17 Dec, 2014
20 commits
-
commit 66139a48cee1530c91f37c145384b4ee7043f0b7 upstream.
In snd_usbmidi_error_timer(), the driver tries to resubmit MIDI input
URBs to reactivate the MIDI stream, but this causes the error when
some of URBs are still pending like:WARNING: CPU: 0 PID: 0 at ../drivers/usb/core/urb.c:339 usb_submit_urb+0x5f/0x70()
URB ef705c40 submitted while active
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.16.6-2-desktop #1
Hardware name: FOXCONN TPS01/TPS01, BIOS 080015 03/23/2010
c0984bfa f4009ed4 c078deaf f4009ee4 c024c884 c09a135c f4009f00 00000000
c0984bfa 00000153 c061ac4f c061ac4f 00000009 00000001 ef705c40 e854d1c0
f4009eec c024c8d3 00000009 f4009ee4 c09a135c f4009f00 f4009f04 c061ac4f
Call Trace:
[] try_stack_unwind+0x156/0x170
[] dump_trace+0x5a/0x1b0
[] show_trace_log_lvl+0x46/0x50
[] show_stack_log_lvl+0x51/0xe0
[] show_stack+0x27/0x50
[] dump_stack+0x45/0x65
[] warn_slowpath_common+0x84/0xa0
[] warn_slowpath_fmt+0x33/0x40
[] usb_submit_urb+0x5f/0x70
[] snd_usbmidi_submit_urb+0x14/0x60 [snd_usbmidi_lib]
[] snd_usbmidi_error_timer+0x6a/0xa0 [snd_usbmidi_lib]
[] call_timer_fn+0x30/0x130
[] run_timer_softirq+0x1c2/0x260
[] __do_softirq+0xc3/0x270
[] do_softirq_own_stack+0x22/0x30
[] irq_exit+0x8d/0xa0
[] smp_apic_timer_interrupt+0x38/0x50
[] apic_timer_interrupt+0x34/0x3c
[] cpuidle_enter_state+0x3e/0xd0
[] cpu_idle_loop+0x29d/0x3e0
[] cpu_startup_entry+0x53/0x60
[] start_kernel+0x415/0x41aFor avoiding these errors, check the pending URBs and skip
resubmitting such ones.Reported-and-tested-by: Stefan Seyfried
Acked-by: Clemens Ladisch
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman -
commit fedb2245cbb8d823e449ebdd48ba9bb35c071ce0 upstream.
The built-in mic boost volume gets almost muted after suspend/resume
on Lenovo Ideapad S210.Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88121
Reported-and-tested-by: Roman Kagan
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman -
commit f62f5eff3d40a56ad1cf0d81a6cac8dd8743e8a1 upstream.
The same fixup to enable EAPD is needed for ASUS Z99He with AD1986A
codec like another ASUS machine.Reported-and-tested-by: Dmitry V. Zimin
Signed-off-by: Takashi Iwai
Signed-off-by: Greg Kroah-Hartman -
commit ca5358ef75fc69fee5322a38a340f5739d997c10 upstream.
... by not hitting rename_retry for reasons other than rename having
happened. In other words, do _not_ restart when finding that
between unlocking the child and locking the parent the former got
into __dentry_kill(). Skip the killed siblings instead...Signed-off-by: Al Viro
Signed-off-by: Greg Kroah-Hartman -
commit 946e51f2bf37f1656916eb75bd0742ba33983c28 upstream.
Signed-off-by: Al Viro
Signed-off-by: Greg Kroah-Hartman -
commit 87141db0848aa20c43d453f5545efc8f390d4372 upstream.
Proper operation with the rewritten PCI mini driver requires that a flag be set
when interrupts are enabled. This flag was missed. This patch is one of three needed to
fix the kernel regression reported at https://bugzilla.kernel.org/show_bug.cgi?id=88951.Signed-off-by: Larry Finger
Reported-by: Catalin Iacob
Tested-by: Catalin Iacob
Cc: Catalin Iacob
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman -
commit f892914c03131a445b926b82815b03162c19288e upstream.
In the major update of the rtlwifi-family of drivers, one of the callback entries
was missed, which leads to memory corruption. Unfortunately, this corruption
never caused a kernel oops, but showed up in other parts of the system.
