2017-06-01 16:42:43

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 000/212] 3.16.44-rc1 review

This is the start of the stable review cycle for the 3.16.44 release.
There are 212 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat Jun 03 16:00:00 UTC 2017.
Anything received after that time might be too late.

A combined patch relative to 3.16.43 will be posted as an additional
response to this. A shortlog and diffstat can be found below.

Ben.

-------------

Alex Deucher (1):
drm/radeon: handle vfct with multiple vbios images
[a882f5de402ded769af74fbf276132f9c175049c]

Alexander Stein (1):
W1: ds2490: Increase timeout when waiting for status
[d25221525e0e2cfd70e4ec7216549c06609a8bd2]

Alexey Kodanev (1):
tcp: account for ts offset only if tsecr not zero
[eee2faabc63d863a129000b698a2bca54dff643d]

Amey Telawane (1):
tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
[e09e28671cda63e6308b31798b997639120e2a21]

Andrey Konovalov (3):
net/packet: fix overflow in check for priv area size
[2b6867c2ce76c596676bec7d2d525af525fdc6e2]
net/packet: fix overflow in check for tp_frame_nr
[8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b]
net/packet: fix overflow in check for tp_reserve
[bcc5364bdcfe131e6379363f089e7b4108d35b70]

Andrey Ryabinin (1):
net/dccp: fix use after free in tw_timer_handler()
[ec7cb62d18d854ea09df8b7194e7e710985f8b9a]

Andy Whitcroft (2):
xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
[677e806da4d916052585301785d847c3b3e6186a]
xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
[f843ee6dd019bcece3e74e76ad9df0155655d0df]

Arnaldo Carvalho de Melo (1):
perf tests: Avoid possible truncation with dirent->d_name + snprintf
[2e2bbc039fad9eabad6c4c1a473c8b2554cdd2d4]

Arnd Bergmann (4):
MIPS: 'make -s' should be silent
[8c9b23ffb3f92ffa4cbe37b1bab4542586e0bfd1]
MIPS: ip27: Disable qlge driver in defconfig
[b617649468390713db1515ea79fc772d2eb897a8]
[media] dvb-usb-v2: avoid use-after-free
[005145378c9ad7575a01b6ce1ba118fb427f583a]
staging: rtl: fix possible NULL pointer dereference
[6e017006022abfea5d2466cad936065f45763ad1]

Bart Van Assche (1):
blk-mq: Make bt_clear_tag() easier to read
[9d8f0bcca6ffa024a822ce4ab1008ab663f06672]

Brian Norris (1):
mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print
[6183468a23fc6b6903f8597982017ad2c7fdefcf]

Chao Peng (1):
KVM: VMX: use correct vmcs_read/write for guest segment selector/base
[96794e4ed4d758272c486e1529e431efb7045265]

Chao Yu (1):
f2fs: use for_each_set_bit to simplify the code
[b65ee14818e67127aa242fe1dbd3711b9c095cc0]

Chris Brandt (2):
clk: renesas: mstp: ensure register writes complete
[f59de563358eb9351b7f8f0ba2d3be2ebb70b93d]
i2c: riic: correctly finish transfers
[71ccea095ea1d4efd004dab971be6d599e06fc3f]

Chris Salls (1):
mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
[cf01fb9985e8deb25ccf0ea54d916b8871ae0e62]

Chris Wilson (1):
locking/ww_mutex: Fix compilation of __WW_MUTEX_INITIALIZER
[af2e859edd477fa1ea3d1d106f41a595cff3d162]

Christian Lamparter (1):
ath9k: use correct OTP register offsets for the AR9340 and AR9550
[c9f1e32600816d695f817477d56490bfc2ba43c6]

Christoph Hellwig (3):
nfsd: minor nfsd_setattr cleanup
[758e99fefe1d9230111296956335cd35995c0eaf]
nfsd: special case truncates some more
[783112f7401ff449d979530209b3f6c2594fdb4e]
nfsd: update mtime on truncate
[f0c63124a6165792f6e37e4b5983792d009e1ce8]

Chun-Yi Lee (1):
platform/x86: acer-wmi: setup accelerometer when machine has appropriate notify event
[98d610c3739ac354319a6590b915f4624d9151e6]

Colin Ian King (1):
usb: misc: adutux: remove redundant error check on copy_to_user return code
[453785c64e090d9b4169636b7276fcd6d7489d33]

[email protected] (1):
md linear: fix a race between linear_add() and linear_congested()
[03a9e24ef2aaa5f1f9837356aed79c860521407a]

Craig Gallek (1):
ipv6: Prevent overrun when parsing v6 header options
[2423496af35d94a87156b063ea5cedffc10a70a1]

Dan Carpenter (5):
KEYS: Fix an error code in request_master_key()
[57cb17e764ba0aaa169d07796acce54ccfbc6cae]
adm80211: return an error if adm8211_alloc_rings() fails
[c705a6b3aa7804d7bc6660183f51e510c61dc807]
cpufreq: s3c2416: double free on driver init error path
[a69261e4470d680185a15f748d9cdafb37c57a33]
ipx: call ipxitf_put() in ioctl error path
[ee0d8d8482345ff97a75a7d747efc309f13b0d80]
net/mlx4: && vs & typo
[b2d0fe35471d1a71471f99147ffb5986bd60e744]

David Dillow (1):
iommu/vt-d: Don't over-free page table directories
[f7116e115acdd74bc75a4daf6492b11d43505125]

David Howells (2):
KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
[ee8f844e3c5a73b999edf733df1c529d6503ec2f]
KEYS: Reinstate EPERM for a key type name beginning with a '.'
[54e2c2c1a9d6cbb270b0999a38545fa9a69bee43]

David S. Miller (1):
ipv6: Check ip6_find_1stfragopt() return value properly.
[7dd7eb9513bd02184d45f000ab69d78cb1fa1531]

Dexuan Cui (1):
hv: vmbus_post_msg: retry the hypercall on some transient errors
[89f9f6796d41e10e224b0cb0027ddd78cb881f65]

Dmitry Tunin (1):
Bluetooth: Add another AR3012 04ca:3018 device
[441ad62d6c3f131f1dbd7dcdd9cbe3f74dbd8501]

Eli Cohen (1):
IB/mlx5: Fix retrieval of index to first hi class bfreg
[0b80c14f009758cefeed0edff4f9141957964211]

Eric Biggers (1):
KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
[c9f838d104fed6f2f61d68164712e3204bf5271b]

Eric Dumazet (7):
dccp/tcp: do not inherit mc_list from parent
[657831ffc38e30092a2d5f03d385d710eb88b09a]
ipv6: fix out of bound writes in __ip6_append_data()
[232cd35d0804cc241eb887bb8d4d9b3b9881c64a]
mlx4: reduce OOM risk on arches with large pages
[3608b13ccc51d06e499dfe12b27f134de1286e28]
net/mlx4_en: Use __skb_fill_page_desc()
[7f0137e2ef9f32143df623001a96f7aab61a9595]
net: net_enable_timestamp() can be called from irq contexts
[13baa00ad01bb3a9f893e3a08cbc2d072fc0c15d]
ping: implement proper locking
[43a6684519ab0a6c52024b5e25322476cabad893]
sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
[fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8]

Eugenia Emantayev (1):
net/mlx4: Spoofcheck and zero MAC can't coexist
[745d8ae4622c6808b22e33a944c7decb30074be4]

Felipe Balbi (1):
usb: dwc3: gadget: skip Set/Clear Halt when invalid
[ffb80fc672c3a7b6afd0cefcb1524fb99917b2f3]

Felipe F. Tonello (1):
usb: gadget: define free_ep_req as universal function
[079fe5a6da616891cca1a26e803e1df2a87e9ae5]

Felix Fietkau (2):
ath5k: drop bogus warning on drv_set_key with unsupported cipher
[a70e1d6fd6b5e1a81fa6171600942bee34f5128f]
ath9k: fix race condition in enabling/disabling IRQs
[3a5e969bb2f6692a256352649355d56d018d6b88]

Feras Daoud (6):
IB/ipoib: Change list_del to list_del_init in the tx object
[27d41d29c7f093f6f77843624fbb080c1b4a8b9c]
IB/ipoib: Fix deadlock between rmmod and set_mode
[0a0007f28304cb9fc87809c86abb80ec71317f20]
IB/ipoib: Fix deadlock over vlan_mutex
[1c3098cdb05207e740715857df7b0998e372f527]
IB/ipoib: Replace list_del of the neigh->list with list_del_init
[c586071d1dc8227a7182179b8e50ee92cc43f6d2]
IB/ipoib: Set device connection mode only when needed
[80b5b35aba62232521b31440f0a3cf6caa033849]
IB/ipoib: rtnl_unlock can not come after free_netdev
[89a3987ab7a923c047c6dec008e60ad6f41fac22]

Ganapathi Bhat (1):
mwifiex: Avoid skipping WEP key deletion for AP
[a5b60de6972decc6b50a39abb376077c3c3621c8]

Gavin Shan (1):
mm/page_alloc: fix nodes for reclaim in fast path
[e02dc017c3032dcdce1b993af0db135462e1b4b7]

Guennadi Liakhovetski (1):
[media] uvcvideo: Fix a wrong macro
[17c341ec0115837a610b2da15e32546e26068234]

Haiyang Zhang (1):
hv_vmbus: Add gradually increased delay for retries in vmbus_post_msg()
[e1c0d82dab4a4605d3bd1968436f030dfed4a829]

Hari Vyas (1):
net: ethernet: bgmac: mac address change bug
[fa42245dff4a5f2f8f208da542acbd80c22f7c65]

Herbert Xu (1):
crypto: ahash - Fix EINPROGRESS notification callback
[ef0579b64e93188710d48667cb5e014926af9f1b]

Hou Pengyang (1):
f2fs: add ovp valid_blocks check for bg gc victim to fg_gc
[e93b9865251a0503d83fd570e7d5a7c8bc351715]

Ian Abbott (1):
serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards
[1c9c858e2ff8ae8024a3d75d2ed080063af43754]

Igor Pylypiv (1):
staging: wlan-ng: add missing byte order conversion
[2c474b8579e9b67ff72b2bcefce9f53c7f4469d4]

J. Bruce Fields (4):
NFSv4: fix getacl head length estimation
[6682c14bbe505a8b912c57faf544f866777ee48d]
nfsd4: minor NFSv2/v3 write decoding cleanup
[db44bac41bbfc0c0d9dd943092d8bded3c9db19b]
nfsd: check for oversized NFSv2/v3 arguments
[e6838a29ecb484c97e4efef9429643b9851fba6e]
nfsd: stricter decoding of write-like NFSv2/v3 ops
[13bf9fbff0e5e099e2b6f003a0ab8ae145436309]

James Cowgill (1):
MIPS: OCTEON: Fix copy_from_user fault handling for large buffers
[884b426917e4b3c85f33b382c792a94305dfdd62]

Jan Kara (3):
ext4: avoid deadlock when expanding inode size
[2e81a4eeedcaa66e35f58b81e0755b87057ce392]
ext4: fix data corruption in data=journal mode
[3b136499e906460919f0d21a49db1aaccf0ae963]
ext4: trim allocation requests to group size
[cd648b8a8fd5071d232242d5ee7ee3c0815776af]

Jan Kiszka (1):
serial: exar: Fix initialization of EXAR registers for ports > 0
[5b5f252d67afd7bd5b923c664206d60800bf5054]

Janosch Frank (1):
KVM: s390: Disable dirty log retrieval for UCONTROL guests
[e1e8a9624f7ba8ead4f056ff558ed070e86fa747]

Jason Gunthorpe (1):
RDMA/core: Fix incorrect structure packing for booleans
[55efcfcd7776165b294f8b5cd6e05ca00ec89b7c]

Javier Martinez Canillas (1):
tty: serial: msm: Fix module autoload
[abe81f3b8ed2996e1712d26d38ff6b73f582c616]

Joe Thornber (1):
dm cache: fix corruption seen when using cache > 2TB
[ca763d0a53b264a650342cee206512bc92ac7050]

Johan Hovold (23):
USB: iowarrior: fix NULL-deref at probe
[b7321e81fc369abe353cf094d4f0dc2fe11ab95f]
USB: serial: ark3116: fix open error handling
[b631433b175f1002a31020e09bbfc2e5caecf290]
USB: serial: ark3116: fix register-accessor error handling
[9fef37d7cf170522fb354d6d0ea6de09b9b16678]
USB: serial: ch341: fix modem-status handling
[a0467a967f347842b30739aae636c44980265265]
USB: serial: digi_acceleport: fix OOB data sanity check
[2d380889215fe20b8523345649dee0579821800c]
USB: serial: digi_acceleport: fix incomplete rx sanity check
[1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232]
USB: serial: ftdi_sio: fix extreme low-latency setting
[c6dce2626606ef16434802989466636bc28c1419]
USB: serial: ftdi_sio: fix latency-timer error handling
[e3e574ad85a208cb179f33720bb5f12b453de33c]
USB: serial: ftdi_sio: fix line-status over-reporting
[a6bb1e17a39818b01b55d8e6238b4b5f06d55038]
USB: serial: ftdi_sio: fix modem-status error handling
[427c3a95e3e29e65f59d99aaf320d7506f3eed57]
USB: serial: io_edgeport: fix descriptor error handling
[3c0e25d883d06a1fbd1ad35257e8abaa57befb37]
USB: serial: io_edgeport: fix epic-descriptor handling
[e4457d9798adb96272468e93da663de9bd0a4198]
USB: serial: io_ti: fix information leak in completion handler
[654b404f2a222f918af9b0cd18ad469d0c941a8e]
USB: serial: keyspan_pda: fix receive sanity checks
[c528fcb116e61afc379a2e0a0f70906b937f1e2c]
USB: serial: mct_u232: fix modem-status error handling
[36356a669eddb32917fc4b5c2b9b8bf80ede69de]
USB: serial: mos7840: fix another NULL-deref at open
[5182c2cf2a9bfb7f066ef0bdd2bb6330b94dd74e]
USB: serial: omninet: fix reference leaks at open
[30572418b445d85fcfe6c8fe84c947d2606767d8]
USB: serial: opticon: fix CTS retrieval at open
[2eee05020a0e7ee7c04422cbacdb07859e45dce6]
USB: serial: quatech2: fix control-message error handling
[8c34cb8ddfe808d557b51da983ff10c02793beb2]
USB: serial: sierra: fix bogus alternate-setting assumption
[16620b483eaf7750413bae472f4363b6b959fcaa]
USB: serial: spcp8x5: fix modem-status handling
[5ed8d41023751bdd3546f2fe4118304357efe8d2]
USB: serial: ssu100: fix control-message error handling
[1eac5c244f705182d1552a53e2f74e2775ed95d6]
USB: serial: ti_usb_3410_5052: fix control-message error handling
[39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30]

John Keeping (1):
PM / QoS: Fix memory leak on resume_latency.notifiers
[e84b4a84e52d4cd8770b4242cd09df0133333f63]

Julian Anastasov (1):
ipv4: mask tos for input route
[6e28099d38c0e50d62c1afc054e37e573adf3d21]

Julian Wiedmann (1):
s390/qdio: clear DSCI prior to scanning multiple input queues
[1e4a382fdc0ba8d1a85b758c0811de3a3631085e]

K. Y. Srinivasan (3):
Drivers: hv: vmbus: Reduce the delay between retries in vmbus_post_msg()
[8de0d7e951826d7592e0ba1da655b175c4aa0923]
drivers: hv: Turn off write permission on the hypercall page
[372b1e91343e657a7cc5e2e2bcecd5140ac28119]
scsi: storvsc: Fix a bug in the handling of SRB status flags
[3209f9d780d137cdb54c85e0a776cb19e723a170]

Ken Lin (1):
USB: serial: cp210x: add new IDs for GE Bx50v3 boards
[9a593656def0dc2f6c227851e8e602077267a5f1]

Kirtika Ruchandani (1):
iwlwifi: mvm: rs: Remove unused 'mcs' variable
[9d50443575fa379c3c72848162af1375a4d43b50]

Krzysztof Opasiak (3):
usb: gadget: f_hid: Use spinlock instead of mutex
[33e4c1a9987a1fc3b42c3b534100b5b006d55c61]
usb: gadget: f_hid: fix: Free out requests
[20d2ca955bd09639c7b01db5761d157c297aea0a]
usb: gadget: f_hid: fix: Prevent accessing released memory
[aa65d11aa008f4de58a9cee7e121666d9d68505e]

Lars-Peter Clausen (1):
[media] adv7604: Initialize drive strength to default when using DT
[da8892d410db224d9a24104529794e6e37e0c100]

Leo Yan (1):
clk: hisilicon: fix lock assignment
[55da97e38cab844682abb71400a908b871d0054c]

Leon Romanovsky (2):
IB/mlx5: Fix out-of-bound access
[0fd27a88c2e4f548937fd7d93fc6e65c4ad7c278]
IB/mlx5: Return error for unsupported signature type
[12bbf1ea7e3b35892dbb8636b978160bc9576b61]

Li Qiang (1):
drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
[e7e11f99564222d82f0ce84bd521e57d78a6b678]

Liam Breck (6):
power: supply: bq24190_charger: Call power_supply_changed() for relevant component
[2d9fee6a42ea170e4378b3363a7ad385d0e67281]
power: supply: bq24190_charger: Call set_mode_host() on pm_resume()
[e05ad7e0741ce0505e1df157c62b22b95172bb97]
power: supply: bq24190_charger: Don't read fault register outside irq_handle_thread()
[68abfb8015832ddf728b911769659468efaf8bd9]
power: supply: bq24190_charger: Fix irq trigger to IRQF_TRIGGER_FALLING
[767eee362fd72bb2ca44cc80419ca4b38c6d8369]
power: supply: bq24190_charger: Handle fault before status on interrupt
[ba52e75718784fda1b683ee0bfded72a0b83b047]
power: supply: bq24190_charger: Install irq_handler_thread() at end of probe()
[d62acc5ef0621463446091ebd7a345e06e9ab80c]

Linus Lüssing (1):
batman-adv: Fix transmission of final, 16th fragment
[51c6b429c0c95e67edd1cb0b548c5cf6a6604763]

Long Li (3):
scsi: storvsc: properly handle SRB_ERROR when sense message is present
[bba5dc332ec2d3a685cb4dae668c793f6a3713a3]
scsi: storvsc: properly set residual data length on errors
[40630f462824ee24bc00d692865c86c3828094e0]
scsi: storvsc: use tagged SRB requests if supported by the device
[3cd6d3d9b1abab8dcdf0800224ce26daac24eea2]

Maciej S. Szmigiero (2):
w1: don't leak refcount on slave attach failure in w1_attach_slave_device()
[d2ce4ea1a0b0162e5d2d7e7942ab6f5cc2063d5a]
w1: ds2490: USB transfer buffers need to be DMAable
[61cd1b4cd1e8f7f7642ab64529d9bd52e8374641]

Majd Dibbiny (1):
net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs
[95f1ba9a24af9769f6e20dfe9a77c863f253f311]

Mantas M (1):
net: ipv6: check route protocol when deleting routes
[c2ed1880fd61a998e3ce40254a99a2ad000f1a7d]

Marc Kleine-Budde (1):
can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
[7c42631376306fb3f34d51fda546b50a9b6dd6ec]

Marc Zyngier (1):
arm/arm64: KVM: Enforce unconditional flush to PoC when mapping to stage-2
[8f36ebaf21fdae99c091c67e8b6fab33969f2667]

Marcin Niestroj (1):
iio: st_pressure: Fix data sign
[1b211d48abaa0e12e6e6177c0316ff55d11fdfce]

Martin Kaiser (1):
clk: samsung: mark s3c...._clk_sleep_init() as __init
[02c952c8f95fd0adf1835704db95215f57cfc8e6]

Mathias Svensson (1):
samples/seccomp: fix 64-bit comparison macros
[916cafdc95843fb9af5fd5f83ca499d75473d107]

Matt Chen (1):
mac80211: flush delayed work when entering suspend
[a9e9200d8661c1a0be8c39f93deb383dc940de35]

Matthias Schiffer (1):
vxlan: correctly validate VXLAN ID against VXLAN_N_VID
[4e37d6911f36545b286d15073f6f2222f840e81c]

Max Filippov (1):
xtensa: move parse_tag_fdt out of #ifdef CONFIG_BLK_DEV_INITRD
[4ab18701c66552944188dbcd0ce0012729baab84]

Michael Petlan (1):
perf script: Fix man page about --dump-raw-trace option
[5c64f99b1d030ce52acce53d83141d88f79e6362]

Michal Hocko (1):
mm/huge_memory.c: fix up "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" backport
[not upstream; fixes bug specific to the stable backport]

Michel Dänzer (1):
drm/ttm: Make sure BOs being swapped out are cacheable
[239ac65fa5ffab71adf66e642750f940e7241d99]

Miklos Szeredi (1):
fuse: add missing FR_FORCE
[2e38bea99a80eab408adee27f873a188d57b76cb]

Mimi Zohar (1):
KEYS: special dot prefixed keyring name bug fix
[a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d]

Minchan Kim (1):
mm: do not access page->mapping directly on page_endio
[dd8416c47715cf324c9a16f13273f9fda87acfed]

Mirko Parthey (1):
MIPS: BCM47XX: Fix button inversion for Asus WL-500W
[bdfdaf1a016ef09cb941f2edad485a713510b8d5]

Murray McAllister (1):
drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
[36274ab8c596f1240c606bb514da329add2a1bcd]

NeilBrown (1):
md: ensure md devices are freed before module is unloaded.
[9356863c9409efc79029c01a85d015efae977e69]

Nicholas Mc Guire (3):
ASoC: rt5640: use msleep() for long delays
[4a312c9c825adf74c0026c98fed4ab59ce190863]
clk: wm831x: fix usleep_range with bad range
[ed784c532a3d0959db488f40a96c5127f63d42dc]
drm/i915: relax uncritical udelay_range()
[15a43cbf4736a3932e6259fa7d6e47558f6222b0]

Nicolai Hähnle (1):
drm/ttm: fix use-after-free races in vm fault handling
[3089c1df10e2931b1d72d2ffa7d86431084c86b3]

Nikola Pajkovsky (1):
x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0
[68dee8e2f2cacc54d038394e70d22411dee89da2]

Omar Sandoval (2):
sbitmap: fix wakeup hang after sbq resize
[6c0ca7ae292adea09b8bdd33a524bb9326c3e989]
virtio-console: avoid DMA from stack
[c4baad50297d84bde1a7ad45e50c73adae4a2192]

Paul Burton (7):
MIPS: Calculate microMIPS ra properly when unwinding the stack
[bb9bc4689b9c635714fbcd5d335bad9934a7ebfc]
MIPS: Clear ISA bit correctly in get_frame_info()
[ccaf7caf2c73c6db920772bf08bf1d47b2170634]
MIPS: Fix get_frame_info() handling of microMIPS function size
[b6c7a324df37bf05ef7a2c1580683cf10d082d97]
MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions
[67c75057709a6d85c681c78b9b2f9b71191f01a2]
MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
[096a0de427ea333f56f0ee00328cff2a2731bcf1]
MIPS: Netlogic: Fix assembler warning from smpboot.S
[a8b3b0c94ac282628f0668d1366239a3fa72dc9d]
MIPS: Prevent unaligned accesses during stack unwinding
[a3552dace7d1d0cabf573e88fc3025cb90c4a601]

Peter Dunning (1):
sfc: do not device_attach if a reset is pending
[9c568fd8844ec3986eb19b0b5d97536243d10d46]

Peter Oberparleiter (1):
s390/chsc: Add exception handler for CHSC instruction
[77759137248f34864a8f7a58bbcebfcf1047504a]

Peter Rosin (3):
i2c: i2c-mux-gpio: rename i2c-gpio-mux to i2c-mux-gpio
[6b66a6f27e799d9441ef2c0b1e00913a6a070fa5]
iio: pressure: mpl115: do not rely on structure field ordering
[6a6e1d56a0769795a36c0461c64bf5e5b9bbb4c0]
iio: pressure: mpl3115: do not rely on structure field ordering
[9cf6cdba586ced75c69b8314b88b2d2f5ce9b3ed]

Peter Zijlstra (1):
locking/static_keys: Add static_key_{en,dis}able() helpers
[e33886b38cc82a9fc3b2d655dfc7f50467594138]

Ping-Ke Shih (1):
rtlwifi: Fix alignment issues
[40b368af4b750863b2cb66a3a9513241db2f0793]

Rafał Miłecki (1):
bcma: use (get|put)_device when probing/removing device driver
[a971df0b9d04674e325346c17de9a895425ca5e1]

Raghava Aditya Renukunta (2):
scsi: aacraid: Fix memory leak in fib init path
[1bff5abca65d4b9761fcc992ab6288243220003d]
scsi: aacraid: Reorder Adapter status check
[c421530bf848604e97d0785a03b3fe2c62775083]

Ralf Baechle (1):
MIPS: Fix special case in 64 bit IP checksumming.
[66fd848cadaa6be974a8c780fbeb328f0af4d3bd]

Randy Dunlap (2):
[media] media: fix dm1105.c build error
[e3bb3cddd177550d63a3e4909cf1a7782f13414d]
mm: fix <linux/pagemap.h> stray kernel-doc notation
[083fb8edda0487d192e8c117f625563b920cf7a4]

Ravi Bangoria (1):
powerpc/xmon: Fix data-breakpoint
[c21a493a2b44650707d06741601894329486f2ad]

Ravikumar Kattekola (1):
mmc: host: omap_hsmmc: avoid possible overflow of timeout value
[a53210f56d7f3f75d1edc1b3a069ddb87b72a919]

Ridge Kennedy (1):
l2tp: Avoid schedule while atomic in exit_net
[12d656af4e3d2781b9b9f52538593e1717e7c979]

Roman Mashak (1):
net sched actions: decrement module reference count after table flush.
[edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2]

Soramichi Akiyama (1):
perf evlist: Fix typo in perf_evlist__start_workload()
[e978be9ea2990f1af60fe10eadd2312a6250e0b8]

Steve Wise (1):
rdma_cm: fail iwarp accepts w/o connection params
[f2625f7db4dd0bbd16a9c7d2950e7621f9aa57ad]

Steven Rostedt (1):
ktest: Fix child exit code processing
[32677207dcc5e594254b7fb4fb2352b1755b1d5b]

Sven Eckelmann (1):
batman-adv: Fix double free during fragment merge error
[248e23b50e2da0753f3b5faa068939cbe9f8a75a]

Takashi Iwai (3):
ALSA: ctxfi: Fallback DMA mask to 32bit
[15c75b09f8d190f89ab4db463b87d411ca349dfe]
ALSA: seq: Fix link corruption by event error handling
[f3ac9f737603da80c2da3e84b89e74429836bb6d]
ALSA: timer: Reject user params with too small ticks
[71321eb3f2d0df4e6c327e0b936eec4458a12054]

Theodore Ts'o (7):
ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
[c755e251357a0cee0679081f08c3f4ba797a8009]
ext4: fix fencepost in s_first_meta_bg validation
[2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2]
ext4: fix inline data error paths
[eb5efbcb762aee4b454b04f7115f73ccbcf8f0ef]
ext4: preserve the needs_recovery flag when the journal is aborted
[97abd7d4b5d9c48ec15c425485f054e1c15e591b]
ext4: return EROFS if device is r/o and journal replay is needed
[4753d8a24d4588657bc0a4cd66d4e282dff15c8c]
ext4: use private version of page_zero_new_buffers() for data=journal mode
[b90197b655185a11640cce3a0a0bc5d8291b8ad2]
jbd2: don't leak modified metadata buffers on an aborted journal
[e112666b4959b25a8552d63bc564e1059be703e8]

Thomas Elste (1):
power: bq24190_charger: Change first_time flag reset condition
[cd054ee16580690830297dbda0abe9c184276d6a]

Thomas Gleixner (2):
goldfish: Sanitize the broken interrupt handler
[6cf18e6927c0b224f972e3042fb85770d63cb9f8]
x86/platform/goldfish: Prevent unconditional loading
[47512cfd0d7a8bd6ab71d01cd89fca19eb2093eb]

Trond Myklebust (3):
NFSv4: Fix memory and state leak in _nfs4_open_and_get_state
[a974deee477af89411e0f80456bfb344ac433c98]
NFSv4: Fix the underestimation of delegation XDR space reservation
[5a1f6d9e9b803003271b40b67786ff46fa4eda01]
nlm: Ensure callback code also checks that the files match
[251af29c320d86071664f02c76f0d063a19fefdf]

Vinayak Menon (1):
mm: vmpressure: fix sending wrong events on underflow
[e1587a4945408faa58d0485002c110eb2454740c]

Vitaly Kuznetsov (3):
Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
[c0bb03924f1a80e7f65900e36c8e6b3dc167c5f8]
hv: allocate synic pages for all present CPUs
[421b8f20d3c381b215f988b42428f56fc3b82405]
hv: init percpu_list in hv_synic_alloc()
[3c7630d35009e6635e5b58d62de554fd5b6db5df]

WANG Cong (1):
ipv6/dccp: do not inherit ipv6_mc_list from parent
[83eaddab4378db256d00d295bda6ca997cd13a52]

Weston Andros Adamson (1):
NFSv4: fix getacl ERANGE for some ACL buffer sizes
[ed92d8c137b7794c2c2aa14479298b9885967607]

Y.C. Chen (1):
drm/ast: Fix AST2400 POST failure without BMC FW or VBIOS
[3856081eede297b617560b85e948cfb00bb395ec]

Documentation/i2c/muxes/i2c-mux-gpio | 20 +--
Documentation/kernel-parameters.txt | 4 +
Makefile | 4 +-
arch/arm/include/asm/kvm_mmu.h | 3 +-
arch/arm64/include/asm/kvm_mmu.h | 3 +-
arch/mips/Makefile | 4 +-
arch/mips/bcm47xx/buttons.c | 10 +-
arch/mips/cavium-octeon/octeon-memcpy.S | 20 +--
arch/mips/configs/ip27_defconfig | 1 -
arch/mips/include/asm/checksum.h | 2 +
arch/mips/kernel/process.c | 153 +++++++++++++--------
arch/mips/netlogic/common/smpboot.S | 4 +-
arch/powerpc/kernel/hw_breakpoint.c | 4 +-
arch/s390/kvm/kvm-s390.c | 3 +
arch/x86/include/uapi/asm/hyperv.h | 2 +
arch/x86/kernel/pci-calgary_64.c | 2 +-
arch/x86/kvm/vmx.c | 2 +-
arch/x86/platform/goldfish/goldfish.c | 14 +-
arch/xtensa/kernel/setup.c | 4 +-
block/blk-mq-tag.c | 44 +++++--
crypto/ahash.c | 79 +++++++----
drivers/base/power/qos.c | 2 +-
drivers/bcma/main.c | 4 +
drivers/bluetooth/ath3k.c | 2 +
drivers/bluetooth/btusb.c | 1 +
drivers/char/virtio_console.c | 12 +-
drivers/clk/clk-wm831x.c | 3 +-
drivers/clk/hisilicon/clkgate-separated.c | 1 +
drivers/clk/samsung/clk-s3c2410.c | 4 +-
drivers/clk/samsung/clk-s3c2412.c | 4 +-
drivers/clk/samsung/clk-s3c2443.c | 4 +-
drivers/clk/samsung/clk-s3c64xx.c | 4 +-
drivers/clk/shmobile/clk-mstp.c | 6 +
drivers/cpufreq/s3c2416-cpufreq.c | 1 -
drivers/gpu/drm/ast/ast_post.c | 38 +++++-
drivers/gpu/drm/i915/intel_dsi_pll.c | 6 +-
drivers/gpu/drm/radeon/radeon_bios.c | 64 +++++----
drivers/gpu/drm/ttm/ttm_bo.c | 4 +-
drivers/gpu/drm/ttm/ttm_bo_vm.c | 12 ++
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 9 +-
drivers/hv/channel.c | 15 ++-
drivers/hv/channel_mgmt.c | 7 +-
drivers/hv/connection.c | 27 +++-
drivers/hv/hv.c | 10 +-
drivers/hv/hyperv_vmbus.h | 2 +-
drivers/i2c/busses/i2c-riic.c | 30 ++++-
drivers/iio/pressure/mpl115.c | 1 +
drivers/iio/pressure/mpl3115.c | 4 +-
drivers/iio/pressure/st_pressure_core.c | 8 +-
drivers/infiniband/core/cma.c | 3 +
drivers/infiniband/hw/mlx5/qp.c | 29 ++--
drivers/infiniband/hw/mlx5/srq.c | 11 +-
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 14 +-
drivers/infiniband/ulp/ipoib/ipoib_main.c | 21 +--
drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 10 +-
drivers/iommu/intel-iommu.c | 2 +-
drivers/md/dm-cache-target.c | 6 +-
drivers/md/linear.c | 29 +++-
drivers/md/linear.h | 1 +
drivers/md/md.c | 7 +
drivers/media/i2c/adv7604.c | 3 +
drivers/media/pci/dm1105/Kconfig | 2 +-
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 9 +-
drivers/media/usb/uvc/uvc_queue.c | 2 +-
drivers/mmc/host/omap_hsmmc.c | 7 +-
drivers/net/can/usb/usb_8dev.c | 9 +-
drivers/net/ethernet/broadcom/bgmac.c | 6 +-
drivers/net/ethernet/mellanox/mlx4/cmd.c | 22 +++-
drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 6 +-
drivers/net/ethernet/mellanox/mlx4/en_rx.c | 8 +-
drivers/net/ethernet/mellanox/mlx4/main.c | 2 -
drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 3 +-
drivers/net/ethernet/sfc/efx.c | 10 +-
drivers/net/ethernet/sfc/efx.h | 6 +
drivers/net/ethernet/sfc/selftest.c | 2 +-
drivers/net/vxlan.c | 2 +-
drivers/net/wireless/adm8211.c | 3 +-
drivers/net/wireless/ath/ath5k/mac80211-ops.c | 3 +-
drivers/net/wireless/ath/ath9k/ar9003_eeprom.h | 4 +-
drivers/net/wireless/ath/ath9k/ath9k.h | 1 +
drivers/net/wireless/ath/ath9k/init.c | 1 +
drivers/net/wireless/ath/ath9k/mac.c | 44 +++++--
drivers/net/wireless/ath/ath9k/mac.h | 1 +
drivers/net/wireless/ath/ath9k/main.c | 27 ++--
drivers/net/wireless/iwlwifi/mvm/rs.c | 4 +-
drivers/net/wireless/mwifiex/debugfs.c | 3 +-
drivers/net/wireless/mwifiex/sta_ioctl.c | 2 -
drivers/platform/goldfish/pdev_bus.c | 13 +-
drivers/platform/x86/acer-wmi.c | 22 +++-
drivers/power/bq24190_charger.c | 175 ++++++++++---------------
drivers/s390/cio/ioasm.h | 8 +-
drivers/s390/cio/qdio_thinint.c | 8 +-
drivers/scsi/aacraid/commsup.c | 36 ++---
drivers/scsi/aacraid/src.c | 21 ++-
drivers/scsi/storvsc_drv.c | 37 +++++-
drivers/staging/rtl8188eu/core/rtw_recv.c | 4 +
drivers/staging/rtl8192ee/rtl8192ee/hw.c | 2 +-
drivers/staging/rtl8712/rtl871x_recv.c | 7 +-
drivers/staging/rtl8821ae/rtl8821ae/hw.c | 2 +-
drivers/staging/wlan-ng/p80211netdev.c | 2 +-
drivers/tty/serial/8250/8250_pci.c | 36 +++--
drivers/tty/serial/msm_serial.c | 1 +
drivers/usb/dwc3/gadget.c | 6 +
drivers/usb/gadget/f_hid.c | 101 ++++++++++----
drivers/usb/gadget/f_midi.c | 6 -
drivers/usb/gadget/f_sourcesink.c | 6 -
drivers/usb/gadget/g_zero.h | 1 -
drivers/usb/gadget/u_f.c | 1 -
drivers/usb/gadget/u_f.h | 10 +-
drivers/usb/misc/adutux.c | 4 -
drivers/usb/misc/iowarrior.c | 13 +-
drivers/usb/serial/ark3116.c | 38 ++++--
drivers/usb/serial/ch341.c | 27 ++--
drivers/usb/serial/cp210x.c | 2 +
drivers/usb/serial/digi_acceleport.c | 52 +++++---
drivers/usb/serial/ftdi_sio.c | 38 ++++--
drivers/usb/serial/io_edgeport.c | 48 ++++---
drivers/usb/serial/io_ti.c | 2 +-
drivers/usb/serial/keyspan_pda.c | 19 ++-
drivers/usb/serial/mct_u232.c | 6 +-
drivers/usb/serial/mos7840.c | 4 +-
drivers/usb/serial/omninet.c | 6 -
drivers/usb/serial/opticon.c | 2 +-
drivers/usb/serial/quatech2.c | 24 ++--
drivers/usb/serial/sierra.c | 28 +---
drivers/usb/serial/spcp8x5.c | 8 +-
drivers/usb/serial/ssu100.c | 31 ++++-
drivers/usb/serial/ti_usb_3410_5052.c | 12 +-
drivers/w1/masters/ds2490.c | 141 ++++++++++++--------
drivers/w1/w1.c | 1 +
fs/ext4/inline.c | 75 +++++------
fs/ext4/inode.c | 69 ++++++++--
fs/ext4/mballoc.c | 7 +
fs/ext4/super.c | 11 +-
fs/ext4/xattr.c | 35 ++---
fs/ext4/xattr.h | 32 +++++
fs/f2fs/f2fs.h | 3 +
fs/f2fs/gc.c | 28 +++-
fs/f2fs/segment.c | 13 +-
fs/f2fs/segment.h | 9 ++
fs/fuse/file.c | 1 +
fs/jbd2/transaction.c | 4 +-
fs/nfs/nfs4proc.c | 10 +-
fs/nfs/nfs4xdr.c | 4 +-
fs/nfsd/nfs3xdr.c | 12 +-
fs/nfsd/nfssvc.c | 36 +++++
fs/nfsd/nfsxdr.c | 10 +-
fs/nfsd/vfs.c | 63 ++++++---
include/crypto/internal/hash.h | 10 ++
include/linux/jump_label.h | 20 +++
include/linux/lockd/lockd.h | 3 +-
include/linux/mlx4/cmd.h | 2 +-
include/linux/mlx4/driver.h | 10 ++
include/linux/pagemap.h | 1 -
include/linux/ww_mutex.h | 8 +-
include/rdma/ib_sa.h | 6 +-
kernel/sched/core.c | 6 +-
kernel/trace/trace.c | 2 +-
mm/filemap.c | 7 +-
mm/huge_memory.c | 2 +-
mm/mempolicy.c | 20 ++-
mm/page_alloc.c | 2 +-
mm/vmpressure.c | 10 +-
net/batman-adv/fragmentation.c | 16 ++-
net/core/dev.c | 35 ++++-
net/dccp/ipv4.c | 6 +
net/dccp/ipv6.c | 12 ++
net/ipv4/inet_connection_sock.c | 2 +
net/ipv4/ping.c | 5 +-
net/ipv4/route.c | 1 +
net/ipv4/tcp_minisocks.c | 3 +-
net/ipv6/ip6_offload.c | 7 +-
net/ipv6/ip6_output.c | 20 +--
net/ipv6/output_core.c | 14 +-
net/ipv6/route.c | 2 +
net/ipv6/tcp_ipv6.c | 2 +
net/ipv6/udp_offload.c | 6 +-
net/ipx/af_ipx.c | 5 +-
net/l2tp/l2tp_core.c | 4 +-
net/mac80211/pm.c | 1 +
net/packet/af_packet.c | 8 +-
net/sched/act_api.c | 5 +-
net/sctp/ipv6.c | 3 +
net/xfrm/xfrm_user.c | 9 +-
samples/seccomp/bpf-helper.h | 125 ++++++++++--------
security/keys/encrypted-keys/encrypted.c | 2 +-
security/keys/keyctl.c | 24 ++--
security/keys/process_keys.c | 44 ++++---
sound/core/seq/seq_fifo.c | 3 +
sound/core/timer.c | 18 ++-
sound/pci/ctxfi/cthw20k1.c | 19 +--
sound/pci/ctxfi/cthw20k2.c | 18 +--
sound/soc/codecs/rt5640.c | 4 +-
tools/perf/Documentation/perf-script.txt | 4 +-
tools/perf/tests/parse-events.c | 6 +-
tools/perf/util/evlist.c | 2 +-
tools/testing/ktest/ktest.pl | 2 +-
197 files changed, 1917 insertions(+), 1054 deletions(-)

--
Ben Hutchings
The most exhausting thing in life is being insincere. - Anne Morrow Lindberg


2017-06-01 15:44:24

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 002/212] drm/i915: relax uncritical udelay_range()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <[email protected]>

commit 15a43cbf4736a3932e6259fa7d6e47558f6222b0 upstream.

udelay_range(1, 2) is inefficient and as discussions with Jani Nikula
<[email protected]> unnecessary here. This replaces this
tight setting with a relaxed delay of min=20 and max=50 which helps
the hrtimer subsystem optimize timer handling.

