1. 24 Mar, 2016 38 commits
    • Daniele Palmas's avatar
      USB: serial: option: add support for Telit LE922 PID 0x1045 · dca4f44b
      Daniele Palmas authored
      commit 5deef555 upstream.
      
      This patch adds support for 0x1045 PID of Telit LE922.
      Signed-off-by: default avatarDaniele Palmas <dnlplm@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      dca4f44b
    • Vittorio Alfieri's avatar
      USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder · 1a3d39e6
      Vittorio Alfieri authored
      commit 3c4c615d upstream.
      
      The Parrot NMEA GPS Flight Recorder is a USB composite device
      consisting of hub, flash storage, and cp210x usb to serial chip.
      It is an accessory to the mass-produced Parrot AR Drone 2.
      The device emits standard NMEA messages which make the it compatible
      with NMEA compatible software. It was tested using gpsd version 3.11-3
      as an NMEA interpreter and using the official Parrot Flight Recorder.
      Signed-off-by: default avatarVittorio Alfieri <vittorio88@gmail.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1a3d39e6
    • Patrik Halfar's avatar
      USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3) · 90bf0f3e
      Patrik Halfar authored
      commit 013dd239 upstream.
      
      New revision of Dell Wireless 5809e Gobi 4G HSPA+ Mobile Broadband Card
      has new idProduct.
      
      Bus 002 Device 006: ID 413c:81b3 Dell Computer Corp.
      Device Descriptor:
        bLength                18
        bDescriptorType         1
        bcdUSB               2.00
        bDeviceClass            0
        bDeviceSubClass         0
        bDeviceProtocol         0
        bMaxPacketSize0        64
        idVendor           0x413c Dell Computer Corp.
        idProduct          0x81b3
        bcdDevice            0.06
        iManufacturer           1 Sierra Wireless, Incorporated
        iProduct                2 Dell Wireless 5809e Gobi 4G HSPA+ Mobile Broadband Card
        iSerial                 3
        bNumConfigurations      2
      Signed-off-by: default avatarPatrik Halfar <patrik_halfar@halfarit.cz>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      90bf0f3e
    • Takashi Iwai's avatar
      ALSA: hdsp: Fix wrong boolean ctl value accesses · a8d0b8d4
      Takashi Iwai authored
      commit eab3c4db upstream.
      
      snd-hdsp driver accesses enum item values (int) instead of boolean
      values (long) wrongly for some ctl elements.  This patch fixes them.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      a8d0b8d4
    • Takashi Iwai's avatar
      ALSA: hdspm: Fix zero-division · d6a93f74
      Takashi Iwai authored
      commit c1099c32 upstream.
      
      HDSPM driver contains a code issuing zero-division potentially in
      system sample rate ctl code.  This patch fixes it by not processing
      a zero or invalid rate value as a divisor, as well as excluding the
      invalid value to be passed via the given ctl element.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d6a93f74
    • Takashi Iwai's avatar
      ALSA: hdspm: Fix wrong boolean ctl value accesses · f9171a05
      Takashi Iwai authored
      commit 537e4813 upstream.
      
      snd-hdspm driver accesses enum item values (int) instead of boolean
      values (long) wrongly for some ctl elements.  This patch fixes them.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f9171a05
    • Michael S. Tsirkin's avatar
      arm/arm64: KVM: Fix ioctl error handling · 7f7d89c7
      Michael S. Tsirkin authored
      commit 4cad67fc upstream.
      
      Calling return copy_to_user(...) in an ioctl will not
      do the right thing if there's a pagefault:
      copy_to_user returns the number of bytes not copied
      in this case.
      
      Fix up kvm to do
      	return copy_to_user(...)) ?  -EFAULT : 0;
      
      everywhere.
      Acked-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      [ luis: backported to 3.16:
        - dropped changes to arch/arm64/kvm/guest.c ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      7f7d89c7
    • Yadan Fan's avatar
      Fix cifs_uniqueid_to_ino_t() function for s390x · 386d632d
      Yadan Fan authored
      commit 1ee9f4bd upstream.
      
      This issue is caused by commit 02323db1 ("cifs: fix
      cifs_uniqueid_to_ino_t not to ever return 0"), when BITS_PER_LONG
      is 64 on s390x, the corresponding cifs_uniqueid_to_ino_t()
      function will cast 64-bit fileid to 32-bit by using (ino_t)fileid,
      because ino_t (typdefed __kernel_ino_t) is int type.
      
      It's defined in arch/s390/include/uapi/asm/posix_types.h
      
          #ifndef __s390x__
      
          typedef unsigned long   __kernel_ino_t;
          ...
          #else /* __s390x__ */
      
          typedef unsigned int    __kernel_ino_t;
      
      So the #ifdef condition is wrong for s390x, we can just still use
      one cifs_uniqueid_to_ino_t() function with comparing sizeof(ino_t)
      and sizeof(u64) to choose the correct execution accordingly.
      Signed-off-by: default avatarYadan Fan <ydfan@suse.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      386d632d
    • Pavel Shilovsky's avatar
      CIFS: Fix SMB2+ interim response processing for read requests · 7835d73f
      Pavel Shilovsky authored
      commit 6cc3b242 upstream.
      
      For interim responses we only need to parse a header and update
      a number credits. Now it is done for all SMB2+ command except
      SMB2_READ which is wrong. Fix this by adding such processing.
      Signed-off-by: default avatarPavel Shilovsky <pshilovsky@samba.org>
      Tested-by: default avatarShirish Pargaonkar <shirishpargaonkar@gmail.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      7835d73f
    • Justin Maggard's avatar
      cifs: fix out-of-bounds access in lease parsing · 5182893e
      Justin Maggard authored
      commit deb7deff upstream.
      
