2017-08-18 14:07:57

by Ben Hutchings

Subject: [PATCH 3.16 000/134] 3.16.47-rc1 review

This is the start of the stable review cycle for the 3.16.47 release.
There are 134 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Mon Aug 21 18:00:00 UTC 2017.
Anything received after that time might be too late.

A combined patch relative to 3.16.46 will be posted as an additional
response to this. A shortlog and diffstat can be found below.

Ben.

-------------

Adrian Salido (1):
dm ioctl: prevent stack leak in dm ioctl call
[4617f564c06117c7d1b611be49521a4430042287]

Ajay Kaher (1):
USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously
[2f86a96be0ccb1302b7eee7855dbee5ce4dc5dfb]

Al Viro (1):
dentry name snapshots
[49d31c2f389acfe83417083e1208422b4091cd9e]

Alex Williamson (1):
vfio/type1: Remove locked page accounting workqueue
[0cfef2b7410b64d7a430947e0b533314c4f97153]

Alexander Tsoy (1):
ath9k_htc: add device ID for Toshiba WLM-20U2/GN-1080
[aea57edf80c6e96d6dc24757599396af99c02b19]

Alexey Brodkin (1):
usb: Make sure usb/phy/of gets built-in
[3d6159640da9c9175d1ca42f151fc1a14caded59]

Alyssa Milburn (4):
[media] digitv: limit messages to buffer size
[821117dc21083a99dd99174c10848d70ff43de29]
[media] dw2102: limit messages to buffer size
[950e252cb469f323740d78e4907843acef89eedb]
[media] ttusb2: limit messages to buffer size
[a12b8ab8c5ff7ccd7b107a564743507c850a441d]
[media] zr364xx: enforce minimum size when reading header
[ee0fe833d96793853335844b6d99fb76bd12cbeb]

Amir Goldstein (1):
fanotify: don't expose EOPENSTALE to userspace
[4ff33aafd32e084f5ee7faa54ba06e95f8b1b8af]

Amitoj Kaur Chawla (1):
staging: gdm724x: gdm_mux: Remove create_workqueue()
[c272dc2da14cde0bfd9495a5aafb8e3e94f35601]

Andrew Jones (1):
KVM: arm/arm64: fix races in kvm_psci_vcpu_on
[6c7a5dce22b3f3cc44be098e2837fa6797edb8b8]

Andy Lutomirski (1):
x86/mm: Fix flush_tlb_page() on Xen
[dbd68d8e84c606673ebbcf15862f8c155fa92326]

Arnd Bergmann (2):
[media] pvrusb2: reduce stack usage pvr2_eeprom_analyze()
[6830733d53a4517588e56227b9c8538633f0c496]
fbdev: sti: don't select CONFIG_VT
[34bf129a7f068e3108dbb051b4b05674e2a270e7]

Ashish Kalra (1):
x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup
[d594aa0277e541bb997aef0bc0a55172d8138340]

Bart Van Assche (1):
target/fileio: Fix zero-length READ and WRITE handling
[59ac9c078141b8fd0186c0b18660a1b2c24e724e]

Benjamin Coddington (1):
NFS: Use GFP_NOIO for two allocations in writeback
[ae97aa524ef495b6276fd26f5d5449fb22975d7c]

Bjorn Helgaas (2):
PCI: Ignore write combining when mapping I/O port space
[3a92c319c44a7bcee9f48dff9d97d001943b54c6]
PCI: dwc: Unindent dw_handle_msi_irq() loop
[dbe4a09e8bbcf88809a8394d6a359d8cebd22a86]

Brian Norris (1):
mwifiex: pcie: fix cmd_buf use-after-free in remove/reset
[3c8cb9ad032d737b874e402c59eb51e3c991a144]

Changbin Du (1):
perf hists browser: Fix typo in function switch_data_file
[3ef5b4023c64c16c793a066a7a2ed6ea3767e0d7]

Christoph Hellwig (1):
libata: reject passthrough WRITE SAME requests
[c6ade20f5e50e188d20b711a618b20dd1d50457e]

Christophe Leroy (1):
net: ethernet: ucc_geth: fix MEM_PART_MURAM mode
[8b8642af15ed14b9a7a34d3401afbcc274533e13]

Cong Wang (1):
mqueue: fix a use-after-free in sys_mq_notify()
[f991af3daabaecff34684fd51fac80319d1baad1]

Craig Gallek (1):
ip6_tunnel: Fix missing tunnel encapsulation limit option
[89a23c8b528bd2c89f3981573d6cd7d23840c8a6]

Dan Carpenter (5):
HSI: ssi_protocol: double free in ssip_pn_xmit()
[3026050179a3a9a6f5c892c414b5e36ecf092081]
PCI: dwc: Fix uninitialized variable in dw_handle_msi_irq()
[1b497e6493c49bbb55c89f53562f7f853495e90d]
ath9k: off by one in ath9k_hw_nvram_read_array()
[b7dcf68f383a05567bd16a390907b67022a62d3d]
cifs: small underflow in cnvrtDosUnixTm()
[564277eceeca01e02b1ef3e141cfb939184601b4]
staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
[784047eb2d3405a35087af70cba46170c5576b25]

Daniel Glöckner (1):
ima: accept previously set IMA_NEW_FILE
[1ac202e978e18f045006d75bd549612620c6ec3a]

David Ahern (1):
net: ipv6: send unsolicited NA on admin up
[4a6e3c5def13c91adf2acc613837001f09af3baa]

David Carrillo-Cisneros (1):
perf inject: Don't proceed if perf_session__process_event() fails
[bb8d521f77f3e68a713456b7fb1e99f52ff3342c]

David S. Miller (1):
ipv6: Need to export ipv6_push_frag_opts for tunneling now.
[5b8481fa42ac58484d633b558579e302aead64c1]

David Woodhouse (3):
PCI: Fix another sanity check bug in /proc/pci mmap
[17caf56731311c9596e7d38a70c88fcb6afa6a1b]
PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
[6bccc7f426abd640f08d8c75fb22f99483f201b4]
PCI: Only allow WC mmap on prefetchable resources
[cef4d02305a06be581bb7f4353446717a1b319ec]

Dmitry Kasatkin (1):
ima: pass 'opened' flag to identify newly created files
[3034a146820c26fe6da66a45f6340fe87fe0983a]

Dmitry Tunin (1):
ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device
[16ff1fb0e32f76a5d285a6f23b82d21aa52813c6]

Eric Biggers (1):
ext4: evict inline data when writing to memory map
[7b4cc9787fe35b3ee2dfb1c35e22eafc32e00c33]

Eric Dumazet (1):
tcp: fix wraparound issue in tcp_lp
[a9f11f963a546fea9144f6a6d1a307e814a387e7]

Eva Rachel Retuya (1):
staging: iio: tsl2x7x_core: Fix standard deviation calculation
[cf6c77323a96fc40309cc8a4921ef206cccdd961]

Fabian Frederick (1):
IPoIB: Remove unnecessary test for NULL before debugfs_remove()
[e42fa2092c1049ac9c0e38aaac39ef3c40e91a36]

Feras Daoud (1):
IB/ipoib: Update broadcast object if PKey value was changed in index 0
[9a9b8112699d78e7f317019b37f377e90023f3ed]

Frank Schaefer (1):
[media] ov2640: fix vflip control
[7f140fc2064bcd23e0490d8210650e2ef21c1c89]

Geert Uytterhoeven (1):
pinctrl: sh-pfc: Update info pointer after SoC-specific init
[3091ae775fae17084013021d01513bc1ad274e6a]

Giedrius Statkevičius (1):
power: supply: lp8788: prevent out of bounds array access
[bdd9968d35f7fcdb76089347d1529bf079534214]

Guenter Roeck (2):
usb: hub: Do not attempt to autosuspend disconnected devices
[f5cccf49428447dfbc9edb7a04bb8fc316269781]
usb: hub: Fix error loop seen after hub communication errors
[245b2eecee2aac6fdc77dcafaa73c33f9644c3c7]

Hannes Reinecke (1):
scsi: scsi_error: count medium access timeout only once per EH run
[7a38dc0bfb4cc39ed57e120e2224673f3d4d200f]

Huacai Chen (1):
MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6
[17c99d9421695a0e0de18bf1e7091d859e20ec1d]

Ian Abbott (2):
staging: comedi: jr3_pci: cope with jiffies wraparound
[8ec04a491825e08068e92bed0bba7821893b6433]
staging: comedi: jr3_pci: fix possible null pointer dereference
[45292be0b3db0b7f8286683b376e2d9f949d11f9]

Jack Morgenstein (1):
IB/mlx4: Fix ib device initialization error flow
[99e68909d5aba1861897fe7afc3306c3c81b6de0]

James Hogan (2):
metag/uaccess: Check access_ok in strncpy_from_user
[3a158a62da0673db918b53ac1440845a5b64fd90]
metag/uaccess: Fix access_ok()
[8a8b56638bcac4e64cccc88bf95a0f9f4b19a2fb]

Jason A. Donenfeld (1):
padata: free correct variable
[07a77929ba672d93642a56dc2255dd21e6e2290b]

Johan Hovold (12):
[media] cx231xx-audio: fix NULL-deref at probe
[65f921647f4c89a2068478c89691f39b309b58f7]
[media] cx231xx-audio: fix init error path
[fff1abc4d54e469140a699612b4db8d6397bfcba]
[media] cx231xx-cards: fix NULL-deref at probe
[0cd273bb5e4d1828efaaa8dfd11b7928131ed149]
[media] dib0700: fix NULL-deref at probe
[d5823511c0f8719a39e72ede1bce65411ac653b7]
[media] gspca: konica: add missing endpoint sanity check
[aa58fedb8c7b6cf2f05941d238495f9e2f29655c]
[media] mceusb: fix NULL-deref at probe
[03eb2a557ed552e920a0942b774aaf931596eec1]
[media] usbvision: fix NULL-deref at probe
[eacb975b48272f54532b62f515a3cf7eefa35123]
ath9k_htc: fix NULL-deref at probe
[ebeb36670ecac36c179b5fb5d5c88ff03ba191ec]
serial: omap: fix runtime-pm handling on unbind
[099bd73dc17ed77aa8c98323e043613b6e8f54fc]
serial: omap: suspend device on probe errors
[77e6fe7fd2b7cba0bf2f2dc8cde51d7b9a35bf74]
staging: gdm724x: gdm_mux: fix use-after-free on module unload
[b58f45c8fc301fe83ee28cad3e64686c19e78f1c]
zd1211rw: fix NULL-deref at probe
[ca260ece6a57dc7d751e0685f51fa2c55d851873]

Kamal Heib (1):
net/mlx4_en: Change the error print to debug print
[505a9249c23988768983aaa0766ce54e0dbe037d]

Kan Liang (1):
perf/x86: Fix spurious NMI with PEBS Load Latency event
[fd583ad1563bec5f00140e1f2444adbcd331caad]

Kieran Bingham (1):
[media] uvcvideo: Fix empty packet statistic
[360a3a90c6261fe24a959ff38f8f6c3a8468f23c]

Laura Abbott (1):
x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()
[861ce4a3244c21b0af64f880d5bfe5e6e2fb9e4a]

Leon Nardella (1):
ath9k_htc: Add new USB ID
[0088d27b78f2c0118aee82923269518616481ea0]

Liping Zhang (2):
netfilter: ctnetlink: fix deadlock due to acquire _expect_lock twice
[88be4c09d9008f9ff337cbf48c5d0f06c8f872e7]
netfilter: ctnetlink: make it safer when updating ct->status
[53b56da83d7899de375a9de153fd7f5397de85e6]

Ludovic Desroches (2):
ARM: dts: at91: sama5d3_xplained: fix ADC vref
[9cdd31e5913c1f86dce7e201b086155b3f24896b]
ARM: dts: at91: sama5d3_xplained: not all ADC channels are available
[d3df1ec06353e51fc44563d2e7e18d42811af290]

Luis Henriques (1):
ceph: fix memory leak in __ceph_setxattr()
[eeca958dce0a9231d1969f86196653eb50fcc9b3]

Lukas Wunner (1):
PCI: Freeze PME scan before suspending devices
[ea00353f36b64375518662a8ad15e39218a1f324]

Maksim Salau (1):
usb: misc: legousbtower: Fix buffers on stack
[942a48730faf149ccbf3e12ac718aee120bb3529]

Marc Zyngier (1):
arm64: KVM: Fix decoding of Rt/Rt2 when trapping AArch32 CP accesses
[c667186f1c01ca8970c785888868b7ffd74e51ee]

Marek Szyprowski (1):
[media] s5p-mfc: Fix unbalanced call to clock management
[a5cb00eb4223458250b55daf03ac7ea5f424d601]

Marek Vasut (1):
USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit
[31c5d1922b90ddc1da6a6ddecef7cd31f17aa32b]

Mario Kleiner (1):
drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2
[e345da82bd6bdfa8492f80b3ce4370acfd868d95]

Mark Rutland (2):
arm64: ensure extension of smp_store_release value
[994870bead4ab19087a79492400a5478e2906196]
arm64: uaccess: ensure extension of access_ok() addr
[a06040d7a791a9177581dcf7293941bd92400856]

Matt Ranostay (1):
iio: proximity: as3935: fix as3935_write
[84ca8e364acb26aba3292bc113ca8ed4335380fd]

Michael J. Ruhl (2):
IB/core: For multicast functions, verify that LIDs are multicast LIDs
[8561eae60ff9417a50fa1fb2b83ae950dc5c1e21]
IB/core: If the MGID/MLID pair is not on the list return an error
[20c7840a77ddcb2ed2fbd66e8197db2868495751]

Michael S. Tsirkin (1):
virtio_net: fix support for small rings
[d85b758f72b05a774045545f24d70980e3e9aac4]

Michael Trimarchi (1):
power: supply: pda_power: move from timer to delayed_work
[633e8799ddc09431be2744c4a1efdbda13af2b0b]

Michal Hocko (1):
fs/xattr.c: zero out memory copied to userspace in getxattr
[81be3dee96346fbe08c31be5ef74f03f6b63cf68]

Mikulas Patocka (1):
dm bufio: avoid a possible ABBA deadlock
[1b0fb5a5b2dc0dddcfa575060441a7176ba7ac37]

Nikolay Borisov (1):
lockdep: teach lockdep about memalloc_noio_save
[6d7225f0cc1a1fc32cf5dd01b4ab4b8a34c7cdb4]

Pan Bian (1):
power: supply: isp1704: Fix unchecked return value of devm_kzalloc
[8b20839988f1ed5e534b270f3776709b640dc7e0]

Pavel Roskin (1):
iio: dac: ad7303: fix channel description
[ce420fd4251809b4c3119b3b20c8b13bd8eba150]

Peter Chen (1):
usb: host: xhci: print correct command ring address
[6fc091fb0459ade939a795bfdcaf645385b951d4]

Rabin Vincent (1):
CIFS: fix oplock break deadlocks
[3998e6b87d4258a70df358296d6f1c7234012bfe]

Richard Cochran (1):
regulator: tps65023: Fix inverted core enable logic.
[c90722b54a4f5e21ac59301ed9a6dbaa439bdb16]

Richard Weinberger (1):
um: Fix PTRACE_POKEUSER on x86_64
[9abc74a22d85ab29cef9896a2582a530da7e79bf]

Rob Herring (1):
of: fix sparse warning in of_pci_range_parser_one
[eb3100365791b06242b8bb5c3c2854ba41dabfbc]

Russell Currey (1):
powerpc/eeh: Avoid use after free in eeh_handle_special_event()
[daeba2956f32f91f3493788ff6ee02fb1b2f02fa]

Sabrina Dubroca (1):
ipv6: avoid overflow of offset in ip6_find_1stfragopt
[6399f1fae4ec29fab5ec76070435555e256ca3a6]

Sean Young (1):
[media] serial_ir: iommap is a memory address, not bool
[069f3b10aed966b2da6bb1161af41da0e8880724]

Sebastian Reichel (1):
Input: twl4030-pwrbutton - use correct device for irq request
[3071e9dd6cd3f2290d770117330f2c8b2e9a97e4]

Sergei Shtylyov (4):
pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal
[3908632fb829d73317c64c3d04f584b49f62e4ae]
pinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data
[da7a692fbbab07f4e9798b5b52798f6e3256dd8f]
pinctrl: sh-pfc: r8a7791: Fix IPSR comment typos
[0cbdc11482d72ad164e33ef7cc57b01e8b61e40d]
pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data
[58439280f84e6b39fd7d61f25ab30489c1aaf0a9]

Shamir Rabinovitch (1):
IB/IPoIB: ibX: failed to create mcg debug file
[771a52584096c45e4565e8aabb596eece9d73d61]

Somasundaram Krishnasamy (1):
dm era: save spacemap metadata root after the pre-commit
[117aceb030307dcd431fdcff87ce988d3016c34a]

Stefan Assmann (1):
PCI: Disable boot interrupt quirk for ASUS M2N-LR
[c4e649b09f55595e6df6da5465a5b3cfc93557c1]

Stephane Eranian (1):
perf/x86/pebs: Fix handling of PEBS buffer overflows
[daa864b8f8e34477bde817f26d736d89dc6032f3]

Steve French (2):
SMB3: Work around mount failure when using SMB3 dialect to Macs
[7db0a6efdc3e990cdfd4b24820d010e9eb7890ad]
Set unicode flag on cifs echo request to avoid Mac error
[26c9cb668c7fbf9830516b75d8bee70b699ed449]

Steven Rostedt (1):
ftrace: Fix removing of second function probe
[82cc4fc2e70ec5baeff8f776f2773abc8b2cc0ae]

Szymon Janc (1):
Bluetooth: Fix user channel for 32bit userspace on 64bit kernel
[ab89f0bdd63a3721f7cd3f064f39fc4ac7ca14d4]

Takatoshi Akiyama (1):
serial: sh-sci: Fix panic when serial console and DMA are enabled
[3c9101766b502a0163d1d437fada5801cf616be2]

Talat Batheesh (1):
net/mlx4_en: Avoid adding steering rules with invalid ring
[89c557687a32c294e9d25670a96e9287c09f2d5f]

Thomas Gleixner (1):
timerfd: Protect the might cancel mechanism proper
[1e38da300e1e395a15048b0af1e5305bd91402f6]

Thomas Petazzoni (1):
mtd: nand: fsmc: fix NAND width handling
[ee56874f23e5c11576540bd695177a5ebc4f4352]

Tobias Herzog (1):
cdc-acm: fix possible invalid access when processing notification
[1bb9914e1730417d530de9ed37e59efdc647146b]

Tony Lindgren (1):
mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
[8b8a84c54aff4256d592dc18346c65ecf6811b45]

Tyrel Datwyler (2):
powerpc/pseries: Fix of_node_put() underflow during DLPAR remove
[68baf692c435339e6295cb470ea5545cbc28160e]
powerpc/sysfs: Fix reference leak of cpu device_nodes present at boot
[e76ca27790a514590af782f83f6eae49e0ccf8c9]

Vinothkumar Raja (1):
dm btree: fix for dm_btree_find_lowest_key()
[7d1fedb6e96a960aa91e4ff70714c3fb09195a5a]

WANG Cong (1):
ipv4: restore rt->fi for reference counting
[82486aa6f1b9bc8145e6d0fa2bc0b44307f3b875]

Willem de Bruijn (2):
packet: fix tp_reserve race in packet_set_ring
[c27927e372f0785f3303e8fad94b85945e2c97b7]
udp: consistently apply ufo or fragmentation
[85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa]

YueHaibing (1):
tg3: don't clear stats while tg3_close
[37a7fdf2892be124545ddaf99b85de576121476c]

Zheng Li (1):
ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output
[e4c5e13aa45c23692e4acf56f0b3533f328199b2]

Makefile | 4 +-
arch/arm/boot/dts/at91-sama5d3_xplained.dts | 5 +-
arch/arm/kvm/psci.c | 8 +-
arch/arm64/include/asm/barrier.h | 12 ++-
arch/arm64/include/asm/kvm_emulate.h | 6 ++
arch/arm64/include/asm/uaccess.h | 3 +-
arch/arm64/kvm/sys_regs.c | 8 +-
arch/metag/include/asm/uaccess.h | 49 +++++++-----
arch/mips/Kconfig | 1 +
arch/powerpc/include/asm/qe.h | 1 +
arch/powerpc/kernel/eeh_driver.c | 19 ++++-
arch/powerpc/kernel/sysfs.c | 6 ++
arch/powerpc/platforms/pseries/dlpar.c | 1 -
arch/x86/boot/boot.h | 2 +-
arch/x86/kernel/cpu/perf_event.h | 1 +
arch/x86/kernel/cpu/perf_event_intel.c | 31 +++++---
arch/x86/mm/numa_32.c | 1 +
arch/x86/mm/tlb.c | 4 +-
arch/x86/um/ptrace_64.c | 2 +-
drivers/Makefile | 1 +
drivers/ata/libata-scsi.c | 8 ++
drivers/gpu/drm/drm_edid.c | 8 ++
drivers/hsi/clients/ssi_protocol.c | 5 +-
drivers/iio/dac/ad7303.c | 6 +-
drivers/iio/proximity/as3935.c | 3 +-
drivers/infiniband/core/uverbs_cmd.c | 13 ++-
drivers/infiniband/core/verbs.c | 8 +-
drivers/infiniband/hw/mlx4/main.c | 1 +
drivers/infiniband/ulp/ipoib/ipoib_fs.c | 9 ++-
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 +++
drivers/infiniband/ulp/ipoib/ipoib_main.c | 44 +++++++++--
drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 3 -
drivers/input/misc/twl4030-pwrbutton.c | 2 +-
drivers/md/dm-bufio.c | 9 ++-
drivers/md/dm-era-target.c | 8 +-
drivers/md/dm-ioctl.c | 2 +-
drivers/md/persistent-data/dm-btree.c | 8 +-
drivers/media/i2c/soc_camera/ov2640.c | 6 +-
drivers/media/platform/s5p-mfc/s5p_mfc.c | 1 +
drivers/media/rc/mceusb.c | 4 +-
drivers/media/usb/cx231xx/cx231xx-audio.c | 41 +++++++---
drivers/media/usb/cx231xx/cx231xx-cards.c | 46 +++++++++--
drivers/media/usb/dvb-usb/dib0700_core.c | 3 +
drivers/media/usb/dvb-usb/digitv.c | 4 +
drivers/media/usb/dvb-usb/dw2102.c | 54 +++++++++++++
drivers/media/usb/dvb-usb/ttusb2.c | 19 +++++
drivers/media/usb/gspca/konica.c | 3 +
drivers/media/usb/pvrusb2/pvrusb2-eeprom.c | 13 +--
drivers/media/usb/usbvision/usbvision-video.c | 9 ++-
drivers/media/usb/uvc/uvc_video.c | 2 +-
drivers/media/usb/zr364xx/zr364xx.c | 8 ++
drivers/mfd/omap-usb-tll.c | 2 +-
drivers/mtd/nand/fsmc_nand.c | 9 ++-
drivers/net/ethernet/broadcom/tg3.c | 4 -
drivers/net/ethernet/freescale/ucc_geth.c | 8 +-
drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 5 ++
drivers/net/ethernet/mellanox/mlx4/en_rx.c | 3 +-
drivers/net/virtio_net.c | 30 ++++++-
drivers/net/wireless/ath/ath9k/eeprom.c | 2 +-
drivers/net/wireless/ath/ath9k/hif_usb.c | 7 ++
drivers/net/wireless/mwifiex/pcie.c | 7 ++
drivers/net/wireless/zd1211rw/zd_usb.c | 3 +
drivers/of/address.c | 2 +-
drivers/pci/host/pcie-designware.c | 28 +++----
drivers/pci/pci-sysfs.c | 10 ++-
drivers/pci/pci.c | 9 ++-
drivers/pci/proc.c | 20 ++++-
drivers/pci/quirks.c | 24 ++++++
drivers/pinctrl/sh-pfc/core.c | 3 +
drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 18 +++--
drivers/power/isp1704_charger.c | 4 +
drivers/power/lp8788-charger.c | 2 +-
drivers/power/pda_power.c | 49 ++++++------
drivers/regulator/tps65023-regulator.c | 3 +-
drivers/scsi/scsi_error.c | 18 +++++
drivers/scsi/sd.c | 27 ++++++-
drivers/scsi/sd.h | 1 +
drivers/staging/comedi/drivers/jr3_pci.c | 13 +--
drivers/staging/gdm724x/gdm_mux.c | 21 +----
drivers/staging/iio/light/tsl2x7x_core.c | 2 +-
drivers/staging/media/lirc/lirc_serial.c | 4 +-
drivers/staging/rtl8188eu/core/rtw_ap.c | 2 +-
drivers/target/target_core_file.c | 3 +-
drivers/tty/serial/omap-serial.c | 9 ++-
drivers/tty/serial/sh-sci.c | 10 ++-
drivers/usb/class/cdc-acm.c | 13 ++-
drivers/usb/core/driver.c | 21 +++++
drivers/usb/core/file.c | 9 ++-
drivers/usb/core/hub.c | 11 ++-
drivers/usb/host/xhci-mem.c | 2 +-
drivers/usb/misc/legousbtower.c | 37 ++++++---
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 6 ++
drivers/vfio/vfio_iommu_type1.c | 92 ++++++++++------------
drivers/video/Makefile | 1 +
drivers/video/fbdev/Kconfig | 2 -
fs/ceph/xattr.c | 3 +
fs/cifs/cifsfs.c | 15 +++-
fs/cifs/cifsglob.h | 1 +
fs/cifs/cifssmb.c | 3 +
fs/cifs/misc.c | 2 +-
fs/cifs/netmisc.c | 6 +-
fs/cifs/smb2misc.c | 5 +-
fs/cifs/smb2pdu.c | 14 +++-
fs/dcache.c | 37 +++++++++
fs/debugfs/inode.c | 10 +--
fs/ext4/inode.c | 5 ++
fs/namei.c | 10 +--
fs/nfs/pagelist.c | 10 ++-
fs/nfsd/vfs.c | 2 +-
fs/notify/fanotify/fanotify_user.c | 26 ++++--
fs/notify/fsnotify.c | 8 +-
fs/timerfd.c | 17 +++-
fs/xattr.c | 2 +-
include/linux/dcache.h | 7 ++
include/linux/fsnotify.h | 31 --------
include/linux/ima.h | 4 +-
include/net/route.h | 1 +
include/scsi/scsi_driver.h | 1 +
include/uapi/linux/netfilter/nf_conntrack_common.h | 9 +++
ipc/mqueue.c | 4 +-
kernel/locking/lockdep.c | 4 +-
kernel/padata.c | 2 +-
kernel/trace/ftrace.c | 14 +++-
net/bluetooth/hci_sock.c | 3 +-
net/ipv4/ip_output.c | 7 +-
net/ipv4/route.c | 24 +++++-
net/ipv4/tcp_lp.c | 6 +-
net/ipv4/udp.c | 2 +-
net/ipv6/exthdrs.c | 1 +
net/ipv6/ip6_output.c | 7 +-
net/ipv6/ip6_tunnel.c | 4 +-
net/ipv6/ndisc.c | 2 +
net/ipv6/output_core.c | 8 +-
net/netfilter/nf_conntrack_netlink.c | 60 ++++++++------
net/packet/af_packet.c | 13 ++-
security/integrity/ima/ima.h | 4 +-
security/integrity/ima/ima_appraise.c | 7 +-
security/integrity/ima/ima_main.c | 14 ++--
tools/perf/builtin-inject.c | 2 +
tools/perf/ui/browsers/hists.c | 2 +-
141 files changed, 1061 insertions(+), 443 deletions(-)

--
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.


2017-08-18 13:16:00

by Ben Hutchings

Subject: [PATCH 3.16 003/134] staging: comedi: jr3_pci: cope with jiffies wraparound

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ian Abbott <[email protected]>

commit 8ec04a491825e08068e92bed0bba7821893b6433 upstream.

The timer expiry routine `jr3_pci_poll_dev()` checks for expiry by
checking whether the absolute value of `jiffies` (stored in local
variable `now`) is greater than the expected expiry time in jiffy units.
This will fail when `jiffies` wraps around. Also, it seems to make
sense to handle the expiry one jiffy earlier than the current test. Use
`time_after_eq()` to check for expiry.

Signed-off-by: Ian Abbott <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/comedi/drivers/jr3_pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/comedi/drivers/jr3_pci.c
+++ b/drivers/staging/comedi/drivers/jr3_pci.c
@@ -608,7 +608,7 @@ static void jr3_pci_poll_dev(unsigned lo
s = &dev->subdevices[i];
spriv = s->private;

- if (now > spriv->next_time_min) {
+ if (time_after_eq(now, spriv->next_time_min)) {
struct jr3_pci_poll_delay sub_delay;

sub_delay = jr3_pci_poll_subdevice(s);
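
Review bot: `time_after_eq()` wraps both arguments in `typecheck(unsigned long, ...)`, so the new line at `if (time_after_eq(now, spriv->next_time_min))` only compiles if both `now` and `spriv->next_time_min` are `unsigned long`; the hunk does not show their declarations, so confirm `next_time_min` was not stored as `int` or `u32`, which would also have defeated the wraparound fix. Since the test now fires one jiffy earlier (`>=` rather than `>`), any other arithmetic on `next_time_min` in this function that assumed the old off-by-one should be checked in the same pass.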

2017-08-18 13:15:58

by Ben Hutchings

Subject: [PATCH 3.16 001/134] [media] pvrusb2: reduce stack usage pvr2_eeprom_analyze()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

commit 6830733d53a4517588e56227b9c8538633f0c496 upstream.

The driver uses a relatively large data structure on the stack, which
showed up on my radar as we get a warning with the "latent entropy"
GCC plugin:

drivers/media/usb/pvrusb2/pvrusb2-eeprom.c:153:1: error: the frame size of 1376 bytes is larger than 1152 bytes [-Werror=frame-larger-than=]

The warning is usually hidden as we raise the warning limit to 2048
when the plugin is enabled, but I'd like to lower that again in the
future, and making this function smaller helps to do that without
build regressions.

Further analysis shows that putting an 'i2c_client' structure on
the stack is not really supported, as the embedded 'struct device'
is not initialized here, and we are only saved by the fact that
the function that is called here does not use the pointer at all.

Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")

Signed-off-by: Arnd Bergmann <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/pvrusb2/pvrusb2-eeprom.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)

--- a/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c
@@ -123,15 +123,10 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
memset(&tvdata,0,sizeof(tvdata));

eeprom = pvr2_eeprom_fetch(hdw);
- if (!eeprom) return -EINVAL;
+ if (!eeprom)
+ return -EINVAL;

- {
- struct i2c_client fake_client;
- /* Newer version expects a useless client interface */
- fake_client.addr = hdw->eeprom_addr;
- fake_client.adapter = &hdw->i2c_adap;
- tveeprom_hauppauge_analog(&fake_client,&tvdata,eeprom);
- }
+ tveeprom_hauppauge_analog(NULL, &tvdata, eeprom);

trace_eeprom("eeprom assumed v4l tveeprom module");
trace_eeprom("eeprom direct call results:");
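
Review bot: passing `NULL` at `tveeprom_hauppauge_analog(NULL, &tvdata, eeprom);` relies on the callee never dereferencing its client argument, which the commit message states but nothing in this hunk enforces; a one-line comment at the call site (in place of the deleted `/* Newer version expects a useless client interface */`) would record that contract so a later change to `tveeprom_hauppauge_analog()` does not quietly turn this into a NULL dereference. The removed block also dropped the `addr`/`adapter` assignments, which is correct only under that same assumption, so the comment should say so.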

2017-08-18 13:16:34

by Ben Hutchings

Subject: [PATCH 3.16 118/134] target/fileio: Fix zero-length READ and WRITE handling

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <[email protected]>

commit 59ac9c078141b8fd0186c0b18660a1b2c24e724e upstream.

This patch fixes zero-length READ and WRITE handling in target/FILEIO,
which was broken a long time back by:

Since:

commit d81cb44726f050d7cf1be4afd9cb45d153b52066
Author: Paolo Bonzini <[email protected]>
Date: Mon Sep 17 16:36:11 2012 -0700

target: go through normal processing for all zero-length commands

which moved zero-length READ and WRITE completion out of target-core,
to doing submission into backend driver code.

To address this, go ahead and invoke target_complete_cmd() for any
non-negative return value in fd_do_rw().

Signed-off-by: Bart Van Assche <[email protected]>
Reviewed-by: Hannes Reinecke <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
Cc: Andy Grover <[email protected]>
Cc: David Disseldorp <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/target/target_core_file.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/target/target_core_file.c
+++ b/drivers/target/target_core_file.c
@@ -743,8 +743,7 @@ fd_execute_rw(struct se_cmd *cmd, struct
return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
}

- if (ret)
- target_complete_cmd(cmd, SAM_STAT_GOOD);
+ target_complete_cmd(cmd, SAM_STAT_GOOD);
return 0;
}

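
Review bot: with the `if (ret)` guard removed, `target_complete_cmd(cmd, SAM_STAT_GOOD);` is reached for every non-negative `ret`, including zero; the leading context shows only the `return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;` of the error branch, so confirm that branch is taken for every `ret < 0` from the read/write helper, otherwise a failed I/O would now be completed with `SAM_STAT_GOOD`. A short comment above the call noting that zero-length transfers legitimately return 0 would explain why the old guard was wrong.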

2017-08-18 13:16:55

by Ben Hutchings

Subject: [PATCH 3.16 119/134] ipv4: restore rt->fi for reference counting

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: WANG Cong <[email protected]>

commit 82486aa6f1b9bc8145e6d0fa2bc0b44307f3b875 upstream.

IPv4 dst could use fi->fib_metrics to store metrics but fib_info
itself is refcnt'ed, so without taking a refcnt fi and
fi->fib_metrics could be freed while dst metrics still points to
it. This triggers use-after-free as reported by Andrey twice.

This patch reverts commit 2860583fe840 ("ipv4: Kill rt->fi") to
restore this reference counting. It is a quick fix for -net and
-stable, for -net-next, as Eric suggested, we can consider doing
reference counting for metrics itself instead of relying on fib_info.

IPv6 is very different, it copies or steals the metrics from mx6_config
in fib6_commit_metrics() so probably doesn't need a refcnt.

Decnet has already done the refcnt'ing, see dn_fib_semantic_match().

Fixes: 2860583fe840 ("ipv4: Kill rt->fi")
Reported-by: Andrey Konovalov <[email protected]>
Tested-by: Andrey Konovalov <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16:
- Update all 5 places where rtable is initialised
- Open-code fib_info_hold()
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -64,6 +64,7 @@ struct rtable {
u32 rt_pmtu;

struct list_head rt_uncached;
+ struct fib_info *fi; /* for refcnt to shared metrics */
};

static inline bool rt_is_input_route(const struct rtable *rt)
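
Review bot: `struct rtable` gains a raw pointer member with no initialiser at `+ struct fib_info *fi;`, so every site that builds an rtable by hand must set `fi` before the route can reach `ipv4_dst_destroy()`; the backport note counts five such sites, which matches the four `rth->fi = NULL` assignments and the copy in `ipv4_blackhole_route()` in this patch. The comment `/* for refcnt to shared metrics */` should also say that the pointer holds a `fib_clntref` reference that must be released, since the name `fi` alone does not convey ownership.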
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1346,6 +1346,11 @@ static void ipv4_dst_destroy(struct dst_
{
struct rtable *rt = (struct rtable *) dst;

+ if (rt->fi) {
+ fib_info_put(rt->fi);
+ rt->fi = NULL;
+ }
+
if (!list_empty(&rt->rt_uncached)) {
spin_lock_bh(&rt_uncached_lock);
list_del(&rt->rt_uncached);
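
Review bot: the release here uses `fib_info_put(rt->fi)`, while the matching acquire in `rt_init_metrics()` and `ipv4_blackhole_route()` is an open-coded `atomic_inc(&fi->fib_clntref)` (the backport note says `fib_info_hold()` is not available in 3.16); that asymmetry is functionally fine, but a comment pointing at the two increment sites would help anyone auditing the refcount later. Clearing `rt->fi = NULL` after the put is the right choice, as a destroyed dst should not keep a dangling pointer.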
@@ -1378,6 +1383,16 @@ static bool rt_cache_valid(const struct
!rt_is_expired(rt);
}

+static void rt_init_metrics(struct rtable *rt, struct fib_info *fi)
+{
+ if (fi->fib_metrics != (u32 *)dst_default_metrics) {
+ atomic_inc(&fi->fib_clntref);
+ rt->fi = fi;
+ }
+
+ dst_init_metrics(&rt->dst, fi->fib_metrics, true);
+}
+
static void rt_set_nexthop(struct rtable *rt, __be32 daddr,
const struct fib_result *res,
struct fib_nh_exception *fnhe,
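
Review bot: `rt_init_metrics()` unconditionally takes a new `fib_clntref` and overwrites `rt->fi`; if it can ever run twice on the same rtable, the first reference leaks. If that cannot happen, a comment stating that `rt->fi` is expected to be NULL on entry would make the invariant explicit. Minor: the cast in `if (fi->fib_metrics != (u32 *)dst_default_metrics)` discards `const` from the default metrics array, and a plain pointer comparison compiles without it.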
@@ -1392,7 +1407,7 @@ static void rt_set_nexthop(struct rtable
rt->rt_gateway = nh->nh_gw;
rt->rt_uses_gateway = 1;
}
- dst_init_metrics(&rt->dst, fi->fib_metrics, true);
+ rt_init_metrics(rt, fi);
#ifdef CONFIG_IP_ROUTE_CLASSID
rt->dst.tclassid = nh->nh_tclassid;
#endif
@@ -1480,6 +1495,7 @@ static int ip_route_input_mc(struct sk_b
rth->rt_pmtu = 0;
rth->rt_gateway = 0;
rth->rt_uses_gateway = 0;
+ rth->fi = NULL;
INIT_LIST_HEAD(&rth->rt_uncached);
if (our) {
rth->dst.input= ip_local_deliver;
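
Review bot: `rth->fi = NULL;` sits with the other field initialisers before `INIT_LIST_HEAD(&rth->rt_uncached)`, which is the right spot now that `ipv4_dst_destroy()` dereferences `rt->fi`: the field must be initialised before any error path can drop the route. The same ordering should be verified at the three other initialisation sites in this patch.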
@@ -1649,6 +1665,7 @@ rt_cache:
rth->rt_pmtu = 0;
rth->rt_gateway = 0;
rth->rt_uses_gateway = 0;
+ rth->fi = NULL;
INIT_LIST_HEAD(&rth->rt_uncached);
RT_CACHE_STAT_INC(in_slow_tot);

@@ -1823,6 +1840,7 @@ local_input:
rth->rt_pmtu = 0;
rth->rt_gateway = 0;
rth->rt_uses_gateway = 0;
+ rth->fi = NULL;
INIT_LIST_HEAD(&rth->rt_uncached);
RT_CACHE_STAT_INC(in_slow_tot);
if (res.type == RTN_UNREACHABLE) {
@@ -2037,6 +2055,7 @@ add:
rth->rt_pmtu = 0;
rth->rt_gateway = 0;
rth->rt_uses_gateway = 0;
+ rth->fi = NULL;
INIT_LIST_HEAD(&rth->rt_uncached);

RT_CACHE_STAT_INC(out_slow_tot);
@@ -2316,6 +2335,9 @@ struct dst_entry *ipv4_blackhole_route(s
rt->rt_type = ort->rt_type;
rt->rt_gateway = ort->rt_gateway;
rt->rt_uses_gateway = ort->rt_uses_gateway;
+ rt->fi = ort->fi;
+ if (rt->fi)
+ atomic_inc(&rt->fi->fib_clntref);

INIT_LIST_HEAD(&rt->rt_uncached);

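
Review bot: `ipv4_blackhole_route()` now takes its own `fib_clntref` on `ort->fi` at `+ atomic_inc(&rt->fi->fib_clntref);`, so it is essential that the blackhole dst ops route destruction through `ipv4_dst_destroy()`, which performs the matching `fib_info_put()`; the hunk does not show the blackhole `dst_ops`, so confirm its `.destroy` callback is that function, otherwise every blackholed route leaks a fib_info reference. Using the same open-coded `atomic_inc()` as `rt_init_metrics()` is consistent with the rest of the backport.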

2017-08-18 13:16:53

by Ben Hutchings

Subject: [PATCH 3.16 117/134] fbdev: sti: don't select CONFIG_VT

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

commit 34bf129a7f068e3108dbb051b4b05674e2a270e7 upstream.

While working on another build error, I ran into several variations of
this dependency loop:

subsection "Kconfig recursive dependency limitations"
drivers/input/Kconfig:8: symbol INPUT is selected by VT
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/tty/Kconfig:12: symbol VT is selected by FB_STI
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/video/fbdev/Kconfig:677: symbol FB_STI depends on FB
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/video/fbdev/Kconfig:5: symbol FB is selected by DRM_KMS_FB_HELPER
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/gpu/drm/Kconfig:72: symbol DRM_KMS_FB_HELPER is selected by DRM_KMS_CMA_HELPER
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/gpu/drm/Kconfig:137: symbol DRM_KMS_CMA_HELPER is selected by DRM_HDLCD
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/gpu/drm/arm/Kconfig:6: symbol DRM_HDLCD depends on OF
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/of/Kconfig:4: symbol OF is selected by X86_INTEL_CE
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
arch/x86/Kconfig:523: symbol X86_INTEL_CE depends on X86_IO_APIC
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
arch/x86/Kconfig:1011: symbol X86_IO_APIC depends on X86_LOCAL_APIC
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
arch/x86/Kconfig:1005: symbol X86_LOCAL_APIC depends on X86_UP_APIC
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
arch/x86/Kconfig:980: symbol X86_UP_APIC depends on PCI_MSI
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/pci/Kconfig:11: symbol PCI_MSI is selected by AMD_IOMMU
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/iommu/Kconfig:106: symbol AMD_IOMMU depends on IOMMU_SUPPORT
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/iommu/Kconfig:5: symbol IOMMU_SUPPORT is selected by DRM_ETNAVIV
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/gpu/drm/etnaviv/Kconfig:2: symbol DRM_ETNAVIV depends on THERMAL
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/thermal/Kconfig:5: symbol THERMAL is selected by ACPI_VIDEO
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
drivers/acpi/Kconfig:183: symbol ACPI_VIDEO is selected by INPUT

This doesn't currently show up as I fixed the 'THERMAL' part of it,
but I noticed that the FB_STI dependency should not be there but
was introduced by a slightly incorrect bug-fix patch that tried to
fix a link error.

Instead of selecting 'VT' to make us enter the drivers/video/console
directory at compile-time, it's sufficient to build the
drivers/video/console/sticore.c file by adding its directory
to when CONFIG_FB_STI is enabled. Alternatively, we could move the
sticore code to another directory that is always built when we
have at STI_CONSOLE or FB_STI enabled.

Fixes: 17085a934592 ("parisc: stifb: should depend on STI_CONSOLE")
Signed-off-by: Arnd Bergmann <[email protected]>
Cc: Helge Deller <[email protected]>
Cc: "James E.J. Bottomley" <[email protected]>
Cc: Alexander Beregalov <[email protected]>
Signed-off-by: Bartlomiej Zolnierkiewicz <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/video/Makefile | 1 +
drivers/video/fbdev/Kconfig | 2 --
2 files changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/video/Makefile
+++ b/drivers/video/Makefile
@@ -2,6 +2,7 @@ obj-$(CONFIG_VGASTATE) += vga
obj-$(CONFIG_HDMI) += hdmi.o

obj-$(CONFIG_VT) += console/
+obj-$(CONFIG_FB_STI) += console/
obj-$(CONFIG_LOGO) += logo/
obj-y += backlight/
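Review bot: the added `obj-$(CONFIG_FB_STI) += console/` only achieves what the commit message claims if drivers/video/console/Makefile already builds sticore.o under CONFIG_FB_STI, and that rule is not part of this patch; with FB_STI=y and VT=n the directory is now entered, but the link error the removed `select VT` was papering over returns unless that rule exists, so confirm it before merging. Listing console/ twice when both VT and FB_STI are enabled is harmless, since Kbuild tolerates the same subdirectory appearing more than once in obj-y.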

--- a/drivers/video/fbdev/Kconfig
+++ b/drivers/video/fbdev/Kconfig
@@ -650,8 +650,6 @@ config FB_STI
select FB_CFB_FILLRECT
select FB_CFB_COPYAREA
select FB_CFB_IMAGEBLIT
- select STI_CONSOLE
- select VT
default y
---help---
STI refers to the HP "Standard Text Interface" which is a set of
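Review bot: dropping `select STI_CONSOLE` together with `select VT` goes beyond the dependency loop in the commit message, which only involves VT via FB_STI; the Fixes: commit was titled "stifb: should depend on STI_CONSOLE", so it is worth confirming that FB_STI has no remaining build-time need for STI_CONSOLE's code, or else expressing that as a `depends on` (which cannot create a select loop) rather than removing it outright.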

2017-08-18 13:17:29

by Ben Hutchings

Subject: [PATCH 3.16 121/134] x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Laura Abbott <[email protected]>

commit 861ce4a3244c21b0af64f880d5bfe5e6e2fb9e4a upstream.

'__vmalloc_start_set' currently only gets set in initmem_init() when
!CONFIG_NEED_MULTIPLE_NODES. This breaks detection of vmalloc addresses
with virt_addr_valid() when CONFIG_NEED_MULTIPLE_NODES=y, causing
a kernel crash:

[mm/usercopy] 517e1fbeb6: kernel BUG at arch/x86/mm/physaddr.c:78!

Set '__vmalloc_start_set' appropriately for that case as well.

Reported-by: kbuild test robot <[email protected]>
Signed-off-by: Laura Abbott <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Fixes: dc16ecf7fd1f ("x86-32: use specific __vmalloc_start_set flag in __virt_addr_valid")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/mm/numa_32.c | 1 +
1 file changed, 1 insertion(+)

--- a/arch/x86/mm/numa_32.c
+++ b/arch/x86/mm/numa_32.c
@@ -100,5 +100,6 @@ void __init initmem_init(void)
printk(KERN_DEBUG "High memory starts at vaddr %08lx\n",
(ulong) pfn_to_kaddr(highstart_pfn));

+ __vmalloc_start_set = true;
setup_bootmem_allocator();
}
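Review bot: `__vmalloc_start_set = true` is placed after the high-memory printk and before setup_bootmem_allocator(), so the high-memory layout is already final when the flag is published, which matches the ordering of the !CONFIG_NEED_MULTIPLE_NODES path the commit message refers to. The hunk adds no include, so confirm numa_32.c already sees the `extern bool __vmalloc_start_set` declaration from asm/pgtable_32.h rather than relying on an implicit one.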

2017-08-18 13:17:28

by Ben Hutchings

Subject: [PATCH 3.16 133/134] ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Zheng Li <[email protected]>

commit e4c5e13aa45c23692e4acf56f0b3533f328199b2 upstream.

There is an inconsistent conditional judgement between the __ip6_append_data
and ip6_finish_output functions: the variable length in __ip6_append_data
only includes the length of the application's payload and the udp6 header and
does not include the length of the ipv6 header, but ip6_finish_output uses
(skb->len > ip6_skb_dst_mtu(skb)) as its judgement, and skb->len includes the
length of the ipv6 header.

That causes some particular applications' udp6 payloads whose lengths are
between (MTU - IPv6 Header) and MTU to be fragmented by ip6_fragment even
though the rst->dev supports the UFO feature.

Add the length of the ipv6 header to length in __ip6_append_data to keep the
conditional judgement consistent with ip6_finish_output for ip6 fragments.

Signed-off-by: Zheng Li <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/ip6_output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1291,7 +1291,7 @@ emsgsize:

skb = skb_peek_tail(&sk->sk_write_queue);
cork->length += length;
- if (((length > mtu) ||
+ if ((((length + fragheaderlen) > mtu) ||
(skb && skb_is_gso(skb))) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
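Review bot: the new `(length + fragheaderlen) > mtu` test is a behaviour change rather than a cleanup: UDP payloads in the window between MTU minus the IPv6 header(s) and MTU now take the UFO branch instead of ip6_fragment() when the device advertises NETIF_F_UFO, so this deserves testing on a UFO-capable path, not just a build check. fragheaderlen in __ip6_append_data covers the IPv6 header plus any routing/destination option headers, which is exactly what skb->len in ip6_finish_output includes, so the two comparisons now agree; the remaining operands of the condition are untouched.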

2017-08-18 13:17:26

by Ben Hutchings

Subject: [PATCH 3.16 120/134] fs/xattr.c: zero out memory copied to userspace in getxattr

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michal Hocko <[email protected]>

commit 81be3dee96346fbe08c31be5ef74f03f6b63cf68 upstream.

getxattr uses vmalloc to allocate memory if kzalloc fails. This is
filled by vfs_getxattr and then copied to userspace. vmalloc,
however, doesn't zero out the memory, so if the specific implementation
of the xattr handler is sloppy we could theoretically expose kernel
memory. There is no real sign this is really the case, but let's make
sure this will not happen and use vzalloc instead.

Fixes: 779302e67835 ("fs/xattr.c:getxattr(): improve handling of allocation failures")
Link: http://lkml.kernel.org/r/[email protected]
Acked-by: Kees Cook <[email protected]>
Reported-by: Vlastimil Babka <[email protected]>
Signed-off-by: Michal Hocko <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/xattr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -455,7 +455,7 @@ getxattr(struct dentry *d, const char __
size = XATTR_SIZE_MAX;
kvalue = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
if (!kvalue) {
- vvalue = vmalloc(size);
+ vvalue = vzalloc(size);
if (!vvalue)
return -ENOMEM;
kvalue = vvalue;
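Review bot: switching the fallback to vzalloc() makes the buffer contents deterministic even if an xattr handler writes fewer bytes than it reports, closing the potential kernel-memory disclosure at the cost of zeroing up to XATTR_SIZE_MAX (64 KiB) on this rarely taken path; since the kzalloc() branch above was already zeroed, both allocation paths now behave the same, which is the right property for anything that ends in copy_to_user().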

2017-08-18 13:17:23

by Ben Hutchings

Subject: [PATCH 3.16 102/134] arm64: KVM: Fix decoding of Rt/Rt2 when trapping AArch32 CP accesses

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <[email protected]>

commit c667186f1c01ca8970c785888868b7ffd74e51ee upstream.

Our 32bit CP14/15 handling inherited some of the ARMv7 code for handling
the trapped system registers, completely missing the fact that the
fields for Rt and Rt2 are now 5 bits wide, and not 4...

Let's fix it, and provide an accessor for the most common Rt case.

Reviewed-by: Christoffer Dall <[email protected]>
Signed-off-by: Marc Zyngier <[email protected]>
Signed-off-by: Christoffer Dall <[email protected]>
[bwh: Backported to 3.16:
- Use literal numbers in kvm_vcpu_sys_get_rt()
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/arm64/include/asm/kvm_emulate.h | 6 ++++++
arch/arm64/kvm/sys_regs.c | 8 ++++----
2 files changed, 10 insertions(+), 4 deletions(-)

--- a/arch/arm64/include/asm/kvm_emulate.h
+++ b/arch/arm64/include/asm/kvm_emulate.h
@@ -187,6 +187,12 @@ static inline u8 kvm_vcpu_trap_get_fault
return kvm_vcpu_get_hsr(vcpu) & ESR_EL2_FSC_TYPE;
}

+static inline int kvm_vcpu_sys_get_rt(struct kvm_vcpu *vcpu)
+{
+ u32 esr = kvm_vcpu_get_hsr(vcpu);
+ return (esr >> 5) & 0x1f;
+}
+
static inline unsigned long kvm_vcpu_get_mpidr(struct kvm_vcpu *vcpu)
{
return vcpu_sys_reg(vcpu, MPIDR_EL1);
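Review bot: kvm_vcpu_sys_get_rt() hard-codes the shift and mask (`(esr >> 5) & 0x1f`) rather than named ESR field macros, per the backport note; a one-line comment stating that this is the ESR_EL2 ISS Rt field, bits [9:5], would help readers of the 3.16 tree where the upstream helpers are absent. The accessor also re-reads the HSR instead of taking an already-loaded value, which is fine for an inline helper but means callers holding `hsr`/`esr` in a local decode from two reads.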
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -504,12 +504,12 @@ int kvm_handle_cp15_64(struct kvm_vcpu *
{
struct sys_reg_params params;
u32 hsr = kvm_vcpu_get_hsr(vcpu);
- int Rt2 = (hsr >> 10) & 0xf;
+ int Rt2 = (hsr >> 10) & 0x1f;

params.is_aarch32 = true;
params.is_32bit = false;
params.CRm = (hsr >> 1) & 0xf;
- params.Rt = (hsr >> 5) & 0xf;
+ params.Rt = kvm_vcpu_sys_get_rt(vcpu);
params.is_write = ((hsr & 1) == 0);

params.Op0 = 0;
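Review bot: Rt2 is widened inline to `(hsr >> 10) & 0x1f` while Rt goes through the new accessor; for symmetry, either a matching kvm_vcpu_sys_get_rt2() helper or a comment that bits [14:10] carry Rt2 for the 64-bit transfer would help. With both fields now 5 bits, values 16..31 can reach the cp15 handlers from this path, so confirm the register accessors indexed by params.Rt/Rt2 accept the full 0..31 range (the AArch64 sysreg path later in this file already passed 0x1f-masked values before this change).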
@@ -554,7 +554,7 @@ int kvm_handle_cp15_32(struct kvm_vcpu *
params.is_aarch32 = true;
params.is_32bit = true;
params.CRm = (hsr >> 1) & 0xf;
- params.Rt = (hsr >> 5) & 0xf;
+ params.Rt = kvm_vcpu_sys_get_rt(vcpu);
params.is_write = ((hsr & 1) == 0);
params.CRn = (hsr >> 10) & 0xf;
params.Op0 = 0;
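Review bot: the CRn decode `(hsr >> 10) & 0xf` correctly stays at 4 bits here: for the 32-bit MCR/MRC trap that field is CRn, not Rt2, and only Rt (bits [9:5]) was being truncated. The change is otherwise identical to the 64-bit hunk above.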
@@ -629,7 +629,7 @@ int kvm_handle_sys_reg(struct kvm_vcpu *
params.CRn = (esr >> 10) & 0xf;
params.CRm = (esr >> 1) & 0xf;
params.Op2 = (esr >> 17) & 0x7;
- params.Rt = (esr >> 5) & 0x1f;
+ params.Rt = kvm_vcpu_sys_get_rt(vcpu);
params.is_write = !(esr & 1);

return emulate_sys_reg(vcpu, &params);
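Review bot: this hunk is behaviour-neutral, since the old expression already masked with 0x1f and only the source of the value changes; the function keeps its own `esr` local for CRn/CRm/Op2 while Rt now comes from a second read via the accessor, a minor redundancy that is acceptable for uniformity across the three handlers.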

2017-08-18 13:18:27

by Ben Hutchings

Subject: [PATCH 3.16 122/134] virtio_net: fix support for small rings

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Michael S. Tsirkin" <[email protected]>

commit d85b758f72b05a774045545f24d70980e3e9aac4 upstream.

When the ring size is small (<32 entries), making buffers smaller means a
full ring might not be able to hold enough buffers to fit a single large
packet.

Make sure a ring full of buffers is large enough to allow at least one
packet of max size.

Fixes: 2613af0ed18a ("virtio_net: migrate mergeable rx buffers to page frag allocators")
Signed-off-by: Michael S. Tsirkin <[email protected]>
[bwh: Backported to 3.16:
- There's no net_device::max_mtu, so always set packet_len = IP_MAX_MTU
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/virtio_net.c | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)

--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -27,6 +27,7 @@
#include <linux/slab.h>
#include <linux/cpu.h>
#include <linux/average.h>
+#include <net/route.h>

static int napi_weight = NAPI_POLL_WEIGHT;
module_param(napi_weight, int, 0444);
@@ -92,6 +93,9 @@ struct receive_queue {
/* RX: fragments + linear part + virtio header */
struct scatterlist sg[MAX_SKB_FRAGS + 2];

+ /* Min single buffer size for mergeable buffers case. */
+ unsigned int min_buf_len;
+
/* Name of this receive queue: input.$index */
char name[40];
};
@@ -600,13 +604,14 @@ static int add_recvbuf_big(struct receiv
return err;
}

-static unsigned int get_mergeable_buf_len(struct ewma *avg_pkt_len)
+static unsigned int get_mergeable_buf_len(struct receive_queue *rq,
+ struct ewma *avg_pkt_len)
{
const size_t hdr_len = sizeof(struct virtio_net_hdr_mrg_rxbuf);
unsigned int len;

len = hdr_len + clamp_t(unsigned int, ewma_read(avg_pkt_len),
- GOOD_PACKET_LEN, PAGE_SIZE - hdr_len);
+ rq->min_buf_len - hdr_len, PAGE_SIZE - hdr_len);
return ALIGN(len, MERGEABLE_BUFFER_ALIGN);
}
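Review bot: the lower clamp bound `rq->min_buf_len - hdr_len` is only safe because mergeable_min_buf_len() returns at least hdr_len; if that invariant is ever relaxed the unsigned subtraction wraps and clamp_t pins len to the upper bound. Also, when the ring is so small that min_buf_len exceeds PAGE_SIZE, the lower bound exceeds the upper bound and clamp_t (min of max) silently yields PAGE_SIZE - hdr_len, so the "ring full of buffers fits one max packet" guarantee from the commit message only holds while such a packet fits in page-sized pieces; a comment or WARN_ON_ONCE there would make the limit explicit.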

@@ -618,7 +623,7 @@ static int add_recvbuf_mergeable(struct
int err;
unsigned int len, hole;

- len = get_mergeable_buf_len(&rq->mrg_avg_pkt_len);
+ len = get_mergeable_buf_len(rq, &rq->mrg_avg_pkt_len);
if (unlikely(!skb_page_frag_refill(len, alloc_frag, gfp)))
return -ENOMEM;

@@ -1462,6 +1467,21 @@ static void virtnet_del_vqs(struct virtn
virtnet_free_queues(vi);
}

+/* How large should a single buffer be so a queue full of these can fit at
+ * least one full packet?
+ * Logic below assumes the mergeable buffer header is used.
+ */
+static unsigned int mergeable_min_buf_len(struct virtnet_info *vi, struct virtqueue *vq)
+{
+ const unsigned int hdr_len = sizeof(struct virtio_net_hdr_mrg_rxbuf);
+ unsigned int rq_size = virtqueue_get_vring_size(vq);
+ unsigned int packet_len = IP_MAX_MTU;
+ unsigned int buf_len = hdr_len + ETH_HLEN + VLAN_HLEN + packet_len;
+ unsigned int min_buf_len = DIV_ROUND_UP(buf_len, rq_size);
+
+ return max(min_buf_len, hdr_len);
+}
+
static int virtnet_find_vqs(struct virtnet_info *vi)
{
vq_callback_t **callbacks;
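Review bot: the `vi` parameter of mergeable_min_buf_len() is unused in this backport because packet_len is pinned to IP_MAX_MTU (no net_device::max_mtu in 3.16); keeping the upstream signature is reasonable, but a short comment would stop a later cleanup from dropping it and diverging further. The `max(min_buf_len, hdr_len)` result is the invariant that get_mergeable_buf_len() relies on for its subtraction, and virtqueue_get_vring_size() is non-zero for any valid vq, so the DIV_ROUND_UP is safe.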
@@ -1517,6 +1537,7 @@ static int virtnet_find_vqs(struct virtn

for (i = 0; i < vi->max_queue_pairs; i++) {
vi->rq[i].vq = vqs[rxq2vq(i)];
+ vi->rq[i].min_buf_len = mergeable_min_buf_len(vi, vi->rq[i].vq);
vi->sq[i].vq = vqs[txq2vq(i)];
}

@@ -1601,7 +1622,8 @@ static ssize_t mergeable_rx_buffer_size_

BUG_ON(queue_index >= vi->max_queue_pairs);
avg = &vi->rq[queue_index].mrg_avg_pkt_len;
- return sprintf(buf, "%u\n", get_mergeable_buf_len(avg));
+ return sprintf(buf, "%u\n",
+ get_mergeable_buf_len(&vi->rq[queue_index], avg));
}

static struct rx_queue_attribute mergeable_rx_buffer_size_attribute =

2017-08-18 13:18:25

by Ben Hutchings

Subject: [PATCH 3.16 128/134] dentry name snapshots

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro <[email protected]>

commit 49d31c2f389acfe83417083e1208422b4091cd9e upstream.

take_dentry_name_snapshot() takes a safe snapshot of a dentry name;
if the name is a short one, it gets copied into the caller-supplied
structure, otherwise an extra reference to the external name is grabbed
(those are never modified). In either case the pointer to the stable
string is stored in the same structure.

dentry must be held by the caller of take_dentry_name_snapshot(),
but may be freely dropped afterwards - the snapshot will stay
until destroyed by release_dentry_name_snapshot().

Intended use:
struct name_snapshot s;

take_dentry_name_snapshot(&s, dentry);
...
access s.name
...
release_dentry_name_snapshot(&s);

Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name
to pass down with event.

Signed-off-by: Al Viro <[email protected]>
[carnil: backport 4.9: adjust context]
[bwh: Backported to 3.16:
- External names are not ref-counted, so copy them
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -244,6 +244,43 @@ static void __d_free(struct rcu_head *he
kmem_cache_free(dentry_cache, dentry);
}

+void take_dentry_name_snapshot(struct name_snapshot *name, struct dentry *dentry)
+{
+ spin_lock(&dentry->d_lock);
+ if (unlikely(dname_external(dentry))) {
+ u32 len;
+ char *p;
+
+ for (;;) {
+ len = dentry->d_name.len;
+ spin_unlock(&dentry->d_lock);
+
+ p = kmalloc(len + 1, GFP_KERNEL | __GFP_NOFAIL);
+
+ spin_lock(&dentry->d_lock);
+ if (dentry->d_name.len <= len)
+ break;
+ kfree(p);
+ }
+ memcpy(p, dentry->d_name.name, dentry->d_name.len + 1);
+ spin_unlock(&dentry->d_lock);
+
+ name->name = p;
+ } else {
+ memcpy(name->inline_name, dentry->d_iname, DNAME_INLINE_LEN);
+ spin_unlock(&dentry->d_lock);
+ name->name = name->inline_name;
+ }
+}
+EXPORT_SYMBOL(take_dentry_name_snapshot);
+
+void release_dentry_name_snapshot(struct name_snapshot *name)
+{
+ if (unlikely(name->name != name->inline_name))
+ kfree(name->name);
+}
+EXPORT_SYMBOL(release_dentry_name_snapshot);
+
static void dentry_free(struct dentry *dentry)
{
WARN_ON(!hlist_unhashed(&dentry->d_u.d_alias));
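Review bot: take_dentry_name_snapshot() may sleep (GFP_KERNEL kmalloc with d_lock dropped) whenever the name is external, so every caller must be in process context even though the inline branch never sleeps; a `might_sleep()` at the top would catch an atomic-context caller on the cheap path too. The retry loop is correct as written: if the name shrinks (even to an inline one) while d_lock is dropped, `dentry->d_name.len <= len` breaks out and the memcpy of len+1 bytes (including the NUL) still fits the buffer, and the __GFP_NOFAIL allocation means `p` cannot be NULL, which is why there is no check. Unlike upstream's reference grab, the 3.16 copy makes name->name heap memory distinct from the dentry, so release_dentry_name_snapshot() must run on every path or the name leaks.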
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -620,7 +620,7 @@ struct dentry *debugfs_rename(struct den
{
int error;
struct dentry *dentry = NULL, *trap;
- const char *old_name;
+ struct name_snapshot old_name;

trap = lock_rename(new_dir, old_dir);
/* Source or destination directories don't exist? */
@@ -635,19 +635,19 @@ struct dentry *debugfs_rename(struct den
if (IS_ERR(dentry) || dentry == trap || dentry->d_inode)
goto exit;

- old_name = fsnotify_oldname_init(old_dentry->d_name.name);
+ take_dentry_name_snapshot(&old_name, old_dentry);

error = simple_rename(old_dir->d_inode, old_dentry, new_dir->d_inode,
dentry);
if (error) {
- fsnotify_oldname_free(old_name);
+ release_dentry_name_snapshot(&old_name);
goto exit;
}
d_move(old_dentry, dentry);
- fsnotify_move(old_dir->d_inode, new_dir->d_inode, old_name,
+ fsnotify_move(old_dir->d_inode, new_dir->d_inode, old_name.name,
S_ISDIR(old_dentry->d_inode->i_mode),
NULL, old_dentry);
- fsnotify_oldname_free(old_name);
+ release_dentry_name_snapshot(&old_name);
unlock_rename(new_dir, old_dir);
dput(dentry);
return old_dentry;
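Review bot: both exits release the snapshot (the error path before `goto exit`, the success path after fsnotify_move()), so nothing leaks; the snapshot is taken before simple_rename() so fsnotify_move() receives the pre-rename name even though d_move() has already swapped it by then.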
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -4082,11 +4082,11 @@ int vfs_rename(struct inode *old_dir, st
{
int error;
bool is_dir = d_is_dir(old_dentry);
- const unsigned char *old_name;
struct inode *source = old_dentry->d_inode;
struct inode *target = new_dentry->d_inode;
bool new_is_dir = false;
unsigned max_links = new_dir->i_sb->s_max_links;
+ struct name_snapshot old_name;

if (source == target)
return 0;
@@ -4136,7 +4136,7 @@ int vfs_rename(struct inode *old_dir, st
if (error)
return error;

- old_name = fsnotify_oldname_init(old_dentry->d_name.name);
+ take_dentry_name_snapshot(&old_name, old_dentry);
dget(new_dentry);
if (!is_dir || (flags & RENAME_EXCHANGE))
lock_two_nondirectories(source, target);
@@ -4195,14 +4195,14 @@ out:
mutex_unlock(&target->i_mutex);
dput(new_dentry);
if (!error) {
- fsnotify_move(old_dir, new_dir, old_name, is_dir,
+ fsnotify_move(old_dir, new_dir, old_name.name, is_dir,
!(flags & RENAME_EXCHANGE) ? target : NULL, old_dentry);
if (flags & RENAME_EXCHANGE) {
fsnotify_move(new_dir, old_dir, old_dentry->d_name.name,
new_is_dir, NULL, new_dentry);
}
}
- fsnotify_oldname_free(old_name);
+ release_dentry_name_snapshot(&old_name);

return error;
}
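Review bot: the RENAME_EXCHANGE branch still passes `old_dentry->d_name.name` live to the second fsnotify_move() instead of a snapshot, which is the one remaining read of a name in this function without the protection the patch introduces; confirm that the rename locks vfs_rename() runs under make that read stable, and add a comment saying so, otherwise a future reader will "fix" it inconsistently.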
--- a/fs/notify/fsnotify.c
+++ b/fs/notify/fsnotify.c
@@ -105,16 +105,20 @@ int __fsnotify_parent(struct path *path,
if (unlikely(!fsnotify_inode_watches_children(p_inode)))
__fsnotify_update_child_dentry_flags(p_inode);
else if (p_inode->i_fsnotify_mask & mask) {
+ struct name_snapshot name;
+
/* we are notifying a parent so come up with the new mask which
* specifies these are events which came from a child. */
mask |= FS_EVENT_ON_CHILD;

+ take_dentry_name_snapshot(&name, dentry);
if (path)
ret = fsnotify(p_inode, mask, path, FSNOTIFY_EVENT_PATH,
- dentry->d_name.name, 0);
+ name.name, 0);
else
ret = fsnotify(p_inode, mask, dentry->d_inode, FSNOTIFY_EVENT_INODE,
- dentry->d_name.name, 0);
+ name.name, 0);
+ release_dentry_name_snapshot(&name);
}

dput(parent);
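Review bot: the snapshot is taken only inside the `p_inode->i_fsnotify_mask & mask` branch and released immediately after fsnotify(), so the extra cost is limited to watched parents; since take_dentry_name_snapshot() can sleep for external names, this relies on __fsnotify_parent() being reached only from process context, which the `dput(parent)` below already implies.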
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -530,4 +530,11 @@ static inline struct dentry *d_backing_d
return upper;
}

+struct name_snapshot {
+ const char *name;
+ char inline_name[DNAME_INLINE_LEN];
+};
+void take_dentry_name_snapshot(struct name_snapshot *, struct dentry *);
+void release_dentry_name_snapshot(struct name_snapshot *);
+
#endif /* __LINUX_DCACHE_H */
--- a/include/linux/fsnotify.h
+++ b/include/linux/fsnotify.h
@@ -310,35 +310,4 @@ static inline void fsnotify_change(struc
}
}

-#if defined(CONFIG_FSNOTIFY) /* notify helpers */
-
-/*
- * fsnotify_oldname_init - save off the old filename before we change it
- */
-static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
-{
- return kstrdup(name, GFP_KERNEL);
-}
-
-/*
- * fsnotify_oldname_free - free the name we got from fsnotify_oldname_init
- */
-static inline void fsnotify_oldname_free(const unsigned char *old_name)
-{
- kfree(old_name);
-}
-
-#else /* CONFIG_FSNOTIFY */
-
-static inline const char *fsnotify_oldname_init(const unsigned char *name)
-{
- return NULL;
-}
-
-static inline void fsnotify_oldname_free(const unsigned char *old_name)
-{
-}
-
-#endif /* CONFIG_FSNOTIFY */
-
#endif /* _LINUX_FS_NOTIFY_H */
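Review bot: the removed helpers had a !CONFIG_FSNOTIFY variant that made fsnotify_oldname_init() a no-op, whereas take_dentry_name_snapshot() is unconditional; in this 3.16 backport that means every vfs_rename() of a long (external) name now does a kmalloc/kfree even on kernels built without fsnotify, where upstream only bumps a refcount. Acceptable for a stable fix, but worth a line in the backport note.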

2017-08-18 13:19:24

by Ben Hutchings

Subject: [PATCH 3.16 123/134] net/mlx4_en: Change the error print to debug print

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kamal Heib <[email protected]>

commit 505a9249c23988768983aaa0766ce54e0dbe037d upstream.

The error print within mlx4_en_calc_rx_buf() should be a debug print.

Fixes: 51151a16a60f ('mlx4: allow order-0 memory allocations in RX path')
Signed-off-by: Kamal Heib <[email protected]>
Signed-off-by: Tariq Toukan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/mellanox/mlx4/en_rx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
@@ -993,7 +993,8 @@ void mlx4_en_calc_rx_buf(struct net_devi
en_dbg(DRV, priv, "Rx buffer scatter-list (effective-mtu:%d num_frags:%d):\n",
eff_mtu, priv->num_frags);
for (i = 0; i < priv->num_frags; i++) {
- en_err(priv,
+ en_dbg(DRV,
+ priv,
" frag:%d - size:%d prefix:%d align:%d stride:%d\n",
i,
priv->frag_info[i].frag_size,
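Review bot: style only: `en_dbg(DRV,` / `priv,` is split across two lines while the identical call a few lines above keeps `en_dbg(DRV, priv, ...` on one; joining them matches the surrounding code.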

2017-08-18 13:19:22

by Ben Hutchings

Subject: [PATCH 3.16 124/134] net/mlx4_en: Avoid adding steering rules with invalid ring

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Talat Batheesh <[email protected]>

commit 89c557687a32c294e9d25670a96e9287c09f2d5f upstream.

Inserting steering rules with an illegal ring is an invalid operation;
block it.

Fixes: 820672812f82 ('net/mlx4_en: Manage flow steering rules with ethtool')
Signed-off-by: Talat Batheesh <[email protected]>
Signed-off-by: Tariq Toukan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -930,6 +930,11 @@ static int mlx4_en_flow_replace(struct n
qpn = priv->drop_qp.qpn;
else if (cmd->fs.ring_cookie & EN_ETHTOOL_QP_ATTACH) {
qpn = cmd->fs.ring_cookie & (EN_ETHTOOL_QP_ATTACH - 1);
+ if (qpn < priv->rss_map.base_qpn ||
+ qpn >= priv->rss_map.base_qpn + priv->rx_ring_num) {
+ en_warn(priv, "rxnfc: QP (0x%x) doesn't exist\n", qpn);
+ return -EINVAL;
+ }
} else {
if (cmd->fs.ring_cookie >= priv->rx_ring_num) {
en_warn(priv, "rxnfc: RX ring (%llu) doesn't exist\n",
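Review bot: the new range check mirrors the `ring_cookie >= priv->rx_ring_num` test in the else branch for the QP-attach encoding, so both ways of naming an RX destination are now validated before the rule is handed to firmware; the only nit is that the two messages use different formats (`0x%x` for the QP, `%llu` for the ring), which is defensible since one is a QP number and the other a ring index.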

2017-08-18 13:20:10

by Ben Hutchings

Subject: [PATCH 3.16 125/134] arm64: ensure extension of smp_store_release value

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland <[email protected]>

commit 994870bead4ab19087a79492400a5478e2906196 upstream.

When an inline assembly operand's type is narrower than the register it
is allocated to, the least significant bits of the register (up to the
operand type's width) are valid, and any other bits are permitted to
contain any arbitrary value. This aligns with the AAPCS64 parameter
passing rules.

Our __smp_store_release() implementation does not account for this, and
implicitly assumes that operands have been zero-extended to the width of
the type being stored to. Thus, we may store unknown values to memory
when the value type is narrower than the pointer type (e.g. when storing
a char to a long).

This patch fixes the issue by casting the value operand to the same
width as the pointer operand in all cases, which ensures that the value
is zero-extended as we expect. We use the same union trickery as
__smp_load_acquire and {READ,WRITE}_ONCE() to avoid GCC complaining that
pointers are potentially cast to narrower width integers in unreachable
paths.

A whitespace issue at the top of __smp_store_release() is also
corrected.

No changes are necessary for __smp_load_acquire(). Load instructions
implicitly clear any upper bits of the register, and the compiler will
only consider the least significant bits of the register as valid
regardless.

Fixes: 47933ad41a86 ("arch: Introduce smp_load_acquire(), smp_store_release()")
Fixes: 878a84d5a8a1 ("arm64: add missing data types in smp_load_acquire/smp_store_release")
Acked-by: Will Deacon <[email protected]>
Signed-off-by: Mark Rutland <[email protected]>
Cc: Matthias Kaehlcke <[email protected]>
Signed-off-by: Catalin Marinas <[email protected]>
[bwh: Backported to 3.16: smp_store_release() only supports 32- and 64-bit
types]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/arch/arm64/include/asm/barrier.h
+++ b/arch/arm64/include/asm/barrier.h
@@ -58,17 +58,23 @@ do { \
#define smp_rmb() dmb(ishld)
#define smp_wmb() dmb(ishst)

-#define smp_store_release(p, v) \
+#define smp_store_release(p, v) \
do { \
+ union { typeof(*p) __val; char __c[1]; } __u = \
+ { .__val = (__force typeof(*p)) (v) }; \
compiletime_assert_atomic_type(*p); \
switch (sizeof(*p)) { \
case 4: \
asm volatile ("stlr %w1, %0" \
- : "=Q" (*p) : "r" (v) : "memory"); \
+ : "=Q" (*p) \
+ : "r" (*(__u32 *)__u.__c) \
+ : "memory"); \
break; \
case 8: \
asm volatile ("stlr %1, %0" \
- : "=Q" (*p) : "r" (v) : "memory"); \
+ : "=Q" (*p) \
+ : "r" (*(__u64 *)__u.__c) \
+ : "memory"); \
break; \
} \
} while (0)
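Review bot: the switch still has only `case 4` and `case 8` and no `default`, so a 1- or 2-byte operand passes compiletime_assert_atomic_type() (which admits sizes 1, 2, 4 and 8) and then silently stores nothing; this predates the patch (the backport note says 3.16 only supports 32- and 64-bit types), but a `default: BUILD_BUG();` would turn that silent no-op into a build failure. The union/char-array construction is the same one READ_ONCE/WRITE_ONCE use, and reading `*(__u32 *)__u.__c` / `*(__u64 *)__u.__c` guarantees the register operand is exactly the stored width, which is the whole point of the fix.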

2017-08-18 13:20:07

by Ben Hutchings

Subject: [PATCH 3.16 126/134] arm64: uaccess: ensure extension of access_ok() addr

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mark Rutland <[email protected]>

commit a06040d7a791a9177581dcf7293941bd92400856 upstream.

Our access_ok() simply hands its arguments over to __range_ok(), which
implicitly assumes that the addr parameter is 64 bits wide. This isn't
necessarily true for compat code, which might pass down a 32-bit address
parameter.

In these cases, we don't have a guarantee that the address has been zero
extended to 64 bits, and the upper bits of the register may contain
unknown values, potentially resulting in a spurious failure.

Avoid this by explicitly casting the addr parameter to an unsigned long
(as is done on other architectures), ensuring that the parameter is
widened appropriately.

Fixes: 0aea86a2176c ("arm64: User access library functions")
Acked-by: Will Deacon <[email protected]>
Signed-off-by: Mark Rutland <[email protected]>
Signed-off-by: Catalin Marinas <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/arm64/include/asm/uaccess.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -89,11 +89,12 @@ static inline void set_fs(mm_segment_t f
*/
#define __range_ok(addr, size) \
({ \
+ unsigned long __addr = (unsigned long __force)(addr); \
unsigned long flag, roksum; \
__chk_user_ptr(addr); \
asm("adds %1, %1, %3; ccmp %1, %4, #2, cc; cset %0, ls" \
: "=&r" (flag), "=&r" (roksum) \
- : "1" (addr), "Ir" (size), \
+ : "1" (__addr), "Ir" (size), \
"r" (current_thread_info()->addr_limit) \
: "cc"); \
flag; \
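Review bot: `(unsigned long __force)(addr)` widens a 32-bit compat address to 64 bits before it reaches the `"1" (__addr)` input operand, so the adds/ccmp sequence no longer sees garbage in the upper half of the register; `__chk_user_ptr(addr)` still operates on the original expression, so sparse keeps its address-space check. The macro now declares a local named `__addr`, which is safe under the kernel's double-underscore convention but means the statement-expression cannot be used with a caller variable of that name.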

2017-08-18 13:20:06

by Ben Hutchings

Subject: [PATCH 3.16 127/134] ath9k_htc: add device ID for Toshiba WLM-20U2/GN-1080

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Tsoy <[email protected]>

commit aea57edf80c6e96d6dc24757599396af99c02b19 upstream.

This device is available under different marketing names:
WLM-20U2 - Wireless USB Dongle for Toshiba TVs
GN-1080 - Wireless LAN Module for Toshiba MFPs.

Signed-off-by: Alexander Tsoy <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -60,6 +60,8 @@ static struct usb_device_id ath9k_hif_us
.driver_info = AR9280_USB }, /* Buffalo WLI-UV-AG300P */
{ USB_DEVICE(0x04da, 0x3904),
.driver_info = AR9280_USB },
+ { USB_DEVICE(0x0930, 0x0a08),
+ .driver_info = AR9280_USB }, /* Toshiba WLM-20U2 and GN-1080 */

{ USB_DEVICE(0x0cf3, 0x20ff),
.driver_info = STORAGE_DEVICE },
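Review bot: the new entry lands in the AR9280_USB group ahead of the STORAGE_DEVICE entries, matching the table's grouping, and the 0x0930 vendor ID is Toshiba's, consistent with the commit message.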

2017-08-18 13:20:04

by Ben Hutchings

Subject: [PATCH 3.16 109/134] metag/uaccess: Check access_ok in strncpy_from_user

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: James Hogan <[email protected]>

commit 3a158a62da0673db918b53ac1440845a5b64fd90 upstream.

The metag implementation of strncpy_from_user() doesn't validate the src
pointer, which could allow reading of arbitrary kernel memory. Add a
short access_ok() check to prevent that.

It's still possible for it to read across the user/kernel boundary, but
it will invariably reach a NUL character after only 9 bytes, leaking
only a static kernel address being loaded into D0Re0 at the beginning of
__start, which is acceptable for the immediate fix.

Reported-by: Al Viro <[email protected]>
Signed-off-by: James Hogan <[email protected]>
Cc: [email protected]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/metag/include/asm/uaccess.h | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/metag/include/asm/uaccess.h
+++ b/arch/metag/include/asm/uaccess.h
@@ -189,8 +189,13 @@ do {
extern long __must_check __strncpy_from_user(char *dst, const char __user *src,
long count);

-#define strncpy_from_user(dst, src, count) __strncpy_from_user(dst, src, count)
-
+static inline long
+strncpy_from_user(char *dst, const char __user *src, long count)
+{
+ if (!access_ok(VERIFY_READ, src, 1))
+ return -EFAULT;
+ return __strncpy_from_user(dst, src, count);
+}
/*
* Return the size of a string (including the ending 0)
*
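Review bot: the check `access_ok(VERIFY_READ, src, 1)` validates only the first byte, so a string that starts in user space and runs into kernel space is still readable up to the first NUL, exactly the residual the commit message describes; a follow-up that checks `count` bytes, or clamps the copy to the user/kernel boundary, would close it fully. Style: the removed blank line after the old macro leaves the closing `}` butted against the `/*` comment that follows; keep a blank line there.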

2017-08-18 13:22:01

by Ben Hutchings

Subject: [PATCH 3.16 131/134] mqueue: fix a use-after-free in sys_mq_notify()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Cong Wang <[email protected]>

commit f991af3daabaecff34684fd51fac80319d1baad1 upstream.

The retry logic for netlink_attachskb() inside sys_mq_notify()
is nasty and vulnerable:

1) The sock refcnt is already released when a retry is needed
2) The fd is controllable by user-space because we already
released the file refcnt

so when we retry but the fd has just been closed by user-space
during this small window, we end up calling netlink_detachskb()
on the error path, which releases the sock again; later, when
user-space closes this socket, a use-after-free could be
triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Manfred Spraul <[email protected]>
Cc: [email protected]
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
ipc/mqueue.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -1239,8 +1239,10 @@ retry:

timeo = MAX_SCHEDULE_TIMEOUT;
ret = netlink_attachskb(sock, nc, &timeo, NULL);
- if (ret == 1)
+ if (ret == 1) {
+ sock = NULL;
goto retry;
+ }
if (ret) {
sock = NULL;
nc = NULL;
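
Review bot: the new sock = NULL before goto retry is the entire fix, but nothing at that spot says why it is needed; a comment that a return value of 1 from netlink_attachskb() means it has already dropped its sock reference (so the error path's netlink_detachskb() must not see the stale pointer) would stop the assignment being removed as redundant, since the existing if (ret) branch just below also sets sock = NULL and looks like the same thing.
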

2017-08-18 13:22:00

by Ben Hutchings

Subject: [PATCH 3.16 130/134] timerfd: Protect the might cancel mechanism proper

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <[email protected]>

commit 1e38da300e1e395a15048b0af1e5305bd91402f6 upstream.

The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.

Protect the context for these operations with a separate lock.

The wait queue lock cannot be reused for this because that would create a
lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
atomic (atomic_t or atomic bit) does not help either because it still can
race vs. the actual list operation.

Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Cc: "[email protected]"
Cc: syzkaller <[email protected]>
Cc: Al Viro <[email protected]>
Cc: [email protected]
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
Signed-off-by: Thomas Gleixner <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/timerfd.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)

--- a/fs/timerfd.c
+++ b/fs/timerfd.c
@@ -39,6 +39,7 @@ struct timerfd_ctx {
int clockid;
struct rcu_head rcu;
struct list_head clist;
+ spinlock_t cancel_lock;
bool might_cancel;
};
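
Review bot: the new cancel_lock member carries no comment saying what it protects (might_cancel and the clist membership, per the hunks below) or how it orders against the global cancel_lock that is taken inside it; having two locks with the same name (ctx->cancel_lock and cancel_lock) in one file invites confusion, so either add a comment here or give the per-context lock a distinct name such as might_cancel_lock.
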

@@ -111,7 +112,7 @@ void timerfd_clock_was_set(void)
rcu_read_unlock();
}

-static void timerfd_remove_cancel(struct timerfd_ctx *ctx)
+static void __timerfd_remove_cancel(struct timerfd_ctx *ctx)
{
if (ctx->might_cancel) {
ctx->might_cancel = false;
@@ -121,6 +122,13 @@ static void timerfd_remove_cancel(struct
}
}

+static void timerfd_remove_cancel(struct timerfd_ctx *ctx)
+{
+ spin_lock(&ctx->cancel_lock);
+ __timerfd_remove_cancel(ctx);
+ spin_unlock(&ctx->cancel_lock);
+}
+
static bool timerfd_canceled(struct timerfd_ctx *ctx)
{
if (!ctx->might_cancel || ctx->moffs.tv64 != KTIME_MAX)
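
Review bot: __timerfd_remove_cancel() must now be called with ctx->cancel_lock held, but that contract is only implied by the double-underscore name; a lockdep_assert_held(&ctx->cancel_lock) at its top would make it checkable. timerfd_canceled() just below reads ctx->might_cancel; whether that read runs under the new lock is not visible in this hunk and should be confirmed, or the read documented as intentionally unlocked.
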
@@ -131,6 +139,7 @@ static bool timerfd_canceled(struct time

static void timerfd_setup_cancel(struct timerfd_ctx *ctx, int flags)
{
+ spin_lock(&ctx->cancel_lock);
if ((ctx->clockid == CLOCK_REALTIME ||
ctx->clockid == CLOCK_REALTIME_ALARM) &&
(flags & TFD_TIMER_ABSTIME) && (flags & TFD_TIMER_CANCEL_ON_SET)) {
@@ -140,9 +149,10 @@ static void timerfd_setup_cancel(struct
list_add_rcu(&ctx->clist, &cancel_list);
spin_unlock(&cancel_lock);
}
- } else if (ctx->might_cancel) {
- timerfd_remove_cancel(ctx);
+ } else {
+ __timerfd_remove_cancel(ctx);
}
+ spin_unlock(&ctx->cancel_lock);
}

static ktime_t timerfd_get_remaining(struct timerfd_ctx *ctx)
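
Review bot: dropping the else-if test on ctx->might_cancel is safe only because __timerfd_remove_cancel() repeats that test internally (the "if (ctx->might_cancel)" visible in the earlier hunk); that deserves a sentence in the commit message. With the spin_lock(&ctx->cancel_lock) at function entry, the global spin_lock(&cancel_lock) around list_add_rcu() is now nested inside the per-context lock, fixing the order as ctx->cancel_lock then cancel_lock; document that order where cancel_lock is declared so later changes do not invert it.
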
@@ -326,6 +336,7 @@ SYSCALL_DEFINE2(timerfd_create, int, clo
return -ENOMEM;

init_waitqueue_head(&ctx->wqh);
+ spin_lock_init(&ctx->cancel_lock);
ctx->clockid = clockid;

if (isalarm(ctx))

2017-08-18 13:21:59

by Ben Hutchings

Subject: [PATCH 3.16 129/134] ipv6: avoid overflow of offset in ip6_find_1stfragopt

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sabrina Dubroca <[email protected]>

commit 6399f1fae4ec29fab5ec76070435555e256ca3a6 upstream.

In some cases, offset can overflow and can cause an infinite loop in
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.

This problem has been here since before the beginning of git history.

Signed-off-by: Sabrina Dubroca <[email protected]>
Acked-by: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/output_core.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -44,7 +44,7 @@ EXPORT_SYMBOL_GPL(ipv6_proxy_select_iden

int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
{
- u16 offset = sizeof(struct ipv6hdr);
+ unsigned int offset = sizeof(struct ipv6hdr);
unsigned int packet_len = skb_tail_pointer(skb) -
skb_network_header(skb);
int found_rhdr = 0;
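
Review bot: widening offset to unsigned int makes the loop condition offset <= packet_len a like-typed comparison with the unsigned packet_len, so the u16 wrap that produced the infinite loop is gone; since the commit message says the bug predates git history, a note that no Fixes: tag applies would be helpful, as every other patch in this series carries one or explains its absence.
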
@@ -52,6 +52,7 @@ int ip6_find_1stfragopt(struct sk_buff *

while (offset <= packet_len) {
struct ipv6_opt_hdr *exthdr;
+ unsigned int len;

switch (**nexthdr) {

@@ -77,7 +78,10 @@ int ip6_find_1stfragopt(struct sk_buff *

exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
offset);
- offset += ipv6_optlen(exthdr);
+ len = ipv6_optlen(exthdr);
+ if (len + offset >= IPV6_MAXPLEN)
+ return -EINVAL;
+ offset += len;
*nexthdr = &exthdr->nexthdr;
}
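
Review bot: the new bound is tested before offset is advanced, so offset can never reach IPV6_MAXPLEN or wrap, but it introduces a negative return (-EINVAL) from ip6_find_1stfragopt(), which previously returned only an offset; every caller must now check for a negative value before using the result as a length, and those callers are not in this diff, so the commit message should confirm they were audited.
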


2017-08-18 13:23:45

by Ben Hutchings

Subject: [PATCH 3.16 104/134] powerpc/eeh: Avoid use after free in eeh_handle_special_event()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Russell Currey <[email protected]>

commit daeba2956f32f91f3493788ff6ee02fb1b2f02fa upstream.

eeh_handle_special_event() is called when an EEH event is detected but
can't be narrowed down to a specific PE. This function looks through
every PE to find one in an erroneous state, then calls the regular event
handler eeh_handle_normal_event() once it knows which PE has an error.

However, if eeh_handle_normal_event() found that the PE cannot possibly
be recovered, it will free it, rendering the passed PE stale.
This leads to a use after free in eeh_handle_special_event() as it attempts to
clear the "recovering" state on the PE after eeh_handle_normal_event() returns.

Thus, make sure the PE is valid when attempting to clear state in
eeh_handle_special_event().

Fixes: 8a6b1bc70dbb ("powerpc/eeh: EEH core to handle special event")
Reported-by: Alexey Kardashevskiy <[email protected]>
Signed-off-by: Russell Currey <[email protected]>
Reviewed-by: Gavin Shan <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/powerpc/kernel/eeh_driver.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)

--- a/arch/powerpc/kernel/eeh_driver.c
+++ b/arch/powerpc/kernel/eeh_driver.c
@@ -584,7 +584,7 @@ static int eeh_reset_device(struct eeh_p
*/
#define MAX_WAIT_FOR_RECOVERY 300

-static void eeh_handle_normal_event(struct eeh_pe *pe)
+static bool eeh_handle_normal_event(struct eeh_pe *pe)
{
struct pci_bus *frozen_bus;
int rc = 0;
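
Review bot: the meaning of the new bool return from eeh_handle_normal_event() is explained only by the "The passed PE should no longer be used" comment at one return site; a comment above the function stating that true means the PE has been removed and must not be touched would make the contract visible to every caller, since a bare bool from an event handler normally reads as success or failure.
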
@@ -594,7 +594,7 @@ static void eeh_handle_normal_event(stru
if (!frozen_bus) {
pr_err("%s: Cannot find PCI bus for PHB#%d-PE#%x\n",
__func__, pe->phb->global_number, pe->addr);
- return;
+ return false;
}

eeh_pe_update_time_stamp(pe);
@@ -711,7 +711,7 @@ static void eeh_handle_normal_event(stru
pr_info("EEH: Notify device driver to resume\n");
eeh_pe_dev_traverse(pe, eeh_report_resume, NULL);

- return;
+ return false;

excess_failures:
/*
@@ -751,7 +751,11 @@ perm_error:
pci_lock_rescan_remove();
pcibios_remove_pci_devices(frozen_bus);
pci_unlock_rescan_remove();
+
+ /* The passed PE should no longer be used */
+ return true;
}
+ return false;
}

static void eeh_handle_special_event(void)
@@ -817,7 +821,14 @@ static void eeh_handle_special_event(voi
*/
if (rc == EEH_NEXT_ERR_FROZEN_PE ||
rc == EEH_NEXT_ERR_FENCED_PHB) {
- eeh_handle_normal_event(pe);
+ /*
+ * eeh_handle_normal_event() can make the PE stale if it
+ * determines that the PE cannot possibly be recovered.
+ * Don't modify the PE state if that's the case.
+ */
+ if (eeh_handle_normal_event(pe))
+ continue;
+
eeh_pe_state_clear(pe, EEH_PE_RECOVERING);
} else {
pci_lock_rescan_remove();
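
Review bot: the continue correctly bypasses eeh_pe_state_clear() when the PE has been freed, but it also skips anything after the if/else in the loop body, which is not visible here; the commit message should confirm that no other per-PE work (logging, counters) follows this block, or that it too must be skipped for a stale PE.
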

2017-08-18 13:23:44

by Ben Hutchings

Subject: [PATCH 3.16 132/134] packet: fix tp_reserve race in packet_set_ring

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <[email protected]>

commit c27927e372f0785f3303e8fad94b85945e2c97b7 upstream.

Updates to tp_reserve can race with reads of the field in
packet_set_ring. Avoid this by holding the socket lock during
updates in setsockopt PACKET_RESERVE.

This bug was discovered by syzkaller.

Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Reported-by: Andrey Konovalov <[email protected]>
Signed-off-by: Willem de Bruijn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/packet/af_packet.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3345,14 +3345,19 @@ packet_setsockopt(struct socket *sock, i

if (optlen != sizeof(val))
return -EINVAL;
- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
- return -EBUSY;
if (copy_from_user(&val, optval, sizeof(val)))
return -EFAULT;
if (val > INT_MAX)
return -EINVAL;
- po->tp_reserve = val;
- return 0;
+ lock_sock(sk);
+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+ ret = -EBUSY;
+ } else {
+ po->tp_reserve = val;
+ ret = 0;
+ }
+ release_sock(sk);
+ return ret;
}
case PACKET_LOSS:
{
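
Review bot: moving the ring check under lock_sock() also changes error precedence: a bad optval pointer with a ring mapped now yields -EFAULT instead of -EBUSY, and an out-of-range val yields -EINVAL before -EBUSY; harmless, but it should be stated in the commit message. Doing copy_from_user() before lock_sock() is the right order, as it keeps the sleeping copy outside the lock. ret is assigned but not declared in this hunk, so it relies on a variable already in scope in packet_setsockopt(); confirm it is the function-level ret and not a new declaration needed by this case.
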

2017-08-18 13:24:34

by Ben Hutchings

Subject: [PATCH 3.16 111/134] CIFS: fix oplock break deadlocks

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Rabin Vincent <[email protected]>

commit 3998e6b87d4258a70df358296d6f1c7234012bfe upstream.

When the final cifsFileInfo_put() is called from cifsiod and an oplock
break work is queued, lockdep complains loudly:

=============================================
[ INFO: possible recursive locking detected ]
4.11.0+ #21 Not tainted
---------------------------------------------
kworker/0:2/78 is trying to acquire lock:
("cifsiod"){++++.+}, at: flush_work+0x215/0x350

but task is already holding lock:
("cifsiod"){++++.+}, at: process_one_work+0x255/0x8e0

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock("cifsiod");
lock("cifsiod");

*** DEADLOCK ***

May be due to missing lock nesting notation

2 locks held by kworker/0:2/78:
#0: ("cifsiod"){++++.+}, at: process_one_work+0x255/0x8e0
#1: ((&wdata->work)){+.+...}, at: process_one_work+0x255/0x8e0

stack backtrace:
CPU: 0 PID: 78 Comm: kworker/0:2 Not tainted 4.11.0+ #21
Workqueue: cifsiod cifs_writev_complete
Call Trace:
dump_stack+0x85/0xc2
__lock_acquire+0x17dd/0x2260
? match_held_lock+0x20/0x2b0
? trace_hardirqs_off_caller+0x86/0x130
? mark_lock+0xa6/0x920
lock_acquire+0xcc/0x260
? lock_acquire+0xcc/0x260
? flush_work+0x215/0x350
flush_work+0x236/0x350
? flush_work+0x215/0x350
? destroy_worker+0x170/0x170
__cancel_work_timer+0x17d/0x210
? ___preempt_schedule+0x16/0x18
cancel_work_sync+0x10/0x20
cifsFileInfo_put+0x338/0x7f0
cifs_writedata_release+0x2a/0x40
? cifs_writedata_release+0x2a/0x40
cifs_writev_complete+0x29d/0x850
? preempt_count_sub+0x18/0xd0
process_one_work+0x304/0x8e0
worker_thread+0x9b/0x6a0
kthread+0x1b2/0x200
? process_one_work+0x8e0/0x8e0
? kthread_create_on_node+0x40/0x40
ret_from_fork+0x31/0x40

This is a real warning. Since the oplock is queued on the same
workqueue this can deadlock if there is only one worker thread active
for the workqueue (which will be the case during memory pressure when
the rescuer thread is handling it).

Furthermore, there is at least one other kind of hang possible due to
the oplock break handling if there is only one worker. (This can be
reproduced without introducing memory pressure by passing 1 for
the max_active parameter of cifsiod.) cifs_oplock_break() can wait
indefinitely in the filemap_fdatawait() while the cifs_writev_complete()
work is blocked:

sysrq: SysRq : Show Blocked State
task PC stack pid father
kworker/0:1 D 0 16 2 0x00000000
Workqueue: cifsiod cifs_oplock_break
Call Trace:
__schedule+0x562/0xf40
? mark_held_locks+0x4a/0xb0
schedule+0x57/0xe0
io_schedule+0x21/0x50
wait_on_page_bit+0x143/0x190
? add_to_page_cache_lru+0x150/0x150
__filemap_fdatawait_range+0x134/0x190
? do_writepages+0x51/0x70
filemap_fdatawait_range+0x14/0x30
filemap_fdatawait+0x3b/0x40
cifs_oplock_break+0x651/0x710
? preempt_count_sub+0x18/0xd0
process_one_work+0x304/0x8e0
worker_thread+0x9b/0x6a0
kthread+0x1b2/0x200
? process_one_work+0x8e0/0x8e0
? kthread_create_on_node+0x40/0x40
ret_from_fork+0x31/0x40
dd D 0 683 171 0x00000000
Call Trace:
__schedule+0x562/0xf40
? mark_held_locks+0x29/0xb0
schedule+0x57/0xe0
io_schedule+0x21/0x50
wait_on_page_bit+0x143/0x190
? add_to_page_cache_lru+0x150/0x150
__filemap_fdatawait_range+0x134/0x190
? do_writepages+0x51/0x70
filemap_fdatawait_range+0x14/0x30
filemap_fdatawait+0x3b/0x40
filemap_write_and_wait+0x4e/0x70
cifs_flush+0x6a/0xb0
filp_close+0x52/0xa0
__close_fd+0xdc/0x150
SyS_close+0x33/0x60
entry_SYSCALL_64_fastpath+0x1f/0xbe

Showing all locks held in the system:
2 locks held by kworker/0:1/16:
#0: ("cifsiod"){.+.+.+}, at: process_one_work+0x255/0x8e0
#1: ((&cfile->oplock_break)){+.+.+.}, at: process_one_work+0x255/0x8e0

Showing busy workqueues and worker pools:
workqueue cifsiod: flags=0xc
pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=1/1
in-flight: 16:cifs_oplock_break
delayed: cifs_writev_complete, cifs_echo_request
pool 0: cpus=0 node=0 flags=0x0 nice=0 hung=0s workers=3 idle: 750 3

Fix these problems by creating a new workqueue (with a rescuer) for
the oplock break work.

Signed-off-by: Rabin Vincent <[email protected]>
Signed-off-by: Steve French <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/cifs/cifsfs.c | 15 +++++++++++++--
fs/cifs/cifsglob.h | 1 +
fs/cifs/misc.c | 2 +-
fs/cifs/smb2misc.c | 5 +++--
4 files changed, 18 insertions(+), 5 deletions(-)

--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -86,6 +86,7 @@ extern mempool_t *cifs_req_poolp;
extern mempool_t *cifs_mid_poolp;

struct workqueue_struct *cifsiod_wq;
+struct workqueue_struct *cifsoplockd_wq;

/*
* Bumps refcount for cifs super block.
@@ -1210,9 +1211,16 @@ init_cifs(void)
goto out_clean_proc;
}

+ cifsoplockd_wq = alloc_workqueue("cifsoplockd",
+ WQ_FREEZABLE|WQ_MEM_RECLAIM, 0);
+ if (!cifsoplockd_wq) {
+ rc = -ENOMEM;
+ goto out_destroy_cifsiod_wq;
+ }
+
rc = cifs_fscache_register();
if (rc)
- goto out_destroy_wq;
+ goto out_destroy_cifsoplockd_wq;

rc = cifs_init_inodecache();
if (rc)
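
Review bot: WQ_MEM_RECLAIM on the new queue is what supplies the rescuer the commit message relies on, and the failure label out_destroy_cifsiod_wq keeps the unwind order correct; it would be worth saying in the commit message that the oplock work needs its own rescuer precisely because the deadlock in the trace occurs when cifsiod is down to that single rescuer thread, otherwise a later cleanup could merge the two queues again.
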
@@ -1260,7 +1268,9 @@ out_destroy_inodecache:
cifs_destroy_inodecache();
out_unreg_fscache:
cifs_fscache_unregister();
-out_destroy_wq:
+out_destroy_cifsoplockd_wq:
+ destroy_workqueue(cifsoplockd_wq);
+out_destroy_cifsiod_wq:
destroy_workqueue(cifsiod_wq);
out_clean_proc:
cifs_proc_clean();
@@ -1283,6 +1293,7 @@ exit_cifs(void)
cifs_destroy_mids();
cifs_destroy_inodecache();
cifs_fscache_unregister();
+ destroy_workqueue(cifsoplockd_wq);
destroy_workqueue(cifsiod_wq);
cifs_proc_clean();
}
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1581,6 +1581,7 @@ void cifs_oplock_break(struct work_struc

extern const struct slow_work_ops cifs_oplock_break_ops;
extern struct workqueue_struct *cifsiod_wq;
+extern struct workqueue_struct *cifsoplockd_wq;

extern mempool_t *cifs_mid_poolp;

--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -483,7 +483,7 @@ is_valid_oplock_break(char *buffer, stru
CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
&pCifsInode->flags);

- queue_work(cifsiod_wq,
+ queue_work(cifsoplockd_wq,
&netfile->oplock_break);
netfile->oplock_break_cancelled = false;

--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -447,7 +447,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tc
else
cfile->oplock_break_cancelled = true;

- queue_work(cifsiod_wq, &cfile->oplock_break);
+ queue_work(cifsoplockd_wq, &cfile->oplock_break);
kfree(lw);
return true;
}
@@ -591,7 +591,8 @@ smb2_is_valid_oplock_break(char *buffer,
CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
&cinode->flags);
spin_unlock(&cfile->file_info_lock);
- queue_work(cifsiod_wq, &cfile->oplock_break);
+ queue_work(cifsoplockd_wq,
+ &cfile->oplock_break);

spin_unlock(&tcon->open_file_lock);
spin_unlock(&cifs_tcp_ses_lock);
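
Review bot: all three queue_work() call sites now target cifsoplockd_wq, while the cancel side shown in the lockdep trace (cancel_work_sync() in cifsFileInfo_put()) is untouched; that is correct because cancel_work_sync() acts on the work item rather than on a queue, and the wait inside it is now safe because the oplock work no longer shares cifsiod with the caller. A sentence to that effect in the commit message would help backporters who look for a matching change on the cancel path.
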

2017-08-18 13:24:33

by Ben Hutchings

Subject: [PATCH 3.16 134/134] udp: consistently apply ufo or fragmentation

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <[email protected]>

commit 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa upstream.

When iteratively building a UDP datagram with MSG_MORE and that
datagram exceeds MTU, consistently choose UFO or fragmentation.

Once skb_is_gso, always apply ufo. Conversely, once a datagram is
split across multiple skbs, do not consider ufo.

Sendpage already maintains the first invariant, only add the second.
IPv6 does not have a sendpage implementation to modify.

A gso skb must have a partial checksum, do not follow sk_no_check_tx
in udp_send_skb.

Found by syzkaller.

Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
Reported-by: Andrey Konovalov <[email protected]>
Signed-off-by: Willem de Bruijn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16:
- ip6_append_data() doesn't take a queue parameter; use &sk->sk_write_queue
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/ip_output.c | 7 +++++--
net/ipv4/udp.c | 2 +-
net/ipv6/ip6_output.c | 7 ++++---
3 files changed, 10 insertions(+), 6 deletions(-)

--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -885,10 +885,12 @@ static int __ip_append_data(struct sock
csummode = CHECKSUM_PARTIAL;

cork->length += length;
- if (((length > mtu) || (skb && skb_is_gso(skb))) &&
+ if ((skb && skb_is_gso(skb)) ||
+ ((length > mtu) &&
+ (skb_queue_len(queue) <= 1) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
- (sk->sk_type == SOCK_DGRAM)) {
+ (sk->sk_type == SOCK_DGRAM))) {
err = ip_ufo_append_data(sk, queue, getfrag, from, length,
hh_len, fragheaderlen, transhdrlen,
maxfraglen, flags);
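
Review bot: the reshaped condition now has two top-level branches (an skb that is already GSO, or a first-fragment datagram eligible for UFO) and the nested parentheses make the precedence hard to verify by eye; a helper predicate, or one comment per branch naming the two invariants from the commit message, would make it reviewable. Note also the <= 1 on skb_queue_len(queue) here versus == 1 in ip_append_page() below; the difference is justified because this path can run with an empty queue while ip_append_page() already dereferences skb->len, but the commit message should say so.
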
@@ -1203,6 +1205,7 @@ ssize_t ip_append_page(struct sock *sk,

cork->length += size;
if ((size + skb->len > mtu) &&
+ (skb_queue_len(&sk->sk_write_queue) == 1) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO)) {
skb_shinfo(skb)->gso_size = mtu - fragheaderlen;
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -824,7 +824,7 @@ static int udp_send_skb(struct sk_buff *
if (is_udplite) /* UDP-Lite */
csum = udplite_csum(skb);

- else if (sk->sk_no_check_tx) { /* UDP csum disabled */
+ else if (sk->sk_no_check_tx && !skb_is_gso(skb)) { /* UDP csum off */

skb->ip_summed = CHECKSUM_NONE;
goto send;
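
Review bot: the inline comment was shortened to "UDP csum off" to fit the longer condition, so the important new fact, that a GSO skb must keep CHECKSUM_PARTIAL because segmentation needs a partial checksum to produce per-segment checksums, now lives only in the commit message; a short comment on the !skb_is_gso(skb) term would preserve it in the code.
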
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1291,11 +1291,12 @@ emsgsize:

skb = skb_peek_tail(&sk->sk_write_queue);
cork->length += length;
- if ((((length + fragheaderlen) > mtu) ||
- (skb && skb_is_gso(skb))) &&
+ if ((skb && skb_is_gso(skb)) ||
+ (((length + fragheaderlen) > mtu) &&
+ (skb_queue_len(&sk->sk_write_queue) <= 1) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
- (sk->sk_type == SOCK_DGRAM)) {
+ (sk->sk_type == SOCK_DGRAM))) {
err = ip6_ufo_append_data(sk, getfrag, from, length,
hh_len, fragheaderlen, exthdrlen,
transhdrlen, mtu, flags, rt);

2017-08-18 13:25:12

by Ben Hutchings

Subject: [PATCH 3.16 113/134] lockdep: teach lockdep about memalloc_noio_save

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nikolay Borisov <[email protected]>

commit 6d7225f0cc1a1fc32cf5dd01b4ab4b8a34c7cdb4 upstream.

Patch series "scope GFP_NOFS api", v5.

This patch (of 7):

Commit 21caf2fc1931 ("mm: teach mm by current context info to not do I/O
during memory allocation") added the memalloc_noio_(save|restore)
functions to enable people to modify the MM behavior by disabling I/O
during memory allocation.

This was further extended in commit 934f3072c17c ("mm: clear __GFP_FS
when PF_MEMALLOC_NOIO is set").

memalloc_noio_* functions prevent allocation paths recursing back into
the filesystem without explicitly changing the flags for every
allocation site.

However, lockdep hasn't been keeping up with the changes and it entirely
misses handling the memalloc_noio adjustments. Instead, it is left to
the callers of __lockdep_trace_alloc to call the function after they
have shaved the respective GFP flags which can lead to false positives:

=================================
[ INFO: inconsistent lock state ]
4.10.0-nbor #134 Not tainted
---------------------------------
inconsistent {IN-RECLAIM_FS-W} -> {RECLAIM_FS-ON-W} usage.
fsstress/3365 [HC0[0]:SC0[0]:HE1:SE1] takes:
(&xfs_nondir_ilock_class){++++?.}, at: xfs_ilock+0x141/0x230
{IN-RECLAIM_FS-W} state was registered at:
__lock_acquire+0x62a/0x17c0
lock_acquire+0xc5/0x220
down_write_nested+0x4f/0x90
xfs_ilock+0x141/0x230
xfs_reclaim_inode+0x12a/0x320
xfs_reclaim_inodes_ag+0x2c8/0x4e0
xfs_reclaim_inodes_nr+0x33/0x40
xfs_fs_free_cached_objects+0x19/0x20
super_cache_scan+0x191/0x1a0
shrink_slab+0x26f/0x5f0
shrink_node+0xf9/0x2f0
kswapd+0x356/0x920
kthread+0x10c/0x140
ret_from_fork+0x31/0x40
irq event stamp: 173777
hardirqs last enabled at (173777): __local_bh_enable_ip+0x70/0xc0
hardirqs last disabled at (173775): __local_bh_enable_ip+0x37/0xc0
softirqs last enabled at (173776): _xfs_buf_find+0x67a/0xb70
softirqs last disabled at (173774): _xfs_buf_find+0x5db/0xb70

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&xfs_nondir_ilock_class);
<Interrupt>
lock(&xfs_nondir_ilock_class);

*** DEADLOCK ***

4 locks held by fsstress/3365:
#0: (sb_writers#10){++++++}, at: mnt_want_write+0x24/0x50
#1: (&sb->s_type->i_mutex_key#12){++++++}, at: vfs_setxattr+0x6f/0xb0
#2: (sb_internal#2){++++++}, at: xfs_trans_alloc+0xfc/0x140
#3: (&xfs_nondir_ilock_class){++++?.}, at: xfs_ilock+0x141/0x230

stack backtrace:
CPU: 0 PID: 3365 Comm: fsstress Not tainted 4.10.0-nbor #134
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
kmem_cache_alloc_node_trace+0x3a/0x2c0
vm_map_ram+0x2a1/0x510
_xfs_buf_map_pages+0x77/0x140
xfs_buf_get_map+0x185/0x2a0
xfs_attr_rmtval_set+0x233/0x430
xfs_attr_leaf_addname+0x2d2/0x500
xfs_attr_set+0x214/0x420
xfs_xattr_set+0x59/0xb0
__vfs_setxattr+0x76/0xa0
__vfs_setxattr_noperm+0x5e/0xf0
vfs_setxattr+0xae/0xb0
setxattr+0x15e/0x1a0
path_setxattr+0x8f/0xc0
SyS_lsetxattr+0x11/0x20
entry_SYSCALL_64_fastpath+0x23/0xc6

Let's fix this by making lockdep explicitly do the shaving of respective
GFP flags.

Fixes: 934f3072c17c ("mm: clear __GFP_FS when PF_MEMALLOC_NOIO is set")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Nikolay Borisov <[email protected]>
Signed-off-by: Michal Hocko <[email protected]>
Acked-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Dave Chinner <[email protected]>
Cc: Theodore Ts'o <[email protected]>
Cc: Chris Mason <[email protected]>
Cc: David Sterba <[email protected]>
Cc: Jan Kara <[email protected]>
Cc: Brian Foster <[email protected]>
Cc: Darrick J. Wong <[email protected]>
Cc: Vlastimil Babka <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
[bwh: Backported to 3.16: no need to touch #includes]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -2724,6 +2724,8 @@ static void __lockdep_trace_alloc(gfp_t
if (unlikely(!debug_locks))
return;

+ gfp_mask = memalloc_noio_flags(gfp_mask);
+
/* no reclaim without waiting on it */
if (!(gfp_mask & __GFP_WAIT))
return;
@@ -3644,7 +3646,7 @@ EXPORT_SYMBOL_GPL(lock_is_held);

void lockdep_set_current_reclaim_state(gfp_t gfp_mask)
{
- current->lockdep_reclaim_gfp = gfp_mask;
+ current->lockdep_reclaim_gfp = memalloc_noio_flags(gfp_mask);
}

void lockdep_clear_current_reclaim_state(void)
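
Review bot: memalloc_noio_flags() is now applied at both entry points, __lockdep_trace_alloc() and lockdep_set_current_reclaim_state(), so the allocation-side and reclaim-side masks agree; a one-line comment at the first site explaining that lockdep masks the flags itself rather than trusting callers would record the reason. Separately, this mail has no diffstat after the "---" separator, unlike the rest of the series.
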

2017-08-18 13:25:16

by Ben Hutchings

Subject: [PATCH 3.16 114/134] SMB3: Work around mount failure when using SMB3 dialect to Macs

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Steve French <[email protected]>

commit 7db0a6efdc3e990cdfd4b24820d010e9eb7890ad upstream.

Macs send the maximum buffer size in response on ioctl to validate
negotiate security information, which causes us to fail the mount
as the response buffer is larger than the expected response.

Changed ioctl response processing to allow for padding of validate
negotiate ioctl response and limit the maximum response size to
maximum buffer size.

Signed-off-by: Steve French <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/cifs/smb2pdu.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -524,8 +524,12 @@ int smb3_validate_negotiate(const unsign
}

if (rsplen != sizeof(struct validate_negotiate_info_rsp)) {
- cifs_dbg(VFS, "invalid size of protocol negotiate response\n");
- return -EIO;
+ cifs_dbg(VFS, "invalid protocol negotiate response size: %d\n",
+ rsplen);
+
+ /* relax check since Mac returns max bufsize allowed on ioctl */
+ if (rsplen > CIFSMaxBufSize)
+ return -EIO;
}

/* check validate negotiate info response matches what we got earlier */
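
Review bot: relaxing the size check to rsplen > CIFSMaxBufSize also admits responses shorter than sizeof(struct validate_negotiate_info_rsp), and the code immediately following ("check validate negotiate info response matches what we got earlier") reads fields of that struct, so a short response would be parsed past the received bytes; keep a lower bound such as "if (rsplen < sizeof(struct validate_negotiate_info_rsp)) return -EIO;" and relax only the upper bound. The cifs_dbg format uses %d for rsplen; confirm its type is int, otherwise use %u.
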
@@ -1293,8 +1297,12 @@ SMB2_ioctl(const unsigned int xid, struc
* than one credit. Windows typically sets this smaller, but for some
* ioctls it may be useful to allow server to send more. No point
* limiting what the server can send as long as fits in one credit
+ * Unfortunately - we can not handle more than CIFS_MAX_MSG_SIZE
+ * (by default, note that it can be overridden to make max larger)
+ * in responses (except for read responses which can be bigger.
+ * We may want to bump this limit up
*/
- req->MaxOutputResponse = cpu_to_le32(0xFF00); /* < 64K uses 1 credit */
+ req->MaxOutputResponse = cpu_to_le32(CIFSMaxBufSize);

if (is_fsctl)
req->Flags = cpu_to_le32(SMB2_0_IOCTL_IS_FSCTL);
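
Review bot: the extended comment has an unbalanced parenthesis ("(except for read responses which can be bigger.") and now contradicts the sentence two lines above that reasons about fitting in one credit: MaxOutputResponse is set to CIFSMaxBufSize, which the comment itself says can be overridden upward, so the "< 64K uses 1 credit" property of the old 0xFF00 value no longer necessarily holds; either clamp to min(CIFSMaxBufSize, 0xFF00) or reword the comment so it no longer claims the single-credit bound.
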

2017-08-18 13:25:15

by Ben Hutchings

Subject: [PATCH 3.16 115/134] ceph: fix memory leak in __ceph_setxattr()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Luis Henriques <[email protected]>

commit eeca958dce0a9231d1969f86196653eb50fcc9b3 upstream.

The ceph_inode_xattr needs to be released when removing an xattr. Easily
reproducible running the 'generic/020' test from xfstests or simply by
doing:

attr -s attr0 -V 0 /mnt/test && attr -r attr0 /mnt/test

While there, also fix the error path.

Here's the kmemleak splat:

unreferenced object 0xffff88001f86fbc0 (size 64):
comm "attr", pid 244, jiffies 4294904246 (age 98.464s)
hex dump (first 32 bytes):
40 fa 86 1f 00 88 ff ff 80 32 38 1f 00 88 ff ff @........28.....
00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de ................
backtrace:
[<ffffffff81560199>] kmemleak_alloc+0x49/0xa0
[<ffffffff810f3e5b>] kmem_cache_alloc+0x9b/0xf0
[<ffffffff812b157e>] __ceph_setxattr+0x17e/0x820
[<ffffffff812b1c57>] ceph_set_xattr_handler+0x37/0x40
[<ffffffff8111fb4b>] __vfs_removexattr+0x4b/0x60
[<ffffffff8111fd37>] vfs_removexattr+0x77/0xd0
[<ffffffff8111fdd1>] removexattr+0x41/0x60
[<ffffffff8111fe65>] path_removexattr+0x75/0xa0
[<ffffffff81120aeb>] SyS_lremovexattr+0xb/0x10
[<ffffffff81564b20>] entry_SYSCALL_64_fastpath+0x13/0x94
[<ffffffffffffffff>] 0xffffffffffffffff

Signed-off-by: Luis Henriques <[email protected]>
Reviewed-by: "Yan, Zheng" <[email protected]>
Signed-off-by: Ilya Dryomov <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ceph/xattr.c | 3 +++
1 file changed, 3 insertions(+)

--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -369,6 +369,7 @@ static int __set_xattr(struct ceph_inode

if (update_xattr) {
int err = 0;
+
if (xattr && (flags & XATTR_CREATE))
err = -EEXIST;
else if (!xattr && (flags & XATTR_REPLACE))
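
Review bot: the blank line added after "int err = 0;" is a whitespace-only change unrelated to the leak fix; drop it from the backport or mention it, so the diff stays minimal and the diffstat reflects only the fix.
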
@@ -376,12 +377,14 @@ static int __set_xattr(struct ceph_inode
if (err) {
kfree(name);
kfree(val);
+ kfree(*newxattr);
return err;
}
if (update_xattr < 0) {
if (xattr)
__remove_xattr(ci, xattr);
kfree(name);
+ kfree(*newxattr);
return 0;
}
}
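
Review bot: freeing *newxattr on both early-return paths closes the leak, but the caller's pointer is left dangling; setting *newxattr = NULL after each kfree() would make a later use or double free impossible if the caller touches it on the error path. A Fixes: tag pointing at the commit that introduced the newxattr parameter would also help stable maintainers.
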

2017-08-18 13:25:13

by Ben Hutchings

Subject: [PATCH 3.16 116/134] of: fix sparse warning in of_pci_range_parser_one

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Rob Herring <[email protected]>

commit eb3100365791b06242b8bb5c3c2854ba41dabfbc upstream.

sparse gives the following warning for 'pci_space':

../drivers/of/address.c:266:26: warning: incorrect type in assignment (different base types)
../drivers/of/address.c:266:26: expected unsigned int [unsigned] [usertype] pci_space
../drivers/of/address.c:266:26: got restricted __be32 const [usertype] <noident>

It appears that pci_space is only ever accessed on powerpc, so the endian
swap is often not needed.

Signed-off-by: Rob Herring <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/of/address.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/of/address.c
+++ b/drivers/of/address.c
@@ -258,7 +258,7 @@ struct of_pci_range *of_pci_range_parser
if (!parser->range || parser->range + parser->np > parser->end)
return NULL;

- range->pci_space = parser->range[0];
+ range->pci_space = be32_to_cpup(parser->range);
range->flags = of_bus_pci_get_flags(parser->range);
range->pci_addr = of_read_number(parser->range + 1, ns);
range->cpu_addr = of_translate_address(parser->node,
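
Review bot: be32_to_cpup() changes the stored value of range->pci_space from the raw big-endian cell to CPU order on little-endian hosts; the commit message says the field is only read on powerpc, where the two coincide, but any consumer that compares pci_space against be32 constants would break silently, so the message should name the readers that were checked.
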

2017-08-18 13:25:10

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 105/134] metag/uaccess: Fix access_ok()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: James Hogan <[email protected]>

commit 8a8b56638bcac4e64cccc88bf95a0f9f4b19a2fb upstream.

The __user_bad() macro used by access_ok() has a few corner cases
noticed by Al Viro where it doesn't behave correctly:

- The kernel range check has off by 1 errors which permit access to the
first and last byte of the kernel mapped range.

- The kernel range check ends at LINCORE_BASE rather than
META_MEMORY_LIMIT, which is ineffective when the kernel is in global
space (an extremely uncommon configuration).

There are a couple of other shortcomings here too:

- Access to the whole of the other address space is permitted (i.e. the
global half of the address space when the kernel is in local space).
This isn't ideal as it could theoretically still contain privileged
mappings set up by the bootloader.

- The size argument is unused, permitting user copies which start on
valid pages at the end of the user address range and cross the
boundary into the kernel address space (e.g. addr = 0x3ffffff0, size
> 0x10).

It isn't very convenient to add size checks when disallowing certain
regions, and it seems far safer to be sure and explicit about what
userland is able to access, so invert the logic to allow certain regions
instead, and fix the off by 1 errors and missing size checks. This also
allows the get_fs() == KERNEL_DS check to be more easily optimised into
the user address range case.

We now have 3 such allowed regions:

- The user address range (incorporating the get_fs() == KERNEL_DS
check).

- NULL (some kernel code expects this to work, and we'll always catch
the fault anyway).

- The core code memory region.

Fixes: 373cd784d0fc ("metag: Memory handling")
Reported-by: Al Viro <[email protected]>
Signed-off-by: James Hogan <[email protected]>
Cc: [email protected]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/metag/include/asm/uaccess.h | 40 ++++++++++++++++++++++++----------------
1 file changed, 24 insertions(+), 16 deletions(-)

--- a/arch/metag/include/asm/uaccess.h
+++ b/arch/metag/include/asm/uaccess.h
@@ -28,24 +28,32 @@

#define segment_eq(a, b) ((a).seg == (b).seg)

-#define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
-/*
- * Explicitly allow NULL pointers here. Parts of the kernel such
- * as readv/writev use access_ok to validate pointers, but want
- * to allow NULL pointers for various reasons. NULL pointers are
- * safe to allow through because the first page is not mappable on
- * Meta.
- *
- * We also wish to avoid letting user code access the system area
- * and the kernel half of the address space.
- */
-#define __user_bad(addr, size) (((addr) > 0 && (addr) < META_MEMORY_BASE) || \
- ((addr) > PAGE_OFFSET && \
- (addr) < LINCORE_BASE))
-
static inline int __access_ok(unsigned long addr, unsigned long size)
{
- return __kernel_ok || !__user_bad(addr, size);
+ /*
+ * Allow access to the user mapped memory area, but not the system area
+ * before it. The check extends to the top of the address space when
+ * kernel access is allowed (there's no real reason to user copy to the
+ * system area in any case).
+ */
+ if (likely(addr >= META_MEMORY_BASE && addr < get_fs().seg &&
+ size <= get_fs().seg - addr))
+ return true;
+ /*
+ * Explicitly allow NULL pointers here. Parts of the kernel such
+ * as readv/writev use access_ok to validate pointers, but want
+ * to allow NULL pointers for various reasons. NULL pointers are
+ * safe to allow through because the first page is not mappable on
+ * Meta.
+ */
+ if (!addr)
+ return true;
+ /* Allow access to core code memory area... */
+ if (addr >= LINCORE_CODE_BASE && addr <= LINCORE_CODE_LIMIT &&
+ size <= LINCORE_CODE_LIMIT + 1 - addr)
+ return true;
+ /* ... but no other areas. */
+ return false;
}

#define access_ok(type, addr, size) __access_ok((unsigned long)(addr), \
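Review bot: the core-code region check `size <= LINCORE_CODE_LIMIT + 1 - addr` assumes LINCORE_CODE_LIMIT is not the last address of the space; if it were all-ones, `LINCORE_CODE_LIMIT + 1` wraps to 0 and the bound collapses, so either document that assumption or write it as `size - 1 <= LINCORE_CODE_LIMIT - addr` guarded by `size != 0`. The user-range check above it avoids the problem because `get_fs().seg` is compared exclusively (`addr < get_fs().seg`). Also, `__kernel_ok` is deleted here and the hunk does not show whether any other file under arch/metag still references it, and returning `true`/`false` from an `int` function relies on linux/types.h already being pulled in by this header.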

2017-08-18 13:26:33

by Ben Hutchings

Subject: [PATCH 3.16 112/134] um: Fix PTRACE_POKEUSER on x86_64

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <[email protected]>

commit 9abc74a22d85ab29cef9896a2582a530da7e79bf upstream.

This has been broken since forever but sadly nobody noticed.
Recent versions of GDB set DR_CONTROL unconditionally and
UML dies due to a heap corruption. It turns out that
PTRACE_POKEUSER was copy&pasted from i386 and assumes
that addresses are 4 bytes long.

Fix that by using 8 as address size in the calculation.

Reported-by: jie cao <[email protected]>
Signed-off-by: Richard Weinberger <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/um/ptrace_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/um/ptrace_64.c
+++ b/arch/x86/um/ptrace_64.c
@@ -120,7 +120,7 @@ int poke_user(struct task_struct *child,
else if ((addr >= offsetof(struct user, u_debugreg[0])) &&
(addr <= offsetof(struct user, u_debugreg[7]))) {
addr -= offsetof(struct user, u_debugreg[0]);
- addr = addr >> 2;
+ addr = addr >> 3;
if ((addr == 4) || (addr == 5))
return -EIO;
child->thread.arch.debugregs[addr] = data;
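Review bot: the range test `addr <= offsetof(struct user, u_debugreg[7])` still admits unaligned offsets inside the debugreg block (e.g. base + 4), which `addr >> 3` silently rounds down to the previous register index; since the whole point of this fix is the 8-byte stride on x86_64, consider rejecting `addr & 7` with -EIO before the shift. After the shift the index is 0..7, so it stays inside `debugregs[]` only if that array has 8 entries, which the hunk does not show.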

2017-08-18 13:26:57

by Ben Hutchings

Subject: [PATCH 3.16 103/134] drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mario Kleiner <[email protected]>

commit e345da82bd6bdfa8492f80b3ce4370acfd868d95 upstream.

The builtin eDP panel in the HP zBook 17 G2 supports 10 bpc,
as advertised by the laptop's product specs and verified via
injecting a fixed EDID + photometer measurements, but the EDID
reports unknown depth, so drivers fall back to 6 bpc.

Add a quirk to get the full 10 bpc.

Signed-off-by: Mario Kleiner <[email protected]>
Acked-by: Harry Wentland <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
Link: http://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/drm_edid.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -74,6 +74,8 @@
#define EDID_QUIRK_FORCE_12BPC (1 << 9)
/* Force 6bpc */
#define EDID_QUIRK_FORCE_6BPC (1 << 10)
+/* Force 10bpc */
+#define EDID_QUIRK_FORCE_10BPC (1 << 11)

struct detailed_mode_closure {
struct drm_connector *connector;
@@ -116,6 +118,9 @@ static struct edid_quirk {
{ "FCM", 13600, EDID_QUIRK_PREFER_LARGE_75 |
EDID_QUIRK_DETAILED_IN_CM },

+ /* LGD panel of HP zBook 17 G2, eDP 10 bpc, but reports unknown bpc */
+ { "LGD", 764, EDID_QUIRK_FORCE_10BPC },
+
/* LG Philips LCD LP154W01-A5 */
{ "LPL", 0, EDID_QUIRK_DETAILED_USE_MAXIMUM_SIZE },
{ "LPL", 0x2a00, EDID_QUIRK_DETAILED_USE_MAXIMUM_SIZE },
@@ -3678,6 +3683,9 @@ int drm_add_edid_modes(struct drm_connec
if (quirks & EDID_QUIRK_FORCE_8BPC)
connector->display_info.bpc = 8;

+ if (quirks & EDID_QUIRK_FORCE_10BPC)
+ connector->display_info.bpc = 10;
+
if (quirks & EDID_QUIRK_FORCE_12BPC)
connector->display_info.bpc = 12;

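Review bot: the three `if (quirks & EDID_QUIRK_FORCE_*BPC)` blocks are independent assignments rather than an if/else chain, so with the new 10 bpc case the effective precedence is implicit (a 12 bpc quirk beats 10, which beats 8); an else-if chain or a one-line comment would make that explicit. Since `EDID_QUIRK_FORCE_10BPC` is defined as bit 11 in the first hunk, also confirm no other flag in that header already uses `(1 << 11)`.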

2017-08-18 13:26:55

by Ben Hutchings

Subject: [PATCH 3.16 108/134] Set unicode flag on cifs echo request to avoid Mac error

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Steve French <[email protected]>

commit 26c9cb668c7fbf9830516b75d8bee70b699ed449 upstream.

Mac requires the unicode flag to be set for cifs, even for the smb
echo request (which doesn't have strings).

Without this, Mac rejects the periodic echo requests (when mounting
with cifs) that we use to check if the server is down.

Signed-off-by: Steve French <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/cifs/cifssmb.c | 3 +++
1 file changed, 3 insertions(+)

--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -720,6 +720,9 @@ CIFSSMBEcho(struct TCP_Server_Info *serv
if (rc)
return rc;

+ if (server->capabilities & CAP_UNICODE)
+ smb->hdr.Flags2 |= SMBFLG2_UNICODE;
+
/* set up echo request */
smb->hdr.Tid = 0xffff;
smb->hdr.WordCount = 1;
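Review bot: the two new lines sit above the `/* set up echo request */` comment, so they read as part of the preceding error check rather than as header setup; moving them below the comment next to the other `smb->hdr` fields (Tid, WordCount) would keep the header initialisation in one place. Gating on `server->capabilities & CAP_UNICODE` rather than setting the flag unconditionally is the right call, as it keeps the change invisible to servers that never negotiated Unicode.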

2017-08-18 13:27:28

by Ben Hutchings

Subject: [PATCH 3.16 106/134] tcp: fix wraparound issue in tcp_lp

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit a9f11f963a546fea9144f6a6d1a307e814a387e7 upstream.

Be careful when comparing tcp_time_stamp to some u32 quantity,
otherwise result can be surprising.

Fixes: 7c106d7e782b ("[TCP]: TCP Low Priority congestion control")
Signed-off-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/tcp_lp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/ipv4/tcp_lp.c
+++ b/net/ipv4/tcp_lp.c
@@ -264,13 +264,15 @@ static void tcp_lp_pkts_acked(struct soc
{
struct tcp_sock *tp = tcp_sk(sk);
struct lp *lp = inet_csk_ca(sk);
+ u32 delta;

if (rtt_us > 0)
tcp_lp_rtt_sample(sk, rtt_us);

/* calc inference */
- if (tcp_time_stamp > tp->rx_opt.rcv_tsecr)
- lp->inference = 3 * (tcp_time_stamp - tp->rx_opt.rcv_tsecr);
+ delta = tcp_time_stamp - tp->rx_opt.rcv_tsecr;
+ if ((s32)delta > 0)
+ lp->inference = 3 * delta;

/* test if within inference */
if (lp->last_drop && (tcp_time_stamp - lp->last_drop < lp->inference))
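Review bot: the `(s32)delta > 0` test fixes the wraparound compare, but `lp->inference = 3 * delta` can still overflow u32 when delta exceeds UINT_MAX/3 (the cast only bounds delta below 2^31), and `rcv_tsecr` is an echoed timestamp taken from the peer's packet; a clamp on delta, or a comment stating that a well-behaved peer keeps it small, would make the remaining assumption explicit. Declaring `u32 delta` with the other locals matches the file's style.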

2017-08-18 13:27:27

by Ben Hutchings

Subject: [PATCH 3.16 081/134] fanotify: don't expose EOPENSTALE to userspace

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Amir Goldstein <[email protected]>

commit 4ff33aafd32e084f5ee7faa54ba06e95f8b1b8af upstream.

When delivering an event to userspace for a file on an NFS share,
if the file is deleted on the server side before the user reads the event,
the user will not get the event.

If the event queue contained several events, the stale event is
quietly dropped and read() returns to user with events read so far
in the buffer.

If the event queue contains a single stale event or if the stale
event is a permission event, read() returns to user with the kernel
internal error code 518 (EOPENSTALE), which is not a POSIX error code.

Check the internal return value -EOPENSTALE in fanotify_read(), just
the same as it is checked in path_openat() and drop the event in the
cases that it is not already dropped.

This is a reproducer from Marko Rauhamaa:

Just take the example program listed under "man fanotify" ("fantest")
and follow these steps:

==============================================================
NFS Server NFS Client(1) NFS Client(2)
==============================================================
# echo foo >/nfsshare/bar.txt
# cat /nfsshare/bar.txt
foo
# ./fantest /nfsshare
Press enter key to terminate.
Listening for events.
# rm -f /nfsshare/bar.txt
# cat /nfsshare/bar.txt
read: Unknown error 518
cat: /nfsshare/bar.txt: Operation not permitted
==============================================================

where NFS Client (1) and (2) are two terminal sessions on a single NFS
Client machine.

Reported-by: Marko Rauhamaa <[email protected]>
Tested-by: Marko Rauhamaa <[email protected]>
Cc: <[email protected]>
Signed-off-by: Amir Goldstein <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/notify/fanotify/fanotify_user.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)

--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -294,27 +294,37 @@ static ssize_t fanotify_read(struct file
}

ret = copy_event_to_user(group, kevent, buf);
+ if (unlikely(ret == -EOPENSTALE)) {
+ /*
+ * We cannot report events with stale fd so drop it.
+ * Setting ret to 0 will continue the event loop and
+ * do the right thing if there are no more events to
+ * read (i.e. return bytes read, -EAGAIN or wait).
+ */
+ ret = 0;
+ }
+
/*
* Permission events get queued to wait for response. Other
* events can be destroyed now.
*/
if (!(kevent->mask & FAN_ALL_PERM_EVENTS)) {
fsnotify_destroy_event(group, kevent);
- if (ret < 0)
- break;
} else {
#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
- if (ret < 0) {
+ if (ret <= 0) {
FANOTIFY_PE(kevent)->response = FAN_DENY;
wake_up(&group->fanotify_data.access_waitq);
- break;
+ } else {
+ spin_lock(&group->fanotify_data.access_lock);
+ list_add_tail(&kevent->list,
+ &group->fanotify_data.access_list);
+ spin_unlock(&group->fanotify_data.access_lock);
}
- spin_lock(&group->fanotify_data.access_lock);
- list_add_tail(&kevent->list,
- &group->fanotify_data.access_list);
- spin_unlock(&group->fanotify_data.access_lock);
#endif
}
+ if (ret < 0)
+ break;
buf += ret;
count -= ret;
}
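Review bot: in the permission branch the condition changes from `ret < 0` to `ret <= 0`, which is what makes a stale permission event (now ret == 0) answer FAN_DENY and wake the waiter instead of leaving the opener blocked; that fail-closed choice deserves a one-line comment next to `FANOTIFY_PE(kevent)->response = FAN_DENY;`, since elsewhere in this loop 0 means "nothing to report". The relocated `if (ret < 0) break;` now runs after the permission bookkeeping, so a genuine copy error still stops the loop for both event kinds, and with ret forced to 0 for the stale case `buf += ret; count -= ret;` are no-ops, which is the intent.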

2017-08-18 13:27:25

by Ben Hutchings

Subject: [PATCH 3.16 110/134] tg3: don't clear stats while tg3_close

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: YueHaibing <[email protected]>

commit 37a7fdf2892be124545ddaf99b85de576121476c upstream.

Now tg3 NIC's stats will be cleared after ifdown/ifup. bond_get_stats traverses
its slaves to get statistics, accumulating the increment. If a tg3 NIC is added to
bonding as a slave, ifdown/ifup will cause bonding's stats to become a tremendous value
(e.g. 1638.3 PiB) because of a negative increment.

Fixes: 92feeabf3f67 ("tg3: Save stats across chip resets")
Signed-off-by: YueHaibing <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/broadcom/tg3.c | 4 ----
1 file changed, 4 deletions(-)

--- a/drivers/net/ethernet/broadcom/tg3.c
+++ b/drivers/net/ethernet/broadcom/tg3.c
@@ -11709,10 +11709,6 @@ static int tg3_close(struct net_device *

tg3_stop(tp);

- /* Clear stats across close / open calls */
- memset(&tp->net_stats_prev, 0, sizeof(tp->net_stats_prev));
- memset(&tp->estats_prev, 0, sizeof(tp->estats_prev));
-
if (pci_device_is_present(tp->pdev)) {
tg3_power_down_prepare(tp);

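Review bot: with the memset pair removed, `net_stats_prev` and `estats_prev` are only zeroed when `tp` is allocated, so the accumulated counters now survive every close/open, which is the fix; a short comment at the removal site saying why (upper layers such as bonding accumulate deltas, so a reset shows up as a huge negative increment) would stop someone re-adding the clear later. Also confirm no other path relied on tg3_close() resetting these, since the hunk shows only this one site.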

2017-08-18 13:28:13

by Ben Hutchings

Subject: [PATCH 3.16 096/134] power: supply: isp1704: Fix unchecked return value of devm_kzalloc

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Pan Bian <[email protected]>

commit 8b20839988f1ed5e534b270f3776709b640dc7e0 upstream.

Function devm_kzalloc() will return a NULL pointer. However, in function
isp1704_charger_probe(), the return value of devm_kzalloc() is directly
used without validation. This may result in a bad memory access bug.

Fixes: 34a109610e2a ("isp1704_charger: Add DT support")
Signed-off-by: Pan Bian <[email protected]>
Reviewed-by: Pali Rohár <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/power/isp1704_charger.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/power/isp1704_charger.c
+++ b/drivers/power/isp1704_charger.c
@@ -415,6 +415,10 @@ static int isp1704_charger_probe(struct

pdata = devm_kzalloc(&pdev->dev,
sizeof(struct isp1704_charger_data), GFP_KERNEL);
+ if (!pdata) {
+ ret = -ENOMEM;
+ goto fail0;
+ }
pdata->enable_gpio = gpio;

dev_info(&pdev->dev, "init gpio %d\n", pdata->enable_gpio);
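Review bot: the new error path jumps to `fail0`, which is outside the hunk; confirm that label undoes whatever was set up before this allocation (a `gpio` is already in hand, as the following `pdata->enable_gpio = gpio` shows) rather than simply returning `ret`. Routing -ENOMEM through `ret` and the cleanup label instead of a bare `return -ENOMEM` is the right shape for a probe function.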

2017-08-18 13:28:12

by Ben Hutchings

Subject: [PATCH 3.16 093/134] ext4: evict inline data when writing to memory map

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Biggers <[email protected]>

commit 7b4cc9787fe35b3ee2dfb1c35e22eafc32e00c33 upstream.

Currently the case of writing via mmap to a file with inline data is not
handled. This is maybe a rare case since it requires a writable memory
map of a very small file, but it is trivial to trigger on an
inline_data filesystem, and it causes the
'BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA));' in
ext4_writepages() to be hit:

mkfs.ext4 -O inline_data /dev/vdb
mount /dev/vdb /mnt
xfs_io -f /mnt/file \
-c 'pwrite 0 1' \
-c 'mmap -w 0 1m' \
-c 'mwrite 0 1' \
-c 'fsync'

kernel BUG at fs/ext4/inode.c:2723!
invalid opcode: 0000 [#1] SMP
CPU: 1 PID: 2532 Comm: xfs_io Not tainted 4.11.0-rc1-xfstests-00301-g071d9acf3d1f #633
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
task: ffff88003d3a8040 task.stack: ffffc90000300000
RIP: 0010:ext4_writepages+0xc89/0xf8a
RSP: 0018:ffffc90000303ca0 EFLAGS: 00010283
RAX: 0000028410000000 RBX: ffff8800383fa3b0 RCX: ffffffff812afcdc
RDX: 00000a9d00000246 RSI: ffffffff81e660e0 RDI: 0000000000000246
RBP: ffffc90000303dc0 R08: 0000000000000002 R09: 869618e8f99b4fa5
R10: 00000000852287a2 R11: 00000000a03b49f4 R12: ffff88003808e698
R13: 0000000000000000 R14: 7fffffffffffffff R15: 7fffffffffffffff
FS: 00007fd3e53094c0(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd3e4c51000 CR3: 000000003d554000 CR4: 00000000003406e0
Call Trace:
? _raw_spin_unlock+0x27/0x2a
? kvm_clock_read+0x1e/0x20
do_writepages+0x23/0x2c
? do_writepages+0x23/0x2c
__filemap_fdatawrite_range+0x80/0x87
filemap_write_and_wait_range+0x67/0x8c
ext4_sync_file+0x20e/0x472
vfs_fsync_range+0x8e/0x9f
? syscall_trace_enter+0x25b/0x2d0
vfs_fsync+0x1c/0x1e
do_fsync+0x31/0x4a
SyS_fsync+0x10/0x14
do_syscall_64+0x69/0x131
entry_SYSCALL64_slow_path+0x25/0x25

We could try to be smart and keep the inline data in this case, or at
least support delayed allocation when allocating the block, but these
solutions would be more complicated and don't seem worthwhile given how
rare this case seems to be. So just fix the bug by calling
ext4_convert_inline_data() when we're asked to make a page writable, so
that any inline data gets evicted, with the block allocated immediately.

Reported-by: Nick Alcock <[email protected]>
Reviewed-by: Andreas Dilger <[email protected]>
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/inode.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5273,6 +5273,11 @@ int ext4_page_mkwrite(struct vm_area_str

sb_start_pagefault(inode->i_sb);
file_update_time(vma->vm_file);
+
+ ret = ext4_convert_inline_data(inode);
+ if (ret)
+ goto out_ret;
+
/* Delalloc case is easy... */
if (test_opt(inode->i_sb, DELALLOC) &&
!ext4_should_journal_data(inode) &&
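Review bot: the early exit via `goto out_ret` comes after `sb_start_pagefault(inode->i_sb)` on the context line just above it, so that label (not shown in the hunk) must pair it with `sb_end_pagefault()` or the pagefault count leaks on every failed conversion. Also, `ext4_page_mkwrite` returns a VM_FAULT_* code, so `ret` holding the errno from `ext4_convert_inline_data()` must be translated (block_page_mkwrite_return() or equivalent) at `out_ret` rather than returned as-is.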

2017-08-18 13:28:10

by Ben Hutchings

Subject: [PATCH 3.16 107/134] cifs: small underflow in cnvrtDosUnixTm()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 564277eceeca01e02b1ef3e141cfb939184601b4 upstream.

January is month 1. There is no zeroth month. If someone passes a
zero month then it means we read from one space before the start of the
total_days_of_prev_months[] array.

We may as well be strict about days too.

Fixes: 1bd5bbcb6531 ("[CIFS] Legacy time handling for Win9x and OS/2 part 1")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Steve French <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/cifs/netmisc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/cifs/netmisc.c
+++ b/fs/cifs/netmisc.c
@@ -966,10 +966,10 @@ struct timespec cnvrtDosUnixTm(__le16 le
cifs_dbg(VFS, "illegal hours %d\n", st->Hours);
days = sd->Day;
month = sd->Month;
- if ((days > 31) || (month > 12)) {
+ if (days < 1 || days > 31 || month < 1 || month > 12) {
cifs_dbg(VFS, "illegal date, month %d day: %d\n", month, days);
- if (month > 12)
- month = 12;
+ days = clamp(days, 1, 31);
+ month = clamp(month, 1, 12);
}
month -= 1;
days += total_days_of_prev_months[month];
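Review bot: `clamp()` typechecks the value against its bounds, so `days = clamp(days, 1, 31)` and `month = clamp(month, 1, 12)` compile only if `days` and `month` are plain `int`; if either is a narrower type (they are loaded from `sd->Day` and `sd->Month`), use `clamp_t()`. After the clamp, `month -= 1` is guaranteed to index `total_days_of_prev_months[0..11]`, which closes the underflow the message describes; the result for an invalid date is a best-effort timestamp rather than an error, so a comment saying the clamp is deliberate would help the next reader.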

2017-08-18 13:29:18

by Ben Hutchings

Subject: [PATCH 3.16 099/134] ip6_tunnel: Fix missing tunnel encapsulation limit option

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Craig Gallek <[email protected]>

commit 89a23c8b528bd2c89f3981573d6cd7d23840c8a6 upstream.

The IPv6 tunneling code tries to insert IPV6_TLV_TNL_ENCAP_LIMIT and
IPV6_TLV_PADN options when an encapsulation limit is defined (the
default is a limit of 4). An MTU adjustment is done to account for
these options as well. However, the options are never present in the
generated packets.

The issue appears to be a subtlety between IPV6_DSTOPTS and
IPV6_RTHDRDSTOPTS defined in RFC 3542. When the IPIP tunnel driver was
written, the encap limit options were included as IPV6_RTHDRDSTOPTS in
dst0opt of struct ipv6_txoptions. Later, ipv6_push_nfrags_opts was
(correctly) updated to require IPV6_RTHDR options when IPV6_RTHDRDSTOPTS
are to be used. This caused the options to no longer be included in v6
encapsulated packets.

The fix is to use IPV6_DSTOPTS (in dst1opt of struct ipv6_txoptions)
instead. IPV6_DSTOPTS do not have the additional IPV6_RTHDR requirement.

Fixes: 1df64a8569c7: ("[IPV6]: Add ip6ip6 tunnel driver.")
Fixes: 333fad5364d6: ("[IPV6]: Support several new sockopt / ancillary data in Advanced API (RFC3542)")
Signed-off-by: Craig Gallek <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/ip6_tunnel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -883,7 +883,7 @@ static void init_tel_txopt(struct ipv6_t
opt->dst_opt[5] = IPV6_TLV_PADN;
opt->dst_opt[6] = 1;

- opt->ops.dst0opt = (struct ipv6_opt_hdr *) opt->dst_opt;
+ opt->ops.dst1opt = (struct ipv6_opt_hdr *) opt->dst_opt;
opt->ops.opt_nflen = 8;
}

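Review bot: switching the pointer from `dst0opt` to `dst1opt` while leaving `opt->ops.opt_nflen = 8` unchanged looks inconsistent: in `struct ipv6_txoptions` the dst1opt header is the one pushed after the fragment header (as the `ipv6_push_frag_opts()` hunk in patch 100/134 shows), whose length is normally accounted in `opt_flen`, while `opt_nflen` covers the headers before it. Check whether the MTU and headroom code that reads `opt_nflen` still counts these 8 bytes in the right place, or whether it should now be `opt_flen`.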
@@ -1051,7 +1051,7 @@ static int ip6_tnl_xmit2(struct sk_buff
proto = fl6->flowi6_proto;
if (encap_limit >= 0) {
init_tel_txopt(&opt, encap_limit);
- ipv6_push_nfrag_opts(skb, &opt.ops, &proto, NULL);
+ ipv6_push_frag_opts(skb, &opt.ops, &proto);
}

if (likely(!skb->encapsulation)) {
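Review bot: `ipv6_push_frag_opts()` replaces the exported `ipv6_push_nfrag_opts()`, but the frag variant is not exported until the next patch in this series (100/134, "ipv6: Need to export ipv6_push_frag_opts for tunneling now."); between the two, ip6_tunnel built as a module fails to link, so the pair should be applied together or the export folded into this patch for bisectability. Dropping the trailing `NULL` matches the three-argument signature shown in that follow-up hunk.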

2017-08-18 13:30:00

by Ben Hutchings

Subject: [PATCH 3.16 098/134] Input: twl4030-pwrbutton - use correct device for irq request

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sebastian Reichel <[email protected]>

commit 3071e9dd6cd3f2290d770117330f2c8b2e9a97e4 upstream.

The interrupt should be requested for the platform device
and not for the input device.

Fixes: 7f9ce649d267 ("Input: twl4030-pwrbutton - simplify driver using devm_*")
Signed-off-by: Sebastian Reichel <[email protected]>
Signed-off-by: Dmitry Torokhov <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/input/misc/twl4030-pwrbutton.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/misc/twl4030-pwrbutton.c
+++ b/drivers/input/misc/twl4030-pwrbutton.c
@@ -70,7 +70,7 @@ static int twl4030_pwrbutton_probe(struc
pwr->phys = "twl4030_pwrbutton/input0";
pwr->dev.parent = &pdev->dev;

- err = devm_request_threaded_irq(&pwr->dev, irq, NULL, powerbutton_irq,
+ err = devm_request_threaded_irq(&pdev->dev, irq, NULL, powerbutton_irq,
IRQF_TRIGGER_FALLING | IRQF_TRIGGER_RISING,
"twl4030_pwrbutton", pwr);
if (err < 0) {
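Review bot: requesting the IRQ against `&pdev->dev` means the handler is freed when the platform device unbinds, while its dev_id `pwr` is the input device; that is only safe if `pwr` was allocated with a devm_ call on the same pdev before this point (devm releases run in reverse order, so the IRQ goes first), which the hunk does not show. Requesting it on `&pwr->dev` was wrong because the input device is not a driver-bound device here, so devres attached to it does not follow this driver's bind/unbind lifecycle.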

2017-08-18 13:29:58

by Ben Hutchings

Subject: [PATCH 3.16 100/134] ipv6: Need to export ipv6_push_frag_opts for tunneling now.

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "David S. Miller" <[email protected]>

commit 5b8481fa42ac58484d633b558579e302aead64c1 upstream.

Since that change also made the nfrag function not necessary
for exports, remove it.

Fixes: 89a23c8b528b ("ip6_tunnel: Fix missing tunnel encapsulation limit option")
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16: keep exporting ipv6_push_nfrag_opts(), needed by
ip6_gre module]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -709,6 +709,7 @@ void ipv6_push_frag_opts(struct sk_buff
if (opt->dst1opt)
ipv6_push_exthdr(skb, proto, NEXTHDR_DEST, opt->dst1opt);
}
+EXPORT_SYMBOL(ipv6_push_frag_opts);

struct ipv6_txoptions *
ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt)
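Review bot: this email carries no diffstat between the `---` separator and the first `--- a/net/ipv6/exthdrs.c` line, unlike the rest of the series; worth regenerating so tooling that parses the stat block does not trip. The plain `EXPORT_SYMBOL` (not `_GPL`) is consistent with the backport note keeping `ipv6_push_nfrag_opts()` exported for ip6_gre, and the "remove it" sentence in the upstream message therefore does not apply to this tree, as the bwh note already says.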

2017-08-18 13:29:56

by Ben Hutchings

Subject: [PATCH 3.16 097/134] power: supply: pda_power: move from timer to delayed_work

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michael Trimarchi <[email protected]>

commit 633e8799ddc09431be2744c4a1efdbda13af2b0b upstream.

This change is needed to avoid a locking problem during
boot, as shown:

<5>[ 8.824096] Registering SWP/SWPB emulation handler
<6>[ 8.977294] clock: disabling unused clocks to save power
<3>[ 9.108154] BUG: sleeping function called from invalid context at kernel_albert/kernel/mutex.c:269
<3>[ 9.122894] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
<4>[ 9.130249] 3 locks held by swapper/0/1:
<4>[ 9.134613] #0: (&__lockdep_no_validate__){......}, at: [<c0342430>] __driver_attach+0x58/0xa8
<4>[ 9.144500] #1: (&__lockdep_no_validate__){......}, at: [<c0342440>] __driver_attach+0x68/0xa8
<4>[ 9.154357] #2: (&polling_timer){......}, at: [<c0053770>] run_timer_softirq+0x108/0x3ec
<4>[ 9.163726] Backtrace:
<4>[ 9.166473] [<c001269c>] (dump_backtrace+0x0/0x114) from [<c067e5f0>] (dump_stack+0x20/0x24)
<4>[ 9.175811] r6:00203230 r5:0000010d r4:d782e000 r3:60000113
<4>[ 9.182250] [<c067e5d0>] (dump_stack+0x0/0x24) from [<c007441c>] (__might_sleep+0x10c/0x128)
<4>[ 9.191650] [<c0074310>] (__might_sleep+0x0/0x128) from [<c0688f60>] (mutex_lock_nested+0x34/0x36c)
<4>[ 9.201660] r5:c02d5350 r4:d79a0c64
<4>[ 9.205688] [<c0688f2c>] (mutex_lock_nested+0x0/0x36c) from [<c02d5350>] (regulator_set_current_limit+0x30/0x118)
<4>[ 9.217071] [<c02d5320>] (regulator_set_current_limit+0x0/0x118) from [<c0435ce0>] (update_charger+0x84/0xc4)
<4>[ 9.228027] r7:d782fb20 r6:00000101 r5:c1767e94 r4:00000000
<4>[ 9.234436] [<c0435c5c>] (update_charger+0x0/0xc4) from [<c0435d40>] (psy_changed+0x20/0x48)
<4>[ 9.243804] r5:d782e000 r4:c1767e94
<4>[ 9.247802] [<c0435d20>] (psy_changed+0x0/0x48) from [<c0435dec>] (polling_timer_func+0x84/0xb8)
<4>[ 9.257537] r4:c1767e94 r3:00000002
<4>[ 9.261566] [<c0435d68>] (polling_timer_func+0x0/0xb8) from [<c00537e4>] (run_timer_softirq+0x17c/0x3ec)
<4>[ 9.272033] r4:c1767eb0 r3:00000000
<4>[ 9.276062] [<c0053668>] (run_timer_softirq+0x0/0x3ec) from [<c004b000>] (__do_softirq+0xf0/0x298)
<4>[ 9.286010] [<c004af10>] (__do_softirq+0x0/0x298) from [<c004b650>] (irq_exit+0x98/0xa0)
<4>[ 9.295013] [<c004b5b8>] (irq_exit+0x0/0xa0) from [<c000edbc>] (handle_IRQ+0x60/0xc0)
<4>[ 9.303680] r4:c1194e98 r3:c00bc778
<4>[ 9.307708] [<c000ed5c>] (handle_IRQ+0x0/0xc0) from [<c0008504>] (gic_handle_irq+0x34/0x68)
<4>[ 9.316955] r8:000ac383 r7:d782fc3c r6:d782fc08 r5:c11936c4 r4:e0802100
<4>[ 9.324310] r3:c026ba48
<4>[ 9.327301] [<c00084d0>] (gic_handle_irq+0x0/0x68) from [<c068c2c0>] (__irq_svc+0x40/0x74)
<4>[ 9.336456] Exception stack(0xd782fc08 to 0xd782fc50)
<4>[ 9.342041] fc00: d6e30e6c ac383627 00000000 ac383417 ea19c000 ea200000
<4>[ 9.351104] fc20: beffffff 00000667 000ac383 d6e30670 d6e3066c d782fc94 d782fbe8 d782fc50
<4>[ 9.360168] fc40: c026ba48 c001d1f0 00000113 ffffffff

Fixes: b2998049cfae ("[BATTERY] pda_power platform driver")
Signed-off-by: Michael Trimarchi <[email protected]>
Signed-off-by: Anthony Brandon <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/power/pda_power.c | 49 ++++++++++++++++++++++------------------
1 file changed, 27 insertions(+), 22 deletions(-)

--- a/drivers/power/pda_power.c
+++ b/drivers/power/pda_power.c
@@ -30,9 +30,9 @@ static inline unsigned int get_irq_flags
static struct device *dev;
static struct pda_power_pdata *pdata;
static struct resource *ac_irq, *usb_irq;
-static struct timer_list charger_timer;
-static struct timer_list supply_timer;
-static struct timer_list polling_timer;
+static struct delayed_work charger_work;
+static struct delayed_work polling_work;
+static struct delayed_work supply_work;
static int polling;

#if IS_ENABLED(CONFIG_USB_PHY)
@@ -143,7 +143,7 @@ static void update_charger(void)
}
}

-static void supply_timer_func(unsigned long unused)
+static void supply_work_func(struct work_struct *work)
{
if (ac_status == PDA_PSY_TO_CHANGE) {
ac_status = new_ac_status;
@@ -164,11 +164,12 @@ static void psy_changed(void)
* Okay, charger set. Now wait a bit before notifying supplicants,
* charge power should stabilize.
*/
- mod_timer(&supply_timer,
- jiffies + msecs_to_jiffies(pdata->wait_for_charger));
+ cancel_delayed_work(&supply_work);
+ schedule_delayed_work(&supply_work,
+ msecs_to_jiffies(pdata->wait_for_charger));
}

-static void charger_timer_func(unsigned long unused)
+static void charger_work_func(struct work_struct *work)
{
update_status();
psy_changed();
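Review bot: `cancel_delayed_work()` followed by `schedule_delayed_work()` is the non-atomic spelling of `mod_delayed_work(system_wq, &supply_work, msecs_to_jiffies(pdata->wait_for_charger))`, which exists in 3.16 and is the direct translation of the `mod_timer()` it replaces; the same two-call pattern recurs at every former `mod_timer()` site in this patch. The two-call form works, but leaves a window between the cancel and the reschedule in which an already-running instance is not re-armed as intended, which `mod_delayed_work()` closes.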
@@ -187,13 +188,14 @@ static irqreturn_t power_changed_isr(int
* Wait a bit before reading ac/usb line status and setting charger,
* because ac/usb status readings may lag from irq.
*/
- mod_timer(&charger_timer,
- jiffies + msecs_to_jiffies(pdata->wait_for_status));
+ cancel_delayed_work(&charger_work);
+ schedule_delayed_work(&charger_work,
+ msecs_to_jiffies(pdata->wait_for_status));

return IRQ_HANDLED;
}

-static void polling_timer_func(unsigned long unused)
+static void polling_work_func(struct work_struct *work)
{
int changed = 0;

@@ -214,8 +216,9 @@ static void polling_timer_func(unsigned
if (changed)
psy_changed();

- mod_timer(&polling_timer,
- jiffies + msecs_to_jiffies(pdata->polling_interval));
+ cancel_delayed_work(&polling_work);
+ schedule_delayed_work(&polling_work,
+ msecs_to_jiffies(pdata->polling_interval));
}

#if IS_ENABLED(CONFIG_USB_PHY)
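Review bot: inside `polling_work_func()` the work is by definition not pending while it runs, so the `cancel_delayed_work(&polling_work)` before the re-arm is a no-op and can go; a bare `schedule_delayed_work()` is the conventional self-requeue. The `cancel_delayed_work_sync()` in remove still stops this loop correctly, since the sync variant blocks requeueing while it waits.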
@@ -253,8 +256,9 @@ static int otg_handle_notification(struc
* Wait a bit before reading ac/usb line status and setting charger,
* because ac/usb status readings may lag from irq.
*/
- mod_timer(&charger_timer,
- jiffies + msecs_to_jiffies(pdata->wait_for_status));
+ cancel_delayed_work(&charger_work);
+ schedule_delayed_work(&charger_work,
+ msecs_to_jiffies(pdata->wait_for_status));

return NOTIFY_OK;
}
@@ -302,8 +306,8 @@ static int pda_power_probe(struct platfo
if (!pdata->ac_max_uA)
pdata->ac_max_uA = 500000;

- setup_timer(&charger_timer, charger_timer_func, 0);
- setup_timer(&supply_timer, supply_timer_func, 0);
+ INIT_DELAYED_WORK(&charger_work, charger_work_func);
+ INIT_DELAYED_WORK(&supply_work, supply_work_func);

ac_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "ac");
usb_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "usb");
@@ -381,9 +385,10 @@ static int pda_power_probe(struct platfo

if (polling) {
dev_dbg(dev, "will poll for status\n");
- setup_timer(&polling_timer, polling_timer_func, 0);
- mod_timer(&polling_timer,
- jiffies + msecs_to_jiffies(pdata->polling_interval));
+ INIT_DELAYED_WORK(&polling_work, polling_work_func);
+ cancel_delayed_work(&polling_work);
+ schedule_delayed_work(&polling_work,
+ msecs_to_jiffies(pdata->polling_interval));
}

if (ac_irq || usb_irq)
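Review bot: `cancel_delayed_work(&polling_work)` immediately after `INIT_DELAYED_WORK()` can never find anything queued, so it can be dropped. Note also that the polling work is initialised only under `if (polling)`, matching the `if (polling)` guard on the sync cancel in remove; the two must stay in step if that condition ever changes.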
@@ -429,9 +434,9 @@ static int pda_power_remove(struct platf
free_irq(ac_irq->start, &pda_psy_ac);

if (polling)
- del_timer_sync(&polling_timer);
- del_timer_sync(&charger_timer);
- del_timer_sync(&supply_timer);
+ cancel_delayed_work_sync(&polling_work);
+ cancel_delayed_work_sync(&charger_work);
+ cancel_delayed_work_sync(&supply_work);

if (pdata->is_usb_online)
power_supply_unregister(&pda_psy_usb);
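Review bot: the cancel order matters here and deserves a comment: `polling_work` and `charger_work` both call `psy_changed()`, which re-arms `supply_work`, so cancelling `supply_work` last, after its producers are synchronously stopped, is what prevents a late requeue after remove. The IRQ handlers that re-arm `charger_work` are released above this (`free_irq(ac_irq->start, &pda_psy_ac)`), so that ordering is correct as well.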

2017-08-18 13:29:55

by Ben Hutchings

Subject: [PATCH 3.16 101/134] dm bufio: avoid a possible ABBA deadlock

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <[email protected]>

commit 1b0fb5a5b2dc0dddcfa575060441a7176ba7ac37 upstream.

__get_memory_limit() tests if dm_bufio_cache_size changed and calls
__cache_size_refresh() if it did. It takes dm_bufio_clients_lock while
it already holds the client lock. However, lock ordering is violated
because in cleanup_old_buffers() dm_bufio_clients_lock is taken before
the client lock.

This results in a possible deadlock and lockdep engine warning.

Fix this deadlock by changing mutex_lock() to mutex_trylock(). If the
lock can't be taken, it will be re-checked next time when a new buffer
is allocated.

Also add "unlikely" to the if condition, so that the optimizer assumes
that the condition is false.

Signed-off-by: Mikulas Patocka <[email protected]>
Signed-off-by: Mike Snitzer <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/md/dm-bufio.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -873,10 +873,11 @@ static void __get_memory_limit(struct dm
{
unsigned long buffers;

- if (ACCESS_ONCE(dm_bufio_cache_size) != dm_bufio_cache_size_latch) {
- mutex_lock(&dm_bufio_clients_lock);
- __cache_size_refresh();
- mutex_unlock(&dm_bufio_clients_lock);
+ if (unlikely(ACCESS_ONCE(dm_bufio_cache_size) != dm_bufio_cache_size_latch)) {
+ if (mutex_trylock(&dm_bufio_clients_lock)) {
+ __cache_size_refresh();
+ mutex_unlock(&dm_bufio_clients_lock);
+ }
}

buffers = dm_bufio_cache_size_per_client >>
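Review bot: with `mutex_trylock()` the refresh is simply skipped under contention and retried on the next call because `dm_bufio_cache_size_latch` is left unchanged, so no update is lost; a comment saying that is deliberate, and why (lock order against `cleanup_old_buffers()`), would stop a future cleanup from turning it back into `mutex_lock()`. The new `if` line is well over 80 columns; reading `ACCESS_ONCE(dm_bufio_cache_size)` into a local first would fix that.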

2017-08-18 13:30:56

by Ben Hutchings

Subject: [PATCH 3.16 091/134] IB/core: For multicast functions, verify that LIDs are multicast LIDs

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Michael J. Ruhl" <[email protected]>

commit 8561eae60ff9417a50fa1fb2b83ae950dc5c1e21 upstream.

The Infiniband spec defines "A multicast address is defined by a
MGID and a MLID" (section 10.5). Currently the MLID value is not
validated.

Add a check to verify that the MLID value is in the correct address
range.

Fixes: 0c33aeedb2cf ("[IB] Add checks to multicast attach and detach")
Reviewed-by: Ira Weiny <[email protected]>
Reviewed-by: Dasaratharaman Chandramouli <[email protected]>
Signed-off-by: Michael J. Ruhl <[email protected]>
Signed-off-by: Dennis Dalessandro <[email protected]>
Reviewed-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
[bwh: Backported to 3.16: use literal number instead of IB_MULTICAST_LID_BASE]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/core/verbs.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -1346,7 +1346,9 @@ int ib_attach_mcast(struct ib_qp *qp, un

if (!qp->device->attach_mcast)
return -ENOSYS;
- if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD)
+ if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD ||
+ lid < 0xC000 ||
+ lid == be16_to_cpu(IB_LID_PERMISSIVE))
return -EINVAL;

ret = qp->device->attach_mcast(qp, gid, lid);
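
Review bot: `lid < 0xC000` is a bare magic number in the new condition; the backport note says it stands in for IB_MULTICAST_LID_BASE, so either define that constant locally for 3.16 or add a comment naming it, so the next reader knows 0xC000 is the start of the multicast LID range rather than an arbitrary cutoff. The neighbouring comparison uses be16_to_cpu(IB_LID_PERMISSIVE) while the literal is host-order; that is consistent only because IB_LID_PERMISSIVE is a big-endian constant, which is worth stating in the same comment.
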
@@ -1362,7 +1364,9 @@ int ib_detach_mcast(struct ib_qp *qp, un

if (!qp->device->detach_mcast)
return -ENOSYS;
- if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD)
+ if (gid->raw[0] != 0xff || qp->qp_type != IB_QPT_UD ||
+ lid < 0xC000 ||
+ lid == be16_to_cpu(IB_LID_PERMISSIVE))
return -EINVAL;

ret = qp->device->detach_mcast(qp, gid, lid);
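
Review bot: this condition now duplicates the four-way test in ib_attach_mcast() above verbatim, and the two must stay in lockstep (an attach accepted by one and a detach rejected by the other leaves the QP's group membership stranded). Factor it into a small static helper such as `is_valid_mcast(qp, gid, lid)` used by both, which also gives the 0xC000 literal a single home.
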

2017-08-18 13:30:54

by Ben Hutchings

Subject: [PATCH 3.16 094/134] net: ethernet: ucc_geth: fix MEM_PART_MURAM mode

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christophe Leroy <[email protected]>

commit 8b8642af15ed14b9a7a34d3401afbcc274533e13 upstream.

Since commit 5093bb965a163 ("powerpc/QE: switch to the cpm_muram
implementation"), the muram area is not part of the immrbar mapping
anymore, so immrbar_virt_to_phys() is not usable anymore.

Fixes: 5093bb965a163 ("powerpc/QE: switch to the cpm_muram implementation")
Signed-off-by: Christophe Leroy <[email protected]>
Acked-by: David S. Miller <[email protected]>
Acked-by: Li Yang <[email protected]>
Signed-off-by: Scott Wood <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/powerpc/include/asm/qe.h | 1 +
drivers/net/ethernet/freescale/ucc_geth.c | 8 +++-----
2 files changed, 4 insertions(+), 5 deletions(-)

--- a/arch/powerpc/include/asm/qe.h
+++ b/arch/powerpc/include/asm/qe.h
@@ -193,6 +193,7 @@ static inline int qe_alive_during_sleep(
#define qe_muram_free cpm_muram_free
#define qe_muram_addr cpm_muram_addr
#define qe_muram_offset cpm_muram_offset
+#define qe_muram_dma cpm_muram_dma

/* Structure that defines QE firmware binary files.
*
--- a/drivers/net/ethernet/freescale/ucc_geth.c
+++ b/drivers/net/ethernet/freescale/ucc_geth.c
@@ -2590,11 +2590,10 @@ static int ucc_geth_startup(struct ucc_g
} else if (ugeth->ug_info->uf_info.bd_mem_part ==
MEM_PART_MURAM) {
out_be32(&ugeth->p_send_q_mem_reg->sqqd[i].bd_ring_base,
- (u32) immrbar_virt_to_phys(ugeth->
- p_tx_bd_ring[i]));
+ (u32)qe_muram_dma(ugeth->p_tx_bd_ring[i]));
out_be32(&ugeth->p_send_q_mem_reg->sqqd[i].
last_bd_completed_address,
- (u32) immrbar_virt_to_phys(endOfRing));
+ (u32)qe_muram_dma(endOfRing));
}
}
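
Review bot: `(u32)qe_muram_dma(...)` narrows whatever dma_addr_t cpm_muram_dma() returns to 32 bits before it is written into the descriptor register. The old code had the same cast on immrbar_virt_to_phys(), so behaviour is unchanged, but a comment (or a WARN_ON on the high bits) confirming that MURAM DMA addresses always fit the 32-bit bd_ring_base field would help, since a silently truncated DMA address surfaces as memory corruption rather than as an error.
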

@@ -2840,8 +2839,7 @@ static int ucc_geth_startup(struct ucc_g
} else if (ugeth->ug_info->uf_info.bd_mem_part ==
MEM_PART_MURAM) {
out_be32(&ugeth->p_rx_bd_qs_tbl[i].externalbdbaseptr,
- (u32) immrbar_virt_to_phys(ugeth->
- p_rx_bd_ring[i]));
+ (u32)qe_muram_dma(ugeth->p_rx_bd_ring[i]));
}
/* rest of fields handled by QE */
}

2017-08-18 13:30:53

by Ben Hutchings

Subject: [PATCH 3.16 095/134] Bluetooth: Fix user channel for 32bit userspace on 64bit kernel

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Szymon Janc <[email protected]>

commit ab89f0bdd63a3721f7cd3f064f39fc4ac7ca14d4 upstream.

Running 32bit userspace on 64bit kernel results in MSG_CMSG_COMPAT being
defined as 0x80000000. This results in sendmsg failure if used from 32bit
userspace running on 64bit kernel. Fix this by accounting for MSG_CMSG_COMPAT
in flags check in hci_sock_sendmsg.

Signed-off-by: Szymon Janc <[email protected]>
Signed-off-by: Marko Kiiskila <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/bluetooth/hci_sock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -886,7 +886,8 @@ static int hci_sock_sendmsg(struct kiocb
if (msg->msg_flags & MSG_OOB)
return -EOPNOTSUPP;

- if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE))
+ if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_NOSIGNAL|MSG_ERRQUEUE|
+ MSG_CMSG_COMPAT))
return -EINVAL;

if (len < 4 || len > HCI_MAX_FRAME_SIZE)
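
Review bot: the rejection mask now admits MSG_CMSG_COMPAT without saying where that flag comes from. It is set by the kernel's compat syscall path rather than supplied by the caller, which is why allowing it does not widen what 32-bit or native userspace can pass through this check, but nothing in the hunk records that and a later reader may take it for a user-controllable flag. A short comment on the new line would settle it.
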

2017-08-18 13:32:36

by Ben Hutchings

Subject: [PATCH 3.16 082/134] usb: Make sure usb/phy/of gets built-in

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexey Brodkin <[email protected]>

commit 3d6159640da9c9175d1ca42f151fc1a14caded59 upstream.

The DWC3 driver uses of_usb_get_phy_mode(), which is
implemented in drivers/usb/phy/of.c, and in a bare minimal
configuration it might not be pulled into the kernel binary.

In the case of ARC or ARM this could be easily reproduced with
"allnodefconfig" +CONFIG_USB=m +CONFIG_USB_DWC3=m.

On building, it all ends up with:
---------------------->8------------------
Kernel: arch/arm/boot/Image is ready
Kernel: arch/arm/boot/zImage is ready
Building modules, stage 2.
MODPOST 5 modules
ERROR: "of_usb_get_phy_mode" [drivers/usb/dwc3/dwc3.ko] undefined!
make[1]: *** [__modpost] Error 1
make: *** [modules] Error 2
---------------------->8------------------

Signed-off-by: Alexey Brodkin <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: Masahiro Yamada <[email protected]>
Cc: Geert Uytterhoeven <[email protected]>
Cc: Nicolas Pitre <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Felipe Balbi <[email protected]>
Cc: Felix Fietkau <[email protected]>
Cc: Jeremy Kerr <[email protected]>
Cc: [email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/Makefile | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/Makefile
+++ b/drivers/Makefile
@@ -91,6 +91,7 @@ obj-$(CONFIG_USB_PHY) += usb/
obj-$(CONFIG_USB) += usb/
obj-$(CONFIG_PCI) += usb/
obj-$(CONFIG_USB_GADGET) += usb/
+obj-$(CONFIG_OF) += usb/
obj-$(CONFIG_SERIO) += input/serio/
obj-$(CONFIG_GAMEPORT) += input/gameport/
obj-$(CONFIG_INPUT) += input/
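
Review bot: `obj-$(CONFIG_OF) += usb/` carries no comment, and unlike the neighbouring CONFIG_USB/CONFIG_PCI/CONFIG_USB_GADGET lines its connection to usb/ is not obvious. Per the commit message the intent is to get drivers/usb/phy/of.c built in so of_usb_get_phy_mode() is available to modules; a one-line comment naming that file would stop someone from "cleaning up" an apparently unrelated line. Descending into usb/ is harmless when nothing else under it is enabled, since the per-file obj-$(CONFIG_...) lines inside usb/ still gate what gets built.
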

2017-08-18 13:32:35

by Ben Hutchings

Subject: [PATCH 3.16 092/134] libata: reject passthrough WRITE SAME requests

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <[email protected]>

commit c6ade20f5e50e188d20b711a618b20dd1d50457e upstream.

The WRITE SAME to TRIM translation rewrites the DATA OUT buffer. While
the SCSI code accommodates this by passing a read-writable buffer,
userspace applications don't cater for this behavior. In fact it can
be used to rewrite e.g. a readonly file through mmap and should be
considered as a security fix.

Signed-off-by: Christoph Hellwig <[email protected]>
Reviewed-by: Martin K. Petersen <[email protected]>
Signed-off-by: Tejun Heo <[email protected]>
[bwh: Backported to 3.16:
- Open-code blk_rq_is_passthrough()
- We don't distinguish which field is invalid so goto invalid_fld
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/ata/libata-scsi.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -3097,6 +3097,14 @@ static unsigned int ata_scsi_write_same_
if (unlikely(!dev->dma_mode))
goto invalid_fld;

+ /*
+ * We only allow sending this command through the block layer,
+ * as it modifies the DATA OUT buffer, which would corrupt user
+ * memory for SG_IO commands.
+ */
+ if (unlikely(scmd->request->cmd_type != REQ_TYPE_FS))
+ goto invalid_fld;
+
if (unlikely(scmd->cmd_len < 16))
goto invalid_fld;
scsi_16_lba_len(cdb, &block, &n_block);
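
Review bot: the new check sits correctly before the CDB is parsed, but the commit message and the backport note should spell out the user-visible effect: any userspace that issues WRITE SAME (16) to an ATA device through SG_IO now gets an invalid-field sense back, so this is an intentional behaviour change that belongs in the stable changelog rather than something an administrator discovers from a failing tool. `scmd->request->cmd_type != REQ_TYPE_FS` is the right 3.16 spelling of blk_rq_is_passthrough() as the note says; only requests the block layer issues for filesystem I/O carry REQ_TYPE_FS, so the test is exact rather than merely conservative.
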

2017-08-18 13:32:33

by Ben Hutchings

Subject: [PATCH 3.16 083/134] x86/mm: Fix flush_tlb_page() on Xen

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <[email protected]>

commit dbd68d8e84c606673ebbcf15862f8c155fa92326 upstream.

flush_tlb_page() passes a bogus range to flush_tlb_others() and
expects the latter to fix it up. native_flush_tlb_others() has the
fixup but Xen's version doesn't. Move the fixup to
flush_tlb_others().

AFAICS the only real effect is that, without this fix, Xen would
flush everything instead of just the one page on remote vCPUs
when flush_tlb_page() was called.

Signed-off-by: Andy Lutomirski <[email protected]>
Reviewed-by: Boris Ostrovsky <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: Dave Hansen <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Josh Poimboeuf <[email protected]>
Cc: Juergen Gross <[email protected]>
Cc: Konrad Rzeszutek Wilk <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Michal Hocko <[email protected]>
Cc: Nadav Amit <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Rik van Riel <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Fixes: e7b52ffd45a6 ("x86/flush_tlb: try flush_tlb_single one by one in flush_tlb_range")
Link: http://lkml.kernel.org/r/10ed0e4dfea64daef10b87fb85df1746999b4dba.1492844372.git.luto@kernel.org
Signed-off-by: Ingo Molnar <[email protected]>
[bwh: Backported to 3.16: the special case was handled in flush_tlb_func(), not
native_flush_tlb_others()]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/mm/tlb.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -107,8 +107,6 @@ static void flush_tlb_func(void *info)
if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK) {
if (f->flush_end == TLB_FLUSH_ALL)
local_flush_tlb();
- else if (!f->flush_end)
- __flush_tlb_single(f->flush_start);
else {
unsigned long addr;
addr = f->flush_start;
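
Review bot: with the `!f->flush_end` branch gone, flush_tlb_func() has no handling left for a caller that still passes flush_end == 0; such a request falls into the range walk starting at flush_start with an end below it, so nothing is flushed and the stale translation survives silently. The one caller visible here (flush_tlb_page(), second hunk) is updated to pass start + PAGE_SIZE, but since in this backport the special case lived in flush_tlb_func() rather than native_flush_tlb_others(), it is worth grepping the 3.16 tree for any other flush_tlb_others() caller passing 0UL, or adding a WARN_ON_ONCE(f->flush_end < f->flush_start) here so that such a mistake is loud instead of a missed TLB flush.
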
@@ -248,7 +246,7 @@ void flush_tlb_page(struct vm_area_struc
}

if (cpumask_any_but(mm_cpumask(mm), smp_processor_id()) < nr_cpu_ids)
- flush_tlb_others(mm_cpumask(mm), mm, start, 0UL);
+ flush_tlb_others(mm_cpumask(mm), mm, start, start + PAGE_SIZE);

preempt_enable();
}

2017-08-18 13:33:20

by Ben Hutchings

Subject: [PATCH 3.16 090/134] IB/core: If the MGID/MLID pair is not on the list return an error

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Michael J. Ruhl" <[email protected]>

commit 20c7840a77ddcb2ed2fbd66e8197db2868495751 upstream.

A list of MGID/MLID pairs is built when doing a multicast attach. When
the multicast detach is called, the list is searched, and regardless of
the search outcome, the driver detach is called.

If an MGID/MLID pair is not on the list, driver detach should not be
called, and an error should be returned. Calling the driver without
removing an MGID/MLID pair from the list can leave the core and driver
out of sync.

Fixes: f4e401562c11 ("IB/uverbs: track multicast group membership for userspace QPs")
Reviewed-by: Ira Weiny <[email protected]>
Reviewed-by: Leon Romanovsky <[email protected]>
Signed-off-by: Michael J. Ruhl <[email protected]>
Signed-off-by: Dennis Dalessandro <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/core/uverbs_cmd.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2577,6 +2577,7 @@ ssize_t ib_uverbs_detach_mcast(struct ib
struct ib_qp *qp;
struct ib_uverbs_mcast_entry *mcast;
int ret = -EINVAL;
+ bool found = false;

if (copy_from_user(&cmd, buf, sizeof cmd))
return -EFAULT;
@@ -2585,10 +2586,6 @@ ssize_t ib_uverbs_detach_mcast(struct ib
if (!qp)
return -EINVAL;

- ret = ib_detach_mcast(qp, (union ib_gid *) cmd.gid, cmd.mlid);
- if (ret)
- goto out_put;
-
obj = container_of(qp->uobject, struct ib_uqp_object, uevent.uobject);

list_for_each_entry(mcast, &obj->mcast_list, list)
@@ -2596,9 +2593,17 @@ ssize_t ib_uverbs_detach_mcast(struct ib
!memcmp(cmd.gid, mcast->gid.raw, sizeof mcast->gid.raw)) {
list_del(&mcast->list);
kfree(mcast);
+ found = true;
break;
}

+ if (!found) {
+ ret = -EINVAL;
+ goto out_put;
+ }
+
+ ret = ib_detach_mcast(qp, (union ib_gid *)cmd.gid, cmd.mlid);
+
out_put:
put_qp_write(qp);
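
Review bot: the ordering in this hunk forgets the membership before the driver is told about it: `list_del()`/`kfree()` run inside the search loop, and only afterwards is `ib_detach_mcast()` called, so if the driver call fails the core has already dropped the MGID/MLID pair while the driver still holds the attachment, which is the same core/driver divergence the commit message sets out to prevent, just in the other direction. Consider calling ib_detach_mcast() first and removing the entry only on success, or at minimum a comment acknowledging that after a failed detach the driver is the only remaining record of the group.
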


2017-08-18 13:33:53

by Ben Hutchings

Subject: [PATCH 3.16 086/134] dm ioctl: prevent stack leak in dm ioctl call

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Adrian Salido <[email protected]>

commit 4617f564c06117c7d1b611be49521a4430042287 upstream.

When calling a dm ioctl that doesn't process any data
(IOCTL_FLAGS_NO_PARAMS), the contents of the data field in struct
dm_ioctl are left initialized. Current code is incorrectly extending
the size of data copied back to user, causing the contents of kernel
stack to be leaked to user. Fix by only copying contents before data
and allow the functions processing the ioctl to override.

Signed-off-by: Adrian Salido <[email protected]>
Reviewed-by: Alasdair G Kergon <[email protected]>
Signed-off-by: Mike Snitzer <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/md/dm-ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1839,7 +1839,7 @@ static int ctl_ioctl(uint command, struc
if (r)
goto out;

- param->data_size = sizeof(*param);
+ param->data_size = offsetof(struct dm_ioctl, data);
r = fn(param, input_param_size);

if (unlikely(param->flags & DM_BUFFER_FULL_FLAG) &&
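
Review bot: correctness now depends on every handler that returns a payload raising param->data_size itself; an fn() that writes into the data area but forgets to update data_size will have its output silently truncated to the header instead of leaked, which is the safer failure but still a functional bug, so the handlers should be audited for that alongside this change. A belt-and-braces alternative that does not rely on handler discipline is to zero the parameter buffer before calling fn(), so that whatever length is copied back can never carry stale kernel memory; as a minimal stable fix the one-line change is fine.
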

2017-08-18 13:34:02

by Ben Hutchings

Subject: [PATCH 3.16 084/134] usb: misc: legousbtower: Fix buffers on stack

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Maksim Salau <[email protected]>

commit 942a48730faf149ccbf3e12ac718aee120bb3529 upstream.

Allocate buffers on HEAP instead of STACK for local structures
that are to be received using usb_control_msg().

Signed-off-by: Maksim Salau <[email protected]>
Tested-by: Alfredo Rafael Vicente Boix <[email protected]>;
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/misc/legousbtower.c | 37 +++++++++++++++++++++++++++----------
1 file changed, 27 insertions(+), 10 deletions(-)

--- a/drivers/usb/misc/legousbtower.c
+++ b/drivers/usb/misc/legousbtower.c
@@ -317,9 +317,16 @@ static int tower_open (struct inode *ino
int subminor;
int retval = 0;
struct usb_interface *interface;
- struct tower_reset_reply reset_reply;
+ struct tower_reset_reply *reset_reply;
int result;

+ reset_reply = kmalloc(sizeof(*reset_reply), GFP_KERNEL);
+
+ if (!reset_reply) {
+ retval = -ENOMEM;
+ goto exit;
+ }
+
nonseekable_open(inode, file);
subminor = iminor(inode);
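
Review bot: the allocation is done before the subminor lookup and the early `goto exit` lands on the label that frees it, so this path is consistent; what needs checking in the rest of tower_open() (not in the hunk) is that every pre-existing error return reaches `exit:` rather than returning directly, otherwise the new buffer leaks on those paths. Plain kmalloc() rather than kzalloc() is acceptable here since reset_reply is only a sink for the reset command's reply and its contents are never read.
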

@@ -364,8 +371,8 @@ static int tower_open (struct inode *ino
USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
0,
0,
- &reset_reply,
- sizeof(reset_reply),
+ reset_reply,
+ sizeof(*reset_reply),
1000);
if (result < 0) {
dev_err(&dev->udev->dev,
@@ -406,6 +413,7 @@ unlock_exit:
mutex_unlock(&dev->lock);

exit:
+ kfree(reset_reply);
return retval;
}

@@ -808,7 +816,7 @@ static int tower_probe (struct usb_inter
struct lego_usb_tower *dev = NULL;
struct usb_host_interface *iface_desc;
struct usb_endpoint_descriptor* endpoint;
- struct tower_get_version_reply get_version_reply;
+ struct tower_get_version_reply *get_version_reply = NULL;
int i;
int retval = -ENOMEM;
int result;
@@ -898,6 +906,13 @@ static int tower_probe (struct usb_inter
dev->interrupt_in_interval = interrupt_in_interval ? interrupt_in_interval : dev->interrupt_in_endpoint->bInterval;
dev->interrupt_out_interval = interrupt_out_interval ? interrupt_out_interval : dev->interrupt_out_endpoint->bInterval;

+ get_version_reply = kmalloc(sizeof(*get_version_reply), GFP_KERNEL);
+
+ if (!get_version_reply) {
+ retval = -ENOMEM;
+ goto error;
+ }
+
/* get the firmware version and log it */
result = usb_control_msg (udev,
usb_rcvctrlpipe(udev, 0),
@@ -905,18 +920,19 @@ static int tower_probe (struct usb_inter
USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
0,
0,
- &get_version_reply,
- sizeof(get_version_reply),
+ get_version_reply,
+ sizeof(*get_version_reply),
1000);
if (result < 0) {
dev_err(idev, "LEGO USB Tower get version control request failed\n");
retval = result;
goto error;
}
- dev_info(&interface->dev, "LEGO USB Tower firmware version is %d.%d "
- "build %d\n", get_version_reply.major,
- get_version_reply.minor,
- le16_to_cpu(get_version_reply.build_no));
+ dev_info(&interface->dev,
+ "LEGO USB Tower firmware version is %d.%d build %d\n",
+ get_version_reply->major,
+ get_version_reply->minor,
+ le16_to_cpu(get_version_reply->build_no));

/* we can register the device now, as it is ready */
usb_set_intfdata (interface, dev);
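
Review bot: `if (result < 0)` is the only check on the transfer, yet the code then formats `major`, `minor` and `build_no` from the reply. usb_control_msg() returns the number of bytes actually transferred, so a short or empty reply from a misbehaving device leaves those fields as whatever kmalloc() handed back, and the dev_info() prints uninitialised heap contents to the log; moving the buffer from stack to heap changes what leaks, not whether it leaks. Either allocate with kzalloc() or, better, treat `result < sizeof(*get_version_reply)` as a failure before touching the fields.
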
@@ -940,6 +956,7 @@ exit:
return retval;

error:
+ kfree(get_version_reply);
tower_delete(dev);
return retval;
}
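
Review bot: `kfree(get_version_reply)` is added only under the `error:` label; the normal return through `exit:` (the `return retval;` context at the top of this hunk) does not free the buffer, so every successful probe leaks one kmalloc()ed tower_get_version_reply. Either free it right after the dev_info() that consumes it, which is its last use, or add the kfree() under `exit:` as well.
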

2017-08-18 13:34:00

by Ben Hutchings

Subject: [PATCH 3.16 078/134] dm btree: fix for dm_btree_find_lowest_key()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vinothkumar Raja <[email protected]>

commit 7d1fedb6e96a960aa91e4ff70714c3fb09195a5a upstream.

dm_btree_find_lowest_key() is giving incorrect results. find_key()
traverses the btree correctly for finding the highest key, but there is
an error in the way it traverses the btree for retrieving the lowest
key. dm_btree_find_lowest_key() fetches the first key of the rightmost
block of the btree instead of fetching the first key from the leftmost
block.

Fix this by conditionally passing the correct parameter to value64()
based on the @find_highest flag.

Signed-off-by: Erez Zadok <[email protected]>
Signed-off-by: Vinothkumar Raja <[email protected]>
Signed-off-by: Nidhi Panpalia <[email protected]>
Signed-off-by: Mike Snitzer <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/md/persistent-data/dm-btree.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/md/persistent-data/dm-btree.c
+++ b/drivers/md/persistent-data/dm-btree.c
@@ -804,8 +804,12 @@ static int find_key(struct ro_spine *s,
else
*result_key = le64_to_cpu(ro_node(s)->keys[0]);

- if (next_block || flags & INTERNAL_NODE)
- block = value64(ro_node(s), i);
+ if (next_block || flags & INTERNAL_NODE) {
+ if (find_highest)
+ block = value64(ro_node(s), i);
+ else
+ block = value64(ro_node(s), 0);
+ }

} while (flags & INTERNAL_NODE);
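
Review bot: the two branches differ only in the index handed to value64(), so `block = value64(ro_node(s), find_highest ? i : 0);` expresses the fix in one line and keeps the lowest/highest asymmetry visible at a glance. While here, the test `next_block || flags & INTERNAL_NODE` relies on `&` binding tighter than `||`; parenthesising `(flags & INTERNAL_NODE)` costs nothing and removes the need to think about it.
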


2017-08-18 13:33:57

by Ben Hutchings

Subject: [PATCH 3.16 088/134] staging: gdm724x: gdm_mux: Remove create_workqueue()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Amitoj Kaur Chawla <[email protected]>

commit c272dc2da14cde0bfd9495a5aafb8e3e94f35601 upstream.

With concurrency managed workqueues, use of dedicated workqueues
can be replaced by using system_wq. Drop mux_rx_wq by using system_wq.

Since there is only one work item per mux_dev and different mux_devs
do not need to be ordered, the increase in concurrency level from
switching to system_wq should not break anything.

cancel_work_sync() is used to ensure that work is not pending or
executing on any CPU.

Lastly, since all devices are suspended, which shuts down the work item
before the driver can be unregistered, it is guaranteed that no work
item is pending or executing by the time the exit path runs.

Signed-off-by: Amitoj Kaur Chawla <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/gdm724x/gdm_mux.c | 18 +++---------------
1 file changed, 3 insertions(+), 15 deletions(-)

--- a/drivers/staging/gdm724x/gdm_mux.c
+++ b/drivers/staging/gdm724x/gdm_mux.c
@@ -26,8 +26,6 @@

#include "gdm_mux.h"

-static struct workqueue_struct *mux_rx_wq;
-
static u16 packet_type[TTY_MAX_COUNT] = {0xF011, 0xF010};

#define USB_DEVICE_CDC_DATA(vid, pid) \
@@ -277,7 +275,7 @@ static void gdm_mux_rcv_complete(struct
r->len = r->urb->actual_length;
spin_lock_irqsave(&rx->to_host_lock, flags);
list_add_tail(&r->to_host_list, &rx->to_host_list);
- queue_work(mux_rx_wq, &mux_dev->work_rx.work);
+ schedule_work(&mux_dev->work_rx.work);
spin_unlock_irqrestore(&rx->to_host_lock, flags);
}
}
@@ -604,6 +602,8 @@ static int gdm_mux_suspend(struct usb_in
mux_dev = tty_dev->priv_dev;
rx = &mux_dev->rx;

+ cancel_work_sync(&mux_dev->work_rx.work);
+
if (mux_dev->usb_state != PM_NORMAL) {
pr_err("usb suspend - invalid state\n");
return -1;
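
Review bot: `cancel_work_sync()` runs before the `usb_state != PM_NORMAL` check, so a suspend request that is then rejected with -1 has already cancelled pending rx work and nothing in this hunk requeues it. The receive path recovers on its own because gdm_mux_rcv_complete() (second hunk) calls schedule_work() on the next URB completion, but cancelling only after the state has been validated would avoid doing teardown work for a suspend that does not happen.
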
@@ -659,13 +659,6 @@ static struct usb_driver gdm_mux_driver

static int __init gdm_usb_mux_init(void)
{
-
- mux_rx_wq = create_workqueue("mux_rx_wq");
- if (mux_rx_wq == NULL) {
- pr_err("work queue create fail\n");
- return -1;
- }
-
register_lte_tty_driver();

return usb_register(&gdm_mux_driver);
@@ -675,11 +668,6 @@ static void __exit gdm_usb_mux_exit(void
{
unregister_lte_tty_driver();

- if (mux_rx_wq) {
- flush_workqueue(mux_rx_wq);
- destroy_workqueue(mux_rx_wq);
- }
-
usb_deregister(&gdm_mux_driver);
}
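
Review bot: the `flush_workqueue()`/`destroy_workqueue()` pair removed here was the only barrier in this file guaranteeing that no rx work was still running when the module text went away, and its replacement `cancel_work_sync()` is added only in gdm_mux_suspend() (third hunk). The commit message's argument that "all devices are suspended" before unload does not hold for the ordinary unload path, which goes through usb_deregister() and the disconnect callback rather than suspend, so a device that was never suspended can still have work_rx queued on system_wq when gdm_usb_mux_exit() returns. Suggest a cancel_work_sync(&mux_dev->work_rx.work) in the disconnect path (not shown in this patch), or confirming it is already there.
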


2017-08-18 13:33:55

by Ben Hutchings

Subject: [PATCH 3.16 085/134] mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tony Lindgren <[email protected]>

commit 8b8a84c54aff4256d592dc18346c65ecf6811b45 upstream.

Commit 16fa3dc75c22 ("mfd: omap-usb-tll: HOST TLL platform driver")
added support for USB TLL, but uses OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF
bit the wrong way. The comments in the code are correct, but the inverted
use of OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF causes the register to be
enabled instead of disabled unlike what the comments say.

Without this change the Wrigley 3G LTE modem on the droid 4 EHCI bus can
be pinged only a few times before it stops responding.

Fixes: 16fa3dc75c22 ("mfd: omap-usb-tll: HOST TLL platform driver")
Signed-off-by: Tony Lindgren <[email protected]>
Acked-by: Roger Quadros <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/mfd/omap-usb-tll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mfd/omap-usb-tll.c
+++ b/drivers/mfd/omap-usb-tll.c
@@ -376,8 +376,8 @@ int omap_tll_init(struct usbhs_omap_plat
* and use SDR Mode
*/
reg &= ~(OMAP_TLL_CHANNEL_CONF_UTMIAUTOIDLE
- | OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF
| OMAP_TLL_CHANNEL_CONF_ULPIDDRMODE);
+ reg |= OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF;
} else if (pdata->port_mode[i] ==
OMAP_EHCI_PORT_MODE_HSIC) {
/*

2017-08-18 13:33:52

by Ben Hutchings

Subject: [PATCH 3.16 087/134] staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 784047eb2d3405a35087af70cba46170c5576b25 upstream.

The "len" could be as low as -14 so we should check for negatives.

Fixes: 9a7fe54ddc3a ("staging: r8188eu: Add source files for new driver - part 1")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/rtl8188eu/core/rtw_ap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8188eu/core/rtw_ap.c
+++ b/drivers/staging/rtl8188eu/core/rtw_ap.c
@@ -881,7 +881,7 @@ int rtw_check_beacon_data(struct adapter
return _FAIL;


- if (len > MAX_IE_SZ)
+ if (len < 0 || len > MAX_IE_SZ)
return _FAIL;

pbss_network->IELength = len;
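
Review bot: `len < 0 || len > MAX_IE_SZ` is the right guard for a signed length, and since the value is stored straight into pbss_network->IELength the negative case previously flowed into the IE handling as a length. Two follow-ups worth considering: check the incoming buffer against the header size before the subtraction that can yield -14 (per the commit message), so the negative value never exists, and keep `len` signed rather than "fixing" it to unsigned, since relying on a wrapped value being caught by `> MAX_IE_SZ` is correct only by accident.
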

2017-08-18 13:33:50

by Ben Hutchings

Subject: [PATCH 3.16 089/134] staging: gdm724x: gdm_mux: fix use-after-free on module unload

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit b58f45c8fc301fe83ee28cad3e64686c19e78f1c upstream.

Make sure to deregister the USB driver before releasing the tty driver
to avoid use-after-free in the USB disconnect callback where the tty
devices are deregistered.

Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
Cc: Won Kang <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/gdm724x/gdm_mux.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/staging/gdm724x/gdm_mux.c
+++ b/drivers/staging/gdm724x/gdm_mux.c
@@ -666,9 +666,8 @@ static int __init gdm_usb_mux_init(void)

static void __exit gdm_usb_mux_exit(void)
{
- unregister_lte_tty_driver();
-
usb_deregister(&gdm_mux_driver);
+ unregister_lte_tty_driver();
}

module_init(gdm_usb_mux_init);
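
Review bot: the teardown now mirrors init in reverse order (usb_deregister() first, so the disconnect callback runs while the tty driver it deregisters devices from is still alive), which is the right shape for closing the use-after-free. The init side, visible in the preceding patch's hunk (`register_lte_tty_driver(); return usb_register(&gdm_mux_driver);`), still leaves the tty driver registered when usb_register() fails, so a matching unregister on that error path would remove the remaining asymmetry.
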

2017-08-18 13:35:57

by Ben Hutchings

Subject: [PATCH 3.16 080/134] PCI: Disable boot interrupt quirk for ASUS M2N-LR

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Stefan Assmann <[email protected]>

commit c4e649b09f55595e6df6da5465a5b3cfc93557c1 upstream.

The ASUS M2N-LR should not trigger boot interrupt quirks although it
carries an Intel 6702PXH. On this board the boot interrupt quirks cause
incorrect IRQ assignments and should be disabled.

Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=43074
Tested-by: Solomon Peachy <[email protected]>
Signed-off-by: Stefan Assmann <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pci/quirks.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)

--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -1637,6 +1637,29 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_IN
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x260b, quirk_intel_pcie_pm);

#ifdef CONFIG_X86_IO_APIC
+static int dmi_disable_ioapicreroute(const struct dmi_system_id *d)
+{
+ noioapicreroute = 1;
+ pr_info("%s detected: disable boot interrupt reroute\n", d->ident);
+
+ return 0;
+}
+
+static struct dmi_system_id boot_interrupt_dmi_table[] = {
+ /*
+ * Systems to exclude from boot interrupt reroute quirks
+ */
+ {
+ .callback = dmi_disable_ioapicreroute,
+ .ident = "ASUSTek Computer INC. M2N-LR",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTek Computer INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "M2N-LR"),
+ },
+ },
+ {}
+};
+
/*
* Boot interrupts on some chipsets cannot be turned off. For these chipsets,
* remap the original interrupt in the linux kernel to the boot interrupt, so
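
Review bot: `boot_interrupt_dmi_table` should be `static const struct dmi_system_id`; dmi_check_system() takes a const pointer and the table is never modified, so leaving it writable needlessly places it in .data. The callback sets the global `noioapicreroute`, which the second hunk shows is what the whole quirk function consults, so this DMI match disables boot-interrupt rerouting for every device on the board, not just the 6702PXH named in the commit message; that is presumably intended, but it deserves a sentence in the message.
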
@@ -1645,6 +1668,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_IN
*/
static void quirk_reroute_to_boot_interrupts_intel(struct pci_dev *dev)
{
+ dmi_check_system(boot_interrupt_dmi_table);
if (noioapicquirk || noioapicreroute)
return;
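
Review bot: `dmi_check_system()` is called on every invocation of quirk_reroute_to_boot_interrupts_intel(), i.e. once per matching PCI device during final fixups, so the DMI table is rescanned repeatedly and the callback's pr_info fires once per device. Running the match once (a static flag, or an early initcall that sets noioapicreroute) would avoid the duplicate log lines. Placing the check ahead of `noioapicquirk || noioapicreroute` is necessary for the callback's effect to be seen, but note that its side effect is global and persists for every later quirk call.
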


2017-08-18 13:36:20

by Ben Hutchings

Subject: [PATCH 3.16 075/134] powerpc/sysfs: Fix reference leak of cpu device_nodes present at boot

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tyrel Datwyler <[email protected]>

commit e76ca27790a514590af782f83f6eae49e0ccf8c9 upstream.

For CPUs present at boot each logical CPU acquires a reference to the
associated device node of the core. This happens in register_cpu() which
is called by topology_init(). The result of this is that we end up with
a reference held by each thread of the core. However, these references
are never freed if the CPU core is DLPAR removed.

This patch fixes the reference leaks by acquiring and releasing the references
in the CPU hotplug callbacks un/register_cpu_online(). With this patch symmetric
reference counting is observed with both CPUs present at boot, and those DLPAR
added after boot.

Fixes: f86e4718f24b ("driver/core: cpu: initialize of_node in cpu's device struture")
Signed-off-by: Tyrel Datwyler <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/powerpc/kernel/sysfs.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/arch/powerpc/kernel/sysfs.c
+++ b/arch/powerpc/kernel/sysfs.c
@@ -672,6 +672,10 @@ static void register_cpu_online(unsigned
struct device_attribute *attrs, *pmc_attrs;
int i, nattrs;

+ /* For cpus present at boot a reference was already grabbed in register_cpu() */
+ if (!s->of_node)
+ s->of_node = of_get_cpu_node(cpu, NULL);
+
#ifdef CONFIG_PPC64
if (cpu_has_feature(CPU_FTR_SMT))
device_create_file(s, &dev_attr_smt_snooze_delay);
@@ -825,6 +829,8 @@ static void unregister_cpu_online(unsign
}
#endif
cacheinfo_cpu_offline(cpu);
+ of_node_put(s->of_node);
+ s->of_node = NULL;
}

#ifdef CONFIG_ARCH_CPU_PROBE_RELEASE
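
Review bot: the `if (!s->of_node)` guard in the first hunk relies on of_node being NULL both for DLPAR-added CPUs (register_cpu() only populated it for boot CPUs, per the commit message) and after this hunk's offline path NULLs it, which yields exactly one get per online and one put per offline regardless of how the CPU arrived; that is the symmetric counting the message describes. of_get_cpu_node() can return NULL on a malformed device tree; that is tolerated here because of_node_put(NULL) is a no-op, but a WARN_ON_ONCE would make a missing node visible. Also, the new comment line in the first hunk exceeds 80 columns and should be wrapped.
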

2017-08-18 13:36:18

by Ben Hutchings

Subject: [PATCH 3.16 077/134] netfilter: ctnetlink: make it safer when updating ct->status

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liping Zhang <[email protected]>

commit 53b56da83d7899de375a9de153fd7f5397de85e6 upstream.

After converting to use rcu for conntrack hash, one CPU may update
the ct->status via ctnetlink, while another CPU may process the
packets and update the ct->status.

So the non-atomic operation "ct->status |= status;" via ctnetlink
becomes unsafe, and this may clear the IPS_DYING_BIT bit set by
another CPU unexpectedly. For example:
  CPU0                            CPU1
  ctnetlink_change_status         __nf_conntrack_find_get
   old = ct->status                nf_ct_gc_expired
   -                                nf_ct_kill
   -                                 test_and_set_bit(IPS_DYING_BIT
   new = old | status;              -
   ct->status = new; <-- oops, _DYING_ is cleared!

Now use a series of atomic bit operations to solve the above issue.

Also note, users shouldn't set IPS_TEMPLATE or IPS_SEQ_ADJUST directly,
so make these two bits unchangeable too.

If we set the IPS_TEMPLATE_BIT, ct will be freed by nf_ct_tmpl_free,
but actually it is allocated by nf_conntrack_alloc.
If we set the IPS_SEQ_ADJUST_BIT, this may cause a NULL pointer
dereference, as nfct_seqadj(ct) may be NULL.

Last, add some comments to describe the logic change due to
commit a963d710f367 ("netfilter: ctnetlink: Fix regression in CTA_STATUS
processing"), which makes me feel a little confused.

Fixes: 76507f69c44e ("[NETFILTER]: nf_conntrack: use RCU for conntrack hash")
Signed-off-by: Liping Zhang <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
[bwh: Backported to 3.16: IPS_UNCHANGEABLE_MASK was not previously defined and
ctnetlink_update_status() is not needed]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -91,6 +91,15 @@ enum ip_conntrack_status {
/* Conntrack got a helper explicitly attached via CT target. */
IPS_HELPER_BIT = 13,
IPS_HELPER = (1 << IPS_HELPER_BIT),
+
+ /* Be careful here, modifying these bits can make things messy,
+ * so don't let users modify them directly.
+ */
+ IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
+ IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
+ IPS_SEQ_ADJUST | IPS_TEMPLATE),
+
+ __IPS_MAX_BIT = 14,
};

/* Connection tracking event types */
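Review bot: __IPS_MAX_BIT = 14 at the end of this enum is a hand-maintained bound that has to be bumped whenever a bit is appended after IPS_HELPER_BIT = 13, and the loop in __ctnetlink_change_status() stops silently at it, so a new bit would be accepted from userspace but never applied; a comment on that line saying so, or defining it as IPS_HELPER_BIT + 1, would prevent that. Note also that both IPS_UNCHANGEABLE_MASK and __IPS_MAX_BIT land in a uapi header and so become part of the userspace-visible enum even though only the kernel needs them.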
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1307,6 +1307,24 @@ ctnetlink_parse_nat_setup(struct nf_conn
}
#endif

+static void
+__ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
+ unsigned long off)
+{
+ unsigned int bit;
+
+ /* Ignore these unchangable bits */
+ on &= ~IPS_UNCHANGEABLE_MASK;
+ off &= ~IPS_UNCHANGEABLE_MASK;
+
+ for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
+ if (on & (1 << bit))
+ set_bit(bit, &ct->status);
+ else if (off & (1 << bit))
+ clear_bit(bit, &ct->status);
+ }
+}
+
static int
ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
{
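Review bot: __ctnetlink_change_status() masks the IPS_UNCHANGEABLE_MASK bits out of `on` and `off` silently, so a request to set IPS_TEMPLATE or clear IPS_CONFIRMED returns success without taking effect; that matches the old "status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK)" behaviour, but a one-line comment that ignoring rather than rejecting is intentional would help, since a caller cannot tell an ignored bit from an applied one. The else-if also means that a bit present in both `on` and `off` is set, never cleared; either document that precedence or reject overlapping masks.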
@@ -1326,10 +1344,7 @@ ctnetlink_change_status(struct nf_conn *
/* ASSURED bit can only be set */
return -EBUSY;

- /* Be careful here, modifying NAT bits can screw up things,
- * so don't let users modify them directly if they don't pass
- * nf_nat_range. */
- ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
+ __ctnetlink_change_status(ct, status, 0);
return 0;
}
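Review bot: the "ASSURED bit can only be set" test just above (return -EBUSY), and the checks before it that this hunk does not show, still compare a plain load of ct->status with the requested value before the update; the set_bit()/clear_bit() calls make the write safe, but the decision is still made on a snapshot, so a packet-path change between the check and __ctnetlink_change_status() can still slip through. That is acceptable for a stable fix, but the remaining check-then-act window is worth a sentence in the commit message so nobody reads "safer" as "race-free".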

@@ -1513,7 +1528,7 @@ ctnetlink_change_seq_adj(struct nf_conn
if (ret < 0)
return ret;

- ct->status |= IPS_SEQ_ADJUST;
+ set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
}

if (cda[CTA_SEQ_ADJ_REPLY]) {
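Review bot: set_bit(IPS_SEQ_ADJUST_BIT, &ct->status) here and in the identical CTA_SEQ_ADJ_REPLY branch below could be hoisted to a single call after both attributes have been parsed, since both branches set the same bit and the second call is redundant when both attributes are present; minor, but it also makes clear that IPS_SEQ_ADJUST is set only on a path that has already attached the seqadj extension, which is the reason the bit was made unchangeable via CTA_STATUS.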
@@ -1522,7 +1537,7 @@ ctnetlink_change_seq_adj(struct nf_conn
if (ret < 0)
return ret;

- ct->status |= IPS_SEQ_ADJUST;
+ set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
}

return 0;
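The lost-update interleaving from the commit message and the per-bit fix, modelled in user space as an added example (my code, not the patch's or the kernel's). The enum values are the ones from nf_conntrack_common.h; the conntrack is reduced to a bare status word, and the other CPU's nf_ct_kill() is assumed to run at a fixed point between the read and the write so the race is deterministic instead of timing-dependent:

```c
/* Added example, not from the patch or the kernel: a user-space model of the
 * lost-update race in the commit message and of the fix. change_status_rmw()
 * mirrors the old plain "ct->status |= status" read-modify-write;
 * change_status_bits() mirrors the new per-bit set_bit()/clear_bit() loop
 * and IPS_UNCHANGEABLE_MASK. The concurrent nf_ct_kill() on the other CPU is
 * modelled as a callback run between the read and the write (assumption:
 * the interleaving of interest is forced rather than raced for).
 */
#include <stdio.h>

/* Bit numbers and masks as in include/uapi/linux/netfilter/nf_conntrack_common.h */
enum ip_conntrack_status {
	IPS_EXPECTED_BIT = 0,       IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
	IPS_SEEN_REPLY_BIT = 1,     IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
	IPS_ASSURED_BIT = 2,        IPS_ASSURED = (1 << IPS_ASSURED_BIT),
	IPS_CONFIRMED_BIT = 3,      IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
	IPS_SRC_NAT_BIT = 4,        IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
	IPS_DST_NAT_BIT = 5,        IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
	IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
	IPS_SEQ_ADJUST_BIT = 6,     IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
	IPS_SRC_NAT_DONE_BIT = 7,   IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
	IPS_DST_NAT_DONE_BIT = 8,   IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
	IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
	IPS_DYING_BIT = 9,          IPS_DYING = (1 << IPS_DYING_BIT),
	IPS_FIXED_TIMEOUT_BIT = 10, IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
	IPS_TEMPLATE_BIT = 11,      IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
	IPS_UNTRACKED_BIT = 12,     IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
	IPS_HELPER_BIT = 13,        IPS_HELPER = (1 << IPS_HELPER_BIT),
	IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
				 IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
				 IPS_SEQ_ADJUST | IPS_TEMPLATE),
	__IPS_MAX_BIT = 14,
};

struct nf_conn { unsigned long status; };	/* only the field that matters here */

/* "CPU1": nf_ct_kill() -> test_and_set_bit(IPS_DYING_BIT, &ct->status) */
typedef void (*other_cpu_fn)(struct nf_conn *ct);
static void other_cpu_kill(struct nf_conn *ct)
{
	__atomic_fetch_or(&ct->status, (unsigned long)IPS_DYING, __ATOMIC_SEQ_CST);
}

/* Before the patch: read, let the other CPU run, write back the stale word. */
static unsigned long change_status_rmw(struct nf_conn *ct, unsigned long status,
				       other_cpu_fn other)
{
	unsigned long old = ct->status;		/* plain load */
	if (other)
		other(ct);			/* DYING gets set here */
	ct->status = old | (status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK));
	return ct->status;			/* DYING is gone again */
}

/* After the patch: one atomic RMW per bit; no stale word is ever written back. */
static unsigned long change_status_bits(struct nf_conn *ct, unsigned long on,
					unsigned long off, other_cpu_fn other)
{
	unsigned int bit;

	on &= ~IPS_UNCHANGEABLE_MASK;
	off &= ~IPS_UNCHANGEABLE_MASK;
	for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
		if (other && bit == IPS_ASSURED_BIT)
			other(ct);		/* interleave in the middle of the loop */
		if (on & (1UL << bit))
			__atomic_fetch_or(&ct->status, 1UL << bit, __ATOMIC_SEQ_CST);
		else if (off & (1UL << bit))
			__atomic_fetch_and(&ct->status, ~(1UL << bit), __ATOMIC_SEQ_CST);
	}
	return ct->status;
}

/* Scenario from the commit message: userspace sets ASSURED while the packet
 * path kills the conntrack. Each function returns the final status word. */
unsigned long race_with_rmw(void)
{
	struct nf_conn ct = { .status = IPS_CONFIRMED | IPS_SEEN_REPLY };
	return change_status_rmw(&ct, IPS_ASSURED, other_cpu_kill);
}

unsigned long race_with_bits(void)
{
	struct nf_conn ct = { .status = IPS_CONFIRMED | IPS_SEEN_REPLY };
	return change_status_bits(&ct, IPS_ASSURED, 0, other_cpu_kill);
}

/* Unchangeable bits are dropped from both masks: TEMPLATE is not set and
 * CONFIRMED is not cleared; only ASSURED changes. */
unsigned long unchangeable_bits_ignored(void)
{
	struct nf_conn ct = { .status = IPS_CONFIRMED };
	return change_status_bits(&ct, IPS_TEMPLATE | IPS_ASSURED, IPS_CONFIRMED, NULL);
}

int main(void)
{
	unsigned long rmw = race_with_rmw(), bits = race_with_bits();

	printf("rmw : 0x%lx (DYING %s)\n", rmw, rmw & IPS_DYING ? "kept" : "LOST");
	printf("bits: 0x%lx (DYING %s)\n", bits, bits & IPS_DYING ? "kept" : "LOST");
	printf("mask: 0x%lx\n", unchangeable_bits_ignored());
	return 0;
}
```

The plain read-modify-write ends at 0xe (CONFIRMED|SEEN_REPLY|ASSURED) with DYING lost, the per-bit version at 0x20e with DYING kept, and the mask case at 0xc; the atomic form is robust wherever the other CPU is interleaved because it never writes a whole word derived from an earlier read.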

2017-08-18 13:36:17

by Ben Hutchings

Subject: [PATCH 3.16 079/134] dm era: save spacemap metadata root after the pre-commit

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Somasundaram Krishnasamy <[email protected]>

commit 117aceb030307dcd431fdcff87ce988d3016c34a upstream.

When committing era metadata to disk, it doesn't always save the latest
spacemap metadata root in superblock. Due to this, metadata is getting
corrupted sometimes when reopening the device. The correct order of update
should be, pre-commit (shadows spacemap root), save the spacemap root
(newly shadowed block) to in-core superblock and then the final commit.

Signed-off-by: Somasundaram Krishnasamy <[email protected]>
Signed-off-by: Mike Snitzer <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/md/dm-era-target.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/md/dm-era-target.c
+++ b/drivers/md/dm-era-target.c
@@ -957,15 +957,15 @@ static int metadata_commit(struct era_me
}
}

- r = save_sm_root(md);
+ r = dm_tm_pre_commit(md->tm);
if (r) {
- DMERR("%s: save_sm_root failed", __func__);
+ DMERR("%s: pre commit failed", __func__);
return r;
}

- r = dm_tm_pre_commit(md->tm);
+ r = save_sm_root(md);
if (r) {
- DMERR("%s: pre commit failed", __func__);
+ DMERR("%s: save_sm_root failed", __func__);
return r;
}


2017-08-18 13:37:32

by Ben Hutchings

Subject: [PATCH 3.16 069/134] x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ashish Kalra <[email protected]>

commit d594aa0277e541bb997aef0bc0a55172d8138340 upstream.

The minimum size for a new stack (512 bytes) setup for arch/x86/boot components
when the bootloader does not setup/provide a stack for the early boot components
is not "enough".

The setup code executing as part of early kernel startup code, uses the stack
beyond 512 bytes and accidentally overwrites and corrupts part of the BSS
section. This is exposed mostly in the early video setup code, where
it was corrupting BSS variables like force_x, force_y, which in-turn affected
kernel parameters such as screen_info (screen_info.orig_video_cols) and
later caused an exception/panic in console_init().

Most recent boot loaders setup the stack for early boot components, so this
stack overwriting into BSS section issue has not been exposed.

Signed-off-by: Ashish Kalra <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: H. Peter Anvin <[email protected]>
Cc: Josh Poimboeuf <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/boot/boot.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/boot/boot.h
+++ b/arch/x86/boot/boot.h
@@ -16,7 +16,7 @@
#ifndef BOOT_BOOT_H
#define BOOT_BOOT_H

-#define STACK_SIZE 512 /* Minimum number of bytes for stack */
+#define STACK_SIZE 1024 /* Minimum number of bytes for stack */

#ifndef __ASSEMBLY__
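Review bot: STACK_SIZE is still a guess, now 1024 rather than 512, and nothing in arch/x86/boot enforces it; since the commit message says the overflow only shows with bootloaders that hand over no stack, consider a comment here naming the deepest known user (the early video setup code) that motivated 1024, or a build-time check, so the next deepening of the setup code does not silently reintroduce the BSS overwrite.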


2017-08-18 13:37:30

by Ben Hutchings

Subject: [PATCH 3.16 076/134] netfilter: ctnetlink: fix deadlock due to acquire _expect_lock twice

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liping Zhang <[email protected]>

commit 88be4c09d9008f9ff337cbf48c5d0f06c8f872e7 upstream.

Currently, ctnetlink_change_conntrack is always protected by _expect_lock,
but this will cause a deadlock when deleting the helper from a conntrack,
as the _expect_lock will be acquired again by nf_ct_remove_expectations:

CPU0
----
lock(nf_conntrack_expect_lock);
lock(nf_conntrack_expect_lock);

*** DEADLOCK ***
May be due to missing lock nesting notation

2 locks held by lt-conntrack_gr/12853:
#0: (&table[i].mutex){+.+.+.}, at: [<ffffffffa05e2009>]
nfnetlink_rcv_msg+0x399/0x6a9 [nfnetlink]
#1: (nf_conntrack_expect_lock){+.....}, at: [<ffffffffa05f2c1f>]
ctnetlink_new_conntrack+0x17f/0x408 [nf_conntrack_netlink]

Call Trace:
dump_stack+0x85/0xc2
__lock_acquire+0x1608/0x1680
? ctnetlink_parse_tuple_proto+0x10f/0x1c0 [nf_conntrack_netlink]
lock_acquire+0x100/0x1f0
? nf_ct_remove_expectations+0x32/0x90 [nf_conntrack]
_raw_spin_lock_bh+0x3f/0x50
? nf_ct_remove_expectations+0x32/0x90 [nf_conntrack]
nf_ct_remove_expectations+0x32/0x90 [nf_conntrack]
ctnetlink_change_helper+0xc6/0x190 [nf_conntrack_netlink]
ctnetlink_new_conntrack+0x1b2/0x408 [nf_conntrack_netlink]
nfnetlink_rcv_msg+0x60a/0x6a9 [nfnetlink]
? nfnetlink_rcv_msg+0x1b9/0x6a9 [nfnetlink]
? nfnetlink_bind+0x1a0/0x1a0 [nfnetlink]
netlink_rcv_skb+0xa4/0xc0
nfnetlink_rcv+0x87/0x770 [nfnetlink]

Since the operations are unrelated to nf_ct_expect, we can drop the
_expect_lock. Also note, after removing the _expect_lock protection,
another CPU may invoke nf_conntrack_helper_unregister, so we should
use rcu_read_lock to protect __nf_conntrack_helper_find invoked by
ctnetlink_change_helper.

Fixes: ca7433df3a67 ("netfilter: conntrack: seperate expect locking from nf_conntrack_lock")
Signed-off-by: Liping Zhang <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
[bwh: Backported to 3.16:
- ctnetlink_change_helper() still auto-loads modules, so update the unlocking
and re-locking there
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1384,24 +1384,22 @@ ctnetlink_change_helper(struct nf_conn *
return 0;
}

+ rcu_read_lock();
helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
nf_ct_protonum(ct));
if (helper == NULL) {
#ifdef CONFIG_MODULES
- spin_unlock_bh(&nf_conntrack_expect_lock);
+ rcu_read_unlock();

- if (request_module("nfct-helper-%s", helpname) < 0) {
- spin_lock_bh(&nf_conntrack_expect_lock);
+ if (request_module("nfct-helper-%s", helpname) < 0)
return -EOPNOTSUPP;
- }

- spin_lock_bh(&nf_conntrack_expect_lock);
+ rcu_read_lock();
helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
nf_ct_protonum(ct));
- if (helper)
- return -EAGAIN;
#endif
- return -EOPNOTSUPP;
+ rcu_read_unlock();
+ return helper ? -EAGAIN : -EOPNOTSUPP;
}

if (help) {
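Review bot: after the rcu_read_unlock() around request_module(), the second __nf_conntrack_helper_find() result is only tested for NULL and the function returns -EAGAIN, so no helper pointer escapes the RCU section; that is correct, but a one-line comment that -EAGAIN means "module now loaded, caller retries" would help, because on the success path it reads like an error. With CONFIG_MODULES off the flow falls straight through to rcu_read_unlock() and -EOPNOTSUPP, which is also fine.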
@@ -1409,13 +1407,16 @@ ctnetlink_change_helper(struct nf_conn *
/* update private helper data if allowed. */
if (helper->from_nlattr)
helper->from_nlattr(helpinfo, ct);
- return 0;
+ err = 0;
} else
- return -EBUSY;
+ err = -EBUSY;
+ } else {
+ /* we cannot set a helper for an existing conntrack */
+ err = -EOPNOTSUPP;
}

- /* we cannot set a helper for an existing conntrack */
- return -EOPNOTSUPP;
+ rcu_read_unlock();
+ return err;
}

static inline int
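Review bot: this hunk assigns `err` in three places but no declaration for it appears anywhere in the diff; confirm ctnetlink_change_helper() in 3.16 already declares `int err` (upstream has it for the ctnetlink_parse_help() return), otherwise the backport does not compile. The restructuring also keeps every use of `helper` (the help->helper comparison and helper->from_nlattr) inside the rcu_read_lock() taken in the previous hunk, which is what protects it against nf_conntrack_helper_unregister() as the commit message says.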
@@ -1831,9 +1832,7 @@ ctnetlink_new_conntrack(struct sock *ctn
err = -EEXIST;
ct = nf_ct_tuplehash_to_ctrack(h);
if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
- spin_lock_bh(&nf_conntrack_expect_lock);
err = ctnetlink_change_conntrack(ct, cda);
- spin_unlock_bh(&nf_conntrack_expect_lock);
if (err == 0) {
nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
(1 << IPCT_ASSURED) |
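Review bot: dropping nf_conntrack_expect_lock around ctnetlink_change_conntrack() leaves it serialised only by the nfnetlink subsystem mutex held in nfnetlink_rcv_msg() (visible in the lockdep output above), so every callee that relied on the spinlock for anything beyond expectation handling needs checking; ctnetlink_change_status() in particular still does a plain `ct->status |= status` at this point in the series, which patch 077 converts to atomic bit ops. The final tree is fine, but the dependency between the two patches is worth stating in the backport note.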
@@ -2165,11 +2164,7 @@ ctnetlink_nfqueue_parse(const struct nla
if (ret < 0)
return ret;

- spin_lock_bh(&nf_conntrack_expect_lock);
- ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
- spin_unlock_bh(&nf_conntrack_expect_lock);
-
- return ret;
+ return ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
}

static int ctnetlink_nfqueue_exp_parse(const struct nlattr * const *cda,
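Review bot: ctnetlink_nfqueue_parse() is reached from the nfnetlink_queue verdict path, not the conntrack subsystem handler, so after this hunk nothing serialises it against a concurrent ctnetlink_change_conntrack() on the same ct except what the callees themselves provide; confirm ctnetlink_nfqueue_parse_ct() only touches fields that are safe under the queue subsystem's own locking, since the removed spinlock was the one thing the two paths had in common.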

2017-08-18 13:37:29

by Ben Hutchings

Subject: [PATCH 3.16 074/134] powerpc/pseries: Fix of_node_put() underflow during DLPAR remove

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tyrel Datwyler <[email protected]>

commit 68baf692c435339e6295cb470ea5545cbc28160e upstream.

Historically struct device_node references were tracked using a kref embedded as
a struct field. Commit 75b57ecf9d1d ("of: Make device nodes kobjects so they
show up in sysfs") (Mar 2014) refactored device_nodes to be kobjects such that
the device tree could be more simply exposed to userspace using sysfs.

Commit 0829f6d1f69e ("of: device_node kobject lifecycle fixes") (Mar 2014)
followed up these changes to better control the kobject lifecycle and in
particular the reference counting via of_node_get(), of_node_put(), and
of_node_init().

A result of this second commit was that it introduced an of_node_put() call when
a dynamic node is detached, in of_node_remove(), that removes the initial kobj
reference created by of_node_init().

Traditionally as the original dynamic device node user the pseries code had
assumed responsibility for releasing this final reference in its platform
specific DLPAR detach code.

This patch fixes a refcount underflow introduced by commit 0829f6d1f6, and
recently exposed by the upstreaming of the refcount API.

Messages like the following are no longer seen in the kernel log with this
patch following DLPAR remove operations of cpus and pci devices.

rpadlpar_io: slot PHB 72 removed
refcount_t: underflow; use-after-free.
------------[ cut here ]------------
WARNING: CPU: 5 PID: 3335 at lib/refcount.c:128 refcount_sub_and_test+0xf4/0x110

Fixes: 0829f6d1f69e ("of: device_node kobject lifecycle fixes")
Signed-off-by: Tyrel Datwyler <[email protected]>
[mpe: Make change log commit references more verbose]
Signed-off-by: Michael Ellerman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/powerpc/platforms/pseries/dlpar.c | 1 -
1 file changed, 1 deletion(-)

--- a/arch/powerpc/platforms/pseries/dlpar.c
+++ b/arch/powerpc/platforms/pseries/dlpar.c
@@ -298,7 +298,6 @@ int dlpar_detach_node(struct device_node
if (rc)
return rc;

- of_node_put(dn); /* Must decrement the refcount */
return 0;
}
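Review bot: removing this of_node_put() is only right if the 3.16 tree already contains commit 0829f6d1f69e, whose of_node_remove() drops the of_node_init() reference; that commit is from March 2014 and predates 3.16, so the fix applies, but the backport would benefit from saying so explicitly, since on an older tree the same change turns an underflow into a leak. The removed comment "Must decrement the refcount" was the misleading part and rightly goes with it.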


2017-08-18 13:38:28

by Ben Hutchings

Subject: [PATCH 3.16 073/134] IB/mlx4: Fix ib device initialization error flow

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <[email protected]>

commit 99e68909d5aba1861897fe7afc3306c3c81b6de0 upstream.

In mlx4_ib_add, procedure mlx4_ib_alloc_eqs is called to allocate EQs.

However, in the mlx4_ib_add error flow, procedure mlx4_ib_free_eqs is not
called to free the allocated EQs.

Fixes: e605b743f33d ("IB/mlx4: Increase the number of vectors (EQs) available for ULPs")
Signed-off-by: Jack Morgenstein <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/hw/mlx4/main.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -2281,6 +2281,7 @@ err_counter:
mlx4_counter_free(ibdev->dev, ibdev->counters[i - 1]);

err_map:
+ mlx4_ib_free_eqs(dev, ibdev);
iounmap(ibdev->uar_map);

err_uar:
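Review bot: mlx4_ib_free_eqs() is added at err_map, which every `goto err_map` reaches; the hunk shows only the label, not the jumps, so confirm that no failure before mlx4_ib_alloc_eqs() jumps here, or that mlx4_ib_free_eqs() tolerates a table that was never allocated, otherwise the error path frees EQs that do not exist. Placing it before iounmap() is right, since EQ teardown does not need the UAR mapping.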

2017-08-18 13:38:49

by Ben Hutchings

Subject: [PATCH 3.16 071/134] IB/ipoib: Update broadcast object if PKey value was changed in index 0

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Feras Daoud <[email protected]>

commit 9a9b8112699d78e7f317019b37f377e90023f3ed upstream.

Update the broadcast address in the priv->broadcast object when the
PKey value changes in index 0, otherwise the multicast GID value will
keep the previous value of the PKey and will not be updated.
This leads to the interface state going down because the interface will
keep the old PKey value.

For example, in an SR-IOV environment, if the PF changes the value of PKey
index 0 for one of the VFs, then the VF receives a PKey change event that
triggers a heavy flush. This flush calls update_parent_pkey, which updates
the broadcast object and its relevant members. If in this case the multicast
GID is not updated, the interface state will be down.

Fixes: c2904141696e ("IPoIB: Fix pkey change flow for virtualization environments")
Signed-off-by: Feras Daoud <[email protected]>
Signed-off-by: Erez Shitrit <[email protected]>
Reviewed-by: Alex Vesker <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 +++++++++++++
1 file changed, 13 insertions(+)

--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -961,6 +961,19 @@ static inline int update_parent_pkey(str
*/
priv->dev->broadcast[8] = priv->pkey >> 8;
priv->dev->broadcast[9] = priv->pkey & 0xff;
+
+ /*
+ * Update the broadcast address in the priv->broadcast object,
+ * in case it already exists, otherwise no one will do that.
+ */
+ if (priv->broadcast) {
+ spin_lock_irq(&priv->lock);
+ memcpy(priv->broadcast->mcmember.mgid.raw,
+ priv->dev->broadcast + 4,
+ sizeof(union ib_gid));
+ spin_unlock_irq(&priv->lock);
+ }
+
return 0;
}
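Review bot: priv->broadcast is tested outside priv->lock and then dereferenced inside it; if anything can clear priv->broadcast concurrently (the flush paths the commit message mentions run around this code), the NULL test should move inside the spin_lock_irq() region, otherwise the memcpy can follow a pointer that was just dropped. The memcpy also rewrites mcmember.mgid while a join for the old GID may still be in flight; the commit message implies the flush handles the rejoin, so a sentence to that effect in the comment would save the next reader the question.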


2017-08-18 13:38:53

by Ben Hutchings

Subject: [PATCH 3.16 068/134] mwifiex: pcie: fix cmd_buf use-after-free in remove/reset

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Brian Norris <[email protected]>

commit 3c8cb9ad032d737b874e402c59eb51e3c991a144 upstream.

Command buffers (skb's) are allocated by the main driver, and freed upon
the last use. That last use is often in mwifiex_free_cmd_buffer(). In
the meantime, if the command buffer gets used by the PCI driver, we map
it as DMA-able, and store the mapping information in the 'cb' memory.

However, if a command was in-flight when resetting the device (and
therefore was still mapped), we don't get a chance to unmap this memory
until after the core has cleaned up its command handling.

Let's keep a refcount within the PCI driver, so we ensure the memory
only gets freed after we've finished unmapping it.

Noticed by KASAN when forcing a reset via:

echo 1 > /sys/bus/pci/.../reset

The same code path can presumably be exercised in remove() and
shutdown().

[ 205.390377] mwifiex_pcie 0000:01:00.0: info: shutdown mwifiex...
[ 205.400393] ==================================================================
[ 205.407719] BUG: KASAN: use-after-free in mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie] at addr ffffffc0ad471b28
[ 205.419040] Read of size 16 by task bash/1913
[ 205.423421] =============================================================================
[ 205.431625] BUG skbuff_head_cache (Tainted: G B ): kasan: bad access detected
[ 205.439815] -----------------------------------------------------------------------------
[ 205.439815]
[ 205.449534] INFO: Allocated in __build_skb+0x48/0x114 age=1311 cpu=4 pid=1913
[ 205.456709] alloc_debug_processing+0x124/0x178
[ 205.461282] ___slab_alloc.constprop.58+0x528/0x608
[ 205.466196] __slab_alloc.isra.54.constprop.57+0x44/0x54
[ 205.471542] kmem_cache_alloc+0xcc/0x278
[ 205.475497] __build_skb+0x48/0x114
[ 205.479019] __netdev_alloc_skb+0xe0/0x170
[ 205.483244] mwifiex_alloc_cmd_buffer+0x68/0xdc [mwifiex]
[ 205.488759] mwifiex_init_fw+0x40/0x6cc [mwifiex]
[ 205.493584] _mwifiex_fw_dpc+0x158/0x520 [mwifiex]
[ 205.498491] mwifiex_reinit_sw+0x2c4/0x398 [mwifiex]
[ 205.503510] mwifiex_pcie_reset_notify+0x114/0x15c [mwifiex_pcie]
[ 205.509643] pci_reset_notify+0x5c/0x6c
[ 205.513519] pci_reset_function+0x6c/0x7c
[ 205.517567] reset_store+0x68/0x98
[ 205.521003] dev_attr_store+0x54/0x60
[ 205.524705] sysfs_kf_write+0x9c/0xb0
[ 205.528413] INFO: Freed in __kfree_skb+0xb0/0xbc age=131 cpu=4 pid=1913
[ 205.535064] free_debug_processing+0x264/0x370
[ 205.539550] __slab_free+0x84/0x40c
[ 205.543075] kmem_cache_free+0x1c8/0x2a0
[ 205.547030] __kfree_skb+0xb0/0xbc
[ 205.550465] consume_skb+0x164/0x178
[ 205.554079] __dev_kfree_skb_any+0x58/0x64
[ 205.558304] mwifiex_free_cmd_buffer+0xa0/0x158 [mwifiex]
[ 205.563817] mwifiex_shutdown_drv+0x578/0x5c4 [mwifiex]
[ 205.569164] mwifiex_shutdown_sw+0x178/0x310 [mwifiex]
[ 205.574353] mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie]
[ 205.580398] pci_reset_notify+0x5c/0x6c
[ 205.584274] pci_dev_save_and_disable+0x24/0x6c
[ 205.588837] pci_reset_function+0x30/0x7c
[ 205.592885] reset_store+0x68/0x98
[ 205.596324] dev_attr_store+0x54/0x60
[ 205.600017] sysfs_kf_write+0x9c/0xb0
...
[ 205.800488] Call trace:
[ 205.802980] [<ffffffc00020a69c>] dump_backtrace+0x0/0x190
[ 205.808415] [<ffffffc00020a96c>] show_stack+0x20/0x28
[ 205.813506] [<ffffffc0005d020c>] dump_stack+0xa4/0xcc
[ 205.818598] [<ffffffc0003be44c>] print_trailer+0x158/0x168
[ 205.824120] [<ffffffc0003be5f0>] object_err+0x4c/0x5c
[ 205.829210] [<ffffffc0003c45bc>] kasan_report+0x334/0x500
[ 205.834641] [<ffffffc0003c3994>] check_memory_region+0x20/0x14c
[ 205.840593] [<ffffffc0003c3b14>] __asan_loadN+0x14/0x1c
[ 205.845879] [<ffffffbffc46171c>] mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie]
[ 205.854282] [<ffffffbffc461864>] mwifiex_pcie_delete_cmdrsp_buf+0x94/0xa8 [mwifiex_pcie]
[ 205.862421] [<ffffffbffc462028>] mwifiex_pcie_free_buffers+0x11c/0x158 [mwifiex_pcie]
[ 205.870302] [<ffffffbffc4620d4>] mwifiex_pcie_down_dev+0x70/0x80 [mwifiex_pcie]
[ 205.877736] [<ffffffbffc1397a8>] mwifiex_shutdown_sw+0x190/0x310 [mwifiex]
[ 205.884658] [<ffffffbffc4606b4>] mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie]
[ 205.892446] [<ffffffc000635f54>] pci_reset_notify+0x5c/0x6c
[ 205.898048] [<ffffffc00063a044>] pci_dev_save_and_disable+0x24/0x6c
[ 205.904350] [<ffffffc00063cf0c>] pci_reset_function+0x30/0x7c
[ 205.910134] [<ffffffc000641118>] reset_store+0x68/0x98
[ 205.915312] [<ffffffc000771588>] dev_attr_store+0x54/0x60
[ 205.920750] [<ffffffc00046f53c>] sysfs_kf_write+0x9c/0xb0
[ 205.926182] [<ffffffc00046dfb0>] kernfs_fop_write+0x184/0x1f8
[ 205.931963] [<ffffffc0003d64f4>] __vfs_write+0x6c/0x17c
[ 205.937221] [<ffffffc0003d7164>] vfs_write+0xf0/0x1c4
[ 205.942310] [<ffffffc0003d7da0>] SyS_write+0x78/0xd8
[ 205.947312] [<ffffffc000204634>] el0_svc_naked+0x24/0x28
...
[ 205.998268] ==================================================================

This bug has been around in different forms for a while. It was sort of
noticed in commit 955ab095c51a ("mwifiex: Do not kfree cmd buf while
unregistering PCIe"), but it just fixed the double-free, without
acknowledging the potential for use-after-free.

Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
Signed-off-by: Brian Norris <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/mwifiex/pcie.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/net/wireless/mwifiex/pcie.c
+++ b/drivers/net/wireless/mwifiex/pcie.c
@@ -905,6 +905,7 @@ static int mwifiex_pcie_delete_cmdrsp_bu
if (card && card->cmd_buf) {
mwifiex_unmap_pci_memory(adapter, card->cmd_buf,
PCI_DMA_TODEVICE);
+ dev_kfree_skb_any(card->cmd_buf);
}
return 0;
}
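Review bot: this hunk frees card->cmd_buf but does not clear it, unlike the mwifiex_pcie_process_cmd_complete() hunk below, which sets `card->cmd_buf = NULL` after the same unmap/free pair; if mwifiex_pcie_delete_cmdrsp_buf() can run twice (remove after a failed reset, for instance), the second call unmaps and dev_kfree_skb_any()s an skb that was already released, which is the class of bug this patch is fixing. Suggest adding `card->cmd_buf = NULL;` after the free here as well.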
@@ -1446,6 +1447,11 @@ mwifiex_pcie_send_cmd(struct mwifiex_ada
return -1;

card->cmd_buf = skb;
+ /*
+ * Need to keep a reference, since core driver might free up this
+ * buffer before we've unmapped it.
+ */
+ skb_get(skb);

/* To send a command, the driver will:
1. Write the 64bit physical address of the data buffer to
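Review bot: skb_get() is taken unconditionally right after `card->cmd_buf = skb`, so every error return later in mwifiex_pcie_send_cmd() (not shown in this hunk) now needs a matching dev_kfree_skb_any() or the extra reference leaks; confirm that each failure path after this point either drops the reference or leaves card->cmd_buf set so that mwifiex_pcie_delete_cmdrsp_buf() releases it.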
@@ -1542,6 +1548,7 @@ static int mwifiex_pcie_process_cmd_comp
if (card->cmd_buf) {
mwifiex_unmap_pci_memory(adapter, card->cmd_buf,
PCI_DMA_TODEVICE);
+ dev_kfree_skb_any(card->cmd_buf);
card->cmd_buf = NULL;
}


2017-08-18 13:38:51

by Ben Hutchings

Subject: [PATCH 3.16 072/134] HSI: ssi_protocol: double free in ssip_pn_xmit()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 3026050179a3a9a6f5c892c414b5e36ecf092081 upstream.

If skb_pad() fails then it frees skb and we don't need to free it again
at the end of the function.

Fixes: dc7bf5d7 ("HSI: Introduce driver for SSI Protocol")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/hsi/clients/ssi_protocol.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/hsi/clients/ssi_protocol.c
+++ b/drivers/hsi/clients/ssi_protocol.c
@@ -976,7 +976,7 @@ static int ssip_pn_xmit(struct sk_buff *
goto drop;
/* Pad to 32-bits - FIXME: Revisit*/
if ((skb->len & 3) && skb_pad(skb, 4 - (skb->len & 3)))
- goto drop;
+ goto inc_dropped;

/*
* Modem sends Phonet messages over SSI with its own endianess...
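Review bot: the new `goto inc_dropped` depends on skb_pad() freeing the skb on failure, which it does in this tree, but nothing at the call site says so and the "FIXME: Revisit" comment above invites another rewrite; a short comment such as "skb_pad() frees skb on error" next to the goto would stop the next reader from "fixing" it back to `goto drop`, which is exactly how the double free arose.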
@@ -1028,8 +1028,9 @@ static int ssip_pn_xmit(struct sk_buff *
drop2:
hsi_free_msg(msg);
drop:
- dev->stats.tx_dropped++;
dev_kfree_skb(skb);
+inc_dropped:
+ dev->stats.tx_dropped++;

return 0;
}
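Review bot: the label chain drop2 -> drop -> inc_dropped now falls through three levels, with inc_dropped doing only the stats increment; that is correct, but since `drop` reads as "free and count" while `inc_dropped` is "count only", a name that says what it skips (for example drop_nofree) would make the ownership difference visible at the goto sites.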

2017-08-18 13:38:46

by Ben Hutchings

Subject: [PATCH 3.16 070/134] NFS: Use GFP_NOIO for two allocations in writeback

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Benjamin Coddington <[email protected]>

commit ae97aa524ef495b6276fd26f5d5449fb22975d7c upstream.

Prevent a deadlock that can occur if we wait on allocations
that try to write back our pages.

Signed-off-by: Benjamin Coddington <[email protected]>
Fixes: 00bfa30abe869 ("NFS: Create a common pgio_alloc and pgio_release...")
Signed-off-by: Trond Myklebust <[email protected]>
[bwh: Backported to 3.16:
- Drop changes in nfs_pageio_init()
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfs/pagelist.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

--- a/fs/nfs/pagelist.c
+++ b/fs/nfs/pagelist.c
@@ -29,13 +29,14 @@
static struct kmem_cache *nfs_page_cachep;
static const struct rpc_call_ops nfs_pgio_common_ops;

-static bool nfs_pgarray_set(struct nfs_page_array *p, unsigned int pagecount)
+static bool nfs_pgarray_set(struct nfs_page_array *p, unsigned int pagecount,
+ gfp_t gfp_flags)
{
p->npages = pagecount;
if (pagecount <= ARRAY_SIZE(p->page_array))
p->pagevec = p->page_array;
else {
- p->pagevec = kcalloc(pagecount, sizeof(struct page *), GFP_KERNEL);
+ p->pagevec = kcalloc(pagecount, sizeof(struct page *), gfp_flags);
if (!p->pagevec)
p->npages = 0;
}
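Review bot: nfs_pgarray_set() gains a gfp_t parameter but this hunk shows only the definition, and the diff updates a single caller (nfs_generic_pgio()); any other caller in 3.16 would fail to compile, so confirm there are none, or that they were dropped deliberately along with the nfs_pageio_init() change mentioned in the backport note. The flags only matter in the kcalloc() branch for pagecount above ARRAY_SIZE(p->page_array), which is fine.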
@@ -739,9 +740,12 @@ int nfs_generic_pgio(struct nfs_pageio_d
struct list_head *head = &desc->pg_list;
struct nfs_commit_info cinfo;
unsigned int pagecount, pageused;
+ gfp_t gfp_flags = GFP_KERNEL;

pagecount = nfs_page_array_len(desc->pg_base, desc->pg_count);
- if (!nfs_pgarray_set(&hdr->page_array, pagecount))
+ if (desc->pg_rw_ops->rw_mode == FMODE_WRITE)
+ gfp_flags = GFP_NOIO;
+ if (!nfs_pgarray_set(&hdr->page_array, pagecount, gfp_flags))
return nfs_pgio_error(desc, hdr);

nfs_init_cinfo(&cinfo, desc->pg_inode, desc->pg_dreq);
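Review bot: the subject promises two allocations under GFP_NOIO, but with the nfs_pageio_init() change dropped in the backport only the pagevec kcalloc() here is covered; the backport note should say which allocation stays GFP_KERNEL in 3.16 and why it cannot recurse into writeback, otherwise the deadlock the commit message describes is only half closed. Selecting on desc->pg_rw_ops->rw_mode == FMODE_WRITE is the right discriminator for the write path.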

2017-08-18 13:40:07

by Ben Hutchings

Subject: [PATCH 3.16 064/134] [media] ov2640: fix vflip control

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Frank Schaefer <[email protected]>

commit 7f140fc2064bcd23e0490d8210650e2ef21c1c89 upstream.

Enabling vflip currently causes wrong colors.
It seems that (at least with the current sensor setup) REG04_VFLIP_IMG only
changes the vertical readout direction.
Because pixels are arranged RGRG... in odd lines and GBGB... in even lines,
either a one line shift or even/odd line swap is required, too, but
apparently this doesn't happen.

I finally figured out that this can be done manually by setting
REG04_VREF_EN.
Looking at hflip, it turns out that bit REG04_HREF_EN is set there
permanently, but according to my tests has no effect on the pixel readout
order.
So my conclusion is that the current documentation of sensor register 0x04
is wrong (has changed after preliminary datasheet version 2.2).

I'm pretty sure that automatic vertical line shift/switch can be enabled,
too, but until anyone finds out how this works, we have to stick with manual
switching.

Signed-off-by: Frank Schäfer <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/i2c/soc_camera/ov2640.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/media/i2c/soc_camera/ov2640.c
+++ b/drivers/media/i2c/soc_camera/ov2640.c
@@ -713,8 +713,10 @@ static int ov2640_s_ctrl(struct v4l2_ctr

switch (ctrl->id) {
case V4L2_CID_VFLIP:
- val = ctrl->val ? REG04_VFLIP_IMG : 0x00;
- return ov2640_mask_set(client, REG04, REG04_VFLIP_IMG, val);
+ val = ctrl->val ? REG04_VFLIP_IMG | REG04_VREF_EN : 0x00;
+ return ov2640_mask_set(client, REG04,
+ REG04_VFLIP_IMG | REG04_VREF_EN, val);
+ /* NOTE: REG04_VREF_EN: 1 line shift / even/odd line swap */
case V4L2_CID_HFLIP:
val = ctrl->val ? REG04_HFLIP_IMG : 0x00;
return ov2640_mask_set(client, REG04, REG04_HFLIP_IMG, val);
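Review bot: the `/* NOTE: REG04_VREF_EN ... */` comment sits after the `return`, between two case labels, where it reads as belonging to V4L2_CID_HFLIP; move it above the `val =` line in the VFLIP case so it documents the bit it describes, and consider recording the commit's finding that REG04_HREF_EN has no observable effect, so the asymmetry with the HFLIP case is not mistaken for an oversight.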

2017-08-18 13:40:05

by Ben Hutchings

Subject: [PATCH 3.16 065/134] ath9k: off by one in ath9k_hw_nvram_read_array()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit b7dcf68f383a05567bd16a390907b67022a62d3d upstream.

The > should be >= or we read one space beyond the end of the array.

Fixes: ab5c4f71d8c7 ("ath9k: allow to load EEPROM content via firmware API")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/ath/ath9k/eeprom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath9k/eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom.c
@@ -118,7 +118,7 @@ static bool ath9k_hw_nvram_read_blob(str
{
u16 *blob_data;

- if (off * sizeof(u16) > ah->eeprom_blob->size)
+ if (off * sizeof(u16) >= ah->eeprom_blob->size)
return false;

blob_data = (u16 *)ah->eeprom_blob->data;
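Review bot: the corrected test still lets the read run one byte past the end when the blob has an odd size: with size 5 and off 2, `2 * sizeof(u16) >= 5` is false, yet blob_data[2] covers bytes 4 and 5. Checking the end of the element instead, `(off + 1) * sizeof(u16) > ah->eeprom_blob->size`, rejects that case as well as the even-size off-by-one this patch fixes.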

2017-08-18 13:40:04

by Ben Hutchings

Subject: [PATCH 3.16 067/134] usb: host: xhci: print correct command ring address

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Chen <[email protected]>

commit 6fc091fb0459ade939a795bfdcaf645385b951d4 upstream.

Print correct command ring address using 'val_64'.

Signed-off-by: Peter Chen <[email protected]>
Signed-off-by: Mathias Nyman <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/host/xhci-mem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -2459,7 +2459,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,
(xhci->cmd_ring->first_seg->dma & (u64) ~CMD_RING_RSVD_BITS) |
xhci->cmd_ring->cycle_state;
xhci_dbg_trace(xhci, trace_xhci_dbg_init,
- "// Setting command ring address to 0x%x", val);
+ "// Setting command ring address to 0x%016llx", val_64);
xhci_write_64(xhci, val_64, &xhci->op_regs->cmd_ring);
xhci_dbg_cmd_ptrs(xhci);
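Review bot: val_64 is a u64, which is `unsigned long` on 64-bit builds, so passing it straight to a "%llx" format draws -Wformat warnings there; the usual kernel idiom is `(unsigned long long)val_64`. The fix itself is right, since `val` is the 32-bit temporary and the old line printed only the low half of the command ring address.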


2017-08-18 13:40:02

by Ben Hutchings

Subject: [PATCH 3.16 060/134] PCI: Freeze PME scan before suspending devices

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <[email protected]>

commit ea00353f36b64375518662a8ad15e39218a1f324 upstream.

Laurent Pinchart reported that the Renesas R-Car H2 Lager board (r8a7790)
crashes during suspend tests. Geert Uytterhoeven managed to reproduce the
issue on an M2-W Koelsch board (r8a7791):

It occurs when the PME scan runs, once per second. During PME scan, the
PCI host bridge (rcar-pci) registers are accessed while its module clock
has already been disabled, leading to the crash.

One reproducer is to configure s2ram to use "s2idle" instead of "deep"
suspend:

# echo 0 > /sys/module/printk/parameters/console_suspend
# echo s2idle > /sys/power/mem_sleep
# echo mem > /sys/power/state

Another reproducer is to write either "platform" or "processors" to
/sys/power/pm_test. It does not (or is less likely) to happen during full
system suspend ("core" or "none") because system suspend also disables
timers, and thus the workqueue handling PME scans no longer runs. Geert
believes the issue may still happen in the small window between disabling
module clocks and disabling timers:

# echo 0 > /sys/module/printk/parameters/console_suspend
# echo platform > /sys/power/pm_test # Or "processors"
# echo mem > /sys/power/state

(Make sure CONFIG_PCI_RCAR_GEN2 and CONFIG_USB_OHCI_HCD_PCI are enabled.)

Rafael Wysocki agrees that PME scans should be suspended before the host
bridge registers become inaccessible. To that end, queue the task on a
workqueue that gets frozen before devices suspend.

Rafael notes however that as a result, some wakeup events may be missed if
they are delivered via PME from a device without working IRQ (which hence
must be polled) and occur after the workqueue has been frozen. If that
turns out to be an issue in practice, it may be possible to solve it by
calling pci_pme_list_scan() once directly from one of the host bridge's
pm_ops callbacks.

Stacktrace for posterity:

PM: Syncing filesystems ... [ 38.566237] done.
PM: Preparing system for sleep (mem)
Freezing user space processes ... [ 38.579813] (elapsed 0.001 seconds) done.
Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
PM: Suspending system (mem)
PM: suspend of devices complete after 152.456 msecs
PM: late suspend of devices complete after 2.809 msecs
PM: noirq suspend of devices complete after 29.863 msecs
suspend debug: Waiting for 5 second(s).
Unhandled fault: asynchronous external abort (0x1211) at 0x00000000
pgd = c0003000
[00000000] *pgd=80000040004003, *pmd=00000000
Internal error: : 1211 [#1] SMP ARM
Modules linked in:
CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted
4.9.0-rc1-koelsch-00011-g68db9bc814362e7f #3383
Hardware name: Generic R8A7791 (Flattened Device Tree)
Workqueue: events pci_pme_list_scan
task: eb56e140 task.stack: eb58e000
PC is at pci_generic_config_read+0x64/0x6c
LR is at rcar_pci_cfg_base+0x64/0x84
pc : [<c041d7b4>] lr : [<c04309a0>] psr: 600d0093
sp : eb58fe98 ip : c041d750 fp : 00000008
r10: c0e2283c r9 : 00000000 r8 : 600d0013
r7 : 00000008 r6 : eb58fed6 r5 : 00000002 r4 : eb58feb4
r3 : 00000000 r2 : 00000044 r1 : 00000008 r0 : 00000000
Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
Control: 30c5387d Table: 6a9f6c80 DAC: 55555555
Process kworker/1:1 (pid: 20, stack limit = 0xeb58e210)
Stack: (0xeb58fe98 to 0xeb590000)
fe80: 00000002 00000044
fea0: eb6f5800 c041d9b0 eb58feb4 00000008 00000044 00000000 eb78a000 eb78a000
fec0: 00000044 00000000 eb9aff00 c0424bf0 eb78a000 00000000 eb78a000 c0e22830
fee0: ea8a6fc0 c0424c5c eaae79c0 c0424ce0 eb55f380 c0e22838 eb9a9800 c0235fbc
ff00: eb55f380 c0e22838 eb55f380 eb9a9800 eb9a9800 eb58e000 eb9a9824 c0e02100
ff20: eb55f398 c02366c4 eb56e140 eb5631c0 00000000 eb55f380 c023641c 00000000
ff40: 00000000 00000000 00000000 c023a928 cd105598 00000000 40506a34 eb55f380
ff60: 00000000 00000000 dead4ead ffffffff ffffffff eb58ff74 eb58ff74 00000000
ff80: 00000000 dead4ead ffffffff ffffffff eb58ff90 eb58ff90 eb58ffac eb5631c0
ffa0: c023a844 00000000 00000000 c0206d68 00000000 00000000 00000000 00000000
ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 3a81336c 10ccd1dd
[<c041d7b4>] (pci_generic_config_read) from [<c041d9b0>]
(pci_bus_read_config_word+0x58/0x80)
[<c041d9b0>] (pci_bus_read_config_word) from [<c0424bf0>]
(pci_check_pme_status+0x34/0x78)
[<c0424bf0>] (pci_check_pme_status) from [<c0424c5c>] (pci_pme_wakeup+0x28/0x54)
[<c0424c5c>] (pci_pme_wakeup) from [<c0424ce0>] (pci_pme_list_scan+0x58/0xb4)
[<c0424ce0>] (pci_pme_list_scan) from [<c0235fbc>]
(process_one_work+0x1bc/0x308)
[<c0235fbc>] (process_one_work) from [<c02366c4>] (worker_thread+0x2a8/0x3e0)
[<c02366c4>] (worker_thread) from [<c023a928>] (kthread+0xe4/0xfc)
[<c023a928>] (kthread) from [<c0206d68>] (ret_from_fork+0x14/0x2c)
Code: ea000000 e5903000 f57ff04f e3a00000 (e5843000)
---[ end trace 667d43ba3aa9e589 ]---

Fixes: df17e62e5bff ("PCI: Add support for polling PME state on suspended legacy PCI devices")
Reported-and-tested-by: Laurent Pinchart <[email protected]>
Reported-and-tested-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Lukas Wunner <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Reviewed-by: Laurent Pinchart <[email protected]>
Acked-by: Rafael J. Wysocki <[email protected]>
Cc: Mika Westerberg <[email protected]>
Cc: Niklas Söderlund <[email protected]>
Cc: Simon Horman <[email protected]>
Cc: Yinghai Lu <[email protected]>
Cc: Matthew Garrett <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pci/pci.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1676,8 +1676,8 @@ static void pci_pme_list_scan(struct wor
}
}
if (!list_empty(&pci_pme_list))
- schedule_delayed_work(&pci_pme_work,
- msecs_to_jiffies(PME_TIMEOUT));
+ queue_delayed_work(system_freezable_wq, &pci_pme_work,
+ msecs_to_jiffies(PME_TIMEOUT));
mutex_unlock(&pci_pme_list_mutex);
}

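Review bot: missing documentation at the new queue_delayed_work() call in pci_pme_list_scan(): nothing at the call site says why system_freezable_wq is used instead of the default queue, and the commit message carries an important caveat (PME wakeups from polled devices that arrive after the workqueue is frozen are lost). A one-line comment such as `/* freezable: the host bridge may be inaccessible once devices are suspended */` would keep that rationale with the code.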
@@ -1737,8 +1737,9 @@ void pci_pme_active(struct pci_dev *dev,
mutex_lock(&pci_pme_list_mutex);
list_add(&pme_dev->list, &pci_pme_list);
if (list_is_singular(&pci_pme_list))
- schedule_delayed_work(&pci_pme_work,
- msecs_to_jiffies(PME_TIMEOUT));
+ queue_delayed_work(system_freezable_wq,
+ &pci_pme_work,
+ msecs_to_jiffies(PME_TIMEOUT));
mutex_unlock(&pci_pme_list_mutex);
} else {
mutex_lock(&pci_pme_list_mutex);
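Review bot: style point in the pci_pme_active() hunk: the queue_delayed_work() arguments are wrapped over three lines here but over two in the pci_pme_list_scan() hunk; the two call sites should be wrapped the same way. Otherwise the change is complete: both the initial arm (list_is_singular) and the re-arm path now target the same freezable queue, which is what the fix depends on.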

2017-08-18 13:40:01

by Ben Hutchings

Subject: [PATCH 3.16 066/134] KVM: arm/arm64: fix races in kvm_psci_vcpu_on

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andrew Jones <[email protected]>

commit 6c7a5dce22b3f3cc44be098e2837fa6797edb8b8 upstream.

Fix potential races in kvm_psci_vcpu_on() by taking the kvm->lock
mutex. In general, it's a bad idea to allow more than one PSCI_CPU_ON
to process the same target VCPU at the same time. One such problem
that may arise is that one PSCI_CPU_ON could be resetting the target
vcpu, which fills the entire sys_regs array with a temporary value
including the MPIDR register, while another looks up the VCPU based
on the MPIDR value, resulting in no target VCPU found. Resolves both
races found with the kvm-unit-tests/arm/psci unit test.

Reviewed-by: Marc Zyngier <[email protected]>
Reviewed-by: Christoffer Dall <[email protected]>
Reported-by: Levente Kurusa <[email protected]>
Suggested-by: Christoffer Dall <[email protected]>
Signed-off-by: Andrew Jones <[email protected]>
Signed-off-by: Christoffer Dall <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/arm/kvm/psci.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

--- a/arch/arm/kvm/psci.c
+++ b/arch/arm/kvm/psci.c
@@ -191,9 +191,10 @@ int kvm_psci_version(struct kvm_vcpu *vc

static int kvm_psci_0_2_call(struct kvm_vcpu *vcpu)
{
- int ret = 1;
+ struct kvm *kvm = vcpu->kvm;
unsigned long psci_fn = *vcpu_reg(vcpu, 0) & ~((u32) 0);
unsigned long val;
+ int ret = 1;

switch (psci_fn) {
case PSCI_0_2_FN_PSCI_VERSION:
@@ -213,7 +214,9 @@ static int kvm_psci_0_2_call(struct kvm_
break;
case PSCI_0_2_FN_CPU_ON:
case PSCI_0_2_FN64_CPU_ON:
+ mutex_lock(&kvm->lock);
val = kvm_psci_vcpu_on(vcpu);
+ mutex_unlock(&kvm->lock);
break;
case PSCI_0_2_FN_AFFINITY_INFO:
case PSCI_0_2_FN64_AFFINITY_INFO:
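Review bot: the AFFINITY_INFO cases immediately below the newly locked CPU_ON block stay outside kvm->lock. The commit message describes the race as a lookup by MPIDR observing the temporary value written while the target vcpu is being reset; if the affinity-info handler also resolves VCPUs by MPIDR it can observe the same transient state, so either it should take the lock too or a comment should explain why that is acceptable for a read-only query.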
@@ -269,6 +272,7 @@ static int kvm_psci_0_2_call(struct kvm_

static int kvm_psci_0_1_call(struct kvm_vcpu *vcpu)
{
+ struct kvm *kvm = vcpu->kvm;
unsigned long psci_fn = *vcpu_reg(vcpu, 0) & ~((u32) 0);
unsigned long val;

@@ -278,7 +282,9 @@ static int kvm_psci_0_1_call(struct kvm_
val = PSCI_RET_SUCCESS;
break;
case KVM_PSCI_FN_CPU_ON:
+ mutex_lock(&kvm->lock);
val = kvm_psci_vcpu_on(vcpu);
+ mutex_unlock(&kvm->lock);
break;
case KVM_PSCI_FN_CPU_SUSPEND:
case KVM_PSCI_FN_MIGRATE:
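Review bot: the mutex_lock()/mutex_unlock() pair around kvm_psci_vcpu_on() is now duplicated in kvm_psci_0_1_call() and kvm_psci_0_2_call(). Taking kvm->lock inside kvm_psci_vcpu_on() itself (or in a small wrapper) would keep the locking rule in one place, so a future caller cannot skip it, and would make the `struct kvm *kvm = vcpu->kvm;` locals added to both functions unnecessary.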

2017-08-18 13:41:28

by Ben Hutchings

Subject: [PATCH 3.16 053/134] net: ipv6: send unsolicited NA on admin up

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Ahern <[email protected]>

commit 4a6e3c5def13c91adf2acc613837001f09af3baa upstream.

ndisc_notify is the ipv6 equivalent to arp_notify. When arp_notify is
set to 1, gratuitous arp requests are sent when the device is brought up.
The same is expected when ndisc_notify is set to 1 (per ndisc_notify in
Documentation/networking/ip-sysctl.txt). The NA is not sent on NETDEV_UP
event; add it.

Fixes: 5cb04436eef6 ("ipv6: add knob to send unsolicited ND on link-layer address change")
Signed-off-by: David Ahern <[email protected]>
Acked-by: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/ndisc.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1605,6 +1605,8 @@ static int ndisc_netdev_event(struct not
case NETDEV_CHANGEADDR:
neigh_changeaddr(&nd_tbl, dev);
fib6_run_gc(0, net, false);
+ /* fallthrough */
+ case NETDEV_UP:
idev = in6_dev_get(dev);
if (!idev)
break;
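Review bot: the new `case NETDEV_UP:` shares the tail of the NETDEV_CHANGEADDR handler, so everything after `idev = in6_dev_get(dev);` now runs on every device up, not only on address changes. The condition that makes this opt-in (`idev->cnf.ndisc_notify`, per the commit message) is outside the hunk; please confirm it is tested on the shared path so that with the default of 0 no unsolicited NA is sent on up, and that the in6_dev_put() for the reference taken here is reached on both paths. The `/* fallthrough */` comment is welcome.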

2017-08-18 13:41:26

by Ben Hutchings

Subject: [PATCH 3.16 061/134] USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marek Vasut <[email protected]>

commit 31c5d1922b90ddc1da6a6ddecef7cd31f17aa32b upstream.

This development kit has an FT4232 on it with a custom USB VID/PID.
The FT4232 provides four UARTs, but only two are used. The UART 0
is used by the FlashPro5 programmer and UART 2 is connected to the
SmartFusion2 CortexM3 SoC UART port.

Note that the USB VID is registered to Actel according to the Linux USB
VID database, but that was acquired by Microsemi.

Signed-off-by: Marek Vasut <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
2 files changed, 7 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -886,6 +886,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE_AND_INTERFACE_INFO(MICROCHIP_VID, MICROCHIP_USB_BOARD_PID,
USB_CLASS_VENDOR_SPEC,
USB_SUBCLASS_VENDOR_SPEC, 0x00) },
+ { USB_DEVICE_INTERFACE_NUMBER(ACTEL_VID, MICROSEMI_ARROW_SF2PLUS_BOARD_PID, 2) },
{ USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
{ USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
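Review bot: the new id_table entry binds interface 2 only (`USB_DEVICE_INTERFACE_NUMBER(..., 2)`), which the commit message explains: UART 0 is driven by the FlashPro5 programmer and only UART 2 is the SmartFusion2 console. That reasoning is not visible in the table; a short comment on the entry (or next to the PID define) would stop someone from "fixing" it into a plain USB_DEVICE() match that also grabs the programmer interface.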
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -873,6 +873,12 @@
#define FIC_VID 0x1457
#define FIC_NEO1973_DEBUG_PID 0x5118

+/*
+ * Actel / Microsemi
+ */
+#define ACTEL_VID 0x1514
+#define MICROSEMI_ARROW_SF2PLUS_BOARD_PID 0x2008
+
/* Olimex */
#define OLIMEX_VID 0x15BA
#define OLIMEX_ARM_USB_OCD_PID 0x0003
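Review bot: naming in the new defines: the VID macro is ACTEL_VID while the PID is MICROSEMI_ARROW_SF2PLUS_BOARD_PID. The commit message explains that the VID is registered to Actel, since acquired by Microsemi; putting that sentence into the `Actel / Microsemi` comment block would explain the split naming to the next reader.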

2017-08-18 13:41:25

by Ben Hutchings

Subject: [PATCH 3.16 063/134] [media] dw2102: limit messages to buffer size

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alyssa Milburn <[email protected]>

commit 950e252cb469f323740d78e4907843acef89eedb upstream.

Otherwise the i2c transfer functions can read or write beyond the end of
stack or heap buffers.

Signed-off-by: Alyssa Milburn <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.16:
- Use obuf instead of state->data
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/dvb-usb/dw2102.c | 54 ++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)

--- a/drivers/media/usb/dvb-usb/dw2102.c
+++ b/drivers/media/usb/dvb-usb/dw2102.c
@@ -247,6 +247,20 @@ static int dw2102_serit_i2c_transfer(str

switch (num) {
case 2:
+ if (msg[0].len != 1) {
+ warn("i2c rd: len=%d is not 1!\n",
+ msg[0].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
+ if (2 + msg[1].len > sizeof(buf6)) {
+ warn("i2c rd: len=%d is too big!\n",
+ msg[1].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
/* read si2109 register by number */
buf6[0] = msg[0].addr << 1;
buf6[1] = msg[0].len;
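Review bot: the two new checks set `num = -EOPNOTSUPP;` and `break;`, which leaves `switch (num)` with num negative. Whether the function then returns that error depends on the code after the switch (not in the hunk): it must unlock the i2c mutex and `return num` without touching buf6 or msg[].buf first. Please confirm that path, since the break is the only thing preventing the later read from running with an unchecked length.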
@@ -262,6 +276,13 @@ static int dw2102_serit_i2c_transfer(str
case 1:
switch (msg[0].addr) {
case 0x68:
+ if (2 + msg[0].len > sizeof(buf6)) {
+ warn("i2c wr: len=%d is too big!\n",
+ msg[0].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
/* write to si2109 register */
buf6[0] = msg[0].addr << 1;
buf6[1] = msg[0].len;
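Review bot: the `break;` after `num = -EOPNOTSUPP;` here exits the inner `switch (msg[0].addr)`, not the outer `switch (num)`, so any code that follows the inner switch inside `case 1:` still runs with num negative. Please confirm nothing there assumes the write happened; if there is such code, a `goto` to the unlock/return label would be safer than the nested break.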
@@ -305,6 +326,13 @@ static int dw2102_earda_i2c_transfer(str
/* first write first register number */
u8 ibuf[MAX_XFER_SIZE], obuf[3];

+ if (2 + msg[0].len != sizeof(obuf)) {
+ warn("i2c rd: len=%d is not 1!\n",
+ msg[0].len);
+ ret = -EOPNOTSUPP;
+ goto unlock;
+ }
+
if (2 + msg[1].len > sizeof(ibuf)) {
warn("i2c rd: len=%d is too big!\n",
msg[1].len);
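Review bot: the new check `2 + msg[0].len != sizeof(obuf)` in dw2102_earda_i2c_transfer() is correct only because obuf is exactly 3 bytes, yet the warning text says "is not 1!". Writing the condition as `msg[0].len != 1` (as the dw2102_serit variant does) states the intent directly and no longer ties correctness to the declared size of obuf.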
@@ -505,6 +533,12 @@ static int dw3101_i2c_transfer(struct i2
/* first write first register number */
u8 ibuf[MAX_XFER_SIZE], obuf[3];

+ if (2 + msg[0].len != sizeof(obuf)) {
+ warn("i2c rd: len=%d is not 1!\n",
+ msg[0].len);
+ ret = -EOPNOTSUPP;
+ goto unlock;
+ }
if (2 + msg[1].len > sizeof(ibuf)) {
warn("i2c rd: len=%d is too big!\n",
msg[1].len);
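Review bot: same remark as for dw2102_earda_i2c_transfer(): `2 + msg[0].len != sizeof(obuf)` in dw3101_i2c_transfer() would read better as `msg[0].len != 1`. Style: the blank line between the new block and the existing `if (2 + msg[1].len > sizeof(ibuf))` is present in the earda hunk but missing here.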
@@ -730,6 +764,13 @@ static int su3000_i2c_transfer(struct i2
msg[0].buf[0] = ibuf[1];
break;
default:
+ if (3 + msg[0].len > sizeof(obuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+ msg[0].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
/* always i2c write*/
obuf[0] = 0x08;
obuf[1] = msg[0].addr;
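Review bot: `3 + msg[0].len > sizeof(obuf)` matches the header layout visible below (obuf[0] = 0x08, obuf[1] = addr, so the payload presumably starts at offset 3); please confirm obuf[2] holds the length so the bound is exact. As in the serit write path, this `break;` only exits the inner `switch (msg[0].addr)`, so the code after the inner switch in `case 1:` must cope with num being negative.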
@@ -745,6 +786,19 @@ static int su3000_i2c_transfer(struct i2
break;
case 2:
/* always i2c read */
+ if (4 + msg[0].len > sizeof(obuf)) {
+ warn("i2c rd: len=%d is too big!\n",
+ msg[0].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+ if (1 + msg[1].len > sizeof(obuf)) {
+ warn("i2c rd: len=%d is too big!\n",
+ msg[1].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
obuf[0] = 0x09;
obuf[1] = msg[0].len;
obuf[2] = msg[1].len;
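Review bot: in the `case 2:` read path both new checks compare against sizeof(obuf), including `1 + msg[1].len > sizeof(obuf)` for the data read back for msg[1]. If the reply is received into a different buffer (the backport note mentions switching from state->data to obuf, so this may be intended), the bound must be against that buffer's size instead; please confirm which buffer the reply lands in.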

2017-08-18 13:41:23

by Ben Hutchings

Subject: [PATCH 3.16 062/134] [media] ttusb2: limit messages to buffer size

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alyssa Milburn <[email protected]>

commit a12b8ab8c5ff7ccd7b107a564743507c850a441d upstream.

Otherwise ttusb2_i2c_xfer can read or write beyond the end of static and
heap buffers.

Signed-off-by: Alyssa Milburn <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/dvb-usb/ttusb2.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

--- a/drivers/media/usb/dvb-usb/ttusb2.c
+++ b/drivers/media/usb/dvb-usb/ttusb2.c
@@ -78,6 +78,9 @@ static int ttusb2_msg(struct dvb_usb_dev
u8 *s, *r = NULL;
int ret = 0;

+ if (4 + rlen > 64)
+ return -EIO;
+
s = kzalloc(wlen+4, GFP_KERNEL);
if (!s)
return -ENOMEM;
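Review bot: `if (4 + rlen > 64) return -EIO;` uses a bare 64 for the size of the reply buffer it protects, while the sibling checks in ttusb2_i2c_xfer() use sizeof(). A named constant shared with the buffer declaration (or sizeof on it) would keep the check from going stale silently if that buffer is ever resized. -EIO also reads oddly for a caller-supplied oversize length; -EINVAL is the conventional return for that.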
@@ -381,6 +384,22 @@ static int ttusb2_i2c_xfer(struct i2c_ad
write_read = i+1 < num && (msg[i+1].flags & I2C_M_RD);
read = msg[i].flags & I2C_M_RD;

+ if (3 + msg[i].len > sizeof(obuf)) {
+ err("i2c wr len=%d too high", msg[i].len);
+ break;
+ }
+ if (write_read) {
+ if (3 + msg[i+1].len > sizeof(ibuf)) {
+ err("i2c rd len=%d too high", msg[i+1].len);
+ break;
+ }
+ } else if (read) {
+ if (3 + msg[i].len > sizeof(ibuf)) {
+ err("i2c rd len=%d too high", msg[i].len);
+ break;
+ }
+ }
+
obuf[0] = (msg[i].addr << 1) | (write_read | read);
if (read)
obuf[1] = 0;
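Review bot: each new length check in the loop does `err(...); break;`, which ends the for loop early; unless the return value after the loop is adjusted (not visible here), the i2c caller will see the count of messages processed so far rather than an error, and the oversize message is dropped with only a log line. Consider recording an error code before the break so the caller learns the transfer was not completed.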

2017-08-18 13:42:30

by Ben Hutchings

Subject: [PATCH 3.16 048/134] perf/x86/pebs: Fix handling of PEBS buffer overflows

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Stephane Eranian <[email protected]>

commit daa864b8f8e34477bde817f26d736d89dc6032f3 upstream.

This patch solves a race condition between PEBS and the PMU handler.

In case multiple PEBS events are sampled at the same time,
it is possible to have GLOBAL_STATUS bit 62 set indicating
PEBS buffer overflow and also seeing at most 3 PEBS counters
having their bits set in the status register. This is a sign
that there was at least one PEBS record pending at the time
of the PMU interrupt. PEBS counters must only be processed
via the drain_pebs() calls, and not via the regular sample
processing loop coming after that function, otherwise
phony regular samples may be generated in the sampling buffer
not marked with the EXACT tag.

Another possibility is to have one PEBS event and at least
one non-PEBS event which overflows while PEBS has armed. In this
case, bit 62 of GLOBAL_STATUS will not be set, yet the overflow
status bit for the PEBS counter will be on Skylake.

To avoid this problem, we systematically ignore the PEBS-enabled
counters from the GLOBAL_STATUS mask and we always process PEBS
events via drain_pebs().

The problem manifested itself by having non-exact samples when
sampling only PEBS events, i.e., the PERF_SAMPLE_RECORD would
not have the EXACT flag set.

Note that this problem is only present on Skylake processors.
This fix is harmless on older processors.

Reported-by: Peter Zijlstra <[email protected]>
Signed-off-by: Stephane Eranian <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Alexander Shishkin <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Vince Weaver <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kernel/cpu/perf_event_intel.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)

--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -1402,20 +1402,33 @@ again:
}

/*
+ * In case multiple PEBS events are sampled at the same time,
+ * it is possible to have GLOBAL_STATUS bit 62 set indicating
+ * PEBS buffer overflow and also seeing at most 3 PEBS counters
+ * having their bits set in the status register. This is a sign
+ * that there was at least one PEBS record pending at the time
+ * of the PMU interrupt. PEBS counters must only be processed
+ * via the drain_pebs() calls and not via the regular sample
+ * processing loop coming after that the function, otherwise
+ * phony regular samples may be generated in the sampling buffer
+ * not marked with the EXACT tag. Another possibility is to have
+ * one PEBS event and at least one non-PEBS event whic hoverflows
+ * while PEBS has armed. In this case, bit 62 of GLOBAL_STATUS will
+ * not be set, yet the overflow status bit for the PEBS counter will
+ * be on Skylake.
+ *
+ * To avoid this problem, we systematically ignore the PEBS-enabled
+ * counters from the GLOBAL_STATUS mask and we always process PEBS
+ * events via drain_pebs().
+ */
+ status &= ~cpuc->pebs_enabled;
+
+ /*
* PEBS overflow sets bit 62 in the global status register
*/
if (__test_and_clear_bit(62, (unsigned long *)&status)) {
handled++;
x86_pmu.drain_pebs(regs);
- /*
- * There are cases where, even though, the PEBS ovfl bit is set
- * in GLOBAL_OVF_STATUS, the PEBS events may also have their
- * overflow bits set for their counters. We must clear them
- * here because they have been processed as exact samples in
- * the drain_pebs() routine. They must not be processed again
- * in the for_each_bit_set() loop for regular samples below.
- */
- status &= ~cpuc->pebs_enabled;
status &= x86_pmu.intel_ctrl | GLOBAL_STATUS_TRACE_TOPAPMI;
}

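Review bot: the new comment block carries typos inherited from the commit message ("whic hoverflows", "coming after that the function"); please fix them in the code comment at least. On substance: `status &= ~cpuc->pebs_enabled;` is now applied to the full 64-bit pebs_enabled unconditionally, but only the low bits of pebs_enabled denote PEBS-capable counters; bits 32-34 mean PEBS Load Latency and overlap the fixed-counter overflow bits of GLOBAL_STATUS. Patch 049/134 later in this series narrows this to `cpuc->pebs_enabled & PEBS_COUNTER_MASK`; the two should land together.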

2017-08-18 13:42:31

by Ben Hutchings

Subject: [PATCH 3.16 057/134] PCI: Ignore write combining when mapping I/O port space

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <[email protected]>

commit 3a92c319c44a7bcee9f48dff9d97d001943b54c6 upstream.

PCI exposes files like /proc/bus/pci/00/00.0 in procfs. These files
support operations like this:

ioctl(fd, PCIIOC_MMAP_IS_IO); # request I/O port space
ioctl(fd, PCIIOC_WRITE_COMBINE, 1); # request write-combining
mmap(fd, ...)

Write combining is useful on PCI memory space, but I don't think it makes
sense on PCI I/O port space.

We *could* change proc_bus_pci_ioctl() to make it impossible to set
mmap_state == pci_mmap_io and write_combine at the same time, but that
would break the following sequence, which is currently legal:

mmap(fd, ...) # default is I/O, non-combining
ioctl(fd, PCIIOC_WRITE_COMBINE, 1); # request write-combining
ioctl(fd, PCIIOC_MMAP_IS_MEM); # request memory space
mmap(fd, ...) # get write-combining mapping

Ignore the write-combining flag when mapping I/O port space.

This patch should have no functional effect, based on this analysis of all
implementations of pci_mmap_page_range():

- ia64 mips parisc sh unicore32 x86 do not support mapping of I/O port
space at all.

- arm cris microblaze mn10300 sparc xtensa support mapping of I/O port
space, but ignore the write_combine argument to pci_mmap_page_range().

- powerpc supports mapping of I/O port space and uses write_combine, and
it disables write combining for I/O port space in
__pci_mmap_set_pgprot().

This patch makes it possible to remove __pci_mmap_set_pgprot() from
powerpc, which simplifies that path.

Signed-off-by: Bjorn Helgaas <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pci/proc.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -231,7 +231,7 @@ static int proc_bus_pci_mmap(struct file
{
struct pci_dev *dev = PDE_DATA(file_inode(file));
struct pci_filp_private *fpriv = file->private_data;
- int i, ret;
+ int i, ret, write_combine;

if (!capable(CAP_SYS_RAWIO))
return -EPERM;
@@ -245,9 +245,12 @@ static int proc_bus_pci_mmap(struct file
if (i >= PCI_ROM_RESOURCE)
return -ENODEV;

+ if (fpriv->mmap_state == pci_mmap_mem)
+ write_combine = fpriv->write_combine;
+ else
+ write_combine = 0;
ret = pci_mmap_page_range(dev, vma,
- fpriv->mmap_state,
- fpriv->write_combine);
+ fpriv->mmap_state, write_combine);
if (ret < 0)
return ret;

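Review bot: the I/O-space case now silently drops the write_combine request rather than rejecting it, and the justification (keeping the previously legal mmap-then-PCIIOC_WRITE_COMBINE-then-PCIIOC_MMAP_IS_MEM sequence working) lives only in the commit message. A short comment on the `write_combine = 0;` branch would save the next reader from reintroducing an -EINVAL here.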

2017-08-18 13:42:28

by Ben Hutchings

Subject: [PATCH 3.16 052/134] ftrace: Fix removing of second function probe

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <[email protected]>

commit 82cc4fc2e70ec5baeff8f776f2773abc8b2cc0ae upstream.

When two function probes are added to set_ftrace_filter, and then one of
them is removed, the update to the function locations is not performed, and
the record keeping of the function states is corrupted, which causes an
ftrace_bug() to occur.

This is easily reproducible by adding two probes, removing one, and then
adding it back again.

# cd /sys/kernel/debug/tracing
# echo schedule:traceoff > set_ftrace_filter
# echo do_IRQ:traceoff > set_ftrace_filter
# echo \!do_IRQ:traceoff > /debug/tracing/set_ftrace_filter
# echo do_IRQ:traceoff > set_ftrace_filter

Causes:
------------[ cut here ]------------
WARNING: CPU: 2 PID: 1098 at kernel/trace/ftrace.c:2369 ftrace_get_addr_curr+0x143/0x220
Modules linked in: [...]
CPU: 2 PID: 1098 Comm: bash Not tainted 4.10.0-test+ #405
Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
Call Trace:
dump_stack+0x68/0x9f
__warn+0x111/0x130
? trace_irq_work_interrupt+0xa0/0xa0
warn_slowpath_null+0x1d/0x20
ftrace_get_addr_curr+0x143/0x220
? __fentry__+0x10/0x10
ftrace_replace_code+0xe3/0x4f0
? ftrace_int3_handler+0x90/0x90
? printk+0x99/0xb5
? 0xffffffff81000000
ftrace_modify_all_code+0x97/0x110
arch_ftrace_update_code+0x10/0x20
ftrace_run_update_code+0x1c/0x60
ftrace_run_modify_code.isra.48.constprop.62+0x8e/0xd0
register_ftrace_function_probe+0x4b6/0x590
? ftrace_startup+0x310/0x310
? debug_lockdep_rcu_enabled.part.4+0x1a/0x30
? update_stack_state+0x88/0x110
? ftrace_regex_write.isra.43.part.44+0x1d3/0x320
? preempt_count_sub+0x18/0xd0
? mutex_lock_nested+0x104/0x800
? ftrace_regex_write.isra.43.part.44+0x1d3/0x320
? __unwind_start+0x1c0/0x1c0
? _mutex_lock_nest_lock+0x800/0x800
ftrace_trace_probe_callback.isra.3+0xc0/0x130
? func_set_flag+0xe0/0xe0
? __lock_acquire+0x642/0x1790
? __might_fault+0x1e/0x20
? trace_get_user+0x398/0x470
? strcmp+0x35/0x60
ftrace_trace_onoff_callback+0x48/0x70
ftrace_regex_write.isra.43.part.44+0x251/0x320
? match_records+0x420/0x420
ftrace_filter_write+0x2b/0x30
__vfs_write+0xd7/0x330
? do_loop_readv_writev+0x120/0x120
? locks_remove_posix+0x90/0x2f0
? do_lock_file_wait+0x160/0x160
? __lock_is_held+0x93/0x100
? rcu_read_lock_sched_held+0x5c/0xb0
? preempt_count_sub+0x18/0xd0
? __sb_start_write+0x10a/0x230
? vfs_write+0x222/0x240
vfs_write+0xef/0x240
SyS_write+0xab/0x130
? SyS_read+0x130/0x130
? trace_hardirqs_on_caller+0x182/0x280
? trace_hardirqs_on_thunk+0x1a/0x1c
entry_SYSCALL_64_fastpath+0x18/0xad
RIP: 0033:0x7fe61c157c30
RSP: 002b:00007ffe87890258 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: ffffffff8114a410 RCX: 00007fe61c157c30
RDX: 0000000000000010 RSI: 000055814798f5e0 RDI: 0000000000000001
RBP: ffff8800c9027f98 R08: 00007fe61c422740 R09: 00007fe61ca53700
R10: 0000000000000073 R11: 0000000000000246 R12: 0000558147a36400
R13: 00007ffe8788f160 R14: 0000000000000024 R15: 00007ffe8788f15c
? trace_hardirqs_off_caller+0xc0/0x110
---[ end trace 99fa09b3d9869c2c ]---
Bad trampoline accounting at: ffffffff81cc3b00 (do_IRQ+0x0/0x150)

Fixes: 59df055f1991 ("ftrace: trace different functions with a different tracer")
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
[bwh: Backported to 3.16:
- Use ftrace_run_update_code() instead of ftrace_run_modify_code(), and
don't define old_hash
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -3119,23 +3119,24 @@ static void __enable_ftrace_function_pro
ftrace_probe_registered = 1;
}

-static void __disable_ftrace_function_probe(void)
+static bool __disable_ftrace_function_probe(void)
{
int i;

if (!ftrace_probe_registered)
- return;
+ return false;

for (i = 0; i < FTRACE_FUNC_HASHSIZE; i++) {
struct hlist_head *hhd = &ftrace_func_hash[i];
if (hhd->first)
- return;
+ return false;
}

/* no more funcs left */
ftrace_shutdown(&trace_probe_ops, 0);

ftrace_probe_registered = 0;
+ return true;
}


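Review bot: missing documentation for the new return value of __disable_ftrace_function_probe(): `true` means the last probe is gone and ftrace_shutdown() has already updated the call sites, `false` means nothing was done (either never registered, or probes remain). Since the caller's correctness now hinges on that distinction, a comment above the function stating it would help; the two `return false` sites mean different things to a reader even though the caller treats them the same.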
@@ -3263,6 +3264,7 @@ __unregister_ftrace_function_probe(char
int type = MATCH_FULL;
int i, len = 0;
char *search;
+ bool disabled;

if (glob && (strcmp(glob, "*") == 0 || !strlen(glob)))
glob = NULL;
@@ -3316,12 +3318,16 @@ __unregister_ftrace_function_probe(char
}
}
mutex_lock(&ftrace_lock);
- __disable_ftrace_function_probe();
+ disabled = __disable_ftrace_function_probe();
/*
* Remove after the disable is called. Otherwise, if the last
* probe is removed, a null hash means *all enabled*.
*/
ftrace_hash_move(&trace_probe_ops, 1, orig_hash, hash);
+
+ /* still need to update the function call sites */
+ if (ftrace_enabled && !disabled)
+ ftrace_run_update_code(FTRACE_UPDATE_CALLS);
synchronize_sched();
list_for_each_entry_safe(entry, p, &free_list, free_list) {
list_del(&entry->free_list);
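Review bot: the comment `/* still need to update the function call sites */` could say why `!disabled` is the right condition: when __disable_ftrace_function_probe() returned true, ftrace_shutdown() already performed the update, so only the case where probes remain needs ftrace_run_update_code(FTRACE_UPDATE_CALLS) after the hash move. Since the backport note says old_hash is not defined here, a line noting that ftrace_run_update_code() replaces upstream's ftrace_run_modify_code() would also help anyone comparing against mainline.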

2017-08-18 13:42:27

by Ben Hutchings

Subject: [PATCH 3.16 058/134] PCI: Fix another sanity check bug in /proc/pci mmap

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Woodhouse <[email protected]>

commit 17caf56731311c9596e7d38a70c88fcb6afa6a1b upstream.

Don't match MMIO maps with I/O BARs and vice versa.

Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pci/proc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -231,14 +231,20 @@ static int proc_bus_pci_mmap(struct file
{
struct pci_dev *dev = PDE_DATA(file_inode(file));
struct pci_filp_private *fpriv = file->private_data;
- int i, ret, write_combine;
+ int i, ret, write_combine, res_bit;

if (!capable(CAP_SYS_RAWIO))
return -EPERM;

+ if (fpriv->mmap_state == pci_mmap_io)
+ res_bit = IORESOURCE_IO;
+ else
+ res_bit = IORESOURCE_MEM;
+
/* Make sure the caller is mapping a real resource for this device */
for (i = 0; i < PCI_ROM_RESOURCE; i++) {
- if (pci_mmap_fits(dev, i, vma, PCI_MMAP_PROCFS))
+ if (dev->resource[i].flags & res_bit &&
+ pci_mmap_fits(dev, i, vma, PCI_MMAP_PROCFS))
break;
}

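Review bot: `dev->resource[i].flags & res_bit && pci_mmap_fits(...)` relies on `&` binding tighter than `&&`; it is correct, but kernel code usually parenthesises the bitwise test, `(dev->resource[i].flags & res_bit) &&`, to make the intent obvious. The check itself is the right fix: before it, an I/O-typed mmap could be matched against a memory BAR (or vice versa) purely on size, and pci_mmap_page_range() would then be handed a resource of the wrong type.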

2017-08-18 13:42:25

by Ben Hutchings

Subject: [PATCH 3.16 059/134] PCI: Only allow WC mmap on prefetchable resources

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Woodhouse <[email protected]>

commit cef4d02305a06be581bb7f4353446717a1b319ec upstream.

The /proc/bus/pci mmap interface allows the user to specify whether they
want WC or not. Don't let them do so on non-prefetchable BARs.

Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pci/proc.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -231,7 +231,7 @@ static int proc_bus_pci_mmap(struct file
{
struct pci_dev *dev = PDE_DATA(file_inode(file));
struct pci_filp_private *fpriv = file->private_data;
- int i, ret, write_combine, res_bit;
+ int i, ret, write_combine = 0, res_bit;

if (!capable(CAP_SYS_RAWIO))
return -EPERM;
@@ -251,10 +251,13 @@ static int proc_bus_pci_mmap(struct file
if (i >= PCI_ROM_RESOURCE)
return -ENODEV;

- if (fpriv->mmap_state == pci_mmap_mem)
- write_combine = fpriv->write_combine;
- else
- write_combine = 0;
+ if (fpriv->mmap_state == pci_mmap_mem &&
+ fpriv->write_combine) {
+ if (dev->resource[i].flags & IORESOURCE_PREFETCH)
+ write_combine = 1;
+ else
+ return -EINVAL;
+ }
ret = pci_mmap_page_range(dev, vma,
fpriv->mmap_state, write_combine);
if (ret < 0)
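Review bot: the policy now differs between the two cases: write-combining requested on I/O space is silently ignored (the condition is false and write_combine stays 0), while write-combining on a non-prefetchable memory BAR fails with -EINVAL. Both are defensible, but a comment on the `return -EINVAL;` explaining the asymmetry would help, and the combined `fpriv->mmap_state == pci_mmap_mem && fpriv->write_combine` test could be factored into a single condition with the IORESOURCE_PREFETCH check to avoid the nested if/else.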

2017-08-18 13:45:08

by Ben Hutchings

Subject: [PATCH 3.16 040/134] perf inject: Don't proceed if perf_session__process_event() fails

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Carrillo-Cisneros <[email protected]>

commit bb8d521f77f3e68a713456b7fb1e99f52ff3342c upstream.

All paths following perf_session__process_event() in __cmd_inject() are
useless if __cmd_inject() is to fail; some depend on a correct
session->evlist.

First commit to add code that depends on session->evlist without checking
error was commit e558a5bd8b ("perf inject: Work with files"). It has
grown since then.

Change __cmd_inject() to fail immediately after
perf_session__process_event() fails.

Signed-off-by: David Carrillo-Cisneros <[email protected]>
Acked-by: Jiri Olsa <[email protected]>
Cc: Alexander Shishkin <[email protected]>
Cc: Andi Kleen <[email protected]>
Cc: Andrew Vagin <[email protected]>
Cc: He Kuang <[email protected]>
Cc: Masami Hiramatsu <[email protected]>
Cc: Paul Turner <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Simon Que <[email protected]>
Cc: Stephane Eranian <[email protected]>
Cc: Wang Nan <[email protected]>
Fixes: e558a5bd8b74 ("perf inject: Work with files")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
tools/perf/builtin-inject.c | 2 ++
1 file changed, 2 insertions(+)

--- a/tools/perf/builtin-inject.c
+++ b/tools/perf/builtin-inject.c
@@ -387,6 +387,8 @@ static int __cmd_inject(struct perf_inje
lseek(file_out->fd, session->header.data_offset, SEEK_SET);

ret = perf_session__process_events(session, &inject->tool);
+ if (ret)
+ return ret;

if (!file_out->is_pipe) {
session->header.data_size = inject->bytes_written;
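Review bot: the commit subject and message refer to perf_session__process_event(), but the call checked here is perf_session__process_events() (plural); the message should name the function it guards. The early `return ret;` skips the header update and everything after it in __cmd_inject(); that is the intent, but please confirm nothing acquired earlier in the function (not visible in the hunk) needed releasing past this point.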

2017-08-18 13:45:10

by Ben Hutchings

Subject: [PATCH 3.16 049/134] perf/x86: Fix spurious NMI with PEBS Load Latency event

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kan Liang <[email protected]>

commit fd583ad1563bec5f00140e1f2444adbcd331caad upstream.

Spurious NMIs will be observed with the following command:

while :; do
perf record -bae "cpu/umask=0x01,event=0xcd,ldlat=0x80/pp"
-e "cpu/umask=0x03,event=0x0/"
-e "cpu/umask=0x02,event=0x0/"
-e cycles,branches,cache-misses
-e cache-references -- sleep 10
done

The bug was introduced by commit:

8077eca079a2 ("perf/x86/pebs: Add workaround for broken OVFL status on HSW+")

That commit clears the status bits for the counters used for PEBS
events, by masking the whole 64 bits pebs_enabled. However, only the
low 32 bits of both status and pebs_enabled are reserved for PEBS-able
counters.

For status, bits 32-34 are fixed counter overflow bits. For
pebs_enabled, bits 32-34 are for PEBS Load Latency.

In the test case, the PEBS Load Latency event and fixed counter event
could overflow at the same time. The fixed counter overflow bit will
be cleared by mistake. Once it is cleared, the fixed counter overflow
will never be processed, which finally triggers a spurious NMI.

Correct the PEBS enabled mask by ignoring the non-PEBS bits.

Signed-off-by: Kan Liang <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Alexander Shishkin <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Stephane Eranian <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Vince Weaver <[email protected]>
Fixes: 8077eca079a2 ("perf/x86/pebs: Add workaround for broken OVFL status on HSW+")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
[bwh: Backported to 3.16:
- Drop change in get_next_pebs_record_by_bit()
- Adjust filenames]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -1421,7 +1421,7 @@ again:
* counters from the GLOBAL_STATUS mask and we always process PEBS
* events via drain_pebs().
*/
- status &= ~cpuc->pebs_enabled;
+ status &= ~(cpuc->pebs_enabled & PEBS_COUNTER_MASK);

/*
* PEBS overflow sets bit 62 in the global status register
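Review bot: the comment above the masked line still only says that PEBS counters are cleared from the GLOBAL_STATUS mask; it should also say why the mask is now restricted, i.e. that status bits 32-34 are fixed-counter overflow bits that must survive this clear, since that is the whole bug being fixed. Worth recording in the same comment that the 3.16 backport drops the matching change in get_next_pebs_record_by_bit(), so a reader grepping for other users of pebs_enabled should not expect one here.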
--- a/arch/x86/kernel/cpu/perf_event.h
+++ b/arch/x86/kernel/cpu/perf_event.h
@@ -79,6 +79,7 @@ struct amd_nb {

/* The maximal number of PEBS events: */
#define MAX_PEBS_EVENTS 8
+#define PEBS_COUNTER_MASK ((1ULL << MAX_PEBS_EVENTS) - 1)

/*
* A debug store configuration.
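Review bot: PEBS_COUNTER_MASK is derived from MAX_PEBS_EVENTS and therefore covers bits 0-7, whereas the commit message talks about the low 32 bits being reserved for PEBS-able counters; the two agree only because at most MAX_PEBS_EVENTS general-purpose counters can have PEBS enabled, so a short comment next to the define (general-purpose counters that may have PEBS enabled; excludes the Load Latency bits 32-34) would keep the next reader from widening it to 32 bits.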

2017-08-18 13:45:06

by Ben Hutchings

Subject: [PATCH 3.16 055/134] [media] zr364xx: enforce minimum size when reading header

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alyssa Milburn <[email protected]>

commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream.

This code copies actual_length-128 bytes from the header, which will
underflow if the received buffer is too small.

Signed-off-by: Alyssa Milburn <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/zr364xx/zr364xx.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/drivers/media/usb/zr364xx/zr364xx.c
+++ b/drivers/media/usb/zr364xx/zr364xx.c
@@ -605,6 +605,14 @@ static int zr364xx_read_video_callback(s
ptr = pdest = frm->lpvbits;

if (frm->ulState == ZR364XX_READ_IDLE) {
+ if (purb->actual_length < 128) {
+ /* header incomplete */
+ dev_info(&cam->udev->dev,
+ "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
+ __func__, purb->actual_length);
+ return -EINVAL;
+ }
+
frm->ulState = ZR364XX_READ_FRAME;
frm->cur_size = 0;
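Review bot: the guard is right (purb->actual_length is unsigned, so actual_length - 128 wraps on a short URB), but dev_info() on every short transfer is not rate-limited and a misbehaving or malicious device can hit this path at URB rate; use dev_dbg() or dev_info_ratelimited() here. The check also lives only in the ZR364XX_READ_IDLE branch; a one-line comment stating that this is the state that skips the 128-byte header would make that placement intentional rather than accidental.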

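The underflow described in this patch, as an added example that is not part of the zr364xx driver or of this series: a user-space model of the read callback's state machine, with the `< 128` guard, a second bound on the frame buffer (the driver's own buffer handling is not visible in the hunk, so that part is an assumption of the model), and the unchecked arithmetic the patch removes kept alongside for comparison. The type and function names (frame_t, zr_read_callback, unchecked_payload_len, zr_selftest) are invented here.

```c
/* Added example, not zr364xx code: model of the bulk-read callback. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HEADER_LEN 128      /* JPEG header bytes skipped in the first URB */
#define FRAME_MAX  4096     /* constructed frame buffer size (assumption) */

typedef enum { READ_IDLE, READ_FRAME } read_state_t;

typedef struct {
    read_state_t state;
    size_t cur_size;
    uint8_t data[FRAME_MAX];
} frame_t;

/* Returns payload bytes consumed, or a negative errno. */
int zr_read_callback(frame_t *frm, const uint8_t *buf, uint32_t actual_length)
{
    size_t len;

    if (frm->state == READ_IDLE) {
        /* Without this guard actual_length - HEADER_LEN wraps for a
         * short URB and the copy length becomes close to 4 GiB. */
        if (actual_length < HEADER_LEN)
            return -EINVAL;
        frm->state = READ_FRAME;
        frm->cur_size = 0;
        buf += HEADER_LEN;
        len = actual_length - HEADER_LEN;
    } else {
        len = actual_length;
    }

    /* Second bound: a large but well-formed URB must not overrun the
     * frame buffer either. */
    if (len > FRAME_MAX - frm->cur_size)
        return -EOVERFLOW;

    memcpy(frm->data + frm->cur_size, buf, len);
    frm->cur_size += len;
    return (int)len;
}

/* The unchecked arithmetic as it was before the patch. */
uint32_t unchecked_payload_len(uint32_t actual_length)
{
    return actual_length - HEADER_LEN;
}

/* Drives the model with constructed URB lengths; 0 means all checks passed. */
int zr_selftest(void)
{
    static uint8_t urb[FRAME_MAX];   /* constructed URB payload, all zero */
    frame_t frm = { READ_IDLE, 0, { 0 } };

    /* 100-byte URB in IDLE: rejected, state unchanged */
    if (zr_read_callback(&frm, urb, 100) != -EINVAL || frm.state != READ_IDLE)
        return 1;
    /* 256-byte URB in IDLE: header skipped, 128 payload bytes stored */
    if (zr_read_callback(&frm, urb, 256) != 128 || frm.cur_size != 128)
        return 2;
    /* subsequent URB: no header, all 256 bytes stored */
    if (zr_read_callback(&frm, urb, 256) != 256 || frm.cur_size != 384)
        return 3;
    /* URB that would overrun the frame buffer: rejected, nothing copied */
    if (zr_read_callback(&frm, urb, 4000) != -EOVERFLOW || frm.cur_size != 384)
        return 4;
    return 0;
}
```

unchecked_payload_len(100) shows the pre-patch value the driver would have handed to memcpy(); the model's second bound is the check a reviewer would ask for next, since a device can also send a long URB.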

2017-08-18 13:45:04

by Ben Hutchings

Subject: [PATCH 3.16 056/134] regulator: tps65023: Fix inverted core enable logic.

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Richard Cochran <[email protected]>

commit c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 upstream.

Commit 43530b69d758328d3ffe6ab98fd640463e8e3667 ("regulator: Use
regmap_read/write(), regmap_update_bits functions directly") intended
to replace working inline helper functions with standard regmap
calls. However, it also inverted the set/clear logic of the "CORE ADJ
Allowed" bit. That patch was clearly never tested, since without that
bit cleared, the core VDCDC1 voltage output does not react to I2C
configuration changes.

This patch fixes the issue by clearing the bit as in the original,
correct implementation. Note for stable back porting that, due to
subsequent driver churn, this patch will not apply on every kernel
version.

Fixes: 43530b69d758 ("regulator: Use regmap_read/write(), regmap_update_bits functions directly")
Signed-off-by: Richard Cochran <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/regulator/tps65023-regulator.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/regulator/tps65023-regulator.c
+++ b/drivers/regulator/tps65023-regulator.c
@@ -293,8 +293,7 @@ static int tps_65023_probe(struct i2c_cl

/* Enable setting output voltage by I2C */
regmap_update_bits(tps->regmap, TPS65023_REG_CON_CTRL2,
- TPS65023_REG_CTRL2_CORE_ADJ,
- TPS65023_REG_CTRL2_CORE_ADJ);
+ TPS65023_REG_CTRL2_CORE_ADJ, 0);

return 0;
}
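Review bot: the return value of regmap_update_bits() is still discarded, so if the I2C write that clears CORE_ADJ fails, probe succeeds and VDCDC1 silently ignores voltage changes, which is exactly the symptom this patch fixes; assign the result and return it instead of the unconditional `return 0;` below.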

2017-08-18 13:46:04

by Ben Hutchings

Subject: [PATCH 3.16 051/134] iio: proximity: as3935: fix as3935_write

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Matt Ranostay <[email protected]>

commit 84ca8e364acb26aba3292bc113ca8ed4335380fd upstream.

The AS3935_WRITE_DATA macro bit is incorrect; the actual write
sequence is two leading zeros.

Cc: George McCollister <[email protected]>
Signed-off-by: Matt Ranostay <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/iio/proximity/as3935.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/iio/proximity/as3935.c
+++ b/drivers/iio/proximity/as3935.c
@@ -50,7 +50,6 @@
#define AS3935_TUNE_CAP 0x08
#define AS3935_CALIBRATE 0x3D

-#define AS3935_WRITE_DATA BIT(15)
#define AS3935_READ_DATA BIT(14)
#define AS3935_ADDRESS(x) ((x) << 8)
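Review bot: with AS3935_WRITE_DATA removed nothing in the header says what a write frame looks like; add a comment beside AS3935_READ_DATA such as /* write frame: bits 15:14 are 00 */ so the protocol is documented in one place rather than implied by the absence of a define.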

@@ -105,7 +104,7 @@ static int as3935_write(struct as3935_st
{
u8 *buf = st->buf;

- buf[0] = (AS3935_WRITE_DATA | AS3935_ADDRESS(reg)) >> 8;
+ buf[0] = AS3935_ADDRESS(reg) >> 8;
buf[1] = val;

return spi_write(st->spi, buf, 2);
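Review bot: `buf[0] = AS3935_ADDRESS(reg) >> 8` is just `reg` after the shift round-trip, and nothing masks reg to the address field; since AS3935_READ_DATA is BIT(14) and AS3935_ADDRESS() places the register in bits 8 and up, a reg value of 0x40 or more would set bit 14 (or 15) and turn the write into a different frame type. Mask the address to its 6 bits (or WARN_ON an out-of-range reg) so the register argument cannot change the transaction kind.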

2017-08-18 13:46:03

by Ben Hutchings

Subject: [PATCH 3.16 032/134] MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Huacai Chen <[email protected]>

commit 17c99d9421695a0e0de18bf1e7091d859e20ec1d upstream.

Some newer Loongson-3 have 64-byte cache lines, so select
MIPS_L1_CACHE_SHIFT_6.

Signed-off-by: Huacai Chen <[email protected]>
Cc: John Crispin <[email protected]>
Cc: Steven J . Hill <[email protected]>
Cc: Fuxin Zhang <[email protected]>
Cc: Zhangjin Wu <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/15755/
Signed-off-by: Ralf Baechle <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/Kconfig | 1 +
1 file changed, 1 insertion(+)

--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -1193,6 +1193,7 @@ config CPU_LOONGSON3
select CPU_SUPPORTS_HUGEPAGES
select WEAK_ORDERING
select WEAK_REORDERING_BEYOND_LLSC
+ select MIPS_L1_CACHE_SHIFT_6
help
The Loongson 3 processor implements the MIPS64R2 instruction
set with many extensions.
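Review bot: the commit message says only some newer Loongson-3 parts have 64-byte lines, but the select applies to every CPU_LOONGSON3 build; that is safe because a larger L1 cache shift merely over-aligns on parts with 32-byte lines, but a comment on the select line saying so would stop the next person from "fixing" it back to the smaller value.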

2017-08-18 13:46:02

by Ben Hutchings

Subject: [PATCH 3.16 054/134] [media] digitv: limit messages to buffer size

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alyssa Milburn <[email protected]>

commit 821117dc21083a99dd99174c10848d70ff43de29 upstream.

Return an error rather than memcpy()ing beyond the end of the buffer.
Internal callers use appropriate sizes, but digitv_i2c_xfer may not.

Signed-off-by: Alyssa Milburn <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/media/usb/dvb-usb/digitv.c
+++ b/drivers/media/usb/dvb-usb/digitv.c
@@ -30,6 +30,10 @@ static int digitv_ctrl_msg(struct dvb_us
{
int wo = (rbuf == NULL || rlen == 0); /* write-only */
u8 sndbuf[7],rcvbuf[7];
+
+ if (wlen > 4 || rlen > 4)
+ return -EIO;
+
memset(sndbuf,0,7); memset(rcvbuf,0,7);

sndbuf[0] = cmd;
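Review bot: the bound of 4 is a magic number while sndbuf and rcvbuf are sized with the literal 7 two lines above; tie them together (a define for the payload size plus sizeof() for the buffers) so one cannot be changed without the other, and consider returning -EINVAL rather than -EIO, since the fault is a bad request size rather than an I/O failure.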

2017-08-18 13:47:32

by Ben Hutchings

Subject: [PATCH 3.16 046/134] ARM: dts: at91: sama5d3_xplained: fix ADC vref

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ludovic Desroches <[email protected]>

commit 9cdd31e5913c1f86dce7e201b086155b3f24896b upstream.

The voltage reference for the ADC is not 3V but 3.3V since it is connected to
VDDANA.

Signed-off-by: Ludovic Desroches <[email protected]>
Acked-by: Nicolas Ferre <[email protected]>
Signed-off-by: Alexandre Belloni <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/arm/boot/dts/at91-sama5d3_xplained.dts | 1 +
1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts
+++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts
@@ -141,6 +141,7 @@
};

adc0: adc@f8018000 {
+ atmel,adc-vref = <3300>;
pinctrl-0 = <
&pinctrl_adc0_adtrg
&pinctrl_adc0_ad0
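Review bot: `atmel,adc-vref = <3300>` carries no unit on the line; the binding value is in millivolts and the commit message explains the 3.3 V comes from VDDANA, so a short comment next to the property (VDDANA, in mV) would make the number self-explanatory in the DTS.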

2017-08-18 13:47:31

by Ben Hutchings

Subject: [PATCH 3.16 047/134] ARM: dts: at91: sama5d3_xplained: not all ADC channels are available

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ludovic Desroches <[email protected]>

commit d3df1ec06353e51fc44563d2e7e18d42811af290 upstream.

Remove ADC channels that are not available by default on the sama5d3_xplained
board (resistor not populated) in order to not create confusion.

Signed-off-by: Ludovic Desroches <[email protected]>
Acked-by: Nicolas Ferre <[email protected]>
Signed-off-by: Alexandre Belloni <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/arm/boot/dts/at91-sama5d3_xplained.dts | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts
+++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts
@@ -142,9 +142,9 @@

adc0: adc@f8018000 {
atmel,adc-vref = <3300>;
+ atmel,adc-channels-used = <0xfe>;
pinctrl-0 = <
&pinctrl_adc0_adtrg
- &pinctrl_adc0_ad0
&pinctrl_adc0_ad1
&pinctrl_adc0_ad2
&pinctrl_adc0_ad3
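Review bot: `atmel,adc-channels-used = <0xfe>` encodes the board state (channels 1-7 usable, 0 and 8-9 unpopulated) as a bare bitmask; add a comment naming the unpopulated channels so the mask and the pinctrl list below it stay in step if the board is ever reworked.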
@@ -152,8 +152,6 @@
&pinctrl_adc0_ad5
&pinctrl_adc0_ad6
&pinctrl_adc0_ad7
- &pinctrl_adc0_ad8
- &pinctrl_adc0_ad9
>;
status = "okay";
};

2017-08-18 13:47:30

by Ben Hutchings

Subject: [PATCH 3.16 050/134] iio: dac: ad7303: fix channel description

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Pavel Roskin <[email protected]>

commit ce420fd4251809b4c3119b3b20c8b13bd8eba150 upstream.

realbits, storagebits and shift should be numbers, not ASCII characters.

Signed-off-by: Pavel Roskin <[email protected]>
Reviewed-by: Lars-Peter Clausen <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/iio/dac/ad7303.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/iio/dac/ad7303.c
+++ b/drivers/iio/dac/ad7303.c
@@ -184,9 +184,9 @@ static const struct iio_chan_spec_ext_in
.address = (chan), \
.scan_type = { \
.sign = 'u', \
- .realbits = '8', \
- .storagebits = '8', \
- .shift = '0', \
+ .realbits = 8, \
+ .storagebits = 8, \
+ .shift = 0, \
}, \
.ext_info = ad7303_ext_info, \
}
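Review bot: the wrong values compiled cleanly because '8' and '0' are ordinary integer constants (56 and 48) and the scan_type fields are plain integers; a build-time check that realbits + shift <= storagebits would have caught 56 + 48 > 56 here, so consider adding one in the macro (or in the IIO core) rather than relying on review to spot quoted digits.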

2017-08-18 13:48:15

by Ben Hutchings

Subject: [PATCH 3.16 044/134] vfio/type1: Remove locked page accounting workqueue

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alex Williamson <[email protected]>

commit 0cfef2b7410b64d7a430947e0b533314c4f97153 upstream.

If the mmap_sem is contended then the vfio type1 IOMMU backend will
defer locked page accounting updates to a workqueue task. This has a
few problems and depending on which side the user tries to play, they
might be over-penalized for unmaps that haven't yet been accounted or
race the workqueue to enter more mappings than they're allowed. The
original intent of this workqueue mechanism seems to be focused on
reducing latency through the ioctl, but we cannot do so at the cost
of correctness. Remove this workqueue mechanism and update the
callers to allow for failure. We can also now recheck the limit under
write lock to make sure we don't exceed it.

vfio_pin_pages_remote() also now necessarily includes an unwind path
which we can jump to directly if the consecutive page pinning finds
that we're exceeding the user's memory limits. This avoids the
current lazy approach which does accounting and mapping up to the
fault, only to return an error on the next iteration to unwind the
entire vfio_dma.

Reviewed-by: Peter Xu <[email protected]>
Reviewed-by: Kirti Wankhede <[email protected]>
Signed-off-by: Alex Williamson <[email protected]>
[bwh: Backported to 3.16:
- vfio_lock_acct() always operates on current->mm
- Drop changes to vfio_{,un}pin_page_external() and
vfio_iommu_unmap_unpin_reaccount()
- Drop test of rsvd flag
- Fix up the disable_hugepages case in vfio_pin_pages()
- Use down_write() instead of down_write_killable()
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -128,57 +128,37 @@ static void vfio_unlink_dma(struct vfio_
rb_erase(&old->node, &iommu->dma_list);
}

-struct vwork {
- struct mm_struct *mm;
- long npage;
- struct work_struct work;
-};
-
-/* delayed decrement/increment for locked_vm */
-static void vfio_lock_acct_bg(struct work_struct *work)
+static int vfio_lock_acct(long npage, bool *lock_cap)
{
- struct vwork *vwork = container_of(work, struct vwork, work);
struct mm_struct *mm;
+ int ret;

- mm = vwork->mm;
- down_write(&mm->mmap_sem);
- mm->locked_vm += vwork->npage;
- up_write(&mm->mmap_sem);
- mmput(mm);
- kfree(vwork);
-}
+ if (!npage)
+ return 0;

-static void vfio_lock_acct(long npage)
-{
- struct vwork *vwork;
- struct mm_struct *mm;
+ mm = current->mm;
+ if (!mm)
+ return -ESRCH; /* process exited */

- if (!current->mm || !npage)
- return; /* process exited or nothing to do */
+ ret = 0;
+ down_write(&mm->mmap_sem);
+ if (npage > 0) {
+ if (lock_cap ? !*lock_cap : !capable(CAP_IPC_LOCK)) {
+ unsigned long limit;

- if (down_write_trylock(&current->mm->mmap_sem)) {
- current->mm->locked_vm += npage;
- up_write(&current->mm->mmap_sem);
- return;
- }
+ limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;

- /*
- * Couldn't get mmap_sem lock, so must setup to update
- * mm->locked_vm later. If locked_vm were atomic, we
- * wouldn't need this silliness
- */
- vwork = kmalloc(sizeof(struct vwork), GFP_KERNEL);
- if (!vwork)
- return;
- mm = get_task_mm(current);
- if (!mm) {
- kfree(vwork);
- return;
+ if (mm->locked_vm + npage > limit)
+ ret = -ENOMEM;
+ }
}
- INIT_WORK(&vwork->work, vfio_lock_acct_bg);
- vwork->mm = mm;
- vwork->npage = npage;
- schedule_work(&vwork->work);
+
+ if (!ret)
+ mm->locked_vm += npage;
+
+ up_write(&mm->mmap_sem);
+
+ return ret;
}

/*
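Review bot: lock_cap is a bool pointer whose NULL value means "evaluate capable(CAP_IPC_LOCK) here" and whose non-NULL value means "the caller already did"; that deserves a comment above vfio_lock_acct(), especially since the two NULL callers below also pass negative npage and never reach the check. The -ESRCH return when current->mm is NULL now applies to the unaccounting path as well, and those callers ignore the return value, so also state in a comment that dropping the decrement for an exited process is intended.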
@@ -260,7 +240,7 @@ static int vaddr_get_pfn(unsigned long v
static long vfio_pin_pages(unsigned long vaddr, long npage,
int prot, unsigned long *pfn_base)
{
- unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
+ unsigned long pfn = 0, limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
bool lock_cap = capable(CAP_IPC_LOCK);
long ret, i;

@@ -282,14 +262,13 @@ static long vfio_pin_pages(unsigned long
}

if (unlikely(disable_hugepages)) {
- vfio_lock_acct(1);
- return 1;
+ ret = vfio_lock_acct(1, &lock_cap);
+ i = 1;
+ goto unpin_out;
}

/* Lock all the consecutive pages from pfn_base */
for (i = 1, vaddr += PAGE_SIZE; i < npage; i++, vaddr += PAGE_SIZE) {
- unsigned long pfn = 0;
-
ret = vaddr_get_pfn(vaddr, prot, &pfn);
if (ret)
break;
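Review bot: in the disable_hugepages branch the assignment `i = 1` reads like a loop-variable leftover; it is actually the count of pages to release from *pfn_base at unpin_out if vfio_lock_acct() fails, so a comment such as /* one page pinned at *pfn_base */ would let the goto path be reviewed without tracing the unwind loop.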
@@ -303,11 +282,20 @@ static long vfio_pin_pages(unsigned long
put_pfn(pfn, prot);
pr_warn("%s: RLIMIT_MEMLOCK (%ld) exceeded\n",
__func__, limit << PAGE_SHIFT);
- break;
+ ret = -ENOMEM;
+ goto unpin_out;
}
}

- vfio_lock_acct(i);
+ ret = vfio_lock_acct(i, &lock_cap);
+
+unpin_out:
+ if (ret) {
+ for (pfn = *pfn_base ; i ; pfn++, i--)
+ put_pfn(pfn, prot);
+
+ return ret;
+ }

return i;
}
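Review bot: the pr_warn() at the RLIMIT_MEMLOCK check is reachable in a tight loop by an unprivileged user who keeps mapping at the limit, and now every hit also fails the ioctl, so it should be pr_warn_ratelimited(); separately, `for (pfn = *pfn_base ; i ; pfn++, i--)` has a stray space before the first semicolon that checkpatch will flag.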
@@ -322,7 +310,7 @@ static long vfio_unpin_pages(unsigned lo
unlocked += put_pfn(pfn++, prot);

if (do_accounting)
- vfio_lock_acct(-unlocked);
+ vfio_lock_acct(-unlocked, NULL);

return unlocked;
}
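Review bot: the return value of vfio_lock_acct(-unlocked, NULL) is dropped; it can only fail with -ESRCH (no mm, process gone) because negative values skip the limit check, but that reasoning lives in the callee, so a one-line comment here would stop someone from wrapping the call in a WARN_ON later.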
@@ -368,7 +356,7 @@ static void vfio_unmap_unpin(struct vfio
iova += unmapped;
}

- vfio_lock_acct(-unlocked);
+ vfio_lock_acct(-unlocked, NULL);
}

static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)

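The accounting pattern this patch moves to, as an added example that is not vfio code and not part of this series: a user-space model in which the limit check and the locked_vm update happen under one lock, a failure is returned instead of deferred to a workqueue, and the caller unwinds every page it pinned when accounting fails. struct mm_model, lock_acct, pin_pages, unpin_pages and acct_selftest are invented names; the mutex stands in for mmap_sem and the per-model limit stands in for RLIMIT_MEMLOCK in pages.

```c
/* Added example, not vfio code: accounting with recheck under lock. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>

struct mm_model {
    pthread_mutex_t lock;   /* stands in for mmap_sem */
    long locked_vm;         /* pages currently accounted */
    long limit;             /* stands in for RLIMIT_MEMLOCK >> PAGE_SHIFT */
    long pinned;            /* pages holding an elevated refcount */
};

/* Account npage (positive or negative) atomically with the limit check;
 * lock_cap models CAP_IPC_LOCK, which bypasses the limit. */
int lock_acct(struct mm_model *mm, long npage, bool lock_cap)
{
    int ret = 0;

    if (!npage)
        return 0;
    pthread_mutex_lock(&mm->lock);
    if (npage > 0 && !lock_cap && mm->locked_vm + npage > mm->limit)
        ret = -ENOMEM;
    if (!ret)
        mm->locked_vm += npage;
    pthread_mutex_unlock(&mm->lock);
    return ret;
}

static int get_page(struct mm_model *mm) { mm->pinned++; return 0; }
static void put_page(struct mm_model *mm) { mm->pinned--; }

/* Pin npage pages, then account for them. On any failure unwind every
 * pin taken so far, so neither pinned nor locked_vm leaks.
 * Returns the number of pages pinned, or a negative errno. */
long pin_pages(struct mm_model *mm, long npage, bool lock_cap)
{
    long i, ret;

    for (i = 0; i < npage; i++) {
        ret = get_page(mm);
        if (ret)
            goto unpin_out;
        /* Cheap unlocked pre-check, as in the driver's pinning loop;
         * it is advisory only because locked_vm can change under us. */
        if (!lock_cap && mm->locked_vm + i + 1 > mm->limit) {
            put_page(mm);           /* release the page just pinned */
            ret = -ENOMEM;
            goto unpin_out;
        }
    }
    ret = lock_acct(mm, i, lock_cap);   /* authoritative check under lock */

unpin_out:
    if (ret) {
        for (; i; i--)              /* unwind the i pages pinned above */
            put_page(mm);
        return ret;
    }
    return i;
}

long unpin_pages(struct mm_model *mm, long npage)
{
    long i;

    for (i = 0; i < npage; i++)
        put_page(mm);
    lock_acct(mm, -npage, false);   /* negative values never fail the limit */
    return npage;
}

/* Constructed scenario with a 10-page limit; 0 means every check passed. */
int acct_selftest(void)
{
    struct mm_model mm = { PTHREAD_MUTEX_INITIALIZER, 0, 10, 0 };

    if (pin_pages(&mm, 6, false) != 6 || mm.locked_vm != 6 || mm.pinned != 6)
        return 1;
    /* 6 + 5 exceeds the limit: rejected, nothing leaked */
    if (pin_pages(&mm, 5, false) != -ENOMEM || mm.locked_vm != 6 || mm.pinned != 6)
        return 2;
    /* the capability bypasses the limit */
    if (pin_pages(&mm, 5, true) != 5 || mm.locked_vm != 11 || mm.pinned != 11)
        return 3;
    if (unpin_pages(&mm, 11) != 11 || mm.locked_vm != 0 || mm.pinned != 0)
        return 4;
    return 0;
}
```

The point of the model is the failure path: the pre-check inside the loop can race with another thread, so the decision that counts is the one lock_acct() makes with the lock held, and a rejection there must unwind pins already taken rather than leaving them for a later call to clean up.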
2017-08-18 13:48:13

by Ben Hutchings

Subject: [PATCH 3.16 041/134] serial: omap: fix runtime-pm handling on unbind

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 099bd73dc17ed77aa8c98323e043613b6e8f54fc upstream.

An unbalanced and misplaced synchronous put was used to suspend the
device on driver unbind, something which with a likewise misplaced
pm_runtime_disable leads to external aborts when an open port is being
removed.

Unhandled fault: external abort on non-linefetch (0x1028) at 0xfa024010
...
[<c046e760>] (serial_omap_set_mctrl) from [<c046a064>] (uart_update_mctrl+0x50/0x60)
[<c046a064>] (uart_update_mctrl) from [<c046a400>] (uart_shutdown+0xbc/0x138)
[<c046a400>] (uart_shutdown) from [<c046bd2c>] (uart_hangup+0x94/0x190)
[<c046bd2c>] (uart_hangup) from [<c045b760>] (__tty_hangup+0x404/0x41c)
[<c045b760>] (__tty_hangup) from [<c045b794>] (tty_vhangup+0x1c/0x20)
[<c045b794>] (tty_vhangup) from [<c046ccc8>] (uart_remove_one_port+0xec/0x260)
[<c046ccc8>] (uart_remove_one_port) from [<c046ef4c>] (serial_omap_remove+0x40/0x60)
[<c046ef4c>] (serial_omap_remove) from [<c04845e8>] (platform_drv_remove+0x34/0x4c)

Fix this up by resuming the device before deregistering the port and by
suspending and disabling runtime pm only after the port has been
removed.

Also make sure to disable autosuspend before disabling runtime pm so
that the usage count is balanced and device actually suspended before
returning.

Note that due to a negative autosuspend delay being set in probe, the
unbalanced put would actually suspend the device on first driver unbind,
while rebinding and again unbinding would result in a negative
power.usage_count.

Fixes: 7e9c8e7dbf3b ("serial: omap: make sure to suspend device before remove")
Cc: Felipe Balbi <[email protected]>
Cc: Santosh Shilimkar <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Acked-by: Tony Lindgren <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/tty/serial/omap-serial.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/omap-serial.c
+++ b/drivers/tty/serial/omap-serial.c
@@ -1754,9 +1754,13 @@ static int serial_omap_remove(struct pla
{
struct uart_omap_port *up = platform_get_drvdata(dev);

+ pm_runtime_get_sync(up->dev);
+
+ uart_remove_one_port(&serial_omap_reg, &up->port);
+
+ pm_runtime_dont_use_autosuspend(up->dev);
pm_runtime_put_sync(up->dev);
pm_runtime_disable(up->dev);
- uart_remove_one_port(&serial_omap_reg, &up->port);
pm_qos_remove_request(&up->pm_qos_request);
device_init_wakeup(&dev->dev, false);
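Review bot: the return value of pm_runtime_get_sync() is ignored; if the resume fails, removal still proceeds to uart_remove_one_port() and the register accesses behind the external abort quoted in the commit message, so check for a negative return and bail (or at least log it). The ordering itself, get, remove port, dont_use_autosuspend, put_sync, disable, matches the probe error path and looks right.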


2017-08-18 13:48:12

by Ben Hutchings

Subject: [PATCH 3.16 045/134] power: supply: lp8788: prevent out of bounds array access

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Giedrius Statkevičius <[email protected]>

commit bdd9968d35f7fcdb76089347d1529bf079534214 upstream.

val might become 7 in which case stime[7] (array of length 7) would be
accessed during the scnprintf call later and that will cause issues.
Obviously, string concatenation is not intended here so just a comma needs
to be added to fix the issue.

Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver")
Signed-off-by: Giedrius Statkevičius <[email protected]>
Acked-by: Milo Kim <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/power/lp8788-charger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/power/lp8788-charger.c
+++ b/drivers/power/lp8788-charger.c
@@ -642,7 +642,7 @@ static ssize_t lp8788_show_eoc_time(stru
{
struct lp8788_charger *pchg = dev_get_drvdata(dev);
char *stime[] = { "400ms", "5min", "10min", "15min",
- "20min", "25min", "30min" "No timeout" };
+ "20min", "25min", "30min", "No timeout" };
u8 val;

lp8788_read_byte(pchg->lp, LP8788_CHG_EOC, &val);
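Review bot: the comma fixes the initializer, but nothing in this hunk bounds val before it indexes stime[], and the return value of lp8788_read_byte() is not checked, so on an I2C error val is the uninitialised u8 declared two lines above. Mask val to the field width or compare it against ARRAY_SIZE(stime) before the lookup, check the read's return value, and consider a BUILD_BUG_ON(ARRAY_SIZE(stime) != 8) so the missing comma would have failed the build.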

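The adjacent-string-literal pitfall behind this patch, as an added example that is not lp8788 code and not part of this series: the buggy and fixed tables side by side, a compile-time guard tying the table size to the register field so the missing comma would not compile, and a bounds-checked lookup. ARRAY_SIZE, LP8788_EOC_TIME_MASK (assumed here to be a 3-bit field, values 0 to 7), eoc_time_str and the *_count helpers are invented for this example.

```c
/* Added example, not lp8788 code: fused literals and a build-time guard. */
#include <stddef.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define LP8788_EOC_TIME_MASK 0x07   /* assumption: 3-bit field, 0..7 */

/* The original initializer: "30min" "No timeout" fuses into one literal,
 * so the array silently has 7 entries for an 8-valued field. */
static const char *stime_buggy[] = { "400ms", "5min", "10min", "15min",
                                     "20min", "25min", "30min" "No timeout" };

static const char *stime_fixed[] = { "400ms", "5min", "10min", "15min",
                                     "20min", "25min", "30min", "No timeout" };

/* The guard that turns the typo into a build failure. */
_Static_assert(ARRAY_SIZE(stime_fixed) == LP8788_EOC_TIME_MASK + 1,
               "eoc time table must cover every field value");

size_t stime_buggy_count(void) { return ARRAY_SIZE(stime_buggy); }
size_t stime_fixed_count(void) { return ARRAY_SIZE(stime_fixed); }

/* What the fused entry actually contains. */
const char *stime_buggy_last(void) { return stime_buggy[ARRAY_SIZE(stime_buggy) - 1]; }

/* Bounds-checked lookup: a register read can return any bit pattern, so
 * mask to the field and still refuse an index the table does not cover. */
const char *eoc_time_str(unsigned char val)
{
    val &= LP8788_EOC_TIME_MASK;
    if (val >= ARRAY_SIZE(stime_fixed))
        return "unknown";
    return stime_fixed[val];
}
```

With the buggy table, the _Static_assert line fails at compile time (7 != 8) and eoc_time_str(7) would otherwise read one past the array; with the fixed table it compiles and every field value maps to a string.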
2017-08-18 13:48:56

by Ben Hutchings

Subject: [PATCH 3.16 043/134] PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Woodhouse <[email protected]>

commit 6bccc7f426abd640f08d8c75fb22f99483f201b4 upstream.

In the PCI_MMAP_PROCFS case, when the address being passed by the user is a
'user visible' resource address based on the bus window, and not the actual
contents of the resource, that's what we need to be checking it against.

Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pci/pci-sysfs.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -965,15 +965,19 @@ void pci_remove_legacy_files(struct pci_
int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vma,
enum pci_mmap_api mmap_api)
{
- unsigned long nr, start, size, pci_start;
+ unsigned long nr, start, size;
+ resource_size_t pci_start = 0, pci_end;

if (pci_resource_len(pdev, resno) == 0)
return 0;
nr = vma_pages(vma);
start = vma->vm_pgoff;
size = ((pci_resource_len(pdev, resno) - 1) >> PAGE_SHIFT) + 1;
- pci_start = (mmap_api == PCI_MMAP_PROCFS) ?
- pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
+ if (mmap_api == PCI_MMAP_PROCFS) {
+ pci_resource_to_user(pdev, resno, &pdev->resource[resno],
+ &pci_start, &pci_end);
+ pci_start >>= PAGE_SHIFT;
+ }
if (start >= pci_start && start < pci_start + size &&
start + nr <= pci_start + size)
return 1;
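Review bot: pci_end is filled in by pci_resource_to_user() but never read, while size still comes from pci_resource_len(); if the user-visible window can differ in length from the resource, the range check is made against the wrong size, and if it cannot, the unused variable should go. Either derive size from pci_end - pci_start in the PCI_MMAP_PROCFS case or add a comment stating that the two lengths are guaranteed equal.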

2017-08-18 13:48:54

by Ben Hutchings

Subject: [PATCH 3.16 042/134] serial: omap: suspend device on probe errors

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 77e6fe7fd2b7cba0bf2f2dc8cde51d7b9a35bf74 upstream.

Make sure to actually suspend the device before returning after a failed
(or deferred) probe.

Note that autosuspend must be disabled before runtime pm is disabled in
order to balance the usage count due to a negative autosuspend delay as
well as to make the final put suspend the device synchronously.

Fixes: 388bc2622680 ("omap-serial: Fix the error handling in the omap_serial probe")
Cc: Shubhrajyoti D <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Acked-by: Tony Lindgren <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/tty/serial/omap-serial.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/omap-serial.c
+++ b/drivers/tty/serial/omap-serial.c
@@ -1741,7 +1741,8 @@ static int serial_omap_probe(struct plat
return 0;

err_add_port:
- pm_runtime_put(&pdev->dev);
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
pm_runtime_disable(&pdev->dev);
err_rs485:
err_port_line:
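Review bot: the order dont_use_autosuspend, put_sync, disable is a hard requirement (the commit message explains that autosuspend must be turned off first so the put suspends synchronously and balances the negative autosuspend delay), but nothing in the code says so; a comment on the pm_runtime_dont_use_autosuspend() line would keep a future cleanup from reordering these three calls.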

2017-08-18 13:53:21

by Eric Dumazet

Subject: Re: [PATCH 3.16 119/134] ipv4: restore rt->fi for reference counting

On Fri, Aug 18, 2017 at 6:13 AM, Ben Hutchings <[email protected]> wrote:
> 3.16.47-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: WANG Cong <[email protected]>
>
> commit 82486aa6f1b9bc8145e6d0fa2bc0b44307f3b875 upstream.
>
> IPv4 dst could use fi->fib_metrics to store metrics but fib_info
> itself is refcnt'ed, so without taking a refcnt fi and
> fi->fib_metrics could be freed while dst metrics still points to
> it. This triggers use-after-free as reported by Andrey twice.
>
> This patch reverts commit 2860583fe840 ("ipv4: Kill rt->fi") to
> restore this reference counting. It is a quick fix for -net and
> -stable, for -net-next, as Eric suggested, we can consider doing
> reference counting for metrics itself instead of relying on fib_info.
>
> IPv6 is very different, it copies or steals the metrics from mx6_config
> in fib6_commit_metrics() so probably doesn't need a refcnt.
>
> Decnet has already done the refcnt'ing, see dn_fib_semantic_match().
>
> Fixes: 2860583fe840 ("ipv4: Kill rt->fi")
> Reported-by: Andrey Konovalov <[email protected]>
> Tested-by: Andrey Konovalov <[email protected]>
> Signed-off-by: Cong Wang <[email protected]>
> Acked-by: Eric Dumazet <[email protected]>
> Signed-off-by: David S. Miller <[email protected]>
> [bwh: Backported to 3.16:
> - Update all 5 places where rtable is initialised
> - Open-code fib_info_hold()
> - Adjust context]
> Signed-off-by: Ben Hutchings <[email protected]>
> ---

I thought we refined this later with :

commit 3fb07daff8e99243366a081e5129560734de4ada
Author: Eric Dumazet <[email protected]>
Date: Thu May 25 14:27:35 2017 -0700

ipv4: add reference counting to metrics

Andrey Konovalov reported crashes in ipv4_mtu()

I could reproduce the issue with KASAN kernels, between
10.246.7.151 and 10.246.7.152 :

1) 20 concurrent netperf -t TCP_RR -H 10.246.7.152 -l 1000 &

2) At the same time run following loop :
while :
do
ip ro add 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
ip ro del 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
done

Cong Wang attempted to add back rt->fi in commit
82486aa6f1b9 ("ipv4: restore rt->fi for reference counting")
but this proved to add some issues that were complex to solve.

Instead, I suggested to add a refcount to the metrics themselves,
being a standalone object (in particular, no reference to other objects)

I tried to make this patch as small as possible to ease its backport,
instead of being super clean. Note that we believe that only ipv4 dst
need to take care of the metric refcount. But if this is wrong,
this patch adds the basic infrastructure to extend this to other
families.

Many thanks to Julian Anastasov for reviewing this patch, and Cong Wang
for his efforts on this problem.

Fixes: 2860583fe840 ("ipv4: Kill rt->fi")
Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: Andrey Konovalov <[email protected]>
Reviewed-by: Julian Anastasov <[email protected]>
Acked-by: Cong Wang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>


And then :

commit 187e5b3ac84d3421d2de3aca949b2791fbcad554
Author: Eric Dumazet <[email protected]>
Date: Tue Aug 15 05:26:17 2017 -0700

ipv4: fix NULL dereference in free_fib_info_rcu()

If fi->fib_metrics could not be allocated in fib_create_info()
we attempt to dereference a NULL pointer in free_fib_info_rcu() :

m = fi->fib_metrics;
if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
kfree(m);

Before my recent patch, we used to call kfree(NULL) and nothing wrong
happened.

Instead of using RCU to defer freeing while we are under memory stress,
it seems better to take immediate action.

This was reported by syzkaller team.

Fixes: 3fb07daff8e9 ("ipv4: add reference counting to metrics")
Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

2017-08-18 13:53:18

by Ben Hutchings

Subject: [PATCH 3.16 035/134] [media] cx231xx-cards: fix NULL-deref at probe

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")

Cc: Sri Deevi <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/cx231xx/cx231xx-cards.c | 45 +++++++++++++++++++++++++++----
1 file changed, 40 insertions(+), 5 deletions(-)

--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
@@ -1258,6 +1258,9 @@ static int cx231xx_usb_probe(struct usb_
uif = udev->actconfig->interface[dev->current_pcb_config.
hs_config_info[0].interface_info.video_index + 1];

+ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
dev->video_mode.end_point_addr = uif->altsetting[0].
endpoint[isoc_pipe].desc.bEndpointAddress;
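Review bot: the same `bNumEndpoints < isoc_pipe + 1` test is pasted eight times across this patch with two different failure paths (a bare return -ENODEV here, goto err_video_alt in the ts1 hunks); a small static helper that validates an altsetting against isoc_pipe and returns -ENODEV would make the bound and its failure handling uniform and reviewable in one place.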

@@ -1275,8 +1278,12 @@ static int cx231xx_usb_probe(struct usb_
}

for (i = 0; i < dev->video_mode.num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
- desc.wMaxPacketSize);
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize);
dev->video_mode.alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
cx231xx_info("Alternate setting %i, max size= %i\n", i,
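Review bot: the rewritten `tmp = le16_to_cpu(...)` line is now well past 80 columns; keep the original two-line split (as the vbi and sliced_cc hunks below do) so checkpatch stays quiet and the hunk stays consistent with its neighbours.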
@@ -1288,6 +1295,9 @@ static int cx231xx_usb_probe(struct usb_
hs_config_info[0].interface_info.
vanc_index + 1];

+ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
dev->vbi_mode.end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].desc.
bEndpointAddress;
@@ -1306,8 +1316,12 @@ static int cx231xx_usb_probe(struct usb_
}

for (i = 0; i < dev->vbi_mode.num_alt; i++) {
- u16 tmp =
- le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
desc.wMaxPacketSize);
dev->vbi_mode.alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
@@ -1320,6 +1334,9 @@ static int cx231xx_usb_probe(struct usb_
hs_config_info[0].interface_info.
hanc_index + 1];

+ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
dev->sliced_cc_mode.end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].desc.
bEndpointAddress;
@@ -1338,7 +1355,12 @@ static int cx231xx_usb_probe(struct usb_
}

for (i = 0; i < dev->sliced_cc_mode.num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
desc.wMaxPacketSize);
dev->sliced_cc_mode.alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
@@ -1353,6 +1375,11 @@ static int cx231xx_usb_probe(struct usb_
interface_info.
ts1_index + 1];

+ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) {
+ retval = -ENODEV;
+ goto err_video_alt;
+ }
+
dev->ts1_mode.end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].
desc.bEndpointAddress;
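Review bot: this is the first check that uses `retval = -ENODEV; goto err_video_alt;` rather than a bare return, and the hunk does not say what has been allocated by this point that the earlier returns did not need to free; a comment at this first goto naming the resource released by err_video_alt would let a reviewer confirm the bare returns above leak nothing.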
@@ -1371,7 +1398,14 @@ static int cx231xx_usb_probe(struct usb_
}

for (i = 0; i < dev->ts1_mode.num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) {
+ retval = -ENODEV;
+ goto err_video_alt;
+ }
+
+ tmp = le16_to_cpu(uif->altsetting[i].
endpoint[isoc_pipe].desc.
wMaxPacketSize);
dev->ts1_mode.alt_max_pkt_size[i] =

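The endpoint-count check that this patch and the usbvision and cx231xx-audio patches in this series add, as an added example that is not driver code and not part of this series: the same bound applied generically over every altsetting before endpoint[isoc_pipe] is touched, together with the wMaxPacketSize decoding used in the hunks, driven against a constructed well-formed device and a constructed device whose last altsetting is too short. The descriptor structs, probe_alt_max_pkt, decode_max_pkt, ep_selftest and the sample tables are invented for this example.

```c
/* Added example, not cx231xx code: bounds check before endpoint[i]. */
#include <errno.h>
#include <stdint.h>

struct ep_desc { uint8_t bEndpointAddress; uint16_t wMaxPacketSize; };
struct altsetting { uint8_t bNumEndpoints; const struct ep_desc *endpoint; };

/* Bits 10:0 carry the packet size and bits 12:11 the number of extra
 * transactions per microframe, so the effective size is size * (mult + 1).
 * This is the expression used in the driver hunks. */
unsigned int decode_max_pkt(uint16_t tmp)
{
    return (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
}

/* Fill max_pkt[] for num_alt altsettings. Returns -ENODEV as soon as an
 * altsetting is too short to contain endpoint[isoc_pipe], which is the
 * case a malicious or broken device can present. */
int probe_alt_max_pkt(const struct altsetting *alts, unsigned int num_alt,
                      unsigned int isoc_pipe, unsigned int *max_pkt)
{
    for (unsigned int i = 0; i < num_alt; i++) {
        if (alts[i].bNumEndpoints < isoc_pipe + 1)
            return -ENODEV;     /* endpoint[isoc_pipe] would be out of bounds */
        max_pkt[i] = decode_max_pkt(alts[i].endpoint[isoc_pipe].wMaxPacketSize);
    }
    return 0;
}

/* Constructed descriptors: alt 0 and alt 1 carry the expected two
 * endpoints, alt 2 is a short descriptor with only one. */
static const struct ep_desc alt0_eps[] = { { 0x81, 0x0040 }, { 0x82, 0x1400 } };
static const struct ep_desc alt1_eps[] = { { 0x81, 0x0040 }, { 0x82, 0x03fc } };
static const struct ep_desc alt2_eps[] = { { 0x81, 0x0040 } };

static const struct altsetting good_dev[] = { { 2, alt0_eps }, { 2, alt1_eps } };
static const struct altsetting bad_dev[]  = { { 2, alt0_eps }, { 2, alt1_eps },
                                              { 1, alt2_eps } };

/* Runs both devices through the probe; 0 means every check passed. */
int ep_selftest(void)
{
    unsigned int pk[3] = { 0, 0, 0 };

    /* well-formed device: 1024 * 3 and 1020 * 1 */
    if (probe_alt_max_pkt(good_dev, 2, 1, pk) != 0 || pk[0] != 3072 || pk[1] != 1020)
        return 1;
    /* short third altsetting: rejected before endpoint[1] is read */
    if (probe_alt_max_pkt(bad_dev, 3, 1, pk) != -ENODEV)
        return 2;
    /* asking for a third endpoint fails even on the well-formed device */
    if (probe_alt_max_pkt(good_dev, 2, 2, pk) != -ENODEV)
        return 3;
    return 0;
}
```

The check is written in terms of the index actually used (isoc_pipe + 1) rather than a literal, so changing which endpoint the driver reads cannot silently detach the bound from the access.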
2017-08-18 13:53:16

by Ben Hutchings

Subject: [PATCH 3.16 034/134] [media] usbvision: fix NULL-deref at probe

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit eacb975b48272f54532b62f515a3cf7eefa35123 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface modification")

Cc: Thierry MERLE <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/usbvision/usbvision-video.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1599,7 +1599,14 @@ static int usbvision_probe(struct usb_in
}

for (i = 0; i < usbvision->num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < 2) {
+ ret = -ENODEV;
+ goto err_pkt;
+ }
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
wMaxPacketSize);
usbvision->alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
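Review bot: `goto err_pkt` targets a label outside this hunk; confirm it frees usbvision->alt_max_pkt_size, which this loop is still populating, so the new -ENODEV path releases the array exactly once and does not skip any other teardown that the code after the loop would otherwise have performed.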

2017-08-18 13:53:15

by Ben Hutchings

Subject: [PATCH 3.16 037/134] [media] cx231xx-audio: fix NULL-deref at probe

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 65f921647f4c89a2068478c89691f39b309b58f7 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")

Cc: Sri Deevi <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/cx231xx/cx231xx-audio.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/cx231xx/cx231xx-audio.c
+++ b/drivers/media/usb/cx231xx/cx231xx-audio.c
@@ -699,6 +699,11 @@ static int cx231xx_audio_init(struct cx2
hs_config_info[0].interface_info.
audio_index + 1];

+ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) {
+ err = -ENODEV;
+ goto err_free_card;
+ }
+
adev->end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].desc.
bEndpointAddress;
@@ -714,8 +719,14 @@ static int cx231xx_audio_init(struct cx2
}

for (i = 0; i < adev->num_alt; i++) {
- u16 tmp =
- le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) {
+ err = -ENODEV;
+ goto err_free_pkt_size;
+ }
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.
wMaxPacketSize);
adev->alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
@@ -725,6 +736,8 @@ static int cx231xx_audio_init(struct cx2

return 0;

+err_free_pkt_size:
+ kfree(adev->alt_max_pkt_size);
err_free_card:
snd_card_free(card);
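Review bot: the new err_free_pkt_size label falls through into err_free_card, the label that patch 036/134 ("cx231xx-audio: fix init error path") introduces, so this patch must stay ordered after 036 when backported; the kfree() itself is correct because alt_max_pkt_size is allocated before the loop that now jumps here, and the fall-through is the usual kernel unwinding idiom.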


2017-08-18 13:53:13

by Ben Hutchings

Subject: [PATCH 3.16 031/134] scsi: scsi_error: count medium access timeout only once per EH run

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hannes Reinecke <[email protected]>

commit 7a38dc0bfb4cc39ed57e120e2224673f3d4d200f upstream.

The current medium access timeout counter will be increased for
each command, so if there are enough failed commands we'll hit
the medium access timeout for even a single device failure and
the following kernel message is displayed:

sd H:C:T:L: [sdXY] Medium access timeout failure. Offlining disk!

Fix this by making the timeout per EH run, i.e. the counter will
only be increased once per device and EH run.

Fixes: 18a4d0a ("[SCSI] Handle disk devices which can not process medium access commands")
Cc: Ewan Milne <[email protected]>
Cc: Lawrence Obermann <[email protected]>
Cc: Benjamin Block <[email protected]>
Cc: Steffen Maier <[email protected]>
Signed-off-by: Hannes Reinecke <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
[bwh: Backported to 3.16:
- Open-code blk_rq_is_passthrough()
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/scsi_error.c | 18 ++++++++++++++++++
drivers/scsi/sd.c | 27 ++++++++++++++++++++++++++-
drivers/scsi/sd.h | 1 +
include/scsi/scsi_driver.h | 1 +
4 files changed, 46 insertions(+), 1 deletion(-)

--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -224,6 +224,23 @@ scsi_abort_command(struct scsi_cmnd *scm
}

/**
+ * scsi_eh_reset - call into ->eh_action to reset internal counters
+ * @scmd: scmd to run eh on.
+ *
+ * The scsi driver might be carrying internal state about the
+ * devices, so we need to call into the driver to reset the
+ * internal state once the error handler is started.
+ */
+static void scsi_eh_reset(struct scsi_cmnd *scmd)
+{
+ if (scmd->request->cmd_type == REQ_TYPE_FS) {
+ struct scsi_driver *sdrv = scsi_cmd_to_driver(scmd);
+ if (sdrv->eh_reset)
+ sdrv->eh_reset(scmd);
+ }
+}
+
+/**
* scsi_eh_scmd_add - add scsi cmd to error handling.
* @scmd: scmd to run eh on.
* @eh_flag: optional SCSI_EH flag.
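Review bot: kerneldoc mismatch in the new helper: the summary line says scsi_eh_reset "call[s] into ->eh_action to reset internal counters", but the body invokes ->eh_reset; change the first line to ` * scsi_eh_reset - call into ->eh_reset to reset internal counters`. The `if (sdrv->eh_reset)` guard is required, since sd is the only driver given the new callback in this patch.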
@@ -252,6 +269,7 @@ int scsi_eh_scmd_add(struct scsi_cmnd *s
if (scmd->eh_eflags & SCSI_EH_ABORT_SCHEDULED)
eh_flag &= ~SCSI_EH_CANCEL_CMD;
scmd->eh_eflags |= eh_flag;
+ scsi_eh_reset(scmd);
list_add_tail(&scmd->eh_entry, &shost->eh_cmd_q);
shost->host_failed++;
scsi_eh_wakeup(shost);
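Review bot: scsi_eh_reset() is called at add time, so sd's gate bit is cleared once per failed command before the EH thread (woken by the scsi_eh_wakeup() below) reaches ->eh_action; the once-per-run semantics therefore hold only as long as no command is added while an EH run is already executing ->eh_action. A short comment at this call site stating that assumption would save the next reader from re-deriving it.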
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -112,6 +112,7 @@ static void sd_rescan(struct device *);
static int sd_init_command(struct scsi_cmnd *SCpnt);
static void sd_uninit_command(struct scsi_cmnd *SCpnt);
static int sd_done(struct scsi_cmnd *);
+static void sd_eh_reset(struct scsi_cmnd *);
static int sd_eh_action(struct scsi_cmnd *, int);
static void sd_read_capacity(struct scsi_disk *sdkp, unsigned char *buffer);
static void scsi_disk_release(struct device *cdev);
@@ -509,6 +510,7 @@ static struct scsi_driver sd_template =
.uninit_command = sd_uninit_command,
.done = sd_done,
.eh_action = sd_eh_action,
+ .eh_reset = sd_eh_reset,
};

/*
@@ -1536,6 +1538,26 @@ static const struct block_device_operati
};

/**
+ * sd_eh_reset - reset error handling callback
+ * @scmd: sd-issued command that has failed
+ *
+ * This function is called by the SCSI midlayer before starting
+ * SCSI EH. When counting medium access failures we have to be
+ * careful to register it only only once per device and SCSI EH run;
+ * there might be several timed out commands which will cause the
+ * 'max_medium_access_timeouts' counter to trigger after the first
+ * SCSI EH run already and set the device to offline.
+ * So this function resets the internal counter before starting SCSI EH.
+ **/
+static void sd_eh_reset(struct scsi_cmnd *scmd)
+{
+ struct scsi_disk *sdkp = scsi_disk(scmd->request->rq_disk);
+
+ /* New SCSI EH run, reset gate variable */
+ sdkp->ignore_medium_access_errors = false;
+}
+
+/**
* sd_eh_action - error handling callback
* @scmd: sd-issued command that has failed
* @eh_disp: The recovery disposition suggested by the midlayer
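Review bot: typo in the new kerneldoc, "register it only only once per device" has a doubled "only"; also the comment is closed with `**/` while the sd_eh_action block directly below uses `*/`, so the closing marker should match.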
@@ -1564,7 +1586,10 @@ static int sd_eh_action(struct scsi_cmnd
* process of recovering or has it suffered an internal failure
* that prevents access to the storage medium.
*/
- sdkp->medium_access_timed_out++;
+ if (!sdkp->ignore_medium_access_errors) {
+ sdkp->medium_access_timed_out++;
+ sdkp->ignore_medium_access_errors = true;
+ }

/*
* If the device keeps failing read/write commands but TEST UNIT
--- a/drivers/scsi/sd.h
+++ b/drivers/scsi/sd.h
@@ -90,6 +90,7 @@ struct scsi_disk {
unsigned lbpvpd : 1;
unsigned ws10 : 1;
unsigned ws16 : 1;
+ unsigned ignore_medium_access_errors : 1;
};
#define to_scsi_disk(obj) container_of(obj,struct scsi_disk,dev)
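Review bot: the new ignore_medium_access_errors bit is only ever cleared in sd_eh_reset() and set in sd_eh_action(), so its initial state depends on struct scsi_disk being zero-allocated; that is fine if sd_probe uses kzalloc, but a one-line comment next to the field saying it is a per-EH-run gate rather than a device property would make the intent clear.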

--- a/include/scsi/scsi_driver.h
+++ b/include/scsi/scsi_driver.h
@@ -17,6 +17,7 @@ struct scsi_driver {
void (*uninit_command)(struct scsi_cmnd *);
int (*done)(struct scsi_cmnd *);
int (*eh_action)(struct scsi_cmnd *, int);
+ void (*eh_reset)(struct scsi_cmnd *);
};
#define to_scsi_driver(drv) \
container_of((drv), struct scsi_driver, gendrv)

2017-08-18 13:53:12

by Ben Hutchings

Subject: [PATCH 3.16 036/134] [media] cx231xx-audio: fix init error path

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit fff1abc4d54e469140a699612b4db8d6397bfcba upstream.

Make sure to release the snd_card also on a late allocation error.

Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")

Cc: Sri Deevi <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/media/usb/cx231xx/cx231xx-audio.c
+++ b/drivers/media/usb/cx231xx/cx231xx-audio.c
@@ -672,10 +672,8 @@ static int cx231xx_audio_init(struct cx2

spin_lock_init(&adev->slock);
err = snd_pcm_new(card, "Cx231xx Audio", 0, 0, 1, &pcm);
- if (err < 0) {
- snd_card_free(card);
- return err;
- }
+ if (err < 0)
+ goto err_free_card;

snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE,
&snd_cx231xx_pcm_capture);
@@ -689,10 +687,9 @@ static int cx231xx_audio_init(struct cx2
INIT_WORK(&dev->wq_trigger, audio_trigger);

err = snd_card_register(card);
- if (err < 0) {
- snd_card_free(card);
- return err;
- }
+ if (err < 0)
+ goto err_free_card;
+
adev->sndcard = card;
adev->udev = dev->udev;

@@ -710,10 +707,10 @@ static int cx231xx_audio_init(struct cx2
cx231xx_info("EndPoint Addr 0x%x, Alternate settings: %i\n",
adev->end_point_addr, adev->num_alt);
adev->alt_max_pkt_size = kmalloc(32 * adev->num_alt, GFP_KERNEL);
-
- if (adev->alt_max_pkt_size == NULL) {
+ if (!adev->alt_max_pkt_size) {
cx231xx_errdev("out of memory!\n");
- return -ENOMEM;
+ err = -ENOMEM;
+ goto err_free_card;
}

for (i = 0; i < adev->num_alt; i++) {
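Review bot: with the allocation failure now routed to err_free_card, the card that snd_card_register() registered in the previous hunk is freed again, which is what the commit message asks for; it does mean the card is visible to userspace while alt_max_pkt_size is still unallocated, so moving snd_card_register() after the endpoint setup would make registration the last step. Independently of this fix, the unchanged `32 * adev->num_alt` size is worth checking against sizeof(*adev->alt_max_pkt_size).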
@@ -727,6 +724,11 @@ static int cx231xx_audio_init(struct cx2
}

return 0;
+
+err_free_card:
+ snd_card_free(card);
+
+ return err;
}

static int cx231xx_audio_fini(struct cx231xx *dev)

2017-08-18 13:53:10

by Ben Hutchings

Subject: [PATCH 3.16 038/134] [media] uvcvideo: Fix empty packet statistic

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kieran Bingham <[email protected]>

commit 360a3a90c6261fe24a959ff38f8f6c3a8468f23c upstream.

The frame counters are inadvertently counting packets with content as
empty.

Fix it by correcting the logic expression.

Fixes: 7bc5edb00bbd ("[media] uvcvideo: Extract video stream statistics")

Signed-off-by: Kieran Bingham <[email protected]>
Signed-off-by: Laurent Pinchart <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/uvc/uvc_video.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -810,7 +810,7 @@ static void uvc_video_stats_decode(struc

/* Update the packets counters. */
stream->stats.frame.nb_packets++;
- if (len > header_size)
+ if (len <= header_size)
stream->stats.frame.nb_empty++;

if (data[1] & UVC_STREAM_ERR)
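Review bot: with `<=` the counter now also classifies packets shorter than header_size as empty; that is correct only if such malformed packets are rejected before uvc_video_stats_decode() is reached, otherwise they are counted as empty instead of as errors.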

2017-08-18 13:53:08

by Ben Hutchings

Subject: [PATCH 3.16 039/134] padata: free correct variable

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Jason A. Donenfeld" <[email protected]>

commit 07a77929ba672d93642a56dc2255dd21e6e2290b upstream.

The author meant to free the variable that was just allocated, instead
of the one that failed to be allocated, but made a simple typo. This
patch rectifies that.

Signed-off-by: Jason A. Donenfeld <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
kernel/padata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -356,7 +356,7 @@ static int padata_setup_cpumasks(struct

cpumask_and(pd->cpumask.pcpu, pcpumask, cpu_online_mask);
if (!alloc_cpumask_var(&pd->cpumask.cbcpu, GFP_KERNEL)) {
- free_cpumask_var(pd->cpumask.cbcpu);
+ free_cpumask_var(pd->cpumask.pcpu);
return -ENOMEM;
}


2017-08-18 13:55:46

by Ben Hutchings

Subject: [PATCH 3.16 027/134] IPoIB: Remove unnecessary test for NULL before debugfs_remove()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Fabian Frederick <[email protected]>

commit e42fa2092c1049ac9c0e38aaac39ef3c40e91a36 upstream.

Fix checkpatch warning:

WARNING: debugfs_remove(NULL) is safe this check is probably not required

Signed-off-by: Fabian Frederick <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Roland Dreier <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib_fs.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c
@@ -281,10 +281,8 @@ void ipoib_delete_debug_files(struct net
{
struct ipoib_dev_priv *priv = netdev_priv(dev);

- if (priv->mcg_dentry)
- debugfs_remove(priv->mcg_dentry);
- if (priv->path_dentry)
- debugfs_remove(priv->path_dentry);
+ debugfs_remove(priv->mcg_dentry);
+ debugfs_remove(priv->path_dentry);
}

int ipoib_register_debugfs(void)

2017-08-18 13:55:45

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 028/134] IB/IPoIB: ibX: failed to create mcg debug file

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Shamir Rabinovitch <[email protected]>

commit 771a52584096c45e4565e8aabb596eece9d73d61 upstream.

When udev renames the netdev devices, ipoib debugfs entries do not
get renamed. As a result, if a subsequent probe of an ipoib device reuses the
name then creating a debugfs entry for the new device would fail.

Also, moved ipoib_create_debug_files and ipoib_delete_debug_files as part
of ipoib event handling in order to avoid any race condition between these.

Fixes: 1732b0ef3b3a ("[IPoIB] add path record information in debugfs")
Signed-off-by: Vijay Kumar <[email protected]>
Signed-off-by: Shamir Rabinovitch <[email protected]>
Reviewed-by: Mark Bloch <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib_fs.c | 3 +++
drivers/infiniband/ulp/ipoib/ipoib_main.c | 44 +++++++++++++++++++++++++++----
drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 3 ---
3 files changed, 42 insertions(+), 8 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c
@@ -281,8 +281,11 @@ void ipoib_delete_debug_files(struct net
{
struct ipoib_dev_priv *priv = netdev_priv(dev);

+ WARN_ONCE(!priv->mcg_dentry, "null mcg debug file\n");
+ WARN_ONCE(!priv->path_dentry, "null path debug file\n");
debugfs_remove(priv->mcg_dentry);
debugfs_remove(priv->path_dentry);
+ priv->mcg_dentry = priv->path_dentry = NULL;
}

int ipoib_register_debugfs(void)
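Review bot: the two WARN_ONCE() calls expect both dentries to be non-NULL on every call, while the new `priv->mcg_dentry = priv->path_dentry = NULL;` guarantees they are NULL after a delete; any path that reaches ipoib_delete_debug_files() twice without an intervening ipoib_create_debug_files(), or for a device whose create failed, will therefore warn. This hunk also applies only on top of patch 027/134, which removed the if() guards around the two debugfs_remove() calls.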
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -98,6 +98,33 @@ static struct ib_client ipoib_client = {
.remove = ipoib_remove_one
};

+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+static int ipoib_netdev_event(struct notifier_block *this,
+ unsigned long event, void *ptr)
+{
+ struct netdev_notifier_info *ni = ptr;
+ struct net_device *dev = ni->dev;
+
+ if (dev->netdev_ops->ndo_open != ipoib_open)
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_REGISTER:
+ ipoib_create_debug_files(dev);
+ break;
+ case NETDEV_CHANGENAME:
+ ipoib_delete_debug_files(dev);
+ ipoib_create_debug_files(dev);
+ break;
+ case NETDEV_UNREGISTER:
+ ipoib_delete_debug_files(dev);
+ break;
+ }
+
+ return NOTIFY_DONE;
+}
+#endif
+
int ipoib_open(struct net_device *dev)
{
struct ipoib_dev_priv *priv = netdev_priv(dev);
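Review bot: ipoib_open is compared against `dev->netdev_ops->ndo_open` before its definition at the bottom of this hunk, so this compiles only if ipoib.h already declares it; otherwise a forward declaration is needed. The NETDEV_CHANGENAME branch works because the delete nulls the dentries before the create, but a NETDEV_REGISTER whose debugfs creation fails is silently ignored, leaving the later delete to WARN.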
@@ -1313,8 +1340,6 @@ void ipoib_dev_cleanup(struct net_device

ASSERT_RTNL();

- ipoib_delete_debug_files(dev);
-
/* Delete any child interfaces first */
list_for_each_entry_safe(cpriv, tcpriv, &priv->child_intfs, list) {
/* Stop GC on child */
@@ -1620,8 +1645,6 @@ static struct net_device *ipoib_add_port
goto register_failed;
}

- ipoib_create_debug_files(priv->dev);
-
if (ipoib_cm_add_mode_attr(priv->dev))
goto sysfs_failed;
if (ipoib_add_pkey_attr(priv->dev))
@@ -1636,7 +1659,6 @@ static struct net_device *ipoib_add_port
return priv->dev;

sysfs_failed:
- ipoib_delete_debug_files(priv->dev);
unregister_netdev(priv->dev);

register_failed:
@@ -1727,6 +1749,12 @@ static void ipoib_remove_one(struct ib_d
kfree(dev_list);
}

+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+static struct notifier_block ipoib_netdev_notifier = {
+ .notifier_call = ipoib_netdev_event,
+};
+#endif
+
static int __init ipoib_init_module(void)
{
int ret;
@@ -1776,6 +1804,9 @@ static int __init ipoib_init_module(void
if (ret)
goto err_client;

+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+ register_netdevice_notifier(&ipoib_netdev_notifier);
+#endif
return 0;

err_client:
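Review bot: the return value of register_netdevice_notifier() is ignored; if registration fails, no debug files are ever created and ipoib_delete_debug_files() will WARN on every unregister. Check the result and unwind via err_client, or at minimum report it with pr_warn().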
@@ -1793,6 +1824,9 @@ err_fs:

static void __exit ipoib_cleanup_module(void)
{
+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+ unregister_netdevice_notifier(&ipoib_netdev_notifier);
+#endif
ipoib_netlink_fini();
ib_unregister_client(&ipoib_client);
ib_sa_unregister_client(&ipoib_sa_client);
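Review bot: ordering: the notifier is unregistered before ib_unregister_client(), so the NETDEV_UNREGISTER events raised while the client's devices are torn down no longer reach ipoib_netdev_event(), and those devices' debugfs files are left to whatever removes the debugfs root at module exit instead of being deleted per device. If that is intended, a comment should say so; otherwise move the unregister_netdevice_notifier() call after ib_unregister_client().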
--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
@@ -86,8 +86,6 @@ int __ipoib_vlan_add(struct ipoib_dev_pr

priv->parent = ppriv->dev;

- ipoib_create_debug_files(priv->dev);
-
/* RTNL childs don't need proprietary sysfs entries */
if (type == IPOIB_LEGACY_CHILD) {
if (ipoib_cm_add_mode_attr(priv->dev))
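Review bot: child interfaces created here now rely on the NETDEV_REGISTER notifier for their debug files, which only fires for them if the notifier's `ndo_open != ipoib_open` filter accepts them; confirm child devices use the same netdev_ops as the parent, otherwise this removal silently drops their debugfs entries.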
@@ -109,7 +107,6 @@ int __ipoib_vlan_add(struct ipoib_dev_pr

sysfs_failed:
result = -ENOMEM;
- ipoib_delete_debug_files(priv->dev);
unregister_netdevice(priv->dev);

register_failed:

2017-08-18 13:56:37

by Ben Hutchings

Subject: [PATCH 3.16 029/134] [media] gspca: konica: add missing endpoint sanity check

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit aa58fedb8c7b6cf2f05941d238495f9e2f29655c upstream.

Make sure to check the number of endpoints to avoid accessing memory
beyond the endpoint array should a device lack the expected endpoints.

Note that, as far as I can tell, the gspca framework has already made
sure there is at least one endpoint in the current alternate setting so
there should be no risk for a NULL-pointer dereference here.

Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for
konica chipset using cams")

Cc: Hans de Goede <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/gspca/konica.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/media/usb/gspca/konica.c
+++ b/drivers/media/usb/gspca/konica.c
@@ -188,6 +188,9 @@ static int sd_start(struct gspca_dev *gs
return -EIO;
}

+ if (alt->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);

n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;
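Review bot: the new check demands two endpoints while the visible code only indexes endpoint[0]; if sd_start uses endpoint[1] further down, a short comment saying so would justify the `< 2`, and if it does not, the commit message's note that gspca already guarantees one endpoint means the bound should be stated as `< 1` or dropped.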

2017-08-18 13:56:36

by Ben Hutchings

Subject: [PATCH 3.16 033/134] [media] dib0700: fix NULL-deref at probe

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit d5823511c0f8719a39e72ede1bce65411ac653b7 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge
Nova-TD")

Cc: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/dvb-usb/dib0700_core.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/media/usb/dvb-usb/dib0700_core.c
+++ b/drivers/media/usb/dvb-usb/dib0700_core.c
@@ -769,6 +769,9 @@ int dib0700_rc_setup(struct dvb_usb_devi

/* Starting in firmware 1.20, the RC info is provided on a bulk pipe */

+ if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1)
+ return -ENODEV;
+
purb = usb_alloc_urb(0, GFP_KERNEL);
if (purb == NULL) {
err("rc usb alloc urb failed");
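Review bot: the check indexes intf->altsetting[0] explicitly, so it only protects the endpoint access below if that access also uses altsetting[0] rather than intf->cur_altsetting, which is not visible in this hunk. Placing the check before usb_alloc_urb() is right, as it avoids leaking purb on the new -ENODEV path.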

2017-08-18 13:57:11

by Ben Hutchings

Subject: [PATCH 3.16 022/134] pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <[email protected]>

commit 58439280f84e6b39fd7d61f25ab30489c1aaf0a9 upstream.

The PINMUX_IPSR_MSEL() macro invocation for the TX2 signal apparently has the wrong
1st argument -- most probably a result of cut&paste programming...

Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov <[email protected]>
Signed-off-by: Geert Uytterhoeven <[email protected]>
[bwh: Backported to 3.16:
- Use PINMUX_IPSR_MODSEL_DATA() instead of PINMUX_IPSR_MSEL()
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -1092,7 +1092,7 @@ static const u16 pinmux_data[] = {
PINMUX_IPSR_MODSEL_DATA(IP6_5_3, FMIN_E, SEL_FM_4),
PINMUX_IPSR_DATA(IP6_7_6, AUDIO_CLKOUT),
PINMUX_IPSR_MODSEL_DATA(IP6_7_6, MSIOF1_SS1_B, SEL_SOF1_1),
- PINMUX_IPSR_MODSEL_DATA(IP6_5_3, TX2, SEL_SCIF2_0),
+ PINMUX_IPSR_MODSEL_DATA(IP6_7_6, TX2, SEL_SCIF2_0),
PINMUX_IPSR_MODSEL_DATA(IP6_7_6, SCIFA2_TXD, SEL_SCIFA2_0),
PINMUX_IPSR_DATA(IP6_9_8, IRQ0),
PINMUX_IPSR_MODSEL_DATA(IP6_9_8, SCIFB1_RXD_D, SEL_SCIFB1_3),

2017-08-18 13:57:10

by Ben Hutchings

Subject: [PATCH 3.16 025/134] PCI: dwc: Fix uninitialized variable in dw_handle_msi_irq()

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 1b497e6493c49bbb55c89f53562f7f853495e90d upstream.

The bug is that "val" is unsigned long but we only initialize 32 bits of
it. Then we test "if (val)" and that might be true not because we set the
bits but because some were never initialized.

Fixes: f342d940ee0e ("PCI: exynos: Add support for MSI")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pci/host/pcie-designware.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/pci/host/pcie-designware.c
+++ b/drivers/pci/host/pcie-designware.c
@@ -158,19 +158,20 @@ static struct irq_chip dw_msi_irq_chip =
/* MSI int handler */
irqreturn_t dw_handle_msi_irq(struct pcie_port *pp)
{
- unsigned long val;
+ u32 val;
int i, pos, irq;
irqreturn_t ret = IRQ_NONE;

for (i = 0; i < MAX_MSI_CTRLS; i++) {
dw_pcie_rd_own_conf(pp, PCIE_MSI_INTR0_STATUS + i * 12, 4,
- (u32 *)&val);
+ &val);
if (!val)
continue;

ret = IRQ_HANDLED;
pos = 0;
- while ((pos = find_next_bit(&val, 32, pos)) != 32) {
+ while ((pos = find_next_bit((unsigned long *) &val, 32,
+ pos)) != 32) {
irq = irq_find_mapping(pp->irq_domain, i * 32 + pos);
dw_pcie_wr_own_conf(pp, PCIE_MSI_INTR0_STATUS + i * 12,
4, 1 << pos);
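Review bot: the `(unsigned long *) &val` cast hands find_next_bit() a 4-byte object while it loads whole unsigned long words, so on 64-bit it reads 4 bytes past `val` on the stack; the size argument of 32 limits which bits are examined, not what is read. Copying val into a local `unsigned long` before the scan keeps the uninitialised-bits fix without introducing the out-of-bounds read that the original `unsigned long val` happened to avoid.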

2017-08-18 13:57:08

by Ben Hutchings

Subject: [PATCH 3.16 024/134] PCI: dwc: Unindent dw_handle_msi_irq() loop

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <[email protected]>

commit dbe4a09e8bbcf88809a8394d6a359d8cebd22a86 upstream.

Use "continue" to skip the rest of the loop when possible to save an indent
level. No functional change intended.

Suggested-by: walter harms <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pci/host/pcie-designware.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)

--- a/drivers/pci/host/pcie-designware.c
+++ b/drivers/pci/host/pcie-designware.c
@@ -165,18 +165,17 @@ irqreturn_t dw_handle_msi_irq(struct pci
for (i = 0; i < MAX_MSI_CTRLS; i++) {
dw_pcie_rd_own_conf(pp, PCIE_MSI_INTR0_STATUS + i * 12, 4,
(u32 *)&val);
- if (val) {
- ret = IRQ_HANDLED;
- pos = 0;
- while ((pos = find_next_bit(&val, 32, pos)) != 32) {
- irq = irq_find_mapping(pp->irq_domain,
- i * 32 + pos);
- dw_pcie_wr_own_conf(pp,
- PCIE_MSI_INTR0_STATUS + i * 12,
- 4, 1 << pos);
- generic_handle_irq(irq);
- pos++;
- }
+ if (!val)
+ continue;
+
+ ret = IRQ_HANDLED;
+ pos = 0;
+ while ((pos = find_next_bit(&val, 32, pos)) != 32) {
+ irq = irq_find_mapping(pp->irq_domain, i * 32 + pos);
+ dw_pcie_wr_own_conf(pp, PCIE_MSI_INTR0_STATUS + i * 12,
+ 4, 1 << pos);
+ generic_handle_irq(irq);
+ pos++;
}
}
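Review bot: mechanical unindent with no behaviour change; the retained `(u32 *)&val` read into `unsigned long val` (the uninitialised-upper-bits problem) is addressed by patch 025/134 in this series, whose context assumes this reshuffle, so 024 has to be applied before 025.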


2017-08-18 13:57:06

by Ben Hutchings

Subject: [PATCH 3.16 030/134] [media] s5p-mfc: Fix unbalanced call to clock management

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <[email protected]>

commit a5cb00eb4223458250b55daf03ac7ea5f424d601 upstream.

Clock should be turned off after calling s5p_mfc_init_hw() from the
watchdog worker, like it is already done in the s5p_mfc_open() which also
calls this function.

Fixes: af93574678108 ("[media] MFC: Add MFC 5.1 V4L2 driver")

Signed-off-by: Marek Szyprowski <[email protected]>
Signed-off-by: Sylwester Nawrocki <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/platform/s5p-mfc/s5p_mfc.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
@@ -169,6 +169,7 @@ static void s5p_mfc_watchdog_worker(stru
}
s5p_mfc_clock_on();
ret = s5p_mfc_init_hw(dev);
+ s5p_mfc_clock_off();
if (ret)
mfc_err("Failed to reinit FW\n");
}

2017-08-18 13:57:04

by Ben Hutchings

Subject: [PATCH 3.16 026/134] ath9k_htc: fix NULL-deref at probe

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1145,6 +1145,9 @@ static int send_eject_command(struct usb
u8 bulk_out_ep;
int r;

+ if (iface_desc->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
/* Find bulk out endpoint */
for (r = 1; r >= 0; r--) {
endpoint = &iface_desc->endpoint[r].desc;

2017-08-18 13:59:10

by Ben Hutchings

Subject: [PATCH 3.16 017/134] staging: iio: tsl2x7x_core: Fix standard deviation calculation

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eva Rachel Retuya <[email protected]>

commit cf6c77323a96fc40309cc8a4921ef206cccdd961 upstream.

Standard deviation is calculated as the square root of the variance
where variance is the mean of sample_sum and length. Correct the
computation of statP->stddev in accordance with the proper calculation.

Fixes: 3c97c08b5735 ("staging: iio: add TAOS tsl2x7x driver")
Reported-by: Abhiram Balasubramanian <[email protected]>
Signed-off-by: Eva Rachel Retuya <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/iio/light/tsl2x7x_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/light/tsl2x7x_core.c
+++ b/drivers/staging/iio/light/tsl2x7x_core.c
@@ -849,7 +849,7 @@ void tsl2x7x_prox_calculate(int *data, i
tmp = data[i] - statP->mean;
sample_sum += tmp * tmp;
}
- statP->stddev = int_sqrt((long)sample_sum)/length;
+ statP->stddev = int_sqrt((long)sample_sum / length);
}

/**

2017-08-18 13:59:08

by Ben Hutchings

Subject: [PATCH 3.16 023/134] pinctrl: sh-pfc: r8a7791: Fix IPSR comment typos

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <[email protected]>

commit 0cbdc11482d72ad164e33ef7cc57b01e8b61e40d upstream.

The IPSR field names in the comments have been fat-fingered in a couple
places -- fix those silly typos...

Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov <[email protected]>
Signed-off-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -4960,7 +4960,7 @@ static const struct pinmux_cfg_reg pinmu
},
{ PINMUX_CFG_REG_VAR("IPSR2", 0xE6060028, 32,
2, 3, 2, 2, 2, 2, 3, 3, 3, 3, 2, 2, 3) {
- /* IP2_31_20 [2] */
+ /* IP2_31_30 [2] */
0, 0, 0, 0,
/* IP2_29_27 [3] */
FN_EX_CS3_N, FN_ATADIR0_N, FN_MSIOF2_TXD,
@@ -4980,7 +4980,7 @@ static const struct pinmux_cfg_reg pinmu
/* IP2_15_13 [3] */
FN_A24, FN_DREQ2, FN_IO3, FN_TX1, FN_SCIFA1_TXD,
0, 0, 0,
- /* IP2_12_0 [3] */
+ /* IP2_12_10 [3] */
FN_A23, FN_IO2, FN_BPFCLK_B, FN_RX0, FN_SCIFA0_RXD,
0, 0, 0,
/* IP2_9_7 [3] */
@@ -5291,7 +5291,7 @@ static const struct pinmux_cfg_reg pinmu
/* IP10_24_22 [3] */
FN_VI0_R1, FN_VI2_DATA2, FN_GLO_I1_B, FN_TS_SCK0_C, FN_ATAG1_N,
0, 0, 0,
- /* IP10_21_29 [3] */
+ /* IP10_21_19 [3] */
FN_VI0_R0, FN_VI2_DATA1, FN_GLO_I0_B,
FN_TS_SDATA0_C, FN_ATACS11_N,
0, 0, 0,

2017-08-18 13:59:41

by Ben Hutchings

Subject: [PATCH 3.16 020/134] pinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <[email protected]>

commit da7a692fbbab07f4e9798b5b52798f6e3256dd8f upstream.

The R8A7791 PFC driver was apparently based on the preliminary revisions
of the user's manual, which omitted the HSCIF1 group E signals in the
IPSR4 register description. This would cause HSCIF1's probe to fail with
messages like the ones below:

sh-pfc e6060000.pfc: cannot locate data/mark enum_id for mark 1989
sh-sci e62c8000.serial: Error applying setting, reverse things back
sh-sci: probe of e62c8000.serial failed with error -22

Add the necessary PINMUX_IPSR_MSEL() invocations for the HSCK1_E,
HCTS1#_E, and HRTS1#_E signals...

Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov <[email protected]>
Signed-off-by: Geert Uytterhoeven <[email protected]>
[bwh: Backported to 3.16:
- Use PINMUX_IPSR_MODSEL_DATA() instead of PINMUX_IPSR_MSEL()
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -999,14 +999,17 @@ static const u16 pinmux_data[] = {
PINMUX_IPSR_MODSEL_DATA(IP4_12_10, SCL2, SEL_IIC2_0),
PINMUX_IPSR_MODSEL_DATA(IP4_12_10, GPS_CLK_B, SEL_GPS_1),
PINMUX_IPSR_MODSEL_DATA(IP4_12_10, GLO_Q0_D, SEL_GPS_3),
+ PINMUX_IPSR_MODSEL_DATA(IP4_12_10, HSCK1_E, SEL_HSCIF1_4),
PINMUX_IPSR_DATA(IP4_15_13, SSI_WS2),
PINMUX_IPSR_MODSEL_DATA(IP4_15_13, SDA2, SEL_IIC2_0),
PINMUX_IPSR_MODSEL_DATA(IP4_15_13, GPS_SIGN_B, SEL_GPS_1),
PINMUX_IPSR_MODSEL_DATA(IP4_15_13, RX2_E, SEL_SCIF2_4),
PINMUX_IPSR_MODSEL_DATA(IP4_15_13, GLO_Q1_D, SEL_GPS_3),
+ PINMUX_IPSR_MODSEL_DATA(IP4_15_13, HCTS1_N_E, SEL_HSCIF1_4),
PINMUX_IPSR_DATA(IP4_18_16, SSI_SDATA2),
PINMUX_IPSR_MODSEL_DATA(IP4_18_16, GPS_MAG_B, SEL_GPS_1),
PINMUX_IPSR_MODSEL_DATA(IP4_18_16, TX2_E, SEL_SCIF2_4),
+ PINMUX_IPSR_MODSEL_DATA(IP4_18_16, HRTS1_N_E, SEL_HSCIF1_4),
PINMUX_IPSR_DATA(IP4_19, SSI_SCK34),
PINMUX_IPSR_DATA(IP4_20, SSI_WS34),
PINMUX_IPSR_DATA(IP4_21, SSI_SDATA3),
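Review bot: the three added entries reference HSCK1_E, HCTS1_N_E, HRTS1_N_E and SEL_HSCIF1_4 while the diffstat records only 3 insertions, so those identifiers must already be declared in the file's function and mark enums; confirm that in the 3.16 tree, because the probe failure quoted in the change log ("cannot locate data/mark enum_id for mark 1989") is exactly what a mark without a matching pinmux_data entry produces. Each signal lands in a different IP4 field (IP4_12_10, IP4_15_13, IP4_18_16), consistent with one field per pin.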

2017-08-18 13:59:39

by Ben Hutchings

Subject: [PATCH 3.16 021/134] pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <[email protected]>

commit 3908632fb829d73317c64c3d04f584b49f62e4ae upstream.

The R8A7791 PFC driver was apparently based on the preliminary revisions
of the user's manual, which omitted the DVC_MUTE signal altogether in
the PFC section. The modern manual has the signal described, so just add
the necessary data to the driver...

Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov <[email protected]>
Signed-off-by: Geert Uytterhoeven <[email protected]>
[bwh: Backported to 3.16:
- Use PINMUX_IPSR_DATA() instead of PINMUX_IPSR_GPSR()
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -192,7 +192,7 @@ enum {

/* IPSR6 */
FN_AUDIO_CLKB, FN_STP_OPWM_0_B, FN_MSIOF1_SCK_B,
- FN_SCIF_CLK, FN_BPFCLK_E,
+ FN_SCIF_CLK, FN_DVC_MUTE, FN_BPFCLK_E,
FN_AUDIO_CLKC, FN_SCIFB0_SCK_C, FN_MSIOF1_SYNC_B, FN_RX2,
FN_SCIFA2_RXD, FN_FMIN_E,
FN_AUDIO_CLKOUT, FN_MSIOF1_SS1_B, FN_TX2, FN_SCIFA2_TXD,
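Review bot: FN_DVC_MUTE is inserted between FN_SCIF_CLK and FN_BPFCLK_E; because the function enum, the mark enum and the IPSR6 cfg_reg table all describe the same 3-bit field by position, the later hunks must insert at the same slot, which they do (DVC_MUTE_MARK after SCIF_CLK_MARK, and FN_DVC_MUTE replacing the 0 placeholder after FN_SCIF_CLK). Any future reorder of one list without the others would silently mis-route the pin.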
@@ -562,7 +562,7 @@ enum {

/* IPSR6 */
AUDIO_CLKB_MARK, STP_OPWM_0_B_MARK, MSIOF1_SCK_B_MARK,
- SCIF_CLK_MARK, BPFCLK_E_MARK,
+ SCIF_CLK_MARK, DVC_MUTE_MARK, BPFCLK_E_MARK,
AUDIO_CLKC_MARK, SCIFB0_SCK_C_MARK, MSIOF1_SYNC_B_MARK, RX2_MARK,
SCIFA2_RXD_MARK, FMIN_E_MARK,
AUDIO_CLKOUT_MARK, MSIOF1_SS1_B_MARK, TX2_MARK, SCIFA2_TXD_MARK,
@@ -1082,6 +1082,7 @@ static const u16 pinmux_data[] = {
PINMUX_IPSR_MODSEL_DATA(IP6_2_0, STP_OPWM_0_B, SEL_SSP_1),
PINMUX_IPSR_MODSEL_DATA(IP6_2_0, MSIOF1_SCK_B, SEL_SOF1_1),
PINMUX_IPSR_MODSEL_DATA(IP6_2_0, SCIF_CLK, SEL_SCIF_0),
+ PINMUX_IPSR_DATA(IP6_2_0, DVC_MUTE),
PINMUX_IPSR_MODSEL_DATA(IP6_2_0, BPFCLK_E, SEL_FM_4),
PINMUX_IPSR_DATA(IP6_5_3, AUDIO_CLKC),
PINMUX_IPSR_MODSEL_DATA(IP6_5_3, SCIFB0_SCK_C, SEL_SCIFB_2),
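Review bot: DVC_MUTE is registered with PINMUX_IPSR_DATA() and no SEL_* selector, unlike its IP6_2_0 neighbours; that matches the backport note (PINMUX_IPSR_DATA in place of PINMUX_IPSR_GPSR) and is correct only if DVC_MUTE has no module-select bit, which is what the "modern manual" claim in the change log has to cover.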
@@ -5148,7 +5149,7 @@ static const struct pinmux_cfg_reg pinmu
0, 0,
/* IP6_2_0 [3] */
FN_AUDIO_CLKB, FN_STP_OPWM_0_B, FN_MSIOF1_SCK_B,
- FN_SCIF_CLK, 0, FN_BPFCLK_E,
+ FN_SCIF_CLK, FN_DVC_MUTE, FN_BPFCLK_E,
0, 0, }
},
{ PINMUX_CFG_REG_VAR("IPSR7", 0xE606003C, 32,
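Review bot: the 0 placeholder at value 4 of the IP6_2_0 [3] field becomes FN_DVC_MUTE; FN_BPFCLK_E stays at value 5 and the two trailing zeros still cover values 6 and 7, so the eight-entry field remains complete and no other function shifts position.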

2017-08-18 14:00:11

by Ben Hutchings

Subject: [PATCH 3.16 016/134] [media] mceusb: fix NULL-deref at probe

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 03eb2a557ed552e920a0942b774aaf931596eec1 upstream.

Make sure to check for the required out endpoint to avoid dereferencing
a NULL-pointer in mce_request_packet should a malicious device lack such
an endpoint. Note that this path is hit during probe.

Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")

Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Sean Young <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/rc/mceusb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1299,8 +1299,8 @@ static int mceusb_dev_probe(struct usb_i
}
}
}
- if (ep_in == NULL) {
- dev_dbg(&intf->dev, "inbound and/or endpoint not found");
+ if (!ep_in || !ep_out) {
+ dev_dbg(&intf->dev, "required endpoints not found\n");
return -ENODEV;
}
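Review bot: the new condition also rejects a missing ep_out, which the change log says is dereferenced in mce_request_packet, and it restores the newline the old dev_dbg string lacked. The hunk does not show where ep_out is declared or initialised; the test is only meaningful if ep_out starts as NULL before the endpoint scan, so confirm that in the surrounding probe code.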


2017-08-18 14:00:10

by Ben Hutchings

Subject: [PATCH 3.16 018/134] USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ajay Kaher <[email protected]>

commit 2f86a96be0ccb1302b7eee7855dbee5ce4dc5dfb upstream.

There is a race condition when two USB class drivers try to call
init_usb_class at the same time, and it leads to a crash.
code path: probe->usb_register_dev->init_usb_class

To solve this, mutex locking has been added in init_usb_class() and
destroy_usb_class().

As pointed out by Alan, removed "if (usb_class)" test from destroy_usb_class()
because usb_class can never be NULL there.

Signed-off-by: Ajay Kaher <[email protected]>
Acked-by: Alan Stern <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/core/file.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/file.c
+++ b/drivers/usb/core/file.c
@@ -26,6 +26,7 @@
#define MAX_USB_MINORS 256
static const struct file_operations *usb_minors[MAX_USB_MINORS];
static DECLARE_RWSEM(minor_rwsem);
+static DEFINE_MUTEX(init_usb_class_mutex);

static int usb_open(struct inode *inode, struct file *file)
{
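Review bot: DEFINE_MUTEX() is added next to DECLARE_RWSEM() without a new include; this relies on <linux/mutex.h> already reaching file.c through its existing headers, which is likely but deserves a build check on 3.16.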
@@ -108,8 +109,9 @@ static void release_usb_class(struct kre

static void destroy_usb_class(void)
{
- if (usb_class)
- kref_put(&usb_class->kref, release_usb_class);
+ mutex_lock(&init_usb_class_mutex);
+ kref_put(&usb_class->kref, release_usb_class);
+ mutex_unlock(&init_usb_class_mutex);
}

int usb_major_init(void)
@@ -171,7 +173,10 @@ int usb_register_dev(struct usb_interfac
if (intf->minor >= 0)
return -EADDRINUSE;

+ mutex_lock(&init_usb_class_mutex);
retval = init_usb_class();
+ mutex_unlock(&init_usb_class_mutex);
+
if (retval)
return retval;
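Review bot: the lock covers only the init_usb_class() call, which is enough to close the described race (two callers both observing no class and each creating one) because destroy_usb_class() now serialises on the same mutex. The extra blank line after mutex_unlock() is a style nit.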


2017-08-18 14:00:08

by Ben Hutchings

Subject: [PATCH 3.16 019/134] cdc-acm: fix possible invalid access when processing notification

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Tobias Herzog <[email protected]>

commit 1bb9914e1730417d530de9ed37e59efdc647146b upstream.

Notifications may only be 8 bytes long. Accessing the 9th and
10th byte of unimplemented/unknown notifications may be insecure.
Also check the length of known notifications before accessing anything
behind the 8th byte.

Signed-off-by: Tobias Herzog <[email protected]>
Acked-by: Oliver Neukum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/class/cdc-acm.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -312,6 +312,12 @@ static void acm_ctrl_irq(struct urb *urb
break;

case USB_CDC_NOTIFY_SERIAL_STATE:
+ if (le16_to_cpu(dr->wLength) != 2) {
+ dev_dbg(&acm->control->dev,
+ "%s - malformed serial state\n", __func__);
+ break;
+ }
+
newctrl = get_unaligned_le16(data);

if (!acm->clocal && (acm->ctrlin & ~newctrl & ACM_CTRL_DCD)) {
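Review bot: the length check compares dr->wLength, a value supplied by the device in the notification header, rather than the URB's actual transferred length; it is sound only if acm_ctrl_irq() already validates that the received buffer holds the 8-byte header plus wLength bytes, which this hunk does not show. Strict equality (!= 2) is appropriate for SERIAL_STATE, whose payload is a fixed 2-byte bitmap, and the check correctly precedes get_unaligned_le16(data).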
@@ -348,11 +354,10 @@ static void acm_ctrl_irq(struct urb *urb

default:
dev_dbg(&acm->control->dev,
- "%s - unknown notification %d received: index %d "
- "len %d data0 %d data1 %d\n",
+ "%s - unknown notification %d received: index %d len %d\n",
__func__,
- dr->bNotificationType, dr->wIndex,
- dr->wLength, data[0], data[1]);
+ dr->bNotificationType, dr->wIndex, dr->wLength);
+
break;
}
exit:
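Review bot: removing data[0] and data[1] from the default-case debug message eliminates the read of bytes 9 and 10 for notifications that carry no payload, which is the out-of-bounds access the change log describes. dr->wLength and dr->wIndex are printed raw here while the SERIAL_STATE case above uses le16_to_cpu(); converting them too would keep the log correct on big-endian hosts.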

2017-08-18 14:00:56

by Ben Hutchings

Subject: [PATCH 3.16 014/134] mtd: nand: fsmc: fix NAND width handling

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Petazzoni <[email protected]>

commit ee56874f23e5c11576540bd695177a5ebc4f4352 upstream.

In commit eea628199d5b ("mtd: Add device-tree support to fsmc_nand"),
Device Tree support was added to the fsmc_nand driver. However, this
code has a bug in how it handles the bank-width DT property to set the
bus width.

Indeed, in the function fsmc_nand_probe_config_dt() that parses the
Device Tree, it sets pdata->width to either 8 or 16 depending on the
value of the bank-width DT property.

Then, the ->probe() function will test if pdata->width is equal to
FSMC_NAND_BW16 (which is 2) to set NAND_BUSWIDTH_16 in
nand->options. Therefore, with the DT probing, this condition will never
match.

This commit fixes that by removing the "width" field from
fsmc_nand_platform_data and instead have the fsmc_nand_probe_config_dt()
function directly set the appropriate nand->options value.

It is worth mentioning that if this commit gets backported to older
kernels, prior to the drop of non-DT probing, then non-DT probing will
be broken because nand->options will no longer be set to
NAND_BUSWIDTH_16.

Fixes: eea628199d5b ("mtd: Add device-tree support to fsmc_nand")
Signed-off-by: Thomas Petazzoni <[email protected]>
Reviewed-by: Linus Walleij <[email protected]>
Signed-off-by: Boris Brezillon <[email protected]>
[bwh: Backported to 3.16: keep fsmc_nand_platform_data::width and the
test in fsmc_nand_probe()]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/mtd/nand/fsmc_nand.c
+++ b/drivers/mtd/nand/fsmc_nand.c
@@ -874,18 +874,19 @@ static int fsmc_nand_probe_config_dt(str
struct fsmc_nand_platform_data *pdata = dev_get_platdata(&pdev->dev);
u32 val;

- /* Set default NAND width to 8 bits */
- pdata->width = 8;
+ pdata->options = 0;
+
if (!of_property_read_u32(np, "bank-width", &val)) {
if (val == 2) {
- pdata->width = 16;
+ pdata->options |= NAND_BUSWIDTH_16;
} else if (val != 1) {
dev_err(&pdev->dev, "invalid bank-width %u\n", val);
return -EINVAL;
}
}
+
if (of_get_property(np, "nand-skip-bbtscan", NULL))
- pdata->options = NAND_SKIP_BBTSCAN;
+ pdata->options |= NAND_SKIP_BBTSCAN;

pdata->nand_timings = devm_kzalloc(&pdev->dev,
sizeof(*pdata->nand_timings), GFP_KERNEL);
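Review bot: initialising pdata->options to 0 and switching the nand-skip-bbtscan assignment to |= is required, since the previous plain assignment would have discarded a NAND_BUSWIDTH_16 bit set a few lines above. With the backport keeping fsmc_nand_platform_data::width and the probe-time test, the removed `pdata->width = 8` default leaves width at whatever the platform data already held, so confirm the width path in fsmc_nand_probe() stays benign for DT probing on 3.16.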

2017-08-18 14:00:55

by Ben Hutchings

Subject: [PATCH 3.16 015/134] [media] serial_ir: iommap is a memory address, not bool

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sean Young <[email protected]>

commit 069f3b10aed966b2da6bb1161af41da0e8880724 upstream.

This has been broken for a long time, so presumably it is not used. I
have no hardware to test this on.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=61401

Fixes: 90ab5ee ("module_param: make bool parameters really bool")

Signed-off-by: Sean Young <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/media/lirc/lirc_serial.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/staging/media/lirc/lirc_serial.c
+++ b/drivers/staging/media/lirc/lirc_serial.c
@@ -105,7 +105,7 @@ struct lirc_serial {
static int type;
static int io;
static int irq;
-static bool iommap;
+static ulong iommap;
static int ioshift;
static bool softcarrier = 1;
static bool share_irq;
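Review bot: the variable type and the module_param() type in the second hunk are both changed to ulong, which is required because module_param() type-checks the declared kind against the variable, and the existing MODULE_PARM_DESC text ("physical base for memory mapped I/O", "0 = no memory mapped io") already documents an address, so the new type matches the intended semantics. Other uses of iommap in the file (as a truth value or as an address handed to an ioremap-style helper) are not visible here and should be checked for sign or width warnings.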
@@ -1205,7 +1205,7 @@ module_param(io, int, S_IRUGO);
MODULE_PARM_DESC(io, "I/O address base (0x3f8 or 0x2f8)");

/* some architectures (e.g. intel xscale) have memory mapped registers */
-module_param(iommap, bool, S_IRUGO);
+module_param(iommap, ulong, S_IRUGO);
MODULE_PARM_DESC(iommap, "physical base for memory mapped I/O"
" (0 = no memory mapped io)");


2017-08-18 14:00:54

by Ben Hutchings

Subject: [PATCH 3.16 013/134] usb: hub: Do not attempt to autosuspend disconnected devices

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <[email protected]>

commit f5cccf49428447dfbc9edb7a04bb8fc316269781 upstream.

While running a bind/unbind stress test with the dwc3 usb driver on rk3399,
the following crash was observed.

Unable to handle kernel NULL pointer dereference at virtual address 00000218
pgd = ffffffc00165f000
[00000218] *pgd=000000000174f003, *pud=000000000174f003,
*pmd=0000000001750003, *pte=00e8000001751713
Internal error: Oops: 96000005 [#1] PREEMPT SMP
Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac
ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat rfcomm
xt_mark fuse bridge stp llc zram btusb btrtl btbcm btintel bluetooth
ip6table_filter mwifiex_pcie mwifiex cfg80211 cdc_ether usbnet r8152 mii joydev
snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async
ppp_generic slhc tun
CPU: 1 PID: 29814 Comm: kworker/1:1 Not tainted 4.4.52 #507
Hardware name: Google Kevin (DT)
Workqueue: pm pm_runtime_work
task: ffffffc0ac540000 ti: ffffffc0af4d4000 task.ti: ffffffc0af4d4000
PC is at autosuspend_check+0x74/0x174
LR is at autosuspend_check+0x70/0x174
...
Call trace:
[<ffffffc00080dcc0>] autosuspend_check+0x74/0x174
[<ffffffc000810500>] usb_runtime_idle+0x20/0x40
[<ffffffc000785ae0>] __rpm_callback+0x48/0x7c
[<ffffffc000786af0>] rpm_idle+0x1e8/0x498
[<ffffffc000787cdc>] pm_runtime_work+0x88/0xcc
[<ffffffc000249bb8>] process_one_work+0x390/0x6b8
[<ffffffc00024abcc>] worker_thread+0x480/0x610
[<ffffffc000251a80>] kthread+0x164/0x178
[<ffffffc0002045d0>] ret_from_fork+0x10/0x40

Source:

(gdb) l *0xffffffc00080dcc0
0xffffffc00080dcc0 is in autosuspend_check
(drivers/usb/core/driver.c:1778).
1773 /* We don't need to check interfaces that are
1774 * disabled for runtime PM. Either they are unbound
1775 * or else their drivers don't support autosuspend
1776 * and so they are permanently active.
1777 */
1778 if (intf->dev.power.disable_depth)
1779 continue;
1780 if (atomic_read(&intf->dev.power.usage_count) > 0)
1781 return -EBUSY;
1782 w |= intf->needs_remote_wakeup;

Code analysis shows that intf is set to NULL in usb_disable_device() prior
to setting actconfig to NULL. At the same time, usb_runtime_idle() does not
lock the usb device, and neither does any of the functions in the
traceback. This means that there is no protection against a race condition
where usb_disable_device() is removing dev->actconfig->interface[] pointers
while those are being accessed from autosuspend_check().

To solve the problem, synchronize and validate device state between
autosuspend_check() and usb_disconnect().

Acked-by: Alan Stern <[email protected]>
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/core/driver.c | 3 +++
drivers/usb/core/hub.c | 6 ++++++
2 files changed, 9 insertions(+)

--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -1785,6 +1785,9 @@ static int autosuspend_check(struct usb_
int w, i;
struct usb_interface *intf;

+ if (udev->state == USB_STATE_NOTATTACHED)
+ return -ENODEV;
+
/* Fail if autosuspend is disabled, or any interfaces are in use, or
* any interface drivers require remote wakeup but it isn't available.
*/
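Review bot: udev->state is read here without the device lock; the early return is only race-free because of the pm_runtime_barrier() added to usb_disconnect() in the next hunk, which drains in-flight runtime PM work before the interface pointers are torn down. Neither hunk shows the transition to USB_STATE_NOTATTACHED; it must precede the barrier for this check to catch the disconnect, so that ordering is worth a comment.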
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2069,6 +2069,12 @@ void usb_disconnect(struct usb_device **
dev_info(&udev->dev, "USB disconnect, device number %d\n",
udev->devnum);

+ /*
+ * Ensure that the pm runtime code knows that the USB device
+ * is in the process of being disconnected.
+ */
+ pm_runtime_barrier(&udev->dev);
+
usb_lock_device(udev);

hub_disconnect_children(udev);
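Review bot: the barrier is placed before usb_lock_device(udev), so it runs without the device lock; that is the right order, since the runtime PM work it waits for (usb_runtime_idle -> autosuspend_check, per the change log) does not take the device lock either, and waiting for it while holding the lock would gain nothing. The comment could mention that autosuspend_check() depends on this barrier.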

2017-08-18 14:00:52

by Ben Hutchings

Subject: [PATCH 3.16 012/134] usb: hub: Fix error loop seen after hub communication errors

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <[email protected]>

commit 245b2eecee2aac6fdc77dcafaa73c33f9644c3c7 upstream.

While stress testing a usb controller using a bind/unbind loop, the
following error loop was observed.

usb 7-1.2: new low-speed USB device number 3 using xhci-hcd
usb 7-1.2: hub failed to enable device, error -108
usb 7-1-port2: cannot disable (err = -22)
usb 7-1-port2: couldn't allocate usb_device
usb 7-1-port2: cannot disable (err = -22)
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: activate --> -22
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: activate --> -22
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: activate --> -22
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: activate --> -22
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: activate --> -22
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: activate --> -22
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: activate --> -22
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: activate --> -22
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
hub 7-1:1.0: hub_ext_port_status failed (err = -22)
** 57 printk messages dropped ** hub 7-1:1.0: activate --> -22
** 82 printk messages dropped ** hub 7-1:1.0: hub_ext_port_status failed (err = -22)

This continues forever. After adding tracebacks into the code,
the call sequence leading to this is found to be as follows.

[<ffffffc0007fc8e0>] hub_activate+0x368/0x7b8
[<ffffffc0007fceb4>] hub_resume+0x2c/0x3c
[<ffffffc00080b3b8>] usb_resume_interface.isra.6+0x128/0x158
[<ffffffc00080b5d0>] usb_suspend_both+0x1e8/0x288
[<ffffffc00080c9c4>] usb_runtime_suspend+0x3c/0x98
[<ffffffc0007820a0>] __rpm_callback+0x48/0x7c
[<ffffffc00078217c>] rpm_callback+0xa8/0xd4
[<ffffffc000786234>] rpm_suspend+0x84/0x758
[<ffffffc000786ca4>] rpm_idle+0x2c8/0x498
[<ffffffc000786ed4>] __pm_runtime_idle+0x60/0xac
[<ffffffc00080eba8>] usb_autopm_put_interface+0x6c/0x7c
[<ffffffc000803798>] hub_event+0x10ac/0x12ac
[<ffffffc000249bb8>] process_one_work+0x390/0x6b8
[<ffffffc00024abcc>] worker_thread+0x480/0x610
[<ffffffc000251a80>] kthread+0x164/0x178
[<ffffffc0002045d0>] ret_from_fork+0x10/0x40

kick_hub_wq() is called from hub_activate() even after failures to
communicate with the hub. This results in an endless sequence of
hub event -> hub activate -> wq trigger -> hub event -> ...

Provide two solutions for the problem.

- Only trigger the hub event queue if communication with the hub
is successful.
- After a suspend failure, only resume already suspended interfaces
if the communication with the device is still possible.

Each of the changes fixes the observed problem. Use both to improve
robustness.

Acked-by: Alan Stern <[email protected]>
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/core/driver.c | 18 ++++++++++++++++++
drivers/usb/core/hub.c | 5 ++++-
2 files changed, 22 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -1331,6 +1331,24 @@ static int usb_suspend_both(struct usb_d
*/
if (udev->parent && !PMSG_IS_AUTO(msg))
status = 0;
+
+ /*
+ * If the device is inaccessible, don't try to resume
+ * suspended interfaces and just return the error.
+ */
+ if (status && status != -EBUSY) {
+ int err;
+ u16 devstat;
+
+ err = usb_get_status(udev, USB_RECIP_DEVICE, 0,
+ &devstat);
+ if (err) {
+ dev_err(&udev->dev,
+ "Failed to suspend device, error %d\n",
+ status);
+ goto done;
+ }
+ }
}

/* If the suspend failed, resume interfaces that did get suspended */
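Review bot: `err` is tested only for non-zero and `devstat` is never read, and the dev_err() prints `status` (the suspend failure) rather than `err` (the GET_STATUS failure), so the log does not say why the device was judged inaccessible; printing both would help diagnosis. The `status != -EBUSY` exclusion keeps a merely busy device on the normal path where its interfaces are resumed, which is the right exception.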
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1044,6 +1044,9 @@ static void hub_activate(struct usb_hub

portstatus = portchange = 0;
status = hub_port_status(hub, port1, &portstatus, &portchange);
+ if (status)
+ goto abort;
+
if (udev || (portstatus & USB_PORT_STAT_CONNECTION))
dev_dbg(&port_dev->dev, "status %04x change %04x\n",
portstatus, portchange);
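Review bot: `goto abort` on a hub_port_status() failure leaves the per-port loop entirely rather than skipping the one port, so a single unreachable port aborts activation of all remaining ports; that matches the stated intent (only kick the hub work queue when communication succeeds) but is a behaviour change that deserves a comment at the goto.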
@@ -1176,7 +1179,7 @@ static void hub_activate(struct usb_hub

/* Scan all ports that need attention */
kick_khubd(hub);
-
+ abort:
/* Allow autosuspend if it was suppressed */
if (type <= HUB_INIT3)
usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
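Review bot: the abort label lands before usb_autopm_put_interface_async(), so the autosuspend reference taken for HUB_INIT3 and earlier is still dropped on the error path while kick_khubd() is skipped; that skip is what breaks the hub event -> hub activate -> wq trigger cycle.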

2017-08-18 14:07:09

by Ben Hutchings

Subject: [PATCH 3.16 010/134] pinctrl: sh-pfc: Update info pointer after SoC-specific init

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <[email protected]>

commit 3091ae775fae17084013021d01513bc1ad274e6a upstream.

Update the sh_pfc_soc_info pointer after calling the SoC-specific
initialization function, as it may have been updated to e.g. handle
different SoC revisions. This makes sure the correct subdriver name is
printed later.

Fixes: 0c151062f32c9db8 ("sh-pfc: Add support for SoC-specific initialization")
Signed-off-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/pinctrl/sh-pfc/core.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/pinctrl/sh-pfc/core.c
+++ b/drivers/pinctrl/sh-pfc/core.c
@@ -529,6 +529,9 @@ static int sh_pfc_probe(struct platform_
ret = info->ops->init(pfc);
if (ret < 0)
return ret;
+
+ /* .init() may have overridden pfc->info */
+ info = pfc->info;
}

pinctrl_provide_dummies();
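Review bot: the refresh of `info` sits inside the block that invokes ops->init(), so callers without an init op keep the original pointer; anything between the init call and this point that had cached fields of the old info would still be stale, but the hunk shows nothing does.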

2017-08-18 14:07:08

by Ben Hutchings

Subject: [PATCH 3.16 011/134] zd1211rw: fix NULL-deref at probe

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit ca260ece6a57dc7d751e0685f51fa2c55d851873 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device")
Cc: Daniel Drake <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/zd1211rw/zd_usb.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/net/wireless/zd1211rw/zd_usb.c
+++ b/drivers/net/wireless/zd1211rw/zd_usb.c
@@ -1278,6 +1278,9 @@ static int eject_installer(struct usb_in
u8 bulk_out_ep;
int r;

+ if (iface_desc->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
/* Find bulk out endpoint */
for (r = 1; r >= 0; r--) {
endpoint = &iface_desc->endpoint[r].desc;
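Review bot: bNumEndpoints < 2 is exactly the bound the loop below needs, since `for (r = 1; r >= 0; r--)` touches endpoint[1] and endpoint[0]; returning -ENODEV before the scan is correct for a device lacking them. As this is a probe-time path reachable by any attached device, the check must stay ahead of every other use of iface_desc->endpoint in eject_installer().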

2017-08-18 14:07:06

by Ben Hutchings

Subject: [PATCH 3.16 009/134] serial: sh-sci: Fix panic when serial console and DMA are enabled

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takatoshi Akiyama <[email protected]>

commit 3c9101766b502a0163d1d437fada5801cf616be2 upstream.

This patch fixes an issue where a kernel panic happens when DMA is enabled
and we press the enter key while the kernel is booting on the serial console.

* An interrupt may occur after sci_request_irq().
* The DMA transfer area is initialized by setup_timer() in sci_request_dma()
and used in the interrupt handler.

If an interrupt occurs between sci_request_irq() and setup_timer() in
sci_request_dma(), the DMA transfer area has not been initialized yet.
So, this patch changes the order of sci_request_irq() and
sci_request_dma().

Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.")
Signed-off-by: Takatoshi Akiyama <[email protected]>
[Shimoda changes the commit log]
Signed-off-by: Yoshihiro Shimoda <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/tty/serial/sh-sci.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -1715,11 +1715,13 @@ static int sci_startup(struct uart_port

dev_dbg(port->dev, "%s(%d)\n", __func__, port->line);

+ sci_request_dma(port);
+
ret = sci_request_irq(s);
- if (unlikely(ret < 0))
+ if (unlikely(ret < 0)) {
+ sci_free_dma(port);
return ret;
-
- sci_request_dma(port);
+ }

spin_lock_irqsave(&port->lock, flags);
sci_start_tx(port);
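Review bot: sci_request_dma() now runs before the IRQ is requested and is undone with sci_free_dma() if sci_request_irq() fails, so the error path no longer leaks the DMA setup; its return value is still unchecked, consistent with the original call site. The shutdown ordering in the next hunk is reversed to match (IRQ freed first, then DMA), so no interrupt can run against freed DMA state.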
@@ -1741,8 +1743,8 @@ static void sci_shutdown(struct uart_por
sci_stop_tx(port);
spin_unlock_irqrestore(&port->lock, flags);

- sci_free_dma(port);
sci_free_irq(s);
+ sci_free_dma(port);
}

static unsigned int sci_scbrr_calc(struct sci_port *s, unsigned int bps,

2017-08-18 14:07:55

by Ben Hutchings

Subject: [PATCH 3.16 004/134] ima: pass 'opened' flag to identify newly created files

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Kasatkin <[email protected]>

commit 3034a146820c26fe6da66a45f6340fe87fe0983a upstream.

Empty files and missing xattrs do not guarantee that a file was
just created. This patch passes FILE_CREATED flag to IMA to
reliably identify new files.

Signed-off-by: Dmitry Kasatkin <[email protected]>
Signed-off-by: Mimi Zohar <[email protected]>
[bwh: Backported to 3.16: drop change to ima_fw_from_file()]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3086,7 +3086,7 @@ opened:
error = open_check_o_direct(file);
if (error)
goto exit_fput;
- error = ima_file_check(file, op->acc_mode);
+ error = ima_file_check(file, op->acc_mode, *opened);
if (error)
goto exit_fput;

--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -736,7 +736,7 @@ nfsd_open(struct svc_rqst *rqstp, struct
host_err = PTR_ERR(*filp);
*filp = NULL;
} else {
- host_err = ima_file_check(*filp, may_flags);
+ host_err = ima_file_check(*filp, may_flags, 0);

if (may_flags & NFSD_MAY_64BIT_COOKIE)
(*filp)->f_mode |= FMODE_64BITHASH;
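Review bot: nfsd_open() passes a constant 0 for `opened`, so files created over NFS are never flagged FILE_CREATED and take the missing-hash path as ordinary existing files; that is the conservative choice, but it differs from the local path in fs/namei.c, which forwards `*opened`, and a short comment here would record that this is deliberate.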
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -15,7 +15,7 @@ struct linux_binprm;

#ifdef CONFIG_IMA
extern int ima_bprm_check(struct linux_binprm *bprm);
-extern int ima_file_check(struct file *file, int mask);
+extern int ima_file_check(struct file *file, int mask, int opened);
extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long prot);
extern int ima_module_check(struct file *file);
@@ -26,7 +26,7 @@ static inline int ima_bprm_check(struct
return 0;
}

-static inline int ima_file_check(struct file *file, int mask)
+static inline int ima_file_check(struct file *file, int mask, int opened)
{
return 0;
}
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -176,7 +176,7 @@ void ima_delete_rules(void);
int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
- int xattr_len);
+ int xattr_len, int opened);
int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func);
void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
@@ -192,7 +192,7 @@ static inline int ima_appraise_measureme
struct file *file,
const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
- int xattr_len)
+ int xattr_len, int opened)
{
return INTEGRITY_UNKNOWN;
}
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -175,7 +175,7 @@ int ima_read_xattr(struct dentry *dentry
int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
struct file *file, const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
- int xattr_len)
+ int xattr_len, int opened)
{
static const char op[] = "appraise_data";
char *cause = "unknown";
@@ -195,7 +195,7 @@ int ima_appraise_measurement(int func, s

cause = "missing-hash";
status = INTEGRITY_NOLABEL;
- if (inode->i_size == 0) {
+ if (opened & FILE_CREATED) {
iint->flags |= IMA_NEW_FILE;
status = INTEGRITY_PASS;
}
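Review bot: replacing `inode->i_size == 0` with `opened & FILE_CREATED` closes the gap the change log describes: an existing file truncated to zero length used to look newly created and was granted INTEGRITY_PASS without a hash, whereas now only a file created by this open() sets IMA_NEW_FILE. The flag is still set only on the missing-hash path shown here, so files that carry a hash are appraised as before.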
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -161,7 +161,7 @@ void ima_file_free(struct file *file)
}

static int process_measurement(struct file *file, const char *filename,
- int mask, int function)
+ int mask, int function, int opened)
{
struct inode *inode = file_inode(file);
struct integrity_iint_cache *iint;
@@ -229,7 +229,7 @@ static int process_measurement(struct fi
xattr_value, xattr_len);
if (action & IMA_APPRAISE_SUBMASK)
rc = ima_appraise_measurement(_func, iint, file, pathname,
- xattr_value, xattr_len);
+ xattr_value, xattr_len, opened);
if (action & IMA_AUDIT)
ima_audit_measurement(iint, pathname);
kfree(pathbuf);
@@ -258,7 +258,7 @@ out:
int ima_file_mmap(struct file *file, unsigned long prot)
{
if (file && (prot & PROT_EXEC))
- return process_measurement(file, NULL, MAY_EXEC, MMAP_CHECK);
+ return process_measurement(file, NULL, MAY_EXEC, MMAP_CHECK, 0);
return 0;
}

@@ -280,7 +280,7 @@ int ima_bprm_check(struct linux_binprm *
return process_measurement(bprm->file,
(strcmp(bprm->filename, bprm->interp) == 0) ?
bprm->filename : bprm->interp,
- MAY_EXEC, BPRM_CHECK);
+ MAY_EXEC, BPRM_CHECK, 0);
}

/**
@@ -293,12 +293,12 @@ int ima_bprm_check(struct linux_binprm *
* On success return 0. On integrity appraisal error, assuming the file
* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
*/
-int ima_file_check(struct file *file, int mask)
+int ima_file_check(struct file *file, int mask, int opened)
{
ima_rdwr_violation_check(file);
return process_measurement(file, NULL,
mask & (MAY_READ | MAY_WRITE | MAY_EXEC),
- FILE_CHECK);
+ FILE_CHECK, opened);
}
EXPORT_SYMBOL_GPL(ima_file_check);
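Review bot: ima_file_check() forwards `opened` unchanged into process_measurement(), while the other entry points (ima_file_mmap, ima_bprm_check, ima_module_check) pass 0; that is correct since none of those corresponds to file creation, but a one-word comment at the 0 arguments would save the next reader the lookup.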

@@ -321,7 +321,7 @@ int ima_module_check(struct file *file)
#endif
return 0; /* We rely on module signature checking */
}
- return process_measurement(file, NULL, MAY_EXEC, MODULE_CHECK);
+ return process_measurement(file, NULL, MAY_EXEC, MODULE_CHECK, 0);
}

static int __init init_ima(void)

2017-08-18 14:07:54

by Ben Hutchings

Subject: [PATCH 3.16 005/134] ima: accept previously set IMA_NEW_FILE

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Glöckner <[email protected]>

commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream.

Modifying the attributes of a file makes ima_inode_post_setattr reset
the IMA cache flags. So if the file, which has just been created,
is opened a second time before the first file descriptor is closed,
verification fails since the security.ima xattr has not been written
yet. We therefore have to look at the IMA_NEW_FILE even if the file
already existed.

With this patch there should no longer be an error when cat tries to
open testfile:

$ rm -f testfile
$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile

A file being new is no reason to accept that it is missing a digital
signature demanded by the policy.

Signed-off-by: Daniel Glöckner <[email protected]>
Signed-off-by: Mimi Zohar <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
security/integrity/ima/ima_appraise.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -195,10 +195,11 @@ int ima_appraise_measurement(int func, s

cause = "missing-hash";
status = INTEGRITY_NOLABEL;
- if (opened & FILE_CREATED) {
+ if (opened & FILE_CREATED)
iint->flags |= IMA_NEW_FILE;
+ if ((iint->flags & IMA_NEW_FILE) &&
+ !(iint->flags & IMA_DIGSIG_REQUIRED))
status = INTEGRITY_PASS;
- }
goto out;
}
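Review bot: the INTEGRITY_PASS at the end of this hunk now depends on IMA_NEW_FILE having been left in `iint->flags` by an earlier open rather than on the current open's FILE_CREATED, so the hunk is only safe if that flag is cleared once security.ima has actually been written (on the last close of the created file); please state or reference the clearing path in the log, otherwise a created file that is never hashed keeps passing appraisal while `cause` still reads "missing-hash". Keeping the `!(iint->flags & IMA_DIGSIG_REQUIRED)` exclusion is the right call: the log's last sentence says it, and the code now enforces it, that a file being new is no reason to waive a signature the policy demands.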


2017-08-18 14:07:51

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 008/134] perf hists browser: Fix typo in function switch_data_file

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Changbin Du <[email protected]>

commit 3ef5b4023c64c16c793a066a7a2ed6ea3767e0d7 upstream.

Should clear buf 'abs_path', not 'options'.

Signed-off-by: Changbin Du <[email protected]>
Cc: Feng Tang <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Fixes: 341487ab561f ("perf hists browser: Add option for runtime switching perf data file")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
tools/perf/ui/browsers/hists.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/ui/browsers/hists.c
+++ b/tools/perf/ui/browsers/hists.c
@@ -1305,7 +1305,7 @@ static int switch_data_file(void)
return ret;

memset(options, 0, sizeof(options));
- memset(options, 0, sizeof(abs_path));
+ memset(abs_path, 0, sizeof(abs_path));

while ((dent = readdir(pwd_dir))) {
char path[PATH_MAX];
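Review bot: the fix is correct, but the log should spell out what the typo did: `memset(options, 0, sizeof(abs_path))` zeroed sizeof(abs_path) bytes starting at `options`, so whenever `abs_path` is larger than `options` the old code wrote past the end of `options` on the stack, and `abs_path` itself was left uninitialised for the loop below. Please also confirm in the log that `abs_path` is declared as a fixed-size array in this function; if it were a pointer, `sizeof(abs_path)` on the `+` line would clear only pointer-sized bytes.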

2017-08-18 14:09:01

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 007/134] ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <[email protected]>

commit 16ff1fb0e32f76a5d285a6f23b82d21aa52813c6 upstream.

T: Bus=01 Lev=02 Prnt=02 Port=02 Cnt=01 Dev#= 7 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs= 1
P: Vendor=1eda ProdID=2315 Rev=01.08
S: Manufacturer=ATHEROS
S: Product=USB2.0 WLAN
S: SerialNumber=12345
C: #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)

Signed-off-by: Dmitry Tunin <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -41,6 +41,7 @@ static struct usb_device_id ath9k_hif_us
{ USB_DEVICE(0x0cf3, 0xb002) }, /* Ubiquiti WifiStation */
{ USB_DEVICE(0x057c, 0x8403) }, /* AVM FRITZ!WLAN 11N v2 USB */
{ USB_DEVICE(0x0471, 0x209e) }, /* Philips (or NXP) PTA01 */
+ { USB_DEVICE(0x1eda, 0x2315) }, /* AirTies */

{ USB_DEVICE(0x0cf3, 0x7015),
.driver_info = AR9287_USB }, /* Atheros */
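Review bot: the inline comment `/* AirTies */` is less specific than its neighbours, which name the product; the subject line identifies the device as an AR9271-based AirTies adapter, so `/* AirTies AR9271 */` or the product name would help the next person matching lsusb output against this table. The entry carries no `.driver_info`, so it is handled the same way as the surrounding entries without one, which matches the lsusb descriptor in the log.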

2017-08-18 14:08:59

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 006/134] ath9k_htc: Add new USB ID

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Leon Nardella <[email protected]>

commit 0088d27b78f2c0118aee82923269518616481ea0 upstream.

This device is a dongle made by Philips to enhance their TVs with wireless capabilities,
but works flawlessly on any upstream kernel, provided that the ath9k_htc module is attached to it.
It's correctly recognized by lsusb as "0471:209e Philips (or NXP) PTA01 Wireless Adapter" and the
patch has been tested on real hardware.

Signed-off-by: Leon Nardella <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -40,6 +40,7 @@ static struct usb_device_id ath9k_hif_us
{ USB_DEVICE(0x0cf3, 0xb003) }, /* Ubiquiti WifiStation Ext */
{ USB_DEVICE(0x0cf3, 0xb002) }, /* Ubiquiti WifiStation */
{ USB_DEVICE(0x057c, 0x8403) }, /* AVM FRITZ!WLAN 11N v2 USB */
+ { USB_DEVICE(0x0471, 0x209e) }, /* Philips (or NXP) PTA01 */

{ USB_DEVICE(0x0cf3, 0x7015),
.driver_info = AR9287_USB }, /* Atheros */

2017-08-18 14:09:33

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 002/134] staging: comedi: jr3_pci: fix possible null pointer dereference

3.16.47-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ian Abbott <[email protected]>

commit 45292be0b3db0b7f8286683b376e2d9f949d11f9 upstream.

For some reason, the driver does not consider allocation of the
subdevice private data to be a fatal error when attaching the COMEDI
device. It tests the subdevice private data pointer for validity at
certain points, but omits some crucial tests. In particular,
`jr3_pci_auto_attach()` calls `jr3_pci_alloc_spriv()` to allocate and
initialize the subdevice private data, but the same function
subsequently dereferences the pointer to access the `next_time_min` and
`next_time_max` members without checking it first. The other missing
test is in the timer expiry routine `jr3_pci_poll_dev()`, but it will
crash before it gets that far.

Fix the bug by returning `-ENOMEM` from `jr3_pci_auto_attach()` as soon
as one of the calls to `jr3_pci_alloc_spriv()` returns `NULL`. The
COMEDI core will subsequently call `jr3_pci_detach()` to clean up.

Signed-off-by: Ian Abbott <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/comedi/drivers/jr3_pci.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/staging/comedi/drivers/jr3_pci.c
+++ b/drivers/staging/comedi/drivers/jr3_pci.c
@@ -726,11 +726,12 @@ static int jr3_pci_auto_attach(struct co
s->insn_read = jr3_pci_ai_insn_read;

spriv = jr3_pci_alloc_spriv(dev, s);
- if (spriv) {
- /* Channel specific range and maxdata */
- s->range_table_list = spriv->range_table_list;
- s->maxdata_list = spriv->maxdata_list;
- }
+ if (!spriv)
+ return -ENOMEM;
+
+ /* Channel specific range and maxdata */
+ s->range_table_list = spriv->range_table_list;
+ s->maxdata_list = spriv->maxdata_list;
}

/* Reset DSP card */
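Review bot: the early `return -ENOMEM` sits inside the per-subdevice block (the closing brace after the two assignments), so a failure for subdevice N leaves the private data already allocated for earlier subdevices to be freed by `jr3_pci_detach()`, leaves the later subdevices without private data, and skips the DSP reset that follows; the log says the core calls detach, so please confirm detach tolerates that partially attached state (NULL private data on some subdevices, card not reset). If `jr3_pci_alloc_spriv()` uses a managed allocation, one sentence in the log saying so settles the question.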

2017-08-18 14:55:41

by Guenter Roeck

[permalink] [raw]
Subject: Re: [PATCH 3.16 000/134] 3.16.47-rc1 review

On 08/18/2017 06:13 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.47 release.
> There are 134 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Mon Aug 21 18:00:00 UTC 2017.
> Anything received after that time might be too late.
>

Build results:
total: 136 pass: 136 fail: 0
Qemu test results:
total: 107 pass: 107 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

2017-08-18 20:10:31

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.16 000/134] 3.16.47-rc1 review

On Fri, 2017-08-18 at 07:55 -0700, Guenter Roeck wrote:
> On 08/18/2017 06:13 AM, Ben Hutchings wrote:
> > This is the start of the stable review cycle for the 3.16.47 release.
> > There are 134 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Mon Aug 21 18:00:00 UTC 2017.
> > Anything received after that time might be too late.
> >
>
> Build results:
> total: 136 pass: 136 fail: 0
> Qemu test results:
> total: 107 pass: 107 fail: 0
>
> Details are available at http://kerneltests.org/builders.

Thanks for checking.

Ben.

--
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.


Attachments:
signature.asc (833.00 B)
This is a digitally signed message part

2017-08-19 06:29:47

by Maksim Salau

[permalink] [raw]
Subject: Re: [PATCH 3.16 084/134] usb: misc: legousbtower: Fix buffers on stack

On Fri, 18 Aug 2017 14:13:20 +0100
Ben Hutchings <[email protected]> wrote:

> 3.16.47-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Maksim Salau <[email protected]>
>
> commit 942a48730faf149ccbf3e12ac718aee120bb3529 upstream.
>
> Allocate buffers on HEAP instead of STACK for local structures
> that are to be received using usb_control_msg().

Hi Ben,

The change has a memory leak, which is fixed by the commit
0bd193d62b4270a2a7a09da43ad1034c7ca5b3d3
If the commit is not in your queue, please add it.

Thanks,
Maksim.


Subject: Re: [PATCH 3.16 097/134] power: supply: pda_power: move from timer to delayed_work

Hi Ben

On Fri, Aug 18, 2017 at 3:13 PM, Ben Hutchings <[email protected]> wrote:
> 3.16.47-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Michael Trimarchi <[email protected]>
>
> commit 633e8799ddc09431be2744c4a1efdbda13af2b0b upstream.
>
> This change is needed to avoid locking problem during
> boot as shown:
>

No objection

Michael

> <5>[ 8.824096] Registering SWP/SWPB emulation handler
> <6>[ 8.977294] clock: disabling unused clocks to save power
> <3>[ 9.108154] BUG: sleeping function called from invalid context at kernel_albert/kernel/mutex.c:269
> <3>[ 9.122894] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
> <4>[ 9.130249] 3 locks held by swapper/0/1:
> <4>[ 9.134613] #0: (&__lockdep_no_validate__){......}, at: [<c0342430>] __driver_attach+0x58/0xa8
> <4>[ 9.144500] #1: (&__lockdep_no_validate__){......}, at: [<c0342440>] __driver_attach+0x68/0xa8
> <4>[ 9.154357] #2: (&polling_timer){......}, at: [<c0053770>] run_timer_softirq+0x108/0x3ec
> <4>[ 9.163726] Backtrace:
> <4>[ 9.166473] [<c001269c>] (dump_backtrace+0x0/0x114) from [<c067e5f0>] (dump_stack+0x20/0x24)
> <4>[ 9.175811] r6:00203230 r5:0000010d r4:d782e000 r3:60000113
> <4>[ 9.182250] [<c067e5d0>] (dump_stack+0x0/0x24) from [<c007441c>] (__might_sleep+0x10c/0x128)
> <4>[ 9.191650] [<c0074310>] (__might_sleep+0x0/0x128) from [<c0688f60>] (mutex_lock_nested+0x34/0x36c)
> <4>[ 9.201660] r5:c02d5350 r4:d79a0c64
> <4>[ 9.205688] [<c0688f2c>] (mutex_lock_nested+0x0/0x36c) from [<c02d5350>] (regulator_set_current_limit+0x30/0x118)
> <4>[ 9.217071] [<c02d5320>] (regulator_set_current_limit+0x0/0x118) from [<c0435ce0>] (update_charger+0x84/0xc4)
> <4>[ 9.228027] r7:d782fb20 r6:00000101 r5:c1767e94 r4:00000000
> <4>[ 9.234436] [<c0435c5c>] (update_charger+0x0/0xc4) from [<c0435d40>] (psy_changed+0x20/0x48)
> <4>[ 9.243804] r5:d782e000 r4:c1767e94
> <4>[ 9.247802] [<c0435d20>] (psy_changed+0x0/0x48) from [<c0435dec>] (polling_timer_func+0x84/0xb8)
> <4>[ 9.257537] r4:c1767e94 r3:00000002
> <4>[ 9.261566] [<c0435d68>] (polling_timer_func+0x0/0xb8) from [<c00537e4>] (run_timer_softirq+0x17c/0x3ec)
> <4>[ 9.272033] r4:c1767eb0 r3:00000000
> <4>[ 9.276062] [<c0053668>] (run_timer_softirq+0x0/0x3ec) from [<c004b000>] (__do_softirq+0xf0/0x298)
> <4>[ 9.286010] [<c004af10>] (__do_softirq+0x0/0x298) from [<c004b650>] (irq_exit+0x98/0xa0)
> <4>[ 9.295013] [<c004b5b8>] (irq_exit+0x0/0xa0) from [<c000edbc>] (handle_IRQ+0x60/0xc0)
> <4>[ 9.303680] r4:c1194e98 r3:c00bc778
> <4>[ 9.307708] [<c000ed5c>] (handle_IRQ+0x0/0xc0) from [<c0008504>] (gic_handle_irq+0x34/0x68)
> <4>[ 9.316955] r8:000ac383 r7:d782fc3c r6:d782fc08 r5:c11936c4 r4:e0802100
> <4>[ 9.324310] r3:c026ba48
> <4>[ 9.327301] [<c00084d0>] (gic_handle_irq+0x0/0x68) from [<c068c2c0>] (__irq_svc+0x40/0x74)
> <4>[ 9.336456] Exception stack(0xd782fc08 to 0xd782fc50)
> <4>[ 9.342041] fc00: d6e30e6c ac383627 00000000 ac383417 ea19c000 ea200000
> <4>[ 9.351104] fc20: beffffff 00000667 000ac383 d6e30670 d6e3066c d782fc94 d782fbe8 d782fc50
> <4>[ 9.360168] fc40: c026ba48 c001d1f0 00000113 ffffffff
>
> Fixes: b2998049cfae ("[BATTERY] pda_power platform driver")
> Signed-off-by: Michael Trimarchi <[email protected]>
> Signed-off-by: Anthony Brandon <[email protected]>
> Signed-off-by: Sebastian Reichel <[email protected]>
> [bwh: Backported to 3.16: adjust filename]
> Signed-off-by: Ben Hutchings <[email protected]>
> ---
> drivers/power/pda_power.c | 49 ++++++++++++++++++++++------------------
> 1 file changed, 27 insertions(+), 22 deletions(-)
>
> --- a/drivers/power/pda_power.c
> +++ b/drivers/power/pda_power.c
> @@ -30,9 +30,9 @@ static inline unsigned int get_irq_flags
> static struct device *dev;
> static struct pda_power_pdata *pdata;
> static struct resource *ac_irq, *usb_irq;
> -static struct timer_list charger_timer;
> -static struct timer_list supply_timer;
> -static struct timer_list polling_timer;
> +static struct delayed_work charger_work;
> +static struct delayed_work polling_work;
> +static struct delayed_work supply_work;
> static int polling;
>
> #if IS_ENABLED(CONFIG_USB_PHY)
> @@ -143,7 +143,7 @@ static void update_charger(void)
> }
> }
>
> -static void supply_timer_func(unsigned long unused)
> +static void supply_work_func(struct work_struct *work)
> {
> if (ac_status == PDA_PSY_TO_CHANGE) {
> ac_status = new_ac_status;
> @@ -164,11 +164,12 @@ static void psy_changed(void)
> * Okay, charger set. Now wait a bit before notifying supplicants,
> * charge power should stabilize.
> */
> - mod_timer(&supply_timer,
> - jiffies + msecs_to_jiffies(pdata->wait_for_charger));
> + cancel_delayed_work(&supply_work);
> + schedule_delayed_work(&supply_work,
> + msecs_to_jiffies(pdata->wait_for_charger));
> }
>
> -static void charger_timer_func(unsigned long unused)
> +static void charger_work_func(struct work_struct *work)
> {
> update_status();
> psy_changed();
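Review bot: `cancel_delayed_work()` followed by `schedule_delayed_work()` is the open-coded form of `mod_delayed_work(system_wq, &supply_work, ...)`, which exists in 3.16 and re-arms in one call; the same pair is repeated in the three hunks below for `charger_work` and `polling_work`. The open-coded form is not wrong, but between the cancel and the schedule a concurrent caller can queue the work with a different delay, which `mod_delayed_work()` avoids. The behavioural change this hunk is after is the right one: the work now runs in process context, which is what the `__might_sleep` splat from `regulator_set_current_limit()` in the log above requires.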
> @@ -187,13 +188,14 @@ static irqreturn_t power_changed_isr(int
> * Wait a bit before reading ac/usb line status and setting charger,
> * because ac/usb status readings may lag from irq.
> */
> - mod_timer(&charger_timer,
> - jiffies + msecs_to_jiffies(pdata->wait_for_status));
> + cancel_delayed_work(&charger_work);
> + schedule_delayed_work(&charger_work,
> + msecs_to_jiffies(pdata->wait_for_status));
>
> return IRQ_HANDLED;
> }
>
> -static void polling_timer_func(unsigned long unused)
> +static void polling_work_func(struct work_struct *work)
> {
> int changed = 0;
>
> @@ -214,8 +216,9 @@ static void polling_timer_func(unsigned
> if (changed)
> psy_changed();
>
> - mod_timer(&polling_timer,
> - jiffies + msecs_to_jiffies(pdata->polling_interval));
> + cancel_delayed_work(&polling_work);
> + schedule_delayed_work(&polling_work,
> + msecs_to_jiffies(pdata->polling_interval));
> }
>
> #if IS_ENABLED(CONFIG_USB_PHY)
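Review bot: inside `polling_work_func()` the `cancel_delayed_work(&polling_work)` on the `+` line is a no-op, since the work item currently executing has already been taken off the queue; only the `schedule_delayed_work()` is needed to re-arm. The self re-arm is safe against the `cancel_delayed_work_sync()` in the remove path, which waits for the running instance and rejects queueing while the cancel is in progress, but that is worth a sentence in the log because it is what keeps `polling_work` from outliving the device.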
> @@ -253,8 +256,9 @@ static int otg_handle_notification(struc
> * Wait a bit before reading ac/usb line status and setting charger,
> * because ac/usb status readings may lag from irq.
> */
> - mod_timer(&charger_timer,
> - jiffies + msecs_to_jiffies(pdata->wait_for_status));
> + cancel_delayed_work(&charger_work);
> + schedule_delayed_work(&charger_work,
> + msecs_to_jiffies(pdata->wait_for_status));
>
> return NOTIFY_OK;
> }
> @@ -302,8 +306,8 @@ static int pda_power_probe(struct platfo
> if (!pdata->ac_max_uA)
> pdata->ac_max_uA = 500000;
>
> - setup_timer(&charger_timer, charger_timer_func, 0);
> - setup_timer(&supply_timer, supply_timer_func, 0);
> + INIT_DELAYED_WORK(&charger_work, charger_work_func);
> + INIT_DELAYED_WORK(&supply_work, supply_work_func);
>
> ac_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "ac");
> usb_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "usb");
> @@ -381,9 +385,10 @@ static int pda_power_probe(struct platfo
>
> if (polling) {
> dev_dbg(dev, "will poll for status\n");
> - setup_timer(&polling_timer, polling_timer_func, 0);
> - mod_timer(&polling_timer,
> - jiffies + msecs_to_jiffies(pdata->polling_interval));
> + INIT_DELAYED_WORK(&polling_work, polling_work_func);
> + cancel_delayed_work(&polling_work);
> + schedule_delayed_work(&polling_work,
> + msecs_to_jiffies(pdata->polling_interval));
> }
>
> if (ac_irq || usb_irq)
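Review bot: `cancel_delayed_work(&polling_work)` immediately after `INIT_DELAYED_WORK()` is redundant: a freshly initialised work item cannot be pending, so the `schedule_delayed_work()` alone is enough. Note also that `polling_work` is only initialised inside `if (polling)`, which is why the remove path must keep its `if (polling)` guard before cancelling it.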
> @@ -429,9 +434,9 @@ static int pda_power_remove(struct platf
> free_irq(ac_irq->start, &pda_psy_ac);
>
> if (polling)
> - del_timer_sync(&polling_timer);
> - del_timer_sync(&charger_timer);
> - del_timer_sync(&supply_timer);
> + cancel_delayed_work_sync(&polling_work);
> + cancel_delayed_work_sync(&charger_work);
> + cancel_delayed_work_sync(&supply_work);
>
> if (pdata->is_usb_online)
> power_supply_unregister(&pda_psy_usb);
>
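Review bot: the cancel order here matters and is right: `polling_work_func()` and `charger_work_func()` both call `psy_changed()`, which re-arms `supply_work`, so cancelling polling and charger synchronously before supply prevents a stale re-arm after `supply_work` has been cancelled. One path to check that is not in this hunk: `otg_handle_notification()` also schedules `charger_work`, so the USB PHY notifier must be unregistered before these cancels, otherwise a notification landing in between can queue `charger_work` against a device that is going away.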



--
| Michael Nazzareno Trimarchi Amarula Solutions BV |
| COO - Founder Cruquiuskade 47 |
| +31(0)851119172 Amsterdam 1018 AM NL |
| [`as] http://www.amarulasolutions.com |

2017-08-19 19:55:16

by Anthony Brandon

[permalink] [raw]
Subject: Re: [PATCH 3.16 097/134] power: supply: pda_power: move from timer to delayed_work

I have no objection.

Anthony

On Sat, Aug 19, 2017 at 6:05 PM, Michael Nazzareno Trimarchi
<[email protected]> wrote:
> Hi Ben
>
> On Fri, Aug 18, 2017 at 3:13 PM, Ben Hutchings <[email protected]> wrote:
>> 3.16.47-rc1 review patch. If anyone has any objections, please let me know.
>>
>> ------------------
>>
>> From: Michael Trimarchi <[email protected]>
>>
>> commit 633e8799ddc09431be2744c4a1efdbda13af2b0b upstream.
>>
>> This change is needed to avoid locking problem during
>> boot as shown:
>>
>
> No objection
>
> Michael
>
>> <5>[ 8.824096] Registering SWP/SWPB emulation handler
>> <6>[ 8.977294] clock: disabling unused clocks to save power
>> <3>[ 9.108154] BUG: sleeping function called from invalid context at kernel_albert/kernel/mutex.c:269
>> <3>[ 9.122894] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0
>> <4>[ 9.130249] 3 locks held by swapper/0/1:
>> <4>[ 9.134613] #0: (&__lockdep_no_validate__){......}, at: [<c0342430>] __driver_attach+0x58/0xa8
>> <4>[ 9.144500] #1: (&__lockdep_no_validate__){......}, at: [<c0342440>] __driver_attach+0x68/0xa8
>> <4>[ 9.154357] #2: (&polling_timer){......}, at: [<c0053770>] run_timer_softirq+0x108/0x3ec
>> <4>[ 9.163726] Backtrace:
>> <4>[ 9.166473] [<c001269c>] (dump_backtrace+0x0/0x114) from [<c067e5f0>] (dump_stack+0x20/0x24)
>> <4>[ 9.175811] r6:00203230 r5:0000010d r4:d782e000 r3:60000113
>> <4>[ 9.182250] [<c067e5d0>] (dump_stack+0x0/0x24) from [<c007441c>] (__might_sleep+0x10c/0x128)
>> <4>[ 9.191650] [<c0074310>] (__might_sleep+0x0/0x128) from [<c0688f60>] (mutex_lock_nested+0x34/0x36c)
>> <4>[ 9.201660] r5:c02d5350 r4:d79a0c64
>> <4>[ 9.205688] [<c0688f2c>] (mutex_lock_nested+0x0/0x36c) from [<c02d5350>] (regulator_set_current_limit+0x30/0x118)
>> <4>[ 9.217071] [<c02d5320>] (regulator_set_current_limit+0x0/0x118) from [<c0435ce0>] (update_charger+0x84/0xc4)
>> <4>[ 9.228027] r7:d782fb20 r6:00000101 r5:c1767e94 r4:00000000
>> <4>[ 9.234436] [<c0435c5c>] (update_charger+0x0/0xc4) from [<c0435d40>] (psy_changed+0x20/0x48)
>> <4>[ 9.243804] r5:d782e000 r4:c1767e94
>> <4>[ 9.247802] [<c0435d20>] (psy_changed+0x0/0x48) from [<c0435dec>] (polling_timer_func+0x84/0xb8)
>> <4>[ 9.257537] r4:c1767e94 r3:00000002
>> <4>[ 9.261566] [<c0435d68>] (polling_timer_func+0x0/0xb8) from [<c00537e4>] (run_timer_softirq+0x17c/0x3ec)
>> <4>[ 9.272033] r4:c1767eb0 r3:00000000
>> <4>[ 9.276062] [<c0053668>] (run_timer_softirq+0x0/0x3ec) from [<c004b000>] (__do_softirq+0xf0/0x298)
>> <4>[ 9.286010] [<c004af10>] (__do_softirq+0x0/0x298) from [<c004b650>] (irq_exit+0x98/0xa0)
>> <4>[ 9.295013] [<c004b5b8>] (irq_exit+0x0/0xa0) from [<c000edbc>] (handle_IRQ+0x60/0xc0)
>> <4>[ 9.303680] r4:c1194e98 r3:c00bc778
>> <4>[ 9.307708] [<c000ed5c>] (handle_IRQ+0x0/0xc0) from [<c0008504>] (gic_handle_irq+0x34/0x68)
>> <4>[ 9.316955] r8:000ac383 r7:d782fc3c r6:d782fc08 r5:c11936c4 r4:e0802100
>> <4>[ 9.324310] r3:c026ba48
>> <4>[ 9.327301] [<c00084d0>] (gic_handle_irq+0x0/0x68) from [<c068c2c0>] (__irq_svc+0x40/0x74)
>> <4>[ 9.336456] Exception stack(0xd782fc08 to 0xd782fc50)
>> <4>[ 9.342041] fc00: d6e30e6c ac383627 00000000 ac383417 ea19c000 ea200000
>> <4>[ 9.351104] fc20: beffffff 00000667 000ac383 d6e30670 d6e3066c d782fc94 d782fbe8 d782fc50
>> <4>[ 9.360168] fc40: c026ba48 c001d1f0 00000113 ffffffff
>>
>> Fixes: b2998049cfae ("[BATTERY] pda_power platform driver")
>> Signed-off-by: Michael Trimarchi <[email protected]>
>> Signed-off-by: Anthony Brandon <[email protected]>
>> Signed-off-by: Sebastian Reichel <[email protected]>
>> [bwh: Backported to 3.16: adjust filename]
>> Signed-off-by: Ben Hutchings <[email protected]>
>> ---
>> drivers/power/pda_power.c | 49 ++++++++++++++++++++++------------------
>> 1 file changed, 27 insertions(+), 22 deletions(-)
>>
>> --- a/drivers/power/pda_power.c
>> +++ b/drivers/power/pda_power.c
>> @@ -30,9 +30,9 @@ static inline unsigned int get_irq_flags
>> static struct device *dev;
>> static struct pda_power_pdata *pdata;
>> static struct resource *ac_irq, *usb_irq;
>> -static struct timer_list charger_timer;
>> -static struct timer_list supply_timer;
>> -static struct timer_list polling_timer;
>> +static struct delayed_work charger_work;
>> +static struct delayed_work polling_work;
>> +static struct delayed_work supply_work;
>> static int polling;
>>
>> #if IS_ENABLED(CONFIG_USB_PHY)
>> @@ -143,7 +143,7 @@ static void update_charger(void)
>> }
>> }
>>
>> -static void supply_timer_func(unsigned long unused)
>> +static void supply_work_func(struct work_struct *work)
>> {
>> if (ac_status == PDA_PSY_TO_CHANGE) {
>> ac_status = new_ac_status;
>> @@ -164,11 +164,12 @@ static void psy_changed(void)
>> * Okay, charger set. Now wait a bit before notifying supplicants,
>> * charge power should stabilize.
>> */
>> - mod_timer(&supply_timer,
>> - jiffies + msecs_to_jiffies(pdata->wait_for_charger));
>> + cancel_delayed_work(&supply_work);
>> + schedule_delayed_work(&supply_work,
>> + msecs_to_jiffies(pdata->wait_for_charger));
>> }
>>
>> -static void charger_timer_func(unsigned long unused)
>> +static void charger_work_func(struct work_struct *work)
>> {
>> update_status();
>> psy_changed();
>> @@ -187,13 +188,14 @@ static irqreturn_t power_changed_isr(int
>> * Wait a bit before reading ac/usb line status and setting charger,
>> * because ac/usb status readings may lag from irq.
>> */
>> - mod_timer(&charger_timer,
>> - jiffies + msecs_to_jiffies(pdata->wait_for_status));
>> + cancel_delayed_work(&charger_work);
>> + schedule_delayed_work(&charger_work,
>> + msecs_to_jiffies(pdata->wait_for_status));
>>
>> return IRQ_HANDLED;
>> }
>>
>> -static void polling_timer_func(unsigned long unused)
>> +static void polling_work_func(struct work_struct *work)
>> {
>> int changed = 0;
>>
>> @@ -214,8 +216,9 @@ static void polling_timer_func(unsigned
>> if (changed)
>> psy_changed();
>>
>> - mod_timer(&polling_timer,
>> - jiffies + msecs_to_jiffies(pdata->polling_interval));
>> + cancel_delayed_work(&polling_work);
>> + schedule_delayed_work(&polling_work,
>> + msecs_to_jiffies(pdata->polling_interval));
>> }
>>
>> #if IS_ENABLED(CONFIG_USB_PHY)
>> @@ -253,8 +256,9 @@ static int otg_handle_notification(struc
>> * Wait a bit before reading ac/usb line status and setting charger,
>> * because ac/usb status readings may lag from irq.
>> */
>> - mod_timer(&charger_timer,
>> - jiffies + msecs_to_jiffies(pdata->wait_for_status));
>> + cancel_delayed_work(&charger_work);
>> + schedule_delayed_work(&charger_work,
>> + msecs_to_jiffies(pdata->wait_for_status));
>>
>> return NOTIFY_OK;
>> }
>> @@ -302,8 +306,8 @@ static int pda_power_probe(struct platfo
>> if (!pdata->ac_max_uA)
>> pdata->ac_max_uA = 500000;
>>
>> - setup_timer(&charger_timer, charger_timer_func, 0);
>> - setup_timer(&supply_timer, supply_timer_func, 0);
>> + INIT_DELAYED_WORK(&charger_work, charger_work_func);
>> + INIT_DELAYED_WORK(&supply_work, supply_work_func);
>>
>> ac_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "ac");
>> usb_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "usb");
>> @@ -381,9 +385,10 @@ static int pda_power_probe(struct platfo
>>
>> if (polling) {
>> dev_dbg(dev, "will poll for status\n");
>> - setup_timer(&polling_timer, polling_timer_func, 0);
>> - mod_timer(&polling_timer,
>> - jiffies + msecs_to_jiffies(pdata->polling_interval));
>> + INIT_DELAYED_WORK(&polling_work, polling_work_func);
>> + cancel_delayed_work(&polling_work);
>> + schedule_delayed_work(&polling_work,
>> + msecs_to_jiffies(pdata->polling_interval));
>> }
>>
>> if (ac_irq || usb_irq)
>> @@ -429,9 +434,9 @@ static int pda_power_remove(struct platf
>> free_irq(ac_irq->start, &pda_psy_ac);
>>
>> if (polling)
>> - del_timer_sync(&polling_timer);
>> - del_timer_sync(&charger_timer);
>> - del_timer_sync(&supply_timer);
>> + cancel_delayed_work_sync(&polling_work);
>> + cancel_delayed_work_sync(&charger_work);
>> + cancel_delayed_work_sync(&supply_work);
>>
>> if (pdata->is_usb_online)
>> power_supply_unregister(&pda_psy_usb);
>>
>
>
>
> --
> | Michael Nazzareno Trimarchi Amarula Solutions BV |
> | COO - Founder Cruquiuskade 47 |
> | +31(0)851119172 Amsterdam 1018 AM NL |
> | [`as] http://www.amarulasolutions.com |

2017-08-20 09:19:53

by Tariq Toukan

[permalink] [raw]
Subject: Re: [PATCH 3.16 124/134] net/mlx4_en: Avoid adding steering rules with invalid ring


On 18/08/2017 4:13 PM, Ben Hutchings wrote:
> 3.16.47-rc1 review patch. If anyone has any objections, please let me know.
Please notice that there's a fix for this patch, here:

6dc06c08bef1 net/mlx4: Fix the check in attaching steering rules

>
> ------------------
>
> From: Talat Batheesh <[email protected]>
>
> commit 89c557687a32c294e9d25670a96e9287c09f2d5f upstream.
>
> Inserting steering rules with illegal ring is an invalid operation,
> block it.
>
> Fixes: 820672812f82 ('net/mlx4_en: Manage flow steering rules with ethtool')
> Signed-off-by: Talat Batheesh <[email protected]>
> Signed-off-by: Tariq Toukan <[email protected]>
> Signed-off-by: David S. Miller <[email protected]>
> Signed-off-by: Ben Hutchings <[email protected]>
> ---
> drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> --- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
> +++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
> @@ -930,6 +930,11 @@ static int mlx4_en_flow_replace(struct n
> qpn = priv->drop_qp.qpn;
> else if (cmd->fs.ring_cookie & EN_ETHTOOL_QP_ATTACH) {
> qpn = cmd->fs.ring_cookie & (EN_ETHTOOL_QP_ATTACH - 1);
> + if (qpn < priv->rss_map.base_qpn ||
> + qpn >= priv->rss_map.base_qpn + priv->rx_ring_num) {
> + en_warn(priv, "rxnfc: QP (0x%x) doesn't exist\n", qpn);
> + return -EINVAL;
> + }
> } else {
> if (cmd->fs.ring_cookie >= priv->rx_ring_num) {
> en_warn(priv, "rxnfc: RX ring (%llu) doesn't exist\n",
>
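Review bot: the new range test treats the RX ring QPs as one contiguous block starting at `priv->rss_map.base_qpn`, which is the assumption Tariq's pointer above says was corrected upstream by 6dc06c08bef1 ("net/mlx4: Fix the check in attaching steering rules"); the backport should carry that follow-up rather than this version alone, or valid rules can be rejected. Failing with `-EINVAL` plus `en_warn()` is the right shape for this check: the ring cookie comes from an ethtool caller and must be validated before a steering rule is attached.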

2017-08-21 02:24:42

by Huacai Chen

[permalink] [raw]
Subject: Re: [PATCH 3.16 032/134] MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6

3.16 doesn't need this, because 3.16 doesn't support Loongson-3 R2/R3.

Huacai

On Fri, Aug 18, 2017 at 9:13 PM, Ben Hutchings <[email protected]> wrote:
> 3.16.47-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Huacai Chen <[email protected]>
>
> commit 17c99d9421695a0e0de18bf1e7091d859e20ec1d upstream.
>
> Some newer Loongson-3 have 64 bytes cache lines, so select
> MIPS_L1_CACHE_SHIFT_6.
>
> Signed-off-by: Huacai Chen <[email protected]>
> Cc: John Crispin <[email protected]>
> Cc: Steven J . Hill <[email protected]>
> Cc: Fuxin Zhang <[email protected]>
> Cc: Zhangjin Wu <[email protected]>
> Cc: [email protected]
> Patchwork: https://patchwork.linux-mips.org/patch/15755/
> Signed-off-by: Ralf Baechle <[email protected]>
> [bwh: Backported to 3.16: adjust context]
> Signed-off-by: Ben Hutchings <[email protected]>
> ---
> arch/mips/Kconfig | 1 +
> 1 file changed, 1 insertion(+)
>
> --- a/arch/mips/Kconfig
> +++ b/arch/mips/Kconfig
> @@ -1193,6 +1193,7 @@ config CPU_LOONGSON3
> select CPU_SUPPORTS_HUGEPAGES
> select WEAK_ORDERING
> select WEAK_REORDERING_BEYOND_LLSC
> + select MIPS_L1_CACHE_SHIFT_6
> help
> The Loongson 3 processor implements the MIPS64R2 instruction
> set with many extensions.
>
>
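Review bot: the added `select` is harmless in isolation, but as the author states above 3.16 does not support the Loongson-3 revisions with 64-byte cache lines, so there is no need to change L1_CACHE_SHIFT for this stable series; raising L1_CACHE_BYTES also changes the layout of every `____cacheline_aligned` structure, which is not something a stable kernel should do for no benefit. Dropping the patch is the better outcome.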

2017-08-26 00:33:24

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.16 119/134] ipv4: restore rt->fi for reference counting

On Fri, 2017-08-18 at 06:53 -0700, Eric Dumazet wrote:
> On Fri, Aug 18, 2017 at 6:13 AM, Ben Hutchings <[email protected]> wrote:
> > 3.16.47-rc1 review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: WANG Cong <[email protected]>
> >
> > commit 82486aa6f1b9bc8145e6d0fa2bc0b44307f3b875 upstream.
[...]
> I thought we refined this later with :

In fact it was reverted upstream, then replaced by the commits you
point out. Thanks; I don't know why I missed that.

> commit 3fb07daff8e99243366a081e5129560734de4ada
> Author: Eric Dumazet <[email protected]>
> Date:   Thu May 25 14:27:35 2017 -0700
>
>     ipv4: add reference counting to metrics
[...]

It's not obvious how to backport this, as it adds:

+#define DST_METRICS_REFCOUNTED 0x2UL

but 3.16 already has a flag with value 2. I don't think we can take
another bit from the pointer as metrics are only 32-bit aligned.

Ben.

--
Ben Hutchings
One of the nice things about standards is that there are so many of
them.


Attachments:
signature.asc (833.00 B)
This is a digitally signed message part
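Added example, not code from this thread or from the kernel: a user-space C illustration of the constraint Ben describes above, that a pointer to data aligned only to 4 bytes leaves exactly two zero low bits for flag storage, so two single-bit flags (0x1 and 0x2) exhaust it and a third (0x4) either cannot be recovered or corrupts the address. The flag names, the sample array and the alignment values are constructed for the demonstration; the kernel's dst metrics definitions are not reproduced.

```c
/*
 * Added illustration, not kernel code: with data aligned only to 4 bytes a
 * pointer has exactly two low bits guaranteed zero, so at most two
 * single-bit flags fit.  The flag names below are hypothetical stand-ins
 * for the two flags already taken in 3.16 and the third the backport would
 * need; the sample array is constructed for this example.
 */
#include <stdalign.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG_FIRST       0x1UL   /* hypothetical: already used */
#define FLAG_SECOND      0x2UL   /* hypothetical: already used */
#define FLAG_REFCOUNTED  0x4UL   /* hypothetical: the third bit wanted */

/* Number of low pointer bits guaranteed zero for a power-of-two alignment. */
static unsigned int spare_low_bits(size_t alignment)
{
	unsigned int n = 0;

	while (alignment > 1) {
		alignment >>= 1;
		n++;
	}
	return n;
}

/* A single-bit flag can live in the pointer only if it is below the alignment. */
static bool flag_fits(unsigned long flag, size_t alignment)
{
	bool single_bit = flag != 0 && (flag & (flag - 1)) == 0;

	return single_bit && flag < alignment;
}

/* Tagged word: address with flags OR'ed in, unmasked, as code assuming the flags fit would do. */
static uintptr_t pack(const uint32_t *p, unsigned long flags)
{
	return (uintptr_t)p | (uintptr_t)flags;
}

/* Recover the address by clearing only the bits the alignment spares. */
static const uint32_t *unpack_ptr(uintptr_t word, size_t alignment)
{
	return (const uint32_t *)(word & ~((uintptr_t)alignment - 1));
}

static unsigned long unpack_flags(uintptr_t word, size_t alignment)
{
	return (unsigned long)(word & ((uintptr_t)alignment - 1));
}

/*
 * Tag the address of metrics[index] with `flag`, untag it assuming the given
 * alignment, and report whether both address and flag survived.  metrics[]
 * is a constructed 8-byte-aligned sample, so even indices are 8-byte aligned
 * and odd indices only 4-byte aligned.
 */
static bool roundtrip_ok(size_t index, unsigned long flag, size_t alignment)
{
	static _Alignas(8) uint32_t metrics[8];
	const uint32_t *p = &metrics[index];
	uintptr_t word = pack(p, flag);

	return unpack_ptr(word, alignment) == p &&
	       unpack_flags(word, alignment) == flag;
}

int main(void)
{
	printf("4-byte alignment spares %u bits, 8-byte alignment spares %u\n",
	       spare_low_bits(4), spare_low_bits(8));
	printf("0x2 fits in a 4-aligned pointer: %s\n",
	       flag_fits(FLAG_SECOND, 4) ? "yes" : "no");
	printf("0x4 fits in a 4-aligned pointer: %s\n",
	       flag_fits(FLAG_REFCOUNTED, 4) ? "yes" : "no");
	printf("0x4 survives a round trip with a 2-bit mask: %s\n",
	       roundtrip_ok(2, FLAG_REFCOUNTED, 4) ? "yes" : "no");
	printf("0x4 would survive if the data were 8-aligned: %s\n",
	       roundtrip_ok(2, FLAG_REFCOUNTED, 8) ? "yes" : "no");
	printf("...but not for an element that is only 4-aligned: %s\n",
	       roundtrip_ok(1, FLAG_REFCOUNTED, 8) ? "yes" : "no");
	return 0;
}
```

The two failure modes are distinct: with a 2-bit mask the 0x4 flag is never stripped, so the recovered address is wrong; with a 3-bit mask on data that is only 4-byte aligned, bit 2 is part of the address and the flag cannot be told apart from it. Either way the third flag needs 8-byte alignment of the metrics block, which is the change Ben says is not available in 3.16.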

2017-08-26 00:34:49

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.16 032/134] MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6

On Mon, 2017-08-21 at 10:24 +0800, Huacai Chen wrote:
> 3.16 doesn't need this, because 3.16 doesn't support Loongson-3 R2/R3.

Thanks, I'll drop this.

Ben.

> Huacai
>
> On Fri, Aug 18, 2017 at 9:13 PM, Ben Hutchings <[email protected]> wrote:
> > 3.16.47-rc1 review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Huacai Chen <[email protected]>
> >
> > commit 17c99d9421695a0e0de18bf1e7091d859e20ec1d upstream.
> >
> > Some newer Loongson-3 have 64 bytes cache lines, so select
> > MIPS_L1_CACHE_SHIFT_6.
> >
> > Signed-off-by: Huacai Chen <[email protected]>
> > Cc: John Crispin <[email protected]>
> > Cc: Steven J . Hill <[email protected]>
> > Cc: Fuxin Zhang <[email protected]>
> > Cc: Zhangjin Wu <[email protected]>
> > Cc: [email protected]
> > Patchwork: https://patchwork.linux-mips.org/patch/15755/
> > Signed-off-by: Ralf Baechle <[email protected]>
> > [bwh: Backported to 3.16: adjust context]
> > Signed-off-by: Ben Hutchings <[email protected]>
> > ---
> >  arch/mips/Kconfig | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > --- a/arch/mips/Kconfig
> > +++ b/arch/mips/Kconfig
> > @@ -1193,6 +1193,7 @@ config CPU_LOONGSON3
> >         select CPU_SUPPORTS_HUGEPAGES
> >         select WEAK_ORDERING
> >         select WEAK_REORDERING_BEYOND_LLSC
> > +       select MIPS_L1_CACHE_SHIFT_6
> >         help
> >                 The Loongson 3 processor implements the MIPS64R2 instruction
> >                 set with many extensions.
> >
> >
--
Ben Hutchings
One of the nice things about standards is that there are so many of
them.


Attachments:
signature.asc (833.00 B)
This is a digitally signed message part

2017-08-26 00:37:09

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.16 084/134] usb: misc: legousbtower: Fix buffers on stack

On Sat, 2017-08-19 at 09:29 +0300, Maksim Salau wrote:
> On Fri, 18 Aug 2017 14:13:20 +0100
> Ben Hutchings <[email protected]> wrote:
>
> > 3.16.47-rc1 review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Maksim Salau <[email protected]>
> >
> > commit 942a48730faf149ccbf3e12ac718aee120bb3529 upstream.
> >
> > Allocate buffers on HEAP instead of STACK for local structures
> > that are to be received using usb_control_msg().
>
> Hi Ben,
>
> The change has a memory leak, which is fixed by the commit
> 0bd193d62b4270a2a7a09da43ad1034c7ca5b3d3
> If the commit is not in your queue, please add it.

Thanks, I've added this.

Ben.

--
Ben Hutchings
One of the nice things about standards is that there are so many of
them.


Attachments:
signature.asc (833.00 B)
This is a digitally signed message part

2017-08-26 01:10:48

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.16 124/134] net/mlx4_en: Avoid adding steering rules with invalid ring

On Sun, 2017-08-20 at 12:19 +0300, Tariq Toukan wrote:
> On 18/08/2017 4:13 PM, Ben Hutchings wrote:
> > 3.16.47-rc1 review patch.  If anyone has any objections, please let me know.
>
> Please notice that there's a fix for this patch, here:
>
> 6dc06c08bef1 net/mlx4: Fix the check in attaching steering rules
[...]

Thanks, I've added that.

Ben.

--
Ben Hutchings
One of the nice things about standards is that there are so many of
them.


Attachments:
signature.asc (833.00 B)
This is a digitally signed message part