Fixes: commit be4fc046bed3 ("drm/i915: add VLV DSI PLL Calculations")
Link: http://lkml.org/lkml/2016/12/15/147
Signed-off-by: Nicholas Mc Guire <[email protected]>
Reviewed-by: Jani Nikula <[email protected]>
Signed-off-by: Jani Nikula <[email protected]>
Link: http://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/i915/intel_dsi_pll.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/i915/intel_dsi_pll.c
+++ b/drivers/gpu/drm/i915/intel_dsi_pll.c
@@ -265,8 +265,10 @@ void vlv_enable_dsi_pll(struct intel_enc

vlv_configure_dsi_pll(encoder);

- /* wait at least 0.5 us after ungating before enabling VCO */
- usleep_range(1, 10);
+ /* wait at least 0.5 us after ungating before enabling VCO,
+ * allow hrtimer subsystem optimization by relaxing timing
+ */
+ usleep_range(10, 50);

tmp = vlv_cck_read(dev_priv, CCK_REG_DSI_PLL_CONTROL);
tmp |= DSI_PLL_VCO_EN;

2017-06-01 15:44:31

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 012/212] MIPS: Netlogic: Fix assembler warning from smpboot.S

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Burton <[email protected]>

commit a8b3b0c94ac282628f0668d1366239a3fa72dc9d upstream.

The netlogic platform can be built for either MIPS32 or MIPS64, and when
built for MIPS32 (as by nlm_xlr_defconfig) the use of the dla
pseudo-instruction leads to warnings such as the following from recent
versions of the GNU assembler:

arch/mips/netlogic/common/smpboot.S: Assembler messages:
arch/mips/netlogic/common/smpboot.S:62: Warning: dla used to load 32-bit register; recommend using la instead
arch/mips/netlogic/common/smpboot.S:63: Warning: dla used to load 32-bit register; recommend using la instead

Avoid these warnings by using the PTR_LA macro to make use of the
appropriate la or dla pseudo-instruction for the build.

Signed-off-by: Paul Burton <[email protected]>
Fixes: 66d29985fab8 ("MIPS: Netlogic: Merge some of XLR/XLP wakup code")
Cc: James Hogan <[email protected]>
Cc: Jayachandran C <[email protected]>
Cc: [email protected]
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/14185/
Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/netlogic/common/smpboot.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/mips/netlogic/common/smpboot.S
+++ b/arch/mips/netlogic/common/smpboot.S
@@ -61,8 +61,8 @@ NESTED(xlp_boot_core0_siblings, PT_SIZE,
sync
/* find the location to which nlm_boot_siblings was relocated */
li t0, CKSEG1ADDR(RESET_VEC_PHYS)
- dla t1, nlm_reset_entry
- dla t2, nlm_boot_siblings
+ PTR_LA t1, nlm_reset_entry
+ PTR_LA t2, nlm_boot_siblings
dsubu t2, t1
daddu t2, t0
/* call it */

2017-06-01 15:44:51

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 061/212] power: bq24190_charger: Change first_time flag reset condition

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Elste <[email protected]>

commit cd054ee16580690830297dbda0abe9c184276d6a upstream.

The initial register reset of BQ24190 generates a charger status change
whose propagation via power_supply_changed is prevented using a flag.
This flag gets never reset so all following events are ignored as well
leading for example to userspace not detecting charger connects/disconnects.

Therefor change the reset condition of first_time flag, so only the
propagation of the first charger status change is prevented.

Signed-off-by: Thomas Elste <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/power/bq24190_charger.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/power/bq24190_charger.c
+++ b/drivers/power/bq24190_charger.c
@@ -1268,10 +1268,13 @@ static irqreturn_t bq24190_irq_handler_t
* register reset so we should ignore that one (the very first
* interrupt received).
*/
- if (alert_userspace && !bdi->first_time) {
- power_supply_changed(&bdi->charger);
- power_supply_changed(&bdi->battery);
- bdi->first_time = false;
+ if (alert_userspace) {
+ if (!bdi->first_time) {
+ power_supply_changed(&bdi->charger);
+ power_supply_changed(&bdi->battery);
+ } else {
+ bdi->first_time = false;
+ }
}

out:

2017-06-01 15:45:10

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 082/212] ext4: fix data corruption in data=journal mode

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara <[email protected]>

commit 3b136499e906460919f0d21a49db1aaccf0ae963 upstream.

ext4_journalled_write_end() did not propely handle all the cases when
generic_perform_write() did not copy all the data into the target page
and could mark buffers with uninitialized contents as uptodate and dirty
leading to possible data corruption (which would be quickly fixed by
generic_perform_write() retrying the write but still). Fix the problem
by carefully handling the case when the page that is written to is not
uptodate.

Reported-by: Al Viro <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/inode.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -1171,7 +1171,9 @@ errout:
* set the buffer to be dirty, since in data=journalled mode we need
* to call ext4_handle_dirty_metadata() instead.
*/
-static void zero_new_buffers(struct page *page, unsigned from, unsigned to)
+static void ext4_journalled_zero_new_buffers(handle_t *handle,
+ struct page *page,
+ unsigned from, unsigned to)
{
unsigned int block_start = 0, block_end;
struct buffer_head *head, *bh;
@@ -1188,7 +1190,7 @@ static void zero_new_buffers(struct page
size = min(to, block_end) - start;

zero_user(page, start, size);
- set_buffer_uptodate(bh);
+ write_end_fn(handle, bh);
}
clear_buffer_new(bh);
}
@@ -1219,15 +1221,16 @@ static int ext4_journalled_write_end(str
if (ext4_has_inline_data(inode))
copied = ext4_write_inline_data_end(inode, pos, len,
copied, page);
- else {
- if (copied < len) {
- if (!PageUptodate(page))
- copied = 0;
- zero_new_buffers(page, from+copied, to);
- }
-
+ else if (unlikely(copied < len) && !PageUptodate(page)) {
+ copied = 0;
+ ext4_journalled_zero_new_buffers(handle, page, from, to);
+ } else {
+ if (unlikely(copied < len))
+ ext4_journalled_zero_new_buffers(handle, page,
+ from + copied, to);
ret = ext4_walk_page_buffers(handle, page_buffers(page), from,
- to, &partial, write_end_fn);
+ from + copied, &partial,
+ write_end_fn);
if (!partial)
SetPageUptodate(page);
}

2017-06-01 15:44:56

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 063/212] power: supply: bq24190_charger: Don't read fault register outside irq_handle_thread()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liam Breck <[email protected]>

commit 68abfb8015832ddf728b911769659468efaf8bd9 upstream.

Caching the fault register after a single I2C read may not keep an accurate
value.

Fix by doing two reads in irq_handle_thread() and using the cached value
elsewhere. If a safety timer fault later clears itself, we apparently don't get
an interrupt (INT), however other interrupts would refresh the register cache.

=46romthe data sheet: "When a fault occurs, the charger device sends out INT
and keeps the fault state in REG09 until the host reads the fault register.
Before the host reads REG09 and all the faults are cleared, the charger
device would not send any INT upon new faults. In order to read the
current fault status, the host has to read REG09 two times consecutively.
The 1st reads fault register status from the last read [1] and the 2nd reads
the current fault register status."

[1] presumably a typo; should be "last fault"

Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
Signed-off-by: Liam Breck <[email protected]>
Acked-by: Mark Greer <[email protected]>
Acked-by: Tony Lindgren <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/power/bq24190_charger.c | 94 ++++++++++------------------------
1 file changed, 27 insertions(+), 67 deletions(-)

--- a/drivers/power/bq24190_charger.c
+++ b/drivers/power/bq24190_charger.c
@@ -144,10 +144,7 @@
* so the first read after a fault returns the latched value and subsequent
* reads return the current value. In order to return the fault status
* to the user, have the interrupt handler save the reg's value and retrieve
- * it in the appropriate health/status routine. Each routine has its own
- * flag indicating whether it should use the value stored by the last run
- * of the interrupt handler or do an actual reg read. That way each routine
- * can report back whatever fault may have occured.
+ * it in the appropriate health/status routine.
*/
struct bq24190_dev_info {
struct i2c_client *client;
@@ -159,9 +156,6 @@ struct bq24190_dev_info {
unsigned int gpio_int;
unsigned int irq;
struct mutex f_reg_lock;
- bool charger_health_valid;
- bool battery_health_valid;
- bool battery_status_valid;
u8 f_reg;
u8 ss_reg;
u8 watchdog;
@@ -637,21 +631,11 @@ static int bq24190_charger_get_health(st
union power_supply_propval *val)
{
u8 v;
- int health, ret;
+ int health;

mutex_lock(&bdi->f_reg_lock);
-
- if (bdi->charger_health_valid) {
- v = bdi->f_reg;
- bdi->charger_health_valid = false;
- mutex_unlock(&bdi->f_reg_lock);
- } else {
- mutex_unlock(&bdi->f_reg_lock);
-
- ret = bq24190_read(bdi, BQ24190_REG_F, &v);
- if (ret < 0)
- return ret;
- }
+ v = bdi->f_reg;
+ mutex_unlock(&bdi->f_reg_lock);

if (v & BQ24190_REG_F_BOOST_FAULT_MASK) {
/*
@@ -943,18 +927,8 @@ static int bq24190_battery_get_status(st
int status, ret;

mutex_lock(&bdi->f_reg_lock);
-
- if (bdi->battery_status_valid) {
- chrg_fault = bdi->f_reg;
- bdi->battery_status_valid = false;
- mutex_unlock(&bdi->f_reg_lock);
- } else {
- mutex_unlock(&bdi->f_reg_lock);
-
- ret = bq24190_read(bdi, BQ24190_REG_F, &chrg_fault);
- if (ret < 0)
- return ret;
- }
+ chrg_fault = bdi->f_reg;
+ mutex_unlock(&bdi->f_reg_lock);

chrg_fault &= BQ24190_REG_F_CHRG_FAULT_MASK;
chrg_fault >>= BQ24190_REG_F_CHRG_FAULT_SHIFT;
@@ -1002,21 +976,11 @@ static int bq24190_battery_get_health(st
union power_supply_propval *val)
{
u8 v;
- int health, ret;
+ int health;

mutex_lock(&bdi->f_reg_lock);
-
- if (bdi->battery_health_valid) {
- v = bdi->f_reg;
- bdi->battery_health_valid = false;
- mutex_unlock(&bdi->f_reg_lock);
- } else {
- mutex_unlock(&bdi->f_reg_lock);
-
- ret = bq24190_read(bdi, BQ24190_REG_F, &v);
- if (ret < 0)
- return ret;
- }
+ v = bdi->f_reg;
+ mutex_unlock(&bdi->f_reg_lock);

if (v & BQ24190_REG_F_BAT_FAULT_MASK) {
health = POWER_SUPPLY_HEALTH_OVERVOLTAGE;
@@ -1211,7 +1175,7 @@ static irqreturn_t bq24190_irq_handler_t
| BQ24190_REG_F_NTC_FAULT_MASK;
bool alert_charger = false, alert_battery = false;
u8 ss_reg = 0, f_reg = 0;
- int ret;
+ int i, ret;

pm_runtime_get_sync(bdi->dev);

@@ -1241,33 +1205,35 @@ static irqreturn_t bq24190_irq_handler_t
alert_battery = true;
if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss))
alert_charger = true;
-
bdi->ss_reg = ss_reg;
}

- mutex_lock(&bdi->f_reg_lock);
-
- ret = bq24190_read(bdi, BQ24190_REG_F, &f_reg);
- if (ret < 0) {
- mutex_unlock(&bdi->f_reg_lock);
- dev_err(bdi->dev, "Can't read F reg: %d\n", ret);
- goto out;
- }
+ i = 0;
+ do {
+ ret = bq24190_read(bdi, BQ24190_REG_F, &f_reg);
+ if (ret < 0) {
+ dev_err(bdi->dev, "Can't read F reg: %d\n", ret);
+ goto out;
+ }
+ } while (f_reg && ++i < 2);

if (f_reg != bdi->f_reg) {
+ dev_info(bdi->dev,
+ "Fault: boost %d, charge %d, battery %d, ntc %d\n",
+ !!(f_reg & BQ24190_REG_F_BOOST_FAULT_MASK),
+ !!(f_reg & BQ24190_REG_F_CHRG_FAULT_MASK),
+ !!(f_reg & BQ24190_REG_F_BAT_FAULT_MASK),
+ !!(f_reg & BQ24190_REG_F_NTC_FAULT_MASK));
+
+ mutex_lock(&bdi->f_reg_lock);
if ((bdi->f_reg & battery_mask_f) != (f_reg & battery_mask_f))
alert_battery = true;
if ((bdi->f_reg & ~battery_mask_f) != (f_reg & ~battery_mask_f))
alert_charger = true;
-
bdi->f_reg = f_reg;
- bdi->charger_health_valid = true;
- bdi->battery_health_valid = true;
- bdi->battery_status_valid = true;
+ mutex_unlock(&bdi->f_reg_lock);
}

- mutex_unlock(&bdi->f_reg_lock);
-
if (alert_charger)
power_supply_changed(&bdi->charger);
if (alert_battery)
@@ -1386,9 +1352,6 @@ static int bq24190_probe(struct i2c_clie
mutex_init(&bdi->f_reg_lock);
bdi->f_reg = 0;
bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
- bdi->charger_health_valid = false;
- bdi->battery_health_valid = false;
- bdi->battery_status_valid = false;

i2c_set_clientdata(client, bdi);

@@ -1497,9 +1460,6 @@ static int bq24190_pm_resume(struct devi

bdi->f_reg = 0;
bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
- bdi->charger_health_valid = false;
- bdi->battery_health_valid = false;
- bdi->battery_status_valid = false;

pm_runtime_get_sync(bdi->dev);
bq24190_register_reset(bdi);

2017-06-01 15:45:02

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 084/212] [media] adv7604: Initialize drive strength to default when using DT

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Lars-Peter Clausen <[email protected]>

commit da8892d410db224d9a24104529794e6e37e0c100 upstream.

The adv7604 driver platform data contains fields for configuring the drive
strength of the output pins. When probing the driver through DT these
fields are not explicitly initialized, which means they are left at 0. This
is a reserved setting for the drive strength configuration though and can
cause signal integrity issues.

Whether these signal integrity issues are visible depends on the PCB
specifics (e.g. the higher the load capacitance for the output the more
visible the issue). But it has been observed on existing solutions at high
pixel clock rates.

Initialize the drive strength settings to the power-on-reset value of the
device when probing through devicetree to avoid this issue.

Fixes: 0e158be0162b ("adv7604: Add DT support")

Signed-off-by: Lars-Peter Clausen <[email protected]>
Reviewed-by: Laurent Pinchart <[email protected]>
Tested-by: Niklas Söderlund <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/i2c/adv7604.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -2735,6 +2735,9 @@ static int adv7604_parse_dt(struct adv76
state->pdata.alt_data_sat = 1;
state->pdata.op_format_mode_sel = ADV7604_OP_FORMAT_MODE0;
state->pdata.bus_order = ADV7604_BUS_ORDER_RGB;
+ state->pdata.dr_str_data = ADV76XX_DR_STR_MEDIUM_HIGH;
+ state->pdata.dr_str_clk = ADV76XX_DR_STR_MEDIUM_HIGH;
+ state->pdata.dr_str_sync = ADV76XX_DR_STR_MEDIUM_HIGH;

return 0;
}

2017-06-01 15:45:27

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 149/212] rdma_cm: fail iwarp accepts w/o connection params

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Steve Wise <[email protected]>

commit f2625f7db4dd0bbd16a9c7d2950e7621f9aa57ad upstream.

cma_accept_iw() needs to return an error if conn_params is NULL.
Since this is coming from user space, we can crash.

Reported-by: Shaobo He <[email protected]>
Acked-by: Sean Hefty <[email protected]>
Signed-off-by: Steve Wise <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/core/cma.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -2952,6 +2952,9 @@ static int cma_accept_iw(struct rdma_id_
struct iw_cm_conn_param iw_param;
int ret;

+ if (!conn_param)
+ return -EINVAL;
+
ret = cma_modify_qp_rtr(id_priv, conn_param);
if (ret)
return ret;

2017-06-01 15:45:00

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 108/212] NFSv4: Fix memory and state leak in _nfs4_open_and_get_state

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <[email protected]>

commit a974deee477af89411e0f80456bfb344ac433c98 upstream.

If we exit because the file access check failed, we currently
leak the struct nfs4_state. We need to attach it to the
open context before returning.

Fixes: 3efb9722475e ("NFSv4: Refactor _nfs4_open_and_get_state..")
Signed-off-by: Trond Myklebust <[email protected]>
Signed-off-by: Anna Schumaker <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfs/nfs4proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -2233,6 +2233,7 @@ static int _nfs4_open_and_get_state(stru
ret = PTR_ERR(state);
if (IS_ERR(state))
goto out;
+ ctx->state = state;
if (server->caps & NFS_CAP_POSIX_LOCK)
set_bit(NFS_STATE_POSIX_LOCKS, &state->flags);

@@ -2255,7 +2256,6 @@ static int _nfs4_open_and_get_state(stru
if (ret != 0)
goto out;

- ctx->state = state;
if (dentry->d_inode == state->inode) {
nfs_inode_attach_open_context(ctx);
if (read_seqcount_retry(&sp->so_reclaim_seqcount, seq))

2017-06-01 15:45:35

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 179/212] can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marc Kleine-Budde <[email protected]>

commit 7c42631376306fb3f34d51fda546b50a9b6dd6ec upstream.

The priv->cmd_msg_buffer is allocated in the probe function, but never
kfree()ed. This patch converts the kzalloc() to resource-managed
kzalloc.

Signed-off-by: Marc Kleine-Budde <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/can/usb/usb_8dev.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)

--- a/drivers/net/can/usb/usb_8dev.c
+++ b/drivers/net/can/usb/usb_8dev.c
@@ -957,8 +957,8 @@ static int usb_8dev_probe(struct usb_int
for (i = 0; i < MAX_TX_URBS; i++)
priv->tx_contexts[i].echo_index = MAX_TX_URBS;

- priv->cmd_msg_buffer = kzalloc(sizeof(struct usb_8dev_cmd_msg),
- GFP_KERNEL);
+ priv->cmd_msg_buffer = devm_kzalloc(&intf->dev, sizeof(struct usb_8dev_cmd_msg),
+ GFP_KERNEL);
if (!priv->cmd_msg_buffer)
goto cleanup_candev;

@@ -972,7 +972,7 @@ static int usb_8dev_probe(struct usb_int
if (err) {
netdev_err(netdev,
"couldn't register CAN device: %d\n", err);
- goto cleanup_cmd_msg_buffer;
+ goto cleanup_candev;
}

err = usb_8dev_cmd_version(priv, &version);
@@ -993,9 +993,6 @@ static int usb_8dev_probe(struct usb_int
cleanup_unregister_candev:
unregister_netdev(priv->netdev);

-cleanup_cmd_msg_buffer:
- kfree(priv->cmd_msg_buffer);
-
cleanup_candev:
free_candev(netdev);


2017-06-01 15:45:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 164/212] vxlan: correctly validate VXLAN ID against VXLAN_N_VID

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Matthias Schiffer <[email protected]>

commit 4e37d6911f36545b286d15073f6f2222f840e81c upstream.

The incorrect check caused an off-by-one error: the maximum VID 0xffffff
was unusable.

Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
Signed-off-by: Matthias Schiffer <[email protected]>
Acked-by: Jiri Benc <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/vxlan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2326,7 +2326,7 @@ static int vxlan_validate(struct nlattr

if (data[IFLA_VXLAN_ID]) {
__u32 id = nla_get_u32(data[IFLA_VXLAN_ID]);
- if (id >= VXLAN_VID_MASK)
+ if (id >= VXLAN_N_VID)
return -ERANGE;
}


2017-06-01 15:45:39

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 176/212] xtensa: move parse_tag_fdt out of #ifdef CONFIG_BLK_DEV_INITRD

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Max Filippov <[email protected]>

commit 4ab18701c66552944188dbcd0ce0012729baab84 upstream.

FDT tag parsing is not related to whether BLK_DEV_INITRD is configured
or not, move it out of the corresponding #ifdef/#endif block.
This fixes passing external FDT to the kernel configured w/o
BLK_DEV_INITRD support.

Signed-off-by: Max Filippov <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/xtensa/kernel/setup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/xtensa/kernel/setup.c
+++ b/arch/xtensa/kernel/setup.c
@@ -133,6 +133,8 @@ static int __init parse_tag_initrd(const

__tagtable(BP_TAG_INITRD, parse_tag_initrd);

+#endif /* CONFIG_BLK_DEV_INITRD */
+
#ifdef CONFIG_OF

static int __init parse_tag_fdt(const bp_tag_t *tag)
@@ -145,8 +147,6 @@ __tagtable(BP_TAG_FDT, parse_tag_fdt);

#endif /* CONFIG_OF */

-#endif /* CONFIG_BLK_DEV_INITRD */
-
static int __init parse_tag_cmdline(const bp_tag_t* tag)
{
strlcpy(command_line, (char *)(tag->data), COMMAND_LINE_SIZE);

2017-06-01 15:45:37

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 211/212] ipv6/dccp: do not inherit ipv6_mc_list from parent

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: WANG Cong <[email protected]>

commit 83eaddab4378db256d00d295bda6ca997cd13a52 upstream.

Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
we should clear ipv6_mc_list etc. for IPv6 sockets too.

Cc: Eric Dumazet <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/dccp/ipv6.c | 6 ++++++
net/ipv6/tcp_ipv6.c | 2 ++
2 files changed, 8 insertions(+)

--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -486,6 +486,9 @@ static struct sock *dccp_v6_request_recv
newsk->sk_backlog_rcv = dccp_v4_do_rcv;
newnp->pktoptions = NULL;
newnp->opt = NULL;
+ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;
newnp->mcast_oif = inet6_iif(skb);
newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;

@@ -561,6 +564,9 @@ static struct sock *dccp_v6_request_recv
/* Clone RX bits */
newnp->rxopt.all = np->rxopt.all;

+ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;
/* Clone pktoptions received with SYN */
newnp->pktoptions = NULL;
if (ireq->pktopts != NULL) {
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1177,6 +1177,7 @@ static struct sock *tcp_v6_syn_recv_sock
newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
#endif

+ newnp->ipv6_mc_list = NULL;
newnp->ipv6_ac_list = NULL;
newnp->ipv6_fl_list = NULL;
newnp->pktoptions = NULL;
@@ -1246,6 +1247,7 @@ static struct sock *tcp_v6_syn_recv_sock
First: no IPv4 options.
*/
newinet->inet_opt = NULL;
+ newnp->ipv6_mc_list = NULL;
newnp->ipv6_ac_list = NULL;
newnp->ipv6_fl_list = NULL;


2017-06-01 15:45:36

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 207/212] USB: serial: omninet: fix reference leaks at open

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 30572418b445d85fcfe6c8fe84c947d2606767d8 upstream.

This driver needlessly took another reference to the tty on open, a
reference which was then never released on close. This lead to not just
a leak of the tty, but also a driver reference leak that prevented the
driver from being unloaded after a port had once been opened.

Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/omninet.c | 6 ------
1 file changed, 6 deletions(-)

--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -142,12 +142,6 @@ static int omninet_port_remove(struct us

static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port)
{
- struct usb_serial *serial = port->serial;
- struct usb_serial_port *wport;
-
- wport = serial->port[1];
- tty_port_tty_set(&wport->port, tty);
-
return usb_serial_generic_open(tty, port);
}


2017-06-01 15:45:33

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 190/212] net/packet: fix overflow in check for priv area size

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Konovalov <[email protected]>

commit 2b6867c2ce76c596676bec7d2d525af525fdc6e2 upstream.

Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less then the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/packet/af_packet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3842,8 +3842,8 @@ static int packet_set_ring(struct sock *
if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
goto out;
if (po->tp_version >= TPACKET_V3 &&
- (int)(req->tp_block_size -
- BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
+ req->tp_block_size <=
+ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
goto out;
if (unlikely(req->tp_frame_size < po->tp_hdrlen +
po->tp_reserve))

2017-06-01 15:46:52

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 173/212] ALSA: ctxfi: Fallback DMA mask to 32bit

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit 15c75b09f8d190f89ab4db463b87d411ca349dfe upstream.

Currently ctxfi driver tries to set only the 64bit DMA mask on 64bit
architectures, and bails out if it fails. This causes a problem on
some platforms since the 64bit DMA isn't always guaranteed. We should
fall back to the default 32bit DMA when 64bit DMA fails.

Fixes: 6d74b86d3c0f ("ALSA: ctxfi - Allow 64bit DMA")
Signed-off-by: Takashi Iwai <[email protected]>
[bwh: Backported to 3.16:
- Old code was using PCI DMA mask functions
- Deleted error message was different]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/sound/pci/ctxfi/cthw20k1.c
+++ b/sound/pci/ctxfi/cthw20k1.c
@@ -27,12 +27,6 @@
#include "cthw20k1.h"
#include "ct20k1reg.h"

-#if BITS_PER_LONG == 32
-#define CT_XFI_DMA_MASK DMA_BIT_MASK(32) /* 32 bit PTE */
-#else
-#define CT_XFI_DMA_MASK DMA_BIT_MASK(64) /* 64 bit PTE */
-#endif
-
struct hw20k1 {
struct hw hw;
spinlock_t reg_20k1_lock;
@@ -1903,19 +1897,18 @@ static int hw_card_start(struct hw *hw)
{
int err;
struct pci_dev *pci = hw->pci;
+ const unsigned int dma_bits = BITS_PER_LONG;

err = pci_enable_device(pci);
if (err < 0)
return err;

/* Set DMA transfer mask */
- if (pci_set_dma_mask(pci, CT_XFI_DMA_MASK) < 0 ||
- pci_set_consistent_dma_mask(pci, CT_XFI_DMA_MASK) < 0) {
- printk(KERN_ERR "architecture does not support PCI "
- "busmaster DMA with mask 0x%llx\n",
- CT_XFI_DMA_MASK);
- err = -ENXIO;
- goto error1;
+ if (dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
+ dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits));
+ } else {
+ dma_set_mask(&pci->dev, DMA_BIT_MASK(32));
+ dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(32));
}

if (!hw->io_base) {
--- a/sound/pci/ctxfi/cthw20k2.c
+++ b/sound/pci/ctxfi/cthw20k2.c
@@ -26,12 +26,6 @@
#include "cthw20k2.h"
#include "ct20k2reg.h"

-#if BITS_PER_LONG == 32
-#define CT_XFI_DMA_MASK DMA_BIT_MASK(32) /* 32 bit PTE */
-#else
-#define CT_XFI_DMA_MASK DMA_BIT_MASK(64) /* 64 bit PTE */
-#endif
-
struct hw20k2 {
struct hw hw;
/* for i2c */
@@ -2026,18 +2020,18 @@ static int hw_card_start(struct hw *hw)
int err = 0;
struct pci_dev *pci = hw->pci;
unsigned int gctl;
+ const unsigned int dma_bits = BITS_PER_LONG;

err = pci_enable_device(pci);
if (err < 0)
return err;

/* Set DMA transfer mask */
- if (pci_set_dma_mask(pci, CT_XFI_DMA_MASK) < 0 ||
- pci_set_consistent_dma_mask(pci, CT_XFI_DMA_MASK) < 0) {
- printk(KERN_ERR "ctxfi: architecture does not support PCI "
- "busmaster DMA with mask 0x%llx\n", CT_XFI_DMA_MASK);
- err = -ENXIO;
- goto error1;
+ if (!dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
+ dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits));
+ } else {
+ dma_set_mask(&pci->dev, DMA_BIT_MASK(32));
+ dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(32));
}

if (!hw->io_base) {

2017-06-01 15:47:09

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 210/212] sctp: do not inherit ipv6_{mc|ac|fl}_list from parent

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 upstream.

SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
ipv6_mc_list from parent"), otherwise bad things can happen.

Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: Andrey Konovalov <[email protected]>
Tested-by: Andrey Konovalov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/sctp/ipv6.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -659,6 +659,9 @@ static struct sock *sctp_v6_create_accep
newnp = inet6_sk(newsk);

memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;

rcu_read_lock();
opt = rcu_dereference(np->opt);

2017-06-01 15:47:25

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 163/212] NFSv4: fix getacl ERANGE for some ACL buffer sizes

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Weston Andros Adamson <[email protected]>

commit ed92d8c137b7794c2c2aa14479298b9885967607 upstream.

We're not taking into account that the space needed for the (variable
length) attr bitmap, with the result that we'd sometimes get a spurious
ERANGE when the ACL data got close to the end of a page.

Just add in an extra page to make sure.

Signed-off-by: Weston Andros Adamson <[email protected]>
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Anna Schumaker <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfs/nfs4proc.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -4444,7 +4444,7 @@ out:
*/
static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
{
- struct page *pages[NFS4ACL_MAXPAGES] = {NULL, };
+ struct page *pages[NFS4ACL_MAXPAGES + 1] = {NULL, };
struct nfs_getaclargs args = {
.fh = NFS_FH(inode),
.acl_pages = pages,
@@ -4458,13 +4458,9 @@ static ssize_t __nfs4_get_acl_uncached(s
.rpc_argp = &args,
.rpc_resp = &res,
};
- unsigned int npages = DIV_ROUND_UP(buflen, PAGE_SIZE);
+ unsigned int npages = DIV_ROUND_UP(buflen, PAGE_SIZE) + 1;
int ret = -ENOMEM, i;

- /* As long as we're doing a round trip to the server anyway,
- * let's be prepared for a page of acl data. */
- if (npages == 0)
- npages = 1;
if (npages > ARRAY_SIZE(pages))
return -ERANGE;


2017-06-01 15:45:24

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 141/212] nfsd: update mtime on truncate

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <[email protected]>

commit f0c63124a6165792f6e37e4b5983792d009e1ce8 upstream.

This fixes a failure in xfstests generic/313 because nfs doesn't update
mtime on a truncate. The protocol requires this to be done implicity
for a size changing setattr.

Signed-off-by: Christoph Hellwig <[email protected]>
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfsd/vfs.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -448,6 +448,16 @@ nfsd_setattr(struct svc_rqst *rqstp, str
if (err)
goto out;
size_change = 1;
+
+ /*
+ * RFC5661, Section 18.30.4:
+ * Changing the size of a file with SETATTR indirectly
+ * changes the time_modify and change attributes.
+ *
+ * (and similar for the older RFCs)
+ */
+ if (iap->ia_size != i_size_read(inode))
+ iap->ia_valid |= ATTR_MTIME;
}

iap->ia_valid |= ATTR_CTIME;

2017-06-01 15:47:43

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 138/212] PM / QoS: Fix memory leak on resume_latency.notifiers

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: John Keeping <[email protected]>

commit e84b4a84e52d4cd8770b4242cd09df0133333f63 upstream.

Since commit 2d984ad132a8 (PM / QoS: Introcuce latency tolerance device
PM QoS type) we reassign "c" to point at qos->latency_tolerance before
freeing c->notifiers, but the notifiers field of latency_tolerance is
never used.

Restore the original behaviour of freeing the notifiers pointer on
qos->resume_latency, which is used, and fix the following kmemleak
warning.

unreferenced object 0xed9dba00 (size 64):
comm "kworker/0:1", pid 36, jiffies 4294670128 (age 15202.983s)
hex dump (first 32 bytes):
00 00 00 00 04 ba 9d ed 04 ba 9d ed 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<c06f6084>] kmemleak_alloc+0x74/0xb8
[<c011c964>] kmem_cache_alloc_trace+0x170/0x25c
[<c035f448>] dev_pm_qos_constraints_allocate+0x3c/0xe4
[<c035f574>] __dev_pm_qos_add_request+0x84/0x1a0
[<c035f6cc>] dev_pm_qos_add_request+0x3c/0x54
[<c03c3fc4>] usb_hub_create_port_device+0x110/0x2b8
[<c03b2a60>] hub_probe+0xadc/0xc80
[<c03bb050>] usb_probe_interface+0x1b4/0x260
[<c035773c>] driver_probe_device+0x198/0x40c
[<c0357b14>] __device_attach_driver+0x8c/0x98
[<c0355bbc>] bus_for_each_drv+0x8c/0x9c
[<c0357494>] __device_attach+0x98/0x138
[<c0357c64>] device_initial_probe+0x14/0x18
[<c03569dc>] bus_probe_device+0x30/0x88
[<c0354c54>] device_add+0x430/0x554
[<c03b92d8>] usb_set_configuration+0x660/0x6fc

Fixes: 2d984ad132a8 (PM / QoS: Introcuce latency tolerance device PM QoS type)
Signed-off-by: John Keeping <[email protected]>
Signed-off-by: Rafael J. Wysocki <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/base/power/qos.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/base/power/qos.c
+++ b/drivers/base/power/qos.c
@@ -277,7 +277,7 @@ void dev_pm_qos_constraints_destroy(stru
dev->power.qos = ERR_PTR(-ENODEV);
spin_unlock_irq(&dev->power.lock);

- kfree(c->notifiers);
+ kfree(qos->resume_latency.notifiers);
kfree(qos);

out:

2017-06-01 15:47:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 186/212] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andy Whitcroft <[email protected]>

commit 677e806da4d916052585301785d847c3b3e6186a upstream.

When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer. However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call. There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents. We do
not at this point check that the replay_window is within the allocated
memory. This leads to out-of-bounds reads and writes triggered by
netlink packets. This leads to memory corruption and the potential for
priviledge escalation.

We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn. It however does not check the replay_window
remains within that buffer. Add validation of the contained
replay_window.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <[email protected]>
Acked-by: Steffen Klassert <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/xfrm/xfrm_user.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -390,6 +390,9 @@ static inline int xfrm_replay_verify_len
if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
return -EINVAL;

+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+ return -EINVAL;
+
return 0;
}


2017-06-01 15:47:40

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 170/212] mac80211: flush delayed work when entering suspend

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Matt Chen <[email protected]>

commit a9e9200d8661c1a0be8c39f93deb383dc940de35 upstream.

The issue was found when entering suspend and resume.
It triggers a warning in:
mac80211/key.c: ieee80211_enable_keys()
...
WARN_ON_ONCE(sdata->crypto_tx_tailroom_needed_cnt ||
sdata->crypto_tx_tailroom_pending_dec);
...

It points out sdata->crypto_tx_tailroom_pending_dec isn't cleaned up successfully
in a delayed_work during suspend. Add a flush_delayed_work to fix it.

Signed-off-by: Matt Chen <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/mac80211/pm.c | 1 +
1 file changed, 1 insertion(+)

--- a/net/mac80211/pm.c
+++ b/net/mac80211/pm.c
@@ -114,6 +114,7 @@ int __ieee80211_suspend(struct ieee80211
break;
}

+ flush_delayed_work(&sdata->dec_tailroom_needed_wk);
drv_remove_interface(local, sdata);
}


2017-06-01 15:49:11

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 157/212] net/mlx4: Spoofcheck and zero MAC can't coexist

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eugenia Emantayev <[email protected]>

commit 745d8ae4622c6808b22e33a944c7decb30074be4 upstream.

