2016-04-12 18:08:12

by Luis Henriques

Subject: [3.16.y-ckt stable] Linux 3.16.7-ckt27 stable review

NOTE: The 3.16.7-ckt27 release will be the last 3.16 stable kernel
release provided by the Canonical kernel team. However, as
previously announced [1], Ben Hutchings will continue to maintain it
for Debian 8 'jessie'.

[1] https://lists.debian.org/debian-kernel/2014/07/msg00413.html

This is the start of the review cycle for the Linux 3.16.7-ckt27 stable
kernel.

This version contains 17 new patches, summarized below. The new patches
are posted as replies to this message and also available in this git branch:

http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-review

git://kernel.ubuntu.com/ubuntu/linux.git linux-3.16.y-review

The review period for version 3.16.7-ckt27 will be open for the next three
days. To report a problem, please reply to the relevant follow-up patch
message.

For more information about the Linux 3.16.y-ckt extended stable kernel
series, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable .

-Luis

--
arch/x86/include/asm/xen/hypervisor.h | 2 ++
arch/x86/kernel/process_64.c | 12 ++++++++++
arch/x86/xen/enlighten.c | 2 +-
drivers/gpu/drm/radeon/radeon_sa.c | 7 ++++++
drivers/hv/vmbus_drv.c | 36 ++++++++++++++++++++++++++++++
drivers/input/misc/ati_remote2.c | 36 +++++++++++++++++++++++++-----
drivers/input/misc/powermate.c | 3 +++
drivers/scsi/ipr.c | 10 ++++++---
drivers/staging/comedi/drivers/ni_tiocmd.c | 2 +-
drivers/usb/class/cdc-acm.c | 3 +++
drivers/usb/misc/iowarrior.c | 6 +++++
fs/ceph/mds_client.c | 6 ++++-
include/linux/cpu.h | 6 +++++
include/linux/poison.h | 4 ++--
init/main.c | 1 +
kernel/cpu.c | 34 +++++++++++++++++++++++++---
net/ipv4/devinet.c | 4 ++++
net/ipv4/fib_frontend.c | 4 ++++
net/ipv4/netfilter/ipt_MASQUERADE.c | 12 ++++++++--
sound/usb/clock.c | 2 ++
sound/usb/endpoint.c | 3 +++
sound/usb/mixer_quirks.c | 4 ++++
sound/usb/pcm.c | 2 ++
sound/usb/quirks.c | 6 +++++
24 files changed, 188 insertions(+), 19 deletions(-)

Andy Lutomirski (1):
x86/iopl/64: Properly context-switch IOPL on Xen PV

David S. Miller (1):
ipv4: Don't do expensive useless work during inetdev destroy.

Gabriel Krisman Bertazi (1):
ipr: Fix regression when loading firmware

Ingo Molnar (1):
cpu: Provide smpboot_thread_init() on !CONFIG_SMP kernels as well

Insu Yun (1):
ipr: Fix out-of-bounds null overwrite

Josh Boyer (2):
Input: powermate - fix oops with malicious USB descriptors
USB: iowarrior: fix oops with malicious USB descriptors

Nicolai Hähnle (1):
drm/radeon: hold reference to fences in radeon_sa_bo_new (3.17 and older)

Oliver Neukum (1):
USB: cdc-acm: more sanity checking

Paul E. McKenney (1):
cpu: Defer smpboot kthread unparking until CPU known to scheduler

Spencer E. Olson (1):
staging: comedi: ni_tiocmd: change mistaken use of start_src for start_arg

Takashi Iwai (2):
ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()
ALSA: usb-audio: Add sanity checks for endpoint accesses

Vasily Kulikov (1):
include/linux/poison.h: fix LIST_POISON{1,2} offset

Vitaly Kuznetsov (1):
Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors

Vladis Dronov (1):
Input: ati_remote2 - fix crashes on detecting device with invalid descriptor

Yan, Zheng (1):
ceph: fix request time stamp encoding


2016-04-12 18:08:20

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 04/17] ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Takashi Iwai <[email protected]>

commit 0f886ca12765d20124bd06291c82951fd49a33be upstream.

create_fixed_stream_quirk() may cause a NULL-pointer dereference by
accessing the non-existing endpoint when a USB device with a malformed
USB descriptor is used.

This patch avoids it simply by adding a sanity check of bNumEndpoints
before the accesses.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Signed-off-by: Takashi Iwai <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
sound/usb/quirks.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 0980405f987a..a8e3fb4c2e11 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -168,6 +168,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
}
alts = &iface->altsetting[fp->altset_idx];
altsd = get_iface_desc(alts);
+ if (altsd->bNumEndpoints < 1) {
+ kfree(fp);
+ kfree(rate_table);
+ return -EINVAL;
+ }
+
fp->protocol = altsd->bInterfaceProtocol;

if (fp->datainterval == 0)
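Review bot: the `bNumEndpoints < 1` test is the right guard for the later `endpoint[0]` access, and -EINVAL is the appropriate code for a malformed descriptor; the kfree(fp)/kfree(rate_table) pair on this exit should match the other early exits in the function (not visible in the hunk), and kfree() on a still-NULL rate_table is harmless. One nit: `altsd` is taken from `iface->altsetting[fp->altset_idx]`, so this check relies on the altset_idx bounds check earlier in the function, which is outside the hunk.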

2016-04-12 18:08:31

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 17/17] Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Vitaly Kuznetsov <[email protected]>

commit e513229b4c386e6c9f66298c13fde92f73e6e1ac upstream.

When an SMP Hyper-V guest is running on top of 2012R2 Server and secondary
cpus are sent offline (with echo 0 > /sys/devices/system/cpu/cpu$cpu/online)
a system freeze is observed. This happens due to the fact that on newer
hypervisors (Win8, WS2012R2, ...) vmbus channel handlers are distributed
across all cpus (see init_vp_index() function in drivers/hv/channel_mgmt.c)
and on cpu offlining nobody reassigns them to CPU0. Prevent cpu offlining
when vmbus is loaded until the issue is fixed host-side.

This patch also disables hibernation but it is OK as it is also broken (MCE
error is hit on resume). Suspend still works.

Tested with WS2008R2 and WS2012R2.

Signed-off-by: Vitaly Kuznetsov <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Cc: Chas Williams <[email protected]>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/hv/vmbus_drv.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)

diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index 4d6b26979fbd..233da0b9f4b9 100644
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -32,6 +32,7 @@
#include <linux/completion.h>
#include <linux/hyperv.h>
#include <linux/kernel_stat.h>
+#include <linux/cpu.h>
#include <asm/hyperv.h>
#include <asm/hypervisor.h>
#include <asm/mshyperv.h>
@@ -671,6 +672,39 @@ static void vmbus_isr(void)
tasklet_schedule(&msg_dpc);
}

+#ifdef CONFIG_HOTPLUG_CPU
+static int hyperv_cpu_disable(void)
+{
+ return -ENOSYS;
+}
+
+static void hv_cpu_hotplug_quirk(bool vmbus_loaded)
+{
+ static void *previous_cpu_disable;
+
+ /*
+ * Offlining a CPU when running on newer hypervisors (WS2012R2, Win8,
+ * ...) is not supported at this moment as channel interrupts are
+ * distributed across all of them.
+ */
+
+ if ((vmbus_proto_version == VERSION_WS2008) ||
+ (vmbus_proto_version == VERSION_WIN7))
+ return;
+
+ if (vmbus_loaded) {
+ previous_cpu_disable = smp_ops.cpu_disable;
+ smp_ops.cpu_disable = hyperv_cpu_disable;
+ pr_notice("CPU offlining is not supported by hypervisor\n");
+ } else if (previous_cpu_disable)
+ smp_ops.cpu_disable = previous_cpu_disable;
+}
+#else
+static void hv_cpu_hotplug_quirk(bool vmbus_loaded)
+{
+}
+#endif
+
/*
* vmbus_bus_init -Main vmbus driver initialization routine.
*
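Review bot: `previous_cpu_disable` is declared `static void *` but stores and restores a function pointer (`smp_ops.cpu_disable`); converting between object and function pointers is not portable C, and declaring it with the callback's own type, `static int (*previous_cpu_disable)(void);`, keeps both assignments type-checked. The comment block should also say that returning -ENOSYS from cpu_disable makes _cpu_down() and hence disable_nonboot_cpus() fail, which is what disables hibernation as the commit message notes; a reader of this code alone cannot tell that is intended.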
@@ -711,6 +745,7 @@ static int vmbus_bus_init(int irq)
if (ret)
goto err_alloc;

+ hv_cpu_hotplug_quirk(true);
vmbus_request_offers();

return 0;
@@ -964,6 +999,7 @@ static void __exit vmbus_exit(void)
bus_unregister(&hv_bus);
hv_cleanup();
acpi_bus_unregister_driver(&vmbus_acpi_driver);
+ hv_cpu_hotplug_quirk(false);
}



2016-04-12 18:08:27

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 16/17] drm/radeon: hold reference to fences in radeon_sa_bo_new (3.17 and older)

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Nicolai Hähnle <[email protected]>

commit f6ff4f67cdf8455d0a4226eeeaf5af17c37d05eb upstream.

An arbitrary amount of time can pass between spin_unlock and
radeon_fence_wait_any, so we need to ensure that nobody frees the
fences from under us.

Based on the analogous fix for amdgpu.

Signed-off-by: Nicolai Hähnle <[email protected]>
Reviewed-by: Christian König <[email protected]> (v1 + fix)
Tested-by: Lutz Euler <[email protected]>
[ nicolai:
Backport of upstream commit f6ff4f67cdf8455d0a4226eeeaf5af17c37d05eb, with
an additional NULL pointer guard that is required for kernels 3.17 and older.

To be precise, any kernel that does *not* have commit 954605ca3 "drm/radeon:
use common fence implementation for fences, v4" requires this additional
NULL pointer guard.]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/radeon/radeon_sa.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/gpu/drm/radeon/radeon_sa.c b/drivers/gpu/drm/radeon/radeon_sa.c
index adcf3e2f07da..ef86509fe5f6 100644
--- a/drivers/gpu/drm/radeon/radeon_sa.c
+++ b/drivers/gpu/drm/radeon/radeon_sa.c
@@ -349,8 +349,15 @@ int radeon_sa_bo_new(struct radeon_device *rdev,
/* see if we can skip over some allocations */
} while (radeon_sa_bo_next_hole(sa_manager, fences, tries));

+ for (i = 0; i < RADEON_NUM_RINGS; ++i) {
+ if (fences[i])
+ radeon_fence_ref(fences[i]);
+ }
+
spin_unlock(&sa_manager->wq.lock);
r = radeon_fence_wait_any(rdev, fences, false);
+ for (i = 0; i < RADEON_NUM_RINGS; ++i)
+ radeon_fence_unref(&fences[i]);
spin_lock(&sa_manager->wq.lock);
/* if we have nothing to wait for block */
if (r == -ENOENT) {
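Review bot: the ref loop is guarded with `if (fences[i])` but the unref loop calls radeon_fence_unref(&fences[i]) for every ring, so the patch depends on radeon_fence_unref() tolerating a NULL slot; that is presumably the asymmetry the backport note refers to (the extra guard is only needed on the ref side for pre-954605ca3 kernels), and the commit message would be clearer if it said so explicitly. Since radeon_fence_unref() takes a pointer-to-pointer and clears the slot, `fences[]` is all NULL after the wait; that is fine only because the enclosing do/while repopulates it via radeon_sa_bo_next_hole() before the next wait.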

2016-04-12 18:08:48

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 13/17] cpu: Provide smpboot_thread_init() on !CONFIG_SMP kernels as well

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Ingo Molnar <[email protected]>

commit 590ee7dbd569a012df705a5204fc5f1066f52b8c upstream.

Now that we are using smpboot_thread_init() in init/main.c as well,
provide it for !CONFIG_SMP as well.

This addresses a !CONFIG_SMP build failure.

Cc: Paul E. McKenney <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Signed-off-by: Ingo Molnar <[email protected]>
Cc: Kamal Mostafa <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
include/linux/cpu.h | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index cd895a5e4d59..285111f95464 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -206,6 +206,10 @@ static inline void cpu_notifier_register_done(void)
{
}

+static inline void smpboot_thread_init(void)
+{
+}
+
#endif /* CONFIG_SMP */
extern struct bus_type cpu_subsys;

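Review bot: the series order leaves commits 07/17 through 12/17 unbuildable with CONFIG_SMP=n, since 07/17 adds the unconditional smpboot_thread_init() call in init/main.c and only this stub supplies the !CONFIG_SMP definition; placing this patch directly before (or squashing it into) 07/17 would keep every intermediate commit bisectable. The stub itself is correctly placed in the !CONFIG_SMP branch just before `#endif /* CONFIG_SMP */`, so it does not collide with the CONFIG_SMP-only prototype.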

2016-04-12 18:09:26

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 15/17] staging: comedi: ni_tiocmd: change mistaken use of start_src for start_arg

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Spencer E. Olson" <[email protected]>

commit 1fd24a4702d2af0ea4d5845126cf57d4d1796216 upstream.

This fixes a bug in function ni_tio_input_inttrig(). The trigger number
should be compared to cmd->start_arg, not cmd->start_src.

Fixes: 6a760394d7eb ("staging: comedi: ni_tiocmd: clarify the cmd->start_arg validation and use")
Signed-off-by: Spencer E. Olson <[email protected]>
Reviewed-by: Ian Abbott <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Cc: Ian Abbott <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/staging/comedi/drivers/ni_tiocmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/comedi/drivers/ni_tiocmd.c b/drivers/staging/comedi/drivers/ni_tiocmd.c
index 2557ab48cb6c..db4dc1410342 100644
--- a/drivers/staging/comedi/drivers/ni_tiocmd.c
+++ b/drivers/staging/comedi/drivers/ni_tiocmd.c
@@ -98,7 +98,7 @@ static int ni_tio_input_inttrig(struct comedi_device *dev,

BUG_ON(counter == NULL);

- if (trig_num != cmd->start_src)
+ if (trig_num != cmd->start_arg)
return -EINVAL;

spin_lock_irqsave(&counter->lock, flags);

2016-04-12 18:09:48

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 14/17] x86/iopl/64: Properly context-switch IOPL on Xen PV

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Andy Lutomirski <[email protected]>

commit b7a584598aea7ca73140cb87b40319944dd3393f upstream.

On Xen PV, regs->flags doesn't reliably reflect IOPL and the
exit-to-userspace code doesn't change IOPL. We need to context
switch it manually.

I'm doing this without going through paravirt because this is
specific to Xen PV. After the dust settles, we can merge this with
the 32-bit code, tidy up the iopl syscall implementation, and remove
the set_iopl pvop entirely.

Fixes XSA-171.

Reviewed-by: Jan Beulich <[email protected]>
Signed-off-by: Andy Lutomirski <[email protected]>
Cc: Andrew Cooper <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Boris Ostrovsky <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: David Vrabel <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Jan Beulich <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: http://lkml.kernel.org/r/693c3bd7aeb4d3c27c92c622b7d0f554a458173c.1458162709.git.luto@kernel.org
Signed-off-by: Ingo Molnar <[email protected]>
[ kamal: backport to 3.19-stable: no X86_FEATURE_XENPV so just call
xen_pv_domain() directly ]
Acked-by: Andy Lutomirski <[email protected]>
Signed-off-by: Kamal Mostafa <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
arch/x86/include/asm/xen/hypervisor.h | 2 ++
arch/x86/kernel/process_64.c | 12 ++++++++++++
arch/x86/xen/enlighten.c | 2 +-
3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h
index d866959e5685..d2ad00a42234 100644
--- a/arch/x86/include/asm/xen/hypervisor.h
+++ b/arch/x86/include/asm/xen/hypervisor.h
@@ -57,4 +57,6 @@ static inline bool xen_x2apic_para_available(void)
}
#endif

+extern void xen_set_iopl_mask(unsigned mask);
+
#endif /* _ASM_X86_XEN_HYPERVISOR_H */
diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
index e2072dc4b67a..a6f51ad11d89 100644
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -49,6 +49,7 @@
#include <asm/syscalls.h>
#include <asm/debugreg.h>
#include <asm/switch_to.h>
+#include <asm/xen/hypervisor.h>

asmlinkage extern void ret_from_fork(void);

@@ -427,6 +428,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
__switch_to_xtra(prev_p, next_p, tss);

+#ifdef CONFIG_XEN
+ /*
+ * On Xen PV, IOPL bits in pt_regs->flags have no effect, and
+ * current_pt_regs()->flags may not match the current task's
+ * intended IOPL. We need to switch it manually.
+ */
+ if (unlikely(xen_pv_domain() &&
+ prev->iopl != next->iopl))
+ xen_set_iopl_mask(next->iopl);
+#endif
+
return prev_p;
}

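Review bot: the new block dereferences `prev->iopl` and `next->iopl`, but the visible context only shows `prev_p`/`next_p`; this relies on __switch_to() in 3.16 already defining `struct thread_struct *prev = &prev_p->thread, *next = &next_p->thread` (mainline's convention), which the backporter should confirm since the hunk does not add them. The `#ifdef CONFIG_XEN` guard is consistent with the unconditional `#include <asm/xen/hypervisor.h>` because that header only declares the symbol; comparing `prev->iopl != next->iopl` before calling xen_set_iopl_mask() keeps the hypercall off the common path.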
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
index 32d00ce4a194..e1e7f4f1fb80 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -956,7 +956,7 @@ static void xen_load_sp0(struct tss_struct *tss,
xen_mc_issue(PARAVIRT_LAZY_CPU);
}

-static void xen_set_iopl_mask(unsigned mask)
+void xen_set_iopl_mask(unsigned mask)
{
struct physdev_set_iopl set_iopl;

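Review bot: dropping `static` makes xen_set_iopl_mask() visible to process_64.c without an EXPORT_SYMBOL, which is fine because __switch_to() is always built-in and never modular; the matching extern declaration in the hypervisor.h hunk sits outside any CONFIG_XEN guard, which is harmless for a declaration.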

2016-04-12 18:09:44

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 06/17] include/linux/poison.h: fix LIST_POISON{1,2} offset

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Vasily Kulikov <[email protected]>

commit 8a5e5e02fc83aaf67053ab53b359af08c6c49aaf upstream.

Poison pointer values should be small enough to find room in
non-mmap'able/hardly-mmap'able space. E.g. on x86 "poison pointer space"
is located starting from 0x0. Given that unprivileged users cannot mmap
anything below mmap_min_addr, it should be safe to use poison pointers
lower than mmap_min_addr.

The current poison pointer values of LIST_POISON{1,2} might be too big for
mmap_min_addr values equal to or less than 1 MB (common case, e.g. Ubuntu
uses only 0x10000). There is little point in using such a big value given
the "poison pointer space" below 1 MB is not yet exhausted. Changing it
to a smaller value solves the problem for small mmap_min_addr setups.

The values are suggested by Solar Designer:
http://www.openwall.com/lists/oss-security/2015/05/02/6

Signed-off-by: Vasily Kulikov <[email protected]>
Cc: Solar Designer <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: "Kirill A. Shutemov" <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
include/linux/poison.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/poison.h b/include/linux/poison.h
index 2110a81c5e2a..253c9b4198ef 100644
--- a/include/linux/poison.h
+++ b/include/linux/poison.h
@@ -19,8 +19,8 @@
* under normal circumstances, used to verify that nobody uses
* non-initialized list entries.
*/
-#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
-#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
+#define LIST_POISON1 ((void *) 0x100 + POISON_POINTER_DELTA)
+#define LIST_POISON2 ((void *) 0x200 + POISON_POINTER_DELTA)

/********** include/linux/timer.h **********/
/*
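Review bot: on x86_64 POISON_POINTER_DELTA is 0xdead000000000000 (CONFIG_ILLEGAL_POINTER_VALUE), so both the old and the new constants are non-canonical there and this change is behaviourally neutral; the fix matters where the delta is 0 (x86-32 among others), where 0x00100100 lies above a 64 KB mmap_min_addr while 0x100/0x200 sit below it. The values only need to be distinct, non-NULL and unmappable by unprivileged users, which both remain.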

2016-04-12 18:09:43

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 10/17] Input: ati_remote2 - fix crashes on detecting device with invalid descriptor

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Vladis Dronov <[email protected]>

commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d upstream.

The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given a malicious descriptor that specifies one
interface or no endpoints, it will crash in the probe function.
Ensure there are at least two interfaces and one endpoint for each
interface before using it.

The full disclosure: http://seclists.org/bugtraq/2016/Mar/90

Reported-by: Ralf Spenneberg <[email protected]>
Signed-off-by: Vladis Dronov <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
index f63341f20b91..e8c6a4842e91 100644
--- a/drivers/input/misc/ati_remote2.c
+++ b/drivers/input/misc/ati_remote2.c
@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d

ar2->udev = udev;

+ /* Sanity check, first interface must have an endpoint */
+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+ dev_err(&interface->dev,
+ "%s(): interface 0 must have an endpoint\n", __func__);
+ r = -ENODEV;
+ goto fail1;
+ }
ar2->intf[0] = interface;
ar2->ep[0] = &alt->endpoint[0].desc;

+ /* Sanity check, the device must have two interfaces */
ar2->intf[1] = usb_ifnum_to_if(udev, 1);
+ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
+ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
+ __func__, udev->actconfig->desc.bNumInterfaces);
+ r = -ENODEV;
+ goto fail1;
+ }
+
r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
if (r)
goto fail1;
+
+ /* Sanity check, second interface must have an endpoint */
alt = ar2->intf[1]->cur_altsetting;
+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+ dev_err(&interface->dev,
+ "%s(): interface 1 must have an endpoint\n", __func__);
+ r = -ENODEV;
+ goto fail2;
+ }
ar2->ep[1] = &alt->endpoint[0].desc;

r = ati_remote2_urb_init(ar2);
if (r)
- goto fail2;
+ goto fail3;

ar2->channel_mask = channel_mask;
ar2->mode_mask = mode_mask;

r = ati_remote2_setup(ar2, ar2->channel_mask);
if (r)
- goto fail2;
+ goto fail3;

usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
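Review bot: `usb_ifnum_to_if(udev, 1)` is called before the `bNumInterfaces < 2` test, which is safe because usb_ifnum_to_if() returns NULL for a missing interface rather than indexing past the array; the `!ar2->intf[1]` half of the condition is what actually protects usb_driver_claim_interface(), and the count check mainly improves the error message. The goto targets are right: both checks before the claim go to fail1, and the interface-1 endpoint check goes to fail2 so the claimed interface is released.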
@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d

r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
if (r)
- goto fail2;
+ goto fail3;

r = ati_remote2_input_init(ar2);
if (r)
- goto fail3;
+ goto fail4;

usb_set_intfdata(interface, ar2);

@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d

return 0;

- fail3:
+ fail4:
sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
- fail2:
+ fail3:
ati_remote2_urb_cleanup(ar2);
+ fail2:
usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
fail1:
kfree(ar2);
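Review bot: the relabelled unwind (fail4 sysfs group, fail3 URBs, fail2 interface release, fail1 kfree) is consistent with every updated goto in the earlier hunks; with `fail2:` now sitting between urb cleanup and usb_driver_release_interface(), any future `goto fail2` must only be reachable after the claim succeeded, which the probe path in the first hunk guarantees.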

2016-04-12 18:08:23

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 11/17] USB: cdc-acm: more sanity checking

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Oliver Neukum <[email protected]>

commit 8835ba4a39cf53f705417b3b3a94eb067673f2c9 upstream.

An attack has become available which pretends to be a quirky
device circumventing normal sanity checks and crashes the kernel
with an insufficient number of interfaces. This patch adds a check
to the code path for quirky devices.

Signed-off-by: Oliver Neukum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/class/cdc-acm.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 332be4c5745c..54061a3bc5e9 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1104,6 +1104,9 @@ static int acm_probe(struct usb_interface *intf,
if (quirks == NO_UNION_NORMAL) {
data_interface = usb_ifnum_to_if(usb_dev, 1);
control_interface = usb_ifnum_to_if(usb_dev, 0);
+ /* we would crash */
+ if (!data_interface || !control_interface)
+ return -ENODEV;
goto skip_normal_probe;
}

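Review bot: the comment `/* we would crash */` states the effect but not the reason; suggest something like `/* NO_UNION_NORMAL skips descriptor parsing, so interfaces 0 and 1 are assumed and may be absent */` so the next reader knows why both lookups can return NULL. Returning -ENODEV directly is fine here provided nothing has been allocated before this early-quirk block, which the context suggests.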

2016-04-12 18:11:12

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 07/17] cpu: Defer smpboot kthread unparking until CPU known to scheduler

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Paul E. McKenney" <[email protected]>

commit 00df35f991914db6b8bde8cf09808e19a9cffc3d upstream.

Currently, smpboot_unpark_threads() is invoked before the incoming CPU
has been added to the scheduler's runqueue structures. This might
potentially cause the unparked kthread to run on the wrong CPU, since the
correct CPU isn't fully set up yet.

That causes a sporadic, hard to debug boot crash triggering on some
systems, reported by Borislav Petkov, and bisected down to:

2a442c9c6453 ("x86: Use common outgoing-CPU-notification code")

This patch places smpboot_unpark_threads() in a CPU hotplug
notifier with priority set so that these kthreads are unparked just after
the CPU has been added to the runqueues.

Reported-and-tested-by: Borislav Petkov <[email protected]>
Signed-off-by: Paul E. McKenney <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Signed-off-by: Ingo Molnar <[email protected]>
Cc: Owen Hofmann <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
include/linux/cpu.h | 2 ++
init/main.c | 1 +
kernel/cpu.c | 34 +++++++++++++++++++++++++++++++---
3 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index 95978ad7fcdd..cd895a5e4d59 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -69,6 +69,7 @@ enum {
/* migration should happen before other stuff but after perf */
CPU_PRI_PERF = 20,
CPU_PRI_MIGRATION = 10,
+ CPU_PRI_SMPBOOT = 9,
/* bring up workqueues before normal notifiers and down after */
CPU_PRI_WORKQUEUE_UP = 5,
CPU_PRI_WORKQUEUE_DOWN = -5,
@@ -157,6 +158,7 @@ static inline void __unregister_cpu_notifier(struct notifier_block *nb)
}
#endif

+void smpboot_thread_init(void);
int cpu_up(unsigned int cpu);
void notify_cpu_starting(unsigned int cpu);
extern void cpu_maps_update_begin(void);
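Review bot: the prototype lands in the CONFIG_SMP-only part of the header (next to cpu_up()), while the init/main.c hunk calls smpboot_thread_init() unconditionally, so a CONFIG_SMP=n build of this commit on its own fails; the !CONFIG_SMP stub arrives separately in patch 13/17.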
diff --git a/init/main.c b/init/main.c
index 44af5b583cf4..3861fe648fbd 100644
--- a/init/main.c
+++ b/init/main.c
@@ -396,6 +396,7 @@ static noinline void __init_refok rest_init(void)
int pid;

rcu_scheduler_starting();
+ smpboot_thread_init();
/*
* We need to spawn init first so that it obtains pid 1, however
* the init task will end up wanting to create kthreads, which, if
diff --git a/kernel/cpu.c b/kernel/cpu.c
index a343bde710b1..247d8dd17a2c 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -416,6 +416,37 @@ out:
EXPORT_SYMBOL(cpu_down);
#endif /*CONFIG_HOTPLUG_CPU*/

+/*
+ * Unpark per-CPU smpboot kthreads at CPU-online time.
+ */
+static int smpboot_thread_call(struct notifier_block *nfb,
+ unsigned long action, void *hcpu)
+{
+ int cpu = (long)hcpu;
+
+ switch (action & ~CPU_TASKS_FROZEN) {
+
+ case CPU_ONLINE:
+ smpboot_unpark_threads(cpu);
+ break;
+
+ default:
+ break;
+ }
+
+ return NOTIFY_OK;
+}
+
+static struct notifier_block smpboot_thread_notifier = {
+ .notifier_call = smpboot_thread_call,
+ .priority = CPU_PRI_SMPBOOT,
+};
+
+void __cpuinit smpboot_thread_init(void)
+{
+ register_cpu_notifier(&smpboot_thread_notifier);
+}
+
/* Requires cpu_add_remove_lock to be held */
static int _cpu_up(unsigned int cpu, int tasks_frozen)
{
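Review bot: the notifier handles only CPU_ONLINE, after masking CPU_TASKS_FROZEN so the resume path is covered as well, and its priority CPU_PRI_SMPBOOT = 9 orders it immediately after CPU_PRI_MIGRATION = 10, which is exactly the ordering the commit message asks for; the `default: break;` arm is redundant but matches the other notifiers in this file. One thing to confirm for the backport: that `__cpuinit` is still accepted by this tree's init.h (upstream turned it into a no-op and later dropped the macro), otherwise the annotation will not compile.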
@@ -455,9 +486,6 @@ static int _cpu_up(unsigned int cpu, int tasks_frozen)
goto out_notify;
BUG_ON(!cpu_online(cpu));

- /* Wake the per cpu threads */
- smpboot_unpark_threads(cpu);
-
/* Now call notifier in preparation. */
cpu_notify(CPU_ONLINE | mod, hcpu);


2016-04-12 18:11:37

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 09/17] ipr: Fix regression when loading firmware

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Gabriel Krisman Bertazi <[email protected]>

commit 21b81716c6bff24cda52dc75588455f879ddbfe9 upstream.

Commit d63c7dd5bcb9 ("ipr: Fix out-of-bounds null overwrite") removed
the end of line handling when storing the update_fw sysfs attribute.
This changed the userspace API because it started refusing writes
terminated by a line feed, which broke the update tools we already have.

This patch re-adds that handling, so both a write terminated by a line
feed or not can make it through with the update.

Fixes: d63c7dd5bcb9 ("ipr: Fix out-of-bounds null overwrite")
Signed-off-by: Gabriel Krisman Bertazi <[email protected]>
Cc: Insu Yun <[email protected]>
Acked-by: Brian King <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Cc: Ben Hutchings <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/scsi/ipr.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index 824e66d7bf93..de2bfa24b91a 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -3984,6 +3984,7 @@ static ssize_t ipr_store_update_fw(struct device *dev,
struct ipr_sglist *sglist;
char fname[100];
char *src;
+ char *endline;
int result, dnld_size;

if (!capable(CAP_SYS_ADMIN))
@@ -3991,6 +3992,10 @@ static ssize_t ipr_store_update_fw(struct device *dev,

snprintf(fname, sizeof(fname), "%s", buf);

+ endline = strchr(fname, '\n');
+ if (endline)
+ *endline = '\0';
+
if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) {
dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname);
return -EIO;
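Review bot: strchr() cuts the name at the first newline anywhere in it, not only at a trailing one; that is a superset of the line-feed handling d63c7dd5bcb9 removed and is harmless for a firmware file name, but if trailing whitespace from shell redirection is also a concern, strim() on fname would handle both in one call. The snprintf() into the fixed 100-byte fname still truncates silently, which is pre-existing behaviour and out of scope here.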

2016-04-12 18:11:53

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 12/17] ceph: fix request time stamp encoding

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "Yan, Zheng" <[email protected]>

commit 1f041a89b4f22cf2e701514f4b8f73a8b1e06a3e upstream.

struct timespec uses 'long' to represent seconds and nanoseconds. 'long'
is 64 bits on 64-bit machines. The ceph MDS expects the time stamp to be
encoded as struct ceph_timespec, which uses 'u32' to represent seconds
and nanoseconds.

Signed-off-by: Yan, Zheng <[email protected]>
BugLink: http://tracker.ceph.com/issues/15302
BugLink: http://bugs.launchpad.net/bugs/1564950
[ kamal: backport to 3.16-stable: no time stamp in __prepare_send_request() ]
Signed-off-by: Kamal Mostafa <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
fs/ceph/mds_client.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index 63f2bc82f4af..6b6f11b8f36a 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -1841,7 +1841,11 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc,
head->num_releases = cpu_to_le16(releases);

/* time stamp */
- ceph_encode_copy(&p, &req->r_stamp, sizeof(req->r_stamp));
+ {
+ struct ceph_timespec ts;
+ ceph_encode_timespec(&ts, &req->r_stamp);
+ ceph_encode_copy(&p, &ts, sizeof(ts));
+ }

BUG_ON(p > end);
msg->front.iov_len = p - msg->front.iov_base;
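Review bot: the `struct ceph_timespec ts;` declaration inside a bare block compiles, but kernel style prefers locals at the top of the function; hoisting `ts` next to the other locals would drop the extra braces. The conversion intentionally narrows a 64-bit tv_sec to the u32 the wire format defines (ceph_encode_timespec() does the cpu_to_le32), so the fix is about the encoded size and byte order, not precision; the old code copied sizeof(struct timespec) = 16 bytes where the MDS expects 8.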

2016-04-12 18:08:19

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 03/17] USB: iowarrior: fix oops with malicious USB descriptors

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Josh Boyer <[email protected]>

commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.

The iowarrior driver expects at least one valid endpoint. If given
malicious descriptors that specify 0 for the number of endpoints,
it will crash in the probe function. Ensure there is at least
one endpoint on the interface before using it.

The full report of this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/87

Reported-by: Ralf Spenneberg <[email protected]>
Signed-off-by: Josh Boyer <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/misc/iowarrior.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index c6bfd13f6c92..1950e87b4219 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
iface_desc = interface->cur_altsetting;
dev->product_id = le16_to_cpu(udev->descriptor.idProduct);

+ if (iface_desc->desc.bNumEndpoints < 1) {
+ dev_err(&interface->dev, "Invalid number of endpoints\n");
+ retval = -EINVAL;
+ goto error;
+ }
+
/* set up the endpoint information */
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
endpoint = &iface_desc->endpoint[i].desc;
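
Review bot: the new `bNumEndpoints < 1` check guarantees the endpoint loop below runs at least once, but not that it finds the specific endpoint(s) the driver goes on to use; the code after the loop should still verify that those were actually set before they are dereferenced (that part is outside this hunk). Minor: this fix logs with dev_err() and uses `goto error`, while the companion powermate fix in the same series returns -EINVAL silently; consistent diagnostics across the two would help triage.
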

2016-04-12 18:08:17

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 02/17] Input: powermate - fix oops with malicious USB descriptors

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Josh Boyer <[email protected]>

commit 9c6ba456711687b794dcf285856fc14e2c76074f upstream.

The powermate driver expects at least one valid USB endpoint in its
probe function. If given malicious descriptors that specify 0 for
the number of endpoints, it will crash. Validate the number of
endpoints on the interface before using them.

The full report for this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/85

Reported-by: Ralf Spenneberg <[email protected]>
Signed-off-by: Josh Boyer <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/input/misc/powermate.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
index 63b539d3daba..84909a12ff36 100644
--- a/drivers/input/misc/powermate.c
+++ b/drivers/input/misc/powermate.c
@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
int error = -ENOMEM;

interface = intf->cur_altsetting;
+ if (interface->desc.bNumEndpoints < 1)
+ return -EINVAL;
+
endpoint = &interface->endpoint[0].desc;
if (!usb_endpoint_is_int_in(endpoint))
return -EIO;
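
Review bot: the check sits immediately before `&interface->endpoint[0].desc` is dereferenced and appears to come before any allocation (`error = -ENOMEM` is only an initial value here), so the bare `return -EINVAL` leaks nothing. A dev_err() naming the reason would make the rejection visible in the log, as the iowarrior fix in this series does; also consider whether -EINVAL or the -EIO used by the adjacent usb_endpoint_is_int_in() check is the more consistent code for a malformed device.
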

2016-04-12 18:12:30

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 08/17] ipr: Fix out-of-bounds null overwrite

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Insu Yun <[email protected]>

commit d63c7dd5bcb9441af0526d370c43a65ca2c980d9 upstream.

Return value of snprintf is not bound by size value, 2nd argument.
(https://www.kernel.org/doc/htmldocs/kernel-api/API-snprintf.html).
Return value is number of printed chars, can be larger than 2nd
argument. Therefore, it can write null byte out of bounds of buffer.
Since snprintf puts null, it does not need to put additional null byte.

Signed-off-by: Insu Yun <[email protected]>
Reviewed-by: Shane Seymour <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Cc: Ben Hutchings <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/scsi/ipr.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index d2c3fdcf90ba..824e66d7bf93 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -3984,13 +3984,12 @@ static ssize_t ipr_store_update_fw(struct device *dev,
struct ipr_sglist *sglist;
char fname[100];
char *src;
- int len, result, dnld_size;
+ int result, dnld_size;

if (!capable(CAP_SYS_ADMIN))
return -EACCES;

- len = snprintf(fname, 99, "%s", buf);
- fname[len-1] = '\0';
+ snprintf(fname, sizeof(fname), "%s", buf);

if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) {
dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname);
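
Review bot: dropping `fname[len-1] = '\0'` changes behaviour beyond the bounds fix: the old code also chopped the last character of the sysfs input, which for `echo name > update_fw` is the trailing newline, so request_firmware() may now be asked for "name\n" and hit the 'Firmware file %s not found' error in the trailing context. The overrun was real (snprintf returns the would-be length, so `len-1` can exceed the buffer), but the newline stripping should be kept with a bounded index, keeping the `len` variable that this hunk removes:
len = snprintf(fname, sizeof(fname), "%s", buf);
if (len >= sizeof(fname)) len = sizeof(fname) - 1;
if (len && fname[len - 1] == '\n') fname[len - 1] = '\0';
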

2016-04-12 18:08:16

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 05/17] ALSA: usb-audio: Add sanity checks for endpoint accesses

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Takashi Iwai <[email protected]>

commit 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a upstream.

Add some sanity check codes before actually accessing the endpoint via
get_endpoint() in order to avoid the invalid access through a
malformed USB descriptor. Mostly just checking bNumEndpoints, but in
one place (snd_microii_spdif_default_get()), the validity of iface and
altsetting index is checked as well.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Signed-off-by: Takashi Iwai <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
sound/usb/clock.c | 2 ++
sound/usb/endpoint.c | 3 +++
sound/usb/mixer_quirks.c | 4 ++++
sound/usb/pcm.c | 2 ++
4 files changed, 11 insertions(+)

diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 03fed6611d9e..56216a23277f 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface,
unsigned char data[3];
int err, crate;

+ if (get_iface_desc(alts)->bNumEndpoints < 1)
+ return -EINVAL;
ep = get_endpoint(alts, 0)->bEndpointAddress;

/* if endpoint doesn't have sampling rate control, bail out */
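
Review bot: style only: a blank line between the new `return -EINVAL;` and the `ep = get_endpoint(alts, 0)->bEndpointAddress;` line would separate the guard from the access, matching the blank line that already follows the declarations above it.
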
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index 114e3e7ff511..e87436826b3b 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -410,6 +410,9 @@ exit_clear:
*
* New endpoints will be added to chip->ep_list and must be freed by
* calling snd_usb_endpoint_free().
+ *
+ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
+ * bNumEndpoints > 1 beforehand.
*/
struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
struct usb_host_interface *alts,
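
Review bot: this documents a precondition (`bNumEndpoints > 1` for SND_USB_ENDPOINT_TYPE_SYNC) without enforcing it; since snd_usb_add_endpoint() receives `alts` directly, a defensive check inside the function that refuses a sync endpoint on an interface with fewer than two endpoints would protect every caller instead of relying on each one to remember the comment.
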
diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
index 614f33e63c3a..5bcf542b3a38 100644
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -1456,7 +1456,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol,

/* use known values for that card: interface#1 altsetting#1 */
iface = usb_ifnum_to_if(mixer->chip->dev, 1);
+ if (!iface || iface->num_altsetting < 2)
+ return -EINVAL;
alts = &iface->altsetting[1];
+ if (get_iface_desc(alts)->bNumEndpoints < 1)
+ return -EINVAL;
ep = get_endpoint(alts, 0)->bEndpointAddress;

err = snd_usb_ctl_msg(mixer->chip->dev,
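
Review bot: both new checks are needed: usb_ifnum_to_if() can return NULL and `iface->altsetting[1]` requires num_altsetting >= 2, so the hardcoded 'interface#1 altsetting#1' assumption is now validated before use. One nit: the quirk silently returns -EINVAL for a device that matches the quirk but has a different layout; a debug print at either return would make such a mismatch diagnosable.
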
diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
index c62a1659106d..0bf61d4a1080 100644
--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface,
unsigned char data[1];
int err;

+ if (get_iface_desc(alts)->bNumEndpoints < 1)
+ return -EINVAL;
ep = get_endpoint(alts, 0)->bEndpointAddress;

data[0] = 1;
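
Review bot: this is the same `get_iface_desc(alts)->bNumEndpoints < 1` guard before `get_endpoint(alts, 0)` as in clock.c and mixer_quirks.c; a small helper in the usb-audio code that validates the index against bNumEndpoints and returns the endpoint address or an error would replace the three copies and make future call sites safe by default.
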

2016-04-12 18:14:50

by Luis Henriques

Subject: [PATCH 3.16.y-ckt 01/17] ipv4: Don't do expensive useless work during inetdev destroy.

3.16.7-ckt27 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: "David S. Miller" <[email protected]>

commit fbd40ea0180a2d328c5adc61414dc8bab9335ce2 upstream.

When an inetdev is destroyed, every address assigned to the interface
is removed. And in this scenario we do two pointless things which can
be very expensive if the number of assigned interfaces is large:

1) Address promotion. We are deleting all addresses, so there is no
point in doing this.

2) A full nf conntrack table purge for every address. We only need to
do this once, as is already caught by the existing
masq_dev_notifier so masq_inet_event() can skip this.

Reported-by: Solar Designer <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Tested-by: Cyrill Gorcunov <[email protected]>
Cc: Moritz Muehlenhoff <[email protected]>
[ luis: backported to 3.16:
- file rename: nf_nat_masquerade_ipv4.c -> ipt_MASQUERADE.c ]
Signed-off-by: Luis Henriques <[email protected]>
---
net/ipv4/devinet.c | 4 ++++
net/ipv4/fib_frontend.c | 4 ++++
net/ipv4/netfilter/ipt_MASQUERADE.c | 12 ++++++++++--
3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index aa4b9990dd7a..710fe64fb2f7 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -326,6 +326,9 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,

ASSERT_RTNL();

+ if (in_dev->dead)
+ goto no_promotions;
+
/* 1. Deleting primary ifaddr forces deletion all secondaries
* unless alias promotion is set
**/
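
Review bot: the new `goto no_promotions` on the `in_dev->dead` path skips not only the promotion logic but the whole block down to the label, including the `fib_del_ifaddr(ifa, ifa1)` call that appears as context in the next hunk; that is correct only if route cleanup for every address on a dying device is fully handled by the device-down/unregister path, which is the assumption the commit message relies on and is worth stating in a comment at the goto. The flag read is consistent with its writer provided in_dev->dead is only set under RTNL, which the ASSERT_RTNL() above suggests is the locking model here.
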
@@ -372,6 +375,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
fib_del_ifaddr(ifa, ifa1);
}

+no_promotions:
/* 2. Unlink it */

*ifap = ifa1->ifa_next;
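
Review bot: a short comment at the `no_promotions:` label saying it is the entry point for a dying in_dev would help, since the existing '/* 2. Unlink it */' comment gives no hint that step 1 was skipped deliberately.
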
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 255aa9946fe7..7d736cd3ee91 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -812,6 +812,9 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
subnet = 1;
}

+ if (in_dev->dead)
+ goto no_promotions;
+
/* Deletion is more complicated than add.
* We should take care of not to delete too much :-)
*
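
Review bot: after the new `goto no_promotions`, the code at the label tests `ok & BRD_OK` (visible in the next hunk), and the bits in `ok` are set inside the block being skipped; this only works if `ok` is zero-initialised at its declaration so that a dead device takes the 'delete every route' path, otherwise the read is of an indeterminate value. Worth confirming the declaration, and a comment at the goto stating that intent.
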
@@ -887,6 +890,7 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
}
}

+no_promotions:
if (!(ok & BRD_OK))
fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim);
if (subnet && ifa->ifa_prefixlen < 31) {
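
Review bot: add a comment at the `no_promotions:` label saying that on the in_dev->dead path `ok` carries no bits and so every fib_magic(RTM_DELROUTE, ...) below is issued unconditionally; the intent is not obvious from the label name alone.
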
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 00352ce0f0de..3bc1c98aa2f0 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -128,10 +128,18 @@ static int masq_inet_event(struct notifier_block *this,
unsigned long event,
void *ptr)
{
- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev;
+ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev;
struct netdev_notifier_info info;

- netdev_notifier_info_init(&info, dev);
+ /* The masq_dev_notifier will catch the case of the device going
+ * down. So if the inetdev is dead and being destroyed we have
+ * no work to do. Otherwise this is an individual address removal
+ * and we have to perform the flush.
+ */
+ if (idev->dead)
+ return NOTIFY_DONE;
+
+ netdev_notifier_info_init(&info, idev->dev);
return masq_device_event(this, event, &info);
}
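
Review bot: returning NOTIFY_DONE for `idev->dead` ties correctness to masq_dev_notifier handling the device-down event for the same device; the dependency is explained in the new comment, but a matching reminder next to masq_dev_notifier's registration would keep the two in sync if either is reworked. The non-dead path is unchanged, including the forwarding of the inetaddr `event` value straight into masq_device_event().
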


2016-04-14 19:11:20

by Ben Hutchings

Subject: Re: [PATCH 3.16.y-ckt 17/17] Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors

On Tue, 2016-04-12 at 19:08 +0100, Luis Henriques wrote:
> 3.16.7-ckt27 -stable review patch.  If anyone has any objections, please let me know.
>
> ---8<------------------------------------------------------------
>
> From: Vitaly Kuznetsov <[email protected]>
>
> commit e513229b4c386e6c9f66298c13fde92f73e6e1ac upstream.
>
> When an SMP Hyper-V guest is running on top of 2012R2 Server and secondary
> cpus are sent offline (with echo 0 > /sys/devices/system/cpu/cpu$cpu/online)
> the system freeze is observed. This happens due to the fact that on newer
> hypervisors (Win8, WS2012R2, ...) vmbus channel handlers are distributed
> across all cpus (see init_vp_index() function in drivers/hv/channel_mgmt.c)
> and on cpu offlining nobody reassigns them to CPU0. Prevent cpu offlining
> when vmbus is loaded until the issue is fixed host-side.
>
> This patch also disables hibernation but it is OK as it is also broken (MCE
> error is hit on resume). Suspend still works.
[...]
> +static void hv_cpu_hotplug_quirk(bool vmbus_loaded)
> +{
> + static void *previous_cpu_disable;
> +
> + /*
> +  * Offlining a CPU when running on newer hypervisors (WS2012R2, Win8,
> +  * ...) is not supported at this moment as channel interrupts are
> +  * distributed across all of them.
> +  */
> +
> + if ((vmbus_proto_version == VERSION_WS2008) ||
> +     (vmbus_proto_version == VERSION_WIN7))
> + return;
> +
> + if (vmbus_loaded) {
> + previous_cpu_disable = smp_ops.cpu_disable;
> + smp_ops.cpu_disable = hyperv_cpu_disable;
> + pr_notice("CPU offlining is not supported by hypervisor\n");
> + } else if (previous_cpu_disable)
> + smp_ops.cpu_disable = previous_cpu_disable;
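
Review bot: the static `previous_cpu_disable` save/restore is not re-entrant: if hv_cpu_hotplug_quirk(true) runs twice without an intervening false call, the second call saves hyperv_cpu_disable itself as the "previous" value and the original smp_ops.cpu_disable can never be restored; the same stale-pointer problem arises if another module patches smp_ops in between, so the restore should at least check that smp_ops.cpu_disable still equals hyperv_cpu_disable before overwriting it. Style: the `else if (previous_cpu_disable)` branch lacks braces while the `if` body has them.
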
[...]

This is a really bad hack.  What if two different drivers patched
smp_ops and got unloaded in a different order?  Perhaps the core
support code for Hyper-V should define its own smp_ops.

I don't want to stop this going into stable, but seriously, please
clean this up.

Ben.

--
Ben Hutchings
In a hierarchy, every employee tends to rise to his level of incompetence.