This patch is one of three needed to fix the kernel regression reported at
https://bugzilla.kernel.org/show_bug.cgi?id=88951.Signed-off-by: Larry Finger
Reported-by: Catalin Iacob
Tested-by: Catalin Iacob
Cc: Catalin Iacob
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman -
commit 99a82f734aa6c6d397e029e6dfa933f04e0fa8c8 upstream.
In the major update of the rtlwifi-family of drivers, there was an editing
mistake. Unfortunately, this particular error leads to memory corruption that
silently leads to failure of the system. This patch is one of three needed to
fix the kernel regression reported at https://bugzilla.kernel.org/show_bug.cgi?id=88951.Signed-off-by: Larry Finger
Reported-by: Catalin Iacob
Tested-by: Catalin Iacob
Cc: Catalin Iacob
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 7f19fc5e0b617593dcda0d9956adc78b559ef1f5 ]
For netlink, we shouldn't be using arch_fast_hash() as a hashing
discipline, but rather jhash() instead.Since netlink sockets can be opened by any user, a local attacker
would be able to easily create collisions with the DPDK-derived
arch_fast_hash(), which trades off performance for security by
using crc32 CPU instructions on x86_64.While it might have a legimite use case in other places, it should
be avoided in netlink context, though. As rhashtable's API is very
flexible, we could later on still decide on other hashing disciplines,
if legitimate.Reference: http://thread.gmane.org/gmane.linux.kernel/1844123
Fixes: e341694e3eb5 ("netlink: Convert netlink_lookup() to use RCU protected hash table")
Cc: Herbert Xu
Signed-off-by: Daniel Borkmann
Acked-by: Thomas Graf
Acked-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 69204cf7eb9c5a72067ce6922d4699378251d053 ]
commit 46e5da40ae (net: qdisc: use rcu prefix and silence
sparse warnings) triggers a spurious warning:net/sched/sch_fq_codel.c:97 suspicious rcu_dereference_check() usage!
The code should be using the _bh variant of rcu_dereference.
Signed-off-by: Valdis Kletnieks
Acked-by: Eric Dumazet
Acked-by: John Fastabend
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 11d3d2a16cc1f05c6ece69a4392e99efb85666a6 ]
Commit 97a6d1bb2b658ac85ed88205ccd1ab809899884d (xen-netfront: Fix
handling packets on compound pages with skb_linearize) attempted to
fix a problem where an skb that would have required too many slots
would be dropped causing TCP connections to stall.However, it filled in the first slot using the original buffer and not
the new one and would use the wrong offset and grant access to the
wrong page.Netback would notice the malformed request and stop all traffic on the
VIF, reporting:vif vif-3-0 vif3.0: txreq.offset: 85e, size: 4002, end: 6144
vif vif-3-0 vif3.0: fatal error; disabling deviceReported-by: Anthony Wright
Tested-by: Anthony Wright
Signed-off-by: David Vrabel
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 0f85feae6b710ced3abad5b2b47d31dfcb956b62 ]
When I cooked commit c3658e8d0f1 ("tcp: fix possible NULL dereference in
tcp_vX_send_reset()") I missed other spots we could deref a NULL
skb_dst(skb)Again, if a socket is provided, we do not need skb_dst() to get a
pointer to network namespace : sock_net(sk) is good enough.Reported-by: Dann Frazier
Bisected-by: Dann Frazier
Tested-by: Dann Frazier
Signed-off-by: Eric Dumazet
Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode")
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 9772b54c55266ce80c639a80aa68eeb908f8ecf5 ]
To accomodate for enough headroom for tunnels, use MAX_HEADER instead
of LL_MAX_HEADER. Robert reported that he has hit after roughly 40hrs
of trinity an skb_under_panic() via SCTP output path (see reference).
I couldn't reproduce it from here, but not using MAX_HEADER as elsewhere
in other protocols might be one possible cause for this.In any case, it looks like accounting on chunks themself seems to look
good as the skb already passed the SCTP output path and did not hit
any skb_over_panic(). Given tunneling was enabled in his .config, the
headroom would have been expanded by MAX_HEADER in this case.Reported-by: Robert Święcki
Reference: https://lkml.org/lkml/2014/12/1/507
Fixes: 594ccc14dfe4d ("[SCTP] Replace incorrect use of dev_alloc_skb with alloc_skb in sctp_packet_transmit().")
