1. 18 Jul, 2017 40 commits
    • Peter Zijlstra's avatar
      futex: Fix potential use-after-free in FUTEX_REQUEUE_PI · bdeee63c
      Peter Zijlstra authored
      commit c236c8e9 upstream.
      
      While working on the futex code, I stumbled over this potential
      use-after-free scenario. Dmitry triggered it later with syzkaller.
      
      pi_mutex is a pointer into pi_state, which we drop the reference on in
      unqueue_me_pi(). So any access to that pointer after that is bad.
      
      Since other sites already do rt_mutex_unlock() with hb->lock held, see
      for example futex_lock_pi(), simply move the unlock before
      unqueue_me_pi().
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarDarren Hart <dvhart@linux.intel.com>
      Cc: juri.lelli@arm.com
      Cc: bigeasy@linutronix.de
      Cc: xlpang@redhat.com
      Cc: rostedt@goodmis.org
      Cc: mathieu.desnoyers@efficios.com
      Cc: jdesfossez@efficios.com
      Cc: dvhart@infradead.org
      Cc: bristot@redhat.com
      Link: http://lkml.kernel.org/r/20170304093558.801744246@infradead.orgSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bdeee63c
    • Anssi Hannula's avatar
      mmc: sdhci-of-arasan: fix incorrect timeout clock · eef338c8
      Anssi Hannula authored
      commit 16681037 upstream.
      
      sdhci_arasan_get_timeout_clock() divides the frequency it has with (1 <<
      (13 + divisor)).
      
      However, the divisor is not some Arasan-specific value, but instead is
      just the Data Timeout Counter Value from the SDHCI Timeout Control
      Register.
      
      Applying it here like this is wrong as the sdhci driver already takes
      that value into account when calculating timeouts, and in fact it *sets*
      that register value based on how long a timeout is wanted.
      
      Additionally, sdhci core interprets the .get_timeout_clock callback
      return value as if it were read from hardware registers, i.e. the unit
      should be kHz or MHz depending on SDHCI_TIMEOUT_CLK_UNIT capability bit.
      This bit is set at least on the tested Zynq-7000 SoC.
      
      With the tested hardware (SDHCI_TIMEOUT_CLK_UNIT set) this results in
      too high a timeout clock rate being reported, causing the core to use
      longer-than-needed timeouts. Additionally, on a partitioned MMC
      (therefore having erase_group_def bit set) mmc_calc_max_discard()
      disables discard support as it looks like controller does not support
      the long timeouts needed for that.
      
      Do not apply the extra divisor and return the timeout clock in the
      expected unit.
      
      Tested with a Zynq-7000 SoC and a partitioned Toshiba THGBMAG5A1JBAWR
      eMMC card.
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@bitwise.fi>
      Fixes: e3ec3a3d ("mmc: arasan: Add driver for Arasan SDHCI")
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      eef338c8
    • Dan Williams's avatar
      USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems · 0eb58a02
      Dan Williams authored
      commit 6e9f44ea upstream.
      
      Add Quectel UC15, UC20, EC21, and EC25.  The EC20 is handled by
      qcserial due to a USB VID/PID conflict with an existing Acer
      device.
      Signed-off-by: default avatarDan Williams <dcbw@redhat.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0eb58a02
    • Samuel Thibault's avatar
      usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk · f7fdc5e2
      Samuel Thibault authored
      commit 3243367b upstream.
      
      Some USB 2.0 devices erroneously report millisecond values in
      bInterval. The generic config code manages to catch most of them,
      but in some cases it's not completely enough.
      
      The case at stake here is a USB 2.0 braille device, which wants to
      announce 10ms and thus sets bInterval to 10, but with the USB 2.0
      computation that yields to 64ms.  It happens that one can type fast
      enough to reach this interval and get the device buffers overflown,
      leading to problematic latencies.  The generic config code does not
      catch this case because the 64ms is considered a sane enough value.
      
      This change thus adds a USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL quirk
      to mark devices which actually report milliseconds in bInterval,
      and marks Vario Ultra devices as needing it.
      Signed-off-by: default avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f7fdc5e2
    • Johan Hovold's avatar
      uwb: i1480-dfu: fix NULL-deref at probe · 9c313915
      Johan Hovold authored
      commit 4ce36271 upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Note that the dereference happens in the cmd and wait_init_done
      callbacks which are called during probe.
      
      Fixes: 1ba47da5 ("uwb: add the i1480 DFU driver")
      Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
      Cc: David Vrabel <david.vrabel@csr.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9c313915
    • Johan Hovold's avatar
      uwb: hwa-rc: fix NULL-deref at probe · baf1b523
      Johan Hovold authored
      commit daf229b1 upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Note that the dereference happens in the start callback which is called
      during probe.
      
      Fixes: de520b8b ("uwb: add HWA radio controller driver")
      Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
      Cc: David Vrabel <david.vrabel@csr.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      baf1b523
    • Johan Hovold's avatar
      USB: wusbcore: fix NULL-deref at probe · bb04b1e9
      Johan Hovold authored
      commit 03ace948 upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer or accessing memory beyond the endpoint array should a
      malicious device lack the expected endpoints.
      
      This specifically fixes the NULL-pointer dereference when probing HWA HC
      devices.
      