      When opening a file, SMB2_open() attempts to parse the lease state from the
      SMB2 CREATE Response.  However, the parsing code was not careful to ensure
      that the create contexts are not empty or invalid, which can lead to out-
      of-bounds memory access.  This can be seen easily by trying
      to read a file from a OSX 10.11 SMB3 server.  Here is sample crash output:
      
      BUG: unable to handle kernel paging request at ffff8800a1a77cc6
      IP: [<ffffffff8828a734>] SMB2_open+0x804/0x960
      PGD 8f77067 PUD 0
      Oops: 0000 [#1] SMP
      Modules linked in:
      CPU: 3 PID: 2876 Comm: cp Not tainted 4.5.0-rc3.x86_64.1+ #14
      Hardware name: NETGEAR ReadyNAS 314          /ReadyNAS 314          , BIOS 4.6.5 10/11/2012
      task: ffff880073cdc080 ti: ffff88005b31c000 task.ti: ffff88005b31c000
      RIP: 0010:[<ffffffff8828a734>]  [<ffffffff8828a734>] SMB2_open+0x804/0x960
      RSP: 0018:ffff88005b31fa08  EFLAGS: 00010282
      RAX: 0000000000000015 RBX: 0000000000000000 RCX: 0000000000000006
      RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff88007eb8c8b0
      RBP: ffff88005b31fad8 R08: 666666203d206363 R09: 6131613030383866
      R10: 3030383866666666 R11: 00000000000002b0 R12: ffff8800660fd800
      R13: ffff8800a1a77cc2 R14: 00000000424d53fe R15: ffff88005f5a28c0
      FS:  00007f7c8a2897c0(0000) GS:ffff88007eb80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: ffff8800a1a77cc6 CR3: 000000005b281000 CR4: 00000000000006e0
      Stack:
       ffff88005b31fa70 ffffffff88278789 00000000000001d3 ffff88005f5a2a80
       ffffffff00000003 ffff88005d029d00 ffff88006fde05a0 0000000000000000
       ffff88005b31fc78 ffff88006fde0780 ffff88005b31fb2f 0000000100000fe0
      Call Trace:
       [<ffffffff88278789>] ? cifsConvertToUTF16+0x159/0x2d0
       [<ffffffff8828cf68>] smb2_open_file+0x98/0x210
       [<ffffffff8811e80c>] ? __kmalloc+0x1c/0xe0
       [<ffffffff882685f4>] cifs_open+0x2a4/0x720
       [<ffffffff88122cef>] do_dentry_open+0x1ff/0x310
       [<ffffffff88268350>] ? cifsFileInfo_get+0x30/0x30
       [<ffffffff88123d92>] vfs_open+0x52/0x60
       [<ffffffff88131dd0>] path_openat+0x170/0xf70
       [<ffffffff88097d48>] ? remove_wait_queue+0x48/0x50
       [<ffffffff88133a29>] do_filp_open+0x79/0xd0
       [<ffffffff8813f2ca>] ? __alloc_fd+0x3a/0x170
       [<ffffffff881240c4>] do_sys_open+0x114/0x1e0
       [<ffffffff881241a9>] SyS_open+0x19/0x20
       [<ffffffff8896e257>] entry_SYSCALL_64_fastpath+0x12/0x6a
      Code: 4d 8d 6c 07 04 31 c0 4c 89 ee e8 47 6f e5 ff 31 c9 41 89 ce 44 89 f1 48 c7 c7 28 b1 bd 88 31 c0 49 01 cd 4c 89 ee e8 2b 6f e5 ff <45> 0f b7 75 04 48 c7 c7 31 b1 bd 88 31 c0 4d 01 ee 4c 89 f6 e8
      RIP  [<ffffffff8828a734>] SMB2_open+0x804/0x960
       RSP <ffff88005b31fa08>
      CR2: ffff8800a1a77cc6
      ---[ end trace d9f69ba64feee469 ]---
      Signed-off-by: default avatarJustin Maggard <jmaggard@netgear.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      5182893e
    • Takashi Iwai's avatar
      ALSA: timer: Fix ioctls for X32 ABI · 4dc90a86
      Takashi Iwai authored
      commit b24e7ad1 upstream.
      
      X32 ABI takes the 64bit timespec, thus the timer user status ioctl becomes
      incompatible with IA32.  This results in NOTTY error when the ioctl is
      issued.
      
      Meanwhile, this struct in X32 is essentially identical with the one in
      X86-64, so we can just bypassing to the existing code for this
      specific compat ioctl.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      4dc90a86
    • Takashi Iwai's avatar
      ALSA: timer: Fix broken compat timer user status ioctl · d2199759
      Takashi Iwai authored
      commit 3a72494a upstream.
      
      The timer user status compat ioctl returned the bogus struct used for
      64bit architectures instead of the 32bit one.  This patch addresses
      it to return the proper struct.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d2199759
    • Takashi Iwai's avatar
      ALSA: rawmidi: Fix ioctls X32 ABI · ec8ecaeb
      Takashi Iwai authored
      commit 2251fbbc upstream.
      
      Like the previous fixes for ctl and PCM, we need a fix for
      incompatible X32 ABI regarding the rawmidi: namely, struct
      snd_rawmidi_status has the timespec, and the size and the alignment on
      X32 differ from IA32.
      
      This patch fixes the incompatible ioctl for X32.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      ec8ecaeb
    • Takashi Iwai's avatar
      ALSA: ctl: Fix ioctls for X32 ABI · febe81aa
      Takashi Iwai authored
      commit 6236d8bb upstream.
      
      The X32 ABI takes the same alignment like x86-64, and this may result
      in the incompatible struct size from ia32.  Unfortunately, we hit this
      in some control ABI: struct snd_ctl_elem_value differs between them
      due to the position of 64bit variable array.  This ends up with the
      unknown ioctl (ENOTTY) error.
      
      The fix is to add the compat entries for the new aligned struct.
      Reported-and-tested-by: default avatarSteven Newbury <steve@snewbury.org.uk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      febe81aa
    • Michael S. Tsirkin's avatar
      vfio: fix ioctl error handling · 58b09b08
      Michael S. Tsirkin authored
      commit 8160c4e4 upstream.
      
