1. 18 Jul, 2017 27 commits
    • Alexey Kodanev's avatar
      udp: avoid ufo handling on IP payload compression packets · e3e9c1c7
      Alexey Kodanev authored
      commit 4b3b45ed upstream.
      
      commit c146066a ("ipv4: Don't use ufo handling on later transformed
      packets") and commit f89c56ce ("ipv6: Don't use ufo handling on
      later transformed packets") added a check that 'rt->dst.header_len' isn't
      zero in order to skip UFO, but it doesn't include IPcomp in transport mode
      where it equals zero.
      
      Packets, after payload compression, may not require further fragmentation,
      and if original length exceeds MTU, later compressed packets will be
      transmitted incorrectly. This can be reproduced with LTP udp_ipsec.sh test
      on veth device with enabled UFO, MTU is 1500 and UDP payload is 2000:
      
      * IPv4 case, offset is wrong + unnecessary fragmentation
          udp_ipsec.sh -p comp -m transport -s 2000 &
          tcpdump -ni ltp_ns_veth2
          ...
          IP (tos 0x0, ttl 64, id 45203, offset 0, flags [+],
            proto Compressed IP (108), length 49)
            10.0.0.2 > 10.0.0.1: IPComp(cpi=0x1000)
          IP (tos 0x0, ttl 64, id 45203, offset 1480, flags [none],
            proto UDP (17), length 21) 10.0.0.2 > 10.0.0.1: ip-proto-17
      
      * IPv6 case, sending small fragments
          udp_ipsec.sh -6 -p comp -m transport -s 2000 &
          tcpdump -ni ltp_ns_veth2
          ...
          IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
            payload length: 37) fd00::2 > fd00::1: IPComp(cpi=0x1000)
          IP6 (flowlabel 0x6b9ba, hlim 64, next-header Compressed IP (108)
            payload length: 21) fd00::2 > fd00::1: IPComp(cpi=0x1000)
      
      Fix it by checking 'rt->dst.xfrm' pointer to 'xfrm_state' struct, skip UFO
      if xfrm is set. So the new check will include both cases: IPcomp and IPsec.
      
      Fixes: c146066a ("ipv4: Don't use ufo handling on later transformed packets")
      Fixes: f89c56ce ("ipv6: Don't use ufo handling on later transformed packets")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e3e9c1c7
    • Shaohua Li's avatar
      md/raid1/10: fix potential deadlock · 67c14169
      Shaohua Li authored
      commit 61eb2b43 upstream.
      
      Neil Brown pointed out a potential deadlock in raid 10 code with
      bio_split/chain. The raid1 code could have the same issue, but recent
      barrier rework makes it less likely to happen. The deadlock happens in
      below sequence:
      
      1. generic_make_request(bio), this will set current->bio_list
      2. raid10_make_request will split bio to bio1 and bio2
      3. __make_request(bio1), wait_barrer, add underlayer disk bio to
      current->bio_list
      4. __make_request(bio2), wait_barrer
      
      If raise_barrier happens between 3 & 4, since wait_barrier runs at 3,
      raise_barrier waits for IO completion from 3. And since raise_barrier
      sets barrier, 4 waits for raise_barrier. But IO from 3 can't be
      dispatched because raid10_make_request() doesn't finished yet.
      
      The solution is to adjust the IO ordering. Quotes from Neil:
      "
      It is much safer to:
      
          if (need to split) {
              split = bio_split(bio, ...)
              bio_chain(...)
              make_request_fn(split);
              generic_make_request(bio);
         } else
              make_request_fn(mddev, bio);
      
      This way we first process the initial section of the bio (in 'split')
      which will queue some requests to the underlying devices.  These
      requests will be queued in generic_make_request.
      Then we queue the remainder of the bio, which will be added to the end
      of the generic_make_request queue.
      Then we return.
      generic_make_request() will pop the lower-level device requests off the
      queue and handle them first.  Then it will process the remainder
      of the original bio once the first section has been fully processed.
      "
      
      Note, this only happens in read path. In write path, the bio is flushed to
      underlaying disks either by blk flush (from schedule) or offladed to raid1/10d.
      It's queued in current->bio_list.
      