      Fixes: df365423 ("wusb: add the Wire Adapter (WA) core")
      Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
      Cc: David Vrabel <david.vrabel@csr.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bb04b1e9
    • Johan Hovold's avatar
      USB: uss720: fix NULL-deref at probe · 4ef4acca
      Johan Hovold authored
      commit f259ca3e upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer or accessing memory beyond the endpoint array should a
      malicious device lack the expected endpoints.
      
      Note that the endpoint access that causes the NULL-deref is currently
      only used for debugging purposes during probe so the oops only happens
      when dynamic debugging is enabled. This means the driver could be
      rewritten to continue to accept device with only two endpoints, should
      such devices exist.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4ef4acca
    • Johan Hovold's avatar
      USB: idmouse: fix NULL-deref at probe · 5b6dacbc
      Johan Hovold authored
      commit b0addd3f upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5b6dacbc
    • Jon Maxwell's avatar
      dccp/tcp: fix routing redirect race · d81550ad
      Jon Maxwell authored
      commit 45caeaa5 upstream.
      
      As Eric Dumazet pointed out this also needs to be fixed in IPv6.
      v2: Contains the IPv6 tcp/Ipv6 dccp patches as well.
      
      We have seen a few incidents lately where a dst_enty has been freed
      with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that
      dst_entry. If the conditions/timings are right a crash then ensues when the
      freed dst_entry is referenced later on. A Common crashing back trace is:
      
       #8 [] page_fault at ffffffff8163e648
          [exception RIP: __tcp_ack_snd_check+74]
      .
      .
       #9 [] tcp_rcv_established at ffffffff81580b64
      #10 [] tcp_v4_do_rcv at ffffffff8158b54a
      #11 [] tcp_v4_rcv at ffffffff8158cd02
      #12 [] ip_local_deliver_finish at ffffffff815668f4
      #13 [] ip_local_deliver at ffffffff81566bd9
      #14 [] ip_rcv_finish at ffffffff8156656d
      #15 [] ip_rcv at ffffffff81566f06
      #16 [] __netif_receive_skb_core at ffffffff8152b3a2
      #17 [] __netif_receive_skb at ffffffff8152b608
      #18 [] netif_receive_skb at ffffffff8152b690
      #19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3]
      #20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3]
      #21 [] net_rx_action at ffffffff8152bac2
      #22 [] __do_softirq at ffffffff81084b4f
      #23 [] call_softirq at ffffffff8164845c
      #24 [] do_softirq at ffffffff81016fc5
      #25 [] irq_exit at ffffffff81084ee5
      #26 [] do_IRQ at ffffffff81648ff8
      
      Of course it may happen with other NIC drivers as well.
      
      It's found the freed dst_entry here:
      
       224 static bool tcp_in_quickack_mode(struct sock *sk)
       225 {
       226 ▹       const struct inet_connection_sock *icsk = inet_csk(sk);
       227 ▹       const struct dst_entry *dst = __sk_dst_get(sk);
       228 
       229 ▹       return (dst && dst_metric(dst, RTAX_QUICKACK)) ||
       230 ▹       ▹       (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);
       231 }
      
      But there are other backtraces attributed to the same freed dst_entry in
      netfilter code as well.
      
      All the vmcores showed 2 significant clues:
      
      - Remote hosts behind the default gateway had always been redirected to a
      different gateway. A rtable/dst_entry will be added for that host. Making
      more dst_entrys with lower reference counts. Making this more probable.
      
      - All vmcores showed a postitive LockDroppedIcmps value, e.g:
      
      LockDroppedIcmps                  267
      
      A closer look at the tcp_v4_err() handler revealed that do_redirect() will run
      regardless of whether user space has the socket locked. This can result in a
      race condition where the same dst_entry cached in sk->sk_dst_entry can be
      decremented twice for the same socket via:
      
      do_redirect()->__sk_dst_check()-> dst_release().
      
      Which leads to the dst_entry being prematurely freed with another socket
      pointing to it via sk->sk_dst_cache and a subsequent crash.
      
      To fix this skip do_redirect() if usespace has the socket locked. Instead let
      the redirect take place later when user space does not have the socket
      locked.
      
      The dccp/IPv6 code is very similar in this respect, so fixing it there too.
      
      As Eric Garver pointed out the following commit now invalidates routes. Which
      can set the dst->obsolete flag so that ipv4_dst_check() returns null and
      triggers the dst_release().
      
      Fixes: ceb33206 ("ipv4: Kill routes during PMTU/redirect updates.")
      Cc: Eric Garver <egarver@redhat.com>
      Cc: Hannes Sowa <hsowa@redhat.com>
      Signed-off-by: default avatarJon Maxwell <jmaxwell37@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d81550ad
    • Johan Hovold's avatar
      net: wimax/i2400m: fix NULL-deref at probe · 83bf5609
      Johan Hovold authored
      commit 6e526fdf upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer or accessing memory beyond the endpoint array should a
      malicious device lack the expected endpoints.
      
      The endpoints are specifically dereferenced in the i2400m_bootrom_init
      path during probe (e.g. in i2400mu_tx_bulk_out).
      
      Fixes: f398e424 ("i2400m/USB: probe/disconnect, dev init/shutdown
      and reset backends")
      Cc: Inaky Perez-Gonzalez <inaky@linux.intel.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      83bf5609
    • Johan Hovold's avatar
      isdn/gigaset: fix NULL-deref at probe · dd470c92
      Johan Hovold authored
      commit 68c32f9c upstream.
      