      Calling return copy_to_user(...) in an ioctl will not
      do the right thing if there's a pagefault:
      copy_to_user returns the number of bytes not copied
      in this case.
      
      Fix up vfio to do
      	return copy_to_user(...)) ?
      		-EFAULT : 0;
      
      everywhere.
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      [ luis: backported to 3.16:
        - dropped changes to vfio_platform_common.c ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      58b09b08
    • Harvey Hunt's avatar
      libata: Align ata_device's id on a cacheline · 740b87f7
      Harvey Hunt authored
      commit 4ee34ea3 upstream.
      
      The id buffer in ata_device is a DMA target, but it isn't explicitly
      cacheline aligned. Due to this, adjacent fields can be overwritten with
      stale data from memory on non coherent architectures. As a result, the
      kernel is sometimes unable to communicate with an ATA device.
      
      Fix this by ensuring that the id buffer is cacheline aligned.
      
      This issue is similar to that fixed by Commit 84bda12a
      ("libata: align ap->sector_buf").
      Signed-off-by: default avatarHarvey Hunt <harvey.hunt@imgtec.com>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      740b87f7
    • Suravee Suthikulpanit's avatar
      iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered · 6786eb65
      Suravee Suthikulpanit authored
      commit 38e45d02 upstream.
      
      The setup code for the performance counters in the AMD IOMMU driver
      tests whether the counters can be written. It tests to setup a counter
      for device 00:00.0, which fails on systems where this particular device
      is not covered by the IOMMU.
      
      Fix this by not relying on device 00:00.0 but only on the IOMMU being
      present.
      Signed-off-by: default avatarSuravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6786eb65
    • David Woodhouse's avatar
      Fix directory hardlinks from deleted directories · 122a7b3a
      David Woodhouse authored
      commit be629c62 upstream.
      
      When a directory is deleted, we don't take too much care about killing off
      all the dirents that belong to it — on the basis that on remount, the scan
      will conclude that the directory is dead anyway.
      
      This doesn't work though, when the deleted directory contained a child
      directory which was moved *out*. In the early stages of the fs build
      we can then end up with an apparent hard link, with the child directory
      appearing both in its true location, and as a child of the original
      directory which are this stage of the mount process we don't *yet* know
      is defunct.
      
      To resolve this, take out the early special-casing of the "directories
      shall not have hard links" rule in jffs2_build_inode_pass1(), and let the
      normal nlink processing happen for directories as well as other inodes.
      
      Then later in the build process we can set ic->pino_nlink to the parent
      inode#, as is required for directories during normal operaton, instead
      of the nlink. And complain only *then* about hard links which are still
      in evidence even after killing off all the unreachable paths.
      Reported-by: default avatarLiu Song <liu.song11@zte.com.cn>
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      122a7b3a
    • David Woodhouse's avatar
      jffs2: Fix page lock / f->sem deadlock · d6e29517
      David Woodhouse authored
      commit 49e91e70 upstream.
      
      With this fix, all code paths should now be obtaining the page lock before
      f->sem.
      Reported-by: default avatarSzabó Tamás <sztomi89@gmail.com>
      Tested-by: default avatarThomas Betker <thomas.betker@rohde-schwarz.com>
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      d6e29517
    • Thomas Betker's avatar
      Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin" · 319f6c38
      Thomas Betker authored
      commit 157078f6 upstream.
      
      This reverts commit 5ffd3412
      ("jffs2: Fix lock acquisition order bug in jffs2_write_begin").
      
      The commit modified jffs2_write_begin() to remove a deadlock with
      jffs2_garbage_collect_live(), but this introduced new deadlocks found
      by multiple users. page_lock() actually has to be called before
      mutex_lock(&c->alloc_sem) or mutex_lock(&f->sem) because
      jffs2_write_end() and jffs2_readpage() are called with the page locked,
      and they acquire c->alloc_sem and f->sem, resp.
      
      In other words, the lock order in jffs2_write_begin() was correct, and
      it is the jffs2_garbage_collect_live() path that has to be changed.
      
      Revert the commit to get rid of the new deadlocks, and to clear the way
      for a better fix of the original deadlock.
      Reported-by: default avatarDeng Chao <deng.chao1@zte.com.cn>
      Reported-by: default avatarMing Liu <liu.ming50@gmail.com>
      Reported-by: default avatarwangzaiwei <wangzaiwei@top-vision.cn>
      Signed-off-by: default avatarThomas Betker <thomas.betker@rohde-schwarz.com>
      Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      319f6c38
    • Peter Chen's avatar
      usb: chipidea: otg: change workqueue ci_otg as freezable · 2e33adc8
      Peter Chen authored
      commit d144dfea upstream.
      
      If we use USB ID pin as wakeup source, and there is a USB block
      device on this USB OTG (ID) cable, the system will be deadlock
      after system resume.
      
      The root cause for this problem is: the workqueue ci_otg may try
      to remove hcd before the driver resume has finished, and hcd will
      disconnect the device on it, then, it will call device_release_driver,
      and holds the device lock "dev->mutex", but it is never unlocked since
      it waits workqueue writeback to run to flush the block information, but
      the workqueue writeback is freezable, it is not thawed before driver
      resume has finished.
      
      When the driver (device: sd 0:0:0:0:) resume goes to dpm_complete, it
      tries to get its device lock "dev->mutex", but it can't get it forever,
      then the deadlock occurs. Below call stacks show the situation.
      
      So, in order to fix this problem, we need to change workqueue ci_otg
      as freezable, then the work item in this workqueue will be run after
      driver's resume, this workqueue will not be blocked forever like above
      case since the workqueue writeback has been thawed too.
      
      Tested at: i.mx6qdl-sabresd and i.mx6sx-sdb.
      