      Cc: Coly Li <colyli@suse.de>
      Suggested-by: default avatarNeilBrown <neilb@suse.com>
      Reviewed-by: default avatarJack Wang <jinpu.wang@profitbricks.com>
      Signed-off-by: default avatarShaohua Li <shli@fb.com>
      [bwh: For 3.16, drop the raid10 part as advised]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      67c14169
    • Johan Hovold's avatar
      USB: iowarrior: fix NULL-deref in write · f9d23397
      Johan Hovold authored
      commit de46e566 upstream.
      
      Make sure to verify that we have the required interrupt-out endpoint for
      IOWarrior56 devices to avoid dereferencing a NULL-pointer in write
      should a malicious device lack such an endpoint.
      
      Fixes: 946b960d ("USB: add driver for iowarrior devices.")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f9d23397
    • Stefan Brüns's avatar
      dvb-usb-firmware: don't do DMA on stack · e9b38044
      Stefan Brüns authored
      commit 67b0503d upstream.
      
      The buffer allocation for the firmware data was changed in
      commit 43fab979 ("[media] dvb-usb: don't use stack for firmware load")
      but the same applies for the reset value.
      
      Fixes: 43fab979 ("[media] dvb-usb: don't use stack for firmware load")
      Signed-off-by: default avatarStefan Brüns <stefan.bruens@rwth-aachen.de>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e9b38044
    • Mauro Carvalho Chehab's avatar
      dvb-usb: don't use stack for firmware load · 51aa8ee4
      Mauro Carvalho Chehab authored
      commit 43fab979 upstream.
      
      As reported by Marc Duponcheel <marc@offline.be>, firmware load on
      dvb-usb is using the stack, with is not allowed anymore on default
      Kernel configurations:
      
      [ 1025.958836] dvb-usb: found a 'WideView WT-220U PenType Receiver (based on ZL353)' in cold state, will try to load a firmware
      [ 1025.958853] dvb-usb: downloading firmware from file 'dvb-usb-wt220u-zl0353-01.fw'
      [ 1025.958855] dvb-usb: could not stop the USB controller CPU.
      [ 1025.958856] dvb-usb: error while transferring firmware (transferred size: -11, block size: 3)
      [ 1025.958856] dvb-usb: firmware download failed at 8 with -22
      [ 1025.958867] usbcore: registered new interface driver dvb_usb_dtt200u
      
