of the underlying link (max. 1294 byte frames). This would create
      a 1294 bytes large frame (fragment 2) and a 55 bytes large frame
      (fragment 1). The extra 54 bytes are the fragment header (20) added to each
      fragment and the external ethernet header (14) for the second fragment.
      
      Let us assume that the next hop is then not able to transport 1294 bytes to
      its next hop. The 1294 byte large frame will be dropped but the 55 bytes
      large fragment will still be forwarded to its destination.
      
      Or let us assume that the underlying hardware requires that each frame has
      a minimum size (e.g. 60 bytes). Then it will pad the 55 bytes frame to 60
      bytes. The receiver of the 60 bytes frame will no longer be able to
      correctly assemble the two frames together because it is not aware that 5
      bytes of the 60 bytes frame are padding and don't belong to the reassembled
      frame.
      
      This can partly be avoided by splitting frames more equally. In this
      example, the 675 and 674 bytes large fragment frames could both potentially
      reach its destination without being too large or too small.
      Reported-by: default avatarMartin Weinelt <martin@darmstadt.freifunk.net>
      Fixes: ee75ed88 ("batman-adv: Fragment and send skbs larger than mtu")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Acked-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      628b27c3
    • Rik van Riel's avatar
      tracing: Add #undef to fix compile error · 57d310d0
      Rik van Riel authored
      commit bf7165cf upstream.
      
      There are several trace include files that define TRACE_INCLUDE_FILE.
      
      Include several of them in the same .c file (as I currently have in
      some code I am working on), and the compile will blow up with a
      "warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls"
      
      Every other include file in include/trace/events/ avoids that issue
      by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h
      should have one, too.
      
      Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com
      
      Fixes: b8007ef7 ("tracing: Separate raw syscall from syscall tracer")
      Signed-off-by: default avatarRik van Riel <riel@redhat.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      57d310d0
    • Janosch Frank's avatar
      KVM: s390: Fix guest migration for huge guests resulting in panic · 6be3b43d
      Janosch Frank authored
      commit 2e4d8800 upstream.
      
      While we can technically not run huge page guests right now, we can
      setup a guest with huge pages. Trying to migrate it will trigger a
      VM_BUG_ON and, if the kernel is not configured to panic on a BUG, it
      will happily try to work on non-existing page table entries.
      
      With this patch, we always return "dirty" if we encounter a large page
      when migrating. This at least fixes the immediate problem until we
      have proper handling for both kind of pages.
      
      Fixes: 15f36ebd ("KVM: s390: Add proper dirty bitmap support to S390 kvm.")
      Signed-off-by: default avatarJanosch Frank <frankja@linux.vnet.ibm.com>
      Acked-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      [bwh: Backported to 3.16:
       - Use respectively gmap->mm, address and pte instead of mm, addr and ptep
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6be3b43d
    • Masami Hiramatsu's avatar
      kprobes/x86: Fix kernel panic when certain exception-handling addresses are probed · 9b3026f2
      Masami Hiramatsu authored
      commit 75013fb1 upstream.
      
      Fix to the exception table entry check by using probed address
      instead of the address of copied instruction.
      
      This bug may cause unexpected kernel panic if user probe an address
      where an exception can happen which should be fixup by __ex_table
      (e.g. copy_from_user.)
      
      Unless user puts a kprobe on such address, this doesn't
      cause any problem.
      
      This bug has been introduced years ago, by commit:
      
        46484688 ("x86/kprobes: Fix a bug which can modify kernel code permanently").
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 46484688 ("x86/kprobes: Fix a bug which can modify kernel code permanently")
      Link: http://lkml.kernel.org/r/148829899399.28855.12581062400757221722.stgit@devboxSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9b3026f2
    • Chris Leech's avatar
      scsi: libiscsi: add lock around task lists to fix list corruption regression · e57d9472
      Chris Leech authored
      commit 6f8830f5 upstream.
      
      There's a rather long standing regression from the commit "libiscsi:
      Reduce locking contention in fast path"
      
      Depending on iSCSI target behavior, it's possible to hit the case in
      iscsi_complete_task where the task is still on a pending list
      (!list_empty(&task->running)).  When that happens the task is removed
      from the list while holding the session back_lock, but other task list
      modification occur under the frwd_lock.  That leads to linked list
      corruption and eventually a panicked system.
      