Signed-off-by: Daniel Borkmann
Acked-by: Vlad Yasevich
Acked-by: Neil Horman
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 5f478b41033606d325e420df693162e2524c2b94 ]
mvneta_tx() dereferences skb to get skb->len too late,
as hardware might have completed the transmit and TX completion
could have freed the skb from another cpu.Fixes: 71f6d1b31fb1 ("net: mvneta: replace Tx timer with a real interrupt")
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit aebea2ba0f7495e1a1c9ea5e753d146cb2f6b845 ]
The mvneta driver sets the amount of Tx coalesce packets to 16 by
default. Normally that does not cause any trouble since the driver
uses a much larger Tx ring size (532 packets). But some sockets
might run with very small buffers, much smaller than the equivalent
of 16 packets. This is what ping is doing for example, by setting
SNDBUF to 324 bytes rounded up to 2kB by the kernel.The problem is that there is no documented method to force a specific
packet to emit an interrupt (eg: the last of the ring) nor is it
possible to make the NIC emit an interrupt after a given delay.In this case, it causes trouble, because when ping sends packets over
its raw socket, the few first packets leave the system, and the first
15 packets will be emitted without an IRQ being generated, so without
the skbs being freed. And since the socket's buffer is small, there's
no way to reach that amount of packets, and the ping ends up with
"send: no buffer available" after sending 6 packets. Running with 3
instances of ping in parallel is enough to hide the problem, because
with 6 packets per instance, that's 18 packets total, which is enough
to grant a Tx interrupt before all are sent.The original driver in the LSP kernel worked around this design flaw
by using a software timer to clean up the Tx descriptors. This timer
was slow and caused terrible network performance on some Tx-bound
workloads (such as routing) but was enough to make tools like ping
work correctly.Instead here, we simply set the packet counts before interrupt to 1.
This ensures that each packet sent will produce an interrupt. NAPI
takes care of coalescing interrupts since the interrupt is disabled
once generated.No measurable performance impact nor CPU usage were observed on small
nor large packets, including when saturating the link on Tx, and this
fixes tools like ping which rely on too small a send buffer. If one
wants to increase this value for certain workloads where it is safe
to do so, "ethtool -C $dev tx-frames" will override this default
setting.This fix needs to be applied to stable kernels starting with 3.10.
Tested-By: Maggie Mae Roxas
Signed-off-by: Willy Tarreau
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 2e46477a12f6fd273e31a220b155d66e8352198c ]
Remove optimize_div() from BPF_MOD | BPF_K case
since we don't know the dividend and fix the
emit_mod() by reading the mod operation result from HI registerSigned-off-by: Denis Kirjanov
Reviewed-by: Markos Chandras
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit f2a01517f2a1040a0b156f171a7cefd748f2fd03 ]
Following patch fixes typo in the flow validation. This prevented
installation of ARP and IPv6 flows.Fixes: 19e7a3df72 ("openvswitch: Fix NDP flow mask validation")
Signed-off-by: Pravin B Shelar
Reviewed-by: Thomas Graf
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 6fb2a756739aa507c1fd5b8126f0bfc2f070dc46 ]
Set the inner mac header to point to the GRE payload when
doing GRO. This is needed if we proceed to send the packet
through GRE GSO which now uses the inner mac header instead
of inner network header to determine the length of encapsulation
headers.Fixes: 14051f0452a2 ("gre: Use inner mac length when computing tunnel length")
Reported-by: Wolfgang Walter
Signed-off-by: Tom Herbert
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
[ Upstream commit 00c83b01d58068dfeb2e1351cca6fccf2a83fa8f ]
Currently, when trying to reuse a socket, vxlan_sock_add will grab
vn->sock_lock, locate a reusable socket, inc refcount and release
vn->sock_lock.But vxlan_sock_release() will first decrement refcount, and then grab
that lock. refcnt operations are atomic but as currently we have
deferred works which hold vs->refcnt each, this might happen, leading to
a use after free (specially after vxlan_igmp_leave):CPU 1 CPU 2
deferred work vxlan_sock_add
... ...