      [    2.789902] dvb-usb: downloading firmware from file 'dvb-usb-wt220u-zl0353-01.fw'
      [    2.789905] ------------[ cut here ]------------
      [    2.789911] WARNING: CPU: 3 PID: 2196 at drivers/usb/core/hcd.c:1584 usb_hcd_map_urb_for_dma+0x430/0x560 [usbcore]
      [    2.789912] transfer buffer not dma capable
      [    2.789912] Modules linked in: btusb dvb_usb_dtt200u(+) dvb_usb_af9035(+) btrtl btbcm dvb_usb dvb_usb_v2 btintel dvb_core bluetooth rc_core rfkill x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd drm_kms_helper syscopyarea sysfillrect pcspkr i2c_i801 sysimgblt fb_sys_fops drm i2c_smbus i2c_core r8169 lpc_ich mfd_core mii thermal fan rtc_cmos video button acpi_cpufreq processor snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd crc32c_intel ahci libahci libata xhci_pci ehci_pci xhci_hcd ehci_hcd usbcore usb_common dm_mirror dm_region_hash dm_log dm_mod
      [    2.789936] CPU: 3 PID: 2196 Comm: systemd-udevd Not tainted 4.9.0-gentoo #1
      [    2.789937] Hardware name: ASUS All Series/H81I-PLUS, BIOS 0401 07/23/2013
      [    2.789938]  ffffc9000339b690 ffffffff812bd397 ffffc9000339b6e0 0000000000000000
      [    2.789939]  ffffc9000339b6d0 ffffffff81055c86 000006300339b6a0 ffff880116c0c000
      [    2.789941]  0000000000000000 0000000000000000 0000000000000001 ffff880116c08000
      [    2.789942] Call Trace:
      [    2.789945]  [<ffffffff812bd397>] dump_stack+0x4d/0x66
      [    2.789947]  [<ffffffff81055c86>] __warn+0xc6/0xe0
      [    2.789948]  [<ffffffff81055cea>] warn_slowpath_fmt+0x4a/0x50
      [    2.789952]  [<ffffffffa006d460>] usb_hcd_map_urb_for_dma+0x430/0x560 [usbcore]
      [    2.789954]  [<ffffffff814ed5a8>] ? io_schedule_timeout+0xd8/0x110
      [    2.789956]  [<ffffffffa006e09c>] usb_hcd_submit_urb+0x9c/0x980 [usbcore]
      [    2.789958]  [<ffffffff812d0ebf>] ? copy_page_to_iter+0x14f/0x2b0
      [    2.789960]  [<ffffffff81126818>] ? pagecache_get_page+0x28/0x240
      [    2.789962]  [<ffffffff8118c2a0>] ? touch_atime+0x20/0xa0
      [    2.789964]  [<ffffffffa006f7c4>] usb_submit_urb+0x2c4/0x520 [usbcore]
      [    2.789967]  [<ffffffffa006feca>] usb_start_wait_urb+0x5a/0xe0 [usbcore]
      [    2.789969]  [<ffffffffa007000c>] usb_control_msg+0xbc/0xf0 [usbcore]
      [    2.789970]  [<ffffffffa067903d>] usb_cypress_writemem+0x3d/0x40 [dvb_usb]
      [    2.789972]  [<ffffffffa06791cf>] usb_cypress_load_firmware+0x4f/0x130 [dvb_usb]
      [    2.789973]  [<ffffffff8109dbbe>] ? console_unlock+0x2fe/0x5d0
      [    2.789974]  [<ffffffff8109e10c>] ? vprintk_emit+0x27c/0x410
      [    2.789975]  [<ffffffff8109e40a>] ? vprintk_default+0x1a/0x20
      [    2.789976]  [<ffffffff81124d76>] ? printk+0x43/0x4b
      [    2.789977]  [<ffffffffa0679310>] dvb_usb_download_firmware+0x60/0xd0 [dvb_usb]
      [    2.789979]  [<ffffffffa0679898>] dvb_usb_device_init+0x3d8/0x610 [dvb_usb]
      [    2.789981]  [<ffffffffa069e302>] dtt200u_usb_probe+0x92/0xd0 [dvb_usb_dtt200u]
      [    2.789984]  [<ffffffffa007420c>] usb_probe_interface+0xfc/0x270 [usbcore]
      [    2.789985]  [<ffffffff8138bf95>] driver_probe_device+0x215/0x2d0
      [    2.789986]  [<ffffffff8138c0e6>] __driver_attach+0x96/0xa0
      [    2.789987]  [<ffffffff8138c050>] ? driver_probe_device+0x2d0/0x2d0
      [    2.789988]  [<ffffffff81389ffb>] bus_for_each_dev+0x5b/0x90
      [    2.789989]  [<ffffffff8138b7b9>] driver_attach+0x19/0x20
      [    2.789990]  [<ffffffff8138b33c>] bus_add_driver+0x11c/0x220
      [    2.789991]  [<ffffffff8138c91b>] driver_register+0x5b/0xd0
      [    2.789994]  [<ffffffffa0072f6c>] usb_register_driver+0x7c/0x130 [usbcore]
      [    2.789994]  [<ffffffffa06a5000>] ? 0xffffffffa06a5000
      [    2.789996]  [<ffffffffa06a501e>] dtt200u_usb_driver_init+0x1e/0x20 [dvb_usb_dtt200u]
      [    2.789997]  [<ffffffff81000408>] do_one_initcall+0x38/0x140
      [    2.789998]  [<ffffffff8116001c>] ? __vunmap+0x7c/0xc0
      [    2.789999]  [<ffffffff81124fb0>] ? do_init_module+0x22/0x1d2
      [    2.790000]  [<ffffffff81124fe8>] do_init_module+0x5a/0x1d2
      [    2.790002]  [<ffffffff810c96b1>] load_module+0x1e11/0x2580
      [    2.790003]  [<ffffffff810c68b0>] ? show_taint+0x30/0x30
      [    2.790004]  [<ffffffff81177250>] ? kernel_read_file+0x100/0x190
      [    2.790005]  [<ffffffff810c9ffa>] SyS_finit_module+0xba/0xc0
      [    2.790007]  [<ffffffff814f13e0>] entry_SYSCALL_64_fastpath+0x13/0x94
      [    2.790008] ---[ end trace c78a74e78baec6fc ]---
      