      [  555.178869] kworker/u2:13   D c07de74c     0   826      2 0x00000000
      [  555.185310] Workqueue: ci_otg ci_otg_work
      [  555.189353] Backtrace:
      [  555.191849] [<c07de4fc>] (__schedule) from [<c07dec6c>] (schedule+0x48/0xa0)
      [  555.198912]  r10:ee471ba0 r9:00000000 r8:00000000 r7:00000002 r6:ee470000 r5:ee471ba4
      [  555.206867]  r4:ee470000
      [  555.209453] [<c07dec24>] (schedule) from [<c07e2fc4>] (schedule_timeout+0x15c/0x1e0)
      [  555.217212]  r4:7fffffff r3:edc2b000
      [  555.220862] [<c07e2e68>] (schedule_timeout) from [<c07df6c8>] (wait_for_common+0x94/0x144)
      [  555.229140]  r8:00000000 r7:00000002 r6:ee470000 r5:ee471ba4 r4:7fffffff
      [  555.235980] [<c07df634>] (wait_for_common) from [<c07df790>] (wait_for_completion+0x18/0x1c)
      [  555.244430]  r10:00000001 r9:c0b5563c r8:c0042e48 r7:ef086000 r6:eea4372c r5:ef131b00
      [  555.252383]  r4:00000000
      [  555.254970] [<c07df778>] (wait_for_completion) from [<c0043cb8>] (flush_work+0x19c/0x234)
      [  555.263177] [<c0043b1c>] (flush_work) from [<c0043fac>] (flush_delayed_work+0x48/0x4c)
      [  555.271106]  r8:ed5b5000 r7:c0b38a3c r6:eea439cc r5:eea4372c r4:eea4372c
      [  555.277958] [<c0043f64>] (flush_delayed_work) from [<c00eae18>] (bdi_unregister+0x84/0xec)
      [  555.286236]  r4:eea43520 r3:20000153
      [  555.289885] [<c00ead94>] (bdi_unregister) from [<c02c2154>] (blk_cleanup_queue+0x180/0x29c)
      [  555.298250]  r5:eea43808 r4:eea43400
      [  555.301909] [<c02c1fd4>] (blk_cleanup_queue) from [<c0417914>] (__scsi_remove_device+0x48/0xb8)
      [  555.310623]  r7:00000000 r6:20000153 r5:ededa950 r4:ededa800
      [  555.316403] [<c04178cc>] (__scsi_remove_device) from [<c0415e90>] (scsi_forget_host+0x64/0x68)
      [  555.325028]  r5:ededa800 r4:ed5b5000
      [  555.328689] [<c0415e2c>] (scsi_forget_host) from [<c0409828>] (scsi_remove_host+0x78/0x104)
      [  555.337054]  r5:ed5b5068 r4:ed5b5000
      [  555.340709] [<c04097b0>] (scsi_remove_host) from [<c04cdfcc>] (usb_stor_disconnect+0x50/0xb4)
      [  555.349247]  r6:ed5b56e4 r5:ed5b5818 r4:ed5b5690 r3:00000008
      [  555.355025] [<c04cdf7c>] (usb_stor_disconnect) from [<c04b3bc8>] (usb_unbind_interface+0x78/0x25c)
      [  555.363997]  r8:c13919b4 r7:edd3c000 r6:edd3c020 r5:ee551c68 r4:ee551c00 r3:c04cdf7c
      [  555.371892] [<c04b3b50>] (usb_unbind_interface) from [<c03dc248>] (__device_release_driver+0x8c/0x118)
      [  555.381213]  r10:00000001 r9:edd90c00 r8:c13919b4 r7:ee551c68 r6:c0b546e0 r5:c0b5563c
      [  555.389167]  r4:edd3c020
      [  555.391752] [<c03dc1bc>] (__device_release_driver) from [<c03dc2fc>] (device_release_driver+0x28/0x34)
      [  555.401071]  r5:edd3c020 r4:edd3c054
      [  555.404721] [<c03dc2d4>] (device_release_driver) from [<c03db304>] (bus_remove_device+0xe0/0x110)
      [  555.413607]  r5:edd3c020 r4:ef17f04c
      [  555.417253] [<c03db224>] (bus_remove_device) from [<c03d8128>] (device_del+0x114/0x21c)
      [  555.425270]  r6:edd3c028 r5:edd3c020 r4:ee551c00 r3:00000000
      [  555.431045] [<c03d8014>] (device_del) from [<c04b1560>] (usb_disable_device+0xa4/0x1e8)
      [  555.439061]  r8:edd3c000 r7:eded8000 r6:00000000 r5:00000001 r4:ee551c00
      [  555.445906] [<c04b14bc>] (usb_disable_device) from [<c04a8e54>] (usb_disconnect+0x74/0x224)
      [  555.454271]  r9:edd90c00 r8:ee551000 r7:ee551c68 r6:ee551c9c r5:ee551c00 r4:00000001
      [  555.462156] [<c04a8de0>] (usb_disconnect) from [<c04a8fb8>] (usb_disconnect+0x1d8/0x224)
      [  555.470259]  r10:00000001 r9:edd90000 r8:ee471e2c r7:ee551468 r6:ee55149c r5:ee551400
      [  555.478213]  r4:00000001
      [  555.480797] [<c04a8de0>] (usb_disconnect) from [<c04ae5ec>] (usb_remove_hcd+0xa0/0x1ac)
      [  555.488813]  r10:00000001 r9:ee471eb0 r8:00000000 r7:ef3d9500 r6:eded810c r5:eded80b0
      [  555.496765]  r4:eded8000
      [  555.499351] [<c04ae54c>] (usb_remove_hcd) from [<c04d4158>] (host_stop+0x28/0x64)
      [  555.506847]  r6:eeb50010 r5:eded8000 r4:eeb51010
      [  555.511563] [<c04d4130>] (host_stop) from [<c04d09b8>] (ci_otg_work+0xc4/0x124)
      [  555.518885]  r6:00000001 r5:eeb50010 r4:eeb502a0 r3:c04d4130
      [  555.524665] [<c04d08f4>] (ci_otg_work) from [<c00454f0>] (process_one_work+0x194/0x420)
      [  555.532682]  r6:ef086000 r5:eeb502a0 r4:edc44480
      [  555.537393] [<c004535c>] (process_one_work) from [<c00457b0>] (worker_thread+0x34/0x514)
      [  555.545496]  r10:edc44480 r9:ef086000 r8:c0b1a100 r7:ef086034 r6:00000088 r5:edc44498
      [  555.553450]  r4:ef086000
      [  555.556032] [<c004577c>] (worker_thread) from [<c004bab4>] (kthread+0xdc/0xf8)
      [  555.563268]  r10:00000000 r9:00000000 r8:00000000 r7:c004577c r6:edc44480 r5:eddc15c0
      [  555.571221]  r4:00000000
      [  555.573804] [<c004b9d8>] (kthread) from [<c000fef0>] (ret_from_fork+0x14/0x24)
      [  555.581040]  r7:00000000 r6:00000000 r5:c004b9d8 r4:eddc15c0
      