Spoofcheck can't be enabled if VF MAC is zero.
Vice versa, can't zero MAC if spoofcheck is on.

Fixes: 8f7ba3ca12f6 ('net/mlx4: Add set VF mac address support')
Signed-off-by: Eugenia Emantayev <[email protected]>
Signed-off-by: Tariq Toukan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/mellanox/mlx4/cmd.c | 22 ++++++++++++++++++++--
drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 6 +-----
include/linux/mlx4/cmd.h | 2 +-
include/linux/mlx4/driver.h | 10 ++++++++++
4 files changed, 32 insertions(+), 8 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
@@ -42,6 +42,7 @@
#include <linux/mlx4/device.h>
#include <linux/semaphore.h>
#include <rdma/ib_smi.h>
+#include <linux/etherdevice.h>

#include <asm/io.h>

@@ -2409,7 +2410,7 @@ static int mlx4_slaves_closest_port(stru
return port;
}

-int mlx4_set_vf_mac(struct mlx4_dev *dev, int port, int vf, u64 mac)
+int mlx4_set_vf_mac(struct mlx4_dev *dev, int port, int vf, u8 *mac)
{
struct mlx4_priv *priv = mlx4_priv(dev);
struct mlx4_vport_state *s_info;
@@ -2418,13 +2419,22 @@ int mlx4_set_vf_mac(struct mlx4_dev *dev
if (!mlx4_is_master(dev))
return -EPROTONOSUPPORT;

+ if (is_multicast_ether_addr(mac))
+ return -EINVAL;
+
slave = mlx4_get_slave_indx(dev, vf);
if (slave < 0)
return -EINVAL;

port = mlx4_slaves_closest_port(dev, slave, port);
s_info = &priv->mfunc.master.vf_admin[slave].vport[port];
- s_info->mac = mac;
+
+ if (s_info->spoofchk && is_zero_ether_addr(mac)) {
+ mlx4_info(dev, "MAC invalidation is not allowed when spoofchk is on\n");
+ return -EPERM;
+ }
+
+ s_info->mac = mlx4_mac_to_u64(mac);
mlx4_info(dev, "default mac on vf %d port %d to %llX will take afect only after vf restart\n",
vf, port, s_info->mac);
return 0;
@@ -2496,6 +2506,7 @@ int mlx4_set_vf_spoofchk(struct mlx4_dev
struct mlx4_priv *priv = mlx4_priv(dev);
struct mlx4_vport_state *s_info;
int slave;
+ u8 mac[ETH_ALEN];

if ((!mlx4_is_master(dev)) ||
!(dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_FSM))
@@ -2507,6 +2518,13 @@ int mlx4_set_vf_spoofchk(struct mlx4_dev

port = mlx4_slaves_closest_port(dev, slave, port);
s_info = &priv->mfunc.master.vf_admin[slave].vport[port];
+
+ mlx4_u64_to_mac(mac, s_info->mac);
+ if (setting && !is_valid_ether_addr(mac)) {
+ mlx4_info(dev, "Illegal MAC with spoofchk\n");
+ return -EPERM;
+ }
+
s_info->spoofchk = setting;

return 0;
--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -2253,12 +2253,8 @@ static int mlx4_en_set_vf_mac(struct net
{
struct mlx4_en_priv *en_priv = netdev_priv(dev);
struct mlx4_en_dev *mdev = en_priv->mdev;
- u64 mac_u64 = mlx4_mac_to_u64(mac);

- if (is_multicast_ether_addr(mac))
- return -EINVAL;
-
- return mlx4_set_vf_mac(mdev->dev, en_priv->port, queue, mac_u64);
+ return mlx4_set_vf_mac(mdev->dev, en_priv->port, queue, mac);
}

static int mlx4_en_set_vf_vlan(struct net_device *dev, int vf, u16 vlan, u8 qos)
--- a/include/linux/mlx4/cmd.h
+++ b/include/linux/mlx4/cmd.h
@@ -236,7 +236,7 @@ struct mlx4_cmd_mailbox *mlx4_alloc_cmd_
void mlx4_free_cmd_mailbox(struct mlx4_dev *dev, struct mlx4_cmd_mailbox *mailbox);

u32 mlx4_comm_get_version(void);
-int mlx4_set_vf_mac(struct mlx4_dev *dev, int port, int vf, u64 mac);
+int mlx4_set_vf_mac(struct mlx4_dev *dev, int port, int vf, u8 *mac);
int mlx4_set_vf_vlan(struct mlx4_dev *dev, int port, int vf, u16 vlan, u8 qos);
int mlx4_set_vf_spoofchk(struct mlx4_dev *dev, int port, int vf, bool setting);
int mlx4_get_vf_config(struct mlx4_dev *dev, int port, int vf, struct ifla_vf_info *ivf);
--- a/include/linux/mlx4/driver.h
+++ b/include/linux/mlx4/driver.h
@@ -76,4 +76,14 @@ static inline u64 mlx4_mac_to_u64(u8 *ad
return mac;
}

+static inline void mlx4_u64_to_mac(u8 *addr, u64 mac)
+{
+ int i;
+
+ for (i = ETH_ALEN; i > 0; i--) {
+ addr[i - 1] = mac && 0xFF;
+ mac >>= 8;
+ }
+}
+
#endif /* MLX4_DRIVER_H */

2017-06-01 15:49:09

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 134/212] MIPS: OCTEON: Fix copy_from_user fault handling for large buffers

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: James Cowgill <[email protected]>

commit 884b426917e4b3c85f33b382c792a94305dfdd62 upstream.

If copy_from_user is called with a large buffer (>= 128 bytes) and the
userspace buffer refers partially to unreadable memory, then it is
possible for Octeon's copy_from_user to report the wrong number of bytes
have been copied. In the case where the buffer size is an exact multiple
of 128 and the fault occurs in the last 64 bytes, copy_from_user will
report that all the bytes were copied successfully but leave some
garbage in the destination buffer.

The bug is in the main __copy_user_common loop in octeon-memcpy.S where
in the middle of the loop, src and dst are incremented by 128 bytes. The
l_exc_copy fault handler is used after this but that assumes that
"src < THREAD_BUADDR($28)". This is not the case if src has already been
incremented.

Fix by adding an extra fault handler which rewinds the src and dst
pointers 128 bytes before falling though to l_exc_copy.

Thanks to the pwritev test from the strace test suite for originally
highlighting this bug!

Fixes: 5b3b16880f40 ("MIPS: Add Cavium OCTEON processor support ...")
Signed-off-by: James Cowgill <[email protected]>
Acked-by: David Daney <[email protected]>
Reviewed-by: James Hogan <[email protected]>
Cc: Ralf Baechle <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/14978/
Signed-off-by: James Hogan <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/cavium-octeon/octeon-memcpy.S | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)

--- a/arch/mips/cavium-octeon/octeon-memcpy.S
+++ b/arch/mips/cavium-octeon/octeon-memcpy.S
@@ -208,18 +208,18 @@ EXC( STORE t2, UNIT(6)(dst), s_exc_p10u)
ADD src, src, 16*NBYTES
EXC( STORE t3, UNIT(7)(dst), s_exc_p9u)
ADD dst, dst, 16*NBYTES
-EXC( LOAD t0, UNIT(-8)(src), l_exc_copy)
-EXC( LOAD t1, UNIT(-7)(src), l_exc_copy)
-EXC( LOAD t2, UNIT(-6)(src), l_exc_copy)
-EXC( LOAD t3, UNIT(-5)(src), l_exc_copy)
+EXC( LOAD t0, UNIT(-8)(src), l_exc_copy_rewind16)
+EXC( LOAD t1, UNIT(-7)(src), l_exc_copy_rewind16)
+EXC( LOAD t2, UNIT(-6)(src), l_exc_copy_rewind16)
+EXC( LOAD t3, UNIT(-5)(src), l_exc_copy_rewind16)
EXC( STORE t0, UNIT(-8)(dst), s_exc_p8u)
EXC( STORE t1, UNIT(-7)(dst), s_exc_p7u)
EXC( STORE t2, UNIT(-6)(dst), s_exc_p6u)
EXC( STORE t3, UNIT(-5)(dst), s_exc_p5u)
-EXC( LOAD t0, UNIT(-4)(src), l_exc_copy)
-EXC( LOAD t1, UNIT(-3)(src), l_exc_copy)
-EXC( LOAD t2, UNIT(-2)(src), l_exc_copy)
-EXC( LOAD t3, UNIT(-1)(src), l_exc_copy)
+EXC( LOAD t0, UNIT(-4)(src), l_exc_copy_rewind16)
+EXC( LOAD t1, UNIT(-3)(src), l_exc_copy_rewind16)
+EXC( LOAD t2, UNIT(-2)(src), l_exc_copy_rewind16)
+EXC( LOAD t3, UNIT(-1)(src), l_exc_copy_rewind16)
EXC( STORE t0, UNIT(-4)(dst), s_exc_p4u)
EXC( STORE t1, UNIT(-3)(dst), s_exc_p3u)
EXC( STORE t2, UNIT(-2)(dst), s_exc_p2u)
@@ -383,6 +383,10 @@ done:
nop
END(memcpy)

+l_exc_copy_rewind16:
+ /* Rewind src and dst by 16*NBYTES for l_exc_copy */
+ SUB src, src, 16*NBYTES
+ SUB dst, dst, 16*NBYTES
l_exc_copy:
/*
* Copy bytes from src until faulting load address (or until a

2017-06-01 15:49:44

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 156/212] s390/chsc: Add exception handler for CHSC instruction

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Oberparleiter <[email protected]>

commit 77759137248f34864a8f7a58bbcebfcf1047504a upstream.

Prevent kernel crashes due to unhandled exceptions raised by the CHSC
instruction which may for example be triggered by invalid ioctl data.

Fixes: 64150adf89df ("s390/cio: Introduce generic synchronous CHSC IOCTL")
Signed-off-by: Peter Oberparleiter <[email protected]>
Reviewed-by: Sebastian Ott <[email protected]>
Reviewed-by: Cornelia Huck <[email protected]>
Signed-off-by: Martin Schwidefsky <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/s390/cio/ioasm.h | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/s390/cio/ioasm.h
+++ b/drivers/s390/cio/ioasm.h
@@ -138,13 +138,15 @@ static inline int tpi(struct tpi_info *a
static inline int chsc(void *chsc_area)
{
typedef struct { char _[4096]; } addr_type;
- int cc;
+ int cc = -EIO;

asm volatile(
" .insn rre,0xb25f0000,%2,0\n"
- " ipm %0\n"
+ "0: ipm %0\n"
" srl %0,28\n"
- : "=d" (cc), "=m" (*(addr_type *) chsc_area)
+ "1:\n"
+ EX_TABLE(0b, 1b)
+ : "+d" (cc), "=m" (*(addr_type *) chsc_area)
: "d" (chsc_area), "m" (*(addr_type *) chsc_area)
: "cc");
return cc;

2017-06-01 15:49:42

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 182/212] KEYS: special dot prefixed keyring name bug fix

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mimi Zohar <[email protected]>

commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d upstream.

Dot prefixed keyring names are supposed to be reserved for the
kernel, but add_key() calls key_get_type_from_user(), which
incorrectly verifies the 'type' field, not the 'description' field.
This patch verifies the 'description' field isn't dot prefixed,
when creating a new keyring, and removes the dot prefix test in
key_get_type_from_user().

Changelog v6:
- whitespace and other cleanup

Changelog v5:
- Only prevent userspace from creating a dot prefixed keyring, not
regular keys - Dmitry

Reported-by: Dmitry Kasatkin <[email protected]>
Signed-off-by: Mimi Zohar <[email protected]>
Acked-by: David Howells <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
security/keys/keyctl.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -37,8 +37,6 @@ static int key_get_type_from_user(char *
return ret;
if (ret == 0 || ret >= len)
return -EINVAL;
- if (type[0] == '.')
- return -EPERM;
type[len - 1] = '\0';
return 0;
}
@@ -86,6 +84,10 @@ SYSCALL_DEFINE5(add_key, const char __us
if (!*description) {
kfree(description);
description = NULL;
+ } else if ((description[0] == '.') &&
+ (strncmp(type, "keyring", 7) == 0)) {
+ ret = -EPERM;
+ goto error2;
}
}


2017-06-01 15:49:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 181/212] USB: iowarrior: fix NULL-deref at probe

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream.

Make sure to check for the required interrupt-in endpoint to avoid
dereferencing a NULL-pointer should a malicious device lack such an
endpoint.

Note that a fairly recent change purported to fix this issue, but added
an insufficient test on the number of endpoints only, a test which can
now be removed.

Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/misc/iowarrior.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -787,12 +787,6 @@ static int iowarrior_probe(struct usb_in
iface_desc = interface->cur_altsetting;
dev->product_id = le16_to_cpu(udev->descriptor.idProduct);

- if (iface_desc->desc.bNumEndpoints < 1) {
- dev_err(&interface->dev, "Invalid number of endpoints\n");
- retval = -EINVAL;
- goto error;
- }
-
/* set up the endpoint information */
for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
endpoint = &iface_desc->endpoint[i].desc;
@@ -803,6 +797,13 @@ static int iowarrior_probe(struct usb_in
/* this one will match for the IOWarrior56 only */
dev->int_out_endpoint = endpoint;
}
+
+ if (!dev->int_in_endpoint) {
+ dev_err(&interface->dev, "no interrupt-in endpoint found\n");
+ retval = -ENODEV;
+ goto error;
+ }
+
/* we have to check the report_size often, so remember it in the endianness suitable for our machine */
dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&

2017-06-01 15:50:29

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 115/212] serial: exar: Fix initialization of EXAR registers for ports > 0

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kiszka <[email protected]>

commit 5b5f252d67afd7bd5b923c664206d60800bf5054 upstream.

So far, pci_xr17v35x_setup always initialized 8XMODE, FCTR & Co. for
port 0 because it used the address of that port instead of moving the
pointer according to the port number. Fix this and remove the unneeded
temporary ioremap by moving default_setup up and reusing the membase it
fills into the port structure.

Fixes: 14faa8cce88e ("tty/8250 Add support for Commtech's Fastcom Async-335 and Fastcom Async-PCIe cards")
Signed-off-by: Jan Kiszka <[email protected]>
Reviewed-by: Andy Shevchenko <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16:
- Adjust filename, context
- Add 'ret' variable]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -1661,10 +1661,7 @@ pci_xr17v35x_setup(struct serial_private
struct uart_8250_port *port, int idx)
{
u8 __iomem *p;
-
- p = pci_ioremap_bar(priv->dev, 0);
- if (p == NULL)
- return -ENOMEM;
+ int ret;

port->port.flags |= UPF_EXAR_EFR;

@@ -1675,6 +1672,17 @@ pci_xr17v35x_setup(struct serial_private
if (xr17v35x_has_slave(priv) && idx >= 8)
port->port.uartclk = (7812500 * 16 / 2);

+ ret = pci_default_setup(priv, board, port, idx);
+ if (ret)
+ return ret;
+
+ p = port->port.membase;
+
+ writeb(0x00, p + UART_EXAR_8XMODE);
+ writeb(UART_FCTR_EXAR_TRGD, p + UART_EXAR_FCTR);
+ writeb(128, p + UART_EXAR_TXTRG);
+ writeb(128, p + UART_EXAR_RXTRG);
+
/*
* Setup Multipurpose Input/Output pins.
*/
@@ -1692,13 +1700,8 @@ pci_xr17v35x_setup(struct serial_private
writeb(0x00, p + 0x99); /*MPIOSEL[15:8]*/
writeb(0x00, p + 0x9a); /*MPIOOD[15:8]*/
}
- writeb(0x00, p + UART_EXAR_8XMODE);
- writeb(UART_FCTR_EXAR_TRGD, p + UART_EXAR_FCTR);
- writeb(128, p + UART_EXAR_TXTRG);
- writeb(128, p + UART_EXAR_RXTRG);
- iounmap(p);

- return pci_default_setup(priv, board, port, idx);
+ return 0;
}

#define PCI_DEVICE_ID_COMMTECH_4222PCI335 0x0004

2017-06-01 15:50:48

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 204/212] nfsd: stricter decoding of write-like NFSv2/v3 ops

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <[email protected]>

commit 13bf9fbff0e5e099e2b6f003a0ab8ae145436309 upstream.

The NFSv2/v3 code does not systematically check whether we decode past
the end of the buffer. This generally appears to be harmless, but there
are a few places where we do arithmetic on the pointers involved and
don't account for the possibility that a length could be negative. Add
checks to catch these.

Reported-by: Tuomas Haanpää <[email protected]>
Reported-by: Ari Kauppi <[email protected]>
Reviewed-by: NeilBrown <[email protected]>
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfsd/nfs3xdr.c | 4 ++++
fs/nfsd/nfsxdr.c | 2 ++
2 files changed, 6 insertions(+)

--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -373,6 +373,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
args->count = ntohl(*p++);
args->stable = ntohl(*p++);
len = args->len = ntohl(*p++);
+ if ((void *)p > head->iov_base + head->iov_len)
+ return 0;
/*
* The count must equal the amount of data passed.
*/
@@ -476,6 +478,8 @@ nfs3svc_decode_symlinkargs(struct svc_rq
/* first copy and check from the first page */
old = (char*)p;
vec = &rqstp->rq_arg.head[0];
+ if ((void *)old > vec->iov_base + vec->iov_len)
+ return 0;
avail = vec->iov_len - (old - (char*)vec->iov_base);
while (len && avail && *old) {
*new++ = *old++;
--- a/fs/nfsd/nfsxdr.c
+++ b/fs/nfsd/nfsxdr.c
@@ -303,6 +303,8 @@ nfssvc_decode_writeargs(struct svc_rqst
* bytes.
*/
hdr = (void*)p - head->iov_base;
+ if (hdr > head->iov_len)
+ return 0;
dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;

/*

2017-06-01 15:50:46

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 172/212] ALSA: timer: Reject user params with too small ticks

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit 71321eb3f2d0df4e6c327e0b936eec4458a12054 upstream.

When a user sets a too small ticks with a fine-grained timer like
hrtimer, the kernel tries to fire up the timer irq too frequently.
This may lead to the condensed locks, eventually the kernel spinlock
lockup with warnings.

For avoiding such a situation, we define a lower limit of the
resolution, namely 1ms. When the user passes a too small tick value
that results in less than that, the kernel returns -EINVAL now.

Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/core/timer.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1715,9 +1715,21 @@ static int snd_timer_user_params(struct
return -EBADFD;
if (copy_from_user(&params, _params, sizeof(params)))
return -EFAULT;
- if (!(t->hw.flags & SNDRV_TIMER_HW_SLAVE) && params.ticks < 1) {
- err = -EINVAL;
- goto _end;
+ if (!(t->hw.flags & SNDRV_TIMER_HW_SLAVE)) {
+ u64 resolution;
+
+ if (params.ticks < 1) {
+ err = -EINVAL;
+ goto _end;
+ }
+
+ /* Don't allow resolution less than 1ms */
+ resolution = snd_timer_resolution(tu->timeri);
+ resolution *= params.ticks;
+ if (resolution < 1000000) {
+ err = -EINVAL;
+ goto _end;
+ }
}
if (params.queue_size > 0 &&
(params.queue_size < 32 || params.queue_size > 1024)) {

2017-06-01 15:50:45

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 175/212] net/mlx4: && vs & typo

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit b2d0fe35471d1a71471f99147ffb5986bd60e744 upstream.

Bitwise & was obviously intended here.

Fixes: 745d8ae4622c ("net/mlx4: Spoofcheck and zero MAC can't coexist")
Signed-off-by: Dan Carpenter <[email protected]>
Reviewed-by: Tariq Toukan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
include/linux/mlx4/driver.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/mlx4/driver.h
+++ b/include/linux/mlx4/driver.h
@@ -81,7 +81,7 @@ static inline void mlx4_u64_to_mac(u8 *a
int i;

for (i = ETH_ALEN; i > 0; i--) {
- addr[i - 1] = mac && 0xFF;
+ addr[i - 1] = mac & 0xFF;
mac >>= 8;
}
}

2017-06-01 15:45:21

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 180/212] net: ethernet: bgmac: mac address change bug

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hari Vyas <[email protected]>

commit fa42245dff4a5f2f8f208da542acbd80c22f7c65 upstream.

ndo_set_mac_address() passes struct sockaddr * as 2nd parameter to
bgmac_set_mac_address() but code assumed u8 *. This caused two bytes
chopping and the wrong mac address was configured.

Signed-off-by: Hari Vyas <[email protected]>
Signed-off-by: Jon Mason <[email protected]>
Fixes: 4e209001b86 ("bgmac: write mac address to hardware in ndo_set_mac_address")
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/broadcom/bgmac.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bgmac.c
+++ b/drivers/net/ethernet/broadcom/bgmac.c
@@ -1238,12 +1238,16 @@ static netdev_tx_t bgmac_start_xmit(stru
static int bgmac_set_mac_address(struct net_device *net_dev, void *addr)
{
struct bgmac *bgmac = netdev_priv(net_dev);
+ struct sockaddr *sa = addr;
int ret;

ret = eth_prepare_mac_addr_change(net_dev, addr);
if (ret < 0)
return ret;
- bgmac_write_mac_address(bgmac, (u8 *)addr);
+
+ ether_addr_copy(net_dev->dev_addr, sa->sa_data);
+ bgmac_write_mac_address(bgmac, net_dev->dev_addr);
+
eth_commit_mac_addr_change(net_dev, addr);
return 0;
}

2017-06-01 15:52:36

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 200/212] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Amey Telawane <[email protected]>

commit e09e28671cda63e6308b31798b997639120e2a21 upstream.

Strcpy is inherently not safe, and strlcpy() should be used instead.
__trace_find_cmdline() uses strcpy() because the comms saved must have a
terminating nul character, but it doesn't hurt to add the extra protection
of using strlcpy() instead of strcpy().

Link: http://lkml.kernel.org/r/[email protected]

Signed-off-by: Amey Telawane <[email protected]>
[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
Signed-off-by: Amit Pundir <[email protected]>
[ Updated change log and removed the "- 1" from len parameter ]
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
kernel/trace/trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1567,7 +1567,7 @@ static void __trace_find_cmdline(int pid

map = savedcmd->map_pid_to_cmdline[pid];
if (map != NO_CMDLINE_MAP)
- strcpy(comm, get_saved_cmdlines(map));
+ strlcpy(comm, get_saved_cmdlines(map), TASK_COMM_LEN);
else
strcpy(comm, "<...>");
}

2017-06-01 15:52:35

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 203/212] nfsd4: minor NFSv2/v3 write decoding cleanup

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <[email protected]>

commit db44bac41bbfc0c0d9dd943092d8bded3c9db19b upstream.

Use a couple shortcuts that will simplify a following bugfix.

Signed-off-by: J. Bruce Fields <[email protected]>
[bwh: Backported to 3.16: in nfs3svc_decode_writeargs(), dlen doesn't include
tail]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/fs/nfsd/nfs3xdr.c
+++ b/fs/nfsd/nfs3xdr.c
@@ -363,6 +363,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
{
unsigned int len, v, hdr, dlen;
u32 max_blocksize = svc_max_payload(rqstp);
+ struct kvec *head = rqstp->rq_arg.head;

p = decode_fh(p, &args->fh);
if (!p)
@@ -382,9 +383,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
* Check to make sure that we got the right number of
* bytes.
*/
- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
- - hdr;
+ hdr = (void*)p - head->iov_base;
+ dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
/*
* Round the length of the data which was specified up to
* the next multiple of XDR units and then compare that
@@ -401,7 +401,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
len = args->len = max_blocksize;
}
rqstp->rq_vec[0].iov_base = (void*)p;
- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
v = 0;
while (len > rqstp->rq_vec[v].iov_len) {
len -= rqstp->rq_vec[v].iov_len;
--- a/fs/nfsd/nfsxdr.c
+++ b/fs/nfsd/nfsxdr.c
@@ -281,6 +281,7 @@ nfssvc_decode_writeargs(struct svc_rqst
struct nfsd_writeargs *args)
{
unsigned int len, hdr, dlen;
+ struct kvec *head = rqstp->rq_arg.head;
int v;

p = decode_fh(p, &args->fh);
@@ -301,9 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst
* Check to make sure that we got the right number of
* bytes.
*/
- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
- - hdr;
+ hdr = (void*)p - head->iov_base;
+ dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;

/*
* Round the length of the data which was specified up to
@@ -317,7 +317,7 @@ nfssvc_decode_writeargs(struct svc_rqst
return 0;

rqstp->rq_vec[0].iov_base = (void*)p;
- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
v = 0;
while (len > rqstp->rq_vec[v].iov_len) {
len -= rqstp->rq_vec[v].iov_len;

2017-06-01 15:52:33

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 199/212] platform/x86: acer-wmi: setup accelerometer when machine has appropriate notify event

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Lee, Chun-Yi" <[email protected]>

commit 98d610c3739ac354319a6590b915f4624d9151e6 upstream.

The accelerometer event relies on the ACERWMID_EVENT_GUID notify.
So, this patch changes the codes to setup accelerometer input device
when detected ACERWMID_EVENT_GUID. It avoids that the accel input
device created on every Acer machines.

In addition, patch adds a clearly parsing logic of accelerometer hid
to acer_wmi_get_handle_cb callback function. It is positive matching
the "SENR" name with "BST0001" device to avoid non-supported hardware.

Reported-by: Bjørn Mork <[email protected]>
Cc: Darren Hart <[email protected]>
Signed-off-by: Lee, Chun-Yi <[email protected]>
[andy: slightly massage commit message]
Signed-off-by: Andy Shevchenko <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/platform/x86/acer-wmi.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)

--- a/drivers/platform/x86/acer-wmi.c
+++ b/drivers/platform/x86/acer-wmi.c
@@ -1866,11 +1866,24 @@ static int acer_wmi_enable_lm(void)
return status;
}

+#define ACER_WMID_ACCEL_HID "BST0001"
+
static acpi_status __init acer_wmi_get_handle_cb(acpi_handle ah, u32 level,
void *ctx, void **retval)
{
+ struct acpi_device *dev;
+
+ if (!strcmp(ctx, "SENR")) {
+ if (acpi_bus_get_device(ah, &dev))
+ return AE_OK;
+ if (!strcmp(ACER_WMID_ACCEL_HID, acpi_device_hid(dev)))
+ return AE_OK;
+ } else
+ return AE_OK;
+
*(acpi_handle *)retval = ah;
- return AE_OK;
+
+ return AE_CTRL_TERMINATE;
}

static int __init acer_wmi_get_handle(const char *name, const char *prop,
@@ -1897,7 +1910,7 @@ static int __init acer_wmi_accel_setup(v
{
int err;

- err = acer_wmi_get_handle("SENR", "BST0001", &gsensor_handle);
+ err = acer_wmi_get_handle("SENR", ACER_WMID_ACCEL_HID, &gsensor_handle);
if (err)
return err;

@@ -2268,10 +2281,11 @@ static int __init acer_wmi_init(void)
err = acer_wmi_input_setup();
if (err)
return err;
+ err = acer_wmi_accel_setup();
+ if (err)
+ return err;
}

- acer_wmi_accel_setup();
-
err = platform_driver_register(&acer_platform_driver);
if (err) {
pr_err("Unable to register platform driver\n");

2017-06-01 15:53:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 198/212] net: ipv6: check route protocol when deleting routes

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mantas M <[email protected]>

commit c2ed1880fd61a998e3ce40254a99a2ad000f1a7d upstream.

The protocol field is checked when deleting IPv4 routes, but ignored for
IPv6, which causes problems with routing daemons accidentally deleting
externally set routes (observed by multiple bird6 users).

This can be verified using `ip -6 route del <prefix> proto something`.

Signed-off-by: Mantas Mikulėnas <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/route.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1733,6 +1733,8 @@ static int ip6_route_del(struct fib6_con
continue;
if (cfg->fc_metric && cfg->fc_metric != rt->rt6i_metric)
continue;
+ if (cfg->fc_protocol && cfg->fc_protocol != rt->rt6i_protocol)
+ continue;
dst_hold(&rt->dst);
read_unlock_bh(&table->tb6_lock);


2017-06-01 15:53:39

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 197/212] virtio-console: avoid DMA from stack

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <[email protected]>

commit c4baad50297d84bde1a7ad45e50c73adae4a2192 upstream.

put_chars() stuffs the buffer it gets into an sg, but that buffer may be
on the stack. This breaks with CONFIG_VMAP_STACK=y (for me, it
manifested as printks getting turned into NUL bytes).

Signed-off-by: Omar Sandoval <[email protected]>
Signed-off-by: Michael S. Tsirkin <[email protected]>
Reviewed-by: Amit Shah <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/char/virtio_console.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1129,6 +1129,8 @@ static int put_chars(u32 vtermno, const
{
struct port *port;
struct scatterlist sg[1];
+ void *data;
+ int ret;

if (unlikely(early_put_chars))
return early_put_chars(vtermno, buf, count);
@@ -1137,8 +1139,14 @@ static int put_chars(u32 vtermno, const
if (!port)
return -EPIPE;

- sg_init_one(sg, buf, count);
- return __send_to_port(port, sg, 1, count, (void *)buf, false);
+ data = kmemdup(buf, count, GFP_ATOMIC);
+ if (!data)
+ return -ENOMEM;
+
+ sg_init_one(sg, data, count);
+ ret = __send_to_port(port, sg, 1, count, data, false);
+ kfree(data);
+ return ret;
}

/*

2017-06-01 15:54:08

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 191/212] net/packet: fix overflow in check for tp_frame_nr

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Konovalov <[email protected]>

commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b upstream.

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/packet/af_packet.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3854,6 +3854,8 @@ static int packet_set_ring(struct sock *
rb->frames_per_block = req->tp_block_size/req->tp_frame_size;
if (unlikely(rb->frames_per_block <= 0))
goto out;
+ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
+ goto out;
if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
req->tp_frame_nr))
goto out;

2017-06-01 15:54:10

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 165/212] mm/page_alloc: fix nodes for reclaim in fast path

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Gavin Shan <[email protected]>

commit e02dc017c3032dcdce1b993af0db135462e1b4b7 upstream.

When @node_reclaim_node isn't 0, the page allocator tries to reclaim
pages if the amount of free memory in the zones are below the low
watermark. On Power platform, none of NUMA nodes are scanned for page
reclaim because no nodes match the condition in zone_allows_reclaim().
On Power platform, RECLAIM_DISTANCE is set to 10 which is the distance
of Node-A to Node-A. So the preferred node even won't be scanned for
page reclaim.

__alloc_pages_nodemask()
get_page_from_freelist()
zone_allows_reclaim()

Anton proposed the test code as below:

# cat alloc.c
:
int main(int argc, char *argv[])
{
void *p;
unsigned long size;
unsigned long start, end;

start = time(NULL);
size = strtoul(argv[1], NULL, 0);
printf("To allocate %ldGB memory\n", size);

size <<= 30;
p = malloc(size);
assert(p);
memset(p, 0, size);

end = time(NULL);
printf("Used time: %ld seconds\n", end - start);
sleep(3600);
return 0;
}

The system I use for testing has two NUMA nodes. Both have 128GB
memory. In below scnario, the page caches on node#0 should be reclaimed
when it encounters pressure to accommodate request of allocation.

# echo 2 > /proc/sys/vm/zone_reclaim_mode; \
sync; \
echo 3 > /proc/sys/vm/drop_caches; \
# taskset -c 0 cat file.32G > /dev/null; \
grep FilePages /sys/devices/system/node/node0/meminfo
Node 0 FilePages: 33619712 kB
# taskset -c 0 ./alloc 128
# grep FilePages /sys/devices/system/node/node0/meminfo
Node 0 FilePages: 33619840 kB
# grep MemFree /sys/devices/system/node/node0/meminfo
Node 0 MemFree: 186816 kB

With the patch applied, the pagecache on node-0 is reclaimed when its
free memory is running out. It's the expected behaviour.

# echo 2 > /proc/sys/vm/zone_reclaim_mode; \
sync; \
echo 3 > /proc/sys/vm/drop_caches
# taskset -c 0 cat file.32G > /dev/null; \
grep FilePages /sys/devices/system/node/node0/meminfo
Node 0 FilePages: 33605568 kB
# taskset -c 0 ./alloc 128
# grep FilePages /sys/devices/system/node/node0/meminfo
Node 0 FilePages: 1379520 kB
# grep MemFree /sys/devices/system/node/node0/meminfo
Node 0 MemFree: 317120 kB

Fixes: 5f7a75acdb24 ("mm: page_alloc: do not cache reclaim distances")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Gavin Shan <[email protected]>
Acked-by: Mel Gorman <[email protected]>
Acked-by: Michal Hocko <[email protected]>
Cc: Anton Blanchard <[email protected]>
Cc: Michael Ellerman <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
mm/page_alloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1883,7 +1883,7 @@ static bool zone_local(struct zone *loca

static bool zone_allows_reclaim(struct zone *local_zone, struct zone *zone)
{
- return node_distance(zone_to_nid(local_zone), zone_to_nid(zone)) <
+ return node_distance(zone_to_nid(local_zone), zone_to_nid(zone)) <=
RECLAIM_DISTANCE;
}


2017-06-01 15:54:07

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 212/212] ipv6: fix out of bound writes in __ip6_append_data()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit 232cd35d0804cc241eb887bb8d4d9b3b9881c64a upstream.

Andrey Konovalov and [email protected] reported crashes caused by
one skb shared_info being overwritten from __ip6_append_data()

Andrey program lead to following state :

copy -4200 datalen 2000 fraglen 2040
maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200

The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
fraggap, 0); is overwriting skb->head and skb_shared_info

Since we apparently detect this rare condition too late, move the
code earlier to even avoid allocating skb and risking crashes.

Once again, many thanks to Andrey and syzkaller team.

Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: Andrey Konovalov <[email protected]>
Tested-by: Andrey Konovalov <[email protected]>
Reported-by: <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/ip6_output.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1367,6 +1367,11 @@ alloc_new_skb:
*/
alloclen += sizeof(struct frag_hdr);

+ copy = datalen - transhdrlen - fraggap;
+ if (copy < 0) {
+ err = -EINVAL;
+ goto error;
+ }
if (transhdrlen) {
skb = sock_alloc_send_skb(sk,
alloclen + hh_len,
@@ -1419,13 +1424,9 @@ alloc_new_skb:
data += fraggap;
pskb_trim_unique(skb_prev, maxfraglen);
}
- copy = datalen - transhdrlen - fraggap;
-
- if (copy < 0) {
- err = -EINVAL;
- kfree_skb(skb);
- goto error;
- } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
+ if (copy > 0 &&
+ getfrag(from, data + transhdrlen, offset,
+ copy, fraggap, skb) < 0) {
err = -EFAULT;
kfree_skb(skb);
goto error;

2017-06-01 15:45:19

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 174/212] ALSA: seq: Fix link corruption by event error handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit f3ac9f737603da80c2da3e84b89e74429836bb6d upstream.

The sequencer FIFO management has a bug that may lead to a corruption
(shortage) of the cell linked list. When a sequencer client faces an
error at the event delivery, it tries to put back the dequeued cell.
When the first queue was put back, this forgot the tail pointer
tracking, and the link will be screwed up.

Although there is no memory corruption, the sequencer client may stall
forever at exit while flushing the pending FIFO cells in
snd_seq_pool_done(), as spotted by syzkaller.

This patch addresses the missing tail pointer tracking at
snd_seq_fifo_cell_putback(). Also the patch makes sure to clear the
cell->enxt pointer at snd_seq_fifo_event_in() for avoiding a similar
mess-up of the FIFO linked list.

Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/core/seq/seq_fifo.c | 3 +++
1 file changed, 3 insertions(+)

--- a/sound/core/seq/seq_fifo.c
+++ b/sound/core/seq/seq_fifo.c
@@ -135,6 +135,7 @@ int snd_seq_fifo_event_in(struct snd_seq
f->tail = cell;
if (f->head == NULL)
f->head = cell;
+ cell->next = NULL;
f->cells++;
spin_unlock_irqrestore(&f->lock, flags);

@@ -214,6 +215,8 @@ void snd_seq_fifo_cell_putback(struct sn
spin_lock_irqsave(&f->lock, flags);
cell->next = f->head;
f->head = cell;
+ if (!f->tail)
+ f->tail = cell;
f->cells++;
spin_unlock_irqrestore(&f->lock, flags);
}

2017-06-01 15:55:05

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 189/212] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Li Qiang <[email protected]>

commit e7e11f99564222d82f0ce84bd521e57d78a6b678 upstream.

In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
'req->mip_levels' array. This array can be assigned any value from
the user space. As both the 'num_sizes' and the array is uint32_t,
it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
used as the loop count. This can lead an oob write. Add the check of
'req->mip_levels' to avoid this.

Signed-off-by: Li Qiang <[email protected]>
Reviewed-by: Thomas Hellstrom <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -711,8 +711,11 @@ int vmw_surface_define_ioctl(struct drm_
128;

num_sizes = 0;
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
+ return -EINVAL;
num_sizes += req->mip_levels[i];
+ }

if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
num_sizes == 0)

2017-06-01 15:55:03

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 187/212] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andy Whitcroft <[email protected]>

commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.

Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
wrapping issues. To ensure we are correctly ensuring that the two ESN
structures are the same size compare both the overall size as reported
by xfrm_replay_state_esn_len() and the internal length are the same.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <[email protected]>
Acked-by: Steffen Klassert <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/xfrm/xfrm_user.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -387,7 +387,11 @@ static inline int xfrm_replay_verify_len
up = nla_data(rp);
ulen = xfrm_replay_state_esn_len(up);

- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ /* Check the overall length and the internal bitmap length to avoid
+ * potential overflow. */
+ if (nla_len(rp) < ulen ||
+ xfrm_replay_state_esn_len(replay_esn) != ulen ||
+ replay_esn->bmp_len != up->bmp_len)
return -EINVAL;

if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)

2017-06-01 15:55:44

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 161/212] f2fs: add ovp valid_blocks check for bg gc victim to fg_gc

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Hou Pengyang <[email protected]>

commit e93b9865251a0503d83fd570e7d5a7c8bc351715 upstream.