      So, allocate the structure dynamically.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      51aa8ee4
    • Johan Hovold's avatar
      USB: serial: safe_serial: fix information leak in completion handler · 6cce4490
      Johan Hovold authored
      commit 8c76d7cd upstream.
      
      Add missing sanity check to the bulk-in completion handler to avoid an
      integer underflow that could be triggered by a malicious device.
      
      This avoids leaking up to 56 bytes from after the URB transfer buffer to
      user space.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6cce4490
    • Johan Hovold's avatar
      USB: serial: io_ti: fix NULL-deref in interrupt callback · 794bbd75
      Johan Hovold authored
      commit 0b1d250a upstream.
      
      Fix a NULL-pointer dereference in the interrupt callback should a
      malicious device send data containing a bad port number by adding the
      missing sanity check.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      794bbd75
    • Paul Burton's avatar
      MIPS: End spinlocks with .insn · 71071ed7
      Paul Burton authored
      commit 4b5347a2 upstream.
      
      When building for microMIPS we need to ensure that the assembler always
      knows that there is code at the target of a branch or jump. Recent
      toolchains will fail to link a microMIPS kernel when this isn't the case
      due to what it thinks is a branch to non-microMIPS code.
      
      mips-mti-linux-gnu-ld kernel/built-in.o: .spinlock.text+0x2fc: Unsupported branch between ISA modes.
      mips-mti-linux-gnu-ld final link failed: Bad value
      
      This is due to inline assembly labels in spinlock.h not being followed
      by an instruction mnemonic, either due to a .subsection pseudo-op or the
      end of the inline asm block.
      
      Fix this with a .insn direction after such labels.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Reviewed-by: default avatarMaciej W. Rozycki <macro@imgtec.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/15325/Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      71071ed7
    • Max Lohrmann's avatar
      target: Fix VERIFY_16 handling in sbc_parse_cdb · 438141f9
      Max Lohrmann authored
      commit 13603685 upstream.
      
      As reported by Max, the Windows 2008 R2 chkdsk utility expects
      VERIFY_16 to be supported, and does not handle the returned
      CHECK_CONDITION properly, resulting in an infinite loop.
      
      The kernel will log huge amounts of this error:
      
      kernel: TARGET_CORE[iSCSI]: Unsupported SCSI Opcode 0x8f, sending
      CHECK_CONDITION.
      Signed-off-by: default avatarMax Lohrmann <post@wickenrode.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      438141f9
    • Nicholas Bellinger's avatar
      target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export · af3c9669
      Nicholas Bellinger authored
      commit a04e54f2 upstream.
      
      The following fixes a divide by zero OOPs with TYPE_TAPE
      due to pscsi_tape_read_blocksize() failing causing a zero
      sd->sector_size being propigated up via dev_attrib.hw_block_size.
      