      [  553.429383] sh              D c07de74c     0   694    691 0x00000000
      [  553.435801] Backtrace:
      [  553.438295] [<c07de4fc>] (__schedule) from [<c07dec6c>] (schedule+0x48/0xa0)
      [  553.445358]  r10:edd3c054 r9:edd3c078 r8:edddbd50 r7:edcbbc00 r6:c1377c34 r5:60000153
      [  553.453313]  r4:eddda000
      [  553.455896] [<c07dec24>] (schedule) from [<c07deff8>] (schedule_preempt_disabled+0x10/0x14)
      [  553.464261]  r4:edd3c058 r3:0000000a
      [  553.467910] [<c07defe8>] (schedule_preempt_disabled) from [<c07e0bbc>] (mutex_lock_nested+0x1a0/0x3e8)
      [  553.477254] [<c07e0a1c>] (mutex_lock_nested) from [<c03e927c>] (dpm_complete+0xc0/0x1b0)
      [  553.485358]  r10:00561408 r9:edd3c054 r8:c0b4863c r7:edddbd90 r6:c0b485d8 r5:edd3c020
      [  553.493313]  r4:edd3c0d0
      [  553.495896] [<c03e91bc>] (dpm_complete) from [<c03e9388>] (dpm_resume_end+0x1c/0x20)
      [  553.503652]  r9:00000000 r8:c0b1a9d0 r7:c1334ec0 r6:c1334edc r5:00000003 r4:00000010
      [  553.511544] [<c03e936c>] (dpm_resume_end) from [<c0079894>] (suspend_devices_and_enter+0x158/0x504)
      [  553.520604]  r4:00000000 r3:c1334efc
      [  553.524250] [<c007973c>] (suspend_devices_and_enter) from [<c0079e74>] (pm_suspend+0x234/0x2cc)
      [  553.532961]  r10:00561408 r9:ed6b7300 r8:00000004 r7:c1334eec r6:00000000 r5:c1334ee8
      [  553.540914]  r4:00000003
      [  553.543493] [<c0079c40>] (pm_suspend) from [<c0078a6c>] (state_store+0x6c/0xc0)
      
      [  555.703684] 7 locks held by kworker/u2:13/826:
      [  555.708140]  #0:  ("%s""ci_otg"){++++.+}, at: [<c0045484>] process_one_work+0x128/0x420
      [  555.716277]  #1:  ((&ci->work)){+.+.+.}, at: [<c0045484>] process_one_work+0x128/0x420
      [  555.724317]  #2:  (usb_bus_list_lock){+.+.+.}, at: [<c04ae5e4>] usb_remove_hcd+0x98/0x1ac
      [  555.732626]  #3:  (&dev->mutex){......}, at: [<c04a8e28>] usb_disconnect+0x48/0x224
      [  555.740403]  #4:  (&dev->mutex){......}, at: [<c04a8e28>] usb_disconnect+0x48/0x224
      [  555.748179]  #5:  (&dev->mutex){......}, at: [<c03dc2f4>] device_release_driver+0x20/0x34
      [  555.756487]  #6:  (&shost->scan_mutex){+.+.+.}, at: [<c04097d0>] scsi_remove_host+0x20/0x104
      
      Cc: Jun Li <jun.li@nxp.com>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      2e33adc8
    • Hans Verkuil's avatar
      [media] adv7604: fix tx 5v detect regression · 75560f65
      Hans Verkuil authored
      commit 0ba4581c upstream.
      
      The 5 volt detect functionality broke in 3.14: the code reads IO register 0x70
      again after it has already been cleared. Instead it should use the cached
      irq_reg_0x70 value and the io_write to 0x71 to clear 0x70 can be dropped since
      this has already been done.
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      75560f65
    • Arnd Bergmann's avatar
      libata: fix HDIO_GET_32BIT ioctl · 02707764
      Arnd Bergmann authored
      commit 287e6611 upstream.
      
      As reported by Soohoon Lee, the HDIO_GET_32BIT ioctl does not
      work correctly in compat mode with libata.
      
      I have investigated the issue further and found multiple problems
      that all appeared with the same commit that originally introduced
      HDIO_GET_32BIT handling in libata back in linux-2.6.8 and presumably
      also linux-2.4, as the code uses "copy_to_user(arg, &val, 1)" to copy
      a 'long' variable containing either 0 or 1 to user space.
      
      The problems with this are:
      
      * On big-endian machines, this will always write a zero because it
        stores the wrong byte into user space.
      
      * In compat mode, the upper three bytes of the variable are updated
        by the compat_hdio_ioctl() function, but they now contain
        uninitialized stack data.
      