For foreground gc, greedy algorithm should be adapted, which makes
this formula work well:

(2 * (100 / config.overprovision + 1) + 6)

But currently, we fg_gc have a prior to select bg_gc victim segments to gc
first, these victims are selected by cost-benefit algorithm, we can't guarantee
such segments have the small valid blocks, which may destroy the f2fs rule, on
the worstest case, would consume all the free segments.

This patch fix this by add a filter in check_bg_victims, if segment's has # of
valid blocks over overprovision ratio, skip such segments.

Signed-off-by: Hou Pengyang <[email protected]>
Reviewed-by: Chao Yu <[email protected]>
Signed-off-by: Jaegeuk Kim <[email protected]>
[bwh: Backported to 3.16:
- In get_victim_by_default(), use continue rather than goto
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/f2fs/f2fs.h | 3 +++
fs/f2fs/gc.c | 22 ++++++++++++++++++++--
fs/f2fs/segment.h | 9 +++++++++
3 files changed, 32 insertions(+), 2 deletions(-)

--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -489,6 +489,9 @@ struct f2fs_sb_info {
struct f2fs_gc_kthread *gc_thread; /* GC thread */
unsigned int cur_victim_sec; /* current victim section num */

+ /* threshold for converting bg victims for fg */
+ u64 fggc_threshold;
+
/* maximum # of trials to find a victim segment for SSR and GC */
unsigned int max_victim_search;

--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -163,7 +163,8 @@ static void select_policy(struct f2fs_sb
p->ofs_unit = sbi->segs_per_sec;
}

- if (p->max_search > sbi->max_victim_search)
+ /* we need to check every dirty segments in the FG_GC case */
+ if (gc_type != FG_GC && p->max_search > sbi->max_victim_search)
p->max_search = sbi->max_victim_search;

p->offset = sbi->last_victim[p->gc_mode];
@@ -196,6 +197,10 @@ static unsigned int check_bg_victims(str
for_each_set_bit(secno, dirty_i->victim_secmap, TOTAL_SECS(sbi)) {
if (sec_usage_check(sbi, secno))
continue;
+
+ if (no_fggc_candidate(sbi, secno))
+ continue;
+
clear_bit(secno, dirty_i->victim_secmap);
return secno * sbi->segs_per_sec;
}
@@ -302,6 +307,9 @@ static int get_victim_by_default(struct
continue;
if (gc_type == BG_GC && test_bit(secno, dirty_i->victim_secmap))
continue;
+ if (gc_type == FG_GC && p.alloc_mode == LFS &&
+ no_fggc_candidate(sbi, secno))
+ continue;

cost = get_gc_cost(sbi, segno, &p);

@@ -733,7 +741,18 @@ stop:

void build_gc_manager(struct f2fs_sb_info *sbi)
{
+ u64 main_count, resv_count, ovp_count, blocks_per_sec;
+
DIRTY_I(sbi)->v_ops = &default_v_ops;
+
+ /* threshold of # of valid blocks in a section for victims of FG_GC */
+ main_count = SM_I(sbi)->main_segments << sbi->log_blocks_per_seg;
+ resv_count = SM_I(sbi)->reserved_segments << sbi->log_blocks_per_seg;
+ ovp_count = SM_I(sbi)->ovp_segments << sbi->log_blocks_per_seg;
+ blocks_per_sec = sbi->blocks_per_seg * sbi->segs_per_sec;
+
+ sbi->fggc_threshold = div_u64((main_count - ovp_count) * blocks_per_sec,
+ (main_count - resv_count));
}

int __init create_gc_caches(void)
--- a/fs/f2fs/segment.h
+++ b/fs/f2fs/segment.h
@@ -651,6 +651,15 @@ static inline block_t sum_blk_addr(struc
- (base + 1) + type;
}

+static inline bool no_fggc_candidate(struct f2fs_sb_info *sbi,
+ unsigned int secno)
+{
+ if (get_valid_blocks(sbi, secno, sbi->segs_per_sec) >=
+ sbi->fggc_threshold)
+ return true;
+ return false;
+}
+
static inline bool sec_usage_check(struct f2fs_sb_info *sbi, unsigned int secno)
{
if (IS_CURSEC(sbi, secno) || (sbi->cur_victim_sec == secno))

2017-06-01 15:55:42

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 184/212] KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Howells <[email protected]>

commit ee8f844e3c5a73b999edf733df1c529d6503ec2f upstream.

This fixes CVE-2016-9604.

Keyrings whose name begin with a '.' are special internal keyrings and so
userspace isn't allowed to create keyrings by this name to prevent
shadowing. However, the patch that added the guard didn't fix
KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings,
it can also subscribe to them as a session keyring if they grant SEARCH
permission to the user.

This, for example, allows a root process to set .builtin_trusted_keys as
its session keyring, at which point it has full access because now the
possessor permissions are added. This permits root to add extra public
keys, thereby bypassing module verification.

This also affects kexec and IMA.

This can be tested by (as root):

keyctl session .builtin_trusted_keys
keyctl add user a a @s
keyctl list @s

which on my test box gives me:

2 keys in keyring:
180010936: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
801382539: --alswrv 0 0 user: a


Fix this by rejecting names beginning with a '.' in the keyctl.

Signed-off-by: David Howells <[email protected]>
Acked-by: Mimi Zohar <[email protected]>
cc: [email protected]
Signed-off-by: Ben Hutchings <[email protected]>
---
security/keys/keyctl.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -275,7 +275,8 @@ error:
* Create and join an anonymous session keyring or join a named session
* keyring, creating it if necessary. A named session keyring must have Search
* permission for it to be joined. Session keyrings without this permit will
- * be skipped over.
+ * be skipped over. It is not permitted for userspace to create or join
+ * keyrings whose name begin with a dot.
*
* If successful, the ID of the joined session keyring will be returned.
*/
@@ -292,12 +293,16 @@ long keyctl_join_session_keyring(const c
ret = PTR_ERR(name);
goto error;
}
+
+ ret = -EPERM;
+ if (name[0] == '.')
+ goto error_name;
}

/* join the session */
ret = join_session_keyring(name);
+error_name:
kfree(name);
-
error:
return ret;
}

2017-06-01 15:56:12

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 154/212] scsi: aacraid: Reorder Adapter status check

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Raghava Aditya Renukunta <[email protected]>

commit c421530bf848604e97d0785a03b3fe2c62775083 upstream.

The driver currently checks the SELF_TEST_FAILED first and then
KERNEL_PANIC next. Under error conditions(boot code failure) both
SELF_TEST_FAILED and KERNEL_PANIC can be set at the same time.

The driver has the capability to reset the controller on an KERNEL_PANIC,
but not on SELF_TEST_FAILED.

Fixed by first checking KERNEL_PANIC and then the others.

Fixes: e8b12f0fb835223752 ([SCSI] aacraid: Add new code for PMC-Sierra's SRC base controller family)
Signed-off-by: Raghava Aditya Renukunta <[email protected]>
Reviewed-by: David Carroll <[email protected]>
Reviewed-by: Johannes Thumshirn <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/aacraid/src.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)

--- a/drivers/scsi/aacraid/src.c
+++ b/drivers/scsi/aacraid/src.c
@@ -359,16 +359,23 @@ static int aac_src_check_health(struct a
u32 status = src_readl(dev, MUnit.OMR);

/*
+ * Check to see if the board panic'd.
+ */
+ if (unlikely(status & KERNEL_PANIC))
+ goto err_blink;
+
+ /*
* Check to see if the board failed any self tests.
*/
if (unlikely(status & SELF_TEST_FAILED))
- return -1;
+ goto err_out;

/*
- * Check to see if the board panic'd.
+ * Check to see if the board failed any self tests.
*/
- if (unlikely(status & KERNEL_PANIC))
- return (status >> 16) & 0xFF;
+ if (unlikely(status & MONITOR_PANIC))
+ goto err_out;
+
/*
* Wait for the adapter to be up and running.
*/
@@ -378,6 +385,12 @@ static int aac_src_check_health(struct a
* Everything is OK
*/
return 0;
+
+err_out:
+ return -1;
+
+err_blink:
+ return (status > 16) & 0xFF;
}

/**

2017-06-01 15:56:11

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 113/212] perf tests: Avoid possible truncation with dirent->d_name + snprintf

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnaldo Carvalho de Melo <[email protected]>

commit 2e2bbc039fad9eabad6c4c1a473c8b2554cdd2d4 upstream.

Addressing a few cases spotted by a new warning in gcc 7:

tests/parse-events.c: In function 'test_pmu_events':
tests/parse-events.c:1790:39: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 90 [-Werror=format-truncation=]
snprintf(name, MAX_NAME, "cpu/event=%s/u", ent->d_name);
^~
In file included from /usr/include/stdio.h:939:0,
from /git/linux/tools/perf/util/map.h:9,
from /git/linux/tools/perf/util/symbol.h:7,
from /git/linux/tools/perf/util/evsel.h:10,
from tests/parse-events.c:3:
/usr/include/bits/stdio2.h:64:10: note: '__builtin___snprintf_chk' output between 13 and 268 bytes into a destination of size 100
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tests/parse-events.c:1798:29: error: '%s' directive output may be truncated writing up to 255 bytes into a region of size 100 [-Werror=format-truncation=]
snprintf(name, MAX_NAME, "%s:u,cpu/event=%s/u", ent->d_name, ent->d_name);

Cc: Adrian Hunter <[email protected]>
Cc: David Ahern <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Namhyung Kim <[email protected]>
Cc: Wang Nan <[email protected]>
Fixes: 945aea220bb8 ("perf tests: Move test objects into 'tests' directory")
Link: http://lkml.kernel.org/n/[email protected]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
[bwh: Backported to 3.16: only one snprintf() call needs fixing]
Signed-off-by: Ben Hutchings <[email protected]>
---
tools/perf/tests/parse-events.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)

--- a/tools/perf/tests/parse-events.c
+++ b/tools/perf/tests/parse-events.c
@@ -1539,21 +1539,19 @@ static int test_pmu_events(void)
}

while (!ret && (ent = readdir(dir))) {
-#define MAX_NAME 100
struct evlist_test e;
- char name[MAX_NAME];
+ char name[2 * NAME_MAX + 1 + 12 + 3];

if (!strcmp(ent->d_name, ".") ||
!strcmp(ent->d_name, ".."))
continue;

- snprintf(name, MAX_NAME, "cpu/event=%s/u", ent->d_name);
+ snprintf(name, sizeof(name), "cpu/event=%s/u", ent->d_name);

e.name = name;
e.check = test__checkevent_pmu_events;

ret = test_event(&e);
-#undef MAX_NAME
}

closedir(dir);

2017-06-01 15:56:09

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 120/212] md linear: fix a race between linear_add() and linear_congested()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "[email protected]" <[email protected]>

commit 03a9e24ef2aaa5f1f9837356aed79c860521407a upstream.

Recently I receive a bug report that on Linux v3.0 based kerenl, hot add
disk to a md linear device causes kernel crash at linear_congested(). From
the crash image analysis, I find in linear_congested(), mddev->raid_disks
contains value N, but conf->disks[] only has N-1 pointers available. Then
a NULL pointer deference crashes the kernel.

There is a race between linear_add() and linear_congested(), RCU stuffs
used in these two functions cannot avoid the race. Since Linuv v4.0
RCU code is replaced by introducing mddev_suspend(). After checking the
upstream code, it seems linear_congested() is not called in
generic_make_request() code patch, so mddev_suspend() cannot provent it
from being called. The possible race still exists.

Here I explain how the race still exists in current code. For a machine
has many CPUs, on one CPU, linear_add() is called to add a hard disk to a
md linear device; at the same time on other CPU, linear_congested() is
called to detect whether this md linear device is congested before issuing
an I/O request onto it.

Now I use a possible code execution time sequence to demo how the possible
race happens,

seq linear_add() linear_congested()
0 conf=mddev->private
1 oldconf=mddev->private
2 mddev->raid_disks++
3 for (i=0; i<mddev->raid_disks;i++)
4 bdev_get_queue(conf->disks[i].rdev->bdev)
5 mddev->private=newconf

In linear_add() mddev->raid_disks is increased in time seq 2, and on
another CPU in linear_congested() the for-loop iterates conf->disks[i] by
the increased mddev->raid_disks in time seq 3,4. But conf with one more
element (which is a pointer to struct dev_info type) to conf->disks[] is
not updated yet, accessing its structure member in time seq 4 will cause a
NULL pointer deference fault.

To fix this race, there are 2 parts of modification in the patch,
1) Add 'int raid_disks' in struct linear_conf, as a copy of
mddev->raid_disks. It is initialized in linear_conf(), always being
consistent with pointers number of 'struct dev_info disks[]'. When
iterating conf->disks[] in linear_congested(), use conf->raid_disks to
replace mddev->raid_disks in the for-loop, then NULL pointer deference
will not happen again.
2) RCU stuffs are back again, and use kfree_rcu() in linear_add() to
free oldconf memory. Because oldconf may be referenced as mddev->private
in linear_congested(), kfree_rcu() makes sure that its memory will not
be released until no one uses it any more.
Also some code comments are added in this patch, to make this modification
to be easier understandable.

This patch can be applied for kernels since v4.0 after commit:
3be260cc18f8 ("md/linear: remove rcu protections in favour of
suspend/resume"). But this bug is reported on Linux v3.0 based kernel, for
people who maintain kernels before Linux v4.0, they need to do some back
back port to this patch.

Changelog:
- V3: add 'int raid_disks' in struct linear_conf, and use kfree_rcu() to
replace rcu_call() in linear_add().
- v2: add RCU stuffs by suggestion from Shaohua and Neil.
- v1: initial effort.

Signed-off-by: Coly Li <[email protected]>
Cc: Shaohua Li <[email protected]>
Cc: Neil Brown <[email protected]>
Signed-off-by: Shaohua Li <[email protected]>
[bwh: Backported to 3.16: no need to restore RCU protections]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/md/linear.c
+++ b/drivers/md/linear.c
@@ -97,6 +97,12 @@ static int linear_mergeable_bvec(struct
return maxsectors << 9;
}

+/*
+ * In linear_congested() conf->raid_disks is used as a copy of
+ * mddev->raid_disks to iterate conf->disks[], because conf->raid_disks
+ * and conf->disks[] are created in linear_conf(), they are always
+ * consitent with each other, but mddev->raid_disks does not.
+ */
static int linear_congested(void *data, int bits)
{
struct mddev *mddev = data;
@@ -109,7 +115,7 @@ static int linear_congested(void *data,
rcu_read_lock();
conf = rcu_dereference(mddev->private);

- for (i = 0; i < mddev->raid_disks && !ret ; i++) {
+ for (i = 0; i < conf->raid_disks && !ret ; i++) {
struct request_queue *q = bdev_get_queue(conf->disks[i].rdev->bdev);
ret |= bdi_congested(&q->backing_dev_info, bits);
}
@@ -196,6 +202,19 @@ static struct linear_conf *linear_conf(s
conf->disks[i-1].end_sector +
conf->disks[i].rdev->sectors;

+ /*
+ * conf->raid_disks is copy of mddev->raid_disks. The reason to
+ * keep a copy of mddev->raid_disks in struct linear_conf is,
+ * mddev->raid_disks may not be consistent with pointers number of
+ * conf->disks[] when it is updated in linear_add() and used to
+ * iterate old conf->disks[] earray in linear_congested().
+ * Here conf->raid_disks is always consitent with number of
+ * pointers in conf->disks[] array, and mddev->private is updated
+ * with rcu_assign_pointer() in linear_addr(), such race can be
+ * avoided.
+ */
+ conf->raid_disks = raid_disks;
+
return conf;

out:
@@ -252,10 +271,18 @@ static int linear_add(struct mddev *mdde
if (!newconf)
return -ENOMEM;

+ /* newconf->raid_disks already keeps a copy of * the increased
+ * value of mddev->raid_disks, WARN_ONCE() is just used to make
+ * sure of this. It is possible that oldconf is still referenced
+ * in linear_congested(), therefore kfree_rcu() is used to free
+ * oldconf until no one uses it anymore.
+ */
oldconf = rcu_dereference_protected(mddev->private,
lockdep_is_held(
&mddev->reconfig_mutex));
mddev->raid_disks++;
+ WARN_ONCE(mddev->raid_disks != newconf->raid_disks,
+ "copied raid_disks doesn't match mddev->raid_disks");
rcu_assign_pointer(mddev->private, newconf);
md_set_array_sectors(mddev, linear_size(mddev, 0, 0));
set_capacity(mddev->gendisk, mddev->array_sectors);
--- a/drivers/md/linear.h
+++ b/drivers/md/linear.h
@@ -10,6 +10,7 @@ struct linear_conf
{
struct rcu_head rcu;
sector_t array_sectors;
+ int raid_disks; /* a copy of mddev->raid_disks */
struct dev_info disks[0];
};
#endif

2017-06-01 15:57:02

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 116/212] drivers: hv: Turn off write permission on the hypercall page

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "K. Y. Srinivasan" <[email protected]>

commit 372b1e91343e657a7cc5e2e2bcecd5140ac28119 upstream.

The hypercall page only needs to be executable but currently it is setup to
be writable as well. Fix the issue.

Signed-off-by: K. Y. Srinivasan <[email protected]>
Acked-by: Kees Cook <[email protected]>
Reported-by: Stephen Hemminger <[email protected]>
Tested-by: Stephen Hemminger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/hv/hv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hv/hv.c
+++ b/drivers/hv/hv.c
@@ -156,7 +156,7 @@ int hv_init(void)
/* See if the hypercall page is already set */
rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);

- virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_EXEC);
+ virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_RX);

if (!virtaddr)
goto cleanup;

2017-06-01 15:57:01

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 178/212] net: net_enable_timestamp() can be called from irq contexts

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit 13baa00ad01bb3a9f893e3a08cbc2d072fc0c15d upstream.

It is now very clear that silly TCP listeners might play with
enabling/disabling timestamping while new children are added
to their accept queue.

Meaning net_enable_timestamp() can be called from BH context
while current state of the static key is not enabled.

Lets play safe and allow all contexts.

The work queue is scheduled only under the problematic cases,
which are the static key enable/disable transition, to not slow down
critical paths.

This extends and improves what we did in commit 5fa8bbda38c6 ("net: use
a work queue to defer net_disable_timestamp() work")

Fixes: b90e5794c5bd ("net: dont call jump_label_dec from irq context")
Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/core/dev.c | 35 +++++++++++++++++++++++++++++++----
1 file changed, 31 insertions(+), 4 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1601,27 +1601,54 @@ EXPORT_SYMBOL(call_netdevice_notifiers);
static struct static_key netstamp_needed __read_mostly;
#ifdef HAVE_JUMP_LABEL
static atomic_t netstamp_needed_deferred;
+static atomic_t netstamp_wanted;
static void netstamp_clear(struct work_struct *work)
{
int deferred = atomic_xchg(&netstamp_needed_deferred, 0);
+ int wanted;

- while (deferred--)
- static_key_slow_dec(&netstamp_needed);
+ wanted = atomic_add_return(deferred, &netstamp_wanted);
+ if (wanted > 0)
+ static_key_enable(&netstamp_needed);
+ else
+ static_key_disable(&netstamp_needed);
}
static DECLARE_WORK(netstamp_work, netstamp_clear);
#endif

void net_enable_timestamp(void)
{
+#ifdef HAVE_JUMP_LABEL
+ int wanted;
+
+ while (1) {
+ wanted = atomic_read(&netstamp_wanted);
+ if (wanted <= 0)
+ break;
+ if (atomic_cmpxchg(&netstamp_wanted, wanted, wanted + 1) == wanted)
+ return;
+ }
+ atomic_inc(&netstamp_needed_deferred);
+ schedule_work(&netstamp_work);
+#else
static_key_slow_inc(&netstamp_needed);
+#endif
}
EXPORT_SYMBOL(net_enable_timestamp);

void net_disable_timestamp(void)
{
#ifdef HAVE_JUMP_LABEL
- /* net_disable_timestamp() can be called from non process context */
- atomic_inc(&netstamp_needed_deferred);
+ int wanted;
+
+ while (1) {
+ wanted = atomic_read(&netstamp_wanted);
+ if (wanted <= 1)
+ break;
+ if (atomic_cmpxchg(&netstamp_wanted, wanted, wanted - 1) == wanted)
+ return;
+ }
+ atomic_dec(&netstamp_needed_deferred);
schedule_work(&netstamp_work);
#else
static_key_slow_dec(&netstamp_needed);

2017-06-01 15:56:59

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 177/212] locking/static_keys: Add static_key_{en,dis}able() helpers

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <[email protected]>

commit e33886b38cc82a9fc3b2d655dfc7f50467594138 upstream.

Add two helpers to make it easier to treat the refcount as boolean.

Suggested-by: Jason Baron <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Paul E. McKenney <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
include/linux/jump_label.h | 20 ++++++++++++++++++++
kernel/sched/core.c | 6 ++----
2 files changed, 22 insertions(+), 4 deletions(-)

--- a/include/linux/jump_label.h
+++ b/include/linux/jump_label.h
@@ -203,4 +203,24 @@ static inline bool static_key_enabled(st
return static_key_count(key) > 0;
}

+static inline void static_key_enable(struct static_key *key)
+{
+ int count = static_key_count(key);
+
+ WARN_ON_ONCE(count < 0 || count > 1);
+
+ if (!count)
+ static_key_slow_inc(key);
+}
+
+static inline void static_key_disable(struct static_key *key)
+{
+ int count = static_key_count(key);
+
+ WARN_ON_ONCE(count < 0 || count > 1);
+
+ if (count)
+ static_key_slow_dec(key);
+}
+
#endif /* _LINUX_JUMP_LABEL_H */
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -196,14 +196,12 @@ struct static_key sched_feat_keys[__SCHE

static void sched_feat_disable(int i)
{
- if (static_key_enabled(&sched_feat_keys[i]))
- static_key_slow_dec(&sched_feat_keys[i]);
+ static_key_disable(&sched_feat_keys[i]);
}

static void sched_feat_enable(int i)
{
- if (!static_key_enabled(&sched_feat_keys[i]))
- static_key_slow_inc(&sched_feat_keys[i]);
+ static_key_enable(&sched_feat_keys[i]);
}
#else
static void sched_feat_disable(int i) { };

2017-06-01 15:56:58

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 119/212] mmc: host: omap_hsmmc: avoid possible overflow of timeout value

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ravikumar Kattekola <[email protected]>

commit a53210f56d7f3f75d1edc1b3a069ddb87b72a919 upstream.

Fixes: a45c6cb81647 ("[ARM] 5369/1: omap mmc: Add new omap
hsmmc controller for 2430 and 34xx, v3")

when using really large timeout (up to 4*60*1000 ms for bkops)
there is a possibility of data overflow using
unsigned int so use 64 bit unsigned long long.

Signed-off-by: Ravikumar Kattekola <[email protected]>
Signed-off-by: Sekhar Nori <[email protected]>
Signed-off-by: Ulf Hansson <[email protected]>
[bwh: Backported to 3.16: drop change in omap_hsmmc_prepare_data()]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/mmc/host/omap_hsmmc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/mmc/host/omap_hsmmc.c
+++ b/drivers/mmc/host/omap_hsmmc.c
@@ -1393,10 +1393,11 @@ static int omap_hsmmc_setup_dma_transfer
}

static void set_data_timeout(struct omap_hsmmc_host *host,
- unsigned int timeout_ns,
+ unsigned long long timeout_ns,
unsigned int timeout_clks)
{
- unsigned int timeout, cycle_ns;
+ unsigned long long timeout = timeout_ns;
+ unsigned int cycle_ns;
uint32_t reg, clkd, dto = 0;

reg = OMAP_HSMMC_READ(host->base, SYSCTL);
@@ -1405,7 +1406,7 @@ static void set_data_timeout(struct omap
clkd = 1;

cycle_ns = 1000000000 / (host->clk_rate / clkd);
- timeout = timeout_ns / cycle_ns;
+ do_div(timeout, cycle_ns);
timeout += timeout_clks;
if (timeout) {
while ((timeout & 0x80000000) == 0) {

2017-06-01 15:56:56

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 155/212] mm: fix <linux/pagemap.h> stray kernel-doc notation

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <[email protected]>

commit 083fb8edda0487d192e8c117f625563b920cf7a4 upstream.

Delete stray (second) function description in find_lock_page()
kernel-doc notation.

Note: scripts/kernel-doc just ignores the second function description.

Fixes: 2457aec63745e ("mm: non-atomically mark page accessed during page cache allocation where possible")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Randy Dunlap <[email protected]>
Reported-by: Matthew Wilcox <[email protected]>
Cc: Mel Gorman <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
include/linux/pagemap.h | 1 -
1 file changed, 1 deletion(-)

--- a/include/linux/pagemap.h
+++ b/include/linux/pagemap.h
@@ -293,7 +293,6 @@ static inline struct page *find_get_page

/**
* find_lock_page - locate, pin and lock a pagecache page
- * pagecache_get_page - find and get a page reference
* @mapping: the address_space to search
* @offset: the page index
*

2017-06-01 15:45:17

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 152/212] tcp: account for ts offset only if tsecr not zero

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexey Kodanev <[email protected]>

commit eee2faabc63d863a129000b698a2bca54dff643d upstream.

We can get SYN with zero tsecr, don't apply offset in this case.

Fixes: ee684b6f2830 ("tcp: send packets with a socket timestamp")
Signed-off-by: Alexey Kodanev <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/tcp_minisocks.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -101,7 +101,8 @@ tcp_timewait_state_process(struct inet_t
tcp_parse_options(skb, &tmp_opt, 0, NULL);

if (tmp_opt.saw_tstamp) {
- tmp_opt.rcv_tsecr -= tcptw->tw_ts_offset;
+ if (tmp_opt.rcv_tsecr)
+ tmp_opt.rcv_tsecr -= tcptw->tw_ts_offset;
tmp_opt.ts_recent = tcptw->tw_ts_recent;
tmp_opt.ts_recent_stamp = tcptw->tw_ts_recent_stamp;
paws_reject = tcp_paws_reject(&tmp_opt, th->rst);

2017-06-01 15:58:21

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 208/212] ipv6: Prevent overrun when parsing v6 header options

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Craig Gallek <[email protected]>

commit 2423496af35d94a87156b063ea5cedffc10a70a1 upstream.

The KASAN warning repoted below was discovered with a syzkaller
program. The reproducer is basically:
int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
send(s, &one_byte_of_data, 1, MSG_MORE);
send(s, &more_than_mtu_bytes_data, 2000, 0);

The socket() call sets the nexthdr field of the v6 header to
NEXTHDR_HOP, the first send call primes the payload with a non zero
byte of data, and the second send call triggers the fragmentation path.

The fragmentation code tries to parse the header options in order
to figure out where to insert the fragment option. Since nexthdr points
to an invalid option, the calculation of the size of the network header
can made to be much larger than the linear section of the skb and data
is read outside of it.

This fix makes ip6_find_1stfrag return an error if it detects
running out-of-bounds.

[ 42.361487] ==================================================================
[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
[ 42.366469]
[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
[ 42.368824] Call Trace:
[ 42.369183] dump_stack+0xb3/0x10b
[ 42.369664] print_address_description+0x73/0x290
[ 42.370325] kasan_report+0x252/0x370
[ 42.370839] ? ip6_fragment+0x11c8/0x3730
[ 42.371396] check_memory_region+0x13c/0x1a0
[ 42.371978] memcpy+0x23/0x50
[ 42.372395] ip6_fragment+0x11c8/0x3730
[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110
[ 42.373681] ? ip6_copy_metadata+0x7f0/0x7f0
[ 42.374263] ? ip6_forward+0x2e30/0x2e30
[ 42.374803] ip6_finish_output+0x584/0x990
[ 42.375350] ip6_output+0x1b7/0x690
[ 42.375836] ? ip6_finish_output+0x990/0x990
[ 42.376411] ? ip6_fragment+0x3730/0x3730
[ 42.376968] ip6_local_out+0x95/0x160
[ 42.377471] ip6_send_skb+0xa1/0x330
[ 42.377969] ip6_push_pending_frames+0xb3/0xe0
[ 42.378589] rawv6_sendmsg+0x2051/0x2db0
[ 42.379129] ? rawv6_bind+0x8b0/0x8b0
[ 42.379633] ? _copy_from_user+0x84/0xe0
[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290
[ 42.380878] ? ___sys_sendmsg+0x162/0x930
[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120
[ 42.382074] ? sock_has_perm+0x1f6/0x290
[ 42.382614] ? ___sys_sendmsg+0x167/0x930
[ 42.383173] ? lock_downgrade+0x660/0x660
[ 42.383727] inet_sendmsg+0x123/0x500
[ 42.384226] ? inet_sendmsg+0x123/0x500
[ 42.384748] ? inet_recvmsg+0x540/0x540
[ 42.385263] sock_sendmsg+0xca/0x110
[ 42.385758] SYSC_sendto+0x217/0x380
[ 42.386249] ? SYSC_connect+0x310/0x310
[ 42.386783] ? __might_fault+0x110/0x1d0
[ 42.387324] ? lock_downgrade+0x660/0x660
[ 42.387880] ? __fget_light+0xa1/0x1f0
[ 42.388403] ? __fdget+0x18/0x20
[ 42.388851] ? sock_common_setsockopt+0x95/0xd0
[ 42.389472] ? SyS_setsockopt+0x17f/0x260
[ 42.390021] ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 42.390650] SyS_sendto+0x40/0x50
[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.391731] RIP: 0033:0x7fbbb711e383
[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
[ 42.397257]
[ 42.397411] Allocated by task 3789:
[ 42.397702] save_stack_trace+0x16/0x20
[ 42.398005] save_stack+0x46/0xd0
[ 42.398267] kasan_kmalloc+0xad/0xe0
[ 42.398548] kasan_slab_alloc+0x12/0x20
[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380
[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0
[ 42.399654] __alloc_skb+0xf8/0x580
[ 42.400003] sock_wmalloc+0xab/0xf0
[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0
[ 42.400813] ip6_append_data+0x1a8/0x2f0
[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0
[ 42.401505] inet_sendmsg+0x123/0x500
[ 42.401860] sock_sendmsg+0xca/0x110
[ 42.402209] ___sys_sendmsg+0x7cb/0x930
[ 42.402582] __sys_sendmsg+0xd9/0x190
[ 42.402941] SyS_sendmsg+0x2d/0x50
[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.403718]
[ 42.403871] Freed by task 1794:
[ 42.404146] save_stack_trace+0x16/0x20
[ 42.404515] save_stack+0x46/0xd0
[ 42.404827] kasan_slab_free+0x72/0xc0
[ 42.405167] kfree+0xe8/0x2b0
[ 42.405462] skb_free_head+0x74/0xb0
[ 42.405806] skb_release_data+0x30e/0x3a0
[ 42.406198] skb_release_all+0x4a/0x60
[ 42.406563] consume_skb+0x113/0x2e0
[ 42.406910] skb_free_datagram+0x1a/0xe0
[ 42.407288] netlink_recvmsg+0x60d/0xe40
[ 42.407667] sock_recvmsg+0xd7/0x110
[ 42.408022] ___sys_recvmsg+0x25c/0x580
[ 42.408395] __sys_recvmsg+0xd6/0x190
[ 42.408753] SyS_recvmsg+0x2d/0x50
[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.409513]
[ 42.409665] The buggy address belongs to the object at ffff88000969e780
[ 42.409665] which belongs to the cache kmalloc-512 of size 512
[ 42.410846] The buggy address is located 24 bytes inside of
[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980)
[ 42.411941] The buggy address belongs to the page:
[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 42.413298] flags: 0x100000000008100(slab|head)
[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
[ 42.415074] page dumped because: kasan: bad access detected
[ 42.415604]
[ 42.415757] Memory state around the buggy address:
[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.418273] ^
[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.419882] ==================================================================

Reported-by: Andrey Konovalov <[email protected]>
Signed-off-by: Craig Gallek <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/ip6_offload.c | 2 ++
net/ipv6/ip6_output.c | 4 ++++
net/ipv6/output_core.c | 14 ++++++++------
net/ipv6/udp_offload.c | 2 ++
4 files changed, 16 insertions(+), 6 deletions(-)

--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -145,6 +145,8 @@ static struct sk_buff *ipv6_gso_segment(

if (udpfrag) {
unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+ if (unfrag_ip6hlen < 0)
+ return ERR_PTR(unfrag_ip6hlen);
fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
fptr->frag_off = htons(offset);
if (skb->next != NULL)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -567,6 +567,10 @@ int ip6_fragment(struct sk_buff *skb, in
struct net *net = dev_net(skb_dst(skb)->dev);

hlen = ip6_find_1stfragopt(skb, &prevhdr);
+ if (hlen < 0) {
+ err = hlen;
+ goto fail;
+ }
nexthdr = *prevhdr;

mtu = ip6_skb_dst_mtu(skb);
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -45,14 +45,13 @@ EXPORT_SYMBOL_GPL(ipv6_proxy_select_iden
int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
{
u16 offset = sizeof(struct ipv6hdr);
- struct ipv6_opt_hdr *exthdr =
- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
unsigned int packet_len = skb_tail_pointer(skb) -
skb_network_header(skb);
int found_rhdr = 0;
*nexthdr = &ipv6_hdr(skb)->nexthdr;

- while (offset + 1 <= packet_len) {
+ while (offset <= packet_len) {
+ struct ipv6_opt_hdr *exthdr;

switch (**nexthdr) {

@@ -73,13 +72,16 @@ int ip6_find_1stfragopt(struct sk_buff *
return offset;
}

- offset += ipv6_optlen(exthdr);
- *nexthdr = &exthdr->nexthdr;
+ if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+ return -EINVAL;
+
exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
offset);
+ offset += ipv6_optlen(exthdr);
+ *nexthdr = &exthdr->nexthdr;
}

- return offset;
+ return -EINVAL;
}
EXPORT_SYMBOL(ip6_find_1stfragopt);

--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -102,6 +102,8 @@ static struct sk_buff *udp6_ufo_fragment
* bytes to insert fragment header.
*/
unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+ if (unfrag_ip6hlen < 0)
+ return ERR_PTR(unfrag_ip6hlen);
nexthdr = *prevhdr;
*prevhdr = NEXTHDR_FRAGMENT;
unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +

2017-06-01 15:58:43

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 166/212] mm: vmpressure: fix sending wrong events on underflow

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vinayak Menon <[email protected]>

commit e1587a4945408faa58d0485002c110eb2454740c upstream.

At the end of a window period, if the reclaimed pages is greater than
scanned, an unsigned underflow can result in a huge pressure value and
thus a critical event. Reclaimed pages is found to go higher than
scanned because of the addition of reclaimed slab pages to reclaimed in
shrink_node without a corresponding increment to scanned pages.

Minchan Kim mentioned that this can also happen in the case of a THP
page where the scanned is 1 and reclaimed could be 512.

Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Vinayak Menon <[email protected]>
Acked-by: Minchan Kim <[email protected]>
Acked-by: Michal Hocko <[email protected]>
Cc: Johannes Weiner <[email protected]>
Cc: Mel Gorman <[email protected]>
Cc: Vlastimil Babka <[email protected]>
Cc: Rik van Riel <[email protected]>
Cc: Vladimir Davydov <[email protected]>
Cc: Anton Vorontsov <[email protected]>
Cc: Shiraz Hashim <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
mm/vmpressure.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/mm/vmpressure.c
+++ b/mm/vmpressure.c
@@ -112,9 +112,16 @@ static enum vmpressure_levels vmpressure
unsigned long reclaimed)
{
unsigned long scale = scanned + reclaimed;
- unsigned long pressure;
+ unsigned long pressure = 0;

/*
+ * reclaimed can be greater than scanned in cases
+ * like THP, where the scanned is 1 and reclaimed
+ * could be 512
+ */
+ if (reclaimed >= scanned)
+ goto out;
+ /*
* We calculate the ratio (in percents) of how many pages were
* scanned vs. reclaimed in a given time frame (window). Note that
* time is in VM reclaimer's "ticks", i.e. number of pages
@@ -124,6 +131,7 @@ static enum vmpressure_levels vmpressure
pressure = scale - (reclaimed * scale / scanned);
pressure = pressure * 100 / scale;

+out:
pr_debug("%s: %3lu (s: %lu r: %lu)\n", __func__, pressure,
scanned, reclaimed);


2017-06-01 15:58:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 209/212] ipv6: Check ip6_find_1stfragopt() return value properly.

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "David S. Miller" <[email protected]>

commit 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 upstream.

Do not use unsigned variables to see if it returns a negative
error or not.

Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
Reported-by: Julia Lawall <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv6/ip6_offload.c | 9 ++++-----
net/ipv6/ip6_output.c | 7 +++----
net/ipv6/udp_offload.c | 8 +++++---
3 files changed, 12 insertions(+), 12 deletions(-)

--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -86,7 +86,6 @@ static struct sk_buff *ipv6_gso_segment(
const struct net_offload *ops;
int proto;
struct frag_hdr *fptr;
- unsigned int unfrag_ip6hlen;
u8 *prevhdr;
int offset = 0;
bool encap, udpfrag;
@@ -144,10 +143,10 @@ static struct sk_buff *ipv6_gso_segment(
skb->network_header = (u8 *)ipv6h - skb->head;

if (udpfrag) {
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
- if (unfrag_ip6hlen < 0)
- return ERR_PTR(unfrag_ip6hlen);
- fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
+ int err = ip6_find_1stfragopt(skb, &prevhdr);
+ if (err < 0)
+ return ERR_PTR(err);
+ fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
fptr->frag_off = htons(offset);
if (skb->next != NULL)
fptr->frag_off |= htons(IP6_MF);
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -566,11 +566,10 @@ int ip6_fragment(struct sk_buff *skb, in
u8 *prevhdr, nexthdr = 0;
struct net *net = dev_net(skb_dst(skb)->dev);

- hlen = ip6_find_1stfragopt(skb, &prevhdr);
- if (hlen < 0) {
- err = hlen;
+ err = ip6_find_1stfragopt(skb, &prevhdr);
+ if (err < 0)
goto fail;
- }
+ hlen = err;
nexthdr = *prevhdr;

mtu = ip6_skb_dst_mtu(skb);
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -51,6 +51,7 @@ static struct sk_buff *udp6_ufo_fragment
int offset;
__wsum csum;
int tnl_hlen;
+ int err;

mss = skb_shinfo(skb)->gso_size;
if (unlikely(skb->len <= mss))
@@ -101,9 +102,10 @@ static struct sk_buff *udp6_ufo_fragment
/* Find the unfragmentable header and shift it left by frag_hdr_sz
* bytes to insert fragment header.
*/
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
- if (unfrag_ip6hlen < 0)
- return ERR_PTR(unfrag_ip6hlen);
+ err = ip6_find_1stfragopt(skb, &prevhdr);
+ if (err < 0)
+ return ERR_PTR(err);
+ unfrag_ip6hlen = err;
nexthdr = *prevhdr;
*prevhdr = NEXTHDR_FRAGMENT;
unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +

2017-06-01 15:59:19

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 202/212] nfsd: check for oversized NFSv2/v3 arguments

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <[email protected]>

commit e6838a29ecb484c97e4efef9429643b9851fba6e upstream.