      It also fixes another long-standing bug where TYPE_TAPE and
      TYPE_MEDIMUM_CHANGER where using pscsi_create_type_other(),
      which does not call scsi_device_get() to take the device
      reference.  Instead, rename pscsi_create_type_rom() to
      pscsi_create_type_nondisk() and use it for all cases.
      
      Finally, also drop a dump_stack() in pscsi_get_blocks() for
      non TYPE_DISK, which in modern target-core can get invoked
      via target_sense_desc_format() during CHECK_CONDITION.
      Reported-by: default avatarMalcolm Haak <insanemal@gmail.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [bwh: Backported to 3.16:
       - Deleted log format is slightly different
       - Cast Scsi_Host::max_sectors from unsigned short to unsigned int, to avoid
         a warning about differing types in min_not_zero()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      af3c9669
    • Anton Blanchard's avatar
      scsi: lpfc: Add shutdown method for kexec · bf0637d0
      Anton Blanchard authored
      commit 85e8a239 upstream.
      
      We see lpfc devices regularly fail during kexec. Fix this by adding a
      shutdown method which mirrors the remove method.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Reviewed-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Tested-by: default avatarMauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bf0637d0
    • Michael Ellerman's avatar
      powerpc/boot: Fix zImage TOC alignment · 66c427ba
      Michael Ellerman authored
      commit 97ee351b upstream.
      
      Recent toolchains force the TOC to be 256 byte aligned. We need to
      enforce this alignment in the zImage linker script, otherwise pointers
      to our TOC variables (__toc_start) could be incorrect. If the actual
      start of the TOC and __toc_start don't have the same value we crash
      early in the zImage wrapper.
      Suggested-by: default avatarAlan Modra <amodra@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      66c427ba
    • Kai-Heng Feng's avatar
      Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000 · 9f019712
      Kai-Heng Feng authored
      commit 45838660 upstream.
      
      The aux port does not get detected without noloop quirk, so external PS/2
      mouse cannot work as result.
      
      The PS/2 mouse can work with this quirk.
      
      BugLink: https://bugs.launchpad.net/bugs/1591053Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Reviewed-by: default avatarMarcos Paulo de Souza <marcos.souza.org@gmail.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9f019712
    • Ilya Dryomov's avatar
      libceph: don't set weight to IN when OSD is destroyed · df138293
      Ilya Dryomov authored
      commit b581a585 upstream.
      
      Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
      osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
      This changes the result of applying an incremental for clients, not
      just OSDs.  Because CRUSH computations are obviously affected,
      pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
      object placement, resulting in misdirected requests.
      
      Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.
      
      Fixes: 930c5328 ("libceph: apply new_state before new_up_client on incrementals")
      Link: http://tracker.ceph.com/issues/19122Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarSage Weil <sage@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      df138293
    • Raghava Aditya Renukunta's avatar
      scsi: aacraid: Fix typo in blink status · eddc7255
      Raghava Aditya Renukunta authored
      commit 934767c5 upstream.
      
      The return status of the adapter check on KERNEL_PANIC is supposed to be
      the upper 16 bits of the OMR status register.
      
      Fixes: c421530b (scsi: aacraid: Reorder Adpater status check)
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarRaghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
      Reviewed-by: default avatarDave Carroll <david.carroll@microsemi.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      eddc7255
    • Johan Hovold's avatar
      USB: serial: digi_acceleport: fix OOB-event processing · 785fd5e9
      Johan Hovold authored
      commit 2e46565c upstream.
      
      A recent change claimed to fix an off-by-one error in the OOB-port
      completion handler, but instead introduced such an error. This could
      specifically led to modem-status changes going unnoticed, effectively
      breaking TIOCMGET.
      
      Note that the offending commit fixes a loop-condition underflow and is
      marked for stable, but should not be backported without this fix.
      Reported-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Fixes: 2d380889 ("USB: serial: digi_acceleport: fix OOB data sanity
      check")
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      785fd5e9
    • Felipe Balbi's avatar
      usb: gadget: function: f_fs: pass companion descriptor along · 26447e2d
      Felipe Balbi authored
      commit 2bfa0719 upstream.
      