      * The hdparm tool calling this ioctl uses a 'static long' variable
        to store the result. This means at least the upper bytes are
        initialized to zero, but calling another ioctl like HDIO_GET_MULTCOUNT
        would fill them with data that remains stale when the low byte
        is overwritten. Fortunately libata doesn't implement any of the
        affected ioctl commands, so this would only happen when we query
        both an IDE and an ATA device in the same command such as
        "hdparm -N -c /dev/hda /dev/sda"
      
      * The libata code for unknown reasons started using ATA_IOC_GET_IO32
        and ATA_IOC_SET_IO32 as aliases for HDIO_GET_32BIT and HDIO_SET_32BIT,
        while the ioctl commands that were added later use the normal
        HDIO_* names. This is harmless but rather confusing.
      
      This addresses all four issues by changing the code to use put_user()
      on an 'unsigned long' variable in HDIO_GET_32BIT, like the IDE subsystem
      does, and by clarifying the names of the ioctl commands.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reported-by: default avatarSoohoon Lee <Soohoon.Lee@f5.com>
      Tested-by: default avatarSoohoon Lee <Soohoon.Lee@f5.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      02707764
    • Luis Henriques's avatar
      Revert "drm/radeon: hold reference to fences in radeon_sa_bo_new" · f80be5a9
      Luis Henriques authored
      This reverts commit 73187980, which was
      commit f6ff4f67 upstream.
      
      This patch was triggering a Oops in stable kernel 3.10.99.  Christian
      agrees that the patch is correct but "assumes that radeon_fence_unref()
      can safely take NULL as the fence which is not the case for older
      kernels."
      Reported-by: default avatarErik Andersen <andersen@codepoet.org>
      Acked-by: default avatarChristian König <christian.koenig@amd.com>
      Cc: Nicolai Hähnle <nicolai.haehnle@amd.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      f80be5a9
    • Nicholas Bellinger's avatar
      target: Fix race with SCF_SEND_DELAYED_TAS handling · 9afdedac
      Nicholas Bellinger authored
      commit 310d3d31 upstream.
      
      This patch fixes a race between setting of SCF_SEND_DELAYED_TAS
      in transport_send_task_abort(), and check of the same bit in
      transport_check_aborted_status().
      
      It adds a __transport_check_aborted_status() version that is
      used by target_execute_cmd() when se_cmd->t_state_lock is
      held, and a transport_check_aborted_status() wrapper for
      all other existing callers.
      
      Also, it handles the case where the check happens before
      transport_send_task_abort() gets called.  For this, go
      ahead and set SCF_SEND_DELAYED_TAS early when necessary,
      and have transport_send_task_abort() send the abort.
      
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [ luis: backported to 3.16: based on Nicholas' backport to 3.14 ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      9afdedac
    • Nicholas Bellinger's avatar
      target: Fix remote-port TMR ABORT + se_cmd fabric stop · 3d7f13da
      Nicholas Bellinger authored
      commit 0f4a9431 upstream.
      
      To address the bug where fabric driver level shutdown
      of se_cmd occurs at the same time when TMR CMD_T_ABORTED
      is happening resulting in a -1 ->cmd_kref, this patch
      adds a CMD_T_FABRIC_STOP bit that is used to determine
      when TMR + driver I_T nexus shutdown is happening
      concurrently.
      
      It changes target_sess_cmd_list_set_waiting() to obtain
      se_cmd->cmd_kref + set CMD_T_FABRIC_STOP, and drop local
      reference in target_wait_for_sess_cmds() and invoke extra
      target_put_sess_cmd() during Task Aborted Status (TAS)
      when necessary.
      
      Also, it adds a new target_wait_free_cmd() wrapper around
      transport_wait_for_tasks() for the special case within
      transport_generic_free_cmd() to set CMD_T_FABRIC_STOP,
      and is now aware of CMD_T_ABORTED + CMD_T_TAS status
      bits to know when an extra transport_put_cmd() during
      TAS is required.
      
      Note transport_generic_free_cmd() is expected to block on
      cmd->cmd_wait_comp in order to follow what iscsi-target
      expects during iscsi_conn context se_cmd shutdown.
      
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@daterainc.com>
      [ luis: backported to 3.16: used Nicholas' backport to 3.14 ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      3d7f13da
    • Nicholas Bellinger's avatar
      target: Fix TAS handling for multi-session se_node_acls · deedbd0c
      Nicholas Bellinger authored
      commit ebde1ca5 upstream.
      
      This patch fixes a bug in TMR task aborted status (TAS)
      handling when multiple sessions are connected to the
      same target WWPN endpoint and se_node_acl descriptor,
      resulting in TASK_ABORTED status to not be generated
      for aborted se_cmds on the remote port.
      
      This is due to core_tmr_handle_tas_abort() incorrectly
      comparing se_node_acl instead of se_session, for which
      the multi-session case is expected to be sharing the
      same se_node_acl.
      
      Instead, go ahead and update core_tmr_handle_tas_abort()
      to compare tmr_sess + cmd->se_sess in order to determine
      if the LUN_RESET was received on a different I_T nexus,
      and TASK_ABORTED status response needs to be generated.
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: Quinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [ luis: backported to 3.16: used Nicholas' backport to 3.14 ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      deedbd0c
    • Nicholas Bellinger's avatar
      target: Fix LUN_RESET active I/O handling for ACK_KREF · fcf934a1
      Nicholas Bellinger authored
      commit febe562c upstream.
      
      This patch fixes a NULL pointer se_cmd->cmd_kref < 0
      refcount bug during TMR LUN_RESET with active se_cmd
      I/O, that can be triggered during se_cmd descriptor
      shutdown + release via core_tmr_drain_state_list() code.
      
      To address this bug, add common __target_check_io_state()
      helper for ABORT_TASK + LUN_RESET w/ CMD_T_COMPLETE
      checking, and set CMD_T_ABORTED + obtain ->cmd_kref for
      both cases ahead of last target_put_sess_cmd() after
      TFO->aborted_task() -> transport_cmd_finish_abort()
      callback has completed.
      