A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply. This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE). But a client that sends an incorrectly long reply
can violate those assumptions. This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended. That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <[email protected]>
Reported-by: Ari Kauppi <[email protected]>
Reviewed-by: NeilBrown <[email protected]>
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)

--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -642,6 +642,37 @@ static __be32 map_new_errors(u32 vers, _
return nfserr;
}

+/*
+ * A write procedure can have a large argument, and a read procedure can
+ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
+ * reply that can both be larger than a page. The xdr code has taken
+ * advantage of this assumption to be a sloppy about bounds checking in
+ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that
+ * problem, we enforce these assumptions here:
+ */
+static bool nfs_request_too_big(struct svc_rqst *rqstp,
+ struct svc_procedure *proc)
+{
+ /*
+ * The ACL code has more careful bounds-checking and is not
+ * susceptible to this problem:
+ */
+ if (rqstp->rq_prog != NFS_PROGRAM)
+ return false;
+ /*
+ * Ditto NFSv4 (which can in theory have argument and reply both
+ * more than a page):
+ */
+ if (rqstp->rq_vers >= 4)
+ return false;
+ /* The reply will be small, we're OK: */
+ if (proc->pc_xdrressize > 0 &&
+ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
+ return false;
+
+ return rqstp->rq_arg.len > PAGE_SIZE;
+}
+
int
nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
{
@@ -654,6 +685,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __
rqstp->rq_vers, rqstp->rq_proc);
proc = rqstp->rq_procinfo;

+ if (nfs_request_too_big(rqstp, proc)) {
+ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
+ *statp = rpc_garbage_args;
+ return 1;
+ }
/*
* Give the xdr decoder a chance to change this if it wants
* (necessary in the NFSv4.0 compound case)

2017-06-01 15:59:17

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 205/212] dccp/tcp: do not inherit mc_list from parent

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit 657831ffc38e30092a2d5f03d385d710eb88b09a upstream.

syzkaller found a way to trigger double frees from ip_mc_drop_socket()

It turns out that leave a copy of parent mc_list at accept() time,
which is very bad.

Very similar to commit 8b485ce69876 ("tcp: do not inherit
fastopen_req from parent")

Initial report from Pray3r, completed by Andrey one.
Thanks a lot to them !

Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: Pray3r <[email protected]>
Reported-by: Andrey Konovalov <[email protected]>
Tested-by: Andrey Konovalov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/inet_connection_sock.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -677,6 +677,8 @@ struct sock *inet_csk_clone_lock(const s
inet_sk(newsk)->inet_sport = htons(inet_rsk(req)->ir_num);
newsk->sk_write_space = sk_stream_write_space;

+ inet_sk(newsk)->mc_list = NULL;
+
newsk->sk_mark = inet_rsk(req)->ir_mark;

newicsk->icsk_retransmits = 0;

2017-06-01 15:59:16

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 206/212] USB: serial: io_ti: fix information leak in completion handler

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 654b404f2a222f918af9b0cd18ad469d0c941a8e upstream.

Add missing sanity check to the bulk-in completion handler to avoid an
integer underflow that can be triggered by a malicious device.

This avoids leaking 128 kB of memory content from after the URB transfer
buffer to user space.

Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/io_ti.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1630,7 +1630,7 @@ static void edge_bulk_in_callback(struct

port_number = edge_port->port->port_number;

- if (edge_port->lsr_event) {
+ if (urb->actual_length > 0 && edge_port->lsr_event) {
edge_port->lsr_event = 0;
dev_dbg(dev, "%s ===== Port %u LSR Status = %02x, Data = %02x ======\n",
__func__, port_number, edge_port->lsr_mask, *data);

2017-06-01 16:00:04

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 162/212] NFSv4: fix getacl head length estimation

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "J. Bruce Fields" <[email protected]>

commit 6682c14bbe505a8b912c57faf544f866777ee48d upstream.

Bitmap and attrlen follow immediately after the op reply header. This
was an oversight from commit bf118a342f.

Consequences of this are just minor efficiency (extra calls to
xdr_shrink_bufhead).

Fixes: bf118a342f10 "NFSv4: include bitmap in nfsv4 get acl data"
Reviewed-by: Kinglong Mee <[email protected]>
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Anna Schumaker <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfs/nfs4xdr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -2504,7 +2504,7 @@ static void nfs4_xdr_enc_getacl(struct r
encode_compound_hdr(xdr, req, &hdr);
encode_sequence(xdr, &args->seq_args, &hdr);
encode_putfh(xdr, args->fh, &hdr);
- replen = hdr.replen + op_decode_hdr_maxsz + 1;
+ replen = hdr.replen + op_decode_hdr_maxsz;
encode_getattr_two(xdr, FATTR4_WORD0_ACL, 0, &hdr);

xdr_inline_pages(&req->rq_rcv_buf, replen << 2,

2017-06-01 16:00:03

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 139/212] mlx4: reduce OOM risk on arches with large pages

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit 3608b13ccc51d06e499dfe12b27f134de1286e28 upstream.

Since mlx4 NIC are used on PowerPC with 64K pages, we need to adapt
MLX4_EN_ALLOC_PREFER_ORDER definition.

Otherwise, a fragment sitting in an out of order TCP queue can hold
0.5 Mbytes and it is a serious OOM risk.

Fixes: 51151a16a60f ("mlx4: allow order-0 memory allocations in RX path")
Signed-off-by: Eric Dumazet <[email protected]>
Reviewed-by: Tariq Toukan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
+++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h
@@ -98,7 +98,8 @@
/* Use the maximum between 16384 and a single page */
#define MLX4_EN_ALLOC_SIZE PAGE_ALIGN(16384)

-#define MLX4_EN_ALLOC_PREFER_ORDER PAGE_ALLOC_COSTLY_ORDER
+#define MLX4_EN_ALLOC_PREFER_ORDER min_t(int, get_order(32768), \
+ PAGE_ALLOC_COSTLY_ORDER)

/* Receive fragment sizes; we use at most 3 fragments (for 9600 byte MTU
* and 4K allocations) */

2017-06-01 16:00:01

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 167/212] mm: do not access page->mapping directly on page_endio

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Minchan Kim <[email protected]>

commit dd8416c47715cf324c9a16f13273f9fda87acfed upstream.

With rw_page, page_endio is used for completing IO on a page and it
propagates write error to the address space if the IO fails. The
problem is it accesses page->mapping directly which might be okay for
file-backed pages but it shouldn't for anonymous page. Otherwise, it
can corrupt one of field from anon_vma under us and system goes panic
randomly.

swap_writepage
bdev_writepage
ops->rw_page

I encountered the BUG during developing new zram feature and it was
really hard to figure it out because it made random crash, somtime
mmap_sem lockdep, sometime other places where places never related to
zram/zsmalloc, and not reproducible with some configuration.

When I consider how that bug is subtle and people do fast-swap test with
brd, it's worth to add stable mark, I think.

Fixes: dd6bd0d9c7db ("swap: use bdev_read_page() / bdev_write_page()")
Signed-off-by: Minchan Kim <[email protected]>
Acked-by: Michal Hocko <[email protected]>
Cc: Matthew Wilcox <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
mm/filemap.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -795,9 +795,12 @@ void page_endio(struct page *page, int r
unlock_page(page);
} else { /* rw == WRITE */
if (err) {
+ struct address_space *mapping;
+
SetPageError(page);
- if (page->mapping)
- mapping_set_error(page->mapping, err);
+ mapping = page_mapping(page);
+ if (mapping)
+ mapping_set_error(mapping, err);
}
end_page_writeback(page);
}

2017-06-01 15:59:59

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 201/212] ipx: call ipxitf_put() in ioctl error path

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit ee0d8d8482345ff97a75a7d747efc309f13b0d80 upstream.

We should call ipxitf_put() if the copy_to_user() fails.

Reported-by: 李强 <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipx/af_ipx.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd
sipx->sipx_network = ipxif->if_netnum;
memcpy(sipx->sipx_node, ipxif->if_node,
sizeof(sipx->sipx_node));
- rc = -EFAULT;
+ rc = 0;
if (copy_to_user(arg, &ifr, sizeof(ifr)))
- break;
+ rc = -EFAULT;
ipxitf_put(ipxif);
- rc = 0;
break;
}
case SIOCAIPXITFCRT:

2017-06-01 15:59:57

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 168/212] ipv4: mask tos for input route

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Julian Anastasov <[email protected]>

commit 6e28099d38c0e50d62c1afc054e37e573adf3d21 upstream.

Restore the lost masking of TOS in input route code to
allow ip rules to match it properly.

Problem [1] noticed by Shmulik Ladkani <[email protected]>

[1] http://marc.info/?t=137331755300040&r=1&w=2

Fixes: 89aef8921bfb ("ipv4: Delete routing cache.")
Signed-off-by: Julian Anastasov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/route.c | 1 +
1 file changed, 1 insertion(+)

--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1879,6 +1879,7 @@ int ip_route_input_noref(struct sk_buff
{
int res;

+ tos &= IPTOS_RT_MASK;
rcu_read_lock();

/* Multicast recognition logic is moved from route cache to here.

2017-06-01 16:01:33

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 193/212] KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Biggers <[email protected]>

commit c9f838d104fed6f2f61d68164712e3204bf5271b upstream.

This fixes CVE-2017-7472.

Running the following program as an unprivileged user exhausts kernel
memory by leaking thread keyrings:

#include <keyutils.h>

int main()
{
for (;;)
keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
}

Fix it by only creating a new thread keyring if there wasn't one before.
To make things more consistent, make install_thread_keyring_to_cred()
and install_process_keyring_to_cred() both return 0 if the corresponding
keyring is already present.

Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
Signed-off-by: Eric Biggers <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
security/keys/keyctl.c | 11 ++++-------
security/keys/process_keys.c | 44 +++++++++++++++++++++++++++-----------------
2 files changed, 31 insertions(+), 24 deletions(-)

--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1249,8 +1249,8 @@ error:
* Read or set the default keyring in which request_key() will cache keys and
* return the old setting.
*
- * If a process keyring is specified then this will be created if it doesn't
- * yet exist. The old setting will be returned if successful.
+ * If a thread or process keyring is specified then it will be created if it
+ * doesn't yet exist. The old setting will be returned if successful.
*/
long keyctl_set_reqkey_keyring(int reqkey_defl)
{
@@ -1275,11 +1275,8 @@ long keyctl_set_reqkey_keyring(int reqke

case KEY_REQKEY_DEFL_PROCESS_KEYRING:
ret = install_process_keyring_to_cred(new);
- if (ret < 0) {
- if (ret != -EEXIST)
- goto error;
- ret = 0;
- }
+ if (ret < 0)
+ goto error;
goto set;

case KEY_REQKEY_DEFL_DEFAULT:
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -125,13 +125,18 @@ error:
}

/*
- * Install a fresh thread keyring directly to new credentials. This keyring is
- * allowed to overrun the quota.
+ * Install a thread keyring to the given credentials struct if it didn't have
+ * one already. This is allowed to overrun the quota.
+ *
+ * Return: 0 if a thread keyring is now present; -errno on failure.
*/
int install_thread_keyring_to_cred(struct cred *new)
{
struct key *keyring;

+ if (new->thread_keyring)
+ return 0;
+
keyring = keyring_alloc("_tid", new->uid, new->gid, new,
KEY_POS_ALL | KEY_USR_VIEW,
KEY_ALLOC_QUOTA_OVERRUN, NULL);
@@ -143,7 +148,9 @@ int install_thread_keyring_to_cred(struc
}

/*
- * Install a fresh thread keyring, discarding the old one.
+ * Install a thread keyring to the current task if it didn't have one already.
+ *
+ * Return: 0 if a thread keyring is now present; -errno on failure.
*/
static int install_thread_keyring(void)
{
@@ -154,8 +161,6 @@ static int install_thread_keyring(void)
if (!new)
return -ENOMEM;

- BUG_ON(new->thread_keyring);
-
ret = install_thread_keyring_to_cred(new);
if (ret < 0) {
abort_creds(new);
@@ -166,17 +171,17 @@ static int install_thread_keyring(void)
}

/*
- * Install a process keyring directly to a credentials struct.
+ * Install a process keyring to the given credentials struct if it didn't have
+ * one already. This is allowed to overrun the quota.
*
- * Returns -EEXIST if there was already a process keyring, 0 if one installed,
- * and other value on any other error
+ * Return: 0 if a process keyring is now present; -errno on failure.
*/
int install_process_keyring_to_cred(struct cred *new)
{
struct key *keyring;

if (new->process_keyring)
- return -EEXIST;
+ return 0;

keyring = keyring_alloc("_pid", new->uid, new->gid, new,
KEY_POS_ALL | KEY_USR_VIEW,
@@ -189,11 +194,9 @@ int install_process_keyring_to_cred(stru
}

/*
- * Make sure a process keyring is installed for the current process. The
- * existing process keyring is not replaced.
+ * Install a process keyring to the current task if it didn't have one already.
*
- * Returns 0 if there is a process keyring by the end of this function, some
- * error otherwise.
+ * Return: 0 if a process keyring is now present; -errno on failure.
*/
static int install_process_keyring(void)
{
@@ -207,14 +210,18 @@ static int install_process_keyring(void)
ret = install_process_keyring_to_cred(new);
if (ret < 0) {
abort_creds(new);
- return ret != -EEXIST ? ret : 0;
+ return ret;
}

return commit_creds(new);
}

/*
- * Install a session keyring directly to a credentials struct.
+ * Install the given keyring as the session keyring of the given credentials
+ * struct, replacing the existing one if any. If the given keyring is NULL,
+ * then install a new anonymous session keyring.
+ *
+ * Return: 0 on success; -errno on failure.
*/
int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
{
@@ -249,8 +256,11 @@ int install_session_keyring_to_cred(stru
}

/*
- * Install a session keyring, discarding the old one. If a keyring is not
- * supplied, an empty one is invented.
+ * Install the given keyring as the session keyring of the current task,
+ * replacing the existing one if any. If the given keyring is NULL, then
+ * install a new anonymous session keyring.
+ *
+ * Return: 0 on success; -errno on failure.
*/
static int install_session_keyring(struct key *keyring)
{

2017-06-01 16:01:32

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 195/212] crypto: ahash - Fix EINPROGRESS notification callback

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <[email protected]>

commit ef0579b64e93188710d48667cb5e014926af9f1b upstream.

The ahash API modifies the request's callback function in order
to clean up after itself in some corner cases (unaligned final
and missing finup).

When the request is complete ahash will restore the original
callback and everything is fine. However, when the request gets
an EBUSY on a full queue, an EINPROGRESS callback is made while
the request is still ongoing.

In this case the ahash API will incorrectly call its own callback.

This patch fixes the problem by creating a temporary request
object on the stack which is used to relay EINPROGRESS back to
the original completion function.

This patch also adds code to preserve the original flags value.

Fixes: ab6bf4e5e5e4 ("crypto: hash - Fix the pointer voodoo in...")
Reported-by: Sabrina Dubroca <[email protected]>
Tested-by: Sabrina Dubroca <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
crypto/ahash.c | 79 ++++++++++++++++++++++++++----------------
include/crypto/internal/hash.h | 10 ++++++
2 files changed, 60 insertions(+), 29 deletions(-)

--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -31,6 +31,7 @@ struct ahash_request_priv {
crypto_completion_t complete;
void *data;
u8 *result;
+ u32 flags;
void *ubuf[] CRYPTO_MINALIGN_ATTR;
};

@@ -263,6 +264,8 @@ static int ahash_save_req(struct ahash_r
priv->result = req->result;
priv->complete = req->base.complete;
priv->data = req->base.data;
+ priv->flags = req->base.flags;
+
/*
* WARNING: We do not backup req->priv here! The req->priv
* is for internal use of the Crypto API and the
@@ -277,38 +280,44 @@ static int ahash_save_req(struct ahash_r
return 0;
}

-static void ahash_restore_req(struct ahash_request *req)
+static void ahash_restore_req(struct ahash_request *req, int err)
{
struct ahash_request_priv *priv = req->priv;

+ if (!err)
+ memcpy(priv->result, req->result,
+ crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
+
/* Restore the original crypto request. */
req->result = priv->result;
- req->base.complete = priv->complete;
- req->base.data = priv->data;
+
+ ahash_request_set_callback(req, priv->flags,
+ priv->complete, priv->data);
req->priv = NULL;

/* Free the req->priv.priv from the ADJUSTED request. */
kzfree(priv);
}

-static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
+static void ahash_notify_einprogress(struct ahash_request *req)
{
struct ahash_request_priv *priv = req->priv;
+ struct crypto_async_request oreq;

- if (err == -EINPROGRESS)
- return;
-
- if (!err)
- memcpy(priv->result, req->result,
- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
+ oreq.data = priv->data;

- ahash_restore_req(req);
+ priv->complete(&oreq, -EINPROGRESS);
}

static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
{
struct ahash_request *areq = req->data;

+ if (err == -EINPROGRESS) {
+ ahash_notify_einprogress(areq);
+ return;
+ }
+
/*
* Restore the original request, see ahash_op_unaligned() for what
* goes where.
@@ -319,7 +328,7 @@ static void ahash_op_unaligned_done(stru
*/

/* First copy req->result into req->priv.result */
- ahash_op_unaligned_finish(areq, err);
+ ahash_restore_req(areq, err);

/* Complete the ORIGINAL request. */
areq->base.complete(&areq->base, err);
@@ -335,7 +344,12 @@ static int ahash_op_unaligned(struct aha
return err;

err = op(req);
- ahash_op_unaligned_finish(req, err);
+ if (err == -EINPROGRESS ||
+ (err == -EBUSY && (ahash_request_flags(req) &
+ CRYPTO_TFM_REQ_MAY_BACKLOG)))
+ return err;
+
+ ahash_restore_req(req, err);

return err;
}
@@ -370,25 +384,14 @@ int crypto_ahash_digest(struct ahash_req
}
EXPORT_SYMBOL_GPL(crypto_ahash_digest);

-static void ahash_def_finup_finish2(struct ahash_request *req, int err)
+static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
{
- struct ahash_request_priv *priv = req->priv;
+ struct ahash_request *areq = req->data;

if (err == -EINPROGRESS)
return;

- if (!err)
- memcpy(priv->result, req->result,
- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-
- ahash_restore_req(req);
-}
-
-static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
-{
- struct ahash_request *areq = req->data;
-
- ahash_def_finup_finish2(areq, err);
+ ahash_restore_req(areq, err);

areq->base.complete(&areq->base, err);
}
@@ -399,11 +402,15 @@ static int ahash_def_finup_finish1(struc
goto out;

req->base.complete = ahash_def_finup_done2;
- req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
+
err = crypto_ahash_reqtfm(req)->final(req);
+ if (err == -EINPROGRESS ||
+ (err == -EBUSY && (ahash_request_flags(req) &
+ CRYPTO_TFM_REQ_MAY_BACKLOG)))
+ return err;

out:
- ahash_def_finup_finish2(req, err);
+ ahash_restore_req(req, err);
return err;
}

@@ -411,7 +418,16 @@ static void ahash_def_finup_done1(struct
{
struct ahash_request *areq = req->data;

+ if (err == -EINPROGRESS) {
+ ahash_notify_einprogress(areq);
+ return;
+ }
+
+ areq->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
+
err = ahash_def_finup_finish1(areq, err);
+ if (areq->priv)
+ return;

areq->base.complete(&areq->base, err);
}
@@ -426,6 +442,11 @@ static int ahash_def_finup(struct ahash_
return err;

err = tfm->update(req);
+ if (err == -EINPROGRESS ||
+ (err == -EBUSY && (ahash_request_flags(req) &
+ CRYPTO_TFM_REQ_MAY_BACKLOG)))
+ return err;
+
return ahash_def_finup_finish1(req, err);
}

--- a/include/crypto/internal/hash.h
+++ b/include/crypto/internal/hash.h
@@ -164,6 +164,16 @@ static inline struct ahash_instance *aha
return crypto_alloc_instance2(name, alg, ahash_instance_headroom());
}

+static inline void ahash_request_complete(struct ahash_request *req, int err)
+{
+ req->base.complete(&req->base, err);
+}
+
+static inline u32 ahash_request_flags(struct ahash_request *req)
+{
+ return req->base.flags;
+}
+
static inline struct crypto_ahash *crypto_spawn_ahash(
struct crypto_ahash_spawn *spawn)
{

2017-06-01 16:01:30

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 196/212] [media] dvb-usb-v2: avoid use-after-free

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

commit 005145378c9ad7575a01b6ce1ba118fb427f583a upstream.

I ran into a stack frame size warning because of the on-stack copy of
the USB device structure:

drivers/media/usb/dvb-usb-v2/dvb_usb_core.c: In function 'dvb_usbv2_disconnect':
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:1029:1: error: the frame size of 1104 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]

Copying a device structure like this is wrong for a number of other reasons
too aside from the possible stack overflow. One of them is that the
dev_info() call will print the name of the device later, but AFAICT
we have only copied a pointer to the name earlier and the actual name
has been freed by the time it gets printed.

This removes the on-stack copy of the device and instead copies the
device name using kstrdup(). I'm ignoring the possible failure here
as both printk() and kfree() are able to deal with NULL pointers.

Signed-off-by: Arnd Bergmann <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
@@ -942,8 +942,8 @@ EXPORT_SYMBOL(dvb_usbv2_probe);
void dvb_usbv2_disconnect(struct usb_interface *intf)
{
struct dvb_usb_device *d = usb_get_intfdata(intf);
- const char *name = d->name;
- struct device dev = d->udev->dev;
+ const char *devname = kstrdup(dev_name(&d->udev->dev), GFP_KERNEL);
+ const char *drvname = d->name;
dev_dbg(&d->udev->dev, "%s: bInterfaceNumber=%d\n", __func__,
intf->cur_altsetting->desc.bInterfaceNumber);

@@ -952,8 +952,9 @@ void dvb_usbv2_disconnect(struct usb_int

dvb_usbv2_exit(d);

- dev_info(&dev, "%s: '%s' successfully deinitialized and disconnected\n",
- KBUILD_MODNAME, name);
+ pr_info("%s: '%s:%s' successfully deinitialized and disconnected\n",
+ KBUILD_MODNAME, drvname, devname);
+ kfree(devname);
}
EXPORT_SYMBOL(dvb_usbv2_disconnect);


2017-06-01 16:02:58

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 194/212] mm/mempolicy.c: fix error handling in set_mempolicy and mbind.

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chris Salls <[email protected]>

commit cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 upstream.

In the case that compat_get_bitmap fails we do not want to copy the
bitmap to the user as it will contain uninitialized stack data and leak
sensitive data.

Signed-off-by: Chris Salls <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
mm/mempolicy.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)

--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1559,7 +1559,6 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, in
COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
compat_ulong_t, maxnode)
{
- long err = 0;
unsigned long __user *nm = NULL;
unsigned long nr_bits, alloc_size;
DECLARE_BITMAP(bm, MAX_NUMNODES);
@@ -1568,14 +1567,13 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, in
alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;

if (nmask) {
- err = compat_get_bitmap(bm, nmask, nr_bits);
+ if (compat_get_bitmap(bm, nmask, nr_bits))
+ return -EFAULT;
nm = compat_alloc_user_space(alloc_size);
- err |= copy_to_user(nm, bm, alloc_size);
+ if (copy_to_user(nm, bm, alloc_size))
+ return -EFAULT;
}

- if (err)
- return -EFAULT;
-
return sys_set_mempolicy(mode, nm, nr_bits+1);
}

@@ -1583,7 +1581,6 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulo
compat_ulong_t, mode, compat_ulong_t __user *, nmask,
compat_ulong_t, maxnode, compat_ulong_t, flags)
{
- long err = 0;
unsigned long __user *nm = NULL;
unsigned long nr_bits, alloc_size;
nodemask_t bm;
@@ -1592,14 +1589,13 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulo
alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;

if (nmask) {
- err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
+ if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
+ return -EFAULT;
nm = compat_alloc_user_space(alloc_size);
- err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
+ if (copy_to_user(nm, nodes_addr(bm), alloc_size))
+ return -EFAULT;
}

- if (err)
- return -EFAULT;
-
return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
}


2017-06-01 16:02:57

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 169/212] net sched actions: decrement module reference count after table flush.

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Roman Mashak <[email protected]>

commit edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2 upstream.

When tc actions are loaded as a module and no actions have been installed,
flushing them would result in actions removed from the memory, but modules
reference count not being decremented, so that the modules would not be
unloaded.

Following is example with GACT action:

% sudo modprobe act_gact
% lsmod
Module Size Used by
act_gact 16384 0
%
% sudo tc actions ls action gact
%
% sudo tc actions flush action gact
% lsmod
Module Size Used by
act_gact 16384 1
% sudo tc actions flush action gact
% lsmod
Module Size Used by
act_gact 16384 2
% sudo rmmod act_gact
rmmod: ERROR: Module act_gact is in use
....

After the fix:
% lsmod
Module Size Used by
act_gact 16384 0
%
% sudo tc actions add action pass index 1
% sudo tc actions add action pass index 2
% sudo tc actions add action pass index 3
% lsmod
Module Size Used by
act_gact 16384 3
%
% sudo tc actions flush action gact
% lsmod
Module Size Used by
act_gact 16384 0
%
% sudo tc actions flush action gact
% lsmod
Module Size Used by
act_gact 16384 0
% sudo rmmod act_gact
% lsmod
Module Size Used by
%

Fixes: f97017cdefef ("net-sched: Fix actions flushing")
Signed-off-by: Roman Mashak <[email protected]>
Signed-off-by: Jamal Hadi Salim <[email protected]>
Acked-by: Cong Wang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/sched/act_api.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -799,10 +799,8 @@ static int tca_action_flush(struct net *
goto out_module_put;

err = a.ops->walk(skb, &dcb, RTM_DELACTION, &a);
- if (err < 0)
+ if (err <= 0)
goto out_module_put;
- if (err == 0)
- goto noflush_out;

nla_nest_end(skb, nest);

@@ -819,7 +817,6 @@ static int tca_action_flush(struct net *
out_module_put:
module_put(a.ops->owner);
err_out:
-noflush_out:
kfree_skb(skb);
return err;
}

2017-06-01 16:03:40

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 129/212] goldfish: Sanitize the broken interrupt handler

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <[email protected]>

commit 6cf18e6927c0b224f972e3042fb85770d63cb9f8 upstream.

This interrupt handler is broken in several ways:

- It loops forever when the op code is not decodeable

- It never returns IRQ_HANDLED because the only way to exit the loop
returns IRQ_NONE unconditionally.

The whole concept of this is broken. Creating devices in an interrupt
handler is beyond any point of sanity.

Make it at least behave halfways sane so accidental users do not have to
deal with a hard to debug lockup.

Fixes: e809c22b8fb028 ("goldfish: add the goldfish virtual bus")
Reported-by: Gabriel C <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Acked-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/platform/goldfish/pdev_bus.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/platform/goldfish/pdev_bus.c
+++ b/drivers/platform/goldfish/pdev_bus.c
@@ -157,23 +157,26 @@ static int goldfish_new_pdev(void)
static irqreturn_t goldfish_pdev_bus_interrupt(int irq, void *dev_id)
{
irqreturn_t ret = IRQ_NONE;
+
while (1) {
u32 op = readl(pdev_bus_base + PDEV_BUS_OP);
- switch (op) {
- case PDEV_BUS_OP_DONE:
- return IRQ_NONE;

+ switch (op) {
case PDEV_BUS_OP_REMOVE_DEV:
goldfish_pdev_remove();
+ ret = IRQ_HANDLED;
break;

case PDEV_BUS_OP_ADD_DEV:
goldfish_new_pdev();
+ ret = IRQ_HANDLED;
break;
+
+ case PDEV_BUS_OP_DONE:
+ default:
+ return ret;
}
- ret = IRQ_HANDLED;
}
- return ret;
}

static int goldfish_pdev_bus_probe(struct platform_device *pdev)

2017-06-01 16:03:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 158/212] net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Majd Dibbiny <[email protected]>

commit 95f1ba9a24af9769f6e20dfe9a77c863f253f311 upstream.

In the VF driver, module parameter mlx4_log_num_mgm_entry_size was
mistakenly overwritten -- and in a manner which overrode the
device-managed flow steering option encoded in the parameter.

log_num_mgm_entry_size is a global module parameter which
affects all ConnectX-3 PFs installed on that host.
If a VF changes log_num_mgm_entry_size, this will affect all PFs
which are probed subsequent to the change (by disabling DMFS for
those PFs).

Fixes: 3c439b5586e9 ("mlx4_core: Allow choosing flow steering mode")
Signed-off-by: Majd Dibbiny <[email protected]>
Reviewed-by: Jack Morgenstein <[email protected]>
Signed-off-by: Tariq Toukan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/mellanox/mlx4/main.c | 2 --
1 file changed, 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/main.c
+++ b/drivers/net/ethernet/mellanox/mlx4/main.c
@@ -585,8 +585,6 @@ static int mlx4_slave_cap(struct mlx4_de
return -ENOSYS;
}

- mlx4_log_num_mgm_entry_size = hca_param.log_mc_entry_sz;
-
dev->caps.hca_core_clock = hca_param.hca_core_clock;

memset(&dev_cap, 0, sizeof(dev_cap));

2017-06-01 16:03:38

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 192/212] net/packet: fix overflow in check for tp_reserve

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Konovalov <[email protected]>

commit bcc5364bdcfe131e6379363f089e7b4108d35b70 upstream.

When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

Signed-off-by: Andrey Konovalov <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/packet/af_packet.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3349,6 +3349,8 @@ packet_setsockopt(struct socket *sock, i
return -EBUSY;
if (copy_from_user(&val, optval, sizeof(val)))
return -EFAULT;
+ if (val > INT_MAX)
+ return -EINVAL;
po->tp_reserve = val;
return 0;
}

2017-06-01 16:04:38

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 171/212] drm/ast: Fix AST2400 POST failure without BMC FW or VBIOS

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Y.C. Chen" <[email protected]>

commit 3856081eede297b617560b85e948cfb00bb395ec upstream.

The current POST code for the AST2300/2400 family doesn't work properly
if the chip hasn't been initialized previously by either the BMC own FW
or the VBIOS. This fixes it.

Signed-off-by: Y.C. Chen <[email protected]>
Signed-off-by: Benjamin Herrenschmidt <[email protected]>
Tested-by: Y.C. Chen <[email protected]>
Acked-by: Joel Stanley <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/ast/ast_post.c | 38 +++++++++++++++++++++++++++++++++++---
1 file changed, 35 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/ast/ast_post.c
+++ b/drivers/gpu/drm/ast/ast_post.c
@@ -1625,12 +1625,44 @@ static void ast_init_dram_2300(struct dr
temp |= 0x73;
ast_write32(ast, 0x12008, temp);

+ param.dram_freq = 396;
param.dram_type = AST_DDR3;
+ temp = ast_mindwm(ast, 0x1e6e2070);
if (temp & 0x01000000)
param.dram_type = AST_DDR2;
- param.dram_chipid = ast->dram_type;
- param.dram_freq = ast->mclk;
- param.vram_size = ast->vram_size;
+ switch (temp & 0x18000000) {
+ case 0:
+ param.dram_chipid = AST_DRAM_512Mx16;
+ break;
+ default:
+ case 0x08000000:
+ param.dram_chipid = AST_DRAM_1Gx16;
+ break;
+ case 0x10000000:
+ param.dram_chipid = AST_DRAM_2Gx16;
+ break;
+ case 0x18000000:
+ param.dram_chipid = AST_DRAM_4Gx16;
+ break;
+ }
+ switch (temp & 0x0c) {
+ default:
+ case 0x00:
+ param.vram_size = AST_VIDMEM_SIZE_8M;
+ break;
+
+ case 0x04:
+ param.vram_size = AST_VIDMEM_SIZE_16M;
+ break;
+
+ case 0x08:
+ param.vram_size = AST_VIDMEM_SIZE_32M;
+ break;
+
+ case 0x0c:
+ param.vram_size = AST_VIDMEM_SIZE_64M;
+ break;
+ }

if (param.dram_type == AST_DDR3) {
get_ddr3_info(ast, &param);

2017-06-01 16:04:43

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 183/212] KEYS: Reinstate EPERM for a key type name beginning with a '.'

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Howells <[email protected]>

commit 54e2c2c1a9d6cbb270b0999a38545fa9a69bee43 upstream.

Reinstate the generation of EPERM for a key type name beginning with a '.' in
a userspace call. Types whose name begins with a '.' are internal only.

The test was removed by:

commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
Author: Mimi Zohar <[email protected]>
Date: Thu May 22 14:02:23 2014 -0400
Subject: KEYS: special dot prefixed keyring name bug fix

I think we want to keep the restriction on type name so that userspace can't
add keys of a special internal type.

Note that removal of the test causes several of the tests in the keyutils
testsuite to fail.

Signed-off-by: David Howells <[email protected]>
Acked-by: Vivek Goyal <[email protected]>
cc: Mimi Zohar <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
security/keys/keyctl.c | 2 ++
1 file changed, 2 insertions(+)

--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -37,6 +37,8 @@ static int key_get_type_from_user(char *
return ret;
if (ret == 0 || ret >= len)
return -EINVAL;
+ if (type[0] == '.')
+ return -EPERM;
type[len - 1] = '\0';
return 0;
}

2017-06-01 16:04:44

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 150/212] l2tp: Avoid schedule while atomic in exit_net

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ridge Kennedy <[email protected]>

commit 12d656af4e3d2781b9b9f52538593e1717e7c979 upstream.

While destroying a network namespace that contains a L2TP tunnel a
"BUG: scheduling while atomic" can be observed.

Enabling lockdep shows that this is happening because l2tp_exit_net()
is calling l2tp_tunnel_closeall() (via l2tp_tunnel_delete()) from
within an RCU critical section.

l2tp_exit_net() takes rcu_read_lock_bh()
<< list_for_each_entry_rcu() >>
l2tp_tunnel_delete()
l2tp_tunnel_closeall()
__l2tp_session_unhash()
synchronize_rcu() << Illegal inside RCU critical section >>

BUG: sleeping function called from invalid context
in_atomic(): 1, irqs_disabled(): 0, pid: 86, name: kworker/u16:2
INFO: lockdep is turned off.
CPU: 2 PID: 86 Comm: kworker/u16:2 Tainted: G W O 4.4.6-at1 #2
Hardware name: Xen HVM domU, BIOS 4.6.1-xs125300 05/09/2016
Workqueue: netns cleanup_net
0000000000000000 ffff880202417b90 ffffffff812b0013 ffff880202410ac0
ffffffff81870de8 ffff880202417bb8 ffffffff8107aee8 ffffffff81870de8
0000000000000c51 0000000000000000 ffff880202417be0 ffffffff8107b024
Call Trace:
[<ffffffff812b0013>] dump_stack+0x85/0xc2
[<ffffffff8107aee8>] ___might_sleep+0x148/0x240
[<ffffffff8107b024>] __might_sleep+0x44/0x80
[<ffffffff810b21bd>] synchronize_sched+0x2d/0xe0
[<ffffffff8109be6d>] ? trace_hardirqs_on+0xd/0x10
[<ffffffff8105c7bb>] ? __local_bh_enable_ip+0x6b/0xc0
[<ffffffff816a1b00>] ? _raw_spin_unlock_bh+0x30/0x40
[<ffffffff81667482>] __l2tp_session_unhash+0x172/0x220
[<ffffffff81667397>] ? __l2tp_session_unhash+0x87/0x220
[<ffffffff8166888b>] l2tp_tunnel_closeall+0x9b/0x140
[<ffffffff81668c74>] l2tp_tunnel_delete+0x14/0x60
[<ffffffff81668dd0>] l2tp_exit_net+0x110/0x270
[<ffffffff81668d5c>] ? l2tp_exit_net+0x9c/0x270
[<ffffffff815001c3>] ops_exit_list.isra.6+0x33/0x60
[<ffffffff81501166>] cleanup_net+0x1b6/0x280
...

This bug can easily be reproduced with a few steps:

$ sudo unshare -n bash # Create a shell in a new namespace
# ip link set lo up
# ip addr add 127.0.0.1 dev lo
# ip l2tp add tunnel remote 127.0.0.1 local 127.0.0.1 tunnel_id 1 \
peer_tunnel_id 1 udp_sport 50000 udp_dport 50000
# ip l2tp add session name foo tunnel_id 1 session_id 1 \
peer_session_id 1
# ip link set foo up
# exit # Exit the shell, in turn exiting the namespace
$ dmesg
...
[942121.089216] BUG: scheduling while atomic: kworker/u16:3/13872/0x00000200
...

To fix this, move the call to l2tp_tunnel_closeall() out of the RCU
critical section, and instead call it from l2tp_tunnel_del_work(), which
is running from the l2tp_wq workqueue.