      If we're dealing with SuperSpeed endpoints, we need
      to make sure to pass along the companion descriptor
      and initialize fields needed by the Gadget
      API. Eventually, f_fs.c should be converted to use
      config_ep_by_speed() like all other functions,
      though.
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      [bwh: Backported to 3.16: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      26447e2d
    • Felipe Balbi's avatar
      usb: dwc3: gadget: make Set Endpoint Configuration macros safe · 69ceee0a
      Felipe Balbi authored
      commit 7369090a upstream.
      
      Some gadget drivers are bad, bad boys. We notice
      that ADB was passing bad Burst Size which caused top
      bits of param0 to be overwritten which confused DWC3
      when running this command.
      
      In order to avoid future issues, we're going to make
      sure values passed by macros are always safe for the
      controller. Note that ADB still needs a fix to *not*
      pass bad values.
      Reported-by: default avatarMohamed Abbas <mohamed.abbas@intel.com>
      Sugested-by: default avatarAdam Andruszak <adam.andruszak@intel.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      69ceee0a
    • Florian Fainelli's avatar
      net: phy: Do not perform software reset for Generic PHY · 1d33b989
      Florian Fainelli authored
      commit 0878fff1 upstream.
      
      The Generic PHY driver is a catch-all PHY driver and it should preserve
      whatever prior initialization has been done by boot loader or firmware
      agents. For specific PHY device configuration it is expected that a
      specialized PHY driver would take over that role.
      
      Resetting the generic PHY was a bad idea that has lead to several
      complaints and downstream workarounds e.g: in OpenWrt/LEDE so restore
      the behavior prior to 87aa9f9c ("net: phy: consolidate PHY
      reset in phy_init_hw()").
      Reported-by: default avatarFelix Fietkau <nbd@nbd.name>
      Fixes: 87aa9f9c ("net: phy: consolidate PHY reset in phy_init_hw()")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1d33b989
    • Jon Mason's avatar
      ARM: dts: BCM5301X: Correct GIC_PPI interrupt flags · 92171949
      Jon Mason authored
      commit 0c2bf9f9 upstream.
      
      GIC_PPI flags were misconfigured for the timers, resulting in errors
      like:
      [    0.000000] GIC: PPI11 is secure or misconfigured
      
      Changing them to being edge triggered corrects the issue
      Suggested-by: default avatarRafał Miłecki <rafal@milecki.pl>
      Signed-off-by: default avatarJon Mason <jon.mason@broadcom.com>
      Fixes: d27509f1 ("ARM: BCM5301X: add dts files for BCM4708 SoC")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      92171949
    • Sven Eckelmann's avatar
      batman-adv: Keep fragments equally sized · 628b27c3
      Sven Eckelmann authored
      commit 1c2bcc76 upstream.
      
      The batman-adv fragmentation packets have the design problem that they
      cannot be refragmented and cannot handle padding by the underlying link.
      The latter often leads to problems when networks are incorrectly configured
      and don't use a common MTU.
      
      The sender could for example fragment a 1271 byte frame (plus external
      ethernet header (14) and batadv unicast header (10)) to fit in a 1280 bytes
      large MTU of the underlying link (max. 1294 byte frames). This would create
      a 1294 bytes large frame (fragment 2) and a 55 bytes large frame
      (fragment 1). The extra 54 bytes are the fragment header (20) added to each
      fragment and the external ethernet header (14) for the second fragment.
      
      Let us assume that the next hop is then not able to transport 1294 bytes to
      its next hop. The 1294 byte large frame will be dropped but the 55 bytes
      large fragment will still be forwarded to its destination.
      
      Or let us assume that the underlying hardware requires that each frame has
      a minimum size (e.g. 60 bytes). Then it will pad the 55 bytes frame to 60
      bytes. The receiver of the 60 bytes frame will no longer be able to
      correctly assemble the two frames together because it is not aware that 5
      bytes of the 60 bytes frame are padding and don't belong to the reassembled
      frame.
      