      It also introduces SCF_ACK_KREF to determine when
      transport_cmd_finish_abort() needs to drop the second
      extra reference, ahead of calling target_put_sess_cmd()
      for the final kref_put(&se_cmd->cmd_kref).
      
      It also updates transport_cmd_check_stop() to avoid
      holding se_cmd->t_state_lock while dropping se_cmd
      device state via target_remove_from_state_list(), now
      that core_tmr_drain_state_list() is holding the
      se_device lock while checking se_cmd state from
      within TMR logic.
      
      Finally, move transport_put_cmd() release of SGL +
      TMR + extended CDB memory into target_free_cmd_mem()
      in order to avoid potential resource leaks in TMR
      ABORT_TASK + LUN_RESET code-paths.  Also update
      target_release_cmd_kref() accordingly.
      Reviewed-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [ luis: backported to 3.16: used Nicholas' backport to 3.14 ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      fcf934a1
    • Nicholas Bellinger's avatar
      target: Fix LUN_RESET active TMR descriptor handling · b33e3e40
      Nicholas Bellinger authored
      commit a6d9bb1c upstream.
      
      This patch fixes a NULL pointer se_cmd->cmd_kref < 0
      refcount bug during TMR LUN_RESET with active TMRs,
      triggered during se_cmd + se_tmr_req descriptor
      shutdown + release via core_tmr_drain_tmr_list().
      
      To address this bug, go ahead and obtain a local
      kref_get_unless_zero(&se_cmd->cmd_kref) for active I/O
      to set CMD_T_ABORTED, and transport_wait_for_tasks()
      followed by the final target_put_sess_cmd() to drop
      the local ->cmd_kref.
      
      Also add two new checks within target_tmr_work() to
      avoid CMD_T_ABORTED -> TFO->queue_tm_rsp() callbacks
      ahead of invoking the backend -> fabric put in
      transport_cmd_check_stop_to_fabric().
      
      For good measure, also change core_tmr_release_req()
      to use list_del_init() ahead of se_tmr_req memory
      free.
      Reviewed-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Cc: Himanshu Madhani <himanshu.madhani@qlogic.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.de>
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [ luis: backported to 3.16: used Nicholas' backport to 3.14 ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      b33e3e40
    • Neil Horman's avatar
      sctp: Fix port hash table size computation · 6773c408
      Neil Horman authored
      commit d9749fb5 upstream.
      
      Dmitry Vyukov noted recently that the sctp_port_hashtable had an error in
      its size computation, observing that the current method never guaranteed
      that the hashsize (measured in number of entries) would be a power of two,
      which the input hash function for that table requires.  The root cause of
      the problem is that two values need to be computed (one, the allocation
      order of the storage requries, as passed to __get_free_pages, and two the
      number of entries for the hash table).  Both need to be ^2, but for
      different reasons, and the existing code is simply computing one order
      value, and using it as the basis for both, which is wrong (i.e. it assumes
      that ((1<<order)*PAGE_SIZE)/sizeof(bucket) is still ^2 when its not).
      
      To fix this, we change the logic slightly.  We start by computing a goal
      allocation order (which is limited by the maximum size hash table we want
      to support.  Then we attempt to allocate that size table, decreasing the
      order until a successful allocation is made.  Then, with the resultant
      successful order we compute the number of buckets that hash table supports,
      which we then round down to the nearest power of two, giving us the number
      of entries the table actually supports.
      
      I've tested this locally here, using non-debug and spinlock-debug kernels,
      and the number of entries in the hashtable consistently work out to be
      powers of two in all cases.
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      CC: Dmitry Vyukov <dvyukov@google.com>
      CC: Vladislav Yasevich <vyasevich@gmail.com>
      CC: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      6773c408
    • Anton Protopopov's avatar
      rtnl: RTM_GETNETCONF: fix wrong return value · 1a0d99e2
      Anton Protopopov authored
      commit a97eb33f upstream.
      
      An error response from a RTM_GETNETCONF request can return the positive
      error value EINVAL in the struct nlmsgerr that can mislead userspace.
      Signed-off-by: default avatarAnton Protopopov <a.s.protopopov@gmail.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1a0d99e2
    • Xin Long's avatar
      route: check and remove route cache when we get route · 5ab10d3d
      Xin Long authored
      commit deed49df upstream.
      
      Since the gc of ipv4 route was removed, the route cached would has
      no chance to be removed, and even it has been timeout, it still could
      be used, cause no code to check it's expires.
      
      Fix this issue by checking  and removing route cache when we get route.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      5ab10d3d
    • Guillaume Nault's avatar
      pppoe: fix reference counting in PPPoE proxy · cee3655e
      Guillaume Nault authored
      commit 29e73269 upstream.
      
      Drop reference on the relay_po socket when __pppoe_xmit() succeeds.
      This is already handled correctly in the error path.
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      cee3655e
    • Bjørn Mork's avatar
      qmi_wwan: add "4G LTE usb-modem U901" · 128011a2
      Bjørn Mork authored
      commit aac8d3c2 upstream.
      
      Thomas reports:
      
      T:  Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=05c6 ProdID=6001 Rev=00.00
      S:  Manufacturer=USB Modem
      S:  Product=USB Modem
      S:  SerialNumber=1234567890ABCDEF
      C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
      Reported-by: default avatarThomas Schäfer <tschaefer@t-online.de>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      128011a2
    • Eric Dumazet's avatar
      ipv4: fix memory leaks in ip_cmsg_send() callers · 035c7999
      Eric Dumazet authored
      commit 91948309 upstream.
      
      Dmitry reported memory leaks of IP options allocated in
      ip_cmsg_send() when/if this function returns an error.
      
      Callers are responsible for the freeing.
      