Fixes: 2b551c6e7d5b ("l2tp: close sessions before initiating tunnel delete")
Signed-off-by: Ridge Kennedy <[email protected]>
Acked-by: Guillaume Nault <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/l2tp/l2tp_core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1316,6 +1316,9 @@ static void l2tp_tunnel_del_work(struct
struct sock *sk = NULL;

tunnel = container_of(work, struct l2tp_tunnel, del_work);
+
+ l2tp_tunnel_closeall(tunnel);
+
sk = l2tp_tunnel_sock_lookup(tunnel);
if (!sk)
goto out;
@@ -1676,7 +1679,6 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_create);
int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel)
{
l2tp_tunnel_inc_refcount(tunnel);
- l2tp_tunnel_closeall(tunnel);
if (false == queue_work(l2tp_wq, &tunnel->del_work)) {
l2tp_tunnel_dec_refcount(tunnel);
return 1;

2017-06-01 16:04:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 160/212] f2fs: use for_each_set_bit to simplify the code

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chao Yu <[email protected]>

commit b65ee14818e67127aa242fe1dbd3711b9c095cc0 upstream.

This patch uses for_each_set_bit to simplify some codes in f2fs.

Signed-off-by: Chao Yu <[email protected]>
Signed-off-by: Jaegeuk Kim <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/f2fs/gc.c | 7 ++-----
fs/f2fs/segment.c | 13 ++++---------
2 files changed, 6 insertions(+), 14 deletions(-)

--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -186,7 +186,6 @@ static unsigned int get_max_cost(struct
static unsigned int check_bg_victims(struct f2fs_sb_info *sbi)
{
struct dirty_seglist_info *dirty_i = DIRTY_I(sbi);
- unsigned int hint = 0;
unsigned int secno;

/*
@@ -194,11 +193,9 @@ static unsigned int check_bg_victims(str
* selected by background GC before.
* Those segments guarantee they have small valid blocks.
*/
-next:
- secno = find_next_bit(dirty_i->victim_secmap, TOTAL_SECS(sbi), hint++);
- if (secno < TOTAL_SECS(sbi)) {
+ for_each_set_bit(secno, dirty_i->victim_secmap, TOTAL_SECS(sbi)) {
if (sec_usage_check(sbi, secno))
- goto next;
+ continue;
clear_bit(secno, dirty_i->victim_secmap);
return secno * sbi->segs_per_sec;
}
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -437,17 +437,12 @@ static void add_discard_addrs(struct f2f
static void set_prefree_as_free_segments(struct f2fs_sb_info *sbi)
{
struct dirty_seglist_info *dirty_i = DIRTY_I(sbi);
- unsigned int segno = -1;
+ unsigned int segno;
unsigned int total_segs = TOTAL_SEGS(sbi);

mutex_lock(&dirty_i->seglist_lock);
- while (1) {
- segno = find_next_bit(dirty_i->dirty_segmap[PRE], total_segs,
- segno + 1);
- if (segno >= total_segs)
- break;
+ for_each_set_bit(segno, dirty_i->dirty_segmap[PRE], total_segs)
__set_test_and_free(sbi, segno);
- }
mutex_unlock(&dirty_i->seglist_lock);
}

@@ -1532,7 +1527,7 @@ void flush_sit_entries(struct f2fs_sb_in
struct page *page = NULL;
struct f2fs_sit_block *raw_sit = NULL;
unsigned int start = 0, end = 0;
- unsigned int segno = -1;
+ unsigned int segno;
bool flushed;

mutex_lock(&curseg->curseg_mutex);
@@ -1544,7 +1539,7 @@ void flush_sit_entries(struct f2fs_sb_in
*/
flushed = flush_sits_in_journal(sbi);

- while ((segno = find_next_bit(bitmap, nsegs, segno + 1)) < nsegs) {
+ for_each_set_bit(segno, bitmap, nsegs) {
struct seg_entry *se = get_seg_entry(sbi, segno);
int sit_offset, offset;


2017-06-01 16:04:40

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 185/212] ping: implement proper locking

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit 43a6684519ab0a6c52024b5e25322476cabad893 upstream.

We got a report of yet another bug in ping

http://www.openwall.com/lists/oss-security/2017/03/24/6

->disconnect() is not called with socket lock held.

Fix this by acquiring ping rwlock earlier.

Thanks to Daniel, Alexander and Andrey for letting us know this problem.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Signed-off-by: Eric Dumazet <[email protected]>
Reported-by: Daniel Jiang <[email protected]>
Reported-by: Solar Designer <[email protected]>
Reported-by: Andrey Konovalov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
net/ipv4/ping.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -154,17 +154,18 @@ void ping_hash(struct sock *sk)
void ping_unhash(struct sock *sk)
{
struct inet_sock *isk = inet_sk(sk);
+
pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
+ write_lock_bh(&ping_table.lock);
if (sk_hashed(sk)) {
- write_lock_bh(&ping_table.lock);
hlist_nulls_del(&sk->sk_nulls_node);
sk_nulls_node_init(&sk->sk_nulls_node);
sock_put(sk);
isk->inet_num = 0;
isk->inet_sport = 0;
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
- write_unlock_bh(&ping_table.lock);
}
+ write_unlock_bh(&ping_table.lock);
}
EXPORT_SYMBOL_GPL(ping_unhash);


2017-06-01 16:04:36

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 188/212] drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Murray McAllister <[email protected]>

commit 36274ab8c596f1240c606bb514da329add2a1bcd upstream.

Before memory allocations vmw_surface_define_ioctl() checks the
upper-bounds of a user-supplied size, but does not check if the
supplied size is 0.

Add check to avoid NULL pointer dereferences.

Signed-off-by: Murray McAllister <[email protected]>
Reviewed-by: Sinclair Yeh <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -714,8 +714,8 @@ int vmw_surface_define_ioctl(struct drm_
for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
num_sizes += req->mip_levels[i];

- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
- DRM_VMW_MAX_MIP_LEVELS)
+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
+ num_sizes == 0)
return -EINVAL;

size = vmw_user_surface_size + 128 +

2017-06-01 16:06:16

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 135/212] MIPS: ip27: Disable qlge driver in defconfig

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

commit b617649468390713db1515ea79fc772d2eb897a8 upstream.

One of the last remaining failures in kernelci.org is for a gcc bug:

drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: error: insn does not satisfy its constraints:
drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: internal compiler error: in extract_constrain_insn, at recog.c:2190

This is apparently broken in gcc-6 but fixed in gcc-7, and I cannot
reproduce the problem here. However, it is clear that ip27_defconfig
does not actually need this driver as the platform has only PCI-X but
not PCIe, and the qlge adapter in turn is PCIe-only.

The driver was originally enabled in 2010 along with lots of other
drivers.

Fixes: 59d302b342e5 ("MIPS: IP27: Make defconfig useful again.")
Signed-off-by: Arnd Bergmann <[email protected]>
Cc: Ralf Baechle <[email protected]>
Cc: [email protected]
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/15197/
Signed-off-by: James Hogan <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/configs/ip27_defconfig | 1 -
1 file changed, 1 deletion(-)

--- a/arch/mips/configs/ip27_defconfig
+++ b/arch/mips/configs/ip27_defconfig
@@ -206,7 +206,6 @@ CONFIG_MLX4_EN=m
# CONFIG_MLX4_DEBUG is not set
CONFIG_TEHUTI=m
CONFIG_BNX2X=m
-CONFIG_QLGE=m
CONFIG_SFC=m
CONFIG_BE2NET=m
CONFIG_LIBERTAS_THINFIRM=m

2017-06-01 16:06:23

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 130/212] Bluetooth: Add another AR3012 04ca:3018 device

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <[email protected]>

commit 441ad62d6c3f131f1dbd7dcdd9cbe3f74dbd8501 upstream.

T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=04 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=04ca ProdID=3018 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: Dmitry Tunin <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -94,6 +94,7 @@ static const struct usb_device_id ath3k_
{ USB_DEVICE(0x04CA, 0x300f) },
{ USB_DEVICE(0x04CA, 0x3010) },
{ USB_DEVICE(0x04CA, 0x3014) },
+ { USB_DEVICE(0x04CA, 0x3018) },
{ USB_DEVICE(0x0930, 0x0219) },
{ USB_DEVICE(0x0930, 0x021c) },
{ USB_DEVICE(0x0930, 0x0220) },
@@ -162,6 +163,7 @@ static const struct usb_device_id ath3k_
{ USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3018), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -188,6 +188,7 @@ static const struct usb_device_id blackl
{ USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04ca, 0x3018), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },

2017-06-01 16:06:21

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 132/212] clk: renesas: mstp: ensure register writes complete

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chris Brandt <[email protected]>

commit f59de563358eb9351b7f8f0ba2d3be2ebb70b93d upstream.

When there is no status bit, it is possible for the clock enable/disable
operation to have not completed by the time the driver code resumes
execution. This is due to the fact that write operations are sometimes
queued and delayed internally. Doing a read ensures the write operations
has completed.

Fixes: b6face404f38 ("ARM: shmobile: r7s72100: add essential clock nodes to dtsi")
Signed-off-by: Chris Brandt <[email protected]>
Reviewed-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Stephen Boyd <[email protected]>
[bwh: Backported to 3.16:
- Use barrier() instead of barrier_data()
- Adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/clk/shmobile/clk-mstp.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/drivers/clk/shmobile/clk-mstp.c
+++ b/drivers/clk/shmobile/clk-mstp.c
@@ -85,6 +85,12 @@ static int cpg_mstp_clock_endisable(stru
value |= bitmask;
cpg_mstp_write(group, value, group->smstpcr);

+ if (!group->mstpsr) {
+ /* dummy read to ensure write has completed */
+ cpg_mstp_read(group, group->smstpcr);
+ barrier();
+ }
+
spin_unlock_irqrestore(&group->lock, flags);

if (!enable || !group->mstpsr)

2017-06-01 16:06:18

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 112/212] i2c: riic: correctly finish transfers

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chris Brandt <[email protected]>

commit 71ccea095ea1d4efd004dab971be6d599e06fc3f upstream.

This fixes the condition where the controller has not fully completed its
final transfer and leaves the bus and controller in a undesirable state.

At the end of the last transmitted byte, the existing driver would just
signal for a STOP condition to be transmitted then immediately signal
completion. However, the full STOP procedure might not have fully taken
place by the time the runtime PM shuts off the peripheral clock, leaving
the bus in a suspended state.

Alternatively, the STOP condition on the bus may have completed, but when
the next transaction is requested by the upper layer, not all the
necessary register cleanup was finished from the last transfer which made
the driver return BUS BUSY when it really wasn't.

This patch now makes all transmit and receive transactions wait for the
STOP condition to fully complete before signaling a completed transaction.
With this new method, runtime PM no longer seems to be an issue.

Fixes: 310c18a41450 ("i2c: riic: add driver")
Signed-off-by: Chris Brandt <[email protected]>
Reviewed-by: Wolfram Sang <[email protected]>
Signed-off-by: Wolfram Sang <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/i2c/busses/i2c-riic.c | 30 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 7 deletions(-)

--- a/drivers/i2c/busses/i2c-riic.c
+++ b/drivers/i2c/busses/i2c-riic.c
@@ -80,6 +80,7 @@
#define ICIER_TEIE 0x40
#define ICIER_RIE 0x20
#define ICIER_NAKIE 0x10
+#define ICIER_SPIE 0x08

#define ICSR2_NACKF 0x10

@@ -216,11 +217,10 @@ static irqreturn_t riic_tend_isr(int irq
return IRQ_NONE;
}

- if (riic->is_last || riic->err)
+ if (riic->is_last || riic->err) {
+ riic_clear_set_bit(riic, 0, ICIER_SPIE, RIIC_ICIER);
writeb(ICCR2_SP, riic->base + RIIC_ICCR2);
-
- writeb(0, riic->base + RIIC_ICIER);
- complete(&riic->msg_done);
+ }

return IRQ_HANDLED;
}
@@ -240,13 +240,13 @@ static irqreturn_t riic_rdrf_isr(int irq

if (riic->bytes_left == 1) {
/* STOP must come before we set ACKBT! */
- if (riic->is_last)
+ if (riic->is_last) {
+ riic_clear_set_bit(riic, 0, ICIER_SPIE, RIIC_ICIER);
writeb(ICCR2_SP, riic->base + RIIC_ICCR2);
+ }

riic_clear_set_bit(riic, 0, ICMR3_ACKBT, RIIC_ICMR3);

- writeb(0, riic->base + RIIC_ICIER);
- complete(&riic->msg_done);
} else {
riic_clear_set_bit(riic, ICMR3_ACKBT, 0, RIIC_ICMR3);
}
@@ -259,6 +259,21 @@ static irqreturn_t riic_rdrf_isr(int irq
return IRQ_HANDLED;
}

+static irqreturn_t riic_stop_isr(int irq, void *data)
+{
+ struct riic_dev *riic = data;
+
+ /* read back registers to confirm writes have fully propagated */
+ writeb(0, riic->base + RIIC_ICSR2);
+ readb(riic->base + RIIC_ICSR2);
+ writeb(0, riic->base + RIIC_ICIER);
+ readb(riic->base + RIIC_ICIER);
+
+ complete(&riic->msg_done);
+
+ return IRQ_HANDLED;
+}
+
static u32 riic_func(struct i2c_adapter *adap)
{
return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
@@ -326,6 +341,7 @@ static struct riic_irq_desc riic_irqs[]
{ .res_num = 0, .isr = riic_tend_isr, .name = "riic-tend" },
{ .res_num = 1, .isr = riic_rdrf_isr, .name = "riic-rdrf" },
{ .res_num = 2, .isr = riic_tdre_isr, .name = "riic-tdre" },
+ { .res_num = 3, .isr = riic_stop_isr, .name = "riic-stop" },
{ .res_num = 5, .isr = riic_tend_isr, .name = "riic-nack" },
};


2017-06-01 16:06:15

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 117/212] iio: pressure: mpl3115: do not rely on structure field ordering

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Rosin <[email protected]>

commit 9cf6cdba586ced75c69b8314b88b2d2f5ce9b3ed upstream.

Fixes a regression triggered by a change in the layout of
struct iio_chan_spec, but the real bug is in the driver which assumed
a specific structure layout in the first place. Hint: the two bits were
not OR:ed together as implied by the indentation prior to this patch,
there was a comma between them, which accidentally moved the ..._SCALE
bit to the next structure field. That field was .info_mask_shared_by_type
before the _available attributes was added by commit 51239600074b
("iio:core: add a callback to allow drivers to provide _available
attributes") and .info_mask_separate_available afterwards, and the
regression happened.

info_mask_shared_by_type is actually a better choice than the originally
intended info_mask_separate for the ..._SCALE bit since a constant is
returned from mpl3115_read_raw for the scale. Using
info_mask_shared_by_type also preserves the behavior from before the
regression and is therefore less likely to cause other interesting side
effects.

The above mentioned regression causes an unintended sysfs attibute to
show up that is not backed by code, in turn causing the following NULL
pointer defererence to happen on access.

Segmentation fault

Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = ecc3c000
[00000000] *pgd=87f91831
Internal error: Oops: 80000007 [#1] SMP ARM
Modules linked in:
CPU: 1 PID: 1051 Comm: cat Not tainted 4.10.0-rc5-00009-gffd8858-dirty #3
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
task: ed54ec00 task.stack: ee2bc000
PC is at 0x0
LR is at iio_read_channel_info_avail+0x40/0x280
pc : [<00000000>] lr : [<c06fbc1c>] psr: a0070013
sp : ee2bdda8 ip : 00000000 fp : ee2bddf4
r10: c0a53c74 r9 : ed79f000 r8 : ee8d1018
r7 : 00001000 r6 : 00000fff r5 : ee8b9a00 r4 : ed79f000
r3 : ee2bddc4 r2 : ee2bddbc r1 : c0a86dcc r0 : ee8d1000
Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 10c5387d Table: 3cc3c04a DAC: 00000051
Process cat (pid: 1051, stack limit = 0xee2bc210)
Stack: (0xee2bdda8 to 0xee2be000)
dda0: ee2bddc0 00000002 c016d720 c016d394 ed54ec00 00000000
ddc0: 60070013 ed413780 00000001 edffd480 ee8b9a00 00000fff 00001000 ee8d1018
dde0: ed79f000 c0a53c74 ee2bde0c ee2bddf8 c0513c58 c06fbbe8 edffd480 edffd540
de00: ee2bde3c ee2bde10 c0293474 c0513c40 c02933e4 ee2bde60 00000001 ed413780
de20: 00000001 ed413780 00000000 edffd480 ee2bde4c ee2bde40 c0291d00 c02933f0
de40: ee2bde9c ee2bde50 c024679c c0291ce0 edffd4b0 b6e37000 00020000 ee2bdf78
de60: 00000000 00000000 ed54ec00 ed013200 00000817 c0a111fc edffd540 ed413780
de80: b6e37000 00020000 00020000 ee2bdf78 ee2bded4 ee2bdea0 c0292890 c0246604
dea0: c0117940 c016ba50 00000025 c0a111fc b6e37000 ed413780 ee2bdf78 00020000
dec0: ee2bc000 b6e37000 ee2bdf44 ee2bded8 c021d158 c0292770 c0117764 b6e36004
dee0: c0f0d7c4 ee2bdfb0 b6f89228 00021008 ee2bdfac ee2bdf00 c0101374 c0117770
df00: 00000000 00000000 ee2bc000 00000000 ee2bdf34 ee2bdf20 c016ba04 c0171080
df20: 00000000 00020000 ed413780 b6e37000 00000000 ee2bdf78 ee2bdf74 ee2bdf48
df40: c021e7a0 c021d130 c023e300 c023e280 ee2bdf74 00000000 00000000 ed413780
df60: ed413780 00020000 ee2bdfa4 ee2bdf78 c021e870 c021e71c 00000000 00000000
df80: 00020000 00020000 b6e37000 00000003 c0108084 00000000 00000000 ee2bdfa8
dfa0: c0107ee0 c021e838 00020000 00020000 00000003 b6e37000 00020000 0001a2b4
dfc0: 00020000 00020000 b6e37000 00000003 7fffe000 00000000 00000000 00020000
dfe0: 00000000 be98eb4c 0000c740 b6f1985c 60070010 00000003 00000000 00000000
Backtrace:
[<c06fbbdc>] (iio_read_channel_info_avail) from [<c0513c58>] (dev_attr_show+0x24/0x50)
r10:c0a53c74 r9:ed79f000 r8:ee8d1018 r7:00001000 r6:00000fff r5:ee8b9a00
r4:edffd480
[<c0513c34>] (dev_attr_show) from [<c0293474>] (sysfs_kf_seq_show+0x90/0x110)
r5:edffd540 r4:edffd480
[<c02933e4>] (sysfs_kf_seq_show) from [<c0291d00>] (kernfs_seq_show+0x2c/0x30)
r10:edffd480 r9:00000000 r8:ed413780 r7:00000001 r6:ed413780 r5:00000001
r4:ee2bde60 r3:c02933e4
[<c0291cd4>] (kernfs_seq_show) from [<c024679c>] (seq_read+0x1a4/0x4e0)
[<c02465f8>] (seq_read) from [<c0292890>] (kernfs_fop_read+0x12c/0x1cc)
r10:ee2bdf78 r9:00020000 r8:00020000 r7:b6e37000 r6:ed413780 r5:edffd540
r4:c0a111fc
[<c0292764>] (kernfs_fop_read) from [<c021d158>] (__vfs_read+0x34/0x118)
r10:b6e37000 r9:ee2bc000 r8:00020000 r7:ee2bdf78 r6:ed413780 r5:b6e37000
r4:c0a111fc
[<c021d124>] (__vfs_read) from [<c021e7a0>] (vfs_read+0x90/0x11c)
r8:ee2bdf78 r7:00000000 r6:b6e37000 r5:ed413780 r4:00020000
[<c021e710>] (vfs_read) from [<c021e870>] (SyS_read+0x44/0x90)
r8:00020000 r7:ed413780 r6:ed413780 r5:00000000 r4:00000000
[<c021e82c>] (SyS_read) from [<c0107ee0>] (ret_fast_syscall+0x0/0x1c)
r10:00000000 r8:c0108084 r7:00000003 r6:b6e37000 r5:00020000 r4:00020000
Code: bad PC value
---[ end trace 9c4938ccd0389004 ]---

Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver")
Fixes: 51239600074b ("iio:core: add a callback to allow drivers to provide _available attributes")
Reported-by: Ken Lin <[email protected]>
Tested-by: Ken Lin <[email protected]>
Signed-off-by: Peter Rosin <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/iio/pressure/mpl3115.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/pressure/mpl3115.c
+++ b/drivers/iio/pressure/mpl3115.c
@@ -182,7 +182,7 @@ static const struct iio_chan_spec mpl311
{
.type = IIO_PRESSURE,
.info_mask_separate = BIT(IIO_CHAN_INFO_RAW),
- BIT(IIO_CHAN_INFO_SCALE),
+ .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE),
.scan_index = 0,
.scan_type = {
.sign = 'u',
@@ -195,7 +195,7 @@ static const struct iio_chan_spec mpl311
{
.type = IIO_TEMP,
.info_mask_separate = BIT(IIO_CHAN_INFO_RAW),
- BIT(IIO_CHAN_INFO_SCALE),
+ .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE),
.scan_index = 1,
.scan_type = {
.sign = 's',

2017-06-01 16:07:59

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 131/212] dm cache: fix corruption seen when using cache > 2TB

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Joe Thornber <[email protected]>

commit ca763d0a53b264a650342cee206512bc92ac7050 upstream.

A rounding bug due to compiler generated temporary being 32bit was found
in remap_to_cache(). A localized cast in remap_to_cache() fixes the
corruption but this preferred fix (changing from uint32_t to sector_t)
eliminates potential for future rounding errors elsewhere.

Signed-off-by: Joe Thornber <[email protected]>
Signed-off-by: Mike Snitzer <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/md/dm-cache-target.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -210,7 +210,7 @@ struct cache {
/*
* Fields for converting from sectors to blocks.
*/
- uint32_t sectors_per_block;
+ sector_t sectors_per_block;
int sectors_per_block_shift;

spinlock_t lock;
@@ -2823,11 +2823,11 @@ static void cache_status(struct dm_targe

residency = policy_residency(cache->policy);

- DMEMIT("%u %llu/%llu %u %llu/%llu %u %u %u %u %u %u %lu ",
+ DMEMIT("%u %llu/%llu %llu %llu/%llu %u %u %u %u %u %u %lu ",
(unsigned)(DM_CACHE_METADATA_BLOCK_SIZE >> SECTOR_SHIFT),
(unsigned long long)(nr_blocks_metadata - nr_free_blocks_metadata),
(unsigned long long)nr_blocks_metadata,
- cache->sectors_per_block,
+ (unsigned long long)cache->sectors_per_block,
(unsigned long long) from_cblock(residency),
(unsigned long long) from_cblock(cache->cache_size),
(unsigned) atomic_read(&cache->stats.read_hit),

2017-06-01 16:08:29

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 105/212] mwifiex: Avoid skipping WEP key deletion for AP

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ganapathi Bhat <[email protected]>

commit a5b60de6972decc6b50a39abb376077c3c3621c8 upstream.

This patch fixes the issue specific to AP. AP is started with WEP
security and external station is connected to it. Data path works
in this case. Now if AP is restarted with WPA/WPA2 security,
station is able to connect but ping fails.

Driver skips the deletion of WEP keys if interface type is AP.
Removing that redundant check resolves the issue.

Fixes: e57f1734d87a ("mwifiex: add key material v2 support")
Signed-off-by: Ganapathi Bhat <[email protected]>
Signed-off-by: Amitkumar Karwar <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/mwifiex/sta_ioctl.c | 2 --
1 file changed, 2 deletions(-)

--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -1082,8 +1082,6 @@ int mwifiex_set_encode(struct mwifiex_pr
encrypt_key.is_rx_seq_valid = true;
}
} else {
- if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_UAP)
- return 0;
encrypt_key.key_disable = true;
if (mac_addr)
memcpy(encrypt_key.mac_addr, mac_addr, ETH_ALEN);

2017-06-01 16:09:48

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 122/212] nlm: Ensure callback code also checks that the files match

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <[email protected]>

commit 251af29c320d86071664f02c76f0d063a19fefdf upstream.

It is not sufficient to just check that the lock pids match when
granting a callback, we also need to ensure that we're granting
the callback on the right file.

Reported-by: Pankaj Singh <[email protected]>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Trond Myklebust <[email protected]>
Signed-off-by: Anna Schumaker <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
include/linux/lockd/lockd.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/include/linux/lockd/lockd.h
+++ b/include/linux/lockd/lockd.h
@@ -355,7 +355,8 @@ static inline int nlm_privileged_request
static inline int nlm_compare_locks(const struct file_lock *fl1,
const struct file_lock *fl2)
{
- return fl1->fl_pid == fl2->fl_pid
+ return file_inode(fl1->fl_file) == file_inode(fl2->fl_file)
+ && fl1->fl_pid == fl2->fl_pid
&& fl1->fl_owner == fl2->fl_owner
&& fl1->fl_start == fl2->fl_start
&& fl1->fl_end == fl2->fl_end

2017-06-01 16:08:01

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 110/212] USB: serial: mos7840: fix another NULL-deref at open

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 5182c2cf2a9bfb7f066ef0bdd2bb6330b94dd74e upstream.

Fix another NULL-pointer dereference at open should a malicious device
lack an interrupt-in endpoint.

Note that the driver has a broken check for an interrupt-in endpoint
which means that an interrupt URB has never even been submitted.

Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/mos7840.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -1024,6 +1024,7 @@ static int mos7840_open(struct tty_struc
* (can't set it up in mos7840_startup as the structures *
* were not set up at that time.) */
if (port0->open_ports == 1) {
+ /* FIXME: Buffer never NULL, so URB is not submitted. */
if (serial->port[0]->interrupt_in_buffer == NULL) {
/* set up interrupt urb */
usb_fill_int_urb(serial->port[0]->interrupt_in_urb,
@@ -2180,7 +2181,8 @@ static int mos7840_calc_num_ports(struct
static int mos7840_attach(struct usb_serial *serial)
{
if (serial->num_bulk_in < serial->num_ports ||
- serial->num_bulk_out < serial->num_ports) {
+ serial->num_bulk_out < serial->num_ports ||
+ serial->num_interrupt_in < 1) {
dev_err(&serial->interface->dev, "missing endpoints\n");
return -ENODEV;
}

2017-06-01 16:08:27

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 128/212] x86/platform/goldfish: Prevent unconditional loading

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <[email protected]>

commit 47512cfd0d7a8bd6ab71d01cd89fca19eb2093eb upstream.

The goldfish platform code registers the platform device unconditionally
which causes havoc in several ways if the goldfish_pdev_bus driver is
enabled:

- Access to the hardcoded physical memory region, which is either not
available or contains stuff which is completely unrelated.

- Prevents that the interrupt of the serial port can be requested

- In case of a spurious interrupt it goes into a infinite loop in the
interrupt handler of the pdev_bus driver (which needs to be fixed
seperately).

Add a 'goldfish' command line option to make the registration opt-in when
the platform is compiled in.

I'm seriously grumpy about this engineering trainwreck, which has seven
SOBs from Intel developers for 50 lines of code. And none of them figured
out that this is broken. Impressive fail!

Fixes: ddd70cf93d78 ("goldfish: platform device for x86")
Reported-by: Gabriel C <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Acked-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
Documentation/kernel-parameters.txt | 4 ++++
arch/x86/platform/goldfish/goldfish.c | 14 +++++++++++++-
2 files changed, 17 insertions(+), 1 deletion(-)

--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1115,6 +1115,10 @@ bytes respectively. Such letter suffixes
When zero, profiling data is discarded and associated
debugfs files are removed at module unload time.

+ goldfish [X86] Enable the goldfish android emulator platform.
+ Don't use this when you are not running on the
+ android emulator
+
gpt [EFI] Forces disk with valid GPT signature but
invalid Protective MBR to be treated as GPT. If the
primary GPT is corrupted, it enables the backup/alternate
--- a/arch/x86/platform/goldfish/goldfish.c
+++ b/arch/x86/platform/goldfish/goldfish.c
@@ -42,10 +42,22 @@ static struct resource goldfish_pdev_bus
}
};

+static bool goldfish_enable __initdata;
+
+static int __init goldfish_setup(char *str)
+{
+ goldfish_enable = true;
+ return 0;
+}
+__setup("goldfish", goldfish_setup);
+
static int __init goldfish_init(void)
{
+ if (!goldfish_enable)
+ return -ENODEV;
+
platform_device_register_simple("goldfish_pdev_bus", -1,
- goldfish_pdev_bus_resources, 2);
+ goldfish_pdev_bus_resources, 2);
return 0;
}
device_initcall(goldfish_init);

2017-06-01 16:08:30

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 104/212] USB: serial: sierra: fix bogus alternate-setting assumption

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 16620b483eaf7750413bae472f4363b6b959fcaa upstream.

Interface numbers do not change when enabling alternate settings as
comment and code in this driver suggested.

Remove the confusing comment and redundant retrieval of the interface
number in probe, while simplifying and renaming the interface-number
helper.

Fixes: 4db2299da213 ("sierra: driver interface blacklisting")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/sierra.c | 28 +++++-----------------------
1 file changed, 5 insertions(+), 23 deletions(-)

--- a/drivers/usb/serial/sierra.c
+++ b/drivers/usb/serial/sierra.c
@@ -137,24 +137,9 @@ static int is_himemory(const u8 ifnum,
return 0;
}

-static int sierra_calc_interface(struct usb_serial *serial)
+static u8 sierra_interface_num(struct usb_serial *serial)
{
- int interface;
- struct usb_interface *p_interface;
- struct usb_host_interface *p_host_interface;
-
- /* Get the interface structure pointer from the serial struct */
- p_interface = serial->interface;
-
- /* Get a pointer to the host interface structure */
- p_host_interface = p_interface->cur_altsetting;
-
- /* read the interface descriptor for this active altsetting
- * to find out the interface number we are on
- */
- interface = p_host_interface->desc.bInterfaceNumber;
-
- return interface;
+ return serial->interface->cur_altsetting->desc.bInterfaceNumber;
}

static int sierra_probe(struct usb_serial *serial,
@@ -165,7 +150,7 @@ static int sierra_probe(struct usb_seria
u8 ifnum;

udev = serial->dev;
- ifnum = sierra_calc_interface(serial);
+ ifnum = sierra_interface_num(serial);

/*
* If this interface supports more than 1 alternate
@@ -178,9 +163,6 @@ static int sierra_probe(struct usb_seria
usb_set_interface(udev, ifnum, 1);
}

- /* ifnum could have changed - by calling usb_set_interface */
- ifnum = sierra_calc_interface(serial);
-
if (is_blacklisted(ifnum,
(struct sierra_iface_info *)id->driver_info)) {
dev_dbg(&serial->dev->dev,
@@ -342,7 +324,7 @@ static int sierra_send_setup(struct usb_

/* If composite device then properly report interface */
if (serial->num_ports == 1) {
- interface = sierra_calc_interface(serial);
+ interface = sierra_interface_num(serial);
/* Control message is sent only to interfaces with
* interrupt_in endpoints
*/
@@ -916,7 +898,7 @@ static int sierra_port_probe(struct usb_
/* Determine actual memory requirements */
if (serial->num_ports == 1) {
/* Get interface number for composite device */
- ifnum = sierra_calc_interface(serial);
+ ifnum = sierra_interface_num(serial);
himemoryp = &typeB_interface_list;
} else {
/* This is really the usb-serial port number of the interface

2017-06-01 16:09:17

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 125/212] ext4: fix fencepost in s_first_meta_bg validation

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <[email protected]>

commit 2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2 upstream.

It is OK for s_first_meta_bg to be equal to the number of block group
descriptor blocks. (It rarely happens, but it shouldn't cause any
problems.)

https://bugzilla.kernel.org/show_bug.cgi?id=194567

Fixes: 3a4b77cd47bb837b8557595ec7425f281f2ca1fe
Signed-off-by: Theodore Ts'o <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3916,7 +3916,7 @@ static int ext4_fill_super(struct super_
db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
EXT4_DESC_PER_BLOCK(sb);
if (EXT4_HAS_INCOMPAT_FEATURE(sb,EXT4_FEATURE_INCOMPAT_META_BG)) {
- if (le32_to_cpu(es->s_first_meta_bg) >= db_count) {
+ if (le32_to_cpu(es->s_first_meta_bg) > db_count) {
ext4_msg(sb, KERN_WARNING,
"first meta block group too large: %u "
"(group descriptor block count %u)",

2017-06-01 16:09:16

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 126/212] powerpc/xmon: Fix data-breakpoint

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ravi Bangoria <[email protected]>

commit c21a493a2b44650707d06741601894329486f2ad upstream.

Currently xmon data-breakpoint feature is broken.

Whenever there is a watchpoint match occurs, hw_breakpoint_handler will
be called by do_break via notifier chains mechanism. If watchpoint is
registered by xmon, hw_breakpoint_handler won't find any associated
perf_event and returns immediately with NOTIFY_STOP. Similarly, do_break
also returns without notifying to xmon.

Solve this by returning NOTIFY_DONE when hw_breakpoint_handler does not
find any perf_event associated with matched watchpoint, rather than
NOTIFY_STOP, which tells the core code to continue calling the other
breakpoint handlers including the xmon one.

Signed-off-by: Ravi Bangoria <[email protected]>
Signed-off-by: Michael Ellerman <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/powerpc/kernel/hw_breakpoint.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kernel/hw_breakpoint.c
+++ b/arch/powerpc/kernel/hw_breakpoint.c
@@ -227,8 +227,10 @@ int __kprobes hw_breakpoint_handler(stru
rcu_read_lock();

bp = __get_cpu_var(bp_per_reg);
- if (!bp)
+ if (!bp) {
+ rc = NOTIFY_DONE;
goto out;
+ }
info = counter_arch_bp(bp);

/*

2017-06-01 16:09:47

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 123/212] IB/mlx5: Fix out-of-bound access

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <[email protected]>

commit 0fd27a88c2e4f548937fd7d93fc6e65c4ad7c278 upstream.

When we initialize buffer to create SRQ in kernel,
the number of pages was less than actually used in
following mlx5_fill_page_array().

Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
Signed-off-by: Leon Romanovsky <[email protected]>
Reviewed-by: Eli Cohen <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/infiniband/hw/mlx5/srq.c
+++ b/drivers/infiniband/hw/mlx5/srq.c
@@ -156,8 +156,6 @@ static int create_srq_kernel(struct mlx5
int err;
int i;
struct mlx5_wqe_srq_next_seg *next;
- int page_shift;
- int npages;

err = mlx5_db_alloc(&dev->mdev, &srq->db);
if (err) {
@@ -172,7 +170,6 @@ static int create_srq_kernel(struct mlx5
err = -ENOMEM;
goto err_db;
}
- page_shift = srq->buf.page_shift;

srq->head = 0;
srq->tail = srq->msrq.max - 1;
@@ -184,10 +181,8 @@ static int create_srq_kernel(struct mlx5
cpu_to_be16((i + 1) & (srq->msrq.max - 1));
}

- npages = DIV_ROUND_UP(srq->buf.npages, 1 << (page_shift - PAGE_SHIFT));
- mlx5_ib_dbg(dev, "buf_size %d, page_shift %d, npages %d, calc npages %d\n",
- buf_size, page_shift, srq->buf.npages, npages);
- *inlen = sizeof(**in) + sizeof(*(*in)->pas) * npages;
+ mlx5_ib_dbg(dev, "srq->buf.page_shift = %d\n", srq->buf.page_shift);
+ *inlen = sizeof(**in) + sizeof(*(*in)->pas) * srq->buf.npages;
*in = mlx5_vzalloc(*inlen);
if (!*in) {
err = -ENOMEM;
@@ -204,7 +199,7 @@ static int create_srq_kernel(struct mlx5
}
srq->wq_sig = !!srq_signature;

- (*in)->ctx.log_pg_sz = page_shift - MLX5_ADAPTER_PAGE_SHIFT;
+ (*in)->ctx.log_pg_sz = srq->buf.page_shift - MLX5_ADAPTER_PAGE_SHIFT;

return 0;


2017-06-01 15:45:07

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 124/212] IB/mlx5: Return error for unsupported signature type

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Leon Romanovsky <[email protected]>

commit 12bbf1ea7e3b35892dbb8636b978160bc9576b61 upstream.

In case of unsupported singature, we returned positive
value, while the better approach is to return -EINVAL.

In addition, in this change, the error print is enriched
to provide an actual supplied signature type.

Fixes: e6631814fb3a ("IB/mlx5: Support IB_WR_REG_SIG_MR")
Cc: Sagi Grimberg <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/hw/mlx5/qp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -2336,8 +2336,9 @@ static int set_psv_wr(struct ib_sig_doma
break;

default:
- pr_err("Bad signature type given.\n");
- return 1;
+ pr_err("Bad signature type (%d) is given.\n",
+ domain->sig_type);
+ return -EINVAL;
}

return 0;

2017-06-01 16:11:18

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 043/212] USB: serial: ftdi_sio: fix modem-status error handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 427c3a95e3e29e65f59d99aaf320d7506f3eed57 upstream.

Make sure to detect short responses when fetching the modem status in
order to avoid parsing uninitialised buffer data and having bits of it
leak to user space.

Note that we still allow for short 1-byte responses.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ftdi_sio.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -2469,8 +2469,12 @@ static int ftdi_get_modem_status(struct
FTDI_SIO_GET_MODEM_STATUS_REQUEST_TYPE,
0, priv->interface,
buf, len, WDR_TIMEOUT);
- if (ret < 0) {
+
+ /* NOTE: We allow short responses and handle that below. */
+ if (ret < 1) {
dev_err(&port->dev, "failed to get modem status: %d\n", ret);
+ if (ret >= 0)
+ ret = -EIO;
ret = usb_translate_errors(ret);
goto out;
}

2017-06-01 16:11:16

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 097/212] jbd2: don't leak modified metadata buffers on an aborted journal

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <[email protected]>

commit e112666b4959b25a8552d63bc564e1059be703e8 upstream.