      This can partly be avoided by splitting frames more equally. In this
      example, the 675 and 674 bytes large fragment frames could both potentially
      reach its destination without being too large or too small.
      Reported-by: default avatarMartin Weinelt <martin@darmstadt.freifunk.net>
      Fixes: ee75ed88 ("batman-adv: Fragment and send skbs larger than mtu")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Acked-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      628b27c3
    • Rik van Riel's avatar
      tracing: Add #undef to fix compile error · 57d310d0
      Rik van Riel authored
      commit bf7165cf upstream.
      
      There are several trace include files that define TRACE_INCLUDE_FILE.
      
      Include several of them in the same .c file (as I currently have in
      some code I am working on), and the compile will blow up with a
      "warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls"
      
      Every other include file in include/trace/events/ avoids that issue
      by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h
      should have one, too.
      
      Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com
      
      Fixes: b8007ef7 ("tracing: Separate raw syscall from syscall tracer")
      Signed-off-by: default avatarRik van Riel <riel@redhat.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      57d310d0
    • Janosch Frank's avatar
      KVM: s390: Fix guest migration for huge guests resulting in panic · 6be3b43d
      Janosch Frank authored
      commit 2e4d8800 upstream.
      
      While we can technically not run huge page guests right now, we can
      setup a guest with huge pages. Trying to migrate it will trigger a
      VM_BUG_ON and, if the kernel is not configured to panic on a BUG, it
      will happily try to work on non-existing page table entries.
      
      With this patch, we always return "dirty" if we encounter a large page
      when migrating. This at least fixes the immediate problem until we
      have proper handling for both kind of pages.
      
      Fixes: 15f36ebd ("KVM: s390: Add proper dirty bitmap support to S390 kvm.")
      Signed-off-by: default avatarJanosch Frank <frankja@linux.vnet.ibm.com>
      Acked-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      [bwh: Backported to 3.16:
       - Use respectively gmap->mm, address and pte instead of mm, addr and ptep
       - Adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6be3b43d
    • Masami Hiramatsu's avatar
      kprobes/x86: Fix kernel panic when certain exception-handling addresses are probed · 9b3026f2
      Masami Hiramatsu authored
      commit 75013fb1 upstream.
      
      Fix to the exception table entry check by using probed address
      instead of the address of copied instruction.
      
      This bug may cause unexpected kernel panic if user probe an address
      where an exception can happen which should be fixup by __ex_table
      (e.g. copy_from_user.)
      
      Unless user puts a kprobe on such address, this doesn't
      cause any problem.
      
      This bug has been introduced years ago, by commit:
      
        46484688 ("x86/kprobes: Fix a bug which can modify kernel code permanently").
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 46484688 ("x86/kprobes: Fix a bug which can modify kernel code permanently")
      Link: http://lkml.kernel.org/r/148829899399.28855.12581062400757221722.stgit@devboxSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9b3026f2
    • Chris Leech's avatar
      scsi: libiscsi: add lock around task lists to fix list corruption regression · e57d9472
      Chris Leech authored
      commit 6f8830f5 upstream.
      
      There's a rather long standing regression from the commit "libiscsi:
      Reduce locking contention in fast path"
      
      Depending on iSCSI target behavior, it's possible to hit the case in
      iscsi_complete_task where the task is still on a pending list
      (!list_empty(&task->running)).  When that happens the task is removed
      from the list while holding the session back_lock, but other task list
      modification occur under the frwd_lock.  That leads to linked list
      corruption and eventually a panicked system.
      
      Rather than back out the session lock split entirely, in order to try
      and keep some of the performance gains this patch adds another lock to
      maintain the task lists integrity.
      