      Make sure to check the number of endpoints to avoid dereferencing a
      NULL-pointer should a malicious device lack endpoints.
      
      Fixes: cf7776dc ("[PATCH] isdn4linux: Siemens Gigaset drivers -
      direct USB connection")
      Cc: Hansjoerg Lipp <hjlipp@web.de>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dd470c92
    • Sabrina Dubroca's avatar
      ipv6: make ECMP route replacement less greedy · 731cf50c
      Sabrina Dubroca authored
      commit 67e19400 upstream.
      
      Commit 27596472 ("ipv6: fix ECMP route replacement") introduced a
      loop that removes all siblings of an ECMP route that is being
      replaced. However, this loop doesn't stop when it has replaced
      siblings, and keeps removing other routes with a higher metric.
      We also end up triggering the WARN_ON after the loop, because after
      this nsiblings < 0.
      
      Instead, stop the loop when we have taken care of all routes with the
      same metric as the route being replaced.
      
        Reproducer:
        ===========
          #!/bin/sh
      
          ip netns add ns1
          ip netns add ns2
          ip -net ns1 link set lo up
      
          for x in 0 1 2 ; do
              ip link add veth$x netns ns2 type veth peer name eth$x netns ns1
              ip -net ns1 link set eth$x up
              ip -net ns2 link set veth$x up
          done
      
          ip -net ns1 -6 r a 2000::/64 nexthop via fe80::0 dev eth0 \
                  nexthop via fe80::1 dev eth1 nexthop via fe80::2 dev eth2
          ip -net ns1 -6 r a 2000::/64 via fe80::42 dev eth0 metric 256
          ip -net ns1 -6 r a 2000::/64 via fe80::43 dev eth0 metric 2048
      
          echo "before replace, 3 routes"
          ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
          echo
      
          ip -net ns1 -6 r c 2000::/64 nexthop via fe80::4 dev eth0 \
                  nexthop via fe80::5 dev eth1 nexthop via fe80::6 dev eth2
      
          echo "after replace, only 2 routes, metric 2048 is gone"
          ip -net ns1 -6 r | grep -v '^fe80\|^ff00'
      
      Fixes: 27596472 ("ipv6: fix ECMP route replacement")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Reviewed-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      731cf50c
    • Kinglong Mee's avatar
      NFSv4: fix a reference leak caused WARNING messages · 7c8951f3
      Kinglong Mee authored
      commit 366a1569 upstream.
      
      Because nfs4_opendata_access() has close the state when access is denied,
      so the state isn't leak.
      Rather than revert the commit a974deee, I'd like clean the strange state close.
      
      [ 1615.094218] ------------[ cut here ]------------
      [ 1615.094607] WARNING: CPU: 0 PID: 23702 at lib/list_debug.c:31 __list_add_valid+0x8e/0xa0
      [ 1615.094913] list_add double add: new=ffff9d7901d9f608, prev=ffff9d7901d9f608, next=ffff9d7901ee8dd0.
      [ 1615.095458] Modules linked in: nfsv4(E) nfs(E) nfsd(E) tun bridge stp llc fuse ip_set nfnetlink vmw_vsock_vmci_transport vsock f2fs snd_seq_midi snd_seq_midi_event fscrypto coretemp ppdev crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_rapl_perf vmw_balloon snd_ens1371 joydev gameport snd_ac97_codec ac97_bus snd_seq snd_pcm snd_rawmidi snd_timer snd_seq_device snd soundcore nfit parport_pc parport acpi_cpufreq tpm_tis tpm_tis_core tpm i2c_piix4 vmw_vmci shpchp auth_rpcgss nfs_acl lockd(E) grace sunrpc(E) xfs libcrc32c vmwgfx drm_kms_helper ttm drm crc32c_intel mptspi e1000 serio_raw scsi_transport_spi mptscsih mptbase ata_generic pata_acpi fjes [last unloaded: nfs]
      [ 1615.097663] CPU: 0 PID: 23702 Comm: fstest Tainted: G        W   E   4.11.0-rc1+ #517
      [ 1615.098015] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
      [ 1615.098807] Call Trace:
      [ 1615.099183]  dump_stack+0x63/0x86
      [ 1615.099578]  __warn+0xcb/0xf0
      [ 1615.099967]  warn_slowpath_fmt+0x5f/0x80
      [ 1615.100370]  __list_add_valid+0x8e/0xa0
      [ 1615.100760]  nfs4_put_state_owner+0x75/0xc0 [nfsv4]
      [ 1615.101136]  __nfs4_close+0x109/0x140 [nfsv4]
      [ 1615.101524]  nfs4_close_state+0x15/0x20 [nfsv4]
      [ 1615.101949]  nfs4_close_context+0x21/0x30 [nfsv4]
      [ 1615.102691]  __put_nfs_open_context+0xb8/0x110 [nfs]
      [ 1615.103155]  put_nfs_open_context+0x10/0x20 [nfs]
      [ 1615.103586]  nfs4_file_open+0x13b/0x260 [nfsv4]
      [ 1615.103978]  do_dentry_open+0x20a/0x2f0
      [ 1615.104369]  ? nfs4_copy_file_range+0x30/0x30 [nfsv4]
      [ 1615.104739]  vfs_open+0x4c/0x70
      [ 1615.105106]  ? may_open+0x5a/0x100
      [ 1615.105469]  path_openat+0x623/0x1420
      [ 1615.105823]  do_filp_open+0x91/0x100
      [ 1615.106174]  ? __alloc_fd+0x3f/0x170
      [ 1615.106568]  do_sys_open+0x130/0x220
      [ 1615.106920]  ? __put_cred+0x3d/0x50
      [ 1615.107256]  SyS_open+0x1e/0x20
      [ 1615.107588]  entry_SYSCALL_64_fastpath+0x1a/0xa9
      [ 1615.107922] RIP: 0033:0x7fab599069b0
      [ 1615.108247] RSP: 002b:00007ffcf0600d78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
      [ 1615.108575] RAX: ffffffffffffffda RBX: 00007fab59bcfae0 RCX: 00007fab599069b0
      [ 1615.108896] RDX: 0000000000000200 RSI: 0000000000000200 RDI: 00007ffcf060255e
      [ 1615.109211] RBP: 0000000000040010 R08: 0000000000000000 R09: 0000000000000016
      [ 1615.109515] R10: 00000000000006a1 R11: 0000000000000246 R12: 0000000000041000
      [ 1615.109806] R13: 0000000000040010 R14: 0000000000001000 R15: 0000000000002710
      [ 1615.110152] ---[ end trace 96ed63b1306bf2f3 ]---
      