If the journal has been aborted, we shouldn't mark the underlying
buffer head as dirty, since that will cause the metadata block to get
modified. And if the journal has been aborted, we shouldn't allow
this since it will almost certainly lead to a corrupted file system.

Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/jbd2/transaction.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -1784,7 +1784,9 @@ static void __jbd2_journal_temp_unlink_b

__blist_del_buffer(list, jh);
jh->b_jlist = BJ_None;
- if (test_clear_buffer_jbddirty(bh))
+ if (transaction && is_journal_aborted(transaction->t_journal))
+ clear_buffer_jbddirty(bh);
+ else if (test_clear_buffer_jbddirty(bh))
mark_buffer_dirty(bh); /* Expose it to the VM */
}


2017-06-01 16:11:13

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 133/212] MIPS: Fix special case in 64 bit IP checksumming.

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ralf Baechle <[email protected]>

commit 66fd848cadaa6be974a8c780fbeb328f0af4d3bd upstream.

For certain arguments such as saddr = 0xc0a8fd60, daddr = 0xc0a8fda1,
len = 80, proto = 17, sum = 0x7eae049d there will be a carry when
folding the intermediate 64 bit checksum to 32 bit but the code doesn't
add the carry back to the one's complement sum, thus an incorrect result
will be generated.

Reported-by: Mark Zhang <[email protected]>
Signed-off-by: Ralf Baechle <[email protected]>
Reviewed-by: James Hogan <[email protected]>
Signed-off-by: James Hogan <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/include/asm/checksum.h | 2 ++
1 file changed, 2 insertions(+)

--- a/arch/mips/include/asm/checksum.h
+++ b/arch/mips/include/asm/checksum.h
@@ -185,7 +185,9 @@ static inline __wsum csum_tcpudp_nofold(
" daddu %0, %4 \n"
" dsll32 $1, %0, 0 \n"
" daddu %0, $1 \n"
+ " sltu $1, %0, $1 \n"
" dsra32 %0, %0, 0 \n"
+ " addu %0, $1 \n"
#endif
" .set pop"
: "=r" (sum)

2017-06-01 16:11:15

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 095/212] x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nikola Pajkovsky <[email protected]>

commit 68dee8e2f2cacc54d038394e70d22411dee89da2 upstream.

commit 8fd524b355da ("x86: Kill bad_dma_address variable") has killed
bad_dma_address variable and used instead of macro DMA_ERROR_CODE
which is always zero. Since dma_addr is unsigned, the statement

dma_addr >= DMA_ERROR_CODE

is always true, and not needed.

arch/x86/kernel/pci-calgary_64.c: In function ‘iommu_free’:
arch/x86/kernel/pci-calgary_64.c:299:2: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits]
if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) {

Fixes: 8fd524b355da ("x86: Kill bad_dma_address variable")
Signed-off-by: Nikola Pajkovsky <[email protected]>
Cc: [email protected]
Cc: Jon Mason <[email protected]>
Cc: Muli Ben-Yehuda <[email protected]>
Link: http://lkml.kernel.org/r/7612c0f9dd7c1290407dbf8e809def922006920b.1479161177.git.npajkovsky@suse.cz
Signed-off-by: Thomas Gleixner <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/kernel/pci-calgary_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kernel/pci-calgary_64.c
+++ b/arch/x86/kernel/pci-calgary_64.c
@@ -296,7 +296,7 @@ static void iommu_free(struct iommu_tabl

/* were we called with bad_dma_address? */
badend = DMA_ERROR_CODE + (EMERGENCY_PAGES * PAGE_SIZE);
- if (unlikely((dma_addr >= DMA_ERROR_CODE) && (dma_addr < badend))) {
+ if (unlikely(dma_addr < badend)) {
WARN(1, KERN_ERR "Calgary: driver tried unmapping bad DMA "
"address 0x%Lx\n", dma_addr);
return;

2017-06-01 16:11:12

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 098/212] ext4: preserve the needs_recovery flag when the journal is aborted

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <[email protected]>

commit 97abd7d4b5d9c48ec15c425485f054e1c15e591b upstream.

If the journal is aborted, the needs_recovery feature flag should not
be removed. Otherwise, it's the journal might not get replayed and
this could lead to more data getting lost.

Signed-off-by: Theodore Ts'o <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/super.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -783,6 +783,7 @@ static void ext4_put_super(struct super_
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct ext4_super_block *es = sbi->s_es;
+ int aborted = 0;
int i, err;

ext4_unregister_li_request(sb);
@@ -792,9 +793,10 @@ static void ext4_put_super(struct super_
destroy_workqueue(sbi->rsv_conversion_wq);

if (sbi->s_journal) {
+ aborted = is_journal_aborted(sbi->s_journal);
err = jbd2_journal_destroy(sbi->s_journal);
sbi->s_journal = NULL;
- if (err < 0)
+ if ((err < 0) && !aborted)
ext4_abort(sb, "Couldn't clean up the journal");
}

@@ -805,7 +807,7 @@ static void ext4_put_super(struct super_
ext4_ext_release(sb);
ext4_xattr_put_super(sb);

- if (!(sb->s_flags & MS_RDONLY)) {
+ if (!(sb->s_flags & MS_RDONLY) && !aborted) {
EXT4_CLEAR_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER);
es->s_state = cpu_to_le16(sbi->s_mount_state);
}

2017-06-01 16:11:10

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 121/212] md: ensure md devices are freed before module is unloaded.

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown <[email protected]>

commit 9356863c9409efc79029c01a85d015efae977e69 upstream.

Commit: cbd199837750 ("md: Fix unfortunate interaction with evms")
change mddev_put() so that it would not destroy an md device while
->ctime was non-zero.

Unfortunately, we didn't make sure to clear ->ctime when unloading
the module, so it is possible for an md device to remain after
module unload. An attempt to open such a device will trigger
an invalid memory reference in:
get_gendisk -> kobj_lookup -> exact_lock -> get_disk

when tring to access disk->fops, which was in the module that has
been removed.

So ensure we clear ->ctime in md_exit(), and explain how that is useful,
as it isn't immediately obvious when looking at the code.

Fixes: cbd199837750 ("md: Fix unfortunate interaction with evms")
Tested-by: Guoqing Jiang <[email protected]>
Signed-off-by: NeilBrown <[email protected]>
Signed-off-by: Shaohua Li <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/md/md.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -8714,7 +8714,14 @@ static __exit void md_exit(void)

for_each_mddev(mddev, tmp) {
export_array(mddev);
+ mddev->ctime = 0;
mddev->hold_active = 0;
+ /*
+ * for_each_mddev() will call mddev_put() at the end of each
+ * iteration. As the mddev is now fully clear, this will
+ * schedule the mddev for destruction by a workqueue, and the
+ * destroy_workqueue() below will wait for that to complete.
+ */
}
destroy_workqueue(md_misc_wq);
destroy_workqueue(md_wq);

2017-06-01 16:11:09

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 118/212] iio: pressure: mpl115: do not rely on structure field ordering

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Rosin <[email protected]>

commit 6a6e1d56a0769795a36c0461c64bf5e5b9bbb4c0 upstream.

Fixes a regression triggered by a change in the layout of
struct iio_chan_spec, but the real bug is in the driver which assumed
a specific structure layout in the first place. Hint: the three bits were
not OR:ed together as implied by the indentation prior to this patch,
there was a comma between the first two, which accidentally moved the
..._SCALE and ..._OFFSET bits to the next structure field. That field
was .info_mask_shared_by_type before the _available attributes was added
by commit 51239600074b ("iio:core: add a callback to allow drivers to
provide _available attributes") and .info_mask_separate_available
afterwards, and the regression happened.

info_mask_shared_by_type is actually a better choice than the originally
intended info_mask_separate for the ..._SCALE and ..._OFFSET bits since
a constant is returned from mpl115_read_raw for the scale/offset. Using
info_mask_shared_by_type also preserves the behavior from before the
regression and is therefore less likely to cause other interesting side
effects.

The above mentioned regression causes unintended sysfs attibutes to
show up that are not backed by code, in turn causing a NULL pointer
defererence to happen on access.

Fixes: 3017d90e8931 ("iio: Add Freescale MPL115A2 pressure / temperature sensor driver")
Fixes: 51239600074b ("iio:core: add a callback to allow drivers to provide _available attributes")
Signed-off-by: Peter Rosin <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/iio/pressure/mpl115.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/iio/pressure/mpl115.c
+++ b/drivers/iio/pressure/mpl115.c
@@ -136,6 +136,7 @@ static const struct iio_chan_spec mpl115
{
.type = IIO_TEMP,
.info_mask_separate = BIT(IIO_CHAN_INFO_RAW),
+ .info_mask_shared_by_type =
BIT(IIO_CHAN_INFO_OFFSET) | BIT(IIO_CHAN_INFO_SCALE),
},
};

2017-06-01 16:11:07

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 136/212] MIPS: BCM47XX: Fix button inversion for Asus WL-500W

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mirko Parthey <[email protected]>

commit bdfdaf1a016ef09cb941f2edad485a713510b8d5 upstream.

The Asus WL-500W buttons are active high, but the software treats them
as active low. Fix the inverted logic.

Fixes: 3be972556fa1 ("MIPS: BCM47XX: Import buttons database from OpenWrt")
Signed-off-by: Mirko Parthey <[email protected]>
Acked-by: Rafał Miłecki <[email protected]>
Cc: Hauke Mehrtens <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/15295/
Signed-off-by: James Hogan <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/bcm47xx/buttons.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

--- a/arch/mips/bcm47xx/buttons.c
+++ b/arch/mips/bcm47xx/buttons.c
@@ -17,6 +17,12 @@
.active_low = 1, \
}

+#define BCM47XX_GPIO_KEY_H(_gpio, _code) \
+ { \
+ .code = _code, \
+ .gpio = _gpio, \
+ }
+
/* Asus */

static const struct gpio_keys_button
@@ -74,8 +80,8 @@ bcm47xx_buttons_asus_wl500gpv2[] __initc

static const struct gpio_keys_button
bcm47xx_buttons_asus_wl500w[] __initconst = {
- BCM47XX_GPIO_KEY(6, KEY_RESTART),
- BCM47XX_GPIO_KEY(7, KEY_WPS_BUTTON),
+ BCM47XX_GPIO_KEY_H(6, KEY_RESTART),
+ BCM47XX_GPIO_KEY_H(7, KEY_WPS_BUTTON),
};

static const struct gpio_keys_button

2017-06-01 16:11:05

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 142/212] nfsd: minor nfsd_setattr cleanup

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <[email protected]>

commit 758e99fefe1d9230111296956335cd35995c0eaf upstream.

Simplify exit paths, size_change use.

Signed-off-by: Christoph Hellwig <[email protected]>
Signed-off-by: J. Bruce Fields <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfsd/vfs.c | 29 ++++++++++++-----------------
1 file changed, 12 insertions(+), 17 deletions(-)

--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -407,7 +407,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
__be32 err;
int host_err;
bool get_write_count;
- int size_change = 0;
+ bool size_change = (iap->ia_valid & ATTR_SIZE);

if (iap->ia_valid & (ATTR_ATIME | ATTR_MTIME | ATTR_SIZE))
accmode |= NFSD_MAY_WRITE|NFSD_MAY_OWNER_OVERRIDE;
@@ -420,11 +420,11 @@ nfsd_setattr(struct svc_rqst *rqstp, str
/* Get inode */
err = fh_verify(rqstp, fhp, ftype, accmode);
if (err)
- goto out;
+ return err;
if (get_write_count) {
host_err = fh_want_write(fhp);
if (host_err)
- return nfserrno(host_err);
+ goto out;
}

dentry = fhp->fh_dentry;
@@ -435,19 +435,21 @@ nfsd_setattr(struct svc_rqst *rqstp, str
iap->ia_valid &= ~ATTR_MODE;

if (!iap->ia_valid)
- goto out;
+ return 0;

nfsd_sanitize_attrs(dentry, iap);

+ if (check_guard && guardtime != inode->i_ctime.tv_sec)
+ return nfserr_notsync;
+
/*
* The size case is special, it changes the file in addition to the
* attributes.
*/
- if (iap->ia_valid & ATTR_SIZE) {
+ if (size_change) {
err = nfsd_get_write_access(rqstp, fhp, iap);
if (err)
- goto out;
- size_change = 1;
+ return err;

/*
* RFC5661, Section 18.30.4:
@@ -462,23 +464,16 @@ nfsd_setattr(struct svc_rqst *rqstp, str

iap->ia_valid |= ATTR_CTIME;

- if (check_guard && guardtime != inode->i_ctime.tv_sec) {
- err = nfserr_notsync;
- goto out_put_write_access;
- }
-
fh_lock(fhp);
host_err = notify_change(dentry, iap, NULL);
fh_unlock(fhp);
- err = nfserrno(host_err);

-out_put_write_access:
if (size_change)
put_write_access(inode);
- if (!err)
- commit_metadata(fhp);
out:
- return err;
+ if (!host_err)
+ commit_metadata(fhp);
+ return nfserrno(host_err);
}

#if defined(CONFIG_NFSD_V4)

2017-06-01 16:11:03

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 137/212] sfc: do not device_attach if a reset is pending

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Dunning <[email protected]>

commit 9c568fd8844ec3986eb19b0b5d97536243d10d46 upstream.

efx_start_all can return without initialising queues as a reset is pending.
This means that when netif_device_attach is called, the kernel can start
sending traffic without having an initialised TX queue to send to.
This patch avoids this by not calling netif_device_attach if there is a
pending reset.

Fixes: e283546c0465 ("sfc:On MCDI timeout, issue an FLR (and mark MCDI to fail-fast)")
Signed-off-by: Edward Cree <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16:
- Drop changes in ef10.c and ef10_sriov.c
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/net/ethernet/sfc/efx.c
+++ b/drivers/net/ethernet/sfc/efx.c
@@ -833,7 +833,7 @@ out:
efx_schedule_reset(efx, RESET_TYPE_DISABLE);
} else {
efx_start_all(efx);
- netif_device_attach(efx->net_dev);
+ efx_device_attach_if_not_resetting(efx);
}
return rc;

@@ -2036,6 +2036,8 @@ static int efx_net_open(struct net_devic
efx_link_status_changed(efx);

efx_start_all(efx);
+ if (efx->state == STATE_DISABLED || efx->reset_pending)
+ netif_device_detach(efx->net_dev);
efx_selftest_async_start(efx);
return 0;
}
@@ -2106,7 +2108,7 @@ static int efx_change_mtu(struct net_dev
mutex_unlock(&efx->mac_lock);

efx_start_all(efx);
- netif_device_attach(efx->net_dev);
+ efx_device_attach_if_not_resetting(efx);
return 0;
}

@@ -2455,7 +2457,7 @@ out:
efx->state = STATE_DISABLED;
} else {
netif_dbg(efx, drv, efx->net_dev, "reset complete\n");
- netif_device_attach(efx->net_dev);
+ efx_device_attach_if_not_resetting(efx);
}
return rc;
}
@@ -3035,7 +3037,7 @@ static int efx_pm_thaw(struct device *de

efx_start_all(efx);

- netif_device_attach(efx->net_dev);
+ efx_device_attach_if_not_resetting(efx);

efx->state = STATE_READY;

--- a/drivers/net/ethernet/sfc/efx.h
+++ b/drivers/net/ethernet/sfc/efx.h
@@ -247,4 +247,10 @@ static inline void efx_device_detach_syn
netif_tx_unlock_bh(dev);
}

+static inline void efx_device_attach_if_not_resetting(struct efx_nic *efx)
+{
+ if ((efx->state != STATE_DISABLED) && !efx->reset_pending)
+ netif_device_attach(efx->net_dev);
+}
+
#endif /* EFX_EFX_H */
--- a/drivers/net/ethernet/sfc/selftest.c
+++ b/drivers/net/ethernet/sfc/selftest.c
@@ -749,7 +749,7 @@ int efx_selftest(struct efx_nic *efx, st
__efx_reconfigure_port(efx);
mutex_unlock(&efx->mac_lock);

- netif_device_attach(efx->net_dev);
+ efx_device_attach_if_not_resetting(efx);

return rc_test;
}

2017-06-01 16:11:01

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 099/212] ext4: return EROFS if device is r/o and journal replay is needed

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <[email protected]>

commit 4753d8a24d4588657bc0a4cd66d4e282dff15c8c upstream.

If the file system requires journal recovery, and the device is
read-ony, return EROFS to the mount system call. This allows xfstests
generic/050 to pass.

Signed-off-by: Theodore Ts'o <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4038,7 +4038,8 @@ static int ext4_fill_super(struct super_
*/
if (!test_opt(sb, NOLOAD) &&
EXT4_HAS_COMPAT_FEATURE(sb, EXT4_FEATURE_COMPAT_HAS_JOURNAL)) {
- if (ext4_load_journal(sb, es, journal_devnum))
+ err = ext4_load_journal(sb, es, journal_devnum);
+ if (err)
goto failed_mount3;
} else if (test_opt(sb, NOLOAD) && !(sb->s_flags & MS_RDONLY) &&
EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER)) {

2017-06-01 16:11:00

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 140/212] KVM: VMX: use correct vmcs_read/write for guest segment selector/base

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chao Peng <[email protected]>

commit 96794e4ed4d758272c486e1529e431efb7045265 upstream.

Guest segment selector is 16 bit field and guest segment base is natural
width field. Fix two incorrect invocations accordingly.

Without this patch, build fails when aggressive inlining is used with ICC.

Signed-off-by: Chao Peng <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
[bwh: Backported to 3.16: drop change in kvm_flush_pml_buffers()]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -3231,7 +3231,7 @@ static void fix_rmode_seg(int seg, struc
}

vmcs_write16(sf->selector, var.selector);
- vmcs_write32(sf->base, var.base);
+ vmcs_writel(sf->base, var.base);
vmcs_write32(sf->limit, var.limit);
vmcs_write32(sf->ar_bytes, vmx_segment_access_rights(&var));
}

2017-06-01 16:10:58

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 044/212] USB: serial: ftdi_sio: fix latency-timer error handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit e3e574ad85a208cb179f33720bb5f12b453de33c upstream.

Make sure to detect short responses when reading the latency timer to
avoid using stale buffer data.

Note that no heap data would currently leak through sysfs as
ASYNC_LOW_LATENCY is set by default.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ftdi_sio.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1452,10 +1452,13 @@ static int read_latency_timer(struct usb
FTDI_SIO_GET_LATENCY_TIMER_REQUEST_TYPE,
0, priv->interface,
buf, 1, WDR_TIMEOUT);
- if (rv < 0)
+ if (rv < 1) {
dev_err(&port->dev, "Unable to read latency timer: %i\n", rv);
- else
+ if (rv >= 0)
+ rv = -EIO;
+ } else {
priv->latency = buf[0];
+ }

kfree(buf);


2017-06-01 16:10:57

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 145/212] batman-adv: Fix transmission of final, 16th fragment

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Linus Lüssing <[email protected]>

commit 51c6b429c0c95e67edd1cb0b548c5cf6a6604763 upstream.

Trying to split and transmit a unicast packet in 16 parts will fail for
the final fragment: After having sent the 15th one with a frag_packet.no
index of 14, we will increase the the index to 15 - and return with an
error code immediately, even though one more fragment is due for
transmission and allowed.

Fixing this issue by moving the check before incrementing the index.

While at it, adding an unlikely(), because the check is actually more of
an assertion.

Fixes: ee75ed88879a ("batman-adv: Fragment and send skbs larger than mtu")
Signed-off-by: Linus Lüssing <[email protected]>
Signed-off-by: Sven Eckelmann <[email protected]>
Signed-off-by: Simon Wunderlich <[email protected]>
[bwh: Backported to 3.16: don't return an error code]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/batman-adv/fragmentation.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -461,6 +461,10 @@ bool batadv_frag_send_packet(struct sk_b

/* Eat and send fragments from the tail of skb */
while (skb->len > max_fragment_size) {
+ /* The initial check in this function should cover this case */
+ if (unlikely(frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1))
+ goto out_err;
+
skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
if (!skb_fragment)
goto out_err;
@@ -471,10 +475,6 @@ bool batadv_frag_send_packet(struct sk_b
batadv_send_skb_packet(skb_fragment, neigh_node->if_incoming,
neigh_node->addr);
frag_header.no++;
-
- /* The initial check in this function should cover this case */
- if (frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1)
- goto out_err;
}

/* Make room for the fragment header. */

2017-06-01 16:10:55

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 114/212] KEYS: Fix an error code in request_master_key()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 57cb17e764ba0aaa169d07796acce54ccfbc6cae upstream.

This function has two callers and neither are able to handle a NULL
return. Really, -EINVAL is the correct thing return here anyway. This
fixes some static checker warnings like:

security/keys/encrypted-keys/encrypted.c:709 encrypted_key_decrypt()
error: uninitialized symbol 'master_key'.

Fixes: 7e70cb497850 ("keys: add new key-type encrypted")
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Mimi Zohar <[email protected]>
Signed-off-by: James Morris <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
security/keys/encrypted-keys/encrypted.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -428,7 +428,7 @@ static int init_blkcipher_desc(struct bl
static struct key *request_master_key(struct encrypted_key_payload *epayload,
u8 **master_key, size_t *master_keylen)
{
- struct key *mkey = NULL;
+ struct key *mkey = ERR_PTR(-EINVAL);

if (!strncmp(epayload->master_desc, KEY_TRUSTED_PREFIX,
KEY_TRUSTED_PREFIX_LEN)) {

2017-06-01 16:10:54

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 148/212] fuse: add missing FR_FORCE

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <[email protected]>

commit 2e38bea99a80eab408adee27f873a188d57b76cb upstream.

fuse_file_put() was missing the "force" flag for the RELEASE request when
sending synchronously (fuseblk).

If this flag is not set, then a sync request may be interrupted before it
is dequeued by the userspace filesystem. In this case the OPEN won't be
balanced with a RELEASE.

Signed-off-by: Miklos Szeredi <[email protected]>
Fixes: 5a18ec176c93 ("fuse: fix hang of single threaded fuseblk filesystem")
[bwh: Backported to 3.16:
- "force" flag is a bitfield
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/fuse/file.c | 1 +
1 file changed, 1 insertion(+)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -136,6 +136,7 @@ static void fuse_file_put(struct fuse_fi
path_put(&req->misc.release.path);
fuse_put_request(ff->fc, req);
} else if (sync) {
+ req->force = 1;
req->background = 0;
fuse_request_send(ff->fc, req);
path_put(&req->misc.release.path);

2017-06-01 16:10:52

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 147/212] NFSv4: Fix the underestimation of delegation XDR space reservation

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <[email protected]>

commit 5a1f6d9e9b803003271b40b67786ff46fa4eda01 upstream.

Account for the "space_limit" field in struct open_write_delegation4.

Fixes: 2cebf82883f4 ("NFSv4: Fix the underestimate of NFSv4 open request size")
Signed-off-by: Trond Myklebust <[email protected]>
Reviewed-by: Chuck Lever <[email protected]>
Signed-off-by: Anna Schumaker <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfs/nfs4xdr.c | 2 ++
1 file changed, 2 insertions(+)

--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -165,8 +165,10 @@ static int nfs4_stat_to_errno(int);
open_owner_id_maxsz + \
encode_opentype_maxsz + \
encode_claim_null_maxsz)
+#define decode_space_limit_maxsz (3)
#define decode_ace_maxsz (3 + nfs4_owner_maxsz)
#define decode_delegation_maxsz (1 + decode_stateid_maxsz + 1 + \
+ decode_space_limit_maxsz + \
decode_ace_maxsz)
#define decode_change_info_maxsz (5)
#define decode_open_maxsz (op_decode_hdr_maxsz + \

2017-06-01 16:10:50

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 144/212] batman-adv: Fix double free during fragment merge error

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <[email protected]>

commit 248e23b50e2da0753f3b5faa068939cbe9f8a75a upstream.

The function batadv_frag_skb_buffer was supposed not to consume the skbuff
on errors. This was followed in the helper function
batadv_frag_insert_packet when the skb would potentially be inserted in the
fragment queue. But it could happen that the next helper function
batadv_frag_merge_packets would try to merge the fragments and fail. This
results in a kfree_skb of all the enqueued fragments (including the just
inserted one). batadv_recv_frag_packet would detect the error in
batadv_frag_skb_buffer and try to free the skb again.

The behavior of batadv_frag_skb_buffer (and its helper
batadv_frag_insert_packet) must therefore be changed to always consume the
skbuff to have a common behavior and avoid the double kfree_skb.

Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Signed-off-by: Sven Eckelmann <[email protected]>
Signed-off-by: Simon Wunderlich <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
net/batman-adv/fragmentation.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -212,8 +212,10 @@ err_unlock:
spin_unlock_bh(&chain->lock);

err:
- if (!ret)
+ if (!ret) {
kfree(frag_entry_new);
+ kfree_skb(skb);
+ }

return ret;
}
@@ -288,7 +290,7 @@ free:
*
* There are three possible outcomes: 1) Packet is merged: Return true and
* set *skb to merged packet; 2) Packet is buffered: Return true and set *skb
- * to NULL; 3) Error: Return false and leave skb as is.
+ * to NULL; 3) Error: Return false and free skb.
*/
bool batadv_frag_skb_buffer(struct sk_buff **skb,
struct batadv_orig_node *orig_node_src)
@@ -310,9 +312,9 @@ bool batadv_frag_skb_buffer(struct sk_bu
goto out_err;

out:
- *skb = skb_out;
ret = true;
out_err:
+ *skb = skb_out;
return ret;
}


2017-06-01 16:10:47

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 127/212] ath9k: use correct OTP register offsets for the AR9340 and AR9550

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christian Lamparter <[email protected]>

commit c9f1e32600816d695f817477d56490bfc2ba43c6 upstream.

This patch fixes the OTP register definitions for the AR934x and AR9550
WMAC SoC.

Previously, the ath9k driver was unable to initialize the integrated
WMAC on an Aerohive AP121:

| ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
| ath: phy0: timeout (1000 us) on reg 0x30018: 0xbadc0ffe & 0x00000007 != 0x00000004
| ath: phy0: Unable to initialize hardware; initialization status: -5
| ath9k ar934x_wmac: failed to initialize device
| ath9k: probe of ar934x_wmac failed with error -5

It turns out that the AR9300_OTP_STATUS and AR9300_OTP_DATA
definitions contain a typo.

Cc: Gabor Juhos <[email protected]>
Fixes: add295a4afbdf5852d0 "ath9k: use correct OTP register offsets for AR9550"
Signed-off-by: Christian Lamparter <[email protected]>
Signed-off-by: Chris Blake <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/ath/ath9k/ar9003_eeprom.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.h
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.h
@@ -73,13 +73,13 @@
#define AR9300_OTP_BASE \
((AR_SREV_9340(ah) || AR_SREV_9550(ah)) ? 0x30000 : 0x14000)
#define AR9300_OTP_STATUS \
- ((AR_SREV_9340(ah) || AR_SREV_9550(ah)) ? 0x30018 : 0x15f18)
+ ((AR_SREV_9340(ah) || AR_SREV_9550(ah)) ? 0x31018 : 0x15f18)
#define AR9300_OTP_STATUS_TYPE 0x7
#define AR9300_OTP_STATUS_VALID 0x4
#define AR9300_OTP_STATUS_ACCESS_BUSY 0x2
#define AR9300_OTP_STATUS_SM_BUSY 0x1
#define AR9300_OTP_READ_DATA \
- ((AR_SREV_9340(ah) || AR_SREV_9550(ah)) ? 0x3001c : 0x15f1c)
+ ((AR_SREV_9340(ah) || AR_SREV_9550(ah)) ? 0x3101c : 0x15f1c)

enum targetPowerHTRates {
HT_TARGET_RATE_0_8_16,

2017-06-01 16:10:45

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 146/212] drm/ttm: fix use-after-free races in vm fault handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicolai Hähnle <[email protected]>

commit 3089c1df10e2931b1d72d2ffa7d86431084c86b3 upstream.

The vm fault handler relies on the fact that the VMA owns a reference
to the BO. However, once mmap_sem is released, other tasks are free to
destroy the VMA, which can lead to the BO being freed. Fix two code
paths where that can happen, both related to vm fault retries.

Found via a lock debugging warning which flagged &bo->wu_mutex as
locked while being destroyed.

Fixes: cbe12e74ee4e ("drm/ttm: Allow vm fault retries")
Signed-off-by: Nicolai Hähnle <[email protected]>
Reviewed-by: Christian König <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/ttm/ttm_bo_vm.c | 12 ++++++++++++
1 file changed, 12 insertions(+)

--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
@@ -68,8 +68,11 @@ static int ttm_bo_vm_fault_idle(struct t
if (vmf->flags & FAULT_FLAG_RETRY_NOWAIT)
goto out_unlock;

+ ttm_bo_reference(bo);
up_read(&vma->vm_mm->mmap_sem);
(void) ttm_bo_wait(bo, false, true, false);
+ ttm_bo_unreserve(bo);
+ ttm_bo_unref(&bo);
goto out_unlock;
}

@@ -117,8 +120,10 @@ static int ttm_bo_vm_fault(struct vm_are

if (vmf->flags & FAULT_FLAG_ALLOW_RETRY) {
if (!(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
+ ttm_bo_reference(bo);
up_read(&vma->vm_mm->mmap_sem);
(void) ttm_bo_wait_unreserved(bo);
+ ttm_bo_unref(&bo);
}

return VM_FAULT_RETRY;
@@ -163,6 +168,13 @@ static int ttm_bo_vm_fault(struct vm_are
ret = ttm_bo_vm_fault_idle(bo, vma, vmf);
if (unlikely(ret != 0)) {
retval = ret;
+
+ if (retval == VM_FAULT_RETRY &&
+ !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
+ /* The BO has already been unreserved. */
+ return retval;
+ }
+
goto out_unlock;
}


2017-06-01 16:10:42

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 159/212] net/mlx4_en: Use __skb_fill_page_desc()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit 7f0137e2ef9f32143df623001a96f7aab61a9595 upstream.

Or we might miss the fact that a page was allocated from memory reserves.

Fixes: dceeab0e5258 ("mlx4: support __GFP_MEMALLOC for rx")
Signed-off-by: Eric Dumazet <[email protected]>
Signed-off-by: Tariq Toukan <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/ethernet/mellanox/mlx4/en_rx.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
@@ -565,10 +565,10 @@ static int mlx4_en_complete_rx_desc(stru
dma_sync_single_for_cpu(priv->ddev, dma, frag_info->frag_size,
DMA_FROM_DEVICE);

- /* Save page reference in skb */
- __skb_frag_set_page(&skb_frags_rx[nr], frags[nr].page);
- skb_frag_size_set(&skb_frags_rx[nr], frag_info->frag_size);
- skb_frags_rx[nr].page_offset = frags[nr].page_offset;
+ __skb_fill_page_desc(skb, nr, frags[nr].page,
+ frags[nr].page_offset,
+ frag_info->frag_size);
+
skb->truesize += frag_info->frag_stride;
frags[nr].page = NULL;
}

2017-06-01 16:10:43

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 143/212] nfsd: special case truncates some more

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Christoph Hellwig <[email protected]>

commit 783112f7401ff449d979530209b3f6c2594fdb4e upstream.

Both the NFS protocols and the Linux VFS use a setattr operation with a
bitmap of attributes to set to set various file attributes including the
file size and the uid/gid.

The Linux syscalls never mix size updates with unrelated updates like
the uid/gid, and some file systems like XFS and GFS2 rely on the fact
that truncates don't update random other attributes, and many other file
systems handle the case but do not update the other attributes in the
same transaction. NFSD on the other hand passes the attributes it gets
on the wire more or less directly through to the VFS, leading to updates
the file systems don't expect. XFS at least has an assert on the
allowed attributes, which caught an unusual NFS client setting the size
and group at the same time.

To handle this issue properly this splits the notify_change call in
nfsd_setattr into two separate ones.

Signed-off-by: Christoph Hellwig <[email protected]>
Tested-by: Chuck Lever <[email protected]>
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/nfsd/vfs.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)

--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -444,13 +444,19 @@ nfsd_setattr(struct svc_rqst *rqstp, str

/*
* The size case is special, it changes the file in addition to the
- * attributes.
+ * attributes, and file systems don't expect it to be mixed with
+ * "random" attribute changes. We thus split out the size change
+ * into a separate call to ->setattr, and do the rest as a separate
+ * setattr call.
*/
if (size_change) {
err = nfsd_get_write_access(rqstp, fhp, iap);
if (err)
return err;
+ }

+ fh_lock(fhp);
+ if (size_change) {
/*
* RFC5661, Section 18.30.4:
* Changing the size of a file with SETATTR indirectly
@@ -458,16 +464,30 @@ nfsd_setattr(struct svc_rqst *rqstp, str
*
* (and similar for the older RFCs)
*/
- if (iap->ia_size != i_size_read(inode))
- iap->ia_valid |= ATTR_MTIME;
+ struct iattr size_attr = {
+ .ia_valid = ATTR_SIZE | ATTR_CTIME | ATTR_MTIME,
+ .ia_size = iap->ia_size,
+ };
+
+ host_err = notify_change(dentry, &size_attr, NULL);
+ if (host_err)
+ goto out_unlock;
+ iap->ia_valid &= ~ATTR_SIZE;
+
+ /*
+ * Avoid the additional setattr call below if the only other
+ * attribute that the client sends is the mtime, as we update
+ * it as part of the size change above.
+ */
+ if ((iap->ia_valid & ~ATTR_MTIME) == 0)
+ goto out_unlock;
}

iap->ia_valid |= ATTR_CTIME;
-
- fh_lock(fhp);
host_err = notify_change(dentry, iap, NULL);
- fh_unlock(fhp);

+out_unlock:
+ fh_unlock(fhp);
if (size_change)
put_write_access(inode);
out:

2017-06-01 16:10:39

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 151/212] net/dccp: fix use after free in tw_timer_handler()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Ryabinin <[email protected]>

commit ec7cb62d18d854ea09df8b7194e7e710985f8b9a upstream.

DCCP doesn't purge timewait sockets on network namespace shutdown.
So, after net namespace destroyed we could still have an active timer
which will trigger use after free in tw_timer_handler():

BUG: KASAN: use-after-free in tw_timer_handler+0x4a/0xa0 at addr ffff88010e0d1e10
Read of size 8 by task swapper/1/0
Call Trace:
__asan_load8+0x54/0x90
tw_timer_handler+0x4a/0xa0
call_timer_fn+0x127/0x480
expire_timers+0x1db/0x2e0
run_timer_softirq+0x12f/0x2a0
__do_softirq+0x105/0x5b4
irq_exit+0xdd/0xf0
smp_apic_timer_interrupt+0x57/0x70
apic_timer_interrupt+0x90/0xa0

Object at ffff88010e0d1bc0, in cache net_namespace size: 6848
Allocated:
save_stack_trace+0x1b/0x20
kasan_kmalloc+0xee/0x180
kasan_slab_alloc+0x12/0x20
kmem_cache_alloc+0x134/0x310
copy_net_ns+0x8d/0x280
create_new_namespaces+0x23f/0x340
unshare_nsproxy_namespaces+0x75/0xf0
SyS_unshare+0x299/0x4f0
entry_SYSCALL_64_fastpath+0x18/0xad
Freed:
save_stack_trace+0x1b/0x20
kasan_slab_free+0xae/0x180
kmem_cache_free+0xb4/0x350
net_drop_ns+0x3f/0x50
cleanup_net+0x3df/0x450
process_one_work+0x419/0xbb0
worker_thread+0x92/0x850
kthread+0x192/0x1e0
ret_from_fork+0x2e/0x40

Add .exit_batch hook to dccp_v4_ops()/dccp_v6_ops() which will purge
timewait sockets on net namespace destruction and prevent above issue.

Fixes: f2bf415cfed7 ("mib: add net to NET_ADD_STATS_BH")
Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Andrey Ryabinin <[email protected]>
Acked-by: Arnaldo Carvalho de Melo <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[bwh: Backported to 3.16: pass twdr parameter to inet_twsk_purge()
Signed-off-by: Ben Hutchings <[email protected]>
---
net/dccp/ipv4.c | 6 ++++++
net/dccp/ipv6.c | 6 ++++++
2 files changed, 12 insertions(+)

--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -1045,9 +1045,15 @@ static void __net_exit dccp_v4_exit_net(
inet_ctl_sock_destroy(net->dccp.v4_ctl_sk);
}

+static void __net_exit dccp_v4_exit_batch(struct list_head *net_exit_list)
+{
+ inet_twsk_purge(&dccp_hashinfo, &dccp_death_row, AF_INET);
+}
+
static struct pernet_operations dccp_v4_ops = {
.init = dccp_v4_init_net,
.exit = dccp_v4_exit_net,
+ .exit_batch = dccp_v4_exit_batch,
};

static int __init dccp_v4_init(void)
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -1143,9 +1143,15 @@ static void __net_exit dccp_v6_exit_net(
inet_ctl_sock_destroy(net->dccp.v6_ctl_sk);
}

+static void __net_exit dccp_v6_exit_batch(struct list_head *net_exit_list)
+{
+ inet_twsk_purge(&dccp_hashinfo, &dccp_death_row, AF_INET6);
+}
+
static struct pernet_operations dccp_v6_ops = {
.init = dccp_v6_init_net,
.exit = dccp_v6_exit_net,
+ .exit_batch = dccp_v6_exit_batch,
};

static int __init dccp_v6_init(void)

2017-06-01 16:10:38

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 153/212] scsi: aacraid: Fix memory leak in fib init path

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Raghava Aditya Renukunta <[email protected]>

commit 1bff5abca65d4b9761fcc992ab6288243220003d upstream.

aac_fib_map_free frees misaligned fib dma memory, additionally it does not
free up the whole memory.

Fixed by changing the code to free up the correct and full memory
allocation.