      Major enterprise supported kernels have been backing out the lock split
      for while now, thanks to the efforts at IBM where a lab setup has the
      most reliable reproducer I've seen on this issue.  This patch has been
      tested there successfully.
      Signed-off-by: default avatarChris Leech <cleech@redhat.com>
      Fixes: 659743b0 ("[SCSI] libiscsi: Reduce locking contention in fast path")
      Reported-by: default avatarPrashantha Subbarao <psubbara@us.ibm.com>
      Reviewed-by: default avatarGuilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e57d9472
    • Dan Streetman's avatar
      xen: do not re-use pirq number cached in pci device msi msg data · da9865bf
      Dan Streetman authored
      commit c74fd80f upstream.
      
      Revert the main part of commit:
      af42b8d1 ("xen: fix MSI setup and teardown for PV on HVM guests")
      
      That commit introduced reading the pci device's msi message data to see
      if a pirq was previously configured for the device's msi/msix, and re-use
      that pirq.  At the time, that was the correct behavior.  However, a
      later change to Qemu caused it to call into the Xen hypervisor to unmap
      all pirqs for a pci device, when the pci device disables its MSI/MSIX
      vectors; specifically the Qemu commit:
      c976437c7dba9c7444fb41df45468968aaa326ad
      ("qemu-xen: free all the pirqs for msi/msix when driver unload")
      
      Once Qemu added this pirq unmapping, it was no longer correct for the
      kernel to re-use the pirq number cached in the pci device msi message
      data.  All Qemu releases since 2.1.0 contain the patch that unmaps the
      pirqs when the pci device disables its MSI/MSIX vectors.
      
      This bug is causing failures to initialize multiple NVMe controllers
      under Xen, because the NVMe driver sets up a single MSIX vector for
      each controller (concurrently), and then after using that to talk to
      the controller for some configuration data, it disables the single MSIX
      vector and re-configures all the MSIX vectors it needs.  So the MSIX
      setup code tries to re-use the cached pirq from the first vector
      for each controller, but the hypervisor has already given away that
      pirq to another controller, and its initialization fails.
      
      This is discussed in more detail at:
      https://lists.xen.org/archives/html/xen-devel/2017-01/msg00447.html
      
      Fixes: af42b8d1 ("xen: fix MSI setup and teardown for PV on HVM guests")
      Signed-off-by: default avatarDan Streetman <dan.streetman@canonical.com>
      Reviewed-by: default avatarStefano Stabellini <sstabellini@kernel.org>
      Acked-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      [bwh: Backported to 3.16: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      da9865bf
    • Florian Westphal's avatar
      xfrm: policy: init locks early · 6d7d4c06
      Florian Westphal authored
      commit c282222a upstream.
      
      Dmitry reports following splat:
       INFO: trying to register non-static key.
       the code is fine but needs lockdep annotation.
       turning off the locking correctness validator.
       CPU: 0 PID: 13059 Comm: syz-executor1 Not tainted 4.10.0-rc7-next-20170207 #1
      [..]
       spin_lock_bh include/linux/spinlock.h:304 [inline]
       xfrm_policy_flush+0x32/0x470 net/xfrm/xfrm_policy.c:963
       xfrm_policy_fini+0xbf/0x560 net/xfrm/xfrm_policy.c:3041
       xfrm_net_init+0x79f/0x9e0 net/xfrm/xfrm_policy.c:3091
       ops_init+0x10a/0x530 net/core/net_namespace.c:115
       setup_net+0x2ed/0x690 net/core/net_namespace.c:291
       copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
       create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
       unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
       SYSC_unshare kernel/fork.c:2281 [inline]
      
      Problem is that when we get error during xfrm_net_init we will call
      xfrm_policy_fini which will acquire xfrm_policy_lock before it was
      initialized.  Just move it around so locks get set up first.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Fixes: 283bc9f3 ("xfrm: Namespacify xfrm state/policy locks")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      [bwh: Backported to 3.2: xfrm_policy_lock is an rwlock]
      6d7d4c06
  2. 02 Jul, 2017 8 commits
  3. 05 Jun, 2017 5 commits