      Fixes: a974deee ("NFSv4: Fix memory and state leak in...")
      Signed-off-by: default avatarKinglong Mee <kinglongmee@gmail.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7c8951f3
    • Andy Shevchenko's avatar
      x86/platform/intel-mid: Correct MSI IRQ line for watchdog device · d95b95c8
      Andy Shevchenko authored
      commit 80354c29 upstream.
      
      The interrupt line used for the watchdog is 12, according to the official
      Intel Edison BSP code.
      
      And indeed after fixing it we start getting an interrupt and thus the
      watchdog starts working again:
      
        [  191.699951] Kernel panic - not syncing: Kernel Watchdog
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: David Cohen <david.a.cohen@linux.intel.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 78a3bb9e ("x86: intel-mid: add watchdog platform code for Merrifield")
      Link: http://lkml.kernel.org/r/20170312150744.45493-1-andriy.shevchenko@linux.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d95b95c8
    • Edwin Chan's avatar
      net: bcmgenet: add begin/complete ethtool ops · f3139612
      Edwin Chan authored
      commit 89316fa3 upstream.
      
      Make sure clock is enabled for ethtool ops.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarEdwin Chan <edwin.chan@broadcom.com>
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f3139612
    • Doug Berger's avatar
      net: bcmgenet: Power up the internal PHY before probing the MII · 4a2a92a6
      Doug Berger authored
      commit 6be371b0 upstream.
      
      When using the internal PHY it must be powered up when the MII is probed
      or the PHY will not be detected.  Since the PHY is powered up at reset
      this has not been a problem.  However, when the kernel is restarted with
      kexec the PHY will likely be powered down when the kernel starts so it
      will not be detected and the Ethernet link will not be established.
      
      This commit explicitly powers up the internal PHY when the GENET driver
      is probed to correct this behavior.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4a2a92a6
    • Doug Berger's avatar
      net: bcmgenet: synchronize irq0 status between the isr and task · 0b3e9014
      Doug Berger authored
      commit 07c52d6a upstream.
      
      Add a spinlock to ensure that irq0_stat is not unintentionally altered
      as the result of preemption.  Also removed unserviced irq0 interrupts
      and removed irq1_stat since there is no bottom half service for those
      interrupts.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16:
       - bcmgenet_irq_task() only handles UMAC_IRQ_LINK_UP and UMAC_IRQ_LINK_DOWN
         status flags
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0b3e9014
    • Doug Berger's avatar
      net: bcmgenet: correct MIB access of UniMAC RUNT counters · f1ab736d
      Doug Berger authored
      commit 1ad3d225 upstream.
      
      The gap between the Tx status counters and the Rx RUNT counters is now
      being added to allow correct reporting of the registers.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f1ab736d
    • Doug Berger's avatar
      net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values · 42641b91
      Doug Berger authored
      commit ffff7132 upstream.
      
      The location of the RBUF overflow and error counters has moved between
      different version of the GENET MAC.  This commit corrects the driver to
      read from the correct locations depending on the version of the GENET
      MAC.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarDoug Berger <opendmb@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      42641b91
    • Alexey Kodanev's avatar
      udp: avoid ufo handling on IP payload compression packets · e3e9c1c7
      Alexey Kodanev authored
      commit 4b3b45ed upstream.
      
      commit c146066a ("ipv4: Don't use ufo handling on later transformed
      packets") and commit f89c56ce ("ipv6: Don't use ufo handling on
      later transformed packets") added a check that 'rt->dst.header_len' isn't
      zero in order to skip UFO, but it doesn't include IPcomp in transport mode
      where it equals zero.
      