      Many thanks to Dmitry for the report and diagnostic.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      035c7999
    • Siva Reddy Kallam's avatar
      tg3: Fix for tg3 transmit queue 0 timed out when too many gso_segs · 5a0df0bc
      Siva Reddy Kallam authored
      commit b7d98729 upstream.
      
      tg3_tso_bug() can hit a condition where the entire tx ring is not big
      enough to segment the GSO packet. For example, if MSS is very small,
      gso_segs can exceed the tx ring size. When we hit the condition, it
      will cause tx timeout.
      
      tg3_tso_bug() is called to handle TSO and DMA hardware bugs.
      For TSO bugs, if tg3_tso_bug() cannot succeed, we have to drop the packet.
      For DMA bugs, we can still fall back to linearize the SKB and let the
      hardware transmit the TSO packet.
      
      This patch adds a function tg3_tso_bug_gso_check() to check if there
      are enough tx descriptors for GSO before calling tg3_tso_bug().
      The caller will then handle the error appropriately - drop or
      lineraize the SKB.
      
      v2: Corrected patch description to avoid confusion.
      Signed-off-by: default avatarSiva Reddy Kallam <siva.kallam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
      Acked-by: default avatarPrashant Sreedharan <prashant@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      5a0df0bc
    • Hans Westgaard Ry's avatar
      net:Add sysctl_max_skb_frags · 1f3c2130
      Hans Westgaard Ry authored
      commit 5f74f82e upstream.
      
      Devices may have limits on the number of fragments in an skb they support.
      Current codebase uses a constant as maximum for number of fragments one
      skb can hold and use.
      When enabling scatter/gather and running traffic with many small messages
      the codebase uses the maximum number of fragments and may thereby violate
      the max for certain devices.
      The patch introduces a global variable as max number of fragments.
      Signed-off-by: default avatarHans Westgaard Ry <hans.westgaard.ry@oracle.com>
      Reviewed-by: default avatarHåkon Bugge <haakon.bugge@oracle.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      1f3c2130
    • Hangbin Liu's avatar
      net/ipv6: add sysctl option accept_ra_min_hop_limit · efd019f9
      Hangbin Liu authored
      commit 8013d1d7 upstream.
      
      Commit 6fd99094 ("ipv6: Don't reduce hop limit for an interface")
      disabled accept hop limit from RA if it is smaller than the current hop
      limit for security stuff. But this behavior kind of break the RFC definition.
      
      RFC 4861, 6.3.4.  Processing Received Router Advertisements
         A Router Advertisement field (e.g., Cur Hop Limit, Reachable Time,
         and Retrans Timer) may contain a value denoting that it is
         unspecified.  In such cases, the parameter should be ignored and the
         host should continue using whatever value it is already using.
      
         If the received Cur Hop Limit value is non-zero, the host SHOULD set
         its CurHopLimit variable to the received value.
      
      So add sysctl option accept_ra_min_hop_limit to let user choose the minimum
      hop limit value they can accept from RA. And set default to 1 to meet RFC
      standards.
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Acked-by: default avatarYOSHIFUJI Hideaki <hideaki.yoshifuji@miraclelinux.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16:
        - added missing DEVCONF_* as suggested by Yoshfuji so that uapi contains
          the same values as mainline
        - adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      efd019f9
  2. 09 Mar, 2016 2 commits
    • Paolo Abeni's avatar
      ipv6/udp: use sticky pktinfo egress ifindex on connect() · c548b32a
      Paolo Abeni authored
      commit 1cdda918 upstream.
      
      Currently, the egress interface index specified via IPV6_PKTINFO
      is ignored by __ip6_datagram_connect(), so that RFC 3542 section 6.7
      can be subverted when the user space application calls connect()
      before sendmsg().
      Fix it by initializing properly flowi6_oif in connect() before
      performing the route lookup.
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      c548b32a
    • Eric Dumazet's avatar
      tcp: fix NULL deref in tcp_v4_send_ack() · 836bb5f7
      Eric Dumazet authored
      commit e62a123b upstream.
      
      Neal reported crashes with this stack trace :
      
       RIP: 0010:[<ffffffff8c57231b>] tcp_v4_send_ack+0x41/0x20f
      ...
       CR2: 0000000000000018 CR3: 000000044005c000 CR4: 00000000001427e0
      ...
        [<ffffffff8c57258e>] tcp_v4_reqsk_send_ack+0xa5/0xb4
        [<ffffffff8c1a7caa>] tcp_check_req+0x2ea/0x3e0
        [<ffffffff8c19e420>] tcp_rcv_state_process+0x850/0x2500
        [<ffffffff8c1a6d21>] tcp_v4_do_rcv+0x141/0x330
        [<ffffffff8c56cdb2>] sk_backlog_rcv+0x21/0x30
        [<ffffffff8c098bbd>] tcp_recvmsg+0x75d/0xf90
        [<ffffffff8c0a8700>] inet_recvmsg+0x80/0xa0
        [<ffffffff8c17623e>] sock_aio_read+0xee/0x110
        [<ffffffff8c066fcf>] do_sync_read+0x6f/0xa0
        [<ffffffff8c0673a1>] SyS_read+0x1e1/0x290
        [<ffffffff8c5ca262>] system_call_fastpath+0x16/0x1b
      
      The problem here is the skb we provide to tcp_v4_send_ack() had to
      be parked in the backlog of a new TCP fastopen child because this child
      was owned by the user at the time an out of window packet arrived.
      
      Before queuing a packet, TCP has to set skb->dev to NULL as the device
      could disappear before packet is removed from the queue.
      
      Fix this issue by using the net pointer provided by the socket (being a
      timewait or a request socket).
      
      IPv6 is immune to the bug : tcp_v6_send_response() already gets the net
      pointer from the socket if provided.
      
      Fixes: 168a8f58 ("tcp: TCP Fast Open Server - main code path")
      Reported-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Jerry Chu <hkchu@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [ luis: backported to 3.16: adjusted context ]
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      836bb5f7