spin_lock(&vn->sock_lock)
vs = vxlan_find_sock();
vxlan_sock_release
dec vs->refcnt, reaches 0
spin_lock(&vn->sock_lock)
vxlan_sock_hold(vs), refcnt=1
spin_unlock(&vn->sock_lock)
hlist_del_rcu(&vs->hlist);
vxlan_notify_del_rx_port(vs)
spin_unlock(&vn->sock_lock)So when we look for a reusable socket, we check if it wasn't freed
already before reusing it.Signed-off-by: Marcelo Ricardo Leitner
Fixes: 7c47cedf43a8b3 ("vxlan: move IGMP join/leave to work queue")
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
08 Dec, 2014
2 commits
-
Pull libata fixes from Tejun Heo:
"Three libata fixes for v3.18. Nothing too interesting. PCI ID ID and
quirk additions to ahci and an error handling path fix in sata_fsl"* 'for-3.18-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
ahci: disable MSI on SAMSUNG 0xa800 SSD
sata_fsl: fix error handling of irq_of_parse_and_map
AHCI: Add DeviceIDs for Sunrise Point-LP SATA controller
07 Dec, 2014
2 commits
-
Pull watchdog fix from Wim Van Sebroeck:
"Fix the watchdog mask bit offset for Exynos7"* git://www.linux-watchdog.org/linux-watchdog:
watchdog: s3c2410_wdt: Fix the mask bit offset for Exynos7 -
Pull i2c fixes from Wolfram Sang:
"Here are two more driver bugfixes for I2C which would be good to have"* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: cadence: Set the hardware time-out register to maximum value
i2c: davinci: generate STP always when NACK is received
06 Dec, 2014
3 commits
-
The watchdog mask bit offset listed for Exynos7 is incorrect.
Fix this.Signed-off-by: Abhilash Kesavan
Acked-by: Naveen Krishna Chatradhi
Signed-off-by: Wim Van Sebroeck -
Pull x86 fixes from Thomas Gleixner:
"Two final fixlets for 3.18:
- Prevent microcode reload wreckage on 32bit
- Unbreak cross compilation"* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86, microcode: Limit the microcode reloading to 64-bit for now
x86: Use $(OBJDUMP) instead of plain objdump -
Pull sound fixlet from Takashi Iwai:
"Just one commit for adding a copule of HD-audio quirk entries"* tag 'sound-3.18' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda/realtek - Add headset Mic support for new Dell machine
05 Dec, 2014
8 commits
-
Pull drm intel fixes from Dave Airlie:
"Two intel stable fixes, that should be it from me for this round"* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/i915: Unlock panel even when LVDS is disabled
drm/i915: More cautious with pch fifo underruns -
Pull ACPI backlight fix from Rafael Wysocki:
"This is a simple fix for an ACPI backlight regression introduced by a
recent commit that overlooked a corner case which should have been
taken into account"* tag 'pm+acpi-3.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
ACPI / video: update condition to check if device is in _DOD list -
Silence some pch fifo underrun reports and panel locking backtraces,
both cc: stable.* tag 'drm-intel-fixes-2014-12-04' of git://anongit.freedesktop.org/drm-intel:
drm/i915: Unlock panel even when LVDS is disabled
drm/i915: More cautious with pch fifo underruns -
Pull media fixes from Mauro Carvalho Chehab:
"A core fix and some driver fixes:
- regression fix in Remote Controller core affecting RC6 protocol
handling
- fix video buffer handling in cx23885
- race fix in solo6x10
- fix image selection in smiapp
- fix reported payload size on s2255drv
- two updates for MAINTAINERS file"* tag 'media/v3.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
[media] rc-core: fix toggle handling in the rc6 decoder
MAINTAINERS: Update mchehab's addresses
[media] cx23885: use sg = sg_next(sg) instead of sg++
[media] s2255drv: fix payload size for JPG, MJPEG
[media] Update MAINTAINERS for solo6x10
[media] solo6x10: fix a race in IRQ handler
[media] smiapp: Only some selection targets are settable -
A typo "header=y" was introduced by commit 7071cf7fc435 ("uapi: add
missing network related headers to kbuild").Signed-off-by: Masahiro Yamada
Cc: Stephen Hemminger
Cc: David Miller
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Cadence I2C controller has bug wherein it generates invalid read transactions
after timeout in master receiver mode. This driver does not use the HW
timeout and this interrupt is disabled but the feature itself cannot be
disabled. Hence, this patch writes the maximum value (0xFF) to this register.