      Packets, after payload compression, may not require further fragmentation,
      and if original length exceeds MTU, later compressed packets will be
      transmitted incorrectly. This can be reproduced with LTP udp_ipsec.sh test
      on veth device with enabled UFO, MTU is 1500 and UDP payload is 2000:
      
      * IPv4 case, offset is wrong + unnecessary fragmentation
          udp_ipsec.sh -p comp -m transport -s 2000 &
          tcpdump -ni ltp_ns_veth2
          ...
          IP (tos 0x0, ttl 64, id 45203, offset 0, flags [+],
            proto Compressed IP (108), length 49)
            10.0.0.2 > 10.0.0.1: IPComp(cpi=0x1000)
          IP (tos 0x0, ttl 64, id 45203, offset 1480, flags [none],
            proto UDP (17), length 21) 10.0.0.2 > 10.0.0.1: ip-proto-17
      
      * IPv6 case, sending small fragments
          udp_ipsec.sh -6 -p comp -m transport -s 2000 &
          tcpdump -ni ltp_ns_veth2
          ...
          IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
            payload length: 37) fd00::2 > fd00::1: IPComp(cpi=0x1000)
          IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
            payload length: 21) fd00::2 > fd00::1: IPComp(cpi=0x1000)
      
      Fix it by checking 'rt->dst.xfrm' pointer to 'xfrm_state' struct, skip UFO
      if xfrm is set. So the new check will include both cases: IPcomp and IPsec.
      
      Fixes: c146066a ("ipv4: Don't use ufo handling on later transformed packets")
      Fixes: f89c56ce ("ipv6: Don't use ufo handling on later transformed packets")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e3e9c1c7
    • Shaohua Li's avatar
      md/raid1/10: fix potential deadlock · 67c14169
      Shaohua Li authored
      commit 61eb2b43 upstream.
      
      Neil Brown pointed out a potential deadlock in raid 10 code with
      bio_split/chain. The raid1 code could have the same issue, but recent
      barrier rework makes it less likely to happen. The deadlock happens in
      below sequence:
      
      1. generic_make_request(bio), this will set current->bio_list
      2. raid10_make_request will split bio to bio1 and bio2
      3. __make_request(bio1), wait_barrer, add underlayer disk bio to
      current->bio_list
      4. __make_request(bio2), wait_barrer
      
      If raise_barrier happens between 3 & 4, since wait_barrier runs at 3,
      raise_barrier waits for IO completion from 3. And since raise_barrier
      sets barrier, 4 waits for raise_barrier. But IO from 3 can't be
      dispatched because raid10_make_request() doesn't finished yet.
      
      The solution is to adjust the IO ordering. Quotes from Neil:
      "
      It is much safer to:
      
          if (need to split) {
              split = bio_split(bio, ...)
              bio_chain(...)
              make_request_fn(split);
              generic_make_request(bio);
         } else
              make_request_fn(mddev, bio);
      
      This way we first process the initial section of the bio (in 'split')
      which will queue some requests to the underlying devices.  These
      requests will be queued in generic_make_request.
      Then we queue the remainder of the bio, which will be added to the end
      of the generic_make_request queue.
      Then we return.
      generic_make_request() will pop the lower-level device requests off the
      queue and handle them first.  Then it will process the remainder
      of the original bio once the first section has been fully processed.
      "
      
      Note, this only happens in read path. In write path, the bio is flushed to
      underlaying disks either by blk flush (from schedule) or offladed to raid1/10d.
      It's queued in current->bio_list.
      
      Cc: Coly Li <colyli@suse.de>
      Suggested-by: default avatarNeilBrown <neilb@suse.com>
      Reviewed-by: default avatarJack Wang <jinpu.wang@profitbricks.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      [bwh: For 3.16, drop the raid10 part as advised]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      67c14169
    • Johan Hovold's avatar
      USB: iowarrior: fix NULL-deref in write · f9d23397
      Johan Hovold authored
      commit de46e566 upstream.
      
      Make sure to verify that we have the required interrupt-out endpoint for
      IOWarrior56 devices to avoid dereferencing a NULL-pointer in write
      should a malicious device lack such an endpoint.
      
      Fixes: 946b960d ("USB: add driver for iowarrior devices.")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f9d23397
    • Stefan Brüns's avatar
      dvb-usb-firmware: don't do DMA on stack · e9b38044
      Stefan Brüns authored
      commit 67b0503d upstream.
      
      The buffer allocation for the firmware data was changed in
      commit 43fab979 ("[media] dvb-usb: don't use stack for firmware load")
      but the same applies for the reset value.
      
      Fixes: 43fab979 ("[media] dvb-usb: don't use stack for firmware load")
      Signed-off-by: default avatarStefan Brüns <stefan.bruens@rwth-aachen.de>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e9b38044
    • Mauro Carvalho Chehab's avatar
      dvb-usb: don't use stack for firmware load · 51aa8ee4
      Mauro Carvalho Chehab authored
      commit 43fab979 upstream.
      