      Rather than back out the session lock split entirely, in order to try
      and keep some of the performance gains this patch adds another lock to
      maintain the task lists integrity.
      
      Major enterprise supported kernels have been backing out the lock split
      for while now, thanks to the efforts at IBM where a lab setup has the
      most reliable reproducer I've seen on this issue.  This patch has been
      tested there successfully.
      Signed-off-by: default avatarChris Leech <cleech@redhat.com>
      Fixes: 659743b0 ("[SCSI] libiscsi: Reduce locking contention in fast path")
      Reported-by: default avatarPrashantha Subbarao <psubbara@us.ibm.com>
      Reviewed-by: default avatarGuilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e57d9472
    • Dan Streetman's avatar
      xen: do not re-use pirq number cached in pci device msi msg data · da9865bf
      Dan Streetman authored
      commit c74fd80f upstream.
      
      Revert the main part of commit:
      af42b8d1 ("xen: fix MSI setup and teardown for PV on HVM guests")
      
      That commit introduced reading the pci device's msi message data to see
      if a pirq was previously configured for the device's msi/msix, and re-use
      that pirq.  At the time, that was the correct behavior.  However, a
      later change to Qemu caused it to call into the Xen hypervisor to unmap
      all pirqs for a pci device, when the pci device disables its MSI/MSIX
      vectors; specifically the Qemu commit:
      c976437c7dba9c7444fb41df45468968aaa326ad
      ("qemu-xen: free all the pirqs for msi/msix when driver unload")
      
      Once Qemu added this pirq unmapping, it was no longer correct for the
      kernel to re-use the pirq number cached in the pci device msi message
      data.  All Qemu releases since 2.1.0 contain the patch that unmaps the
      pirqs when the pci device disables its MSI/MSIX vectors.
      
      This bug is causing failures to initialize multiple NVMe controllers
      under Xen, because the NVMe driver sets up a single MSIX vector for
      each controller (concurrently), and then after using that to talk to
      the controller for some configuration data, it disables the single MSIX
      vector and re-configures all the MSIX vectors it needs.  So the MSIX
      setup code tries to re-use the cached pirq from the first vector
      for each controller, but the hypervisor has already given away that
      pirq to another controller, and its initialization fails.
      
      This is discussed in more detail at:
      https://lists.xen.org/archives/html/xen-devel/2017-01/msg00447.html
      
      Fixes: af42b8d1 ("xen: fix MSI setup and teardown for PV on HVM guests")
      Signed-off-by: default avatarDan Streetman <dan.streetman@canonical.com>
      Reviewed-by: default avatarStefano Stabellini <sstabellini@kernel.org>
      Acked-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      da9865bf
    • Florian Westphal's avatar
      xfrm: policy: init locks early · 6d7d4c06
      Florian Westphal authored
      commit c282222a upstream.
      
      Dmitry reports following splat:
       INFO: trying to register non-static key.
       the code is fine but needs lockdep annotation.
       turning off the locking correctness validator.
       CPU: 0 PID: 13059 Comm: syz-executor1 Not tainted 4.10.0-rc7-next-20170207 #1
      [..]
       spin_lock_bh include/linux/spinlock.h:304 [inline]
       xfrm_policy_flush+0x32/0x470 net/xfrm/xfrm_policy.c:963
       xfrm_policy_fini+0xbf/0x560 net/xfrm/xfrm_policy.c:3041
       xfrm_net_init+0x79f/0x9e0 net/xfrm/xfrm_policy.c:3091
       ops_init+0x10a/0x530 net/core/net_namespace.c:115
       setup_net+0x2ed/0x690 net/core/net_namespace.c:291
       copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
       create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
       unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
       SYSC_unshare kernel/fork.c:2281 [inline]
      
      Problem is that when we get error during xfrm_net_init we will call
      xfrm_policy_fini which will acquire xfrm_policy_lock before it was
      initialized.  Just move it around so locks get set up first.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Fixes: 283bc9f3 ("xfrm: Namespacify xfrm state/policy locks")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      [bwh: Backported to 3.2: xfrm_policy_lock is an rwlock]
      6d7d4c06
  2. 02 Jul, 2017 3 commits