commit e157447efd85bb2e6f8deaabbb62663bccd9bad2
Author: Greg Kroah-Hartman
Date:   Sun May 10 10:26:37 2020 +0200

    Linux 4.4.223

commit 2dca328914cdf09ac293eb4cb946839481a77896
Author: Thomas Pedersen
Date:   Mon Jan 13 21:59:40 2020 -0800

    mac80211: add ieee80211_is_any_nullfunc()

    commit 30b2f0be23fb40e58d0ad2caf8702c2a44cda2e1 upstream.

    commit 08a5bdde3812 ("mac80211: consider QoS Null frames for
    STA_NULLFUNC_ACKED") Fixed a bug where we failed to take into account
    a nullfunc frame can be either non-QoS or QoS. It turns out there is
    at least one more bug in ieee80211_sta_tx_notify(), introduced in
    commit 7b6ddeaf27ec ("mac80211: use QoS NDP for AP probing"), where
    we forgot to check for the QoS variant and so assumed the QoS
    nullfunc frame never went out.

    Fix this by adding a helper ieee80211_is_any_nullfunc() which
    consolidates the check for non-QoS and QoS nullfunc frames. Replace
    existing compound conditionals and add a couple more missing checks
    for QoS variant.

    Signed-off-by: Thomas Pedersen
    Link: https://lore.kernel.org/r/20200114055940.18502-3-thomas@adapt-ip.com
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit 3eca2b1d639e9e6c29621109a0b09fae60829e29
Author: Takashi Iwai
Date:   Fri Apr 24 08:12:22 2020 +0200

    ALSA: hda: Match both PCI ID and SSID for driver blacklist

    commit 977dfef40c8996b69afe23a9094d184049efb7bb upstream.

    The commit 3c6fd1f07ed0 ("ALSA: hda: Add driver blacklist") added a
    new blacklist for the devices that are known to have empty codecs,
    and one of the entries was ASUS ROG Zenith II (PCI SSID 1043:874f).
    However, it turned out that the very same PCI SSID is used for the
    previous model that does have the valid HD-audio codecs and the
    change broke the sound on it.

    Since the empty codec problem appears on the certain AMD platform
    (PCI ID 1022:1487), this patch changes the blacklist matching to both
    PCI ID and SSID using pci_match_id(). Also, the entry that was
    removed by the previous fix for ASUS ROG Zenith II is re-added.

    Link: https://lore.kernel.org/r/20200424061222.19792-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 3ae706ea32039936c3fba515232897d6d78365be
Author: Jere Leppänen
Date:   Tue Apr 21 22:03:42 2020 +0300

    sctp: Fix SHUTDOWN CTSN Ack in the peer restart case

    commit 12dfd78e3a74825e6f0bc8df7ef9f938fbc6bfe3 upstream.

    When starting shutdown in sctp_sf_do_dupcook_a(), get the value for
    SHUTDOWN Cumulative TSN Ack from the new association, which is
    reconstructed from the cookie, instead of the old association, which
    the peer doesn't have anymore.

    Otherwise the SHUTDOWN is either ignored or replied to with an ABORT
    by the peer because CTSN Ack doesn't match the peer's Initial TSN.

    Fixes: bdf6fa52f01b ("sctp: handle association restarts when the socket is closed.")
    Signed-off-by: Jere Leppänen
    Acked-by: Marcelo Ricardo Leitner
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 26f2a93b7c688eb7dc1d1c8ae4cf64f451d62fbd
Author: Herbert Xu
Date:   Wed Jun 1 11:43:00 2016 +0800

    macvlan: Fix potential use-after free for broadcasts

    commit 260916dfb48c374f7840f3b86e69afd3afdb6e96 upstream.

    When we postpone a broadcast packet we save the source port in the
    skb if it is local. However, the source port can disappear before we
    get a chance to process the packet.

    This patch fixes this by holding a ref count on the netdev.

    It also delays the skb->cb modification until after we allocate the
    new skb as you should not modify shared skbs.

    Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 69101271ba86aca3202c5ff746e0666f900added
Author: Florian Fainelli
Date:   Sun Dec 4 19:22:05 2016 -0800

    net: ep93xx_eth: Do not crash unloading module

    commit c823abac17926767fb50175e098f087a6ac684c3 upstream.

    When we unload the ep93xx_eth, whether we have opened the network
    interface or not, we will either hit a kernel paging request error,
    or a simple NULL pointer de-reference because:

    - if ep93xx_open has been called, we have created a valid DMA mapping
      for ep->descs, when we call ep93xx_stop, we also call
      ep93xx_free_buffers, ep->descs now has a stale value

    - if ep93xx_open has not been called, we have a NULL pointer for
      ep->descs, so performing any operation against that address just
      won't work

    Fix this by adding a NULL pointer check for ep->descs which means
    that ep93xx_free_buffers() was able to successfully tear down the
    descriptors and free the DMA cookie as well.

    Fixes: 1d22e05df818 ("[PATCH] Cirrus Logic ep93xx ethernet driver")
    Signed-off-by: Florian Fainelli
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 5601a885975551f9d3650bcafab9610a55c768a7
Author: Shmulik Ladkani
Date:   Tue Sep 20 12:48:36 2016 +0300

    net: skbuff: Remove errornous length validation in skb_vlan_pop()

    commit 636c2628086e40c86dac7ddc84a1c4b4fcccc6e3 upstream.

    In 93515d53b1 "net: move vlan pop/push functions into common code"
    skb_vlan_pop was moved from its private location in openvswitch to
    skbuff common code.

    In case skb has non hw-accel vlan tag, the original 'pop_vlan()'
    assured that skb->len is sufficient (if skb->len < VLAN_ETH_HLEN then
    pop was considered a no-op).

    This validation was moved as is into the new common 'skb_vlan_pop'.

    Alas, in its original location (openvswitch), there was a guarantee
    that 'data' points to the mac_header, therefore the
    'skb->len < VLAN_ETH_HLEN' condition made sense.
    However there's no such guarantee in the generic 'skb_vlan_pop'.

    For short packets received in rx path going through 'skb_vlan_pop',
    this causes 'skb_vlan_pop' to fail pop-ing a valid vlan hdr (in the
    non hw-accel case) or to fail moving next tag into hw-accel tag.

    Remove the 'skb->len < VLAN_ETH_HLEN' condition entirely:
    It is superfluous since inner '__skb_vlan_pop' already verifies there
    are VLAN_ETH_HLEN writable bytes at the mac_header.

    Note this presents a slight change to skb_vlan_pop() users:
    In case total length is smaller than VLAN_ETH_HLEN, skb_vlan_pop() now
    returns an error, as opposed to previous "no-op" behavior.
    Existing callers (e.g. tc act vlan, ovs) usually drop the packet if
    'skb_vlan_pop' fails.

    Fixes: 93515d53b1 ("net: move vlan pop/push functions into common code")
    Signed-off-by: Shmulik Ladkani
    Cc: Pravin Shelar
    Reviewed-by: Pravin B Shelar
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit fff70051a18e96d2e758ef261b3b19c9e33c8d28
Author: Ivan Vecera
Date:   Thu Sep 15 22:47:51 2016 +0200

    bna: add missing per queue ethtool stat

    commit 2835d2d9e366a2985b24051d228333bfba82f3a7 upstream.

    Commit ba5ca784 "bna: check for dma mapping errors" added besides
    other things a statistic that counts number of DMA buffer mapping
    failures per each Rx queue. This counter is not included in ethtool
    stats output.

    Fixes: ba5ca784 "bna: check for dma mapping errors"
    Signed-off-by: Ivan Vecera
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d7633eef5de379595beb18a42a33534de8c206aa
Author: Toshiaki Makita
Date:   Thu Aug 4 11:11:19 2016 +0900

    bridge: Fix problems around fdb entries pointing to the bridge device

    commit 7bb90c3715a496c650b2e879225030f9dd9cfafb upstream.

    Adding fdb entries pointing to the bridge device uses fdb_insert(),
    which lacks various checks and does not respect added_by_user flag.

    As a result, some inconsistent behavior can happen:
    * Adding temporary entries succeeds but results in permanent entries.
    * Same goes for "dynamic" and "use".
    * Changing mac address of the bridge device causes deletion of
      user-added entries.
    * Replacing existing entries looks successful from userspace but
      actually not, regardless of NLM_F_EXCL flag.

    Use the same logic as other entries and fix them.

    Fixes: 3741873b4f73 ("bridge: allow adding of fdb entries pointing to the bridge device")
    Signed-off-by: Toshiaki Makita
    Acked-by: Roopa Prabhu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 7f9b6b0a1eadf99d7974958233da0b2bbe19d9a0
Author: Arend Van Spriel
Date:   Fri Jul 15 12:16:12 2016 +0200

    brcmfmac: restore stopping netdev queue when bus clogs up

    commit 82bc9ab6a8f577d2174a736c33f3d4ecf7d9ef47 upstream.

    When the host-interface bus has hard time handling transmit packets
    it informs higher layer about this and it would stop the netdev
    queue when needed. However, since commit 9cd18359d31e ("brcmfmac:
    Make FWS queueing configurable.") this was broken. With this patch
    the behaviour is restored.

    Cc: stable@vger.kernel.org # v4.5, v4.6, v4.7
    Fixes: 9cd18359d31e ("brcmfmac: Make FWS queueing configurable.")
    Tested-by: Per Förlin
    Reviewed-by: Hante Meuleman
    Reviewed-by: Pieter-Paul Giesberts
    Reviewed-by: Franky Lin
    Signed-off-by: Arend van Spriel
    Signed-off-by: Kalle Valo
    Signed-off-by: Greg Kroah-Hartman

commit a4334ec2235760178177908ad2d98d3c074263d2
Author: Jaap Jan Meijer
Date:   Thu May 12 18:25:08 2016 +0200

    brcmfmac: add fallback for devices that do not report per-chain values

    commit 94abd778a7bb00ed5d00f56d9fbfcbf5b7c02a5c upstream.

    If brcmf_cfg80211_get_station fails to determine the RSSI from the
    per-chain values get the value individually as a fallback.

    Fixes: 1f0dc59a6de9 ("brcmfmac: rework .get_station() callback")
    Signed-off-by: Jaap Jan Meijer
    Acked-by: Arend van Spriel
    Signed-off-by: Kalle Valo
    Signed-off-by: Greg Kroah-Hartman

commit 46fb1bd80b325a3fb170727bceb36172874428ca
Author: Laxman Dewangan
Date:   Mon May 2 22:53:24 2016 +0530

    pinctrl: tegra: Correctly check the supported configuration

    commit b22ef2a0979f2b91cfeeabb086e4d665183a93a1 upstream.

    The pincontrol registers of Tegra chips have multiple fields per
    register. There are two types of registers: mux and drive.
    All configurations belong to one of these registers.

    If any configurations are supported then _bit is set to bit position
    of these registers otherwise -1 to not support it.

    The member is defined as
        s32 _bit:6;
    So if config is not supported for given SoC then it is set to -1 in
    soc pinmux table.

    In common driver code, to find out that given config is supported or
    not, it is checked as:
        s8 bit = _bit;
        if (bit > 31) {
            /* Not supported config */
        }

    But in this case, bit is s8 and hence for non supporting it is -1.
    Correct the check as:
        if (bit < 0) {
            /* Not supported config */
        }

    Fixes: e4c02dced975cb ("pinctrl: tegra: use signed bitfields for optional fields")
    Signed-off-by: Laxman Dewangan
    Acked-by: Stephen Warren
    Signed-off-by: Linus Walleij
    Signed-off-by: Greg Kroah-Hartman

commit 3c5a1b47dd54898417a1aa104bf1e775f0957a0b
Author: Mans Rullgard
Date:   Tue Apr 26 12:03:02 2016 +0300

    ata: sata_dwc_460ex: remove incorrect locking

    commit 55e610cdd28c0ad3dce0652030c0296d549673f3 upstream.

    This lock is already taken in ata_scsi_queuecmd() a few levels up the
    call stack so attempting to take it here is an error. Moreover, it is
    pointless in the first place since it only protects a single, atomic
    assignment.

    Enabling lock debugging gives the following output:

    =============================================
    [ INFO: possible recursive locking detected ]
    4.4.0-rc5+ #189 Not tainted
    ---------------------------------------------
    kworker/u2:3/37 is trying to acquire lock:
     (&(&host->lock)->rlock){-.-...}, at: [<90283294>] sata_dwc_exec_command_by_tag.constprop.14+0x44/0x8c

    but task is already holding lock:
     (&(&host->lock)->rlock){-.-...}, at: [<902761ac>] ata_scsi_queuecmd+0x2c/0x330

    other info that might help us debug this:
     Possible unsafe locking scenario:

           CPU0
           ----
      lock(&(&host->lock)->rlock);
      lock(&(&host->lock)->rlock);

     *** DEADLOCK ***

     May be due to missing lock nesting notation

    4 locks held by kworker/u2:3/37:
     #0: ("events_unbound"){.+.+.+}, at: [<9003a0a4>] process_one_work+0x12c/0x430
     #1: ((&entry->work)){+.+.+.}, at: [<9003a0a4>] process_one_work+0x12c/0x430
     #2: (&bdev->bd_mutex){+.+.+.}, at: [<9011fd54>] __blkdev_get+0x50/0x380
     #3: (&(&host->lock)->rlock){-.-...}, at: [<902761ac>] ata_scsi_queuecmd+0x2c/0x330

    stack backtrace:
    CPU: 0 PID: 37 Comm: kworker/u2:3 Not tainted 4.4.0-rc5+ #189
    Workqueue: events_unbound async_run_entry_fn
    Stack : 90b38e30 00000021 00000003 9b2a6040 00000000 9005f3f0 904fc8dc 00000025
            906b96e4 00000000 90528648 9b3336c4 904fc8dc 9009bf18 00000002 00000004
            00000000 00000000 9b3336c4 9b3336e4 904fc8dc 9003d074 00000000 90500000
            9005e738 00000000 00000000 00000000 00000000 00000000 00000000 00000000
            6e657665 755f7374 756f626e 0000646e 00000000 00000000 9b00ca00 9b025000
            ...
    Call Trace:
    [<90009d6c>] show_stack+0x88/0xa4
    [<90057744>] __lock_acquire+0x1ce8/0x2154
    [<900583e4>] lock_acquire+0x64/0x8c
    [<9045ff10>] _raw_spin_lock_irqsave+0x54/0x78
    [<90283294>] sata_dwc_exec_command_by_tag.constprop.14+0x44/0x8c
    [<90283484>] sata_dwc_qc_issue+0x1a8/0x24c
    [<9026b39c>] ata_qc_issue+0x1f0/0x410
    [<90273c6c>] ata_scsi_translate+0xb4/0x200
    [<90276234>] ata_scsi_queuecmd+0xb4/0x330
    [<9025800c>] scsi_dispatch_cmd+0xd0/0x128
    [<90259934>] scsi_request_fn+0x58c/0x638
    [<901a3e50>] __blk_run_queue+0x40/0x5c
    [<901a83d4>] blk_queue_bio+0x27c/0x28c
    [<901a5914>] generic_make_request+0xf0/0x188
    [<901a5a54>] submit_bio+0xa8/0x194
    [<9011adcc>] submit_bh_wbc.isra.23+0x15c/0x17c
    [<9011c908>] block_read_full_page+0x3e4/0x428
    [<9009e2e0>] do_read_cache_page+0xac/0x210
    [<9009fd90>] read_cache_page+0x18/0x24
    [<901bbd18>] read_dev_sector+0x38/0xb0
    [<901bd174>] msdos_partition+0xb4/0x5c0
    [<901bcb8c>] check_partition+0x140/0x274
    [<901bba60>] rescan_partitions+0xa0/0x2b0
    [<9011ff68>] __blkdev_get+0x264/0x380
    [<901201ac>] blkdev_get+0x128/0x36c
    [<901b9378>] add_disk+0x3c0/0x4bc
    [<90268268>] sd_probe_async+0x100/0x224
    [<90043a44>] async_run_entry_fn+0x50/0x124
    [<9003a11c>] process_one_work+0x1a4/0x430
    [<9003a4f4>] worker_thread+0x14c/0x4fc
    [<900408f4>] kthread+0xd0/0xe8
    [<90004338>] ret_from_kernel_thread+0x14/0x1c

    Fixes: 62936009f35a ("[libata] Add 460EX on-chip SATA driver, sata_dwc_460ex")
    Tested-by: Christian Lamparter
    Signed-off-by: Mans Rullgard
    Signed-off-by: Tejun Heo
    Signed-off-by: Greg Kroah-Hartman

commit 213ac7e7a0b44ab51c570de189ec607a815202b3
Author: Neil Armstrong
Date:   Wed Apr 20 10:56:45 2016 +0200

    net: ethernet: davinci_emac: Fix platform_data overwrite

    commit 210990b05a1247886539078e857cd038881bb2d6 upstream.

    When the DaVinci emac driver is removed and re-probed, the actual
    pdev->dev.platform_data is populated with an unwanted valid pointer
    saved by the previous davinci_emac_of_get_pdata() call, causing a
    kernel crash when calling priv->int_disable() in emac_int_disable().

    Unable to handle kernel paging request at virtual address c8622a80
    ...
    [] (emac_int_disable) from [] (emac_dev_open+0x290/0x5f8)
    [] (emac_dev_open) from [] (__dev_open+0xb8/0x120)
    [] (__dev_open) from [] (__dev_change_flags+0x88/0x14c)
    [] (__dev_change_flags) from [] (dev_change_flags+0x18/0x48)
    [] (dev_change_flags) from [] (devinet_ioctl+0x6b4/0x7ac)
    [] (devinet_ioctl) from [] (sock_ioctl+0x1d8/0x2c0)
    [] (sock_ioctl) from [] (do_vfs_ioctl+0x41c/0x600)
    [] (do_vfs_ioctl) from [] (SyS_ioctl+0x6c/0x7c)
    [] (SyS_ioctl) from [] (ret_fast_syscall+0x0/0x1c)

    Fixes: 42f59967a091 ("net: ethernet: davinci_emac: add OF support")
    Cc: Brian Hutchinson
    Signed-off-by: Neil Armstrong
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e1a3b70bb1e8ebc1199add0a9c278272164251ab
Author: Aneesh Kumar K.V
Date:   Wed Apr 20 03:59:47 2016 -0400

    cxl: Fix DAR check & use REGION_ID instead of opencoding

    commit 3b1dbfa14f97188ec33fdfc7acb66bea59a3bb21 upstream.

    The current code will set _PAGE_USER to the access flags for any
    fault address, because the ~ operation will be true for all address
    we take a fault on. But setting _PAGE_USER also means that the fault
    will be handled only if the page table have _PAGE_USER set. Hence
    there is no security hole with the current code.

    Now if it is an user space access, then the change in this patch
    really don't have an impact because we have (!ctx->kernel) set true
    and we take the if condition true.

    Now kernel context created fault on an address in the kernel range
    will result in a fault loop because we will not insert the hash pte
    due to access and pte permission mismatch. This patch fix the above
    issue.

    Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access")
    Reviewed-by: Andrew Donnellan
    Acked-by: Ian Munsie
    Signed-off-by: Aneesh Kumar K.V
    Signed-off-by: Michael Ellerman
    Signed-off-by: Greg Kroah-Hartman

commit a4c60ebccf64370660076028658003066d278a70
Author: Sergei Shtylyov
Date:   Wed Mar 23 00:44:40 2016 +0300

    at803x: fix reset handling

    commit d57019d1858a6f9b3ca05d76d793466ae428cfa3 upstream.

    The driver of course "knows" that the chip's reset signal is active
    low, so it drives the GPIO to 0 to reset the PHY and to 1 otherwise;
    however all this will only work iff the GPIO is specified as
    active-high in the device tree! I think both the driver and the
    device trees (if there are any -- I was unable to find them) need to
    be fixed in this case...

    Fixes: 13a56b449325 ("net: phy: at803x: Add support for hardware reset")
    Signed-off-by: Sergei Shtylyov
    Acked-by: Uwe Kleine-König
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f289001749c5b90b6b1b3addf19d551b27fdeb70
Author: Vivien Didelot
Date:   Thu Jan 28 16:54:37 2016 -0500

    net: dsa: mv88e6xxx: fix port VLAN maps

    commit be1faa92e83b1252d9200c59d8c98aab44463f1e upstream.

    Currently the port based VLAN maps should be configured to allow
    every port to egress frames on all other ports, except themselves.

    The debugfs interface shows that they are misconfigured. For
    instance, a 7-port switch has the following content in the related
    register 0x06:

          GLOBAL GLOBAL2 SERDES   0   1   2   3   4   5   6
        ...
        6:  1fa4    1f0f      4  7f  7e  7d  7c  7b  7a  79
        ...

    This means that port 3 is allowed to talk to port 2-6, but cannot
    talk to ports 0 and 1. With this fix, port 3 can correctly talk to
    all ports except 3 itself:

          GLOBAL GLOBAL2 SERDES   0   1   2   3   4   5   6
        ...
        6:  1fa4    1f0f      4  7e  7d  7b  77  6f  5f  3f
        ...

    Fixes: ede8098d0fef ("net: dsa: mv88e6xxx: bridges do not need an FID")
    Reported-by: Kevin Smith
    Signed-off-by: Vivien Didelot
    Reviewed-by: Andrew Lunn
    Tested-by: Kevin Smith
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 706bfc9245371ba69735949aad006a132900bd02
Author: Charles Keepax
Date:   Tue Jan 26 16:38:59 2016 +0000

    regulator: core: Rely on regulator_dev_release to free constraints

    commit 6333ef46bbe514a8ece6c432aab6bcf8637b2d7c upstream.

    As we now free the constraints in regulator_dev_release we will still
    call free on the constraints pointer even if we went down an error
    path in regulator_register, because it is only allocated after the
    device_register. As such we no longer need to free rdev->constraints
    on the error paths, so this patch removes said frees.

    Fixes: 29f5f4860a8e ("regulator: core: Move more deallocation into class unregister")
    Signed-off-by: Charles Keepax
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 5884abeab820b70fcb209ac213a4ff03e509e774
Author: Nicolas Schichan
Date:   Tue Jan 26 16:12:35 2016 +0100

    net: mv643xx_eth: fix packet corruption with TSO and tiny unaligned packets.

    commit 3b89624ab54b9dc2d92fc08ce2670e5f19ad8ec8 upstream.

    The code in txq_put_data() would use txq->tx_curr_desc to index the
    tso_hdrs/tso_hdrs_dma buffers, for less than 8 bytes unaligned
    fragments, which is already moved to the next descriptor at the
    beginning of the function.

    If that fragment was the last of the skb, the next skb would use
    that same space to place the ip headers, overwriting that small
    fragment data.

    Fixes: 91986fd3d335 (net: mv643xx_eth: Ensure proper data alignment in TSO TX path)
    Signed-off-by: Nicolas Schichan
    Reviewed-by: Philipp Kirchhofer
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 885fc27636e093fffc03ac80c1505d7648316d54
Author: Nicolas Dichtel
Date:   Mon Jun 13 10:31:05 2016 +0200

    ovs/vxlan: fix rtnl notifications on iface deletion

    commit cf5da330bbdd0c06b05c525a3d1d58ccd82c87a6 upstream.

    The function vxlan_dev_create() (only used by ovs) never calls
    rtnl_configure_link(). The consequence is that dev->rtnl_link_state
    is never set to RTNL_LINK_INITIALIZED.
    During the deletion phase, the function rollback_registered_many()
    sends a RTM_DELLINK only if dev->rtnl_link_state is set to
    RTNL_LINK_INITIALIZED.

    Note that the function vxlan_dev_create() is moved after the rtnl
    stuff so that vxlan_dellink() can be called in this function.

    Fixes: dcc38c033b32 ("openvswitch: Re-add CONFIG_OPENVSWITCH_VXLAN")
    CC: Thomas Graf
    CC: Pravin B Shelar
    Signed-off-by: Nicolas Dichtel
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 10be8a1102c681b67e9e72b9fb8a505d62df93df
Author: Florian Fainelli
Date:   Tue Jul 12 16:04:35 2016 -0700

    net: ethoc: Fix early error paths

    commit 386512d18b268c6182903239f9f3390f03ce4c7b upstream.

    In case any operation fails before we can successfully go the point
    where we would register a MDIO bus, we would be going to an error
    label which involves unregistering then freeing this yet to be
    created MDIO bus. Update all error paths to go to label free which is
    the only one valid until either the clock is enabled, or the MDIO bus
    is allocated and registered. This fixes kernel oops observed while
    trying to dereference the MDIO bus structure which is not yet
    allocated.

    Fixes: a1702857724f ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.")
    Signed-off-by: Florian Fainelli
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b1f88cb2ca8526e77e482c80a5c5bf6ab041cbe1
Author: pravin shelar
Date:   Fri Aug 5 17:45:37 2016 -0700

    net: vxlan: lwt: Fix vxlan local traffic.

    commit bbec7802c6948c8626b71a4fe31283cb4691c358 upstream.

    vxlan driver has bypass for local vxlan traffic, but that depends on
    information about all VNIs on local system in vxlan driver. This is
    not available in case of LWT.
    Therefore following patch disable encap bypass for LWT vxlan traffic.

    Fixes: ee122c79d42 ("vxlan: Flow based tunneling").
    Reported-by: Jakub Libosvar
    Signed-off-by: Pravin B Shelar
    Acked-by: Jiri Benc
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 183ed2b1df13c38955a9e9011835e1213de2ed9a
Author: Arnd Bergmann
Date:   Thu Nov 24 17:28:12 2016 +0100

    mvpp2: use correct size for memset

    commit e8f967c3d88489fc1562a31d4e44d905ac1d3aff upstream.

    gcc-7 detects a short memset in mvpp2, introduced in the original
    merge of the driver:

    drivers/net/ethernet/marvell/mvpp2.c: In function 'mvpp2_cls_init':
    drivers/net/ethernet/marvell/mvpp2.c:3296:2: error: 'memset' used with length equal to number of elements without multiplication by element size [-Werror=memset-elt-size]

    The result seems to be that we write uninitialized data into the flow
    table registers, although we did not get any warning about that
    uninitialized data usage.

    Using sizeof() lets us initialize the entire array instead.

    Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
    Signed-off-by: Arnd Bergmann
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e3ca76fc5cd6c5833e2ae609f9d97dc2ac9298aa
Author: Geert Uytterhoeven
Date:   Sat May 7 13:17:11 2016 +0200

    ravb: Add missing free_irq() call to ravb_close()

    commit 7fa816b92c52e2c304f2ff6401e0d51e1d229ca5 upstream.

    When reopening the network device on ra7795/salvator-x, e.g. after a
    DHCP timeout:

        IP-Config: Reopening network devices...
        genirq: Flags mismatch irq 139. 00000000 (eth0:ch24:emac) vs. 00000000 (eth0:ch24:emac)
        ravb e6800000.ethernet eth0: cannot request IRQ eth0:ch24:emac
        IP-Config: Failed to open eth0
        IP-Config: No network devices available

    The "mismatch" is due to requesting an IRQ that is already in use,
    while IRQF_PROBE_SHARED wasn't set.

    However, the real cause is that ravb_close() doesn't release the
    R-Car Gen3-specific secondary IRQ.

    Add the missing free_irq() call to fix this.

    Fixes: 22d4df8ff3a3cc72 ("ravb: Add support for r8a7795 SoC")
    Signed-off-by: Geert Uytterhoeven
    Acked-by: Sergei Shtylyov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 236de7848762ec6b2296f4ea341581c2fa2ab1bd
Author: Cyrille Pitchen
Date:   Thu Mar 24 15:40:04 2016 +0100

    net: macb: replace macb_writel() call by queue_writel() to update queue ISR

    commit ba5049945421b8d2f3e2af786a15d13b82316503 upstream.

    macb_interrupt() should not use macb_writel(bp, ISR, ) but only
    queue_writel(queue, ISR, ).

    There is one IRQ and one set of {ISR, IER, IDR, IMR} [1] registers
    per queue on gem hardware, though only queue0 is actually used for
    now to receive frames: other queues can already be used to transmit
    frames.

    The queue_readl() and queue_writel() helper macros are designed to
    access the relevant IRQ registers.

    [1]
    ISR: Interrupt Status Register
    IER: Interrupt Enable Register
    IDR: Interrupt Disable Register
    IMR: Interrupt Mask Register

    Signed-off-by: Cyrille Pitchen
    Fixes: bfbb92c44670 ("net: macb: Handle the RXUBR interrupt on all devices")
    Acked-by: Nicolas Ferre
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 4cbe341dce1686602bbf83f525cf360af61756ab
Author: Jisheng Zhang
Date:   Wed Jan 20 16:36:25 2016 +0800

    net: mvneta: fix trivial cut-off issue in mvneta_ethtool_update_stats

    commit 2c832293e09be2f998ea916650927c8ccd5b4b3b upstream.

    When s->type is T_REG_64, the high 32bits are lost in val. This patch
    fixes this trivial issue.

    Signed-off-by: Jisheng Zhang
    Fixes: 9b0cdefa4cd5 ("net: mvneta: add ethtool statistics")
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit a0598fb1a289cd6205669d8c9e217ba45fc7a2a9
Author: David Ahern
Date:   Mon Nov 7 12:03:09 2016 -0800

    net: icmp_route_lookup should use rt dev to determine L3 domain

    commit 9d1a6c4ea43e48c7880c85971c17939b56832d8a upstream.

    icmp_send is called in response to some event. The skb may not have
    the device set (skb->dev is NULL), but it is expected to have an rt.
    Update icmp_route_lookup to use the rt on the skb to determine L3
    domain.

    Fixes: 613d09b30f8b ("net: Use VRF device index for lookups on TX")
    Signed-off-by: David Ahern
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 1c8cd7b64efe9f928b0f21eb88cdd9341f30ab85
Author: Krzysztof Kozlowski
Date:   Mon Mar 14 09:07:15 2016 +0900

    hwrng: exynos - Disable runtime PM on driver unbind

    commit 27d80fa8bccf8d28bef4f89709638efc624fef9a upstream.

    Driver enabled runtime PM but did not revert this on removal.
    Re-binding of a device triggered warning:
        exynos-rng 10830400.rng: Unbalanced pm_runtime_enable!

    Fixes: b329669ea0b5 ("hwrng: exynos - Add support for Exynos random number generator")
    Signed-off-by: Krzysztof Kozlowski
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

commit 35a017009751dc18b365fe9ec8886a2632f42c18
Author: Sabrina Dubroca
Date:   Fri Sep 2 10:22:54 2016 +0200

    l2tp: fix use-after-free during module unload

    commit 2f86953e7436c9b9a4690909c5e2db24799e173b upstream.

    Tunnel deletion is delayed by both a workqueue (l2tp_tunnel_delete ->
    wq -> l2tp_tunnel_del_work) and RCU (sk_destruct -> RCU ->
    l2tp_tunnel_destruct).

    By the time l2tp_tunnel_destruct() runs to destroy the tunnel and
    finish destroying the socket, the private data reserved via the
    net_generic mechanism has already been freed, but
    l2tp_tunnel_destruct() actually uses this data.

    Make sure tunnel deletion for the netns has completed before
    returning from l2tp_exit_net() by first flushing the tunnel removal
    workqueue, and then waiting for RCU callbacks to complete.

    Fixes: 167eb17e0b17 ("l2tp: create tunnel sockets in the right namespace")
    Signed-off-by: Sabrina Dubroca
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0c17b22c8c5aa1f71a30974066fea2d4b2511980
Author: xypron.glpk@gmx.de
Date:   Tue May 17 22:28:54 2016 +0200

    net: ehea: avoid null pointer dereference

    commit 1740c29a46b30a2f157afc473156f157e599d4c2 upstream.

    ehea_get_port may return NULL. Do not dereference NULL value.

    Fixes: 8c4877a4128e ("ehea: Use the standard logging functions")
    Signed-off-by: Heinrich Schuchardt
    Acked-by: Thadeu Lima de Souza Cascardo
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 6417d8fe3e507e14194a5a4778581a85769e0cc5
Author: Vivien Didelot
Date:   Thu Apr 14 14:42:08 2016 -0400

    net: dsa: mv88e6xxx: enable SA learning on DSA ports

    commit 996ecb8246676100af2a4dc1cfed747712a3c85f upstream.

    In multi-chip systems, DSA Tag ports must learn SA addresses in order
    to correctly switch frames between interconnected chips.

    This fixes cross-chip hardware bridging in a VLAN filtering aware
    system, because a bridge group gets implemented as an hardware 802.1Q
    VLAN and thus DSA and user ports share the same FDB.

    Fixes: 4c7ea3c0791e ("net: dsa: mv88e6xxx: disable SA learning for DSA and CPU ports")
    Signed-off-by: Vivien Didelot
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c94875da94590e2b41df4804cc17c6bd79d80b79
Author: Nikolay Aleksandrov
Date:   Tue Aug 30 17:44:29 2016 +0200

    net: bridge: don't increment tx_dropped in br_do_proxy_arp

    commit 85a3d4a9356b595d5440c3f1bf07ee7cecca1567 upstream.

    pskb_may_pull may fail due to various reasons (e.g. alloc failure),
    but the skb isn't changed/dropped and processing continues so we
    shouldn't increment tx_dropped.

    CC: Kyeyoon Park
    CC: Roopa Prabhu
    CC: Stephen Hemminger
    CC: bridge@lists.linux-foundation.org
    Fixes: 958501163ddd ("bridge: Add support for IEEE 802.11 Proxy ARP")
    Signed-off-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 6c0c7c62caab52144582ccc67b143e7bd9243d72
Author: Johan Hovold
Date:   Thu Nov 3 18:40:22 2016 +0100

    net: hns: fix device reference leaks

    commit 2271150bfb814b72ec57ae2fdf66e39da2eafafd upstream.

    Make sure to drop the reference taken by class_find_device() in
    hnae_get_handle() on errors and when later releasing the handle.

    Fixes: 6fe6611ff275 ("net: add Hisilicon Network Subsystem...")
    Cc: Yisen Zhuang
    Cc: Salil Mehta
    Signed-off-by: Johan Hovold
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b5ec0bdc572c2ee119a847a3774d9eea4711882d
Author: Johan Hovold
Date:   Thu Nov 17 17:40:02 2016 +0100

    net: ethernet: ti: cpsw: fix secondary-emac probe error path

    commit a7fe9d466f6a33558a38c7ca9d58bcc83512d577 upstream.

    Make sure to deregister the primary device in case the secondary emac
    fails to probe.

    kernel BUG at /home/johan/work/omicron/src/linux/net/core/dev.c:7743!
    ...
    [] (free_netdev) from [] (cpsw_probe+0x9cc/0xe50)
    [] (cpsw_probe) from [] (platform_drv_probe+0x5c/0xc0)

    Fixes: d9ba8f9e6298 ("driver: net: ethernet: cpsw: dual emac interface implementation")
    Signed-off-by: Johan Hovold
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d637933dec07aa434ccc38382888e0c85bf65f76
Author: Johan Hovold
Date:   Thu Nov 3 18:40:20 2016 +0100

    net: ethernet: ti: cpsw: fix device and of_node leaks

    commit c7262aaace1b17a650598063e3b9ee1785fde377 upstream.

    Make sure to drop the references taken by of_get_child_by_name() and
    bus_find_device() before returning from cpsw_phy_sel().

    Note that holding a reference to the cpsw-phy-sel device does not
    prevent the devres-managed private data from going away.

    Fixes: 5892cd135e16 ("drivers: net: cpsw-phy-sel: Add new driver...")
    Cc: Mugunthan V N
    Cc: Grygorii Strashko
    Cc: linux-omap@vger.kernel.org
    Signed-off-by: Johan Hovold
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit c5f70f452cd59b7326754aa6cdc3b1885795a309
Author: Andrew Lunn
Date:   Thu Nov 24 00:08:13 2016 +0100

    net: ethernet: mvneta: Remove IFF_UNICAST_FLT which is not implemented

    commit 97db8afa2ab919fc400fe982f5054060868bdf07 upstream.

    The mvneta driver advertises it supports IFF_UNICAST_FLT. However, it
    actually does not. The hardware probably does support it, but there
    is no code to configure the filter.

    As a quick and simple fix, remove the flag. This will cause the core
    to fall back to promiscuous mode.

    Signed-off-by: Andrew Lunn
    Fixes: b50b72de2f2f ("net: mvneta: enable features before registering the driver")
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0697b3069b5eac0f718fae5dcff521b943fdd89a
Author: Neil Armstrong
Date:   Mon Apr 25 19:41:38 2016 +0200

    net: ethernet: davinci_emac: Fix devioctl while in fixed link

    commit 62522ef3c399996f6c8120bfd14b94280bc9f490 upstream.

    When configured in fixed link, the DaVinci emac driver sets the
    priv->phydev to NULL and further ioctl calls to the phy_mii_ioctl()
    causes the kernel to crash.

    Cc: Brian Hutchinson
    Fixes: 1bb6aa56bb38 ("net: davinci_emac: Add support for fixed-link PHY")
    Signed-off-by: Neil Armstrong
    Reviewed-by: Mugunthan V N
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit de57817d971a54d415981f7a61fa7c50749a3f70
Author: Florian Fainelli
Date:   Mon Jul 18 13:02:47 2016 -0700

    bnxt_en: Remove locking around txr->dev_state

    commit cbce91cad4ee39070bf3c7873767194e4be88e16 upstream.

    txr->dev_state was not consistently manipulated with the acquisition
    of the per-queue lock, after further inspection the lock does not
    seem necessary, either the value is read as BNXT_DEV_STATE_CLOSING
    or 0.

    Reported-by: coverity (CID 1339583)
    Fixes: c0c050c58d840 ("bnxt_en: New Broadcom ethernet driver.")
    Signed-off-by: Florian Fainelli
    Acked-by: Michael Chan
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 45f35048a173f2fd003be8df24550c5ca4818588
Author: Wei Yongjun
Date:   Tue Jul 19 11:23:24 2016 +0000

    net: axienet: Fix return value check in axienet_probe()

    commit 3ad7b1477ef9b01988ac052b02be9cd410c95157 upstream.

    In case of error, the function of_parse_phandle() returns NULL
    pointer not ERR_PTR(). The IS_ERR() test in the return value check
    should be replaced with NULL test.
Fixes: 46aa27df8853 ('net: axienet: Use devm_* calls') Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 27e81a60fcb6d0c6256ea5c87deab95f6c57328c Author: Eric Dumazet Date: Wed Aug 24 09:39:02 2016 -0700 qdisc: fix a module refcount leak in qdisc_create_dflt() commit 166ee5b87866de07a3e56c1b757f2b5cabba72a5 upstream. Should qdisc_alloc() fail, we must release the module refcount we got right before. Fixes: 6da7c8fcbcbd ("qdisc: allow setting default queuing discipline") Signed-off-by: Eric Dumazet Acked-by: John Fastabend Acked-by: John Fastabend Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0ca38a1cb631b1262f87fb08616670de144df9e1 Author: Eric Dumazet Date: Wed Nov 16 06:31:52 2016 -0800 bnxt: add a missing rcu synchronization commit e5f6f564fd191d365fcd775c06a732a488205588 upstream. Add a missing synchronize_net() call to avoid potential use after free, since we explicitly call napi_hash_del() to factorize the RCU grace period. Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") Signed-off-by: Eric Dumazet Cc: Michael Chan Acked-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 959c8d63b47eceacf3890450b1cad44f22e6a139 Author: Nicolas Dichtel Date: Mon Jun 13 10:31:07 2016 +0200 ovs/geneve: fix rtnl notifications on iface deletion commit 41009481b690493c169ce85f591b9d32c6fd9422 upstream. The function geneve_dev_create_fb() (only used by ovs) never calls rtnl_configure_link(). The consequence is that dev->rtnl_link_state is never set to RTNL_LINK_INITIALIZED. During the deletion phase, the function rollback_registered_many() sends a RTM_DELLINK only if dev->rtnl_link_state is set to RTNL_LINK_INITIALIZED. Fixes: e305ac6cf5a1 ("geneve: Add support to collect tunnel metadata.") CC: Pravin B Shelar CC: Jesse Gross CC: Thomas Graf Signed-off-by: Nicolas Dichtel Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit b7ad8f035e6703622a91e70d5682589346295a68 Author: Johan Hovold Date: Wed Nov 30 15:29:52 2016 +0100 net: ethernet: stmmac: dwmac-generic: fix probe error path commit 939b20022765bc338b0f72cbf1eed60a907398d7 upstream. Make sure to call any exit() callback to undo the effect of init() before returning on late probe errors. Fixes: cf3f047b9af4 ("stmmac: move hw init in the probe (v2)") Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ae6cfa66021a40cbe5739a6e363323436ed3b7be Author: Eric Dumazet Date: Mon Jun 6 09:12:39 2016 -0700 fq_codel: return non zero qlen in class dumps commit aafddbf0cffeb790f919436285328c762279b5d4 upstream. We properly scan the flow list to count number of packets, but John passed 0 to gnet_stats_copy_queue() so we report a zero value to user space instead of the result. Fixes: 640158536632 ("net: sched: restrict use of qstats qlen") Signed-off-by: Eric Dumazet Cc: John Fastabend Acked-by: John Fastabend Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7b7954183bef7e7e9ca3fd4f20751ee882bc6680 Author: Johan Hovold Date: Wed Nov 30 15:29:51 2016 +0100 net: ethernet: stmmac: dwmac-rk: fix probe error path commit 2d222656db08b8eef3b53b56cf1ce4a90fe8cd78 upstream. Make sure to disable runtime PM, power down the PHY, and disable clocks before returning on late probe errors. Fixes: 27ffefd2d109 ("stmmac: dwmac-rk: create a new probe function") Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7474448706b752408121b587d105fc69c5e586ef Author: Mathias Krause Date: Mon Nov 7 23:22:19 2016 +0100 rtnl: reset calcit fptr in rtnl_unregister() commit f567e950bf51290755a2539ff2aaef4c26f735d3 upstream. To avoid having dangling function pointers left behind, reset calcit in rtnl_unregister(), too. 
This is no issue so far, as only the rtnl core registers a netlink handler with a calcit hook which won't be unregistered, but may become one if new code makes use of the calcit hook. Fixes: c7ac8679bec9 ("rtnetlink: Compute and store minimum ifinfo...") Cc: Jeff Kirsher Cc: Greg Rose Signed-off-by: Mathias Krause Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 19bbaed4733562baca3572e065f86616fcd4ef90 Author: Johan Hovold Date: Wed Nov 30 15:29:50 2016 +0100 net: ethernet: stmmac: dwmac-sti: fix probe error path commit 0a9e22715ee384cf2a714c28f24ce8881b9fd815 upstream. Make sure to disable clocks before returning on late probe errors. Fixes: 8387ee21f972 ("stmmac: dwmac-sti: turn setup callback into a probe function") Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0c2e3b36172562ea687fa4dae4ca706aaba29135 Author: Florian Fainelli Date: Fri Jul 15 16:40:22 2016 -0700 et131x: Fix logical vs bitwise check in et131x_tx_timeout() commit de702da7a823ab0c4a1e53ed79a2695f0d453855 upstream. We should be using a logical check here instead of a bitwise operation to check if the device is closed already in et131x_tx_timeout(). Reported-by: coverity (CID 146498) Fixes: 38df6492eb511 ("et131x: Add PCIe gigabit ethernet driver et131x to drivers/net") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 12003a72a164689011b7f22b1b6388c8509a80e1 Author: David Ahern Date: Thu Nov 3 16:17:26 2016 -0700 net: icmp6_send should use dst dev to determine L3 domain commit 5d41ce29e3b91ef305f88d23f72b3359de329cec upstream. icmp6_send is called in response to some event. The skb may not have the device set (skb->dev is NULL), but it is expected to have a dst set. Update icmp6_send to use the dst on the skb to determine L3 domain. Fixes: ca254490c8dfd ("net: Add VRF support to IPv6 stack") Signed-off-by: David Ahern Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit 720ef97e3c7fa7c7fa2333fb1d1503bc2920a3ef Author: Wei Yongjun Date: Wed Aug 24 13:32:19 2016 +0000 tipc: fix the error handling in tipc_udp_enable() commit a5de125dd46c851fc962806135953c1bd0a0f0df upstream. Fix to return a negative error code in enable_mcast() error handling case, and release udp socket when necessary. Fixes: d0f91938bede ("tipc: add ip/udp media type") Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 302257df964f8f08dc6f3a3e4f819d55fff7a571 Author: Eric Dumazet Date: Fri May 6 05:58:21 2016 -0700 macvtap: segmented packet is consumed commit be0bd3160165e42783d8215f426e41c07179c08a upstream. If GSO packet is segmented and its segments are properly queued, we call consume_skb() instead of kfree_skb() to be drop monitor friendly. Fixes: 3e4f8b7873709 ("macvtap: Perform GSO on forwarding path.") Signed-off-by: Eric Dumazet Cc: Vlad Yasevich Reviewed-by: Shmulik Ladkani Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ae2326b512eb940cf14e4d40c7d7a1da483d20d0 Author: Wei Yongjun Date: Fri Aug 12 15:43:54 2016 +0000 net: macb: add missing free_netdev() on error in macb_probe() commit b22ae0b4d9669495158a7fa0fd027bd0fcd8896e upstream. Add the missing free_netdev() before return from function macb_probe() in the platform_get_irq() error handling case. Fixes: c69618b3e4f2 ("net/macb: fix probe sequence to setup clocks earlier") Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 105f12ad444ba07f3a9ebce2d798718f2bd3f2bd Author: Jiri Benc Date: Fri Apr 22 13:09:13 2016 +0200 cxgbi: fix uninitialized flowi6 commit 3d6d30d60abb19ba9a20e53ce65b18a9c148fcd1 upstream. ip6_route_output looks into different fields in the passed flowi6 structure, yet cxgbi passes garbage in nearly all those fields. Zero the structure out first. 
Fixes: fc8d0590d9142 ("libcxgbi: Add ipv6 api to driver") Signed-off-by: Jiri Benc Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c5beacae2bf0248afcd11d936fe0260aac12766d Author: Florian Fainelli Date: Thu Jun 30 13:27:20 2016 -0700 net: bcmsysport: Device stats are unsigned long commit 016eb55157166132b094e53434748cae35e18455 upstream. On 64bits kernels, device stats are 64bits wide, not 32bits. Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 80cb976cb2eb940b2bd311f17307bdbcf26245bc Author: Bert Kenward Date: Fri Nov 11 15:56:51 2016 +0000 sfc: clear napi_hash state when copying channels commit 46d054f8f540612f09987a53154aa39ae15f2e4c upstream. efx_copy_channel() doesn't correctly clear the napi_hash related state. This means that when napi_hash_add is called for that channel nothing is done, and we are left with a copy of the napi_hash_node from the old channel. When we later call napi_hash_del() on this channel we have a stale napi_hash_node. Corruption is only seen when there are multiple entries in one of the napi_hash lists. This is made more likely by having a very large number of channels. Testing was carried out with 512 channels - 32 channels on each of 16 ports. This failure typically appears as protection faults within napi_by_id() or napi_hash_add(). efx_copy_channel() is only used when tx or rx ring sizes are changed (ethtool -G). Fixes: 36763266bbe8 ("sfc: Add support for busy polling") Signed-off-by: Bert Kenward Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 46c7e03b46c75329fcebb016c680296fadfc9d86 Author: Andrew Rybchenko Date: Fri Aug 26 11:19:34 2016 +0100 sfc: fix potential stack corruption from running past stat bitmask commit e70c70c38d7a5ced76fc8b1c4a7ccee76e9c2911 upstream. 
On 32-bit systems, mask is only an array of 3 longs, not 4, so don't try to write to mask[3]. Also include build-time checks in case the size of the bitmask changes. Fixes: 3c36a2aded8c ("sfc: display vadaptor statistics for all interfaces") Signed-off-by: Edward Cree Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4283ce49aaeff967bb51251766311ad963ae0496 Author: Jiri Benc Date: Wed Apr 27 14:08:01 2016 +0200 gre: reject GUE and FOU in collect metadata mode commit 946b636f1730c64e05ff7fe8cf7136422fa8ea70 upstream. The collect metadata mode does not support GUE nor FOU. This might be implemented later; until then, we should reject such config. I think this is okay to be changed. It's unlikely anyone has such configuration (as it doesn't work anyway) and we may need a way to distinguish whether it's supported or not by the kernel later. For backwards compatibility with iproute2, it's not possible to just check the attribute presence (iproute2 always includes the attribute), the actual value has to be checked, too. Fixes: 2e15ea390e6f4 ("ip_gre: Add support to collect tunnel metadata.") Signed-off-by: Jiri Benc Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f0dc27db66ee53bd0c6c7e81baa336c906f6aea3 Author: Jiri Benc Date: Wed Apr 27 11:29:07 2016 +0200 gre: build header correctly for collect metadata tunnels commit 2090714e1d6e80979dd6926be22b0de9ca432273 upstream. In ipgre (i.e. not gretap) + collect metadata mode, the skb was assumed to contain Ethernet header and was encapsulated as ETH_P_TEB. This is not the case, the interface is ARPHRD_IPGRE and the protocol to be used for encapsulation is skb->protocol. Fixes: 2e15ea390e6f4 ("ip_gre: Add support to collect tunnel metadata.") Signed-off-by: Jiri Benc Acked-by: Pravin B Shelar Reviewed-by: Simon Horman Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit 6ab8d40774eef8879466bb5157a1387e664d7e9d Author: Jiri Benc Date: Wed Apr 27 11:29:06 2016 +0200 gre: do not assign header_ops in collect metadata mode commit a64b04d86d14c81f50f68e102f79ef301e3d0a0e upstream. In ipgre mode (i.e. not gretap) with collect metadata flag set, the tunnel is incorrectly assumed to be mGRE in NBMA mode (see commit 6a5f44d7a048c). This is not the case, we're controlling the encapsulation addresses by lwtunnel metadata. And anyway, assigning dev->header_ops in collect metadata mode does not make sense. Although it would be more user friendly to reject requests that specify both the collect metadata flag and a remote/local IP address, this would break current users of gretap or introduce ugly code and differences in handling ipgre and gretap configuration. Keep the current behavior of remote/local IP address being ignored in such case. v3: Back to v1, added explanation paragraph. v2: Reject configuration specifying both remote/local address and collect metadata flag. Fixes: 2e15ea390e6f4 ("ip_gre: Add support to collect tunnel metadata.") Signed-off-by: Jiri Benc Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d65b4ef77ac4d79f47fdab9efb365dde019c3064 Author: Nicolas Dichtel Date: Mon Jun 13 10:31:06 2016 +0200 ovs/gre: fix rtnl notifications on iface deletion commit da6f1da819d4b9c081a477dec74dc468a0b44290 upstream. The function gretap_fb_dev_create() (only used by ovs) never calls rtnl_configure_link(). The consequence is that dev->rtnl_link_state is never set to RTNL_LINK_INITIALIZED. During the deletion phase, the function rollback_registered_many() sends a RTM_DELLINK only if dev->rtnl_link_state is set to RTNL_LINK_INITIALIZED. Fixes: b2acd1dc3949 ("openvswitch: Use regular GRE net_device instead of vport") CC: Thomas Graf CC: Pravin B Shelar Signed-off-by: Nicolas Dichtel Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit 4d5906105b66a5aa87ceafb8ce159fcb5cec405a Author: Eric Dumazet Date: Fri Apr 15 10:47:52 2016 -0700 net: bcmgenet: device stats are unsigned long commit 6517eb59b03965689e6bb16bb2d480096b3ef95d upstream. On 64bit kernels, device stats are 64bit wide, not 32bit. Fixes: 1c1008c793fa4 ("net: bcmgenet: add main driver file") Signed-off-by: Eric Dumazet Cc: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1ba3fdf2e5b4bcd3ca5707c26cb96a868eb3b5b2 Author: Petri Gynther Date: Thu Mar 24 11:27:21 2016 -0700 net: bcmgenet: fix skb_len in bcmgenet_xmit_single() commit 7dd399130efb5a454daf24075b7563d197114e39 upstream. skb_len needs to be skb_headlen(skb) in bcmgenet_xmit_single(). Fragmented skbs can have only Ethernet + IP + TCP headers (14+20+20=54 bytes) in the linear buffer, followed by the rest in fragments. Bumping skb_len to ETH_ZLEN would be incorrect for this case, as it would introduce garbage between TCP header and the fragment data. This also works with regular/non-fragmented small packets < ETH_ZLEN bytes. Successfully tested this on GENETv3 with 42-byte ARP frames. For testing, I used: ethtool -K eth0 tx-checksum-ipv4 off ethtool -K eth0 tx-checksum-ipv6 off echo 0 > /proc/sys/net/ipv4/tcp_timestamps Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") Signed-off-by: Petri Gynther Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 67146e93e7335f7f8a318e4aec59f3cecccb5943 Author: Hariprasad Shenai Date: Thu Jul 28 13:28:57 2016 +0530 cxgb4/cxgb4vf: Fixes regression in perf when tx vlan offload is disabled commit 8d09e6b8b9c9969ac59496dc21e10b67fe727e7e upstream. The commit 637d3e997351 ("cxgb4: Discard the packet if the length is greater than mtu") introduced a regression in the VLAN interface performance when Tx VLAN offload is disabled. Check if skb is tagged, regardless of whether it is hardware accelerated or not. 
Presently we were checking only for hardware accelerated one, which caused performance to drop to ~0.17Mbps on a 10GbE adapter for VLAN interface, when tx vlan offload is turned off using ethtool. The ethernet head length calculation was going wrong in this case, and driver ended up dropping packets. Fixes: 637d3e997351 ("cxgb4: Discard the packet if the length is greater than mtu") Signed-off-by: Hariprasad Shenai Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4337bfa4b21ad405dde6361ecfffa0d1dfdedc65 Author: Simon Horman Date: Mon May 30 14:04:25 2016 +0900 openvswitch: update checksum in {push,pop}_mpls commit bc7cc5999fd392cc799630d7e375b2f4e29cc398 upstream. In the case of CHECKSUM_COMPLETE the skb checksum should be updated in {push,pop}_mpls() as they the type in the ethernet header. As suggested by Pravin Shelar. Cc: Pravin Shelar Fixes: 25cd9ba0abc0 ("openvswitch: Add basic MPLS support to kernel") Signed-off-by: Simon Horman Acked-by: Pravin B Shelar Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 528b47364478a6fd7eeed45b88a4c17fe76fe0bc Author: Peter Ujfalusi Date: Wed Dec 16 15:19:05 2015 +0200 dmaengine: edma: Add probe callback to edma_tptc_driver commit 4fa2d09c1ae879c2ee2760ab419a4f97026dd97b upstream. Due to changes in device and platform code drivers w/o probe will fail to load. This means that the devices for eDMA TPTCs are going to be without driver and omap hwmod code will turn them off after the kernel finished loading: [ 3.015900] platform 49800000.tptc: omap_device_late_idle: enabled but no driver. Idling [ 3.024671] platform 49a00000.tptc: omap_device_late_idle: enabled but no driver. Idling This will prevent eDMA to work since the TPTCs are not enabled. 
Signed-off-by: Peter Ujfalusi Fixes: 34635b1accb9 ("dmaengine: edma: Add dummy driver skeleton for edma3-tptc") Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 88be692d4c1fac90e31e42161effa27dff58ea7a Author: Tahsin Erdogan Date: Fri Jul 15 06:27:08 2016 -0700 dm: fix second blk_delay_queue() parameter to be in msec units not jiffies commit bd9f55ea1cf6e14eb054b06ea877d2d1fa339514 upstream. Commit d548b34b062 ("dm: reduce the queue delay used in dm_request_fn from 100ms to 10ms") always intended the value to be 10 msecs -- it just expressed it in jiffies because earlier commit 7eaceaccab ("block: remove per-queue plugging") did. Signed-off-by: Tahsin Erdogan Signed-off-by: Mike Snitzer Fixes: d548b34b062 ("dm: reduce the queue delay used in dm_request_fn from 100ms to 10ms") Cc: stable@vger.kernel.org # 4.1+ -- stable@ backports must be applied to drivers/md/dm.c Signed-off-by: Greg Kroah-Hartman commit 655a064b05763765c583112110de7c621c3ee657 Author: Bartlomiej Zolnierkiewicz Date: Mon May 16 09:54:47 2016 -0600 blk-mq: fix undefined behaviour in order_to_size() commit b3a834b1596ac668df206aa2bb1f191c31f5f5e4 upstream. When this_order variable in blk_mq_init_rq_map() becomes zero the code incorrectly decrements the variable and passes the result to order_to_size() helper causing undefined behaviour: UBSAN: Undefined behaviour in block/blk-mq.c:1459:27 shift exponent 4294967295 is too large for 32-bit type 'unsigned int' CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0-rc6-00072-g33656a1 #22 Fix the code by checking this_order variable for not having the zero value first. 
Reported-by: Meelis Roos Fixes: 320ae51feed5 ("blk-mq: new multi-queue block IO queueing mechanism") Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 6612b07fedc4273ef5dddc5ff066212db1ce74c1 Author: Junxiao Bi Date: Tue Dec 22 08:06:08 2015 -0600 gfs2: fix flock panic issue commit a93a99838248bdab49db2eaac00236847670bc7f upstream. Commit 4f6563677ae8 ("Move locks API users to locks_lock_inode_wait()") moved flock/posix lock identify code to locks_lock_inode_wait(), but missed to set fl_flags to FL_FLOCK which will cause kernel panic in locks_lock_inode_wait(). Fixes: 4f6563677ae8 ("Move locks API users to locks_lock_inode_wait()") Signed-off-by: Junxiao Bi Signed-off-by: Bob Peterson Signed-off-by: Greg Kroah-Hartman commit d6a2dd37e58da8a7516dbabb4411a8cebb843106 Author: Vivien Didelot Date: Thu Apr 14 14:42:07 2016 -0400 net: dsa: mv88e6xxx: unlock DSA and CPU ports commit 65fa40276ac1318e75264e5a204547b57c2cf397 upstream. Locking a port generates an hardware interrupt when a new SA address is received. This enables CPU directed learning, which is needed for 802.1X MAC authentication. To disable automatic learning on a port, the only configuration needed is to set its Port Association Vector to all zero. Clear PAV when SA learning should be disabled instead of locking a port. Fixes: 4c7ea3c0791e ("net: dsa: mv88e6xxx: disable SA learning for DSA and CPU ports") Signed-off-by: Vivien Didelot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a039c41fb75ddc8f915b51822b4d49a33e117cb0 Author: Viresh Kumar Date: Tue Feb 9 09:01:35 2016 +0530 Revert "cpufreq: Drop rwsem lock around CPUFREQ_GOV_POLICY_EXIT" commit 68e80dae09033d778b98dc88e5bfe8fdade188e5 upstream. 
Earlier, when the struct freq-attr was used to represent governor attributes, the standard cpufreq show/store sysfs attribute callbacks were applied to the governor tunable attributes and they always acquire the policy->rwsem lock before carrying out the operation. That could have resulted in an ABBA deadlock if governor tunable attributes are removed under policy->rwsem while one of them is being accessed concurrently (if sysfs attributes removal wins the race, it will wait for the access to complete with policy->rwsem held while the attribute callback will block on policy->rwsem indefinitely). We attempted to address this issue by dropping policy->rwsem around governor tunable attributes removal (that is, around invocations of the ->governor callback with the event arg equal to CPUFREQ_GOV_POLICY_EXIT) in cpufreq_set_policy(), but that opened up race conditions that had not been possible with policy->rwsem held all the time. The previous commit, "cpufreq: governor: New sysfs show/store callbacks for governor tunables", fixed the original ABBA deadlock by adding new governor specific show/store callbacks. We don't have to drop rwsem around invocations of governor event CPUFREQ_GOV_POLICY_EXIT anymore, and original fix can be reverted now. Fixes: 955ef4833574 (cpufreq: Drop rwsem lock around CPUFREQ_GOV_POLICY_EXIT) Signed-off-by: Viresh Kumar Reported-by: Juri Lelli Tested-by: Juri Lelli Tested-by: Shilpasri G Bhat Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 50848ee25136bdd52164ed0ef0ec804c3a18a86e Author: Marcin Nowakowski Date: Wed Apr 19 14:07:43 2017 +0200 MIPS: perf: Remove incorrect odd/even counter handling for I6400 commit f7a31b5e7874f77464a4eae0a8ba84b9ae0b3a54 upstream. All performance counters on I6400 (odd and even) are capable of counting any of the available events, so drop current logic of using the extra bit to determine which counter to use. 
Signed-off-by: Marcin Nowakowski Fixes: 4e88a8621301 ("MIPS: Add cases for CPU_I6400") Fixes: fd716fca10fc ("MIPS: perf: Fix I6400 event numbers") Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/15991/ Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit 8bddcd242a8b1ce9f5b16c84e06a68581960bba7 Author: Tobias Jungel Date: Sun Oct 28 12:54:10 2018 +0100 bonding: fix length of actor system commit 414dd6fb9a1a1b59983aea7bf0f79f0085ecc5b8 upstream. The attribute IFLA_BOND_AD_ACTOR_SYSTEM is sent to user space having the length of sizeof(bond->params.ad_actor_system) which is 8 byte. This patch aligns the length to ETH_ALEN to have the same MAC address exposed as using sysfs. Fixes: f87fda00b6ed2 ("bonding: prevent out of bound accesses") Signed-off-by: Tobias Jungel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5a257454a7f690343b62ca5cf3e316a699a3a7ed Author: Andy Shevchenko Date: Sun Jul 16 21:40:03 2017 +0300 ALSA: fm801: Initialize chip after IRQ handler is registered commit 610e1ae9b533be82b3aa118b907e0a703256913d upstream. The commit b56fa687e02b ("ALSA: fm801: detect FM-only card earlier") rearranged initialization calls, i.e. it makes snd_fm801_chip_init() to be called before we register interrupt handler and set PCI bus mastering. Somehow it prevents FM801-AU to work properly. Thus, partially revert initialization order changed by commit mentioned above. Fixes: b56fa687e02b ("ALSA: fm801: detect FM-only card earlier") Reported-by: Émeric MASCHINO Tested-by: Émeric MASCHINO Signed-off-by: Andy Shevchenko Cc: # v4.5+ Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 78db3bcbfc41216230a255984e5e7e5b61b6616e Author: Chuck Lever Date: Thu Dec 14 20:56:09 2017 -0500 xprtrdma: Fix backchannel allocation of extra rpcrdma_reps commit d698c4a02ee02053bbebe051322ff427a2dad56a upstream. The backchannel code uses rpcrdma_recv_buffer_put to add new reps to the free rep list. 
This also decrements rb_recv_count, which spoofs the receive overrun logic in rpcrdma_buffer_get_rep. Commit 9b06688bc3b9 ("xprtrdma: Fix additional uses of spin_lock_irqsave(rb_lock)") replaced the original open-coded list_add with a call to rpcrdma_recv_buffer_put(), but then a year later, commit 05c974669ece ("xprtrdma: Fix receive buffer accounting") added rep accounting to rpcrdma_recv_buffer_put. It was an oversight to let the backchannel continue to use this function. To fix this, let's combine the "add to free list" logic with rpcrdma_create_rep. Also, do not allocate RPCRDMA_MAX_BC_REQUESTS rpcrdma_reps in rpcrdma_buffer_create and then allocate additional rpcrdma_reps in rpcrdma_bc_setup_reps. Allocating the extra reps during backchannel set-up is sufficient. Fixes: 05c974669ece ("xprtrdma: Fix receive buffer accounting") Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit 12468d592c8861cb869d2daa559552c526ed7ddf Author: Eric Dumazet Date: Fri Jan 13 08:39:24 2017 -0800 mlx4: do not call napi_schedule() without care commit 8cf699ec849f4ca1413cea01289bd7d37dbcc626 upstream. Disable BH around the call to napi_schedule() to avoid following warning [ 52.095499] NOHZ: local_softirq_pending 08 [ 52.421291] NOHZ: local_softirq_pending 08 [ 52.608313] NOHZ: local_softirq_pending 08 Fixes: 8d59de8f7bb3 ("net/mlx4_en: Process all completions in RX rings after port goes up") Signed-off-by: Eric Dumazet Cc: Erez Shitrit Cc: Eugenia Emantayev Cc: Tariq Toukan Acked-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4c27c6c05dd5365b47feb3d91ed2c7483dbd55af Author: David Ahern Date: Thu Nov 7 18:29:52 2019 +0000 ipv4: Fix table id reference in fib_sync_down_addr commit e0a312629fefa943534fc46f7bfbe6de3fdaf463 upstream. Hendrik reported routes in the main table using source address are not removed when the address is removed. 
The problem is that fib_sync_down_addr does not account for devices in the default VRF which are associated with the main table. Fix by updating the table id reference. Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs") Reported-by: Hendrik Donner Signed-off-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 624f65847002664ce525ac3335acc08ea0737fcc Author: Nicolas Dichtel Date: Mon Sep 19 16:17:57 2016 +0200 vti6: fix input path commit 63c43787d35e45562a6b5927e2edc8f4783d95b8 upstream. Since commit 1625f4529957, vti6 is broken, all input packets are dropped (LINUX_MIB_XFRMINNOSTATES is incremented). XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 is set by vti6_rcv() before calling xfrm6_rcv()/xfrm6_rcv_spi(), thus we cannot set to NULL that value in xfrm6_rcv_spi(). A new function xfrm6_rcv_tnl() that enables to pass a value to xfrm6_rcv_spi() is added, so that xfrm6_rcv() is not touched (this function is used in several handlers). CC: Alexey Kodanev Fixes: 1625f4529957 ("net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key") Signed-off-by: Nicolas Dichtel Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman commit 99519e406e6a5cc4f76f674402fb80747b6f8ee6 Author: Mark Tomlinson Date: Mon Sep 5 10:20:20 2016 +1200 net: Don't delete routes in different VRFs commit 5a56a0b3a45dd0cc5b2f7bec6afd053a474ed9f5 upstream. When deleting an IP address from an interface, there is a clean-up of routes which refer to this local address. However, there was no check to see that the VRF matched. This meant that deletion wasn't confined to the VRF it should have been. To solve this, a new field has been added to fib_info to hold a table id. When removing fib entries corresponding to a local ip address, this table id is also used in the comparison. The table id is populated when the fib_info is created. This was already done in some places, but not in ip_rt_ioctl(). This has now been fixed. 
Fixes: 021dd3b8a142 ("net: Add routes to the table associated with the device") Acked-by: David Ahern Tested-by: David Ahern Signed-off-by: Mark Tomlinson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 77ef57530f1140ce60b31125359819a185a68c58 Author: David Ahern Date: Thu Apr 7 11:10:06 2016 -0700 net: vrf: Fix dst reference counting commit 9ab179d83b4e31ea277a123492e419067c2f129a upstream. Vivek reported a kernel exception deleting a VRF with an active connection through it. The root cause is that the socket has a cached reference to a dst that is destroyed. Converting the dst_destroy to dst_release and letting proper reference counting kick in does not work as the dst has a reference to the device which needs to be released as well. I talked to Hannes about this at netdev and he pointed out the ipv4 and ipv6 dst handling has dst_ifdown for just this scenario. Rather than continuing with the reinvented dst wheel in VRF just remove it and leverage the ipv4 and ipv6 versions. Fixes: 193125dbd8eb2 ("net: Introduce VRF device driver") Fixes: 35402e3136634 ("net: Add IPv6 support to VRF device") Signed-off-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 396250c2041a9190e1d8199dfb2598c461de4343 Author: Marcin Niestroj Date: Tue Jun 14 15:29:24 2016 +0200 power_supply: tps65217-charger: Fix NULL deref during property export commit 362761299eea7dfc3a4870551de36e08758b9254 upstream. 
This bug leads to: [ 1.906411] Unable to handle kernel NULL pointer dereference at virtual address 0000000c [ 1.914878] pgd = c0004000 [ 1.917786] [0000000c] *pgd=00000000 [ 1.921536] Internal error: Oops: 5 [#1] SMP ARM [ 1.926357] Modules linked in: [ 1.929556] CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.4.5 #18 [ 1.936006] Hardware name: Generic AM33XX (Flattened Device Tree) [ 1.942383] Workqueue: events power_supply_changed_work [ 1.947842] task: de2c41c0 ti: de2c8000 task.ti: de2c8000 [ 1.953483] PC is at tps65217_ac_get_property+0x14/0x28 [ 1.958937] LR is at tps65217_ac_get_property+0x10/0x28 Driver was trying to use drv_data in property get handler. However drv_data was not set, so it caused NULL pointer dereference. This patch properly sets drv_data during probe by power_supply_config parameter, so the property get handler works as desired. Signed-off-by: Marcin Niestroj Fixes: 3636859b280c ("power_supply: Add support for tps65217-charger") Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit 698c2e984f0833cb86bf12b4782e79d1c9b3ae1d Author: Liu Xiang Date: Sat Jan 9 22:10:39 2016 +0800 power: bq27xxx_battery: Fix bq27541 AveragePower register address commit 265b60497a57da56a4be7d5c72983ae89dc0765e upstream. Currently in bq27541 driver, the average power register address is incorrectly set to 0x76, which would result in an error: bq27xxx-battery 2-0055: error reading average power register 10: -11 According to the bq27541 datasheet, fix this problem by setting the average power register address to 0x24. Fixes: d74534c27775 ("power: bq27xxx_battery: Add support for additional bq27xxx family devices") Signed-off-by: Liu Xiang Acked-by: Andrew F. Davis Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit b9bf9131b1a44e56d47b63cbb2ccf834d1d64d8c Author: Sasha Levin Date: Tue Dec 22 12:43:36 2015 -0500 power: test_power: correctly handle empty writes commit 6b9140f39c2aaf76791197fbab0839c0e4af56e8 upstream. 
Writing 0 length data into test_power makes it access an invalid array location and kill the system. Fixes: f17ef9b2d ("power: Make test_power driver more dynamic.") Signed-off-by: Sasha Levin Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit a87674fe985b9319ecbbb4098355653793b688cb Author: H. Nikolaus Schaller Date: Thu Dec 17 11:12:54 2015 +0100 power: bq27xxx: fix register numbers of bq27500 commit 099867a16a0fa9fd5aafc32e3b1a6f8a90f17834 upstream. bug: according to data sheet some register numbers are wrong. tested: no Fixes: d74534c27775 ("power: bq27xxx_battery: Add support for additional bq27xxx family devices") Signed-off-by: H. Nikolaus Schaller Acked-by: Andrew F. Davis Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit 4617c0bff4039f843339f1d40dd69d722aa8986b Author: H. Nikolaus Schaller Date: Thu Dec 17 11:12:53 2015 +0100 power: bq27xxx: fix reading for bq27000 and bq27010 commit 549d7b317c761dbf4ed0c2945aec3acc9ca7ae14 upstream. bug: the driver reports funny capacity values: root@letux:/sys/class/power_supply/bq27000-battery# cat uevent POWER_SUPPLY_NAME=bq27000-battery POWER_SUPPLY_STATUS=Charging POWER_SUPPLY_PRESENT=1 POWER_SUPPLY_VOLTAGE_NOW=3702000 POWER_SUPPLY_CURRENT_NOW=-464635 POWER_SUPPLY_CAPACITY=1536 <- over 100% is magic POWER_SUPPLY_CAPACITY_LEVEL=Normal POWER_SUPPLY_TEMP=311 POWER_SUPPLY_TIME_TO_FULL_NOW=10440 POWER_SUPPLY_TECHNOLOGY=Li-ion POWER_SUPPLY_CHARGE_FULL=805450 POWER_SUPPLY_CHARGE_NOW=1068 POWER_SUPPLY_CHARGE_FULL_DESIGN=8844998 <- battery has just 1200 mAh POWER_SUPPLY_CYCLE_COUNT=21 POWER_SUPPLY_ENERGY_NOW=0 POWER_SUPPLY_POWER_AVG=0 POWER_SUPPLY_HEALTH=Good POWER_SUPPLY_MANUFACTURER=Texas Instruments reason: the state of charge and the design capacity register are single byte only. The design capacity returns the higher order byte. 
tested: GTA04 with Openmoko/FIC HF08x battery (using hdq) Fixes: d74534c27775 ("power: bq27xxx_battery: Add support for additional bq27xxx family devices") Signed-off-by: H. Nikolaus Schaller Acked-by: Andrew F. Davis Reviewed-by: Pali Rohár Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman commit d8e47de3a21682f8c724320036eb333248fb64ef Author: Peter Zijlstra Date: Mon May 16 15:01:11 2016 +0200 sched/preempt: Fix preempt_count manipulations commit 2e636d5e66c35dfcbaf617aa8fa963f6847478fe upstream. Vikram reported that his ARM64 compiler managed to 'optimize' away the preempt_count manipulations in code like: preempt_enable_no_resched(); put_user(); preempt_disable(); Irrespective of that fact that that is horrible code that should be fixed for many reasons, it does highlight a deficiency in the generic preempt_count manipulators. As it is never right to combine/elide preempt_count manipulations like this. Therefore sprinkle some volatile in the two generic accessors to ensure the compiler is aware of the fact that the preempt_count is observed outside of the regular program-order view and thus cannot be optimized away like this. x86; the only arch not using the generic code is not affected as we do all this in asm in order to use the segment base per-cpu stuff. Reported-by: Vikram Mulukutla Tested-by: Vikram Mulukutla Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: a787870924db ("sched, arch: Create asm/preempt.h") Link: http://lkml.kernel.org/r/20160516131751.GH3205@twins.programming.kicks-ass.net Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 191cf872190de28a92e1bd2b56d8860e37e07443 Author: Eric Dumazet Date: Thu Sep 15 16:20:01 2016 -0700 pkt_sched: fq: use proper locking in fq_dump_stats() commit 695b4ec0f0a9cf29deabd3ac075911d58b31f42b upstream. When fq is used on 32bit kernels, we need to lock the qdisc before copying 64bit fields. Otherwise "tc -s qdisc ..." 
might report bogus values. Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0869a49fe44d9c7b9a3828bfa18cda157b49952d Author: Hadar Hen Zion Date: Wed Aug 17 13:36:12 2016 +0300 net_sched: flower: Avoid dissection of unmasked keys commit 339ba878cfb01b68de3d281ba33fd5e4c9f76546 upstream. The current flower implementation checks the mask range and set all the keys included in that range as "used_keys", even if a specific key in the range has a zero mask. This behavior can cause a false positive return value of dissector_uses_key function and unnecessary dissection in __skb_flow_dissect. This patch checks explicitly the mask of each key and "used_keys" will be set accordingly. Fixes: 77b9900ef53a ('tc: introduce Flower classifier') Signed-off-by: Hadar Hen Zion Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d072303a2b5ea99de5560412d336f7a6ffdd3e7a Author: Peter Zijlstra Date: Fri Jun 24 16:11:02 2016 +0200 sched/fair: Fix calc_cfs_shares() fixed point arithmetics width confusion commit ea1dc6fc6242f991656e35e2ed3d90ec1cd13418 upstream. Commit: fde7d22e01aa ("sched/fair: Fix overly small weight for interactive group entities") did something non-obvious but also did it buggy yet latent. The problem was exposed for real by a later commit in the v4.7 merge window: 2159197d6677 ("sched/core: Enable increased load resolution on 64-bit kernels") ... after which tg->load_avg and cfs_rq->load.weight had different units (10 bit fixed point and 20 bit fixed point resp.). Add a comment to explain the use of cfs_rq->load.weight over the 'natural' cfs_rq->avg.load_avg and add scale_load_down() to correct for the difference in unit. Since this is (now, as per a previous commit) the only user of calc_tg_weight(), collapse it. The effects of this bug should be randomly inconsistent SMP-balancing of cgroups workloads. 
Reported-by: Jirka Hladky Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 2159197d6677 ("sched/core: Enable increased load resolution on 64-bit kernels") Fixes: fde7d22e01aa ("sched/fair: Fix overly small weight for interactive group entities") Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 1dbccb090c4d790585b63edff6151b3cb16e0e0c Author: Elad Raz Date: Thu Oct 20 16:05:44 2016 +0200 mlxsw: switchx2: Fix ethernet port initialization commit 7fb6a36bab6b0b158f93eb13faa1b440f8b26009 upstream. When creating an ethernet port fails, we must move the port to disable, otherwise putting the port in switch partition 0 (ETH) or 1 (IB) will always fail. Fixes: 31557f0f9755 ("mlxsw: Introduce Mellanox SwitchX-2 ASIC support") Signed-off-by: Elad Raz Reviewed-by: Jiri Pirko Reviewed-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a5cc5dda39b4fb77198e47699121e61a7f0f663e Author: Yotam Gigi Date: Tue Oct 4 09:46:05 2016 +0200 mlxsw: switchx2: Fix misuse of hard_header_len commit 251d41c58b765f00d73b1b4230cad256e25f2735 upstream. In order to specify that the mlxsw switchx2 driver needs additional headroom for packets, there have been use of the hard_header_len field of the netdevice struct. This commit changes that to use needed_headroom instead, as this is the correct way to do that. Fixes: 31557f0f9755 ("mlxsw: Introduce Mellanox SwitchX-2 ASIC support") Signed-off-by: Yotam Gigi Acked-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit afcc40d0bbf06c36c00736e41951d1a917b9d7da Author: Moshe Shemesh Date: Thu Sep 22 12:11:12 2016 +0300 net/mlx4_core: Fix QUERY FUNC CAP flags commit c9cc599a96a6822c52cd72ed31dd7f813d792b4f upstream.
Separate QUERY_FUNC_CAP flags0 from QUERY_FUNC_CAP flags, as 'flags' is already used for another set of flags in FUNC CAP, while phv bit should be part of a different set of flags. Remove QUERY_FUNC_CAP port_flags field, as it is not in use. Fixes: 77fc29c4bbbb ('net/mlx4_core: Preparations for 802.1ad VLAN support') Fixes: 5cc914f10851 ('mlx4_core: Added FW commands and their wrappers for supporting SRIOV') Signed-off-by: Moshe Shemesh Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 009d7e7012aeb29b357ea44bca24433b759e4ee3 Author: Jack Morgenstein Date: Sun Nov 27 19:20:52 2016 +0200 net/mlx4: Fix uninitialized fields in rule when adding promiscuous mode to device managed flow steering commit 44b911e77793d686b481608770d0c55c18055ba0 upstream. In procedure mlx4_flow_steer_promisc_add(), several fields were left uninitialized in the rule structure. Correctly initialize these fields. Fixes: 592e49dda812 ("net/mlx4: Implement promiscuous mode with device managed flow-steering") Signed-off-by: Jack Morgenstein Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 76d8310498143accf8c1e770a90c60ee8d914db7 Author: Jack Morgenstein Date: Thu Oct 27 16:27:21 2016 +0300 net/mlx4_en: Fix potential deadlock in port statistics flow commit d2582a03939ed0a80ffcd3ea5345505bc8067c54 upstream. mlx4_en_DUMP_ETH_STATS took the *counter mutex* and then called the FW command, with WRAPPED attribute. As a result, the fw command is wrapped on the Hypervisor when it calls mlx4_en_DUMP_ETH_STATS. The FW command wrapper flow on the hypervisor takes the *slave_cmd_mutex* during processing. At the same time, a VF could be in the process of coming up, and could call mlx4_QUERY_FUNC_CAP. On the hypervisor, the command flow takes the *slave_cmd_mutex*, then executes mlx4_QUERY_FUNC_CAP_wrapper. mlx4_QUERY_FUNC_CAP wrapper calls mlx4_get_default_counter_index(), which takes the *counter mutex*. 
DEADLOCK. The fix is that the DUMP_ETH_STATS fw command should be called with the NATIVE attribute, so that on the hypervisor, this command does not enter the wrapper flow. Since the Hypervisor no longer goes through the wrapper code, we also simply return 0 in mlx4_DUMP_ETH_STATS_wrapper (i.e. the function succeeds, but the returned data will be all zeroes). No need to test if it is the Hypervisor going through the wrapper. Fixes: f9baff509f8a ("mlx4_core: Add "native" argument to mlx4_cmd ...") Signed-off-by: Jack Morgenstein Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fb45737f8615d56f5801d83fb92e43a4694209b0 Author: Jack Morgenstein Date: Thu Oct 27 16:27:19 2016 +0300 net/mlx4_core: Do not access comm channel if it has not yet been initialized commit 81d184199e328fdad5633da139a10337327154e0 upstream. In the Hypervisor, there are several FW commands which are invoked before the comm channel is initialized (in mlx4_multi_func_init). These include MOD_STAT_CONFIG, QUERY_DEV_CAP, INIT_HCA, and others. If any of these commands fails, say with a timeout, the Hypervisor driver enters the internal error reset flow. In this flow, the driver attempts to notify all slaves via the comm channel that an internal error has occurred. Since the comm channel has not yet been initialized (i.e., mapped via ioremap), this will cause dereferencing a NULL pointer. To fix this, do not access the comm channel in the internal error flow if it has not yet been initialized. Fixes: 55ad359225b2 ("net/mlx4_core: Enable device recovery flow with SRIOV") Fixes: ab9c17a009ee ("mlx4_core: Modify driver initialization flow to accommodate SRIOV for Ethernet") Signed-off-by: Jack Morgenstein Signed-off-by: Tariq Toukan Signed-off-by: David S.
Miller Signed-off-by: Greg Kroah-Hartman commit 42ad2426eb7571129abb81b0475e0016d9aa62fc Author: Erez Shitrit Date: Thu Oct 27 16:27:17 2016 +0300 net/mlx4_en: Process all completions in RX rings after port goes up commit 8d59de8f7bb3db296331c665779c653b0c8d13ba upstream. Currently there is a race between incoming traffic and initialization flow. HW is able to receive the packets after INIT_PORT is done and unicast steering is configured. Before we set priv->port_up NAPI is not scheduled and receive queues become full. Therefore we never get new interrupts about the completions. This issue could happen if running heavy traffic during bringing port up. The resolution is to schedule NAPI once port_up is set. If receive queues were full this will process all cqes and release them. Fixes: c27a02cd94d6 ("mlx4_en: Add driver for Mellanox ConnectX 10GbE NIC") Signed-off-by: Erez Shitrit Signed-off-by: Eugenia Emantayev Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2f03c7a6ffc4133ffb8870cdb88cc89398158ad3 Author: Jack Morgenstein Date: Thu Oct 27 16:27:13 2016 +0300 net/mlx4_core: Fix the resource-type enum in res tracker to conform to FW spec commit aa0c08feae8161b945520ada753d0dfe62b14fe7 upstream. The resource type enum in the resource tracker was incorrect. RES_EQ was put in the position of RES_NPORT_ID (a FC resource). Since the remaining resources maintain their current values, and RES_EQ is not passed from slaves to the hypervisor in any FW command, this change affects only the hypervisor. Therefore, there is no backwards-compatibility issue. Fixes: 623ed84b1f95 ("mlx4_core: initial header-file changes for SRIOV support") Signed-off-by: Jack Morgenstein Signed-off-by: Moshe Shemesh Signed-off-by: Tariq Toukan Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit 69ef883d4f16162fca5de2cd36e2db8025db25f8 Author: Alex Vesker Date: Mon Jul 25 15:42:13 2016 +0300 net/mlx4_core: Check device state before unregistering it commit 9b022a6e0f26af108b9105b16b310393c898d9bd upstream. Verify that the device state is registered before un-registering it. This check is required to prevent an OOPS on flows that do re-registration of the device and its previous state was unregistered. Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters") Signed-off-by: Alex Vesker Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e6411dccabcfe6c05759b185aedcc0e017b18f74 Author: Kamal Heib Date: Tue Jun 21 14:20:02 2016 +0300 net/mlx4_en: Fix the return value of a failure in VLAN VID add/kill commit 93c098af09455ea7bdc6f0f6b08f6ac14fa06cf4 upstream. Modify mlx4_en_vlan_rx_[add/kill]_vid to return error value in case of failure. Fixes: 8e586137e6b6 ('net: make vlan ndo_vlan_rx_[add/kill]_vid return error value') Signed-off-by: Kamal Heib Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 30336a3958e18003bdc48913d29fd1391a187faf Author: Tariq Toukan Date: Sun May 15 10:21:26 2016 +0300 net/mlx4_core: Fix access to uninitialized index commit 2bb07e155bb3e0c722c806723f737cf8020961ef upstream. Prevent using uninitialized or negative index when handling steering entries. Fixes: b12d93d63c32 ('mlx4: Add support for promiscuous mode in the new steering model.') Signed-off-by: Tariq Toukan Reported-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d0389a29cee10801c2f5678cba6776cc4385b841 Author: Eran Ben Elisha Date: Wed Feb 17 17:24:24 2016 +0200 net/mlx4_core: Fix potential corruption in counters database commit 6b94bab0ee8d5def6a2aac0ef6204ee6e24386b6 upstream. The error flow in procedure handle_existing_counter() is wrong. 
The procedure should exit after encountering the error, not continue as if everything is OK. Fixes: 68230242cdbc ('net/mlx4_core: Add port attribute when tracking counters') Signed-off-by: Eran Ben Elisha Signed-off-by: Jack Morgenstein Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 445c31d813bc647cac5202256b7eea409593b4ff Author: Daniel Borkmann Date: Fri Nov 4 00:56:31 2016 +0100 bpf: fix map not being uncharged during map creation failure commit 20b2b24f91f70e7d3f0918c077546cb21bd73a87 upstream. In map_create(), we first find and create the map, then once that succeeded, we charge it to the user's RLIMIT_MEMLOCK, and then fetch a new anon fd through anon_inode_getfd(). The problem is, once the latter fails f.e. due to RLIMIT_NOFILE limit, then we only destruct the map via map->ops->map_free(), but without uncharging the previously locked memory first. That means that the user_struct allocation is leaked as well as the accounted RLIMIT_MEMLOCK memory not released. Make the label names in the fix consistent with bpf_prog_load(). Fixes: aaac3ba95e4c ("bpf: charge user for creation of BPF maps and programs") Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 529e188d899d30867b23d39ac446218b487f06a1 Author: Alexei Starovoitov Date: Wed Jun 15 18:25:39 2016 -0700 bpf, trace: check event type in bpf_perf_event_read commit ad572d174787daa59e24b8b5c83028c09cdb5ddb upstream. similar to bpf_perf_event_output() the bpf_perf_event_read() helper needs to check the type of the perf_event before reading the counter. Fixes: a43eec304259 ("bpf: introduce bpf_perf_event_output() helper") Reported-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Acked-by: Daniel Borkmann Signed-off-by: David S.
Miller Signed-off-by: Greg Kroah-Hartman commit fad207f2c734142b8ba4b211ce10af433d499430 Author: Zi Shen Lim Date: Thu May 12 23:37:58 2016 -0700 arm64: bpf: jit JMP_JSET_{X,K} commit 98397fc547e3f4553553a30ea56fa34d613f0a4c upstream. Original implementation commit e54bcde3d69d ("arm64: eBPF JIT compiler") had the relevant code paths, but due to an oversight always fail jiting. As a result, we had been falling back to BPF interpreter whenever a BPF program has JMP_JSET_{X,K} instructions. With this fix, we confirm that the corresponding tests in lib/test_bpf continue to pass, and also jited. ... [ 2.784553] test_bpf: #30 JSET jited:1 188 192 197 PASS [ 2.791373] test_bpf: #31 tcpdump port 22 jited:1 325 677 625 PASS [ 2.808800] test_bpf: #32 tcpdump complex jited:1 323 731 991 PASS ... [ 3.190759] test_bpf: #237 JMP_JSET_K: if (0x3 & 0x2) return 1 jited:1 110 PASS [ 3.192524] test_bpf: #238 JMP_JSET_K: if (0x3 & 0xffffffff) return 1 jited:1 98 PASS [ 3.211014] test_bpf: #249 JMP_JSET_X: if (0x3 & 0x2) return 1 jited:1 120 PASS [ 3.212973] test_bpf: #250 JMP_JSET_X: if (0x3 & 0xffffffff) return 1 jited:1 89 PASS ... Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler") Signed-off-by: Zi Shen Lim Acked-by: Will Deacon Acked-by: Yang Shi Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 832b5b7237f95564b3eb463cf47a79951b412a40 Author: Daniel Borkmann Date: Tue Mar 15 22:41:22 2016 +0100 cls_bpf: reset class and reuse major in da commit 3a461da1d03e7a857edfa6a002040d07e118c639 upstream. There are two issues with the current code. First one is that we need to set res->class to 0 in case we use non-default classid matching. This is important for the case where cls_bpf was initially set up with an optional binding to a default class with tcf_bind_filter(), where the underlying qdisc implements bind_tcf() that fills res->class and tests for it later on when doing the classification. 
Convention for these cases is that after tc_classify() was called, such qdiscs (atm, drr, qfq, cbq, hfsc, htb) first test class, and if 0, then they lookup based on classid. Second, there's a bug with da mode, where res->classid is only assigned a 16 bit minor, but it needs to expand to the full 32 bit major/minor combination instead, therefore we need to expand with the bound major. This is fine as classes belonging to a classful qdisc must share the same major. Fixes: 045efa82ff56 ("cls_bpf: introduce integrated actions") Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7ac882670f8fa981943ac499c5d43a3378b0eb8b Author: Laura Abbott Date: Fri Oct 28 09:59:38 2016 -0700 clk: xgene: Don't call __pa on ioremaped address commit 06b113e9f28f8657715919087a3f54b77d1634ed upstream. ioremaped addresses are not linearly mapped so the physical address can not be figured out via __pa. More generally, there is no guarantee that backing value of an ioremapped address is a physical address at all. The value here is only used for debugging so just drop the call to __pa on the ioremapped address. Fixes: 6ae5fd381251 ("clk: xgene: Silence sparse warnings") Signed-off-by: Laura Abbott Acked-by: Loc Ho Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 2bf147618a8f9adb80709995a3cd483ff4b2ee54 Author: Dong Aisheng Date: Wed Jun 8 22:33:30 2016 +0800 clk: imx: clk-pllv3: fix incorrect handle of enet powerdown bit commit b3e76bdc0b2190e67427d31cd740debd01c03631 upstream. After commit f53947456f98 ("ARM: clk: imx: update pllv3 to support imx7"), the former used BM_PLL_POWER bit is not correct anymore for IMX7 ENET. Instead, pll->powerdown holds the correct bit, so using powerdown bit in clk_pllv3_{prepare | unprepare} functions. 
Fixes: f53947456f98 ("ARM: clk: imx: update pllv3 to support imx7") Signed-off-by: Dong Aisheng Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 433104f880283f881dd139c459533eb538f79ae4 Author: Maxime Ripard Date: Mon May 16 14:47:02 2016 +0200 clk: multiplier: Prevent the multiplier from under / over flowing commit 25f77a3aa4cb948666bf8e7fd972533ea487c3bd upstream. In the current multiplier base clock implementation, if the CLK_SET_RATE_PARENT flag isn't set, the code will not make sure that the multiplier computed remains within the boundaries of our clock. This means that if the clock we want to reach is below the parent rate, or if the multiplier is above the maximum that we can reach, we will end up with a completely bogus one that the clock cannot achieve. Fixes: f2e0a53271a4 ("clk: Add a basic multiplier clock") Signed-off-by: Maxime Ripard Signed-off-by: Michael Turquette Link: lkml.kernel.org/r/1463402840-17062-3-git-send-email-maxime.ripard@free-electrons.com Signed-off-by: Greg Kroah-Hartman commit 4879a1ddabda9cbf60aa86534c8c2ff93a092b1e Author: Tero Kristo Date: Sat Feb 20 13:12:57 2016 +0200 clk: ti: omap3+: dpll: use non-locking version of clk_get_rate commit a0d54c3899aaeb047969d9479263c6bcf385c331 upstream. As the code in this file is being executed within irq context in some cases, we must avoid the clk_get_rate which uses mutex internally. Switch the code to use clk_hw_get_rate instead which is non-locking. This fixes an issue where PM runtime will hang the system if enabled with a serial console before a suspend-resume cycle. Signed-off-by: Tero Kristo Tested-by: Tony Lindgren Fixes: a53ad8ef3dcc ("clk: ti: Convert to clk_hw based provider APIs") Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 2e75386d097315a61d23d941d5da082b56fcdc92 Author: Brian Norris Date: Wed Dec 16 10:35:03 2015 -0800 clk: gpio: handle error codes for of_clk_get_parent_count() commit 0b2e78865d92e2d70542cb1d4d7af1d4ea0a286d upstream. 
We might make bad memory allocations if we get (e.g.) -ENOSYS from of_clk_get_parent_count(). Noticed by Coverity. Fixes: f66541ba02d5 ("clk: gpio: Get parent clk names in of_gpio_clk_setup()") Signed-off-by: Brian Norris Cc: Jyri Sarha Cc: Sergej Sawazki Cc: Stephen Boyd Signed-off-by: Michael Turquette Signed-off-by: Greg Kroah-Hartman commit 7d674b26525676d16773c05cc7bc205fe739dee5 Author: Arnd Bergmann Date: Thu Nov 12 15:24:29 2015 +0100 clk: st: avoid uninitialized variable use commit 2dd52d7f6f9d9d03a82a68040ac3d221dd79af94 upstream. quadfs_pll_fs660c32_round_rate prints a few structure members that are never initialized, and also doesn't print the only one it cares about. We get a gcc warning about the ones that are printed: clk/st/clkgen-fsyn.c:560:93: warning: 'params.sdiv' may be used uninitialized in this function clk/st/clkgen-fsyn.c:560:93: warning: 'params.mdiv' may be used uninitialized in this function clk/st/clkgen-fsyn.c:560:93: warning: 'params.pe' may be used uninitialized in this function clk/st/clkgen-fsyn.c:560:93: warning: 'params.nsdiv' may be used uninitialized in this function This changes the code to no longer print uninitialized data, and for good measure it also prints the ndiv member that is being set. Signed-off-by: Arnd Bergmann Fixes: 5f7aa9071e93 ("clk: st: Support for QUADFS inside ClockGenB/C/D/E/F") Acked-by: Gabriel Fernandez Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 016eeb4edb4f711ae4eec14282b629db419e40c7 Author: Pablo Neira Date: Mon Nov 14 23:40:30 2016 +0100 udp: restore UDPlite many-cast delivery commit 73e2d5e34b6cdd1080038daf3d6d6d744a9eefe6 upstream. Honor udptable parameter that is passed to __udp*_lib_mcast_deliver(), otherwise udplite broadcast/multicast use the wrong table and it breaks. Fixes: 2dc41cff7545 ("udp: Use hash2 for long hash1 chains in __udp*_lib_mcast_deliver.") Signed-off-by: Pablo Neira Ayuso Acked-by: Eric Dumazet Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit 8030e0e8db085fd58db5e0c9f4d627746e111616 Author: Liping Zhang Date: Sat Oct 29 22:09:51 2016 +0800 netfilter: nft_dup: do not use sreg_dev if the user doesn't specify it commit b73b8a1ba598236296a46103d81c10d629d9a470 upstream. The NFTA_DUP_SREG_DEV attribute is not a must option, so we should use it in routing lookup only when the user specifies it. Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression") Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 466a011343902816a851d5c4d8da34ddd690c6e5 Author: Liping Zhang Date: Sat Oct 29 22:03:05 2016 +0800 netfilter: nf_tables: destroy the set if fail to add transaction commit c17c3cdff10b9f59ef1244a14604f10949f17117 upstream. When the memory is exhausted, then we will fail to add the NFT_MSG_NEWSET transaction. In such case, we should destroy the set before we free it. Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 85042aa0f398b0a465f847a62ebe412dbccb8524 Author: Liping Zhang Date: Sat Oct 22 18:51:24 2016 +0800 netfilter: nft_dynset: fix panic if NFT_SET_HASH is not enabled commit bb6a6e8e091353770074608c1d1bfde0e20b8154 upstream. When CONFIG_NFT_SET_HASH is not enabled and I input the following rule: "nft add rule filter output flow table test {ip daddr counter }", kernel panic happened on my system: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) [...] Call Trace: [] ? nft_dynset_eval+0x56/0x100 [nf_tables] [] nft_do_chain+0xfb/0x4e0 [nf_tables] [] ? nf_conntrack_tuple_taken+0x61/0x210 [nf_conntrack] [] ? get_unique_tuple+0x136/0x560 [nf_nat] [] ? __nf_ct_ext_add_length+0x111/0x130 [nf_conntrack] [] ? nf_nat_setup_info+0x87/0x3b0 [nf_nat] [] ? ipt_do_table+0x327/0x610 [] ?
__nf_nat_alloc_null_binding+0x57/0x80 [nf_nat] [] nft_ipv4_output+0xaf/0xd0 [nf_tables_ipv4] [] nf_iterate+0x55/0x60 [] nf_hook_slow+0x73/0xd0 Because in rbtree type set, ops->update is not implemented. So just keep it simple, in such case, report -EOPNOTSUPP to the user space. Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 49d0dd28af457f5f19fb26991ea29c1efcaf3f33 Author: Liping Zhang Date: Tue Jun 14 20:13:04 2016 +0800 netfilter: nf_tables: fix a wrong check to skip the inactive rules commit 8fff1722f705ce5023a0d6d77a31a9d013be2a34 upstream. nft_genmask_cur has already done left-shift operator on the gencursor, so there's no need to do left-shift operator on it again. Fixes: ea4bd995b0f2 ("netfilter: nf_tables: add transaction helper functions") Cc: Patrick McHardy Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 09d96c8d1bd2db1a40bd87fcb5354ad8131456a5 Author: David Ahern Date: Mon Oct 24 10:52:35 2016 -0700 net: ipv6: Fix processing of RAs in presence of VRF commit 830218c1add1da16519b71909e5cf21522b7d062 upstream. rt6_add_route_info and rt6_add_dflt_router were updated to pull the FIB table from the device index, but the corresponding rt6_get_route_info and rt6_get_dflt_router functions were not leading to the failure to process RA's: ICMPv6: RA: ndisc_router_discovery failed to add default route Fix the 'get' functions by using the table id associated with the device when applicable. Also, now that default routes can be added to tables other than the default table, rt6_purge_dflt_routers needs to be updated as well to look at all tables. To handle that efficiently, add a flag to the table denoting if it has a default route via RA. Fixes: ca254490c8dfd ("net: Add VRF support to IPv6 stack") Signed-off-by: David Ahern Signed-off-by: David S.
Miller Signed-off-by: Greg Kroah-Hartman commit f387f775691fab225ff867b1715f05bc5bb823fa Author: Nicolas Dichtel Date: Tue Aug 30 10:09:21 2016 +0200 ipv6: add missing netconf notif when 'all' is updated commit d26c638c16cb54f6fb1507e27df93ede692db572 upstream. The 'default' value was not advertised. Fixes: f3a1bfb11ccb ("rtnl/ipv6: use netconf msg to advertise forwarding status") Signed-off-by: Nicolas Dichtel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 20cb4e9180b8bd1ac35ca3c0c1ed544387a96a8f Author: Eric Dumazet Date: Fri Jul 8 05:46:04 2016 +0200 ipv6: do not abuse GFP_ATOMIC in inet6_netconf_notify_devconf() commit 927265bc6cd6374c9bafc43408ece4e92311b149 upstream. All inet6_netconf_notify_devconf() callers are in process context, so we can use GFP_KERNEL allocations if we take care of not holding a rwlock while not needed in ip6mr (we hold RTNL there) Fixes: d67b8c616b48 ("netconf: advertise mc_forwarding status") Fixes: f3a1bfb11ccb ("rtnl/ipv6: use netconf msg to advertise forwarding status") Signed-off-by: Eric Dumazet Cc: Nicolas Dichtel Acked-by: Nicolas Dichtel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ec2bb1ea9ee44bcd7179c2ef342ab28cd49e8efd Author: Hannes Frederic Sowa Date: Sat Jun 11 21:15:37 2016 +0200 ipv6: fix checksum annotation in udp6_csum_init commit c148d16369ff0095eca950d17968ba1d56a47b53 upstream. Cc: Tom Herbert Fixes: 4068579e1e098fa ("net: Implmement RFC 6936 (zero RX csums for UDP/IPv6") Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c3fff52f7aaf1238e51c43d97b440fb7ca57d301 Author: David Ahern Date: Thu Apr 7 11:10:41 2016 -0700 net: vrf: Fix dev refcnt leak due to IPv6 prefix route commit 4f7f34eaab9f68c9bcd45386b15c414c38b40587 upstream. ifupdown2 found a kernel bug with IPv6 routes and movement from the main table to the VRF table. 
Sequence of events: Create the interface and add addresses: ip link add dev eth4.105 link eth4 type vlan id 105 ip addr add dev eth4.105 8.105.105.10/24 ip -6 addr add dev eth4.105 2008:105:105::10/64 At this point IPv6 has inserted a prefix route in the main table even though the interface is 'down'. From there the VRF device is created: ip link add dev vrf105 type vrf table 105 ip addr add dev vrf105 9.9.105.10/32 ip -6 addr add dev vrf105 2000:9:105::10/128 ip link set vrf105 up Then the interface is enslaved, while still in the 'down' state: ip link set dev eth4.105 master vrf105 Since the device is down the VRF driver cycling the device does not send the NETDEV_UP and NETDEV_DOWN but rather the NETDEV_CHANGE event which does not flush the routes inserted prior. When the link is brought up ip link set dev eth4.105 up the prefix route is added in the VRF table, but does not remove the route from the main table. Fix by handling the NETDEV_CHANGEUPPER event similar to what was implemented for IPv4 in 7f49e7a38b77 ("net: Flush local routes when device changes vrf association") Fixes: 35402e3136634 ("net: Add IPv6 support to VRF device") Signed-off-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c4cbc3ebb9fc48f2137b74e313587d4142fbaf88 Author: Eric Dumazet Date: Wed Sep 7 21:52:56 2016 -0700 ipv4: accept u8 in IP_TOS ancillary data commit e895cdce683161081e3626c4f5a5c55cb72089f8 upstream. In commit f02db315b8d8 ("ipv4: IP_TOS and IP_TTL can be specified as ancillary data") Francesco added IP_TOS values specified as integer. However, kernel sends to userspace (at recvmsg() time) an IP_TOS value in a single byte, when IP_RECVTOS is set on the socket. It can be very useful to reflect all ancillary options as given by the kernel in a subsequent sendmsg(), instead of aborting the sendmsg() with EINVAL after Francesco patch.
So this patch extends IP_TOS ancillary to accept an u8, so that an UDP server can simply reuse same ancillary block without having to mangle it. Jesper can then augment https://github.com/netoptimizer/network-testing/blob/master/src/udp_example02.c to add TOS reflection ;) Fixes: f02db315b8d8 ("ipv4: IP_TOS and IP_TTL can be specified as ancillary data") Signed-off-by: Eric Dumazet Cc: Francesco Fusco Cc: Jesper Dangaard Brouer Acked-by: Jesper Dangaard Brouer Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b2b37f97abd9098639fd961612482995e39d6a44 Author: Eric Dumazet Date: Fri Jul 8 05:18:24 2016 +0200 ipv4: do not abuse GFP_ATOMIC in inet_netconf_notify_devconf() commit fa17806cde76fb1087532f07e72aa757a30e0500 upstream. inet_forward_change() runs with RTNL held. We are allowed to sleep if required. If we use __in_dev_get_rtnl() instead of __in_dev_get_rcu(), we no longer have to use GFP_ATOMIC allocations in inet_netconf_notify_devconf(), meaning we are less likely to miss notifications under memory pressure, and won't touch precious memory reserves either and risk dropping incoming packets. inet_netconf_get_devconf() can also use GFP_KERNEL allocation. Fixes: edc9e748934c ("rtnl/ipv4: use netconf msg to advertise forwarding status") Fixes: 9e5511106f99 ("rtnl/ipv4: add support of RTM_GETNETCONF") Signed-off-by: Eric Dumazet Cc: Nicolas Dichtel Acked-by: Nicolas Dichtel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 895db6cc3c473b1d5d58aabd2462b2c86c756247 Author: Hannes Frederic Sowa Date: Sun Jun 12 12:02:46 2016 +0200 ipv4: fix checksum annotation in udp4_csum_init commit b46d9f625b07f843c706c2c7d0210a90ccdf143b upstream. Reported-by: Cong Wang Cc: Cong Wang Cc: Tom Herbert Fixes: 4068579e1e098fa ("net: Implmement RFC 6936 (zero RX csums for UDP/IPv6") Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S.
Miller Signed-off-by: Greg Kroah-Hartman commit 8345fec4b01e0e014f8f7cc3ed37634d6bf9f308 Author: Alexander Duyck Date: Wed Feb 24 09:29:38 2016 -0800 flow_dissector: Check for IP fragmentation even if not using IPv4 address commit 918c023f29ab2dd8c63cfcc6a1239ee15933871a upstream. This patch corrects the logic for the IPv4 parsing so that it is consistent with how we handle IPv6. Specifically if we do not have the flow key indicating we want the addresses we still may need to take a look at the IP fragmentation bits and to see if we should stop after we have recognized the L3 header. Fixes: 807e165dc44f ("flow_dissector: Add control/reporting of fragmentation") Signed-off-by: Alexander Duyck Acked-by: Tom Herbert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 35a040f74b18017bacff60d8da7c1606bc4fec9b Author: Alexander Duyck Date: Tue Nov 15 05:46:12 2016 -0500 ipv4: Fix memory leak in exception case for splitting tries commit 3114cdfe66c156345b0ae34e2990472f277e0c1b upstream. Fix a small memory leak that can occur where we leak a fib_alias in the event of us not being able to insert it into the local table. Fixes: 0ddcf43d5d4a0 ("ipv4: FIB Local/MAIN table collapse") Reported-by: Eric Dumazet Signed-off-by: Alexander Duyck Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c3589ff46ea17494273753022e9482548177ffa2 Author: Douglas Miller Date: Fri Mar 4 15:36:56 2016 -0600 be2net: Don't leak iomapped memory on removal. commit a69bf3c5b49ef488970c74e26ba0ec12f08491c2 upstream. The adapter->pcicfg resource is either mapped via pci_iomap() or derived from adapter->db. During be_remove() this resource was ignored and so could remain mapped after remove. Add a flag to track whether adapter->pcicfg was mapped or not, then use that flag in be_unmap_pci_bars() to unmap if required. Fixes: 25848c901 ("use PCI MMIO read instead of config read for errors") Signed-off-by: Douglas Miller Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit 88b8fdff2e7c74862b19a10bd9e0ba8ed97f5105 Author: Stefan Wahren Date: Mon Dec 21 00:44:04 2015 +0000 pinctrl: bcm2835: Fix memory leak in error path commit 53653c6b91750debba6dc4503003c851257fd340 upstream. In case of an invalid pin value bcm2835_pctl_dt_node_to_map() would leak the pull configs of already assigned pins. So avoid this by calling the free map function in error case. Signed-off-by: Stefan Wahren Fixes: e1b2dc70cd5b ("pinctrl: add bcm2835 driver") Reviewed-by: Eric Anholt Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 0044588a761e2a93cb6e6e2bbe9bbef97978a3fe Author: Vince Hsu Date: Tue Sep 29 11:58:51 2015 +0200 memory/tegra: Add number of TLB lines for Tegra124 commit e2127ae7a5e80eb53ad431c39145767391da40cd upstream. Tegra124 was accidentally left out when the number of TLB lines was parameterized in commit 11cec15bf3fb ("iommu/tegra-smmu: Parameterize number of TLB lines"). Fortunately this doesn't cause any noticeable regressions upstream, presumably because there aren't any use-cases that exercise enough pressure on the SMMU. But it is a regression nonetheless, so let's fix it. Fixes: 11cec15bf3fb ("iommu/tegra-smmu: Parameterize number of TLB lines") Signed-off-by: Vince Hsu Signed-off-by: Tomasz Figa [treding@nvidia.com: extract from unrelated patch] Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit 983e62263abd16375f6d29659e68fdd85ffca001 Author: Bart Van Assche Date: Tue Jan 5 14:47:17 2016 +0100 target: Fix a memory leak in target_dev_lba_map_store() commit f0a8afecb29ad0005e7e946228a0ef5422058b85 upstream. strsep() modifies its first argument. Make the pointer passed to kfree() match the return value of kmalloc(). 
Fixes: 229d4f112fd6 (commit "target_core_alua: Referrals configfs integration") Signed-off-by: Bart Van Assche Cc: Hannes Reinecke Cc: Christoph Hellwig Cc: Andy Grover Cc: Sagi Grimberg Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 2b4690eb3308de65e50f5f374fe78be46eabedb9 Author: Dan Carpenter Date: Mon Jun 27 23:50:29 2016 +0300 qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag() commit 5b4d10f5e0369ed79434593b7cd8e85eebbe473f upstream. There is a static checker warning here "warn: mask and shift to zero" and the code sets "ring" to zero every time. From looking at how QLCNIC_FETCH_RING_ID() is used in qlcnic_83xx_process_rcv_ring() the qlcnic_83xx_hndl() should be removed. Fixes: 4be41e92f7c6 ('qlcnic: 83xx data path routines') Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b75b54f74f2397511958bdec6d2f39cdc7fdeb00 Author: Dan Carpenter Date: Tue May 10 22:20:04 2016 +0300 qlcnic: potential NULL dereference in qlcnic_83xx_get_minidump_template() commit 5f46feab87bb105d6a217d966b327fdc56696802 upstream. If qlcnic_fw_cmd_get_minidump_temp() fails then "fw_dump->tmpl_hdr" is NULL or possibly freed. It can lead to an oops later. Fixes: d01a6d3c8ae1 ('qlcnic: Add support to enable capability to extend minidump for iSCSI') Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5ff49c3fe5c8f181f489712e190331e736f7a375 Author: Dan Carpenter Date: Thu May 5 16:21:30 2016 +0300 qede: uninitialized variable in qede_start_xmit() commit 810810ffb2f6d46365d0790bbe77698a5534393a upstream. "data_split" was never set to false. It's just uninitialized. Fixes: 2950219d87b0 ('qede: Add basic network device support') Signed-off-by: Dan Carpenter Signed-off-by: David S. 
Miller
Signed-off-by: Greg Kroah-Hartman

commit ab161e30ec88997393acf756cac64e508b110e6b
Author: Dan Carpenter
Date: Thu May 5 16:18:02 2016 +0300

i40e: fix an uninitialized variable bug

commit 1c306f7f62a38ee5f05f0ee994dfe82d654cf47c upstream.

We removed this initialization but it is required. Let's put it back.

Fixes: 895106a577c4 ('i40e: trivial fixes')
Signed-off-by: Dan Carpenter
Tested-by: Andrew Bowers
Signed-off-by: Jeff Kirsher
Signed-off-by: Greg Kroah-Hartman

commit c0f2f472326a647a6fccb5a55b2f16312073d969
Author: Dan Carpenter
Date: Fri Mar 18 12:00:51 2016 +0300

power: ipaq-micro-battery: freeing the wrong variable

commit b9223da41794030a5dfd5106c34ed1b98255e2ae upstream.

We accidentally free "micro_ac_power" which is an error pointer and it leads to an oops. We intended to free "micro_batt_power".

Fixes: a2c1d531854c ('power_supply: ipaq_micro_battery: Check return values in probe')
Signed-off-by: Dan Carpenter
Signed-off-by: Sebastian Reichel
Signed-off-by: Greg Kroah-Hartman

commit 9a8eac4120931d4b6bc1bbcc7d56366058ae5eb5
Author: Dan Carpenter
Date: Wed Mar 16 10:45:10 2016 +0300

ethernet: micrel: fix some error codes

commit 3af0d554c1ce11e9d0953381ff566271f9ab81a9 upstream.

There were two issues here:
1) dma_mapping_error() returns true/false but we want to return -ENOMEM
2) If dmaengine_prep_slave_sg() failed then "err" wasn't set but presumably that should be -ENOMEM as well.

I changed the success path to "return 0;" instead of "return ret;" for clarity.

Fixes: 94fe8c683cea ('ks8842: Support DMA when accessed via timberdale')
Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 041d142bda8cb1c9e23a1d8ecaed64b3690c9a8a
Author: Dan Carpenter
Date: Fri Mar 11 11:11:39 2016 +0300

mfd: lp8788-irq: Uninitialized variable in irq handler

commit 22aab38e7b59fd79ce1045006be69a9abab58e5a upstream.

Instead of being true/false, the "handled" is true/uninitialized.
Presumably this doesn't cause that many problems in real life because normally we handle the IRQ.

Fixes: eea6b7cc53aa ('mfd: Add lp8788 mfd driver')
Signed-off-by: Dan Carpenter
Acked-by: Milo Kim
Signed-off-by: Lee Jones
Signed-off-by: Greg Kroah-Hartman

commit 82272e6a256715474b081ac4cae80f8aa9eb2e02
Author: Dan Carpenter
Date: Wed Mar 2 13:11:10 2016 +0300

net: moxa: fix an error code

commit 1d3cd1773fddfdc9ffb0c2dec9a954c7a54bc207 upstream.

We accidentally return IS_ERR(priv->base) which is 1 instead of PTR_ERR(priv->base) which is the error code.

Fixes: 6c821bd9edc9 ('net: Add MOXA ART SoCs ethernet driver')
Signed-off-by: Dan Carpenter
Acked-by: Arnd Bergmann
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 50e3059e6e542b1d43090b41cd46ddd97c07bdce
Author: Dan Carpenter
Date: Thu Dec 17 15:27:07 2015 +0300

VFIO: platform: reset: fix a warning message condition

commit 967628827f404b3063016c138ccc7b06c54350f8 upstream.

This loop ends with count set to -1 and not zero so the warning message isn't printed when it should be. I've fixed this by changing the postop to a preop.

Fixes: 0990822c9866 ('VFIO: platform: reset: AMD xgbe reset module')
Signed-off-by: Dan Carpenter
Reviewed-by: Eric Auger
Signed-off-by: Alex Williamson
Signed-off-by: Greg Kroah-Hartman

commit 12e4db13ea5c4baf83950dbb74663ad5fb0ac820
Author: Dan Carpenter
Date: Fri Nov 6 13:01:20 2015 +0300

ath9k_htc: check for underflow in ath9k_htc_rx_msg()

commit 3a318426e09a9c9266fe6440842e11238f640a20 upstream.

We check for overflow here, but we don't check for underflow so it causes a static checker warning.

Fixes: fb9987d0f748 ('ath9k_htc: Support for AR9271 chipset.')
Signed-off-by: Dan Carpenter
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman

commit 78fd4e08b5541a301bf23e928dfa79b72c0e3aa1
Author: Dan Carpenter
Date: Tue Mar 15 04:05:20 2016 -0300

cx23885: uninitialized variable in cx23885_av_work_handler()

commit 60587bd0680507f48ae3a7360983228fd207de8a upstream.
The "handled" variable could be uninitialized if the interrupt_service_routine() call back hasn't been implemented or if it has been implemented but doesn't initialize "handled" to zero at the start. For example, adv76xx_isr() only sets "handled" to true.

Fixes: 44b153ca639f ('[media] m5mols: Add ISO sensitivity controls')
Signed-off-by: Dan Carpenter
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 46f5fe48cac5e50cf1b7c08e06368e9e59bc1342
Author: Dan Carpenter
Date: Tue Mar 15 04:04:12 2016 -0300

am437x-vpfe: fix an uninitialized variable bug

commit e4bccada44c177cde31b9a236b7dfd7f76d403ed upstream.

If we are doing V4L2_FIELD_NONE then "ret" is used uninitialized.

Fixes: 417d2e507edc ('[media] media: platform: add VPFE capture driver support for AM437X')
Signed-off-by: Dan Carpenter
Acked-by: Lad, Prabhakar
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 32f8815fca323a434acf91aa5c424bc5e646113c
Author: Alexey Khoroshilov
Date: Sat Nov 14 16:17:56 2015 -0200

lirc_imon: do not leave imon_probe() with mutex held

commit b833d0df943d70682e288c38c96b8e7bfff4023a upstream.

Commit af8a819a2513 ("[media] lirc_imon: simplify error handling code") lost mutex_unlock(&context->ctx_lock), so imon_probe() exits with the context->ctx_lock mutex acquired.

The patch adds mutex_unlock(&context->ctx_lock) back.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: af8a819a2513 ("[media] lirc_imon: simplify error handling code")
Signed-off-by: Alexey Khoroshilov
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman

commit 623770a962079868d97810329e20c2af2bfd176c
Author: Russell King
Date: Thu Oct 15 13:15:24 2015 -0300

rc: allow rc modules to be loaded if rc-main is not a module

commit 2ff56fadd94cdaeeaeccbc0a9b703a0101ada128 upstream.

rc-main mistakenly uses #ifdef MODULE to determine whether it should load the rc keymap modules.
This symbol is only defined if rc-main is being built as a module itself, and bears no relation to whether the rc keymaps are modules. Fix this to use CONFIG_MODULES instead. Fixes: 631493ecacd8 ("[media] rc-core: merge rc-map.c into rc-main.c") Signed-off-by: Russell King Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 468aa84dd2e974f0ea094449a5f6399aad623839 Author: Doug Berger Date: Thu Apr 23 16:13:30 2020 -0700 net: systemport: suppress warnings on failed Rx SKB allocations [ Upstream commit 3554e54a46125030c534820c297ed7f6c3907e24 ] The driver is designed to drop Rx packets and reclaim the buffers when an allocation fails, and the network interface needs to safely handle this packet loss. Therefore, an allocation failure of Rx SKBs is relatively benign. However, the output of the warning message occurs with a high scheduling priority that can cause excessive jitter/latency for other high priority processing. This commit suppresses the warning messages to prevent scheduling problems while retaining the failure count in the statistics of the network interface. Signed-off-by: Doug Berger Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 14809c505060187eda9562a347913fb5ac7fd870 Author: Doug Berger Date: Thu Apr 23 16:02:11 2020 -0700 net: bcmgenet: suppress warnings on failed Rx SKB allocations [ Upstream commit ecaeceb8a8a145d93c7e136f170238229165348f ] The driver is designed to drop Rx packets and reclaim the buffers when an allocation fails, and the network interface needs to safely handle this packet loss. Therefore, an allocation failure of Rx SKBs is relatively benign. However, the output of the warning message occurs with a high scheduling priority that can cause excessive jitter/latency for other high priority processing. This commit suppresses the warning messages to prevent scheduling problems while retaining the failure count in the statistics of the network interface. 
Signed-off-by: Doug Berger
Acked-by: Florian Fainelli
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin

commit 6ac2fbde233bb60fb2d11d0575f7ce55b1ed8c04
Author: Nathan Chancellor
Date: Mon Apr 13 12:50:42 2020 -0700

lib/mpi: Fix building for powerpc with clang

[ Upstream commit 5990cdee689c6885b27c6d969a3d58b09002b0bc ]

0day reports over and over on a powerpc randconfig with clang:

    lib/mpi/generic_mpih-mul1.c:37:13: error: invalid use of a cast in a inline asm context requiring an l-value: remove the cast or build with -fheinous-gnu-extensions

Remove the superfluous casts, which have been done previously for x86 and arm32 in commit dea632cadd12 ("lib/mpi: fix build with clang") and commit 7b7c1df2883d ("lib/mpi/longlong.h: fix building with 32-bit x86").

Reported-by: kbuild test robot
Signed-off-by: Nathan Chancellor
Acked-by: Herbert Xu
Signed-off-by: Michael Ellerman
Link: https://github.com/ClangBuiltLinux/linux/issues/991
Link: https://lore.kernel.org/r/20200413195041.24064-1-natechancellor@gmail.com
Signed-off-by: Sasha Levin

commit 9dc6976d94be03785956bb1dafd35c2721a47f49
Author: Jeremie Francois (on alpha)
Date: Fri Apr 10 18:57:40 2020 +0200

scripts/config: allow colons in option strings for sed

[ Upstream commit e461bc9f9ab105637b86065d24b0b83f182d477c ]

Sed broke on some strings as it used colon as a separator. I made it more robust by using \001, which is legit POSIX AFAIK.

E.g.

    ./config --set-str CONFIG_USBNET_DEVADDR "de:ad:be:ef:00:01"

failed with:

    sed: -e expression #1, char 55: unknown option to `s'

Signed-off-by: Jeremie Francois (on alpha)
Signed-off-by: Masahiro Yamada
Signed-off-by: Sasha Levin

commit a1a970285b1a58754580fe68c4b053ccd877941b
Author: Ronnie Sahlberg
Date: Tue Apr 21 12:37:39 2020 +1000

cifs: protect updating server->dstaddr with a spinlock

[ Upstream commit fada37f6f62995cc449b36ebba1220594bfe55fe ]

We use a spinlock while we are reading and accessing the destination address for a server.
We need to also use this spinlock to protect when we are modifying this address from reconn_set_ipaddr().

Signed-off-by: Ronnie Sahlberg
Reviewed-by: Jeff Layton
Signed-off-by: Steve French
Signed-off-by: Sasha Levin

commit 6fef65ab2562cd2ca943c3c2651fb8fcf5285386
Author: Xiyu Yang
Date: Wed Apr 15 16:41:20 2020 +0800

wimax/i2400m: Fix potential urb refcnt leak

[ Upstream commit 7717cbec172c3554d470023b4020d5781961187e ]

i2400mu_bus_bm_wait_for_ack() invokes usb_get_urb(), which increases the refcount of the "notif_urb".

When i2400mu_bus_bm_wait_for_ack() returns, local variable "notif_urb" becomes invalid, so the refcount should be decreased to keep refcount balanced.

The issue happens in all paths of i2400mu_bus_bm_wait_for_ack(), which forget to decrease the refcnt increased by usb_get_urb(), causing a refcnt leak.

Fix this issue by calling usb_put_urb() before the i2400mu_bus_bm_wait_for_ack() returns.

Signed-off-by: Xiyu Yang
Signed-off-by: Xin Tan
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin

commit fabbe023d90395ac224b6f5b67c23d398afe555f
Author: Tyler Hicks
Date: Mon Apr 13 15:21:45 2020 -0500

selftests/ipc: Fix test failure seen after initial test run

[ Upstream commit b87080eab4c1377706c113fc9c0157f19ea8fed1 ]

After successfully running the IPC msgque test once, subsequent runs result in a test failure:

    $ sudo ./run_kselftest.sh
    TAP version 13
    1..1
    # selftests: ipc: msgque
    # Failed to get stats for IPC queue with id 0
    # Failed to dump queue: -22
    # Bail out!
    # # Pass 0 Fail 0 Xfail 0 Xpass 0 Skip 0 Error 0
    not ok 1 selftests: ipc: msgque # exit=1

The dump_queue() function loops through the possible message queue index values using calls to msgctl(kern_id, MSG_STAT, ...) where kern_id represents the index value. The first time the test is run, the initial index value of 0 is valid and the test is able to complete.
The index value of 0 is not valid in subsequent test runs and the loop attempts to try index values of 1, 2, 3, and so on until a valid index value is found that corresponds to the message queue created earlier in the test. The msgctl() syscall returns -1 and sets errno to EINVAL when invalid index values are used. The test failure is caused by incorrectly comparing errno to -EINVAL when cycling through possible index values. Fix invalid test failures on subsequent runs of the msgque test by correctly comparing errno values to a non-negated EINVAL. Fixes: 3a665531a3b7 ("selftests: IPC message queue copy feature test") Signed-off-by: Tyler Hicks Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 89536d507a61e499fa529915b4899714f869cff3 Author: YueHaibing Date: Tue Mar 10 22:16:54 2020 +0800 iio:ad7797: Use correct attribute_group [ Upstream commit 28535877ac5b2b84f0d394fd67a5ec71c0c48b10 ] It should use ad7797_attribute_group in ad7797_info, according to commit ("iio:ad7793: Add support for the ad7796 and ad7797"). Scale is fixed for the ad7796 and not programmable, hence should not have the scale_available attribute. Fixes: fd1a8b912841 ("iio:ad7793: Add support for the ad7796 and ad7797") Signed-off-by: YueHaibing Reviewed-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 255e262c7c2caa480c0ca3bee3c9e98d4facbc27 Author: Dan Carpenter Date: Mon Mar 21 12:02:31 2016 +0300 mdio-sun4i: oops in error handling in probe commit 227f33beab746aeec4ef3305bd17b1d374df09e7 upstream. We could end up dereferencing an error pointer when we call regulator_disable(). Fixes: 4bdcb1dd9feb ('net: Add MDIO bus driver for the Allwinner EMAC') Signed-off-by: Dan Carpenter Acked-by: Chen-Yu Tsai Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit e53eb1b8c9792496495f8e38ccde1bc22b19b465 Author: Robin Murphy Date: Tue Aug 9 17:31:35 2016 +0100 iommu/dma: Respect IOMMU aperture when allocating commit c987ff0d3cb37d7fe1ddaa370811dfd9f73643fa upstream. Where a device driver has set a 64-bit DMA mask to indicate the absence of addressing limitations, we still need to ensure that we don't allocate IOVAs beyond the actual input size of the IOMMU. The reported aperture is the most reliable way we have of inferring that input address size, so use that to enforce a hard upper limit where available. Fixes: 0db2e5d18f76 ("iommu: Implement common IOMMU ops for DMA mapping") Signed-off-by: Robin Murphy Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 2251a2e560e7edf41647b2aa36764483bde1101d Author: David Rivshin Date: Wed Apr 27 21:38:26 2016 -0400 drivers: net: cpsw: don't ignore phy-mode if phy-handle is used commit ae092b5bded24d5dc7dae0e0aef4669c169ce874 upstream. The phy-mode emac property was only being processed in the phy_id or fixed-link cases. However if phy-handle was specified instead, an error message would complain about the lack of phy_id or fixed-link, and then jump past the of_get_phy_mode(). This would result in the PHY mode defaulting to MII, regardless of what the devicetree specified. Fixes: 9e42f715264f ("drivers: net: cpsw: add phy-handle parsing") Signed-off-by: David Rivshin Tested-by: Nicolas Chauvet Tested-by: Andrew Goodbody Reviewed-by: Mugunthan V N Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5733a9f4a3df384097c92c532aed34bc698a9acd Author: Johan Hovold Date: Mon Nov 28 19:24:54 2016 +0100 net: dsa: slave: fix of-node leak and phy priority commit 0d8f3c67151faaa80e332c254372dca58fb2a9d4 upstream. Make sure to drop the reference taken by of_parse_phandle() before returning from dsa_slave_phy_setup(). 
Note that this also modifies the PHY priority so that any fixed-link node is only parsed when no phy-handle is given, which is in accordance with the common scheme for this. Fixes: 0d8bcdd383b8 ("net: dsa: allow for more complex PHY setups") Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 12cf30cb9b6b7b806d9d857d16cdb4f9efc804ad Author: Roosen Henri Date: Thu Jan 7 09:31:15 2016 +0100 phy: micrel: Fix finding PHY properties in MAC node for KSZ9031. commit b4c19f71252e3b6b8c6478fd712c592f00b11438 upstream. Commit 651df2183543 ("phy: micrel: Fix finding PHY properties in MAC node.") only fixes finding PHY properties in MAC node for KSZ9021. This commit applies the same fix for KSZ9031. Fixes: 8b63ec1837fa ("phylib: Make PHYs children of their MDIO bus, not the bus' parent.") Acked-by: Andrew Lunn Signed-off-by: Henri Roosen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 620e769b26771da6f99b290d6c4c1802f9861957 Author: Johan Hovold Date: Wed Nov 16 15:20:36 2016 +0100 of_mdio: fix node leak in of_phy_register_fixed_link error path commit 48c1699d5335bc045b50989a06b1c526b17a25ff upstream. Make sure to drop the of_node reference also on failure to parse the speed property in of_phy_register_fixed_link(). Fixes: 3be2a49e5c08 ("of: provide a binding for fixed link PHYs") Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9ea08f4893304c04a0d80b0d2766d0a01e98eb12 Author: Florian Fainelli Date: Sat Feb 6 12:58:48 2016 -0800 net: phy: bcm7xxx: Fix shadow mode 2 disabling commit 50d899808d33a5b0aa82be23e824119944042689 upstream. The clear and set masks in the call to phy_set_clr_bits() called from bcm7xxx_config_init() are inverted. We need to fix this by swapping the two arguments, that is, set 0 bits, but clear the shade mode 2 enable bit. 
Fixes: b560a58c45c66 ("net: phy: add Broadcom BCM7xxx internal PHY driver") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b32dff21abc1b9a84d51e7b709d6519206fbf647 Author: Florian Fainelli Date: Mon Jan 18 19:33:07 2016 -0800 net: phy: Fix phy_mac_interrupt() commit deccd16f91f930af8e91ffbbfc839d0ad8da999d upstream. Commit 5ea94e7686a3 ("phy: add phy_mac_interrupt()") to use with PHY_IGNORE_INTERRUPT added a cancel_work_sync() into phy_mac_interrupt() which is allowed to sleep, whereas phy_mac_interrupt() is expected to be callable from interrupt context. Now that we have fixed how the PHY state machine treats PHY_IGNORE_INTERRUPT with respect to state changes, we can just set the new link state, and queue the PHY state machine for execution so it is going to read the new link state. For that to work properly, we need to update phy_change() not to try to invoke any interrupt callbacks if we have configured the PHY device for PHY_IGNORE_INTERRUPT, because that PHY device and its driver are not required to implement those. Fixes: 5ea94e7686a3 ("phy: add phy_mac_interrupt() to use with PHY_IGNORE_INTERRUPT") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0d1951fa23ba0d35a4c5498ff28d1c5206d6fcdd Author: Florian Fainelli Date: Mon Jan 18 19:33:06 2016 -0800 net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS commit d5c3d84657db57bd23ecd58b97f1c99dd42a7b80 upstream. Commit 2c7b49212a86 ("phy: fix the use of PHY_IGNORE_INTERRUPT") changed a hunk in phy_state_machine() in the PHY_RUNNING case which was not needed. The change essentially makes the PHY library treat PHY devices with PHY_IGNORE_INTERRUPT to keep polling for the PHY device, even though the intent is not to do it. Fix this by reverting that specific hunk, which makes the PHY state machine wait for state changes, and stay in the PHY_RUNNING state for as long as needed. 
Fixes: 2c7b49212a86 ("phy: fix the use of PHY_IGNORE_INTERRUPT")
Signed-off-by: Florian Fainelli
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit c175435fdf50c81ca2b6576f090cba31c3489209
Author: Dan Carpenter
Date: Wed Dec 23 23:45:27 2015 +0100

NFC: nci: memory leak in nci_core_conn_create()

commit c6dc65d885b98898bf287aaf44e020077b41769f upstream.

I've moved the check for "number_destination_params" forward a few lines to avoid leaking "cmd".

Fixes: caa575a86ec1 ('NFC: nci: fix possible crash in nci_core_conn_create')
Acked-by: Christophe Ricard
Signed-off-by: Dan Carpenter
Signed-off-by: Samuel Ortiz
Signed-off-by: Greg Kroah-Hartman

commit a7b3a739c777c6deaad5c54a402304da77065642
Author: Chuck Lever
Date: Mon May 2 14:40:31 2016 -0400

sunrpc: Update RPCBIND_MAXNETIDLEN

commit 4b9c7f9db9a003f5c342184dc4401c1b7f2efb39 upstream.

Commit 176e21ee2ec8 ("SUNRPC: Support for RPC over AF_LOCAL transports") added a 5-character netid, but did not bump RPCBIND_MAXNETIDLEN from 4 to 5.

Fixes: 176e21ee2ec8 ("SUNRPC: Support for RPC over AF_LOCAL ...")
Signed-off-by: Chuck Lever
Signed-off-by: Anna Schumaker
Signed-off-by: Greg Kroah-Hartman

commit 4ebef63e925e37f5de2f9da8fc86a545e4e0b945
Author: Xin Long
Date: Thu Mar 10 15:31:57 2016 +0800

sctp: fix the transports round robin issue when init is retransmitted

commit 39d2adebf137de5f900843f69f5e500932e31047 upstream.

prior to this patch, at the beginning if we have two paths in one assoc, they may have the same params other than the last_time_heard, it will try the paths like this:

1st cycle
    try trans1 fail.
    then trans2 is selected.(cause its last_time_heard is after trans1).

2nd cycle:
    try trans2 fail
    then trans2 is selected.(cause its last_time_heard is after trans1).

3rd cycle:
    try trans2 fail
    then trans2 is selected.(cause its last_time_heard is after trans1).

....

trans1 will never have chance to be selected, which is not what we expect.
we should keep round robin all the paths if they are just added at the beginning.

So at first every transport's last_time_heard should be initialized to 0, so that we ensure they have the same value at the beginning, only by this, all the transports could get equal chance to be selected.

Then for sctp_trans_elect_best, it should return the trans_next one when *trans == *trans_next, so that we can try next if it fails, but now it always returns trans. so we can fix it by exchanging these two params when we call sctp_trans_elect_tie().

Fixes: 4c47af4d5eb2 ('net: sctp: rework multihoming retransmission path selection to rfc4960')
Signed-off-by: Xin Long
Acked-by: Daniel Borkmann
Acked-by: Marcelo Ricardo Leitner
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman

commit 3db3dac3050205e44ac29937eb9cf667cd128a93
Author: Mahesh Salgaonkar
Date: Tue Aug 9 10:39:13 2016 +0530

powerpc/book3s: Fix MCE console messages for unrecoverable MCE.

commit c74dd88e77d3ecbc9e55c78796d82c9aa21cabad upstream.

When machine check occurs with MSR(RI=0), it means MC interrupt is unrecoverable and kernel goes down to panic path. But the console message still shows it as recovered. This patch fixes the MCE console messages.

Fixes: 36df96f8acaf ("powerpc/book3s: Decode and save machine check event.")
Signed-off-by: Mahesh Salgaonkar
Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman

commit 2f3e56e4b6020812350190f1cada230d790ce0e8
Author: Michael Neuling
Date: Wed Jul 6 14:58:06 2016 +1000

powerpc/tm: Fix stack pointer corruption in __tm_recheckpoint()

commit 6bcb80143e792becfd2b9cc6a339ce523e4e2219 upstream.

At the start of __tm_recheckpoint() we save the kernel stack pointer (r1) in SPRG SCRATCH0 (SPRG2) so that we can restore it after the trecheckpoint.

Unfortunately, the same SPRG is used in the SLB miss handler. If an SLB miss is taken between the save and restore of r1 to the SPRG, the SPRG is changed and hence r1 is also corrupted.
We can end up with the following crash when we start using r1 again after the restore from the SPRG:

    Oops: Bad kernel stack pointer, sig: 6 [#1]
    SMP NR_CPUS=2048 NUMA pSeries
    CPU: 658 PID: 143777 Comm: htm_demo Tainted: G EL X 4.4.13-0-default #1
    task: c0000b56993a7810 ti: c00000000cfec000 task.ti: c0000b56993bc000
    NIP: c00000000004f188 LR: 00000000100040b8 CTR: 0000000010002570
    REGS: c00000000cfefd40 TRAP: 0300 Tainted: G EL X (4.4.13-0-default)
    MSR: 8000000300001033 CR: 02000424 XER: 20000000
    CFAR: c000000000008468 DAR: 00003ffd84e66880 DSISR: 40000000 SOFTE: 0
    PACATMSCRATCH: 00003ffbc865e680
    GPR00: fffffffcfabc4268 00003ffd84e667a0 00000000100d8c38 000000030544bb80
    GPR04: 0000000000000002 00000000100cf200 0000000000000449 00000000100cf100
    GPR08: 000000000000c350 0000000000002569 0000000000002569 00000000100d6c30
    GPR12: 00000000100d6c28 c00000000e6a6b00 00003ffd84660000 0000000000000000
    GPR16: 0000000000000003 0000000000000449 0000000010002570 0000010009684f20
    GPR20: 0000000000800000 00003ffd84e5f110 00003ffd84e5f7a0 00000000100d0f40
    GPR24: 0000000000000000 0000000000000000 0000000000000000 00003ffff0673f50
    GPR28: 00003ffd84e5e960 00000000003d0f00 00003ffd84e667a0 00003ffd84e5e680
    NIP [c00000000004f188] restore_gprs+0x110/0x17c
    LR [00000000100040b8] 0x100040b8
    Call Trace:
    Instruction dump:
    f8a1fff0 e8e700a8 38a00000 7ca10164 e8a1fff8 e821fff0 7c0007dd 7c421378
    7db142a6 7c3242a6 38800002 7c810164 e9e100e8 ea0100f0 ea2100f8

We hit this on large memory machines (> 2TB) but it can also be hit on smaller machines when 1TB segments are disabled. To hit this, you also need to be virtualised to ensure SLBs are periodically removed by the hypervisor.

This patch moves the saving of r1 to the SPRG to the region where we are guaranteed not to take any further SLB misses.
Fixes: 98ae22e15b43 ("powerpc: Add helper functions for transactional memory context switching") Cc: stable@vger.kernel.org # v3.9+ Signed-off-by: Michael Neuling Acked-by: Cyril Bur Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 1a343f4dae71c542060c9628d8a2275015e75afe Author: Naveen N. Rao Date: Thu Apr 28 15:01:10 2016 +0530 perf tools: Fix perf regs mask generation commit f47822078dece7189cad0a5f472f148e5e916736 upstream. On some architectures (powerpc in particular), the number of registers exceeds what can be represented in an integer bitmask. Ensure we generate the proper bitmask on such platforms. Fixes: 71ad0f5e4 ("perf tools: Support for DWARF CFI unwinding on post processing") Signed-off-by: Naveen N. Rao Acked-by: Arnaldo Carvalho de Melo Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman commit 24769c71b2ed25c02b3702b556f2fc5604384259 Author: Adrian Hunter Date: Tue Mar 29 12:45:43 2016 +0300 mmc: sdhci: Fix regression setting power on Trats2 board commit 1dceb0415aa0c6bc11dacdab47c9ef83a3604166 upstream. Several commits relating to setting power have been introducing problems by putting driver-specific rules into generic SDHCI code. 
Krzysztof Kozlowski reported that after commit 918f4cbd4340 ("mmc: sdhci: restore behavior when setting VDD via external regulator") on Trats2 board there are warnings for invalid VDD value (2.8V):

    [ 3.119656] ------------[ cut here ]------------
    [ 3.119666] WARNING: CPU: 3 PID: 90 at ../drivers/mmc/host/sdhci.c:1234 sdhci_do_set_ios+0x4cc/0x5e0
    [ 3.119669] mmc0: Invalid vdd 0x10
    [ 3.119673] Modules linked in:
    [ 3.119679] CPU: 3 PID: 90 Comm: kworker/3:1 Tainted: G W 4.5.0-next-20160324 #23
    [ 3.119681] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
    [ 3.119690] Workqueue: events_freezable mmc_rescan
    [ 3.119708] [] (unwind_backtrace) from [] (show_stack+0x10/0x14)
    [ 3.119719] [] (show_stack) from [] (dump_stack+0x88/0x9c)
    [ 3.119728] [] (dump_stack) from [] (__warn+0xe8/0x100)
    [ 3.119734] [] (__warn) from [] (warn_slowpath_fmt+0x38/0x48)
    [ 3.119740] [] (warn_slowpath_fmt) from [] (sdhci_do_set_ios+0x4cc/0x5e0)
    [ 3.119748] [] (sdhci_do_set_ios) from [] (sdhci_runtime_resume_host+0x60/0x114)
    [ 3.119758] [] (sdhci_runtime_resume_host) from [] (__rpm_callback+0x2c/0x60)
    [ 3.119767] [] (__rpm_callback) from [] (rpm_callback+0x20/0x80)
    [ 3.119773] [] (rpm_callback) from [] (rpm_resume+0x36c/0x558)
    [ 3.119780] [] (rpm_resume) from [] (__pm_runtime_resume+0x4c/0x64)
    [ 3.119788] [] (__pm_runtime_resume) from [] (__mmc_claim_host+0x170/0x1b0)
    [ 3.119795] [] (__mmc_claim_host) from [] (mmc_rescan+0x54/0x348)
    [ 3.119807] [] (mmc_rescan) from [] (process_one_work+0x120/0x3f4)
    [ 3.119815] [] (process_one_work) from [] (worker_thread+0x38/0x554)
    [ 3.119823] [] (worker_thread) from [] (kthread+0xdc/0xf4)
    [ 3.119831] [] (kthread) from [] (ret_from_fork+0x14/0x3c)
    [ 3.119834] ---[ end trace a22d652aa3276886 ]---

Fix by adding a 'set_power' callback and restoring the default behaviour prior to commit 918f4cbd4340 ("mmc: sdhci: restore behavior when setting VDD via external regulator").
    The desired behaviour of that commit is gotten by having sdhci-pxav3 provide its own set_power callback.

    Reported-by: Krzysztof Kozlowski
    Link: http://lkml.kernel.org/r/CAJKOXPcGDnPm-Ykh6wHqV1YxfTaov5E8iVqBoBn4OJc7BnhgEQ@mail.gmail.com
    Fixes: 918f4cbd4340 ("mmc: sdhci: restore behavior when setting VDD...)
    Tested-by: Krzysztof Kozlowski
    Tested-by: Ludovic Desroches
    Signed-off-by: Adrian Hunter
    Cc: stable@vger.kernel.org # v4.5+
    Reviewed-by: Jisheng Zhang
    Tested-by: Jisheng Zhang
    Tested-by: Jaehoon Chung
    Tested-by: Anand Moon
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit 1457904f30acfe92e86f9ee4d8904b3ebf70409e
Author: Nicholas Mc Guire
Date:   Mon Jul 25 19:59:23 2016 +0200

    mmc: moxart: fix wait_for_completion_interruptible_timeout return variable type

    commit 41f469cac2663a41a7b0c84cb94e8f7024385ae4 upstream.

    wait_for_completion_timeout_interruptible returns long not unsigned long so dma_time, which is used exclusively here, is changed to long.

    Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver")
    Signed-off-by: Nicholas Mc Guire
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit b80a590de4fab8ae9fb4f64db6dd969634f52614
Author: Douglas Anderson
Date:   Thu May 12 11:31:50 2016 -0700

    mmc: dw_mmc: rockchip: Set the drive phase properly

    commit d4aa908c7978f60557a799ca53b5ae4166fd8355 upstream.

    Historically for Rockchip devices we've relied on the power-on default (or perhaps the firmware setting) to get the correct drive phase for dw_mmc devices. This worked OK for the most part, but:
    * Relying on the setting just "being right" is a bit fragile.
    * As soon as there is an instance where the power on default is wrong or where the firmware didn't configure this properly then we'll get a mysterious failure.

    In commit 7a03fe6f48f3 ("clk: rockchip: reset init state before mmc card initialization") we actually started setting this explicitly in the kernel, but that commit wasn't quite right and also wasn't quite enough.
    See for some details.

    Let's explicitly set this phase in dw_mmc. The comments inside this patch try to explain the situation quite thoroughly, but the high level overview of this is:

    Before this patch on rk3288 devices tested (after revert of the clock patch described above):
    * eMMC: 180 degrees
    * SDMMC/SDIO0/SDIO1: 90 degrees

    After this patch:
    * Use 90 degree phase offset usually.
    * Use 180 degree phase offset for MMC_DDR52, SDR104, HS200.

    That means we are _changing_ behavior for those devices in this way:
    * If we have HS200 eMMC or DDR52 eMMC, we'll run ID mode at 90 degrees (vs 180) but otherwise have no change.
    * For any non-HS200 / non-DDR52 eMMC devices we'll now _always_ run at 90 degrees (vs 180). It seems fairly unlikely that building modern hardware is using an eMMC that isn't using DDR52 or HS200, of course.
    * For SDR104 cards we'll now run with 180 degree phase offset (vs 90). It's expected that 90 degree phase offset would have worked OK, but this gives us extra margin.

    I have tested this by inserting my collection of uSD cards (mostly UHS, though a few not) into a veyron_minnie and confirmed that they still seem to enumerate properly. For a subset of them I tried putting a filesystem on them and also tried running mmc_test.

    Fixes: 7a03fe6f48f3 ("clk: rockchip: reset init state before mmc card initialization")
    Signed-off-by: Douglas Anderson
    Reviewed-by: Shawn Lin
    Tested-by: Heiko Stuebner
    Tested-by: Enric Balletbo i Serra
    Signed-off-by: Jaehoon Chung
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit 9257ad95bf28a695cc579ed865c9eab54f55f9af
Author: Douglas Anderson
Date:   Thu May 12 11:03:16 2016 -0700

    clk: rockchip: Revert "clk: rockchip: reset init state before mmc card initialization"

    commit 4715f81afc342996f680b08c944a712d9cbef11b upstream.

    This reverts commit 7a03fe6f48f3 ("clk: rockchip: reset init state before mmc card initialization").
    Though not totally obvious from the commit message nor from the source code, that commit appears to be trying to reset the "_drv" MMC clocks to 90 degrees (note that the "_sample" MMC clocks have a shift of 0 so are not touched).

    The major problem here is that it doesn't properly reset things. The phase is a two bit field and the commit only touches one of the two bits. Thus the commit had the following effect:
    - phase 0 => phase 90
    - phase 90 => phase 90
    - phase 180 => phase 270
    - phase 270 => phase 270

    Things get even weirder if you happen to have a bootloader that was actually using delay elements (should be no reason to, but you never know), since those are additional bits that weren't touched by the original patch.

    This is unlikely to be what we actually want. Checking on rk3288-veyron devices, I can see that the bootloader leaves these clocks as:
    - emmc: phase 180
    - sdmmc: phase 90
    - sdio0: phase 90

    Thus on rk3288-veyron devices the commit we're reverting had the effect of changing the eMMC clock to phase 270. This probably explains the scattered reports I've heard of eMMC devices not working on some veyron devices when using the upstream kernel.

    The original commit was presumably made because previously the kernel didn't touch the "_drv" phase at all and relied on whatever value was there when the kernel started. If someone was using a bootloader that touched the "_drv" phase then, indeed, we should have code in the kernel to fix that. ...and also, to get ideal timings, we should also have the kernel change the phase depending on the speed mode. In fact, that's the subject of a recent patch I posted at .

    Ideally, we should take both the patch posted to dw_mmc and this revert. Since those will likely go through different trees, here I describe behavior with the combos:

    1. Just this revert: likely will fix rk3288-veyron eMMC on some devices + other cases; might break someone with a strange bootloader that sets the phase to 0 or one that uses delay elements (pretty unpredictable what would happen in that case).
    2. Just dw_mmc patch: fixes everyone. Effectively the dw_mmc patch will totally override the broken patch and fix everything.
    3. Both patches: fixes everyone. Once dw_mmc is initting properly then any defaults from the clock code don't matter.

    Fixes: 7a03fe6f48f3 ("clk: rockchip: reset init state before mmc card initialization")
    Signed-off-by: Douglas Anderson
    Reviewed-by: Shawn Lin
    Signed-off-by: Greg Kroah-Hartman
    [emmc and sdmmc still work on all current boards in mainline after this revert, so they should take precedence over any out-of-tree board that will hopefully again get fixed with the better upcoming dw_mmc change.]
    Signed-off-by: Heiko Stuebner

commit f670866a282a0b75538391e50c2536dda9a8db00
Author: Olof Johansson
Date:   Tue Feb 9 09:34:30 2016 -0800

    mmc: block: return error on failed mmc_blk_get()

    commit f00ab14c252ac459e86194747a1f580ab503c954 upstream.

    This used to return -EFAULT, but the function above returns -EINVAL on the same condition so let's stick to that.

    The removal of error return on this path was introduced with b093410c9aef ('mmc: block: copy resp[] data on err for MMC_IOC_MULTI_CMD').

    Fixes: b093410c9aef ('mmc: block: copy resp[] data on err for MMC_IOC_MULTI_CMD').
    Signed-off-by: Olof Johansson
    Cc: Grant Grundler
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit 94225df2cfda12f020ae5d242cc3deea29dfd963
Author: Chuanxiao Dong
Date:   Mon Jan 18 10:35:19 2016 +0100

    mmc: debugfs: correct wrong voltage value

    commit 0036e74686344f1051afc3107740140abfd03616 upstream.

    Correct the wrong voltage value shown in debugfs for mmc/sd/sdio.
    Signed-off-by: Chuanxiao Dong
    Signed-off-by: Pawel Wodkowski
    Fixes: 42cd95a0603e ("mmc: core: debugfs: Add signal_voltage to ios dump")
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit 674c32a1c73905444fd0449a7b6f9aef451927e1
Author: Russell King
Date:   Sat Jan 2 10:06:29 2016 +0000

    mmc: sd: limit SD card power limit according to cards capabilities

    commit d9812780a020bcec44565b5950b2a8b31afb5545 upstream.

    The SD card specification allows cards to error out a SWITCH command where the requested function in a group is not supported. The spec provides for a set of capabilities which indicate which functions are supported.

    In the case of the power limit, requesting an unsupported power level via the SWITCH command fails, resulting in the power level remaining at the power-on default of 0.72W, even though the host and card may support higher power levels.

    This has been seen with SanDisk 8GB cards, which support the default 0.72W and 1.44W (200mA and 400mA) in combination with an iMX6 host, supporting up to 2.88W (800mA). This currently causes us to try to set a power limit function value of '3' (2.88W) which the card errors out on, and thereby causes the power level to remain at 0.72W rather than the desired 1.44W.

    Arrange to limit the selected current limit by the capabilities reported by the card to avoid the SWITCH command failing. Select the highest current limit that the host and card combination support.

    Signed-off-by: Russell King
    Fixes: a39ca6ae0a08 ("mmc: core: Simplify and fix for SD switch processing")
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit 1bb85550275785b0e496d9eab0979724ac4be145
Author: Jisheng Zhang
Date:   Fri Dec 11 21:36:29 2015 +0800

    mmc: sdhci: restore behavior when setting VDD via external regulator

    commit 918f4cbd4340ddd1eb389cd8efa3b07ac74ec4c0 upstream.
    After commit 52221610dd84 ("mmc: sdhci: Improve external VDD regulator support"), for the VDD is supplied via external regulators, we ignore the code to convert a VDD voltage request into one of the standard SDHCI voltage levels, then program it in the SDHCI_POWER_CONTROL. This brings two issues:

    1. SDHCI_QUIRK2_CARD_ON_NEEDS_BUS_ON quirk isn't handled properly any more.
    2. What's more, once SDHCI_POWER_ON bit is set, some controllers such as the sdhci-pxav3 used in marvell berlin SoCs require the voltage levels programming in the SDHCI_POWER_CONTROL register, even the VDD is supplied by external regulator. So the host in marvell berlin SoCs still works fine after the commit. However, commit 3cbc6123a93d ("mmc: sdhci: Set SDHCI_POWER_ON with external vmmc") sets the SDHCI_POWER_ON bit, this would make the host in marvell berlin SoCs won't work any more with external vmmc.

    This patch restores the behavior when setting VDD through external regulator by moving the call of mmc_regulator_set_ocr() to the end of sdhci_set_power() function.

    After this patch, the sdcard on Marvell Berlin SoC boards work again.

    Signed-off-by: Jisheng Zhang
    Fixes: 52221610dd84 ("mmc: sdhci: Improve external VDD ...")
    Reviewed-by: Ludovic Desroches
    Tested-by: Ludovic Desroches
    Signed-off-by: Ulf Hansson
    Signed-off-by: Greg Kroah-Hartman

commit 25e8aad6f491da6ae330148da09585371a3790f2
Author: Andy Shevchenko
Date:   Fri Dec 4 23:49:18 2015 +0200

    Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"

    commit b5f88dd1d6efc472e35ca1b21a44e662c5422088 upstream.

    The specific power domain can't be used in a way provided by the commit 01ac170ba29a, i.e. pointer to platform device is a subject to change during unbound / bind cycle.

    This reverts commit 01ac170ba29a9903ee590e1ef2d8e6b27b49a16c.

    Fixes: 3df2da968744 (Revert "ACPI / LPSS: introduce a 'proxy' device to power on LPSS for DMA")
    Signed-off-by: Andy Shevchenko
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 2b4b4a259bb19a42b5969b5d7874a42909135d95
Author: Maciej S. Szmigiero
Date:   Sun Dec 20 21:30:25 2015 +0100

    ASoC: fsl_ssi: mark SACNT register volatile

    commit 3f1c241f0f5f90046258e6b8d4aeb6463ffdc08e upstream.

    SACNT register should be marked volatile since its WR and RD bits are cleared by SSI after completing the relevant operation. This unbreaks AC'97 register access.

    Fixes: 05cf237972fe ("ASoC: fsl_ssi: Add driver suspend and resume to support MEGA Fast")
    Signed-off-by: Maciej S. Szmigiero
    Reviewed-by: Fabio Estevam
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit cbe76eacbb6e1661fb9728b33dc3534718946776
Author: Sudip Mukherjee
Date:   Tue Dec 1 16:09:51 2015 +0530

    ASoC: tegra_alc5632: check return value

    commit 319c32597fc22a58b946a6146f2be1fd208582e0 upstream.

    We have been returning success even if snd_soc_card_jack_new() fails. Let's check the return value and return error if it fails.

    Fixes: 12cc6d1dca4d ("ASoC: tegra_alc5632: Register jacks at the card level")
    Signed-off-by: Sudip Mukherjee
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit 9d1eedb8af659d87786110a2bb5199f165751334
Author: Dan Carpenter
Date:   Wed Nov 18 13:04:20 2015 +0300

    ASoC: Intel: pass correct parameter in sst_alloc_stream_mrfld()

    commit d16a2b9f2465b5486f830178fbfb7d203e0a17ae upstream.

    "data" is always NULL in this function. I think we should be passing "&data" to sst_prepare_and_post_msg() instead of "data".

    Fixes: 3d9ff34622ba ('ASoC: Intel: sst: add stream operations')
    Signed-off-by: Dan Carpenter
    Tested-by: Dinesh Mirche
    Acked-by: Vinod Koul
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit c5197b9e45f0de50aa3f704db0760972faa7dd70
Author: Boris Brezillon
Date:   Fri Dec 11 15:02:34 2015 +0100

    mtd: nand: denali: add missing nand_release() call in denali_remove()

    commit 320092a05dab2f44819c42f33d6b51efb6c474f2 upstream.
    Unregister the NAND device from the NAND subsystem when removing a denali NAND controller, otherwise the MTD attached to the NAND device is still exposed by the MTD layer, and accesses to this device will likely crash the system.

    Fixes: 2a0a288ec258 ("mtd: denali: split the generic driver and PCI layer")
    Signed-off-by: Boris Brezillon
    Acked-by: Dinh Nguyen
    Signed-off-by: Brian Norris
    Signed-off-by: Greg Kroah-Hartman

commit 724cfd5930d95c4759e06884b52d78501c192d13
Author: Eric Dumazet
Date:   Tue Sep 20 18:06:17 2016 -0700

    net: get rid of an signed integer overflow in ip_idents_reserve()

    commit adb03115f4590baa280ddc440a8eff08a6be0cb7 upstream.

    Jiri Pirko reported an UBSAN warning happening in ip_idents_reserve()

    [] UBSAN: Undefined behaviour in ./arch/x86/include/asm/atomic.h:156:11
    [] signed integer overflow:
    [] -2117905507 + -695755206 cannot be represented in type 'int'

    Since we do not have uatomic_add_return() yet, use atomic_cmpxchg() so that the arithmetics can be done using unsigned int.

    Fixes: 04ca6973f7c1 ("ip: make IP identifiers less predictable")
    Signed-off-by: Eric Dumazet
    Reported-by: Jiri Pirko
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 63bf5f01e5fcf8727ee3fc2089c54ed7396ace3e
Author: Chuck Lever
Date:   Mon Apr 11 16:20:22 2016 -0400

    NFS: Fix an LOCK/OPEN race when unlinking an open file

    commit 11476e9dec39d90fe1e9bf12abc6f3efe35a073d upstream.

    At Connectathon 2016, we found that recent upstream Linux clients would occasionally send a LOCK operation with a zero stateid. This appeared to happen in close proximity to another thread returning a delegation before unlinking the same file while it remained open.

    Earlier, the client received a write delegation on this file and returned the open stateid. Now, as it is getting ready to unlink the file, it returns the write delegation. But there is still an open file descriptor on that file, so the client must OPEN the file again before it returns the delegation.
    Since commit 24311f884189 ('NFSv4: Recovery of recalled read delegations is broken'), nfs_open_delegation_recall() clears the NFS_DELEGATED_STATE flag _before_ it sends the OPEN. This allows a racing LOCK on the same inode to be put on the wire before the OPEN operation has returned a valid open stateid.

    To eliminate this race, serialize delegation return with the acquisition of a file lock on the same file. Adopt the same approach as is used in the unlock path.

    This patch also eliminates a similar race seen when sending a LOCK operation at the same time as returning a delegation on the same file.

    Fixes: 24311f884189 ('NFSv4: Recovery of recalled read ... ')
    Signed-off-by: Chuck Lever
    [Anna: Add sentence about LOCK / delegation race]
    Signed-off-by: Anna Schumaker
    Signed-off-by: Greg Kroah-Hartman

commit 9d533ad6b6598bcb508e9d01ab22f809e4f46c45
Author: Ilan Peer
Date:   Tue Mar 8 13:35:31 2016 +0200

    mac80211: Fix BW upgrade for TDLS peers

    commit 4b559ec0bfc3a9f41a127cea6964f38b2b4bb323 upstream.

    It is possible that the station is connected to an AP with bandwidth of 80+80MHz or 160MHz. In such cases there is no need to perform an upgrade as the maximal supported bandwidth is 80MHz.

    In addition, when upgrading and setting center_freq1 and bandwidth to 80MHz also set center_freq2 to 0.

    Fixes: 0fabfaafec3a ("mac80211: upgrade BW of TDLS peers when possible"
    Signed-off-by: Ilan Peer
    Signed-off-by: Emmanuel Grumbach
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit 37e333d209ec41460c5bb4901a2d75a7b7e1ac9e
Author: Arik Nemtsov
Date:   Wed Mar 2 23:28:32 2016 +0200

    mac80211: TDLS: change BW calculation for WIDER_BW peers

    commit 59021c675995281d453eee45b3e2e1e3edbc0ec2 upstream.

    The previous approach simply ignored chandef restrictions when calculating the appropriate peer BW for a WIDER_BW peer. This could result in a regulatory violation if both peers indicated 80MHz support, but the regdomain forbade it.
    Change the approach to setting a WIDER_BW peer's BW. Don't exempt it from the chandef width at first. If during TDLS negotiation the chandef width is upgraded, update the peer's BW to match.

    Fixes: 0fabfaafec3a ("mac80211: upgrade BW of TDLS peers when possible")
    Signed-off-by: Arik Nemtsov
    Signed-off-by: Emmanuel Grumbach
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit 1132704fd4f8da87fb7aa0e63809cbad628449bb
Author: Arik Nemtsov
Date:   Wed Mar 2 23:28:31 2016 +0200

    mac80211: TDLS: always downgrade invalid chandefs

    commit db8d99774c2682559b7648857697b9b588c6795a upstream.

    Even if the current chandef width is equal to the station's max-BW, it doesn't mean it's a valid width for TDLS. Make sure to always check regulatory constraints in these cases.

    Fixes: 0fabfaafec3a ("mac80211: upgrade BW of TDLS peers when possible")
    Signed-off-by: Arik Nemtsov
    Signed-off-by: Emmanuel Grumbach
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit 85192dbafcadfa4631d2388a93173f57d6db82cf
Author: Johannes Berg
Date:   Tue Nov 24 20:28:27 2015 +0100

    mac80211: fix mgmt-tx abort cookie and leak

    commit e673a65952b4ab045a3e3eb200fdf408004fb4fd upstream.

    If a mgmt-tx operation is aborted before it runs, the wrong cookie is reported back to userspace, and the ack_skb gets leaked since the frame is freed directly instead of freeing it using ieee80211_free_txskb(). Fix that.

    Fixes: 3b79af973cf4 ("mac80211: stop using pointers as userspace cookies")
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit be9113b305e2b9a91fa6e9b47f1df29eef255fb0
Author: Ilan Tayari
Date:   Sun Sep 18 07:42:53 2016 +0000

    xfrm: Fix memory leak of aead algorithm name

    commit b588479358ce26f32138e0f0a7ab0678f8e3e601 upstream.

    commit 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms") introduced aead. The function attach_aead kmemdup()s the algorithm name during xfrm_state_construct(). However this memory is never freed.
    Implementation has since been slightly modified in commit ee5c23176fcc ("xfrm: Clone states properly on migration") without resolving this leak.

    This patch adds a kfree() call for the aead algorithm name.

    Fixes: 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms")
    Signed-off-by: Ilan Tayari
    Acked-by: Rami Rosen
    Signed-off-by: Steffen Klassert
    Signed-off-by: Greg Kroah-Hartman

commit 38e6f8d468d5b6e08e4dba4f6065bf58182af2bf
Author: Mathias Krause
Date:   Thu Sep 8 18:09:57 2016 +0200

    xfrm_user: propagate sec ctx allocation errors

    commit 2f30ea5090cbc57ea573cdc66421264b3de3fb0a upstream.

    When we fail to attach the security context in xfrm_state_construct() we'll return 0 as error value which, in turn, will wrongly claim success to userland when, in fact, we won't be adding / updating the XFRM state.

    This is a regression introduced by commit fd21150a0fe1 ("[XFRM] netlink: Inline attach_encap_tmpl(), attach_sec_ctx(), and attach_one_addr()").

    Fix it by propagating the error returned by security_xfrm_state_alloc() in this case.

    Fixes: fd21150a0fe1 ("[XFRM] netlink: Inline attach_encap_tmpl()...")
    Signed-off-by: Mathias Krause
    Cc: Thomas Graf
    Signed-off-by: Steffen Klassert
    Signed-off-by: Greg Kroah-Hartman

commit 7ad26966e2215877c98432ba2e8f314ee5c892c4
Author: Alexey Kodanev
Date:   Wed Aug 10 13:54:57 2016 +0300

    net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key

    commit 1625f4529957738be7d87cf157e107b8fb9d23b9 upstream.

    Running LTP 'icmp-uni-basic.sh -6 -p ipcomp -m tunnel' test over openvswitch + veth can trigger kernel panic:

    BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0
    IP: [] xfrm_input+0x82/0x750
    ...
    [] xfrm6_rcv_spi+0x1e/0x20
    [] xfrm6_tunnel_rcv+0x42/0x50 [xfrm6_tunnel]
    [] tunnel6_rcv+0x3e/0x8c [tunnel6]
    [] ip6_input_finish+0xd5/0x430
    [] ip6_input+0x33/0x90
    [] ip6_rcv_finish+0xa5/0xb0
    ...
    It seems that tunnel.ip6 can have garbage values and also dereferenced without a proper check, only tunnel.ip4 is being verified. Fix it by adding one more if block for AF_INET6 and initialize tunnel.ip6 with NULL inside xfrm6_rcv_spi() (which is similar to xfrm4_rcv_spi()).

    Fixes: 049f8e2 ("xfrm: Override skb->mark with tunnel->parm.i_key in xfrm_input")
    Signed-off-by: Alexey Kodanev
    Signed-off-by: Steffen Klassert
    Signed-off-by: Greg Kroah-Hartman

commit 644f07c105f09cfeba4aeddaf774565c641d5f28
Author: Philipp Zabel
Date:   Tue Feb 9 09:32:42 2016 -0800

    Input: edt-ft5x06 - fix setting gain, offset, and threshold via device tree

    commit dc262dfaaeda7617ae0b15b5ce1252a6cd102b19 upstream.

    A recent patch broke parsing the gain, offset, and threshold parameters from device tree. Instead of setting the cached values and writing them to the correct registers during probe, it would write the values from DT into the register address variables and never write them to the chip during normal operation.

    Fixes: 2e23b7a96372 ("Input: edt-ft5x06 - use generic properties API")
    Signed-off-by: Philipp Zabel
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit 15d6ab1058ef75047ccff59832781284c9f6c41c
Author: Dmitry Torokhov
Date:   Wed Jan 6 14:20:07 2016 -0800

    Input: gpio-keys - fix check for disabling unsupported keys

    commit 8679ee4204cfd5cf78b996508ccadc1ec6130f1a upstream.

    Commit 4ea14a53d8f881034fa9e186653821c4e3d9a8fb ("Input: gpio-keys - report error when disabling unsupported key") tried to let user know that they attempted to disable an unsupported key, unfortunately the check is wrong as it believes that all codes are invalid. Fix it by ensuring that keys that we try to disable are subset of keys (or switches) that device reports.
    Fixes: 4ea14a53d8f8 ("Input: gpio-keys - report error when disabling unsupported key")
    Reported-by: Ivaylo Dimitrov
    Tested-by: Ivaylo Dimitrov
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit eb3a53c61a395bf25851ea21c2fe3ec53466a67d
Author: Dan Carpenter
Date:   Wed Jan 13 15:21:17 2016 +0300

    Btrfs: clean up an error code in btrfs_init_space_info()

    commit 0dc924c5f2a3c4d999e12feaccee5f970cea1315 upstream.

    If we return 1 here, then the caller treats it as an error and returns -EINVAL. It causes a static checker warning to treat positive returns as an error.

    Fixes: 1aba86d67f34 ('Btrfs: fix easily get into ENOSPC in mixed case')
    Signed-off-by: Dan Carpenter
    Signed-off-by: David Sterba
    Signed-off-by: Greg Kroah-Hartman

commit c1563ca8153ee4c3af507308ed899f10c84f86df
Author: William Breathitt Gray
Date:   Wed May 11 17:01:40 2016 -0400

    isa: Call isa_bus_init before dependent ISA bus drivers register

    commit 32a5a0c047343b11f581f663a2309cf43d13466f upstream.

    The isa_bus_init function must be called before drivers which utilize the ISA bus driver are registered. A race condition for initialization exists if device_initcall is used (the isa_bus_init callback is placed in the same initcall level as dependent drivers which use module_init). This patch ensures that isa_bus_init is called first by utilizing postcore_initcall in favor of device_initcall.

    Fixes: a5117ba7da37 ("[PATCH] Driver model: add ISA bus")
    Cc: Rene Herman
    Signed-off-by: William Breathitt Gray
    Signed-off-by: Greg Kroah-Hartman

commit a9dc0ddf400669e39b8a8f692756247dfcfbb29a
Author: Olaf Hering
Date:   Mon Dec 14 16:01:37 2015 -0800

    Drivers: hv: utils: use memdup_user in hvt_op_write

    commit b00359642c2427da89dc8f77daa2c9e8a84e6d76 upstream.

    Use memdup_user to handle OOM.

    Fixes: 14b50f80c32d ('Drivers: hv: util: introduce hv_utils_transport abstraction')
    Signed-off-by: Olaf Hering
    Signed-off-by: K. Y. Srinivasan
    Signed-off-by: Greg Kroah-Hartman

commit c32532162f8ea4beed50a20cf4f9b205c75fe1b1
Author: Krzysztof Kozlowski
Date:   Thu Jun 16 08:27:36 2016 +0200

    serial: samsung: Fix possible out of bounds access on non-DT platform

    commit 926b7b5122c96e1f18cd20e85a286c7ec8d18c97 upstream.

    On non-DeviceTree platforms, the index of serial device is a static variable incremented on each probe. It is incremented even if deferred probe happens when getting the clock in s3c24xx_serial_init_port().

    This index is used for referencing elements of statically allocated s3c24xx_serial_ports array. In case of re-probe, the index will point outside of this array leading to memory corruption.

    Increment the index only on successful probe.

    Reported-by: Bartlomiej Zolnierkiewicz
    Fixes: b497549a035c ("[ARM] S3C24XX: Split serial driver into core and per-cpu drivers")
    Signed-off-by: Krzysztof Kozlowski
    Signed-off-by: Greg Kroah-Hartman

commit 651bf80028592c0d1c7ad2aa921310ebec9aa0f4
Author: Stephen Boyd
Date:   Fri Mar 25 14:35:49 2016 -0700

    tty: serial: msm: Support more bauds

    commit 98952bf510d0c7cdfc284f098bbf4682dc47bc61 upstream.

    The msm_find_best_baud() function is written with the assumption that the port->uartclk rate is fixed to a particular rate at boot time, but now this driver changes that clk rate at runtime when the baud is changed.

    The way the hardware works is that an input clk rate comes from the clk controller into the uart hw block. That rate is typically 1843200 or 3686400 Hz. That rate can then be divided by an internal divider in the hw block to achieve a particular baud on the serial wire. msm_find_best_baud() is looking for that divider value.

    A few things are wrong with the way the code is written. First, it assumes that the maximum baud that the uart can support if the clk rate is fixed at boot is 460800, which would correspond to an input clk rate of 230400 * 16 == 3686400 Hz.
    Except some devices have a boot rate of 1843200 Hz or max baud of 115200, so achieving 230400 on those devices doesn't work at all because we don't increase the clk rate unless max baud is 460800.

    Second, we can't achieve bauds higher than 460800 that require anything besides a divisor of 1, because we always call msm_find_best_baud() with a fixed port->uartclk rate that will eventually be changed after we calculate the divisor. So if we need to get a baud of 500000, we'll just multiply that by 16 and hope that the clk can give us 500000 * 16 == 8000000 Hz, which it typically can't do. To really achieve 500000 baud, we need to get an input clk rate of 24000000 Hz and then divide that by 3 inside the uart hardware.

    Finally, we return success for bauds even when we can't actually achieve them. This means that when the user asks for 500000 baud, we actually get 921600 right now, but the user doesn't know that.

    Fix all of this by searching through the divisor and clk rate space with a combination of clk_round_rate() and baud calculations, keeping track of the best clk rate and divisor we find if we can't get an exact match. Typically we can get an exact match with a divisor of 1, but sometimes we need to keep track and try more frequencies. On my msm8916 device, this results in all standard bauds in baud_table being supported except for 1800, 576000, 1152000, and 4000000.

    Fixes: 850b37a71bde ("tty: serial: msm: Remove 115.2 Kbps maximum baud rate limitation")
    Cc: "Ivan T. Ivanov"
    Cc: Matthew McClintock
    Signed-off-by: Stephen Boyd
    Tested-by: Srinivas Kandagatla
    Acked-by: Andy Gross
    Acked-by: Bjorn Andersson
    Tested-by: Cristian Prundeanu
    Signed-off-by: Greg Kroah-Hartman

commit 61a2d57491324cd145e23f0cf040f503a9b3f4e4
Author: Simon Wunderlich
Date:   Sun Jun 26 11:16:09 2016 +0200

    batman-adv: replace WARN with rate limited output on non-existing VLAN

    commit 0b3dd7dfb81ad8af53791ea2bb64b83bac1b7d32 upstream.
    If a VLAN tagged frame is received and the corresponding VLAN is not configured on the soft interface, it will splat a WARN on every packet received. This is a quite annoying behaviour for some scenarios, e.g. if bat0 is bridged with eth0, and there are arbitrary VLAN tagged frames from Ethernet coming in without having any VLAN configuration on bat0.

    The code should probably create vlan objects on the fly and transparently transport these VLAN-tagged Ethernet frames, but until this is done, at least the WARN splat should be replaced by a rate limited output.

    Fixes: 354136bcc3c4 ("batman-adv: fix kernel crash due to missing NULL checks")
    Signed-off-by: Simon Wunderlich
    Signed-off-by: Marek Lindner
    Signed-off-by: Sven Eckelmann
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d1fe020cde3316fb812bff8f1cd95842814bad84
Author: Sven Eckelmann
Date:   Tue Nov 3 19:20:34 2015 +0100

    batman-adv: Fix lockdep annotation of batadv_tlv_container_remove

    commit 008a374487070a391c12aa39288fd8511f822cab upstream.

    The function handles tlv containers and not tlv handlers. Thus the lockdep_assert_held has to check for the container_list lock.

    Fixes: 2c72d655b044 ("batman-adv: Annotate deleting functions with external lock via lockdep")
    Signed-off-by: Sven Eckelmann
    Signed-off-by: Marek Lindner
    Signed-off-by: Antonio Quartulli
    Signed-off-by: Greg Kroah-Hartman

commit 5fdfe159630f9984129ce22b2b28ec9553f1e82a
Author: David Ahern
Date:   Wed May 4 21:26:08 2016 -0700

    net: ipv6: tcp reset, icmp need to consider L3 domain

    commit 1d2f7b2d956e242179aaf4a08f3545f99c81f9a3 upstream.

    Responses for packets to unused ports are getting lost with L3 domains.

    IPv4 has ip_send_unicast_reply for sending TCP responses which accounts for L3 domains; update the IPv6 counterpart tcp_v6_send_response. For icmp the L3 master check needs to be moved up in icmp6_send to properly respond to UDP packets to a port with no listener.
    Fixes: ca254490c8df ("net: Add VRF support to IPv6 stack")
    Signed-off-by: David Ahern
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b7bc600b05eb619120217a9d637c6baf122eb97d
Author: Sowmini Varadhan
Date:   Mon May 2 11:24:51 2016 -0700

    RDS:TCP: Synchronize rds_tcp_accept_one with rds_send_xmit when resetting t_sock

    commit eb192840266fab3e3da644018121eed30153355d upstream.

    There is a race condition between rds_send_xmit -> rds_tcp_xmit and the code that deals with resolution of duelling syns added by commit 241b271952eb ("RDS-TCP: Reset tcp callbacks if re-using an outgoing socket in rds_tcp_accept_one()").

    Specifically, we may end up dereferencing a null pointer in rds_send_xmit if we have the interleaving sequence:

    rds_tcp_accept_one                  rds_send_xmit

                                        conn is RDS_CONN_UP, so
                                        invoke rds_tcp_xmit

                                        tc = conn->c_transport_data
    rds_tcp_restore_callbacks
        /* reset t_sock */
                                        null ptr deref from tc->t_sock

    The race condition can be avoided without adding the overhead of additional locking in the xmit path: have rds_tcp_accept_one wait for rds_tcp_xmit threads to complete before resetting callbacks. The synchronization can be done in the same manner as rds_conn_shutdown(). First set the rds_conn_state to something other than RDS_CONN_UP (so that new threads cannot get into rds_tcp_xmit()), then wait for RDS_IN_XMIT to be cleared in the conn->c_flags indicating that any threads in rds_tcp_xmit are done.

    Fixes: 241b271952eb ("RDS-TCP: Reset tcp callbacks if re-using an outgoing socket in rds_tcp_accept_one()")
    Signed-off-by: Sowmini Varadhan
    Acked-by: Santosh Shilimkar
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 56cc1c9c99c423e52a31a1251f1e40e521a65bc8
Author: Eric Dumazet
Date:   Thu Feb 11 08:58:18 2016 -0800

    tcp: do not set rtt_min to 1

    commit 372022830b06d9980c7e8b41fa0a4081cff883b0 upstream.

    There are some cases where rtt_us derives from deltas of jiffies, instead of using usec timestamps.
Since we want to track minimal rtt, better to assume a delta of 0 jiffie might in fact be very close to 1 jiffie. It is kind of sad jiffies_to_usecs(1) calls a function instead of simply using a constant. Fixes: f672258391b42 ("tcp: track min RTT using windowed min-filter") Signed-off-by: Eric Dumazet Signed-off-by: Neal Cardwell Cc: Yuchung Cheng Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 25151bae5780de2ba9149fcbb8302fadd9ace129 Author: Johannes Weiner Date: Thu Jan 14 15:20:59 2016 -0800 net: tcp_memcontrol: properly detect ancestor socket pressure commit 8c2c2358b236530bc2c79b4c2a447cbdbc3d96d7 upstream. When charging socket memory, the code currently checks only the local page counter for excess to determine whether the memcg is under socket pressure. But even if the local counter is fine, one of the ancestors could have breached its limit, which should also force this child to enter socket pressure. This currently doesn't happen. Fix this by using page_counter_try_charge() first. If that fails, it means that either the local counter or one of the ancestors are in excess of their limit, and the child should enter socket pressure. Fixes: 3e32cb2e0a12 ("mm: memcontrol: lockless page counters") Signed-off-by: Johannes Weiner Acked-by: David S. Miller Reviewed-by: Vladimir Davydov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7893f7289884251a3bb7c83e31a29093f4401c15 Author: Yotam Gigi Date: Tue Oct 4 09:46:04 2016 +0200 mlxsw: spectrum: Fix misuse of hard_header_len commit feb7d387a6cf6c1ec66d4a2b6d4b2cc52309876e upstream. In order to specify that the mlxsw spectrum driver needs additional headroom for packets, there has been use of the hard_header_len field of the netdevice struct. This commit changes that to use needed_headroom instead, as this is the correct way to do that.
Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by: Yotam Gigi Acked-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 32cff698d06fa6a91c12147276f3727da81320f3 Author: Ido Schimmel Date: Fri Jul 15 11:14:59 2016 +0200 mlxsw: spectrum: Indicate support for autonegotiation commit c3f1576810affced47684e04a08c1ffa845144c9 upstream. The device supports link autonegotiation, so let the user know about it by indicating support via ethtool ops. Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0398b2f34d118a558e55228f928e991202eaa492 Author: Nogah Frankel Date: Fri Jun 17 15:09:05 2016 +0200 mlxsw: spectrum: Don't count internal TX header bytes to stats commit 63dcdd35c1552ca0c911e98ba3389a0729a457f4 upstream. Stop the SW TX counter from counting the TX header bytes since they are not being sent out. Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Reviewed-by: Ido Schimmel Signed-off-by: Nogah Frankel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4d1809cb8877a843ac4b83936450048a714e5802 Author: Ido Schimmel Date: Wed Jan 27 15:20:20 2016 +0100 mlxsw: spectrum: Disable learning according to STP state commit 454911333b1d86e1d58a557be271bc6b7e9e7f10 upstream. When port is put into LISTENING state it shouldn't populate the FDB, so set the port's STP state in hardware to DISCARDING instead of LEARNING. It will therefore keep listening to BPDU packets, but discard other non-control packets and won't perform any learning. Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit 2b4ff0796f291ef4dae7df42d0e24c37e0fdb3c5 Author: Ido Schimmel Date: Wed Jan 27 15:20:19 2016 +0100 mlxsw: spectrum: Don't forward packets when STP state is DISABLED commit 9cb026ebb8ab76829a8d8e4bbd057168ac38fb86 upstream. When STP state is set to DISABLED the port is assumed to be inactive, but currently we forward packets ingressing through it. Instead, set the port's STP state in hardware to DISCARDING, which means it doesn't forward packets or perform any learning, but it does trap control packets. However, these packets will be dropped by bridge code, which results in the expected behavior. Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0da087ed04ebeb42651f5b535d2dc411a836b7b1 Author: Honggang Li Date: Mon May 23 08:32:09 2016 +0800 RDMA/cxgb3: device driver frees DMA memory with different size commit 0de4cbb3dddca35ecd06b95918f38439c9c6401f upstream. 
[ 598.852037] ------------[ cut here ]------------ [ 598.856698] WARNING: at lib/dma-debug.c:887 check_unmap+0xf8/0x920() [ 598.863079] cxgb3 0000:01:00.0: DMA-API: device driver frees DMA memory with different size [device address=0x0000000003310000] [map size=17 bytes] [unmap size=16 bytes] [ 598.878265] Modules linked in: xprtrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_sa ib_mad kvm_amd kvm ipmi_devintf ipmi_ssif dcdbas pcspkr ipmi_si sg ipmi_msghandler acpi_power_meter amd64_edac_mod shpchp edac_core sp5100_tco k10temp edac_mce_amd i2c_piix4 acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_common ata_generic iw_cxgb3 pata_acpi ib_core ib_addr mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm pata_atiixp drm ahci libahci serio_raw i2c_core cxgb3 libata bnx2 mdio dm_mirror dm_region_hash dm_log dm_mod [ 598.946822] CPU: 3 PID: 11820 Comm: cmtime Not tainted 3.10.0-327.el7.x86_64.debug #1 [ 598.954681] Hardware name: Dell Inc. PowerEdge R415/0GXH08, BIOS 2.0.2 10/22/2012 [ 598.962193] ffff8808077479a8 000000000381a432 ffff880807747960 ffffffff81700918 [ 598.969663] ffff880807747998 ffffffff8108b6c0 ffff880807747a80 ffff8808063f55c0 [ 598.977132] ffffffff833ca850 0000000000000282 ffff88080b1bb800 ffff880807747a00 [ 598.984602] Call Trace: [ 598.987062] [] dump_stack+0x19/0x1b [ 598.992224] [] warn_slowpath_common+0x70/0xb0 [ 598.998254] [] warn_slowpath_fmt+0x5c/0x80 [ 599.004033] [] check_unmap+0xf8/0x920 [ 599.009369] [] ? 
sched_clock+0x9/0x10 [ 599.014702] [] debug_dma_free_coherent+0x7e/0xa0 [ 599.021008] [] cxio_destroy_cq+0xcc/0x160 [iw_cxgb3] [ 599.027654] [] iwch_destroy_cq+0xf0/0x140 [iw_cxgb3] [ 599.034307] [] ib_destroy_cq+0x1e/0x30 [ib_core] [ 599.040601] [] ib_uverbs_close+0x302/0x4d0 [ib_uverbs] [ 599.047417] [] __fput+0x102/0x310 [ 599.052401] [] ____fput+0xe/0x10 [ 599.057297] [] task_work_run+0xb4/0xe0 [ 599.062719] [] do_exit+0x304/0xc60 [ 599.067789] [] ? native_sched_clock+0x35/0x80 [ 599.073820] [] ? sched_clock+0x9/0x10 [ 599.079153] [] ? _raw_spin_unlock_irq+0x2c/0x50 [ 599.085358] [] do_group_exit+0x4c/0xc0 [ 599.090779] [] get_signal_to_deliver+0x2e1/0x960 [ 599.097071] [] do_signal+0x57/0x6e0 [ 599.102229] [] ? sysret_signal+0x5/0x4e [ 599.107738] [] do_notify_resume+0x5f/0xb0 [ 599.113418] [] int_signal+0x12/0x17 [ 599.118576] ---[ end trace 1e4653102e7e7019 ]--- [ 599.123211] Mapped at: [ 599.125577] [] debug_dma_alloc_coherent+0x2b/0x80 [ 599.131968] [] cxio_create_cq+0xf2/0x1f0 [iw_cxgb3] [ 599.139920] [] iwch_create_cq+0x105/0x4e0 [iw_cxgb3] [ 599.147895] [] create_cq.constprop.14+0x184/0x2e0 [ib_uverbs] [ 599.156649] [] ib_uverbs_create_cq+0x10b/0x140 [ib_uverbs] Fixes: b955150ea784 ('RDMA/cxgb3: When a user QP is marked in error, also mark the CQs in error') Signed-off-by: Honggang Li Reviewed-by: Leon Romanovsky Reviewed-by: Steve Wise Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit bf91224b2da8527d1ab5846c4f6881f51fe7d753 Author: Chuck Lever Date: Mon Feb 15 10:23:59 2016 -0500 xprtrdma: rpcrdma_bc_receive_call() should init rq_private_buf.len commit 9f74660bcf1e4cca577be99e54bc77b5df62b508 upstream. Some NFSv4.1 OPEN requests were hanging waiting for the NFS server to finish recalling delegations. Turns out that each NFSv4.1 CB request on RDMA gets a GARBAGE_ARGS reply from the Linux client. 
Commit 756b9b37cfb2e3dc added a line in bc_svc_process that overwrites the incoming rq_rcv_buf's length with the value in rq_private_buf.len. But rpcrdma_bc_receive_call() does not invoke xprt_complete_bc_request(), thus rq_private_buf.len is not initialized. svc_process_common() is invoked with a zero-length RPC message, and fails. Fixes: 756b9b37cfb2e3dc ('SUNRPC: Fix callback channel') Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit da65456fe6bb42ce487e7170ec8b9e653feabec4 Author: Chuck Lever Date: Wed Dec 16 17:22:14 2015 -0500 xprtrdma: xprt_rdma_free() must not release backchannel reqs commit ffc4d9b1596c34caa98962722e930e97912c8a9f upstream. Preserve any rpcrdma_req that is attached to rpc_rqst's allocated for the backchannel. Otherwise, after all the pre-allocated backchannel req's are consumed, incoming backward calls start writing on freed memory. Somehow this hunk got lost. Fixes: f531a5dbc451 ('xprtrdma: Pre-allocate backward rpc_rqst') Signed-off-by: Chuck Lever Tested-by: Devesh Sharma Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit 88a295dfa2d86c54cce0f3872c0cf3478e978dc8 Author: Chuck Lever Date: Wed Dec 16 17:22:06 2015 -0500 xprtrdma: Fix additional uses of spin_lock_irqsave(rb_lock) commit 9b06688bc3b9f13f8de90f832c455fddec3d4e8a upstream. Clean up. rb_lock critical sections added in rpcrdma_ep_post_extra_recv() should have first been converted to use normal spin_lock now that the reply handler is a work queue. The backchannel set up code should use the appropriate helper instead of open-coding a rb_recv_bufs list add. Problem introduced by glib patch re-ordering on my part. 
Fixes: f531a5dbc451 ('xprtrdma: Pre-allocate backward rpc_rqst') Signed-off-by: Chuck Lever Tested-by: Devesh Sharma Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit f3c70430d82619889a0404631b6dd80a8a551a82 Author: Dan Carpenter Date: Thu Nov 5 11:39:52 2015 +0300 xprtrdma: checking for NULL instead of IS_ERR() commit abfb689711aaebd14d893236c6ea4bcdfb61e74c upstream. The rpcrdma_create_req() function returns error pointers or success. It never returns NULL. Fixes: f531a5dbc451 ('xprtrdma: Pre-allocate backward rpc_rqst and send/receive buffers') Signed-off-by: Dan Carpenter Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit dc4f0e1cf9ab8ad370117c2137301a24dff500e1 Author: Raja Mani Date: Thu Mar 10 10:25:07 2016 +0530 ath10k: free cached fw bin contents when get board id fails commit b9c191be3fbdd9d78be11160dd7a3ddb9fdc6d42 upstream. ath10k_core_probe_fw() simply returns error without freeing cached firmware file content when get board id operation fails. Free cached fw bin data in failure case to avoid memory leak. Fixes: db0984e51a18 ("ath10k: select board data based on BMI chip id and board id") Signed-off-by: Raja Mani Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit db05a639e4137ef5d56dcb173bde229d29915561 Author: Boris Brezillon Date: Mon Nov 23 11:23:07 2015 +0100 mtd: nand: fix ONFI parameter page layout commit de64aa9ec129ba627634088f662a4d09e356ddb6 upstream. src_ssync_features field is only 1 byte large, and the 4th reserved area is actually 8 bytes large. Fixes: d1e1f4e42b5 ("mtd: nand: add support for reading ONFI parameters from NAND device") Signed-off-by: Boris Brezillon Signed-off-by: Brian Norris Signed-off-by: Greg Kroah-Hartman commit 7ec2c637a9cac502983f0e0f81c88f5620f14ac4 Author: Eric Dumazet Date: Thu Jun 30 16:13:41 2016 +0200 bonding: prevent out of bound accesses commit f87fda00b6ed232a817c655b8d179b48bde8fdbe upstream. 
ether_addr_equal_64bits() requires some care about its arguments, namely that 8 bytes might be read, even if last 2 byte values are not used. KASan detected a violation with null_mac_addr and lacpdu_mcast_addr in bond_3ad.c Same problem with mac_bcast[] and mac_v6_allmcast[] in bond_alb.c : Although the 8-byte alignment was there, KASan would detect out of bound accesses. Fixes: 815117adaf5b ("bonding: use ether_addr_equal_unaligned for bond addr compare") Fixes: bb54e58929f3 ("bonding: Verify RX LACPDU has proper dest mac-addr") Fixes: 885a136c52a8 ("bonding: use compare_ether_addr_64bits() in ALB") Signed-off-by: Eric Dumazet Reported-by: Dmitry Vyukov Acked-by: Dmitry Vyukov Acked-by: Nikolay Aleksandrov Acked-by: Ding Tianhong Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9fe690a428abf54e0fe7238cf65dee8f99b189da Author: Johan Hovold Date: Thu Nov 3 18:40:19 2016 +0100 phy: fix device reference leaks commit 17ae1c650c1ecf8dc8e16d54b0f68a345965f43f upstream. Make sure to drop the reference taken by bus_find_device_by_name() before returning from phy_connect() and phy_attach(). Note that both functions still take a reference to the phy device through phy_attach_direct(). Fixes: e13934563db0 ("[PATCH] PHY Layer fixup") Cc: Florian Fainelli Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7f04269dbdbb046acea06423747b321cdc3ebf0d Author: phil.turnbull@oracle.com Date: Thu Sep 15 12:41:44 2016 -0400 irda: Free skb on irda_accept error path. commit 8ab86c00e349cef9fb14719093a7f198bcc72629 upstream. skb is not freed if newsk is NULL. Rework the error path so free_skb is unconditionally called on function exit. Fixes: c3ea9fa27413 ("[IrDA] af_irda: IRDA_ASSERT cleanups") Signed-off-by: Phil Turnbull Signed-off-by: David S.
Miller Signed-off-by: Greg Kroah-Hartman commit 0140d7ebea98ab6c166b13e38357b78026ec4dce Author: Jiri Kosina Date: Tue Mar 15 11:28:54 2016 +0100 btrfs: cleaner_kthread() doesn't need explicit freeze commit 838fe1887765f4cc679febea60d87d2a06bd300e upstream. cleaner_kthread() is not marked freezable, and therefore calling try_to_freeze() in its context is a pointless no-op. In addition to that, as has been clearly demonstrated by 80ad623edd2d ("Revert "btrfs: clear PF_NOFREEZE in cleaner_kthread()"), it's perfectly valid / legal for cleaner_kthread() to stay scheduled out in an arbitrary place during suspend (in that particular example that was waiting for reading of extent pages), so there is no need to leave any traces of freezer in this kthread. Fixes: 80ad623edd2d ("Revert "btrfs: clear PF_NOFREEZE in cleaner_kthread()") Fixes: 696249132158 ("btrfs: clear PF_NOFREEZE in cleaner_kthread()") Signed-off-by: Jiri Kosina Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 3b7d90c569dd2347d6f6ba4d2b150fa3fa8a6f25 Author: WANG Cong Date: Wed Jun 1 16:15:19 2016 -0700 sch_tbf: update backlog as well commit 8d5958f424b62060a8696b12c17dad198d5d386f upstream. Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0592391127dfbd79f3db347fb05c5a59eb71abc1 Author: WANG Cong Date: Sun Sep 18 16:22:48 2016 -0700 sch_sfb: keep backlog updated with qlen commit 3d4357fba82b3cf19ebf0a04d1c9cb086af15d02 upstream. Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7d0d7b3e4dce733e3106bc2287e89360ad4ce2fc Author: WANG Cong Date: Sun Sep 18 16:22:47 2016 -0700 sch_qfq: keep backlog updated with qlen commit 2ed5c3f09627f72a2e0e407a86b2ac05494190f9 upstream. 
Reported-by: Stas Nichiporovich Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fc176c6e5905490c544a0798085b0d482245670a Author: WANG Cong Date: Wed Jun 1 16:15:16 2016 -0700 sch_prio: update backlog as well commit 6529d75ad9228f4d8a8f6c5c5244ceb945ac9bc2 upstream. We need to update backlog too when we update qlen. Joint work with Stas. Reported-by: Stas Nichiporovich Tested-by: Stas Nichiporovich Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b8cf532fa7cf6e637ee96bb720bdd7ebab4892c1 Author: WANG Cong Date: Wed Jun 1 16:15:15 2016 -0700 sch_hfsc: always keep backlog updated commit 357cc9b4a8a7a0cd0e662537b76e6fa4670b6798 upstream. hfsc updates backlog lazily, that is only when we dump the stats. This is problematic after we begin to update backlog in qdisc_tree_reduce_backlog(). Reported-by: Stas Nichiporovich Tested-by: Stas Nichiporovich Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f08f4d40dcb4dd3d818b195712d44b03fac57011 Author: WANG Cong Date: Wed Jun 1 16:15:17 2016 -0700 sch_drr: update backlog as well commit 6a73b571b63075ef408c83f07c2565b5652f93cc upstream. Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 76684c7647f5f25c89f1dcc86f4f04a515e46580 Author: WANG Cong Date: Fri Jun 3 15:05:57 2016 -0700 net_sched: keep backlog updated with qlen commit a27758ffaf96f89002129eedb2cc172d254099f8 upstream. For gso_skb we only update qlen, backlog should be updated too. 
Note, it is correct to just update these stats at one layer, because the gso_skb is cached there. Reported-by: Stas Nichiporovich Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit aa060f503da2ed45dec1844ae91d0934d9eed992 Author: Matthew Finlay Date: Thu Jun 30 17:34:47 2016 +0300 net/mlx5e: Copy all L2 headers into inline segment commit e3a19b53cbb0e6738b7a547f262179065b72e3fa upstream. ConnectX4-Lx uses an inline wqe mode that currently defaults to requiring the entire L2 header be included in the wqe. This patch fixes mlx5e_get_inline_hdr_size() to account for all L2 headers (VLAN, QinQ, etc) using skb_network_offset(skb). Fixes: e586b3b0baee ("net/mlx5: Ethernet Datapath files") Signed-off-by: Matthew Finlay Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 712efcaeba69c66ad943107296c4b1b6bc5e8ce9 Author: Mohamad Haj Yahia Date: Thu Aug 18 21:09:04 2016 +0300 net/mlx5: Fix pci error recovery flow commit 1061c90f524963a0a90e7d2f9a6bfa666458af51 upstream. When PCI error is detected we should save the state of the pci prior to disabling it. Also when receiving pci slot reset call we need to verify that the device is responsive. Fixes: 89d44f0a6c73 ('net/mlx5_core: Add pci error handlers to mlx5_core driver') Signed-off-by: Mohamad Haj Yahia Signed-off-by: Greg Kroah-Hartman Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller commit b50cee2cfdf61ac835c0435553b98a387201ee94 Author: Mohamad Haj Yahia Date: Thu Jun 30 17:34:43 2016 +0300 net/mlx5: Add timeout handle to commands with callback commit 65ee67084589c1783a74b4a4a5db38d7264ec8b5 upstream. The current implementation does not handle timeout in case of command with callback request, and this can lead to deadlock if the command doesn't get fw response. Add delayed callback timeout work before posting the command to fw. 
In case of real fw command completion we will cancel the delayed work. In case of fw command timeout the callback timeout handler will be called and it will simulate fw completion with timeout error. Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters') Signed-off-by: Mohamad Haj Yahia Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0cdcfc149c573f4ab0ace699ef273e6b54cbd807 Author: Mohamad Haj Yahia Date: Thu Jun 30 17:34:42 2016 +0300 net/mlx5: Fix potential deadlock in command mode change commit 9cba4ebcf374c3772f6eb61f2d065294b2451b49 upstream. Call command completion handler in case of timeout when working in interrupts mode. Avoid flushing the commands workqueue after acquiring the semaphores to prevent a potential deadlock. Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters') Signed-off-by: Mohamad Haj Yahia Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 03184b1b389c1dd3aefa1ab94a684c3f832f7a1a Author: Daniel Jurgens Date: Thu Jun 30 17:34:41 2016 +0300 net/mlx5: Fix wait_vital for VFs and remove fixed sleep commit d57847dc4177c6fd8d950cb533f5edf0eab45b11 upstream. The device ID for VFs is in a different location than PFs. This results in the poll always timing out for VFs. There's no good way to read the VF device ID without using the PF's configuration space. Switch to waiting for the health poll to start incrementing. Also remove the 1s sleep at the beginning. fixes: 89d44f0a6c73 ('net/mlx5_core: Add pci error handlers to mlx5_core driver') Signed-off-by: Daniel Jurgens Signed-off-by: Greg Kroah-Hartman Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller commit 04391e1040b6cd51e3b449a6268f6d925b1c9ee9 Author: Mohamad Haj Yahia Date: Thu Jun 30 17:34:39 2016 +0300 net/mlx5: Avoid calling sleeping function by the health poll thread commit c1d4d2e92ad670168a17a57dfa182a5a5baa72d4 upstream. 
In internal error state the health poll thread will eventually call synchronize_irq() (to safely trigger command completions) which might sleep, so we are calling sleeping function from atomic context which is invalid. Here we move trigger_cmd_completions(dev) to enter error state which is the earliest stage in error state handling. This way we won't need to wait for next health poll to trigger command completions and will solve the scheduling while atomic issue. mlx5_enter_error_state can be called from two contexts, protect it with dev->intf_state_lock Fixes: 89d44f0a6c73 ('net/mlx5_core: Add pci error handlers to mlx5_core driver') Signed-off-by: Mohamad Haj Yahia Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3cfb2ed799768b7b666b1e332c27eedd5272e8d3 Author: Wang Sheng-Hui Date: Fri Jun 24 08:52:11 2016 +0800 net/mlx5: use mlx5_buf_alloc_node instead of mlx5_buf_alloc in mlx5_wq_ll_create commit f299a02d5f13c4deb52c1a7ddf2b42630fe6294a upstream. Commit 311c7c71c9bb ("net/mlx5e: Allocate DMA coherent memory on reader NUMA node") introduced mlx5_*_alloc_node() but missed changing some calling and warn messages. This patch introduces 2 changes: * Use mlx5_buf_alloc_node() instead of mlx5_buf_alloc() in mlx5_wq_ll_create() * Update the failure warn messages with _node postfix for mlx5_*_alloc function names Fixes: 311c7c71c9bb ("net/mlx5e: Allocate DMA coherent memory on reader NUMA node") Signed-off-by: Wang Sheng-Hui Acked-By: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1ce6993b857318a4b8c674b1bbaaf79aced34136 Author: Eli Cohen Date: Fri Jun 10 00:07:40 2016 +0300 net/mlx5e: Fix blue flame quota logic commit 0ca00fc1f808602137dc6d51f17747b3bb0fc34d upstream. Blue flame is a latency enhancement feature that allows the driver to write the packet data directly to the NIC's registers thus making the read of the packet data from host memory redundant. 
We maintain a quota for the blue flame which is reloaded whenever we identify that the hardware is processing send requests and processes them fast enough so by the time we post the next send request it was able to process all the pending ones. This indicates that the hardware is capable of processing more blue flame requests efficiently. The blue flame quota is decremented whenever we send using blue flame. The current code erroneously clears the budget if we did not use blue flame for the current post send operation and we fix it here. Fixes: 88a85f99e51f ('net/mlx5e: TX latency optimization to save DMA reads') Signed-off-by: Eli Cohen Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9d1cc4917ccfb0372ed5c8c12954e8542bf568b9 Author: Majd Dibbiny Date: Fri Jun 10 00:07:29 2016 +0300 net/mlx5: Fix masking of reserved bits in XRCD number commit 9cd3411c42c5d5ba55d6e745edfe7df53c1ffa41 upstream. Mask the reserved bits when reading the number of newly created XRCD. Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters') Signed-off-by: Majd Dibbiny Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 28e5545adea82108ce9778e03484646649d9312a Author: Majd Dibbiny Date: Fri Jun 10 00:07:28 2016 +0300 net/mlx5: Fix the size of modify QP mailbox commit 418f8399a8bedf376ec13eb01088f04a76ebdd6f upstream. Add 16 reserved bytes at the end of mlx5_modify_qp_mbox_in to match the hardware spec definition. Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters') Signed-off-by: Majd Dibbiny Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e386a748a14aba831e3846742aa3b783ef3d1f40 Author: Rana Shahout Date: Fri Apr 22 00:33:01 2016 +0300 net/mlx5e: Fix MLX5E_100BASE_T define commit 6e4c21894673baabdbef03c3ac2458a28246128b upstream. 
Bit 25 of eth_proto_capability in PTYS register is 1000Base-TT and not 100Base-T. Fixes: f62b8bb8f2d3 ('net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality') Signed-off-by: Rana Shahout Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7d4d0cd6198770541035e85e4cd51a2a02eb6613 Author: Eran Ben Elisha Date: Sat Jun 4 15:15:30 2016 +0300 IB/mlx5: Fix FW version diaplay in sysfs commit c0fcebf55289c48148992eee002a7caf853a5358 upstream. Add a 4-digit padding to show FW version in proper format. Fixes: 9603b61de1eee ('mlx5: Move pci device handling from...') Signed-off-by: Eran Ben Elisha Signed-off-by: Noa Osherovich Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit dd83b921af916d59634c0ea959391dfa3ae12ab4 Author: Or Gerlitz Date: Wed Mar 2 00:13:39 2016 +0200 net/mlx5: Make command timeout way shorter commit 6b6c07bdcdc97ccac2596063bfc32a5faddfe884 upstream. The command timeout is terribly long, whole two hours. Make it 60s so if things do go wrong, the user gets feedback in relatively short time, so they can take corrective actions and/or investigate using tools and such. Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters') Signed-off-by: Or Gerlitz Signed-off-by: Leon Romanovsky Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 74937a83b2b00a48b4f55761e461ae0f85cd1276 Author: Leon Romanovsky Date: Thu Feb 11 21:09:57 2016 +0200 IB/mlx5: Fix RC transport send queue overhead computation commit 75c1657e1d50730dc0130a67977f7831a4e241f4 upstream. Fix the RC QPs send queue overhead computation to take into account two additional segments in the WQE which are needed for registration operations. The ATOMIC and UMR segments can't coexist together, so choose the maximum out of them.
The commit 9e65dc371b5c ("IB/mlx5: Fix RC transport send queue overhead computation") was intended to update RC transport as the commit message states, but added the code to UC transport. Fixes: 9e65dc371b5c ("IB/mlx5: Fix RC transport send queue overhead computation") Signed-off-by: Kamal Heib Signed-off-by: Leon Romanovsky Reviewed-by: Sagi Grimberg Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit 7955b3993b7e17dcf66b1a8d5ffabd898eccbb29 Author: Noa Osherovich Date: Tue Oct 25 18:36:35 2016 +0300 net/mlx5: Avoid passing dma address 0 to firmware commit 6b276190c50a12511d889d9079ffb901ff94a822 upstream. Currently the firmware can't work with a page with dma address 0. Passing such an address to the firmware will cause the give_pages command to fail. To avoid this, in case we get a 0 dma address of a page from the dma engine, we avoid passing it to FW by remapping to get an address other than 0. Fixes: bf0bf77f6519 ('mlx5: Support communicating arbitrary host...') Signed-off-by: Noa Osherovich Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 565993e288f0b2067d03640315a498baac11c5b1 Author: Peter Griffin Date: Thu Mar 24 08:23:52 2016 -0300 c8sectpfe: Rework firmware loading mechanism commit c23ac90f78aa9190643c82c1975a0cfe480d7c60 upstream. c8sectpfe driver relied on CONFIG_FW_LOADER_USER_HELPER_FALLBACK option for loading its xp70 firmware. A previous commit removed this Kconfig option, as it is apparently harmful, but did not update the driver code which relied on it. This patch reworks the firmware loading into the start_feed callback. At this point we can be sure the rootfs is present, thereby removing the dependency on CONFIG_FW_LOADER_USER_HELPER_FALLBACK.
Fixes: 79f5b6ae960d ('[media] c8sectpfe: Remove select on CONFIG_FW_LOADER_USER_HELPER_FALLBACK') Signed-off-by: Peter Griffin Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 26b056e9fcfbfa5b798fdfa5dc9363532437a3e4 Author: Brian Norris Date: Wed Dec 9 14:50:28 2015 -0800 firmware: actually return NULL on failed request_firmware_nowait() commit 715780ae4bb76d6fd2f20eb78e2a9ba9769a6cdc upstream. The kerneldoc for request_firmware_nowait() says that it may call the provided cont() callback with @fw == NULL, if the firmware request fails. However, this is not the case when called with an empty string (""). This case is short-circuited by the 'name[0] == '\0'' check introduced in commit 471b095dfe0d ("firmware_class: make sure fw requests contain a name"), so _request_firmware() never gets to set the fw to NULL. Noticed while using the new 'trigger_async_request' testing hook: # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request [10553.726178] test_firmware: loading '' [10553.729859] test_firmware: loaded: 995209091 # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request [10733.676184] test_firmware: loading '' [10733.679855] Unable to handle kernel NULL pointer dereference at virtual address 00000004 [10733.687951] pgd = ec188000 [10733.690655] [00000004] *pgd=00000000 [10733.694240] Internal error: Oops: 5 [#1] SMP ARM [10733.698847] Modules linked in: btmrvl_sdio btmrvl bluetooth sbs_battery nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables asix usbnet mwifiex_sdio mwifiex cfg80211 jitterentropy_rng drbg joydev snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async ppp_generic slhc tun [10733.725670] CPU: 0 PID: 6600 Comm: bash Not tainted 4.4.0-rc4-00351-g63d0877 #178 [10733.733137] Hardware name: Rockchip (Device Tree) [10733.737831] task: ed24f6c0 ti: ee322000 task.ti: ee322000 [10733.743222] PC is at do_raw_spin_lock+0x18/0x1a0 [10733.747831] LR is at 
_raw_spin_lock+0x18/0x1c [10733.752180] pc : [] lr : [] psr: a00d0013 [10733.752180] sp : ee323df8 ip : ee323e20 fp : ee323e1c [10733.763634] r10: 00000051 r9 : b6f18000 r8 : ee323f80 [10733.768847] r7 : c089cebc r6 : 00000001 r5 : 00000000 r4 : ec0e6000 [10733.775360] r3 : dead4ead r2 : c06bd140 r1 : eef913b4 r0 : 00000000 [10733.781874] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none [10733.788995] Control: 10c5387d Table: 2c18806a DAC: 00000051 [10733.794728] Process bash (pid: 6600, stack limit = 0xee322218)
[10733.943664] [] (do_raw_spin_lock) from [] (_raw_spin_lock+0x18/0x1c) [10733.951743] [] (_raw_spin_lock) from [] (fw_free_buf+0x24/0x64) [10733.959388] [] (fw_free_buf) from [] (release_firmware+0x68/0x74) [10733.967207] [] (release_firmware) from [] (trigger_async_request_store+0x60/0x124) [10733.976501] [] (trigger_async_request_store) from [] (dev_attr_store+0x28/0x34) [10733.985533] [] (dev_attr_store) from [] (sysfs_kf_write+0x4c/0x58) [10733.993437] [] (sysfs_kf_write) from [] (kernfs_fop_write+0x144/0x1a8) [10734.001689] [] (kernfs_fop_write) from [] (__vfs_write+0x3c/0xe4) After this patch: # printf '\x00' > /sys/devices/virtual/misc/test_firmware/trigger_async_request [ 32.126322] test_firmware: loading '' [ 32.129995] test_firmware: failed to async load firmware -bash: printf: write error: No such device Fixes: 471b095dfe0d ("firmware_class: make sure fw requests contain a name") Signed-off-by: Brian Norris Acked-by: Ming Lei Acked-by: Kees Cook Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman commit 91e5d3fbb0323e9d7befc6bdc3082f85523466ab Author: Alexey Kardashevskiy Date: Wed Jun 26 12:37:46 2019 +1000 powerpc/pci/of: Parse unassigned resources commit dead1c845dbe97e0061dae2017eaf3bd8f8f06ee upstream. The pseries platform uses the PCI_PROBE_DEVTREE method of PCI probing which reads "assigned-addresses" of every PCI device and initializes the device resources. However if the property is missing or zero sized, then there is no fallback of any kind and the PCI resources remain undiscovered, i.e. pdev->resource[] array remains empty. This adds a fallback which parses the "reg" property in pretty much same way except it marks resources as "unset" which later make Linux assign those resources proper addresses. This has an effect when: 1. a hypervisor failed to assign any resource for a device; 2.
/chosen/linux,pci-probe-only=0 is in the DT so the system may try assigning a resource. Neither is likely to happen under PowerVM. Signed-off-by: Alexey Kardashevskiy Signed-off-by: Michael Ellerman Cc: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 21fbc1a1334af28f513de03db3ff970b970abd7c Author: Alexander Duyck Date: Tue Apr 5 09:13:39 2016 -0700 GRE: Disable segmentation offloads w/ CSUM and we are encapsulated via FOU commit a0ca153f98db8cf25298565a09e11fe9d82846ad upstream. This patch fixes an issue I found in which we were dropping frames if we had enabled checksums on GRE headers that were encapsulated by either FOU or GUE. Without this patch I was barely able to get 1 Gb/s of throughput. With this patch applied I am now at least getting around 6 Gb/s. The issue is due to the fact that with FOU or GUE applied we do not provide a transport offset pointing to the GRE header, nor do we offload it in software as the GRE header is completely skipped by GSO and treated like a VXLAN or GENEVE type header. As such we need to prevent the stack from generating it and also prevent GRE from generating it via any interface we create. Fixes: c3483384ee511 ("gro: Allow tunnel stacking in the case of FOU/GUE") Signed-off-by: Alexander Duyck Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 96edfba59c27f0454ac6da080245dff1d996e986 Author: Nicolas Dichtel Date: Mon Jun 13 10:31:04 2016 +0200 ovs/gre,geneve: fix error path when creating an iface commit 106da663ff495e0aea3ac15b8317aa410754fcac upstream. After ipgre_newlink()/geneve_configure() call, the netdev is registered. Fixes: 7e059158d57b ("vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices") CC: David Wragg Signed-off-by: Nicolas Dichtel Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit e01128e3cef06652fe39797cc24bb5b3c90bbf5d Author: Matan Barak Date: Thu Jan 14 17:47:02 2016 +0200 IB/mlx4: Initialize hop_limit when creating address handle commit 4e4081673445485aa6bc90383bdb83e7a96cc48a upstream. Hop limit value wasn't copied from attributes when ah was created. This may influence packets for unconnected services to get dropped in routers when endpoints are not in the same subnet. Fixes: fa417f7b520e ("IB/mlx4: Add support for IBoE") Signed-off-by: Matan Barak Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit 4ec565c2eee0c9031fc87868643356d94a961a69 Author: Ido Schimmel Date: Mon Feb 15 13:19:53 2016 +0100 mlxsw: Treat local port 64 as valid commit 1e5ad30c649a82a062ce79a87c1296e6c6f328c2 upstream. MLXSW_PORT_MAX_PORTS represents the maximum number of local ports, which is 65 for both ASICs (SwitchX-2 and Spectrum) supported by this driver. Fixes: 93c1edb27f9e ("mlxsw: Introduce Mellanox switch driver core") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0e15fa1883ea33872ab633698fa360bdb1780bf4 Author: Franky Lin Date: Thu Jun 2 02:00:27 2016 -0700 brcmfmac: add eth_type_trans back for PCIe full dongle commit 31143e2933d1675c4c1ba6ce125cdd95870edd85 upstream. A regression was introduced in commit 9c349892ccc9 ("brcmfmac: revise handling events in receive path") which moves eth_type_trans() call to brcmf_rx_frame(). Msgbuf layer doesn't use brcmf_rx_frame() but invokes brcmf_netif_rx() directly. In such case the Ethernet header was not stripped out resulting in null pointer dereference in the networking stack. BUG: unable to handle kernel NULL pointer dereference at 0000000000000048 IP: [] enqueue_to_backlog+0x56/0x260 PGD 0 Oops: 0000 [#1] PREEMPT SMP Modules linked in: fuse ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype [...] 
rtsx_pci scsi_mod usbcore usb_common i8042 serio nvme nvme_core CPU: 7 PID: 1340 Comm: irq/136-brcmf_p Not tainted 4.7.0-rc1-mainline #1 Hardware name: Dell Inc. XPS 15 9550/0N7TVV, BIOS 01.02.00 04/07/2016 task: ffff8804a0c5bd00 ti: ffff88049e124000 task.ti: ffff88049e124000 RIP: 0010:[] [] enqueue_to_backlog+0x56/0x260 RSP: 0018:ffff88049e127ca0 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ffff8804bddd7c40 RCX: 000000000000002f RDX: 0000000000000000 RSI: 0000000000000007 RDI: ffff8804bddd7d4c RBP: ffff88049e127ce8 R08: 0000000000000000 R09: 0000000000000000 R10: ffff8804bddd12c0 R11: 000000000000149e R12: 0000000000017c40 R13: ffff88049e127d08 R14: ffff8804a9bd6d00 R15: ffff8804bddd7d4c FS: 0000000000000000(0000) GS:ffff8804bddc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000048 CR3: 0000000001806000 CR4: 00000000003406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff8804bdddad00 ffff8804ad089e00 0000000000000000 0000000000000282 0000000000000000 ffff8804a9bd6d00 ffff8804a1b27e00 ffff8804a9bd6d00 ffff88002ee88000 ffff88049e127d28 ffffffff814c3f3b ffffffff81311fc3 Call Trace: [] netif_rx_internal+0x4b/0x170 [] ? swiotlb_tbl_unmap_single+0xf3/0x120 [] netif_rx_ni+0x27/0xc0 [] brcmf_netif_rx+0x49/0x70 [brcmfmac] [] brcmf_msgbuf_process_rx+0x2b4/0x570 [brcmfmac] [] ? __xen_set_pgd_hyper+0x57/0xd0 [] ? irq_forced_thread_fn+0x70/0x70 [] brcmf_proto_msgbuf_rx_trigger+0x31/0xe0 [brcmfmac] [] brcmf_pcie_isr_thread+0x7f/0x110 [brcmfmac] [] irq_thread_fn+0x20/0x50 [] irq_thread+0x12d/0x1c0 [] ? __schedule+0x2f5/0x7a0 [] ? wake_threads_waitq+0x30/0x30 [] ? irq_thread_dtor+0xb0/0xb0 [] kthread+0xd8/0xf0 [] ret_from_fork+0x1f/0x40 [] ? 
kthread_worker_fn+0x170/0x170 Code: 1c f5 60 9a 8e 81 9c 58 0f 1f 44 00 00 48 89 45 d0 fa 66 0f 1f 44 00 00 4c 8d bb 0c 01 00 00 4c 89 ff e8 5e 08 11 00 49 8b 56 20 <48> 8b 52 48 83 e2 01 74 10 8b 8b 08 01 00 00 8b 15 59 c5 42 00 RIP [] enqueue_to_backlog+0x56/0x260 RSP CR2: 0000000000000048 Fixes: 9c349892ccc9 ("brcmfmac: revise handling events in receive path") Reported-by: Rafal Milecki Reported-by: Grey Christoforo Reviewed-by: Pieter-Paul Giesberts Reviewed-by: Arend Van Spriel Reviewed-by: Hante Meuleman Signed-off-by: Franky Lin [arend@broadcom.com: rephrased the commit message] Signed-off-by: Arend van Spriel Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit a13415839d626b17c73263397359c0ca8e89f0d3 Author: Alex Williamson Date: Tue May 31 21:25:52 2016 -0600 vfio/pci: Allow VPD short read commit ce7585f3c4d76bca1dff4b66ae1ea32552954f9e upstream. The size of the VPD area is not necessarily 4-byte aligned, so a pci_vpd_read() might return less than 4 bytes. Zero our buffer and accept anything other than an error. Intel X710 NICs exercise this. Fixes: 4e1a635552d3 ("vfio/pci: Use kernel VPD access functions") Signed-off-by: Alex Williamson Signed-off-by: Greg Kroah-Hartman commit 7cf7cfdf3ce4f36d635a6514391c7768d864faff Author: Bjorn Helgaas Date: Mon Apr 25 15:59:50 2016 -0500 alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO commit c20e128030caf0537d5e906753eac1c28fefdb75 upstream. The alpha pci_mmap_resource() is used for both IORESOURCE_MEM and IORESOURCE_IO resources, but iomem_is_exclusive() is only applicable for IORESOURCE_MEM. Call iomem_is_exclusive() only for IORESOURCE_MEM resources, and do it earlier to match the generic version of pci_mmap_resource(). 
Fixes: 10a0ef39fbd1 ("PCI/alpha: pci sysfs resources") Signed-off-by: Bjorn Helgaas CC: Ivan Kokshaysky Signed-off-by: Greg Kroah-Hartman commit b1611bb6a939edc4a115daa4e70ccc81601c4083 Author: Daniel Jurgens Date: Wed Apr 20 16:01:15 2016 +0300 net/mlx4_core: Implement pci_resume callback commit c12833acff62cff83a8b728253e7ebbc1264d75e upstream. Move resume related activities to a new pci_resume function instead of performing them in mlx4_pci_slot_reset. This change is needed to avoid a hotplug during EEH recovery due to commit f2da4ccf8bd4 ("powerpc/eeh: More relaxed hotplug criterion"). Fixes: 2ba5fbd62b25 ('net/mlx4_core: Handle AER flow properly') Signed-off-by: Daniel Jurgens Signed-off-by: Yishai Hadas Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 011f69c4bd17dcbe7d1f0485173faa58e08441ad Author: Bjorn Helgaas Date: Thu Apr 7 17:15:14 2016 -0700 PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive() commit ca620723d4ff9ea7ed484eab46264c3af871b9ae upstream. iomem_is_exclusive() requires a CPU physical address, but on some arches we supplied a PCI bus address instead. On most arches, pci_resource_to_user(res) returns "res->start", which is a CPU physical address. But on microblaze, mips, powerpc, and sparc, it returns the PCI bus address corresponding to "res->start". The result is that pci_mmap_resource() may fail when it shouldn't (if the bus address happens to match an existing resource), or it may succeed when it should fail (if the resource is exclusive but the bus address doesn't match it). Call iomem_is_exclusive() with "res->start", which is always a CPU physical address, not the result of pci_resource_to_user(). 
Fixes: e8de1481fd71 ("resource: allow MMIO exclusivity for device drivers") Suggested-by: Yinghai Lu Signed-off-by: Bjorn Helgaas CC: Arjan van de Ven Signed-off-by: Greg Kroah-Hartman commit 0a8b5f3fac581ff4a04f5db57ccc79b2de5f7259 Author: Ido Schimmel Date: Mon Mar 7 15:15:30 2016 +0100 mlxsw: pci: Correctly determine if descriptor queue is full commit 5091730d7795ccb21eb880699b5194730641c70b upstream. The descriptor queues for sending (SDQs) and receiving (RDQs) packets are managed by two counters - producer and consumer - which are both 16-bit in size. A queue is considered full when the difference between the two equals the queue's maximum number of descriptors. However, if the producer counter overflows, then it's possible for the full queue check to fail, as it doesn't take the overflow into account. In such a case, descriptors already passed to the device - but for which a completion has yet to be posted - will be overwritten, thereby causing undefined behavior. The above can be achieved under heavy load (~30 netperf instances). Fix that by casting the subtraction result to u16, preventing it from being treated as a signed integer. Fixes: eda6500a987a ("mlxsw: Add PCI bus implementation") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 15aeb6325d5930f46fb705175ae46c81f848dcbb Author: Daniel Jurgens Date: Wed Feb 17 17:24:25 2016 +0200 net/mlx4_core: Do not BUG_ON during reset when PCI is offline commit 22e3817e6c8301dc0520b855c8a2d764580e719c upstream. The PCI channel could go offline during reset due to EEH. Don't bug on in this case, the error is recoverable. Fixes: f6bc11e42646 ('net/mlx4_core: Enhance the catas flow to support device reset') Signed-off-by: Daniel Jurgens Reviewed-by: Yishai Hadas Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit 792d5414d01409a229b3b2a5031b6167a8656bd6 Author: Willem de Bruijn Date: Tue Jul 12 18:18:57 2016 -0400 dccp: limit sk_filter trim to payload commit 4f0c40d94461cfd23893a17335b2ab78ecb333c8 upstream. Dccp verifies packet integrity, including length, at initial rcv in dccp_invalid_packet, later pulls headers in dccp_enqueue_skb. A call to sk_filter in-between can cause __skb_pull to wrap skb->len. skb_copy_datagram_msg interprets this as a negative value, so (correctly) fails with EFAULT. The negative length is reported in ioctl SIOCINQ or possibly in a DCCP_WARN in dccp_close. Introduce an sk_receive_skb variant that caps how small a filter program can trim packets, and call this in dccp with the header length. Excessively trimmed packets are now processed normally and queued for reception as 0B payloads. Fixes: 7c657876b63c ("[DCCP]: Initial implementation") Signed-off-by: Willem de Bruijn Acked-by: Daniel Borkmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6c687c0c284e65a350bd1e50072b13ff8e322b9c Author: Chin-Ran Lo Date: Tue Dec 29 04:26:33 2015 -0800 Bluetooth: btmrvl: fix hung task warning dump commit 86f7ac77d4035e22ec7e58dcdb96327e2ecc3a9b upstream. It's been observed that when bluetooth driver fails to activate the firmware, below hung task warning dump is displayed after 120 seconds. [ 36.461022] Bluetooth: vendor=0x2df, device=0x912e, class=255, fn=2 [ 56.512128] Bluetooth: FW failed to be active in time! [ 56.517264] Bluetooth: Downloading firmware failed! [ 240.252176] INFO: task kworker/3:2:129 blocked for more than 120 seconds. [ 240.258931] Not tainted 3.18.0 #254 [ 240.262972] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
[ 240.270751] kworker/3:2 D ffffffc000205760 0 129 2 0x00000000 [ 240.277825] Workqueue: events request_firmware_work_func [ 240.283134] Call trace: [ 240.285581] [] __switch_to+0x80/0x8c [ 240.290693] [] __schedule+0x540/0x7b8 [ 240.295921] [] schedule+0x78/0x84 [ 240.300764] [] __mmc_claim_host+0xe8/0x1c8 [ 240.306395] [] sdio_claim_host+0x74/0x84 [ 240.311840] [] 0xffffffbffc163d08 [ 240.316685] [] 0xffffffbffc165104 [ 240.321524] [] mwifiex_dnld_fw+0x98/0x110 [mwifiex] [ 240.327918] [] mwifiex_remove_card+0x2c4/0x5fc [mwifiex] [ 240.334741] [] request_firmware_work_func+0x44/0x80 [ 240.341127] [] process_one_work+0x2ec/0x50c [ 240.346831] [] worker_thread+0x350/0x470 [ 240.352272] [] kthread+0xf0/0xfc [ 240.357019] 2 locks held by kworker/3:2/129: [ 240.361248] #0: ("events"){.+.+.+}, at: [] process_one_work+0x1f8/0x50c [ 240.369562] #1: ((&fw_work->work)){+.+.+.}, at: [] process_one_work+0x1f8/0x50c [ 240.378589] task PC stack pid father [ 240.384501] kworker/1:1 D ffffffc000205760 0 40 2 0x00000000 [ 240.391524] Workqueue: events mtk_atomic_work [ 240.395884] Call trace: [ 240.398317] [] __switch_to+0x80/0x8c [ 240.403448] [] lock_acquire+0x128/0x164 [ 240.408821] kworker/3:2 D ffffffc000205760 0 129 2 0x00000000 [ 240.415867] Workqueue: events request_firmware_work_func [ 240.421138] Call trace: [ 240.423589] [] __switch_to+0x80/0x8c [ 240.428688] [] __schedule+0x540/0x7b8 [ 240.433886] [] schedule+0x78/0x84 [ 240.438732] [] __mmc_claim_host+0xe8/0x1c8 [ 240.444361] [] sdio_claim_host+0x74/0x84 [ 240.449801] [] 0xffffffbffc163d08 [ 240.454649] [] 0xffffffbffc165104 [ 240.459486] [] mwifiex_dnld_fw+0x98/0x110 [mwifiex] [ 240.465882] [] mwifiex_remove_card+0x2c4/0x5fc [mwifiex] [ 240.472705] [] request_firmware_work_func+0x44/0x80 [ 240.479090] [] process_one_work+0x2ec/0x50c [ 240.484794] [] worker_thread+0x350/0x470 [ 240.490231] [] kthread+0xf0/0xfc This patch adds missing sdio_release_host() call so that wlan driver thread can claim sdio host. 
Fixes: 4863e4cc31d647e1 ("Bluetooth: btmrvl: release sdio bus after firmware is up") Signed-off-by: Chin-Ran Lo Signed-off-by: Amitkumar Karwar Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit ea2bedc0f85eb1686920ecce8ab589fca1602c32 Author: Emmanuel Grumbach Date: Mon Jan 4 10:19:17 2016 +0200 iwlwifi: set max firmware version of 7265 to 17 commit ed0450cef00d2c76bcb8778721df947ba7ff4147 upstream. Just like 7260, 7265 will not have firmware releases newer than iwlwifi-7265-17.ucode. 7265D is still supported in latest firmware releases. Fixes: 628a2918afe4 ("iwlwifi: separate firmware version for 7260 devices") Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit 1a22e80896fada4e8ccf1aa04c4da92ad74e2490 Author: Amitkumar Karwar Date: Wed Dec 16 04:21:44 2015 -0800 mwifiex: add missing check for PCIe8997 chipset commit f3b35f28096895f2438c10ef719ef67d2951a8c9 upstream. This patch ensures mwifiex_pcie_txbd_empty() does take care of 8997 chipset. Fixes: 6d85ef00d9dfe ("mwifiex: add support for 8997 chipset") Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit e5501b261cd08b58402d76bc0303c781b4018532 Author: chunfan chen Date: Wed Jan 6 23:40:48 2016 -0800 mwifiex: fix IBSS data path issue. commit dc386ce76dedaeeaaf006fceb6ed8cf2e20ff026 upstream. The port_open flag is not applicable for IBSS mode. IBSS data path was broken when port_open flag was introduced. This patch fixes the problem by correcting the checks. Fixes: 5c8946330abfa4c ("mwifiex: enable traffic only when port is open") Signed-off-by: chunfan chen Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 0cbb0084fa2b444b7316a0967a0d93f5ae520216 Author: Vegard Nossum Date: Tue Jul 5 10:18:08 2016 +0200 xfrm: fix crash in XFRM_MSG_GETSA netlink handler commit 1ba5bf993c6a3142e18e68ea6452b347f9cb5635 upstream. 
If we hit any of the error conditions inside xfrm_dump_sa(), then xfrm_state_walk_init() never gets called. However, we still call xfrm_state_walk_done() from xfrm_dump_sa_done(), which will crash because the state walk was never initialized properly. We can fix this by setting cb->args[0] only after we've processed the first element and checking this before calling xfrm_state_walk_done(). Fixes: d3623099d3 ("ipsec: add support of limited SA dump") Cc: Nicolas Dichtel Cc: Steffen Klassert Signed-off-by: Vegard Nossum Acked-by: Nicolas Dichtel Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman commit 6eea9a76509caa5cf107125d55f72d585e0a4a3a Author: Pablo Neira Ayuso Date: Sun Jan 24 23:08:39 2016 +0100 netfilter: nfnetlink: use original skbuff when acking batches commit 7c7bdf35991bb8f7cfaeaf22ea3a2f2d1967c166 upstream. Since bd678e09dc17 ("netfilter: nfnetlink: fix splat due to incorrect socket memory accounting in skbuff clones"), we don't manually attach the sk to the skbuff clone anymore, so we have to use the original skbuff from netlink_ack() which needs to access the sk pointer. Fixes: bd678e09dc17 ("netfilter: nfnetlink: fix splat due to incorrect socket memory accounting in skbuff clones") Reported-by: Dmitry Vyukov Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit c99044c92485afcd61fce6ba957b08c5cd26f50a Author: Andy Shevchenko Date: Mon Dec 21 19:09:53 2015 +0200 ALSA: fm801: detect FM-only card earlier commit b56fa687e02b27f8bd9d282950a88c2ed23d766b upstream. If user does not supply tea575x_tuner parameter the driver tries to detect the tuner type. The failed codec initialization is considered as FM-only card present, however the driver still registers an IRQ handler for it. Move codec detection earlier to set tea575x_tuner parameter before check. 
Here the following functions are introduced reset_coded() resets AC97 codec snd_fm801_chip_multichannel_init() initializes cards with multichannel support Fixes: 5618955c4269 (ALSA: fm801: move to pcim_* and devm_* functions) Signed-off-by: Andy Shevchenko Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6c318f90522ff47dfb073835a131037d8008f3a7 Author: Andy Shevchenko Date: Mon Dec 21 19:09:52 2015 +0200 ALSA: fm801: propagate TUNER_ONLY bit when autodetected commit dbec6719ac036f68568d8488805d41346c021eff upstream. The commit d7ba858a7f7a (ALSA: fm801: implement TEA575x tuner autodetection) brings autodetection to the driver. However the autodetection algorithm misses the TUNER_ONLY bit if it is supplied by the user. Thus, user gets weird messages and no card registered. snd_fm801 0000:0d:01.0: detected TEA575x radio type SF64-PCR snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) ... snd_fm801 0000:0d:01.0: AC'97 0 does not respond - RESET snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) snd_fm801 0000:0d:01.0: AC'97 interface is busy (1) snd_fm801 0000:0d:01.0: AC'97 0 access is not valid [0x0], removing mixer. snd_fm801: probe of 0000:0d:01.0 failed with error -5 Do a copy of TUNER_ONLY bit to be applied after autodetection is done. Fixes: d7ba858a7f7a (ALSA: fm801: implement TEA575x tuner autodetection) Signed-off-by: Andy Shevchenko Cc: Ondrej Zary Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d692ef8ce6753ad12561361495fac8366527103e Author: Andy Shevchenko Date: Fri Dec 18 21:14:10 2015 +0200 ALSA: fm801: explicitly free IRQ line commit e97e98c63b43040732ad5d1f0b38ad4a8371c73a upstream. Otherwise we will have a warning on ->remove() since device is a PCI one. 
WARNING: CPU: 4 PID: 1411 at /home/andy/prj/linux/fs/proc/generic.c:575 remove_proc_entry+0x137/0x160() remove_proc_entry: removing non-empty directory 'irq/21', leaking at least 'snd_fm801' Fixes: 5618955c4269 (ALSA: fm801: move to pcim_* and devm_* functions) Signed-off-by: Andy Shevchenko Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 82ff45e06d4894333b0e0bb1ae5ba9aa98b42e67 Author: Dan Carpenter Date: Thu Nov 24 01:19:08 2016 +0300 x86/apic/uv: Silence a shift wrapping warning commit c4597fd756836a5fb7900f2091797ab564390ad0 upstream. 'm_io' is stored in 6 bits so it's a number in the 0-63 range. Static analysis tools complain that 1 << 63 will wrap so I have changed it to 1ULL << m_io. This code is over three years old so presumably the bug doesn't happen very frequently in real life or someone would have complained by now. Signed-off-by: Dan Carpenter Cc: Alex Thorlton Cc: Dimitri Sivanich Cc: Linus Torvalds Cc: Mike Travis Cc: Nathan Zimmer Cc: Peter Zijlstra Cc: Sebastian Andrzej Siewior Cc: Thomas Gleixner Cc: kernel-janitors@vger.kernel.org Fixes: b15cc4a12bed ("x86, uv, uv3: Update x2apic Support for SGI UV3") Link: http://lkml.kernel.org/r/20161123221908.GA23997@mwanda Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit d41bffbc70686df0af95bf8646350a0c5d335b5d Author: Jan Beulich Date: Tue Dec 22 08:42:44 2015 -0700 x86/LDT: Print the real LDT base address commit 0d430e3fb3f7cdc13c0d22078b820f682821b45a upstream. This was meant to print base address and entry count; make it do so again. 
Fixes: 37868fe113ff "x86/ldt: Make modify_ldt synchronous" Signed-off-by: Jan Beulich Acked-by: Andy Lutomirski Link: http://lkml.kernel.org/r/56797D8402000078000C24F0@prv-mh.provo.novell.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 0554b4d5ddda43c7de4aaf4ffbc00c1431f3283c Author: Stephane Eranian Date: Mon Dec 7 20:33:25 2015 +0100 perf/x86: Fix filter_events() bug with event mappings commit 61b87cae6361ea6af161c1ffa549898892707b19 upstream. This patch fixes a bug in the filter_events() function. The patch fixes the bug whereby if some mappings did not exist, e.g., STALLED_CYCLES_FRONTEND, then any event after it in the attrs array would disappear from the published list of events in /sys/devices/cpu/events. This could be verified easily on any system post SNB (which do not publish STALLED_CYCLES_FRONTEND): $ ./perf stat -e cycles,ref-cycles true Performance counter stats for 'true': 1,217,348 cycles ref-cycles The problem is that in filter_events() there is an assumption that the argument (attrs) is organized in increasing continuous event indexes related to the event_map(). But if we remove the non-supported events by shifting the position in the array, then the lookup x86_pmu.event_map() needs to compensate for it, otherwise we are looking up the wrong index.
This patch corrects this problem by compensating for the deleted events and with that ref-cycles reappears (here shown on Haswell): $ perf stat -e ref-cycles,cycles true Performance counter stats for 'true': 4,525,910 ref-cycles 1,064,920 cycles 0.002943888 seconds time elapsed Signed-off-by: Stephane Eranian Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Cc: jolsa@kernel.org Cc: kan.liang@intel.com Fixes: 8300daa26755 ("perf/x86: Filter out undefined events from sysfs events attribute") Link: http://lkml.kernel.org/r/1449516805-6637-1-git-send-email-eranian@google.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit f7766d1fdf5fffd45b8816f114ac7f7b9dd6489e Author: Suman Anna Date: Sun Apr 10 13:20:11 2016 -0600 ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence commit c20c8f750d9f8f8617f07ee2352d3ff560e66bc2 upstream. The omap_hwmod _enable() function can return success without setting the hwmod state to _HWMOD_STATE_ENABLED for IPs with reset lines when all of the reset lines are asserted. The omap_hwmod _idle() function also performs a similar check, but after checking for the hwmod state first. This triggers the WARN when pm_runtime_get and pm_runtime_put are invoked on IPs with all reset lines asserted. Reverse the checks for hwmod state and reset lines status to fix this. 
Issue found during an unbind operation on a device with reset lines still asserted, example backtrace below ------------[ cut here ]------------ WARNING: CPU: 1 PID: 879 at arch/arm/mach-omap2/omap_hwmod.c:2207 _idle+0x1e4/0x240() omap_hwmod: mmu_dsp: idle state can only be entered from enabled state Modules linked in: CPU: 1 PID: 879 Comm: sh Not tainted 4.4.0-00008-ga989d951331a #3 Hardware name: Generic OMAP5 (Flattened Device Tree) [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (dump_stack+0x90/0xc0) [] (dump_stack) from [] (warn_slowpath_common+0x78/0xb4) [] (warn_slowpath_common) from [] (warn_slowpath_fmt+0x30/0x40) [] (warn_slowpath_fmt) from [] (_idle+0x1e4/0x240) [] (_idle) from [] (omap_hwmod_idle+0x28/0x48) [] (omap_hwmod_idle) from [] (omap_device_idle+0x3c/0x90) [] (omap_device_idle) from [] (__rpm_callback+0x2c/0x60) [] (__rpm_callback) from [] (rpm_callback+0x20/0x80) [] (rpm_callback) from [] (rpm_suspend+0x138/0x74c) [] (rpm_suspend) from [] (__pm_runtime_idle+0x78/0xa8) [] (__pm_runtime_idle) from [] (__device_release_driver+0x64/0x100) [] (__device_release_driver) from [] (device_release_driver+0x20/0x2c) [] (device_release_driver) from [] (unbind_store+0x78/0xf8) [] (unbind_store) from [] (kernfs_fop_write+0xc0/0x1c4) [] (kernfs_fop_write) from [] (__vfs_write+0x20/0xdc) [] (__vfs_write) from [] (vfs_write+0x90/0x164) [] (vfs_write) from [] (SyS_write+0x44/0x9c) [] (SyS_write) from [] (ret_fast_syscall+0x0/0x1c) ---[ end trace a4182013c75a9f50 ]--- While at this, fix the sequence in _shutdown() as well, though there is no easy reproducible scenario.
Fixes: 747834ab8347 ("ARM: OMAP2+: hwmod: revise hardreset behavior") Signed-off-by: Suman Anna Signed-off-by: Paul Walmsley Signed-off-by: Greg Kroah-Hartman commit 31906bd42e7271608a75f0f3a1f7315dc541a144 Author: Heinrich Schuchardt Date: Mon Mar 28 10:03:48 2016 +0200 ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile commit fc5c796e12511a7c027b5a4438719dde2f796208 upstream. Commit 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices") created the new file kirkwood-ds112.dts but did not add it to the Makefile. Fixes: 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices") Signed-off-by: Heinrich Schuchardt Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 972093389a6885cfd27d4d58f5ebc753ac06c27f Author: Heinrich Schuchardt Date: Sun Feb 7 19:34:26 2016 +0100 ARM: dts: kirkwood: use unique machine name for ds112 commit 9d021c9d1b4b774a35d8a03d58dbf029544debda upstream. Downstream packages like Debian flash-kernel use /proc/device-tree/model to determine which dtb file to install. Hence each dts in the Linux kernel should provide a unique model identifier. Commit 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices") created the new files kirkwood-ds111.dts and kirkwood-ds112.dts using the same model identifier. This patch provides a unique model identifier for the Synology DiskStation DS112. Fixes: 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices") Signed-off-by: Heinrich Schuchardt Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 6e4a4856badbc1e00838866bd091b88c71d5b7a4 Author: Roger Shimizu Date: Sat Feb 6 14:59:51 2016 +0900 ARM: dts: orion5x: fix the missing mtd flash on linkstation lswtgl commit 44361a2cc13493fc41216d33bb9a562ec3a9cc4e upstream. MTD flash stores u-boot and u-boot environment on linkstation lswtgl. The latter one can be easily read/write by u-boot-tools package in Debian. 
Fixes: dc57844a736f ("ARM: dts: orion5x: add buffalo linkstation ls-wtgl") Signed-off-by: Roger Shimizu Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 71c26bb299188cc76ac07d799465af11fd476c47 Author: Roger Shimizu Date: Fri Jan 22 00:00:36 2016 +0900 ARM: dts: orion5x: gpio pin fixes for linkstation lswtgl commit ff61ee84e7aa5842d9e33c0b442f0b43a6a44eaf upstream. Here're a few gpio pin related fixes: - remove pinctrl-0 definition from pinctrl, since those pins are used in other places such as gpio-fan and regulators. - keep initial state of power led - fix for alarm pin of gpio-fan. Fixes: dc57844a736f ("ARM: dts: orion5x: add buffalo linkstation ls-wtgl") Signed-off-by: Roger Shimizu Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 7931b0b0bf4e84ecbba076b9f54089e6731500b0 Author: Roger Shimizu Date: Thu Jan 21 23:38:47 2016 +0900 ARM: dts: kirkwood: gpio-leds fixes for linkstation ls-wvl/vl commit 0418138e2ffd90f4a00b263593f2e199db87321d upstream. The GPIOs controlling the LEDs, listed below, are active high, not low: - gpio-leds: "lswvl:red:alarm" pin - gpio-leds: "lswvl:red:func" pin - gpio-leds: "lswvl:amber:info" pin - gpio-leds: "lswvl:blue:func" pin - gpio-leds: "lswvl:red:hdderr{0,1}" pin Fixes: c43379e150aa ("ARM: dts: add buffalo linkstation ls-wvl/vl") Signed-off-by: Roger Shimizu Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 3d90a4c2c864a9d0558c41df40772835b381be05 Author: Roger Shimizu Date: Thu Jan 21 23:38:46 2016 +0900 ARM: dts: kirkwood: gpio-leds fixes for linkstation ls-wxl/wsxl commit e98bd707e39d52d8bef8622e6e7b0ab4bd0ed8d0 upstream. 
The GPIOs controlling the LEDs, listed below, are active high, not low: - gpio-leds: "lswxl:blue:power" pin - gpio-leds: "lswxl:red:func" pin - gpio-leds: "lswxl:red:hdderr{0,1}" pin Fixes: e54e4b1b622e ("ARM: dts: add buffalo linkstation ls-wxl/wsxl") Signed-off-by: Roger Shimizu Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit 0e16d8be379c169207d6ffb2c537d1ed09f4939d Author: Roger Shimizu Date: Thu Jan 21 23:38:45 2016 +0900 ARM: dts: kirkwood: gpio pin fixes for linkstation ls-wvl/vl commit 6f86e9adc53b4c0a2a4283692216d119019f0b8d upstream. For kirkwood, gpio pins starting from 32 are in the 2nd bank, so it should be converted to "gpio1 " in dts file. e.g. gpio 40 should be "gpio1 8" The pin/bank issue was found when discussing Debian Bug #810894 [https://bugs.debian.org/810894#47] Fixes: c43379e150aa ("ARM: dts: add buffalo linkstation ls-wvl/vl") Reported-by: Arnaud Patard (Rtp) Signed-off-by: Roger Shimizu Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Greg Kroah-Hartman commit de8966f681906717db2d7bfe8a356939b204ed21 Author: Roger Shimizu Date: Thu Jan 21 23:38:44 2016 +0900 ARM: dts: kirkwood: gpio pin fixes for linkstation ls-wxl/wsxl commit 144e08abe80080c9c2cf0a06e40f1bc8150674eb upstream. For kirkwood, gpio pins starting from 32 are in the 2nd bank, so it should be converted to "gpio1 " in dts file. e.g.
    gpio 40 should be "gpio1 8"

    Besides, a few other pin fixes for ls-wxl/wsxl, to match with mpp pin definition:
    - gpio-leds: "lswxl:blue:power" pin
    - gpio-leds: "lswxl:red:func" pin
    - gpio-leds: "lswxl:red:hdderr0" pin
    - gpio-leds: "lswxl:red:hdderr1" pin
    - gpio-fan: low/high/alarm pin

    The pin/bank issue was found when discussing Debian Bug #810894 [https://bugs.debian.org/810894#47]

    Fixes: e54e4b1b622e ("ARM: dts: add buffalo linkstation ls-wxl/wsxl")
    Reported-by: Arnaud Patard (Rtp)
    Signed-off-by: Roger Shimizu
    Reviewed-by: Andrew Lunn
    Signed-off-by: Gregory CLEMENT
    Signed-off-by: Greg Kroah-Hartman

commit 30b4465af24f07927f47f5a48f709829b2338666
Author: Arnd Bergmann
Date: Fri Dec 18 16:40:26 2015 +0100

    ARM: imx: select SRC for i.MX7

    commit f1858b0e801a45d801dc23bc1ff5be14805022c8 upstream.

    The i.MX7 Kconfig option had a couple of missing select lines that I fixed already, but I missed HAVE_IMX_SRC:

    arch/arm/mach-imx/built-in.o: In function `imx7d_init_irq':
    platform-spi_imx.c:(.init.text+0x25a8): undefined reference to `imx_src_init'

    This adds that one as well.

    Signed-off-by: Arnd Bergmann
    Fixes: 0be5da9dc249 ("ARM: imx: imx7d requires anatop")
    Signed-off-by: Shawn Guo
    Signed-off-by: Greg Kroah-Hartman

commit e44ef9c4fac4f2286f90bc17d1ec33cb65310984
Author: Geert Uytterhoeven
Date: Fri Dec 18 11:51:36 2015 +0100

    ARM: dts: armadillo800eva Correct extal1 frequency to 24 MHz

    commit c61f30a255550bbfc6b83c1ca720661489cac4c0 upstream.

    On r8a7740/armadillo, actual clock rates are ca. 4% lower than reported by /sys/kernel/debug/clk/clk_summary. Correct the extal1 frequency from 25 MHz to 24 MHz to fix this.

    This matches the Armadillo-800 EVA Product Manual, which claims the main crystal runs at 24 MHz, and the old legacy/reference board code.

    Fixes: 25aa7ba3fdfb ("ARM: shmobile: armadillo800eva: Sync DTS")
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Simon Horman
    Signed-off-by: Greg Kroah-Hartman

commit 95f179ffff039f428371133f76dda1384b527fcb
Author: Hidehiro Kawai
Date: Tue Oct 11 13:54:26 2016 -0700

    mips/panic: replace smp_send_stop() with kdump friendly version in panic path

    commit 54c721b857fd45f3ad3bda695ee4f472518db02a upstream.

    Daniel Walker reported problems which happen when crash_kexec_post_notifiers kernel option is enabled (https://lkml.org/lkml/2015/6/24/44).

    In that case, smp_send_stop() is called before entering kdump routines which assume other CPUs are still online. As a result, kdump routines fail to save other CPUs' registers. Additionally for MIPS OCTEON, it misses to stop the watchdog timer.

    To fix this problem, call a new kdump friendly function, crash_smp_send_stop(), instead of the smp_send_stop() when crash_kexec_post_notifiers is enabled. crash_smp_send_stop() is a weak function, and it just calls smp_send_stop(). Architecture codes should override it so that kdump can work appropriately. This patch provides MIPS version.

    Fixes: f06e5153f4ae (kernel/panic.c: add "crash_kexec_post_notifiers" option)
    Link: http://lkml.kernel.org/r/20160810080950.11028.28000.stgit@sysi4-13.yrl.intra.hitachi.co.jp
    Signed-off-by: Hidehiro Kawai
    Reported-by: Daniel Walker
    Cc: Dave Young
    Cc: Baoquan He
    Cc: Vivek Goyal
    Cc: Eric Biederman
    Cc: Masami Hiramatsu
    Cc: Daniel Walker
    Cc: Xunlei Pang
    Cc: Thomas Gleixner
    Cc: Ingo Molnar
    Cc: "H. Peter Anvin"
    Cc: Borislav Petkov
    Cc: David Vrabel
    Cc: Toshi Kani
    Cc: Ralf Baechle
    Cc: David Daney
    Cc: Aaro Koskinen
    Cc: "Steven J. Hill"
    Cc: Corey Minyard
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 4aa560bc839f3b525cfdf9744c13230065126a91
Author: James Hogan
Date: Mon Jul 25 16:59:50 2016 +0100

    MIPS: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO

    commit 233b2ca181f20674ecad11be90b00814911ce345 upstream.

    AT_VECTOR_SIZE_ARCH should be defined with the maximum number of NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined for MIPS at all even though ARCH_DLINFO will contain one NEW_AUX_ENT for the VDSO address.

    This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for AT_BASE_PLATFORM which MIPS doesn't use, but let's define it now and add the comment above ARCH_DLINFO as found in several other architectures to remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to date.

    Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO")
    Signed-off-by: James Hogan
    Cc: linux-mips@linux-mips.org
    Cc: linux-arch@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/13823/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 0fb34ac0f0c102e425eae97b13b22b944d3de085
Author: Dan Carpenter
Date: Fri Jul 15 14:16:44 2016 +0300

    MIPS: RM7000: Double locking bug in rm7k_tc_disable()

    commit 58a7e1c140f3ad61646bc0cd9a1f6a9cafc0b225 upstream.

    We obviously intended to enable IRQs again at the end.

    Fixes: 745aef5df1e2 ('MIPS: RM7000: Add support for tertiary cache')
    Signed-off-by: Dan Carpenter
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Cc: kernel-janitors@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/13815/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 506a1e3bef3bc686d5484222877d438e05603cdd
Author: Daniel Borkmann
Date: Thu Jul 14 13:57:55 2016 +0200

    bpf, mips: fix off-by-one in ctx offset allocation

    commit b4e76f7e6d3200462c6354a6ad4ae167459e61f8 upstream.

    Dan Carpenter reported [1] a static checker warning that ctx->offsets[] may be accessed off by one from build_body(), since it's allocated with fp->len * sizeof(*ctx.offsets) as length. The cBPF arm and ppc code doesn't have this issue as claimed, so only mips seems to be affected and should like most other JITs allocate with fp->len + 1.
    A few JITs (x86, sparc, arm64) handle this differently, where they only require fp->len array elements.

    [1] http://www.spinics.net/lists/mips/msg64193.html

    Fixes: c6610de353da ("MIPS: net: Add BPF JIT")
    Reported-by: Dan Carpenter
    Signed-off-by: Daniel Borkmann
    Cc: Alexei Starovoitov
    Cc: ast@kernel.org
    Cc: linux-mips@linux-mips.org
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/13814/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit cdd952995b0de62474e74c48af2de8c6bf347230
Author: Dan Carpenter
Date: Thu Jul 14 13:14:29 2016 +0300

    MIPS: Octeon: Off by one in octeon_irq_gpio_map()

    commit 008d0cf1ec69ec6d2c08f2d23aff2b67cbe5d2af upstream.

    It should be >= ARRAY_SIZE() instead of > ARRAY_SIZE().

    Fixes: 64b139f97c01 ('MIPS: OCTEON: irq: add CIB and other fixes')
    Signed-off-by: Dan Carpenter
    Acked-by: David Daney
    Cc: Rob Herring
    Cc: Marc Zyngier
    Cc: linux-mips@linux-mips.org
    Cc: kernel-janitors@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/13813/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 6da475d078a79b8c216a36252a08272e241d6ad0
Author: James Hogan
Date: Wed Jul 13 14:12:47 2016 +0100

    MIPS: c-r4k: Fix protected_writeback_scache_line for EVA

    commit 0758b116b4080d9a2a2a715bec6eee2cbd828215 upstream.

    The protected_writeback_scache_line() function is used by local_r4k_flush_cache_sigtramp() to flush an FPU delay slot emulation trampoline on the userland stack from the caches so it is visible to subsequent instruction fetches.

    Commit de8974e3f76c ("MIPS: asm: r4kcache: Add EVA cache flushing functions") updated some protected_ cache flush functions to use EVA CACHEE instructions via protected_cachee_op(), and commit 83fd43449baa ("MIPS: r4kcache: Add EVA case for protected_writeback_dcache_line") did the same thing for protected_writeback_dcache_line(), but protected_writeback_scache_line() never got updated.
    Let's fix that now to flush the right user address from the secondary cache rather than some arbitrary kernel unmapped address.

    This issue was spotted through code inspection, and it seems unlikely to be possible to hit this in practice. It theoretically affects EVA kernels on EVA capable cores with an L2 cache, where the icache fetches straight from RAM (cpu_icache_snoops_remote_store == 0), running a hard float userland with FPU disabled (nofpu). That both Malta and Boston platforms override cpu_icache_snoops_remote_store to 1 suggests that all MIPS cores fetch instructions into icache straight from L2 rather than RAM.

    Fixes: de8974e3f76c ("MIPS: asm: r4kcache: Add EVA cache flushing functions")
    Signed-off-by: James Hogan
    Cc: Leonid Yegoshin
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/13800/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 4cf3afdf9794ebafbdee83507a7f3f2e09f8fa35
Author: James Hogan
Date: Wed Jul 13 14:12:45 2016 +0100

    MIPS: SMP: Update cpu_foreign_map on CPU disable

    commit 826e99be6ab5189dbfb096389016ffb8d20a683e upstream.

    When a CPU is disabled via CPU hotplug, cpu_foreign_map is not updated. This could result in cache management SMP calls being sent to offline CPUs instead of online siblings in the same core.

    Add a call to calculate_cpu_foreign_map() in the various MIPS cpu disable callbacks after set_cpu_online(). All cases are updated for consistency and to keep cpu_foreign_map strictly up to date, not just those which may support hardware multithreading.

    Fixes: cccf34e9411c ("MIPS: c-r4k: Fix cache flushing for MT cores")
    Signed-off-by: James Hogan
    Cc: Paul Burton
    Cc: David Daney
    Cc: Kevin Cernekee
    Cc: Florian Fainelli
    Cc: Huacai Chen
    Cc: Hongliang Tao
    Cc: Hua Yan
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/13799/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 439b0831e5743f12759cdd061f609d3faaee3e17
Author: James Hogan
Date: Wed Jun 15 19:29:45 2016 +0100

    MIPS: KVM: Fix translation of MFC0 ErrCtl

    commit 66ffc50c480e7ab6ad5642f47276435a8873c31a upstream.

    The MIPS KVM dynamic translation is meant to translate "MFC0 rt, ErrCtl" instructions into "ADD rt, zero, zero" to zero the destination register, however the rt register number was copied into rt of the ADD instruction encoding, which is the 2nd source operand. This results in "ADD zero, zero, rt" which is a no-op, so only the first execution of each such MFC0 from ErrCtl will actually read 0.

    Fix the shift to put the rt from the MFC0 encoding into the rd field of the ADD.

    Fixes: 50c8308538dc ("KVM/MIPS32: Binary patching of select privileged instructions.")
    Signed-off-by: James Hogan
    Cc: Paolo Bonzini
    Cc: Radim Krčmář
    Cc: Ralf Baechle
    Cc: linux-mips@linux-mips.org
    Cc: kvm@vger.kernel.org
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

commit dce6c5bb915a5608226191d769122980382562c6
Author: James Hogan
Date: Mon May 16 19:32:35 2016 +0100

    MIPS: perf: Fix I6400 event numbers

    commit fd716fca10fc3dc0f18b8c16d4ecfa6d93f010d2 upstream.

    Fix perf hardware performance counter event numbers for I6400. This core does not follow the performance event numbering scheme of previous MIPS cores. All performance counters (both odd and even) are capable of counting any of the available events.

    Fixes: 4e88a8621301 ("MIPS: Add cases for CPU_I6400")
    Signed-off-by: James Hogan
    Cc: Peter Zijlstra
    Cc: Ingo Molnar
    Cc: Arnaldo Carvalho de Melo
    Cc: Alexander Shishkin
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/13259/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 524fafef88ec19bb0b11ed1fe1c92bbf32441838
Author: Paul Burton
Date: Thu Apr 21 14:04:46 2016 +0100

    MIPS: Fix BC1{EQ,NE}Z return offset calculation

    commit ac1496980f1d2752f26769f5db63afbc9ac2b603 upstream.

    The conditions for branching when emulating the BC1EQZ & BC1NEZ instructions were backwards, leading to each of those instructions being treated as the other. Fix this by reversing the conditions, and clear up the code a little for readability & checkpatch.

    Fixes: c8a34581ec09 ("MIPS: Emulate the BC1{EQ,NE}Z FPU instructions")
    Signed-off-by: Paul Burton
    Reviewed-by: James Hogan
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/13151/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 26bf2650cd38cb30cf58c9a154286aaab909c25b
Author: Paul Burton
Date: Thu Apr 21 14:04:45 2016 +0100

    MIPS: math-emu: Fix BC1{EQ,NE}Z emulation

    commit 93583e178ebfdd2fadf950eef1547f305cac12ca upstream.

    The conditions for branching when emulating the BC1EQZ & BC1NEZ instructions were backwards, leading to each of those instructions being treated as the other. Fix this by reversing the conditions, and clear up the code a little for readability & checkpatch.

    Fixes: c909ca718e8f ("MIPS: math-emu: Emulate missing BC1{EQ,NE}Z instructions")
    Signed-off-by: Paul Burton
    Reviewed-by: James Hogan
    Cc: Maciej W. Rozycki
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/13150/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 8a70d2a0c1cd48ee08913ca179cd361b0b13de3a
Author: Florian Fainelli
Date: Tue Apr 19 15:35:39 2016 -0700

    MIPS: BMIPS: Adjust mips-hpt-frequency for BCM7435

    commit 80fa40acaa1dad5a0a9c15ed2e5d2e72461843f5 upstream.

    The CPU actually runs at 1405Mhz which gives us a 175625000 Hz MIPS timer frequency (CPU frequency / 8).

    Fixes: e4c7d009654a ("MIPS: BMIPS: Add BCM7435 dtsi")
    Signed-off-by: Florian Fainelli
    Cc: linux-mips@linux-mips.org
    Cc: john@phrozen.org
    Cc: cernekee@gmail.com
    Cc: jaedon.shin@gmail.com
    Patchwork: https://patchwork.linux-mips.org/patch/13132/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit b3582e67d5943e69bc21c1f2ce78e0c6da4aa707
Author: James Hogan
Date: Tue Apr 19 09:25:00 2016 +0100

    MIPS: Fix HTW config on XPA kernel without LPA enabled

    commit 14bc241443e126c62fcbf571b7d4c79740debc58 upstream.

    The hardware page table walker (HTW) configuration is broken on XPA kernels where XPA couldn't be enabled (either nohtw or the hardware doesn't support it). This is because the PWSize.PTEW field (PTE width) was only set to 8 bytes (an extra shift of 1) in config_htw_params() if PageGrain.ELPA (enable large physical addressing) is set. On an XPA kernel though the size of PTEs is fixed at 8 bytes regardless of whether XPA could actually be enabled.

    Fix the initialisation of this field based on sizeof(pte_t) instead.

    Fixes: c5b367835cfc ("MIPS: Add support for XPA.")
    Signed-off-by: James Hogan
    Cc: Steven J. Hill
    Cc: Paul Burton
    Cc: Paul Gortmaker
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/13113/
    Signed-off-by: Paul Burton
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 94c0d503d9ec687e0b2726f3b3dcac4906581fea
Author: Florian Fainelli
Date: Mon Apr 4 10:55:38 2016 -0700

    MIPS: BMIPS: Pretty print BMIPS5200 processor name

    commit 37808d62afcdc420d98875c4b514c178d56f6815 upstream.

    Just to ease debugging of multiplatform kernel, make sure we print "Broadcom BMIPS5200" for the BMIPS5200 implementation instead of Broadcom BMIPS5000.

    Fixes: 68e6a78373a6d ("MIPS: BMIPS: Add PRId for BMIPS5200 (Whirlwind)")
    Signed-off-by: Florian Fainelli
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/13014/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 93e27aae8460e464e04cf5cfa387bac8947f941a
Author: Florian Fainelli
Date: Mon Apr 4 10:55:36 2016 -0700

    MIPS: BMIPS: local_r4k___flush_cache_all needs to blast S-cache

    commit f675843ddfdfdf467d08cc922201614a149e439e upstream.

    local_r4k___flush_cache_all() is missing a special check for BMIPS5000 processors, we need to blast the S-cache, just like other MTI processors since we have an inclusive cache. We also need an additional __sync() to make sure this is completed.

    Fixes: d74b0172e4e2c ("MIPS: BMIPS: Add special cache handling in c-r4k.c")
    Signed-off-by: Florian Fainelli
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/13012/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 3ab4cbdf079226f4ee97bc95f6bd8f8d498eb6c3
Author: Florian Fainelli
Date: Mon Apr 4 10:55:35 2016 -0700

    MIPS: BMIPS: Clear MIPS_CACHE_ALIASES earlier

    commit 73c4ca047f440c79f545bc6133e3033f754cd239 upstream.

    BMIPS5000 and BMIPS5200 processors have no D cache aliases, and this is properly handled by the per-CPU override added at the end of r4k_cache_init(), the problem is that the output of probe_pcache() disagrees with that, since this is too late:

    Primary instruction cache 32kB, VIPT, 4-way, linesize 64 bytes.
    Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes

    With the change moved earlier, we now have a consistent output with the settings we are intending to have:

    Primary instruction cache 32kB, VIPT, 4-way, linesize 64 bytes.
    Primary data cache 32kB, 4-way, VIPT, no aliases, linesize 32 bytes

    Fixes: d74b0172e4e2c ("MIPS: BMIPS: Add special cache handling in c-r4k.c")
    Signed-off-by: Florian Fainelli
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/13011/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit cd6bfe5fba7d40f08286926899564e70d7c4ec8c
Author: Florian Fainelli
Date: Mon Apr 4 10:55:34 2016 -0700

    MIPS: BMIPS: BMIPS5000 has I cache filing from D cache

    commit c130d2fd3d59fbd5d269f7d5827bd4ed1d94aec6 upstream.

    BMIPS5000 and BMIPS5200 processors have their I-cache filling from the D-cache. Since BMIPS_GENERIC does not provide (yet) a cpu-feature-overrides.h file, this was not set anywhere, so make sure the R4K cache detection takes care of that.

    Fixes: d74b0172e4e2c ("MIPS: BMIPS: Add special cache handling in c-r4k.c")
    Signed-off-by: Florian Fainelli
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/13010/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit c53964b4e447e76b9b206325241149b5ac0f84e3
Author: Matt Redfearn
Date: Tue Mar 29 09:35:31 2016 +0100

    MIPS: scall: Handle seccomp filters which redirect syscalls

    commit a400bed6d105c23d3673f763596e4b85de14e41a upstream.

    Commit d218af78492a ("MIPS: scall: Always run the seccomp syscall filters") modified the syscall code to always call the seccomp filters, but missed the case where a filter may redirect the syscall, as revealed by the seccomp_bpf self test.

    The syscall path now restores the syscall from the stack after the filter rather than saving it locally. Syscall number checking and syscall function table lookup is done after the filter may have run such that redirected syscalls are also checked, and executed.

    The regular path of syscall number checking and pointer lookup is also made more consistent between ABIs with scall64-64.S being the reference.

    With this patch in place, the seccomp_bpf self test now passes TRACE_syscall.syscall_redirected and TRACE_syscall.syscall_dropped on all MIPS ABIs.

    Fixes: d218af78492a ("MIPS: scall: Always run the seccomp syscall filters")
    Signed-off-by: Matt Redfearn
    Acked-by: Kees Cook
    Cc: Eric B Munson
    Cc: James Hogan
    Cc: Andrew Morton
    Cc: linux-mips@linux-mips.org
    Cc: IMG-MIPSLinuxKerneldevelopers@imgtec.com
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/12916/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 349ef07dd14042df426399fd7a2481a8919525b4
Author: Paul Burton
Date: Wed Feb 3 03:15:35 2016 +0000

    MIPS: smp-cps: Stop printing EJTAG exceptions to UART

    commit 6609ccdc852f7bfbfa54300dd5b3cd89eb4ced6f upstream.

    When CONFIG_MIPS_CPS_NS16550 is enabled, some register state is dumped to the UART when an exception is taken via the BEV on secondary cores. EJTAG exceptions are architecturally expected to be handled by the BEV even when Status.BEV is 0. This effectively means that if userland executes an sdbbp instruction on a secondary core then the kernel dumps register state to the UART even though the exception is perfectly normal & expected. Prevent this by simply not dumping information to the UART for EJTAG exceptions.

    Fixes: 609cf6f2291a ("MIPS: CPS: Early debug using an ns16550-compatible UART")
    Signed-off-by: Paul Burton
    Cc: linux-mips@linux-mips.org
    Cc: linux-kernel@vger.kernel.org
    Patchwork: https://patchwork.linux-mips.org/patch/12341/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 2cae94d199901da7a4445d1b0c9e6c44e66d0a19
Author: Florian Fainelli
Date: Fri Jan 29 21:17:26 2016 -0800

    MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200

    commit cbbda6e7c9c3e4532bd70a73ff9d5e6655c894dc upstream.

    BMIPS5000 have a PrID value of 0x5A00 and BMIPS5200 have a PrID value of 0x5B00, which, masked with 0x5A00, returns 0x5A00. Update all conditionals on the PrID to cover both variants since we are going to need this to enable BMIPS5200 SMP. The existing check, masking with 0xFF00 would not cover BMIPS5200 at all.

    Fixes: 68e6a78373a6d ("MIPS: BMIPS: Add PRId for BMIPS5200 (Whirlwind)")
    Fixes: 6465460c92a85 ("MIPS: BMIPS: change compile time checks to runtime checks")
    Signed-off-by: Florian Fainelli
    Cc: john@phrozen.org
    Cc: cernekee@gmail.com
    Cc: jogo@openwrt.org
    Cc: jaedon.shin@gmail.com
    Cc: jfraser@broadcom.com
    Cc: pgynther@google.com
    Cc: dragan.stancevic@gmail.com
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/12279/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit aa3e59218c47e786d7ed7743d4b61eed3f776d30
Author: James Hogan
Date: Tue Dec 22 13:56:39 2015 +0000

    MIPS: ptrace: Drop cp0_tcstatus from regoffset_table[]

    commit 555fae60b2bbb2d6282d82c5321d3adfa85b22ae upstream.

    The cp0_tcstatus member of struct pt_regs was removed along with the rest of SMTC in v3.16, commit b633648c5ad3 ("MIPS: MT: Remove SMTC support"), however recent uprobes support in v4.3 added back a reference to it in the regoffset_table[] in ptrace.c. Remove it.

    Signed-off-by: James Hogan
    Fixes: 40e084a506eb ("MIPS: Add uprobes support.")
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/11920/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 31616b2ff81e5115668235aeba52bd4bf862e75d
Author: Jaedon Shin
Date: Mon Dec 21 12:47:35 2015 +0900

    MIPS: Fix macro typo

    commit 2549cc967ebb4043f3507b55e3dc579f44d3b516 upstream.

    Change the CONFIG_MIPS_CMDLINE_EXTEND to CONFIG_MIPS_CMDLINE_DTB_EXTEND to resolve the EXTEND_WITH_PROM macro.

    Signed-off-by: Jaedon Shin
    Fixes: 2024972ef533 ("MIPS: Make the kernel arguments from dtb available")
    Reviewed-by: Alexander Sverdlin
    Cc: Jonas Gorski
    Cc: Masahiro Yamada
    Cc: Paul Burton
    Cc: Aaro Koskinen
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/11909/
    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 982c4970fd125cd14b847cb0c7c13bb026673704
Author: Felipe Balbi
Date: Wed Aug 24 14:33:27 2016 +0300

    usb: gadget: udc: core: don't starve DMA resources

    commit 23fd537c9508fb6e3b93ddf23982f51afc087781 upstream.

    Always unmap all SG entries as required by DMA API

    Fixes: a698908d3b3b ("usb: gadget: add generic map/unmap request utilities")
    Cc: # v3.4+
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit 2a5cb80e3eb14b3b2152f93d7bffe4b5c7d2fdc3
Author: Iago Abal
Date: Tue Jun 21 12:01:11 2016 +0200

    usb: gadget: pch_udc: reorder spin_[un]lock to avoid deadlock

    commit 1d23d16a88e6c8143b07339435ba061b131ebb8c upstream.

    The above commit reordered spin_lock/unlock and now `&dev->lock' is acquired (rather than released) before calling `dev->driver->disconnect', `dev->driver->setup', `dev->driver->suspend', `usb_gadget_giveback_request', and `usb_gadget_udc_reset'.

    But this *may* not be the right way to fix the problem pointed by d3cb25a12138. Note that the other usb/gadget/udc drivers do release the lock before calling these functions.
    There are also inconsistencies within pch_udc.c, where `dev->driver->disconnect' is called while holding `&dev->lock' in lines 613 and 1184, but not in line 2739.

    Finally, commit d3cb25a12138 may have introduced several potential deadlocks. For instance, EBA (https://github.com/models-team/eba) reports:

        Double lock in drivers/usb/gadget/udc/pch_udc.c
        first at 2791: spin_lock(& dev->lock); [pch_udc_isr]
        second at 2694: spin_lock(& dev->lock); [pch_udc_svc_cfg_interrupt]
        after calling from 2793: pch_udc_dev_isr(dev, dev_intr);
        after calling from 2724: pch_udc_svc_cfg_interrupt(dev);

    Similarly, other potential deadlocks are 2791 -> 2793 -> 2721 -> 2657; and 2791 -> 2793 -> 2711 -> 2573 -> 1499 -> 1480.

    Fixes: d3cb25a12138 ("usb: gadget: udc: fix spin_lock in pch_udc")
    Signed-off-by: Iago Abal
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit f2f8b4655a89a914732a21c362d7379138728675
Author: Andy Shevchenko
Date: Fri Mar 18 16:55:37 2016 +0200

    usb: gadged: pch_udc: get rid of redundant assignments

    commit 6b968737c3efe7cdaa5407afec972cd7c7d3ca35 upstream.

    It seems there are leftovers of some assignments which are not used anymore. Compiler even warns us about:

    drivers/usb/gadget/udc/pch_udc.c:2022:22: warning: variable ‘dev’ set \
            but not used [-Wunused-but-set-variable]

    drivers/usb/gadget/udc/pch_udc.c:2639:9: warning: variable ‘ret’ set \
            but not used [-Wunused-but-set-variable]

    Remove them and shut compiler about.

    Signed-off-by: Andy Shevchenko
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit bb630aaad7d62600821897abdbb8207d2ba451b2
Author: Krzysztof Opasiak
Date: Tue Mar 1 12:47:11 2016 +0100

    usb: gadget: f_acm: Fix configfs attr name

    commit 0561f77e2db9e72dc32e4f82b56fca8ba6b31171 upstream.

    Correct attribute name is port_num not num.

    Fixes: ea6bd6b ("usb-gadget/f_acm: use per-attribute show and store methods")
    Reviewed-by: Christoph Hellwig
    Signed-off-by: Krzysztof Opasiak
    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

commit 44c2909c48c0c2cb999b517d298e6e6ef566a15a
Author: Ben Hutchings
Date: Thu Apr 21 00:19:25 2016 +0100

    staging: rtl8192u: Fix crash due to pointers being "confusing"

    commit c3f463484bdd0acd15abd5f92399041f79592d06 upstream.

    There's no net_device stashed in skb->cb, there's a net_device * there. To make it *really* clear, also change the write of the dev pointer into skb->cb from a memcpy() to an assignment.

    Fixes: 3fe563249374 ("staging: rtl8192u: r8192U_core.c: Cleaning up ...")
    Signed-off-by: Ben Hutchings
    Signed-off-by: Greg Kroah-Hartman

commit b420b29796bef1fdae8b65b0741fb3fe4e015ef3
Author: Vasily Averin
Date: Mon Apr 27 08:32:46 2020 +0300

    drm/qxl: qxl_release leak in qxl_draw_dirty_fb()

    commit 85e9b88af1e6164f19ec71381efd5e2bcfc17620 upstream.

    ret should be changed to release allocated struct qxl_release

    Cc: stable@vger.kernel.org
    Fixes: 8002db6336dd ("qxl: convert qxl driver to proper use for reservations")
    Signed-off-by: Vasily Averin
    Link: http://patchwork.freedesktop.org/patch/msgid/22cfd55f-07c8-95d0-a2f7-191b7153c3d4@virtuozzo.com
    Signed-off-by: Gerd Hoffmann
    Signed-off-by: Vasily Averin
    Signed-off-by: Greg Kroah-Hartman

commit 94361db06d3d57b99477728e6c6571c0b2b66e19
Author: Vasily Averin
Date: Wed Apr 29 12:01:24 2020 +0300

    drm/qxl: qxl_release use after free

    commit 933db73351d359f74b14f4af095808260aff11f9 upstream.

    qxl_release should not be accessed after qxl_push_*_ring_release() calls: userspace driver can process submitted command quickly, move qxl_release into release_ring, generate interrupt and trigger garbage collector.
    It can lead to crashes in qxl driver or trigger memory corruption in some kmalloc-192 slab object

    Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() + qxl_push_{cursor,command}_ring_release() calls to close that race window.

    cc: stable@vger.kernel.org
    Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)")
    Signed-off-by: Vasily Averin
    Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com
    Signed-off-by: Gerd Hoffmann
    Signed-off-by: Vasily Averin
    Signed-off-by: Greg Kroah-Hartman

commit 094c94291cc203a02b809d4b60e7c4b53a924e0f
Author: Amitkumar Karwar
Date: Wed Dec 16 04:21:43 2015 -0800

    mwifiex: fix PCIe register information for 8997 chipset

    commit ce0c58d998410fb91c63a70e749e98bb0e67eb67 upstream.

    This patch corrects some information in mwifiex_pcie_card_reg() structure for 8997 chipset

    Fixes: 6d85ef00d9dfe ("mwifiex: add support for 8997 chipset")
    Signed-off-by: Amitkumar Karwar
    Signed-off-by: Shengzhen Li
    Signed-off-by: Kalle Valo
    Signed-off-by: Greg Kroah-Hartman
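Added example, not part of this changelog or of the upstream patch: the field mix-up described in the "MIPS: KVM: Fix translation of MFC0 ErrCtl" entry above, modelled in C with the architectural MIPS32 field positions. The function names, the one-instruction ADD interpreter and the sample register values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* MIPS32 fields: op[31:26] rs[25:21] rt[20:16] rd[15:11] funct[5:0] */
#define OP_SHIFT 26
#define RS_SHIFT 21
#define RT_SHIFT 16
#define RD_SHIFT 11
#define REG_MASK 0x1fu

#define OP_SPECIAL 0x00u /* major opcode of ADD and other R-type ALU ops */
#define OP_COP0    0x10u /* major opcode of MFC0 */
#define COP0_MF    0x00u /* rs field value selecting "move from CP0" */
#define FUNCT_ADD  0x20u /* function code of ADD under SPECIAL */
#define CP0_ERRCTL 26u   /* ErrCtl is CP0 register 26, select 0 */

static unsigned field(uint32_t inst, unsigned shift)
{
    return (inst >> shift) & REG_MASK;
}

/* "MFC0 rt, cp0_reg, sel": rt is the GPR written, rd carries the CP0 register. */
uint32_t encode_mfc0(unsigned rt, unsigned cp0_reg, unsigned sel)
{
    return (OP_COP0 << OP_SHIFT) | (COP0_MF << RS_SHIFT) |
           ((rt & REG_MASK) << RT_SHIFT) |
           ((cp0_reg & REG_MASK) << RD_SHIFT) | (sel & 0x7u);
}

int is_mfc0_errctl(uint32_t inst)
{
    return (inst >> OP_SHIFT) == OP_COP0 &&
           field(inst, RS_SHIFT) == COP0_MF &&
           field(inst, RD_SHIFT) == CP0_ERRCTL && (inst & 0x7u) == 0;
}

/* The mix-up: MFC0's rt is placed in ADD's rt field, which is the second
 * source operand, so the result is "ADD zero, zero, rt". */
uint32_t translate_buggy(uint32_t mfc0)
{
    return (OP_SPECIAL << OP_SHIFT) | FUNCT_ADD |
           (field(mfc0, RT_SHIFT) << RT_SHIFT);
}

/* The corrected placement: MFC0's rt goes into ADD's rd field, the
 * destination, so the result is "ADD rt, zero, zero". */
uint32_t translate_fixed(uint32_t mfc0)
{
    return (OP_SPECIAL << OP_SHIFT) | FUNCT_ADD |
           (field(mfc0, RT_SHIFT) << RD_SHIFT);
}

/* Execute one ADD on a 32-entry register file; writes to $0 are discarded. */
static void exec_add(uint32_t inst, uint32_t regs[32])
{
    uint32_t sum;
    unsigned rd;

    if ((inst >> OP_SHIFT) != OP_SPECIAL || (inst & 0x3fu) != FUNCT_ADD)
        return;
    sum = regs[field(inst, RS_SHIFT)] + regs[field(inst, RT_SHIFT)];
    rd = field(inst, RD_SHIFT);
    if (rd != 0)
        regs[rd] = sum;
}

/* Value the guest finds in rt after the patched instruction runs, when rt
 * held `stale` beforehand. A correct translation always yields 0. */
uint32_t guest_value_after(uint32_t (*translate)(uint32_t), unsigned rt,
                           uint32_t stale)
{
    uint32_t regs[32] = {0};
    uint32_t mfc0 = encode_mfc0(rt, CP0_ERRCTL, 0);

    if (rt == 0 || rt > 31 || !is_mfc0_errctl(mfc0))
        return 0;
    regs[rt] = stale;
    exec_add(translate(mfc0), regs);
    return regs[rt];
}

int main(void)
{
    /* Constructed sample: MFC0 $8, ErrCtl with a stale value in $8. */
    uint32_t mfc0 = encode_mfc0(8, CP0_ERRCTL, 0);

    printf("mfc0   %08x\n", (unsigned)mfc0);
    printf("buggy  %08x -> $8 = %08x\n", (unsigned)translate_buggy(mfc0),
           (unsigned)guest_value_after(translate_buggy, 8, 0xdeadbeefu));
    printf("fixed  %08x -> $8 = %08x\n", (unsigned)translate_fixed(mfc0),
           (unsigned)guest_value_after(translate_fixed, 8, 0xdeadbeefu));
    return 0;
}
```

With the misplaced field the guest keeps whatever rt held before the instruction instead of reading 0, which is why the entry says only the first, trapped execution returned the right value.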