      As reported by Marc Duponcheel <marc@offline.be>, firmware load on
      dvb-usb is using the stack, with is not allowed anymore on default
      Kernel configurations:
      
      [ 1025.958836] dvb-usb: found a 'WideView WT-220U PenType Receiver (based on ZL353)' in cold state, will try to load a firmware
      [ 1025.958853] dvb-usb: downloading firmware from file 'dvb-usb-wt220u-zl0353-01.fw'
      [ 1025.958855] dvb-usb: could not stop the USB controller CPU.
      [ 1025.958856] dvb-usb: error while transferring firmware (transferred size: -11, block size: 3)
      [ 1025.958856] dvb-usb: firmware download failed at 8 with -22
      [ 1025.958867] usbcore: registered new interface driver dvb_usb_dtt200u
      
      [    2.789902] dvb-usb: downloading firmware from file 'dvb-usb-wt220u-zl0353-01.fw'
      [    2.789905] ------------[ cut here ]------------
      [    2.789911] WARNING: CPU: 3 PID: 2196 at drivers/usb/core/hcd.c:1584 usb_hcd_map_urb_for_dma+0x430/0x560 [usbcore]
      [    2.789912] transfer buffer not dma capable
      [    2.789912] Modules linked in: btusb dvb_usb_dtt200u(+) dvb_usb_af9035(+) btrtl btbcm dvb_usb dvb_usb_v2 btintel dvb_core bluetooth rc_core rfkill x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd drm_kms_helper syscopyarea sysfillrect pcspkr i2c_i801 sysimgblt fb_sys_fops drm i2c_smbus i2c_core r8169 lpc_ich mfd_core mii thermal fan rtc_cmos video button acpi_cpufreq processor snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd crc32c_intel ahci libahci libata xhci_pci ehci_pci xhci_hcd ehci_hcd usbcore usb_common dm_mirror dm_region_hash dm_log dm_mod
      [    2.789936] CPU: 3 PID: 2196 Comm: systemd-udevd Not tainted 4.9.0-gentoo #1
      [    2.789937] Hardware name: ASUS All Series/H81I-PLUS, BIOS 0401 07/23/2013
      [    2.789938]  ffffc9000339b690 ffffffff812bd397 ffffc9000339b6e0 0000000000000000
      [    2.789939]  ffffc9000339b6d0 ffffffff81055c86 000006300339b6a0 ffff880116c0c000
      [    2.789941]  0000000000000000 0000000000000000 0000000000000001 ffff880116c08000
      [    2.789942] Call Trace:
      [    2.789945]  [<ffffffff812bd397>] dump_stack+0x4d/0x66
      [    2.789947]  [<ffffffff81055c86>] __warn+0xc6/0xe0
      [    2.789948]  [<ffffffff81055cea>] warn_slowpath_fmt+0x4a/0x50
      [    2.789952]  [<ffffffffa006d460>] usb_hcd_map_urb_for_dma+0x430/0x560 [usbcore]
      [    2.789954]  [<ffffffff814ed5a8>] ? io_schedule_timeout+0xd8/0x110
      [    2.789956]  [<ffffffffa006e09c>] usb_hcd_submit_urb+0x9c/0x980 [usbcore]
      [    2.789958]  [<ffffffff812d0ebf>] ? copy_page_to_iter+0x14f/0x2b0
      [    2.789960]  [<ffffffff81126818>] ? pagecache_get_page+0x28/0x240
      [    2.789962]  [<ffffffff8118c2a0>] ? touch_atime+0x20/0xa0
      [    2.789964]  [<ffffffffa006f7c4>] usb_submit_urb+0x2c4/0x520 [usbcore]
      [    2.789967]  [<ffffffffa006feca>] usb_start_wait_urb+0x5a/0xe0 [usbcore]
      [    2.789969]  [<ffffffffa007000c>] usb_control_msg+0xbc/0xf0 [usbcore]
      [    2.789970]  [<ffffffffa067903d>] usb_cypress_writemem+0x3d/0x40 [dvb_usb]
      [    2.789972]  [<ffffffffa06791cf>] usb_cypress_load_firmware+0x4f/0x130 [dvb_usb]
      [    2.789973]  [<ffffffff8109dbbe>] ? console_unlock+0x2fe/0x5d0
      [    2.789974]  [<ffffffff8109e10c>] ? vprintk_emit+0x27c/0x410
      [    2.789975]  [<ffffffff8109e40a>] ? vprintk_default+0x1a/0x20
      [    2.789976]  [<ffffffff81124d76>] ? printk+0x43/0x4b
      [    2.789977]  [<ffffffffa0679310>] dvb_usb_download_firmware+0x60/0xd0 [dvb_usb]
      [    2.789979]  [<ffffffffa0679898>] dvb_usb_device_init+0x3d8/0x610 [dvb_usb]
      [    2.789981]  [<ffffffffa069e302>] dtt200u_usb_probe+0x92/0xd0 [dvb_usb_dtt200u]
      [    2.789984]  [<ffffffffa007420c>] usb_probe_interface+0xfc/0x270 [usbcore]
      [    2.789985]  [<ffffffff8138bf95>] driver_probe_device+0x215/0x2d0
      [    2.789986]  [<ffffffff8138c0e6>] __driver_attach+0x96/0xa0
      [    2.789987]  [<ffffffff8138c050>] ? driver_probe_device+0x2d0/0x2d0
      [    2.789988]  [<ffffffff81389ffb>] bus_for_each_dev+0x5b/0x90
      [    2.789989]  [<ffffffff8138b7b9>] driver_attach+0x19/0x20
      [    2.789990]  [<ffffffff8138b33c>] bus_add_driver+0x11c/0x220
      [    2.789991]  [<ffffffff8138c91b>] driver_register+0x5b/0xd0
      [    2.789994]  [<ffffffffa0072f6c>] usb_register_driver+0x7c/0x130 [usbcore]
      [    2.789994]  [<ffffffffa06a5000>] ? 0xffffffffa06a5000
      [    2.789996]  [<ffffffffa06a501e>] dtt200u_usb_driver_init+0x1e/0x20 [dvb_usb_dtt200u]
      [    2.789997]  [<ffffffff81000408>] do_one_initcall+0x38/0x140
      [    2.789998]  [<ffffffff8116001c>] ? __vunmap+0x7c/0xc0
      [    2.789999]  [<ffffffff81124fb0>] ? do_init_module+0x22/0x1d2
      [    2.790000]  [<ffffffff81124fe8>] do_init_module+0x5a/0x1d2
      [    2.790002]  [<ffffffff810c96b1>] load_module+0x1e11/0x2580
      [    2.790003]  [<ffffffff810c68b0>] ? show_taint+0x30/0x30
      [    2.790004]  [<ffffffff81177250>] ? kernel_read_file+0x100/0x190
      [    2.790005]  [<ffffffff810c9ffa>] SyS_finit_module+0xba/0xc0
      [    2.790007]  [<ffffffff814f13e0>] entry_SYSCALL_64_fastpath+0x13/0x94
      [    2.790008] ---[ end trace c78a74e78baec6fc ]---
      