This is one of the workarounds to this bug and it will not avoid the issue
completely but reduces the chances of error.Signed-off-by: Vishnu Motghare
Signed-off-by: Harini Katakam
Signed-off-by: Wolfram Sang
Cc: stable@kernel.org -
According to I2C specification the NACK should be handled as follows:
"When SDA remains HIGH during this ninth clock pulse, this is defined as the Not
Acknowledge signal. The master can then generate either a STOP condition to
abort the transfer, or a repeated START condition to start a new transfer."
[I2C spec Rev. 6, 3.1.6: http://www.nxp.com/documents/user_manual/UM10204.pdf]Currently the Davinci i2c driver interrupts the transfer on receipt of a
NACK but fails to send a STOP in some situations and so makes the bus
stuck until next I2C IP reset (idle/enable).For example, the issue will happen during SMBus read transfer which
consists from two i2c messages write command/address and read data:S Slave Address Wr A Command Code A Sr Slave Address Rd A D1..Dn A P
The I2C client device will send NACK if it can't recognize "Command Code"
and it's expected from I2C master to generate STP in this case.
But now, Davinci i2C driver will just exit with -EREMOTEIO and STP will
not be generated.Hence, fix it by generating Stop condition (STP) always when NACK is received.
This patch fixes Davinci I2C in the same way it was done for OMAP I2C
commit cda2109a26eb ("i2c: omap: query STP always when NACK is received").Reviewed-by: Uwe Kleine-König
Reported-by: Hein Tibosch
Signed-off-by: Grygorii Strashko
Signed-off-by: Wolfram Sang
Cc: stable@kernel.org -
Just like 0x1600 which got blacklisted by 66a7cbc303f4 ("ahci: disable
MSI instead of NCQ on Samsung pci-e SSDs on macbooks"), 0xa800 chokes
on NCQ commands if MSI is enabled. Disable MSI.Signed-off-by: Tejun Heo
Reported-by: Dominik Mierzejewski
Link: https://bugzilla.kernel.org/show_bug.cgi?id=89171
Cc: stable@vger.kernel.org
04 Dec, 2014
5 commits
-
It appears that some SCHEDULE_USER (asm for schedule_user) callers
in arch/x86/kernel/entry_64.S are called from RCU kernel context,
and schedule_user will return in RCU user context. This causes RCU
warnings and possible failures.This is intended to be a minimal fix suitable for 3.18.
Reported-and-tested-by: Dave Jones
Cc: Oleg Nesterov
Cc: Frédéric Weisbecker
Acked-by: Paul E. McKenney
Signed-off-by: Andy Lutomirski
Signed-off-by: Linus Torvalds -
Pull i2c bugfixes from Wolfram Sang:
"A few driver bugfixes for 3.18"* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: omap: fix i207 errata handling
i2c: designware: prevent early stop on TX FIFO empty
i2c: omap: fix NACK and Arbitration Lost irq handling -
Pull PCI fix from Bjorn Helgaas:
"This fixes a Tegra20 regression that we introduced during the v3.18
merge window"* tag 'pci-v3.18-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI: tegra: Use physical range for I/O mapping -
Pull devicetree bugfix from Grant Likely:
"One more bug fix for v3.18. I debated whether or not to send you this
merge request because we're at such a late rc. The bug isn't critical
in that there is only one system known to be affected and the patch is
easy to backport. The codepath is used by pretty much every DT based
system, so there is risk a of regression (it /should/ be safe, but
I've been bitten by stuff that should be safe before). I've had it in
linux-next for a week and haven't received any complaints.I think it probably should just be merged right away rather than
waiting for the merge window and backporting. It does fix a real bug
and the code is theoretically safer after the change. I can't think
of any situation where it would be dangerous to reserve the DT memory
an extra time.Summary from tag:
Single bugfix for boot failure seen in the wild. The memory reserve
code tries to be clever about reserving the FDT, but it should just
go ahead and reserve it unconditionally to avoid the problem of
partial overlap described in the patch"* tag 'devicetree-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/glikely/linux:
of/fdt: memblock_reserve /memreserve/ regions in the case of partial overlap -
Pull block core regression fix from Jens Axboe:
"Single fix for a regression introduced in this development cycle,
where dm on top of dif/dix is broken. From Darrick Wong"* 'for-linus' of git://git.kernel.dk/linux-block:
block: fix regression where bio_integrity_process uses wrong bio_vec iterator