      So, allocate the structure dynamically.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      51aa8ee4
    • Johan Hovold's avatar
      USB: serial: safe_serial: fix information leak in completion handler · 6cce4490
      Johan Hovold authored
      commit 8c76d7cd upstream.
      
      Add missing sanity check to the bulk-in completion handler to avoid an
      integer underflow that could be triggered by a malicious device.
      
      This avoids leaking up to 56 bytes from after the URB transfer buffer to
      user space.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6cce4490
    • Johan Hovold's avatar
      USB: serial: io_ti: fix NULL-deref in interrupt callback · 794bbd75
      Johan Hovold authored
      commit 0b1d250a upstream.
      
      Fix a NULL-pointer dereference in the interrupt callback should a
      malicious device send data containing a bad port number by adding the
      missing sanity check.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      794bbd75
    • Paul Burton's avatar
      MIPS: End spinlocks with .insn · 71071ed7
      Paul Burton authored
      commit 4b5347a2 upstream.
      
      When building for microMIPS we need to ensure that the assembler always
      knows that there is code at the target of a branch or jump. Recent
      toolchains will fail to link a microMIPS kernel when this isn't the case
      due to what it thinks is a branch to non-microMIPS code.
      
      mips-mti-linux-gnu-ld kernel/built-in.o: .spinlock.text+0x2fc: Unsupported branch between ISA modes.
      mips-mti-linux-gnu-ld final link failed: Bad value
      
      This is due to inline assembly labels in spinlock.h not being followed
      by an instruction mnemonic, either due to a .subsection pseudo-op or the
      end of the inline asm block.
      
      Fix this with a .insn direction after such labels.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Reviewed-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/15325/Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      71071ed7
    • Max Lohrmann's avatar
      target: Fix VERIFY_16 handling in sbc_parse_cdb · 438141f9
      Max Lohrmann authored
      commit 13603685 upstream.
      
      As reported by Max, the Windows 2008 R2 chkdsk utility expects
      VERIFY_16 to be supported, and does not handle the returned
      CHECK_CONDITION properly, resulting in an infinite loop.
      
      The kernel will log huge amounts of this error:
      
      kernel: TARGET_CORE[iSCSI]: Unsupported SCSI Opcode 0x8f, sending
      CHECK_CONDITION.
      Signed-off-by: default avatarMax Lohrmann <post@wickenrode.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      438141f9
    • Nicholas Bellinger's avatar
      target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export · af3c9669
      Nicholas Bellinger authored
      commit a04e54f2 upstream.
      
      The following fixes a divide by zero OOPs with TYPE_TAPE
      due to pscsi_tape_read_blocksize() failing causing a zero
      sd->sector_size being propigated up via dev_attrib.hw_block_size.
      
      It also fixes another long-standing bug where TYPE_TAPE and
      TYPE_MEDIMUM_CHANGER where using pscsi_create_type_other(),
      which does not call scsi_device_get() to take the device
      reference.  Instead, rename pscsi_create_type_rom() to
      pscsi_create_type_nondisk() and use it for all cases.
      
      Finally, also drop a dump_stack() in pscsi_get_blocks() for
      non TYPE_DISK, which in modern target-core can get invoked
      via target_sense_desc_format() during CHECK_CONDITION.
      Reported-by: default avatarMalcolm Haak <insanemal@gmail.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [bwh: Backported to 3.16:
       - Deleted log format is slightly different
       - Cast Scsi_Host::max_sectors from unsigned short to unsigned int, to avoid
         a warning about differing types in min_not_zero()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      af3c9669
    • Anton Blanchard's avatar
      scsi: lpfc: Add shutdown method for kexec · bf0637d0
      Anton Blanchard authored
      commit 85e8a239 upstream.
      
      We see lpfc devices regularly fail during kexec. Fix this by adding a
      shutdown method which mirrors the remove method.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Reviewed-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Tested-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bf0637d0
    • Michael Ellerman's avatar
      powerpc/boot: Fix zImage TOC alignment · 66c427ba
      Michael Ellerman authored
      commit 97ee351b upstream.
      
      Recent toolchains force the TOC to be 256 byte aligned. We need to
      enforce this alignment in the zImage linker script, otherwise pointers
      to our TOC variables (__toc_start) could be incorrect. If the actual
      start of the TOC and __toc_start don't have the same value we crash
      early in the zImage wrapper.
      Suggested-by: default avatarAlan Modra <amodra@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      66c427ba
    • Kai-Heng Feng's avatar
      Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000 · 9f019712
      Kai-Heng Feng authored
      commit 45838660 upstream.
      
      The aux port does not get detected without noloop quirk, so external PS/2
      mouse cannot work as result.
      
      The PS/2 mouse can work with this quirk.
      
      BugLink: https://bugs.launchpad.net/bugs/1591053Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Reviewed-by: default avatarMarcos Paulo de Souza <marcos.souza.org@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9f019712
    • Ilya Dryomov's avatar
      libceph: don't set weight to IN when OSD is destroyed · df138293
      Ilya Dryomov authored
      commit b581a585 upstream.
      
      Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
      osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
      This changes the result of applying an incremental for clients, not
      just OSDs.  Because CRUSH computations are obviously affected,
      pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
      object placement, resulting in misdirected requests.
      
      Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.
      
      Fixes: 930c5328 ("libceph: apply new_state before new_up_client on incrementals")
      Link: http://tracker.ceph.com/issues/19122Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      df138293
    • Raghava Aditya Renukunta's avatar
      scsi: aacraid: Fix typo in blink status · eddc7255
      Raghava Aditya Renukunta authored
      commit 934767c5 upstream.
      
      The return status of the adapter check on KERNEL_PANIC is supposed to be
      the upper 16 bits of the OMR status register.
      
      Fixes: c421530b (scsi: aacraid: Reorder Adpater status check)
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarRaghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
      Reviewed-by: default avatarDave Carroll <david.carroll@microsemi.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      eddc7255
    • Johan Hovold's avatar
      USB: serial: digi_acceleport: fix OOB-event processing · 785fd5e9
      Johan Hovold authored
      commit 2e46565c upstream.
      
      A recent change claimed to fix an off-by-one error in the OOB-port
      completion handler, but instead introduced such an error. This could
      specifically led to modem-status changes going unnoticed, effectively
      breaking TIOCMGET.
      
      Note that the offending commit fixes a loop-condition underflow and is
      marked for stable, but should not be backported without this fix.
      Reported-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Fixes: 2d380889 ("USB: serial: digi_acceleport: fix OOB data sanity
      check")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      785fd5e9
    • Felipe Balbi's avatar
      usb: gadget: function: f_fs: pass companion descriptor along · 26447e2d
      Felipe Balbi authored
      commit 2bfa0719 upstream.
      
      If we're dealing with SuperSpeed endpoints, we need
      to make sure to pass along the companion descriptor
      and initialize fields needed by the Gadget
      API. Eventually, f_fs.c should be converted to use
      config_ep_by_speed() like all other functions,
      though.
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      26447e2d
    • Felipe Balbi's avatar
      usb: dwc3: gadget: make Set Endpoint Configuration macros safe · 69ceee0a
      Felipe Balbi authored
      commit 7369090a upstream.
      
      Some gadget drivers are bad, bad boys. We notice
      that ADB was passing bad Burst Size which caused top
      bits of param0 to be overwritten which confused DWC3
      when running this command.
      
      In order to avoid future issues, we're going to make
      sure values passed by macros are always safe for the
      controller. Note that ADB still needs a fix to *not*
      pass bad values.
      Reported-by: default avatarMohamed Abbas <mohamed.abbas@intel.com>
      Sugested-by: default avatarAdam Andruszak <adam.andruszak@intel.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      69ceee0a
    • Florian Fainelli's avatar
      net: phy: Do not perform software reset for Generic PHY · 1d33b989
      Florian Fainelli authored
      commit 0878fff1 upstream.
      
      The Generic PHY driver is a catch-all PHY driver and it should preserve
      whatever prior initialization has been done by boot loader or firmware
      agents. For specific PHY device configuration it is expected that a
      specialized PHY driver would take over that role.
      
      Resetting the generic PHY was a bad idea that has lead to several
      complaints and downstream workarounds e.g: in OpenWrt/LEDE so restore
      the behavior prior to 87aa9f9c ("net: phy: consolidate PHY
      reset in phy_init_hw()").
      Reported-by: default avatarFelix Fietkau <nbd@nbd.name>
      Fixes: 87aa9f9c ("net: phy: consolidate PHY reset in phy_init_hw()")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1d33b989
    • Jon Mason's avatar
      ARM: dts: BCM5301X: Correct GIC_PPI interrupt flags · 92171949
      Jon Mason authored
      commit 0c2bf9f9 upstream.
      
      GIC_PPI flags were misconfigured for the timers, resulting in errors
      like:
      [    0.000000] GIC: PPI11 is secure or misconfigured
      
      Changing them to being edge triggered corrects the issue
      Suggested-by: default avatarRafał Miłecki <rafal@milecki.pl>
      Signed-off-by: default avatarJon Mason <jon.mason@broadcom.com>
      Fixes: d27509f1 ("ARM: BCM5301X: add dts files for BCM4708 SoC")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      92171949