Fixes: e8b12f0fb835223 ([SCSI] aacraid: Add new code for PMC-Sierra's SRC based controller family)
Signed-off-by: Raghava Aditya Renukunta <[email protected]>
Reviewed-by: David Carroll <[email protected]>
Reviewed-by: Johannes Thumshirn <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
[bwh: Backported to 3.16: s/max_cmd_size/max_fib_size/]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/aacraid/commsup.c | 36 +++++++++++++++++++++---------------
1 file changed, 21 insertions(+), 15 deletions(-)

--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -83,12 +83,20 @@ static int fib_map_alloc(struct aac_dev

void aac_fib_map_free(struct aac_dev *dev)
{
- if (dev->hw_fib_va && dev->max_fib_size) {
- pci_free_consistent(dev->pdev,
- (dev->max_fib_size *
- (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB)),
- dev->hw_fib_va, dev->hw_fib_pa);
- }
+ size_t alloc_size;
+ size_t fib_size;
+ int num_fibs;
+
+ if(!dev->hw_fib_va || !dev->max_fib_size)
+ return;
+
+ num_fibs = dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB;
+ fib_size = dev->max_fib_size + sizeof(struct aac_fib_xporthdr);
+ alloc_size = fib_size * num_fibs + ALIGN32 - 1;
+
+ pci_free_consistent(dev->pdev, alloc_size, dev->hw_fib_va,
+ dev->hw_fib_pa);
+
dev->hw_fib_va = NULL;
dev->hw_fib_pa = 0;
}
@@ -116,22 +124,20 @@ int aac_fib_setup(struct aac_dev * dev)
if (i<0)
return -ENOMEM;

- /* 32 byte alignment for PMC */
- hw_fib_pa = (dev->hw_fib_pa + (ALIGN32 - 1)) & ~(ALIGN32 - 1);
- dev->hw_fib_va = (struct hw_fib *)((unsigned char *)dev->hw_fib_va +
- (hw_fib_pa - dev->hw_fib_pa));
- dev->hw_fib_pa = hw_fib_pa;
memset(dev->hw_fib_va, 0,
(dev->max_fib_size + sizeof(struct aac_fib_xporthdr)) *
(dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB));

+ /* 32 byte alignment for PMC */
+ hw_fib_pa = (dev->hw_fib_pa + (ALIGN32 - 1)) & ~(ALIGN32 - 1);
+ hw_fib = (struct hw_fib *)((unsigned char *)dev->hw_fib_va +
+ (hw_fib_pa - dev->hw_fib_pa));
+
/* add Xport header */
- dev->hw_fib_va = (struct hw_fib *)((unsigned char *)dev->hw_fib_va +
+ hw_fib = (struct hw_fib *)((unsigned char *)hw_fib +
sizeof(struct aac_fib_xporthdr));
- dev->hw_fib_pa += sizeof(struct aac_fib_xporthdr);
+ hw_fib_pa += sizeof(struct aac_fib_xporthdr);

- hw_fib = dev->hw_fib_va;
- hw_fib_pa = dev->hw_fib_pa;
/*
* Initialise the fibs
*/

2017-06-01 16:17:30

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 040/212] USB: serial: ch341: fix modem-status handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit a0467a967f347842b30739aae636c44980265265 upstream.

The modem-status register was read as part of device configuration at
port_probe and then again at open (and reset-resume). During open (and
reset-resume) the MSR was read before submitting the interrupt URB,
something which could lead to an MSR-change going unnoticed when it
races with open (reset-resume).

Fix this by dropping the redundant reconfiguration of the port at every
open, and only read the MSR after the interrupt URB has been submitted.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ch341.c | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -246,21 +246,11 @@ static int ch341_configure(struct usb_de
if (r < 0)
goto out;

- /* expect 0xff 0xee */
- r = ch341_get_status(dev, priv);
- if (r < 0)
- goto out;
-
r = ch341_set_baudrate_lcr(dev, priv, 0);
if (r < 0)
goto out;

r = ch341_set_handshake(dev, priv->line_control);
- if (r < 0)
- goto out;
-
- /* expect 0x9f 0xee */
- r = ch341_get_status(dev, priv);

out: kfree(buffer);
return r;
@@ -332,14 +322,9 @@ static void ch341_close(struct usb_seria
/* open this device, set default parameters */
static int ch341_open(struct tty_struct *tty, struct usb_serial_port *port)
{
- struct usb_serial *serial = port->serial;
struct ch341_private *priv = usb_get_serial_port_data(port);
int r;

- r = ch341_configure(serial->dev, priv);
- if (r)
- return r;
-
if (tty)
ch341_set_termios(tty, port, NULL);

@@ -351,6 +336,12 @@ static int ch341_open(struct tty_struct
return r;
}

+ r = ch341_get_status(port->serial->dev, priv);
+ if (r < 0) {
+ dev_err(&port->dev, "failed to read modem status: %d\n", r);
+ goto err_kill_interrupt_urb;
+ }
+
r = usb_serial_generic_open(tty, port);
if (r)
goto err_kill_interrupt_urb;
@@ -593,6 +584,12 @@ static int ch341_reset_resume(struct usb
ret);
return ret;
}
+
+ ret = ch341_get_status(port->serial->dev, priv);
+ if (ret < 0) {
+ dev_err(&port->dev, "failed to read modem status: %d\n",
+ ret);
+ }
}

return usb_serial_generic_resume(serial);

2017-06-01 16:17:47

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 021/212] hv_vmbus: Add gradually increased delay for retries in vmbus_post_msg()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Haiyang Zhang <[email protected]>

commit e1c0d82dab4a4605d3bd1968436f030dfed4a829 upstream.

Most of the retries can be done within a millisecond successfully, so we
sleep 1ms before the first retry, then gradually increase the retry
interval to 2^n with max value of 2048ms. Doing so, we will have shorter
overall delay time, because most of the cases succeed within 1-2 attempts.

Signed-off-by: Haiyang Zhang <[email protected]>
Reviewed-by: K. Y. Srinivasan <[email protected]>
Reviewed-by: Dexuan Cui <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/hv/connection.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/hv/connection.c
+++ b/drivers/hv/connection.c
@@ -418,6 +418,7 @@ int vmbus_post_msg(void *buffer, size_t
union hv_connection_id conn_id;
int ret = 0;
int retries = 0;
+ u32 msec = 1;

conn_id.asu32 = 0;
conn_id.u.id = VMBUS_MESSAGE_CONNECTION_ID;
@@ -427,7 +428,7 @@ int vmbus_post_msg(void *buffer, size_t
* insufficient resources. Retry the operation a couple of
* times before giving up.
*/
- while (retries < 10) {
+ while (retries < 20) {
ret = hv_post_message(conn_id, 1, buffer, buflen);

switch (ret) {
@@ -450,7 +451,9 @@ int vmbus_post_msg(void *buffer, size_t
}

retries++;
- msleep(1000);
+ msleep(msec);
+ if (msec < 2048)
+ msec *= 2;
}
return ret;
}

2017-06-01 16:17:46

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 068/212] usb: gadget: f_hid: fix: Prevent accessing released memory

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Opasiak <[email protected]>

commit aa65d11aa008f4de58a9cee7e121666d9d68505e upstream.

When we unlock our spinlock to copy data to user we may get
disabled by USB host and free the whole list of completed out
requests including the one from which we are copying the data
to user memory.

To prevent from this let's remove our working element from
the list and place it back only if there is sth left when we
finish with it.

Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Tested-by: David Lechner <[email protected]>
Signed-off-by: Krzysztof Opasiak <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/gadget/f_hid.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/f_hid.c
+++ b/drivers/usb/gadget/f_hid.c
@@ -197,6 +197,13 @@ static ssize_t f_hidg_read(struct file *
/* pick the first one */
list = list_first_entry(&hidg->completed_out_req,
struct f_hidg_req_list, list);
+
+ /*
+ * Remove this from list to protect it from beign free()
+ * while host disables our function
+ */
+ list_del(&list->list);
+
req = list->req;
count = min_t(unsigned int, count, req->actual - list->pos);
spin_unlock_irqrestore(&hidg->spinlock, flags);
@@ -212,15 +219,20 @@ static ssize_t f_hidg_read(struct file *
* call, taking into account its current read position.
*/
if (list->pos == req->actual) {
- spin_lock_irqsave(&hidg->spinlock, flags);
- list_del(&list->list);
kfree(list);
- spin_unlock_irqrestore(&hidg->spinlock, flags);

req->length = hidg->report_length;
ret = usb_ep_queue(hidg->out_ep, req, GFP_KERNEL);
- if (ret < 0)
+ if (ret < 0) {
+ free_ep_req(hidg->out_ep, req);
return ret;
+ }
+ } else {
+ spin_lock_irqsave(&hidg->spinlock, flags);
+ list_add(&list->list, &hidg->completed_out_req);
+ spin_unlock_irqrestore(&hidg->spinlock, flags);
+
+ wake_up(&hidg->read_queue);
}

return count;
@@ -471,6 +483,7 @@ static void hidg_disable(struct usb_func
{
struct f_hidg *hidg = func_to_hidg(f);
struct f_hidg_req_list *list, *next;
+ unsigned long flags;

usb_ep_disable(hidg->in_ep);
hidg->in_ep->driver_data = NULL;
@@ -478,10 +491,13 @@ static void hidg_disable(struct usb_func
usb_ep_disable(hidg->out_ep);
hidg->out_ep->driver_data = NULL;

+ spin_lock_irqsave(&hidg->spinlock, flags);
list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) {
+ free_ep_req(hidg->out_ep, list->req);
list_del(&list->list);
kfree(list);
}
+ spin_unlock_irqrestore(&hidg->spinlock, flags);
}

static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)

2017-06-01 15:44:58

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 107/212] ktest: Fix child exit code processing

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (VMware)" <[email protected]>

commit 32677207dcc5e594254b7fb4fb2352b1755b1d5b upstream.

The child_exit errno needs to be shifted by 8 bits to compare against the
return values for the bisect variables.

Fixes: c5dacb88f0a64 ("ktest: Allow overriding bisect test results")
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
tools/testing/ktest/ktest.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -2445,7 +2445,7 @@ sub do_run_test {
}

waitpid $child_pid, 0;
- $child_exit = $?;
+ $child_exit = $? >> 8;

if (!$bug && $in_bisect) {
if (defined($bisect_ret_good)) {

2017-06-01 16:18:29

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 080/212] ext4: trim allocation requests to group size

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara <[email protected]>

commit cd648b8a8fd5071d232242d5ee7ee3c0815776af upstream.

If filesystem groups are artifically small (using parameter -g to
mkfs.ext4), ext4_mb_normalize_request() can result in a request that is
larger than a block group. Trim the request size to not confuse
allocation code.

Reported-by: "Kirill A. Shutemov" <[email protected]>
Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/mballoc.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -3091,6 +3091,13 @@ ext4_mb_normalize_request(struct ext4_al
if (ar->pright && start + size - 1 >= ar->lright)
size -= start + size - ar->lright;

+ /*
+ * Trim allocation request for filesystems with artificially small
+ * groups.
+ */
+ if (size > EXT4_BLOCKS_PER_GROUP(ac->ac_sb))
+ size = EXT4_BLOCKS_PER_GROUP(ac->ac_sb);
+
end = start + size;

/* check we don't cross already preallocated blocks */

2017-06-01 16:18:27

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 103/212] USB: serial: ftdi_sio: fix line-status over-reporting

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit a6bb1e17a39818b01b55d8e6238b4b5f06d55038 upstream.

FTDI devices use a receive latency timer to periodically empty the
receive buffer and report modem and line status (also when the buffer is
empty).

When a break or error condition is detected the corresponding status
flags will be set on a packet with nonzero data payload and the flags
are not updated until the break is over or further characters are
received.

In order to avoid over-reporting break and error conditions, these flags
must therefore only be processed for packets with payload.

This specifically fixes the case where after an overrun, the error
condition is continuously reported and NULL-characters inserted until
further data is received.

Reported-by: Michael Walle <[email protected]>
Fixes: 72fda3ca6fc1 ("USB: serial: ftd_sio: implement sysrq handling on
break")
Fixes: 166ceb690750 ("USB: ftdi_sio: clean up line-status handling")
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ftdi_sio.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -2109,6 +2109,20 @@ static int ftdi_process_packet(struct us
priv->prev_status = status;
}

+ /* save if the transmitter is empty or not */
+ if (packet[1] & FTDI_RS_TEMT)
+ priv->transmit_empty = 1;
+ else
+ priv->transmit_empty = 0;
+
+ len -= 2;
+ if (!len)
+ return 0; /* status only */
+
+ /*
+ * Break and error status must only be processed for packets with
+ * data payload to avoid over-reporting.
+ */
flag = TTY_NORMAL;
if (packet[1] & FTDI_RS_ERR_MASK) {
/* Break takes precedence over parity, which takes precedence
@@ -2131,15 +2145,6 @@ static int ftdi_process_packet(struct us
}
}

- /* save if the transmitter is empty or not */
- if (packet[1] & FTDI_RS_TEMT)
- priv->transmit_empty = 1;
- else
- priv->transmit_empty = 0;
-
- len -= 2;
- if (!len)
- return 0; /* status only */
port->icount.rx += len;
ch = packet + 2;


2017-06-01 16:18:56

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 060/212] power: supply: bq24190_charger: Install irq_handler_thread() at end of probe()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liam Breck <[email protected]>

commit d62acc5ef0621463446091ebd7a345e06e9ab80c upstream.

The device specific data is not fully initialized on
request_threaded_irq(). This may cause a crash when the IRQ handler
tries to reference them.

Fix the issue by installing IRQ handler at the end of the probe.

Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
Signed-off-by: Liam Breck <[email protected]>
Acked-by: Mark Greer <[email protected]>
Acked-by: Tony Lindgren <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/power/bq24190_charger.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)

--- a/drivers/power/bq24190_charger.c
+++ b/drivers/power/bq24190_charger.c
@@ -1398,22 +1398,13 @@ static int bq24190_probe(struct i2c_clie
return -EINVAL;
}

- ret = devm_request_threaded_irq(dev, bdi->irq, NULL,
- bq24190_irq_handler_thread,
- IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
- "bq24190-charger", bdi);
- if (ret < 0) {
- dev_err(dev, "Can't set up irq handler\n");
- goto out1;
- }
-
pm_runtime_enable(dev);
pm_runtime_resume(dev);

ret = bq24190_hw_init(bdi);
if (ret < 0) {
dev_err(dev, "Hardware init failed\n");
- goto out2;
+ goto out1;
}

bq24190_charger_init(&bdi->charger);
@@ -1421,7 +1412,7 @@ static int bq24190_probe(struct i2c_clie
ret = power_supply_register(dev, &bdi->charger);
if (ret) {
dev_err(dev, "Can't register charger\n");
- goto out2;
+ goto out1;
}

bq24190_battery_init(&bdi->battery);
@@ -1429,24 +1420,34 @@ static int bq24190_probe(struct i2c_clie
ret = power_supply_register(dev, &bdi->battery);
if (ret) {
dev_err(dev, "Can't register battery\n");
- goto out3;
+ goto out2;
}

ret = bq24190_sysfs_create_group(bdi);
if (ret) {
dev_err(dev, "Can't create sysfs entries\n");
+ goto out3;
+ }
+
+ ret = devm_request_threaded_irq(dev, bdi->irq, NULL,
+ bq24190_irq_handler_thread,
+ IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ "bq24190-charger", bdi);
+ if (ret < 0) {
+ dev_err(dev, "Can't set up irq handler\n");
goto out4;
}

return 0;

out4:
- power_supply_unregister(&bdi->battery);
+ bq24190_sysfs_remove_group(bdi);
out3:
- power_supply_unregister(&bdi->charger);
+ power_supply_unregister(&bdi->battery);
out2:
- pm_runtime_disable(dev);
+ power_supply_unregister(&bdi->charger);
out1:
+ pm_runtime_disable(dev);
if (bdi->gpio_int)
gpio_free(bdi->gpio_int);


2017-06-01 16:18:55

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 079/212] drm/radeon: handle vfct with multiple vbios images

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit a882f5de402ded769af74fbf276132f9c175049c upstream.

The vfct table can contain multiple vbios images if the
platform contains multiple GPUs. Noticed by netkas on
phoronix forums. This patch fixes those platforms.

Signed-off-by: Alex Deucher <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/radeon/radeon_bios.c | 66 ++++++++++++++++++++----------------
1 file changed, 36 insertions(+), 30 deletions(-)

--- a/drivers/gpu/drm/radeon/radeon_bios.c
+++ b/drivers/gpu/drm/radeon/radeon_bios.c
@@ -597,51 +597,57 @@ static bool radeon_read_disabled_bios(st
#ifdef CONFIG_ACPI
static bool radeon_acpi_vfct_bios(struct radeon_device *rdev)
{
- bool ret = false;
struct acpi_table_header *hdr;
acpi_size tbl_size;
UEFI_ACPI_VFCT *vfct;
- GOP_VBIOS_CONTENT *vbios;
- VFCT_IMAGE_HEADER *vhdr;
+ unsigned offset;

if (!ACPI_SUCCESS(acpi_get_table_with_size("VFCT", 1, &hdr, &tbl_size)))
return false;
if (tbl_size < sizeof(UEFI_ACPI_VFCT)) {
DRM_ERROR("ACPI VFCT table present but broken (too short #1)\n");
- goto out_unmap;
+ return false;
}

vfct = (UEFI_ACPI_VFCT *)hdr;
- if (vfct->VBIOSImageOffset + sizeof(VFCT_IMAGE_HEADER) > tbl_size) {
- DRM_ERROR("ACPI VFCT table present but broken (too short #2)\n");
- goto out_unmap;
- }
+ offset = vfct->VBIOSImageOffset;

- vbios = (GOP_VBIOS_CONTENT *)((char *)hdr + vfct->VBIOSImageOffset);
- vhdr = &vbios->VbiosHeader;
- DRM_INFO("ACPI VFCT contains a BIOS for %02x:%02x.%d %04x:%04x, size %d\n",
- vhdr->PCIBus, vhdr->PCIDevice, vhdr->PCIFunction,
- vhdr->VendorID, vhdr->DeviceID, vhdr->ImageLength);
-
- if (vhdr->PCIBus != rdev->pdev->bus->number ||
- vhdr->PCIDevice != PCI_SLOT(rdev->pdev->devfn) ||
- vhdr->PCIFunction != PCI_FUNC(rdev->pdev->devfn) ||
- vhdr->VendorID != rdev->pdev->vendor ||
- vhdr->DeviceID != rdev->pdev->device) {
- DRM_INFO("ACPI VFCT table is not for this card\n");
- goto out_unmap;
+ while (offset < tbl_size) {
+ GOP_VBIOS_CONTENT *vbios = (GOP_VBIOS_CONTENT *)((char *)hdr + offset);
+ VFCT_IMAGE_HEADER *vhdr = &vbios->VbiosHeader;
+
+ offset += sizeof(VFCT_IMAGE_HEADER);
+ if (offset > tbl_size) {
+ DRM_ERROR("ACPI VFCT image header truncated\n");
+ return false;
+ }
+
+ offset += vhdr->ImageLength;
+ if (offset > tbl_size) {
+ DRM_ERROR("ACPI VFCT image truncated\n");
+ return false;
+ }
+
+ if (vhdr->ImageLength &&
+ vhdr->PCIBus == rdev->pdev->bus->number &&
+ vhdr->PCIDevice == PCI_SLOT(rdev->pdev->devfn) &&
+ vhdr->PCIFunction == PCI_FUNC(rdev->pdev->devfn) &&
+ vhdr->VendorID == rdev->pdev->vendor &&
+ vhdr->DeviceID == rdev->pdev->device) {
+ rdev->bios = kmemdup(&vbios->VbiosContent,
+ vhdr->ImageLength,
+ GFP_KERNEL);
+
+ if (!rdev->bios) {
+ kfree(rdev->bios);
+ return false;
+ }
+ return true;
+ }
}

- if (vfct->VBIOSImageOffset + sizeof(VFCT_IMAGE_HEADER) + vhdr->ImageLength > tbl_size) {
- DRM_ERROR("ACPI VFCT image truncated\n");
- goto out_unmap;
- }
-
- rdev->bios = kmemdup(&vbios->VbiosContent, vhdr->ImageLength, GFP_KERNEL);
- ret = !!rdev->bios;
-
-out_unmap:
- return ret;
+ DRM_ERROR("ACPI VFCT table present but broken (too short #2)\n");
+ return false;
}
#else
static inline bool radeon_acpi_vfct_bios(struct radeon_device *rdev)

2017-06-01 16:19:34

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 047/212] USB: serial: mct_u232: fix modem-status error handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 36356a669eddb32917fc4b5c2b9b8bf80ede69de upstream.

Make sure to detect short control-message transfers so that errors are
logged when reading the modem status at open.

Note that while this also avoids initialising the modem status using
uninitialised heap data, these bits could not leak to user space as they
are currently not used.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/mct_u232.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -322,8 +322,12 @@ static int mct_u232_get_modem_stat(struc
MCT_U232_GET_REQUEST_TYPE,
0, 0, buf, MCT_U232_GET_MODEM_STAT_SIZE,
WDR_TIMEOUT);
- if (rc < 0) {
+ if (rc < MCT_U232_GET_MODEM_STAT_SIZE) {
dev_err(&port->dev, "Get MODEM STATus failed (error = %d)\n", rc);
+
+ if (rc >= 0)
+ rc = -EIO;
+
*msr = 0;
} else {
*msr = buf[0];

2017-06-01 16:19:32

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 101/212] USB: serial: cp210x: add new IDs for GE Bx50v3 boards

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ken Lin <[email protected]>

commit 9a593656def0dc2f6c227851e8e602077267a5f1 upstream.

Add new USB IDs for cp2104/5 devices on Bx50v3 boards due to the design
change.

Signed-off-by: Ken Lin <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/cp210x.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -171,6 +171,8 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
{ USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
{ USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
+ { USB_DEVICE(0x1901, 0x0195) }, /* GE B850/B650/B450 CP2104 DP UART interface */
+ { USB_DEVICE(0x1901, 0x0196) }, /* GE B850 CP2105 DP UART interface */
{ USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
{ USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
{ USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */

2017-06-01 16:20:12

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 092/212] USB: serial: keyspan_pda: fix receive sanity checks

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit c528fcb116e61afc379a2e0a0f70906b937f1e2c upstream.

Make sure to check for short transfers before parsing the receive buffer
to avoid acting on stale data.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/keyspan_pda.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)

--- a/drivers/usb/serial/keyspan_pda.c
+++ b/drivers/usb/serial/keyspan_pda.c
@@ -139,6 +139,7 @@ static void keyspan_pda_rx_interrupt(str
{
struct usb_serial_port *port = urb->context;
unsigned char *data = urb->transfer_buffer;
+ unsigned int len = urb->actual_length;
int retval;
int status = urb->status;
struct keyspan_pda_private *priv;
@@ -159,18 +160,26 @@ static void keyspan_pda_rx_interrupt(str
goto exit;
}

+ if (len < 1) {
+ dev_warn(&port->dev, "short message received\n");
+ goto exit;
+ }
+
/* see if the message is data or a status interrupt */
switch (data[0]) {
case 0:
/* rest of message is rx data */
- if (urb->actual_length) {
- tty_insert_flip_string(&port->port, data + 1,
- urb->actual_length - 1);
- tty_flip_buffer_push(&port->port);
- }
+ if (len < 2)
+ break;
+ tty_insert_flip_string(&port->port, data + 1, len - 1);
+ tty_flip_buffer_push(&port->port);
break;
case 1:
/* status interrupt */
+ if (len < 3) {
+ dev_warn(&port->dev, "short interrupt message received\n");
+ break;
+ }
dev_dbg(&port->dev, "rx int, d1=%d, d2=%d\n", data[1], data[2]);
switch (data[1]) {
case 1: /* modemline change */

2017-06-01 16:20:10

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 094/212] s390/qdio: clear DSCI prior to scanning multiple input queues

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Julian Wiedmann <[email protected]>

commit 1e4a382fdc0ba8d1a85b758c0811de3a3631085e upstream.

For devices with multiple input queues, tiqdio_call_inq_handlers()
iterates over all input queues and clears the device's DSCI
during each iteration. If the DSCI is re-armed during one
of the later iterations, we therefore do not scan the previous
queues again.
The re-arming also raises a new adapter interrupt. But its
handler does not trigger a rescan for the device, as the DSCI
has already been erroneously cleared.
This can result in queue stalls on devices with multiple
input queues.

Fix it by clearing the DSCI just once, prior to scanning the queues.

As the code is moved in front of the loop, we also need to access
the DSCI directly (ie irq->dsci) instead of going via each queue's
parent pointer to the same irq. This is not a functional change,
and a follow-up patch will clean up the other users.

In practice, this bug only affects CQ-enabled HiperSockets devices,
ie. devices with sysfs-attribute "hsuid" set. Setting a hsuid is
needed for AF_IUCV socket applications that use HiperSockets
communication.

Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks")
Reviewed-by: Ursula Braun <[email protected]>
Signed-off-by: Julian Wiedmann <[email protected]>
Signed-off-by: Martin Schwidefsky <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/s390/cio/qdio_thinint.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/s390/cio/qdio_thinint.c
+++ b/drivers/s390/cio/qdio_thinint.c
@@ -147,11 +147,11 @@ static inline void tiqdio_call_inq_handl
struct qdio_q *q;
int i;

- for_each_input_queue(irq, q, i) {
- if (!references_shared_dsci(irq) &&
- has_multiple_inq_on_dsci(irq))
- xchg(q->irq_ptr->dsci, 0);
+ if (!references_shared_dsci(irq) &&
+ has_multiple_inq_on_dsci(irq))
+ xchg(irq->dsci, 0);

+ for_each_input_queue(irq, q, i) {
if (q->u.in.queue_start_poll) {
/* skip if polling is enabled or already in work */
if (test_and_set_bit(QDIO_QUEUE_IRQS_DISABLED,

2017-06-01 16:20:08

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 070/212] MIPS: 'make -s' should be silent

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

commit 8c9b23ffb3f92ffa4cbe37b1bab4542586e0bfd1 upstream.

A clean mips64 build produces no output except for two lines:

Checking missing-syscalls for N32
Checking missing-syscalls for O32

On other architectures, there is no output at all, so let's do the
same here for the sake of build testing. The 'kecho' macro is used
to print the message on a normal build but skip it with 'make -s'.

Fixes: e48ce6b8df5b ("[MIPS] Simplify missing-syscalls for N32 and O32")
Signed-off-by: Arnd Bergmann <[email protected]>
Cc: Paul Burton <[email protected]>
Cc: Matt Redfearn <[email protected]>
Cc: Huacai Chen <[email protected]>
Cc: Maarten ter Huurne <[email protected]>
Cc: [email protected]
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/15040/
Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/mips/Makefile
+++ b/arch/mips/Makefile
@@ -333,11 +333,11 @@ CLEAN_FILES += vmlinux.32 vmlinux.64

archprepare:
ifdef CONFIG_MIPS32_N32
- @echo ' Checking missing-syscalls for N32'
+ @$(kecho) ' Checking missing-syscalls for N32'
$(Q)$(MAKE) $(build)=. missing-syscalls missing_syscalls_flags="-mabi=n32"
endif
ifdef CONFIG_MIPS32_O32
- @echo ' Checking missing-syscalls for O32'
+ @$(kecho) ' Checking missing-syscalls for O32'
$(Q)$(MAKE) $(build)=. missing-syscalls missing_syscalls_flags="-mabi=32"
endif


2017-06-01 16:21:04

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 019/212] clk: wm831x: fix usleep_range with bad range

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <[email protected]>

commit ed784c532a3d0959db488f40a96c5127f63d42dc upstream.

The delay here is not in atomic context and does not seem critical with
respect to precision, but usleep_range(min,max) with min==max results in
giving the timer subsystem no room to optimize uncritical delays. Fix
this by setting the range to 2000,3000 us.

Fixes: commit f05259a6ffa4 ("clk: wm831x: Add initial WM831x clock driver")
Signed-off-by: Nicholas Mc Guire <[email protected]>
Acked-by: Charles Keepax <[email protected]>
Signed-off-by: Stephen Boyd <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/clk/clk-wm831x.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/clk/clk-wm831x.c
+++ b/drivers/clk/clk-wm831x.c
@@ -102,7 +102,8 @@ static int wm831x_fll_prepare(struct clk
if (ret != 0)
dev_crit(wm831x->dev, "Failed to enable FLL: %d\n", ret);

- usleep_range(2000, 2000);
+ /* wait 2-3 ms for new frequency taking effect */
+ usleep_range(2000, 3000);

return ret;
}

2017-06-01 16:21:08

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 066/212] usb: gadget: define free_ep_req as universal function

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Felipe F. Tonello" <[email protected]>

commit 079fe5a6da616891cca1a26e803e1df2a87e9ae5 upstream.

This function is shared between gadget functions, so this avoid unnecessary
duplicated code and potentially avoid memory leaks.

Reviewed-by: Robert Baldyga <[email protected]>
Signed-off-by: Felipe F. Tonello <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/gadget/f_midi.c | 6 ------
drivers/usb/gadget/f_sourcesink.c | 6 ------
drivers/usb/gadget/g_zero.h | 1 -
drivers/usb/gadget/u_f.c | 1 -
drivers/usb/gadget/u_f.h | 10 ++++++++--
5 files changed, 8 insertions(+), 16 deletions(-)

--- a/drivers/usb/gadget/f_midi.c
+++ b/drivers/usb/gadget/f_midi.c
@@ -199,12 +199,6 @@ static inline struct usb_request *midi_a
return alloc_ep_req(ep, length, length);
}

-static void free_ep_req(struct usb_ep *ep, struct usb_request *req)
-{
- kfree(req->buf);
- usb_ep_free_request(ep, req);
-}
-
static const uint8_t f_midi_cin_length[] = {
0, 0, 2, 3, 3, 1, 2, 3, 3, 3, 3, 3, 2, 2, 3, 1
};
--- a/drivers/usb/gadget/f_sourcesink.c
+++ b/drivers/usb/gadget/f_sourcesink.c
@@ -307,12 +307,6 @@ static inline struct usb_request *ss_all
return alloc_ep_req(ep, len, buflen);
}

-void free_ep_req(struct usb_ep *ep, struct usb_request *req)
-{
- kfree(req->buf);
- usb_ep_free_request(ep, req);
-}
-
static void disable_ep(struct usb_composite_dev *cdev, struct usb_ep *ep)
{
int value;
--- a/drivers/usb/gadget/g_zero.h
+++ b/drivers/usb/gadget/g_zero.h
@@ -59,7 +59,6 @@ void lb_modexit(void);
int lb_modinit(void);

/* common utilities */
-void free_ep_req(struct usb_ep *ep, struct usb_request *req);
void disable_endpoints(struct usb_composite_dev *cdev,
struct usb_ep *in, struct usb_ep *out,
struct usb_ep *iso_in, struct usb_ep *iso_out);
--- a/drivers/usb/gadget/u_f.c
+++ b/drivers/usb/gadget/u_f.c
@@ -11,7 +11,6 @@
* published by the Free Software Foundation.
*/

-#include <linux/usb/gadget.h>
#include "u_f.h"

struct usb_request *alloc_ep_req(struct usb_ep *ep, int len, int default_len)
--- a/drivers/usb/gadget/u_f.h
+++ b/drivers/usb/gadget/u_f.h
@@ -16,6 +16,8 @@
#ifndef __U_F_H__
#define __U_F_H__

+#include <linux/usb/gadget.h>
+
/* Variable Length Array Macros **********************************************/
#define vla_group(groupname) size_t groupname##__next = 0
#define vla_group_size(groupname) groupname##__next
@@ -45,8 +47,12 @@
struct usb_ep;
struct usb_request;

+/* Requests allocated via alloc_ep_req() must be freed by free_ep_req(). */
struct usb_request *alloc_ep_req(struct usb_ep *ep, int len, int default_len);
+static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
+{
+ kfree(req->buf);
+ usb_ep_free_request(ep, req);
+}

#endif /* __U_F_H__ */
-
-

2017-06-01 16:21:06

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 091/212] USB: serial: digi_acceleport: fix incomplete rx sanity check

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 1b0aed2b1600f6e5c7b9acfbd610a4e351ef5232 upstream.

Make sure the received data has the required headers before parsing it.

Also drop the redundant urb-status check, which has already been handled
by the caller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/digi_acceleport.c | 38 ++++++++++++++++++++++--------------
1 file changed, 23 insertions(+), 15 deletions(-)

--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1400,25 +1400,30 @@ static int digi_read_inb_callback(struct
{
struct usb_serial_port *port = urb->context;
struct digi_port *priv = usb_get_serial_port_data(port);
- int opcode = ((unsigned char *)urb->transfer_buffer)[0];
- int len = ((unsigned char *)urb->transfer_buffer)[1];
- int port_status = ((unsigned char *)urb->transfer_buffer)[2];
- unsigned char *data = ((unsigned char *)urb->transfer_buffer) + 3;
+ unsigned char *buf = urb->transfer_buffer;
+ int opcode;
+ int len;
+ int port_status;
+ unsigned char *data;
int flag, throttled;
- int status = urb->status;
-
- /* do not process callbacks on closed ports */
- /* but do continue the read chain */
- if (urb->status == -ENOENT)
- return 0;

/* short/multiple packet check */
+ if (urb->actual_length < 2) {
+ dev_warn(&port->dev, "short packet received\n");
+ return -1;
+ }
+
+ opcode = buf[0];
+ len = buf[1];
+
if (urb->actual_length != len + 2) {
- dev_err(&port->dev, "%s: INCOMPLETE OR MULTIPLE PACKET, "
- "status=%d, port=%d, opcode=%d, len=%d, "
- "actual_length=%d, status=%d\n", __func__, status,
- priv->dp_port_num, opcode, len, urb->actual_length,
- port_status);
+ dev_err(&port->dev, "malformed packet received: port=%d, opcode=%d, len=%d, actual_length=%u\n",
+ priv->dp_port_num, opcode, len, urb->actual_length);
+ return -1;
+ }
+
+ if (opcode == DIGI_CMD_RECEIVE_DATA && len < 1) {
+ dev_err(&port->dev, "malformed data packet received\n");
return -1;
}

@@ -1432,6 +1437,9 @@ static int digi_read_inb_callback(struct

/* receive data */
if (opcode == DIGI_CMD_RECEIVE_DATA) {
+ port_status = buf[2];
+ data = &buf[3];
+
/* get flag from port_status */
flag = 0;


2017-06-01 16:21:03

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 093/212] usb: misc: adutux: remove redundant error check on copy_to_user return code

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Colin Ian King <[email protected]>

commit 453785c64e090d9b4169636b7276fcd6d7489d33 upstream.

The 2nd check for a non-zero return from copy_to_user is redundant as
it is has already been made a few lines earlier. This check was made
redundant because of previous fix to the copy_to_user error return
check.

Detected by CoverityScan, CID#114347 ("Logically Dead Code")

Fixes: 1865a9c382ede ("USB: adutux: fix misuse of return value of copy_to_user()")

Signed-off-by: Colin Ian King <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/misc/adutux.c | 4 ----
1 file changed, 4 deletions(-)

--- a/drivers/usb/misc/adutux.c
+++ b/drivers/usb/misc/adutux.c
@@ -389,10 +389,6 @@ static ssize_t adu_read(struct file *fil
dev->secondary_head += (amount - i);
bytes_read += (amount - i);
bytes_to_read -= (amount - i);
- if (i) {
- retval = bytes_read ? bytes_read : -EFAULT;
- goto exit;
- }
} else {
/* we check the primary buffer */
spin_lock_irqsave (&dev->buflock, flags);

2017-06-01 16:21:57

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 111/212] i2c: i2c-mux-gpio: rename i2c-gpio-mux to i2c-mux-gpio

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Peter Rosin <[email protected]>

commit 6b66a6f27e799d9441ef2c0b1e00913a6a070fa5 upstream.

The rename did the wrong thing for this documentation file all those
years ago. Fix that as well as the neglected rename of the platform
data structure.

Fixes: e7065e20d9a6 ("i2c: Rename last mux driver to standard pattern")
Signed-off-by: Peter Rosin <[email protected]>
Signed-off-by: Wolfram Sang <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
Documentation/i2c/muxes/i2c-mux-gpio | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

--- a/Documentation/i2c/muxes/i2c-mux-gpio
+++ b/Documentation/i2c/muxes/i2c-mux-gpio
@@ -1,11 +1,11 @@
-Kernel driver i2c-gpio-mux
+Kernel driver i2c-mux-gpio

Author: Peter Korsgaard <[email protected]>

Description
-----------

-i2c-gpio-mux is an i2c mux driver providing access to I2C bus segments
+i2c-mux-gpio is an i2c mux driver providing access to I2C bus segments
from a master I2C bus and a hardware MUX controlled through GPIO pins.

E.G.:
@@ -26,16 +26,16 @@ according to the settings of the GPIO pi
Usage
-----

-i2c-gpio-mux uses the platform bus, so you need to provide a struct
+i2c-mux-gpio uses the platform bus, so you need to provide a struct
platform_device with the platform_data pointing to a struct
-gpio_i2cmux_platform_data with the I2C adapter number of the master
+i2c_mux_gpio_platform_data with the I2C adapter number of the master
bus, the number of bus segments to create and the GPIO pins used
-to control it. See include/linux/i2c-gpio-mux.h for details.
+to control it. See include/linux/i2c-mux-gpio.h for details.

E.G. something like this for a MUX providing 4 bus segments
controlled through 3 GPIO pins:

-#include <linux/i2c-gpio-mux.h>
+#include <linux/i2c-mux-gpio.h>
#include <linux/platform_device.h>

static const unsigned myboard_gpiomux_gpios[] = {
@@ -46,7 +46,7 @@ static const unsigned myboard_gpiomux_va
0, 1, 2, 3
};

-static struct gpio_i2cmux_platform_data myboard_i2cmux_data = {
+static struct i2c_mux_gpio_platform_data myboard_i2cmux_data = {
.parent = 1,
.base_nr = 2, /* optional */
.values = myboard_gpiomux_values,
@@ -57,7 +57,7 @@ static struct gpio_i2cmux_platform_data
};

static struct platform_device myboard_i2cmux = {
- .name = "i2c-gpio-mux",
+ .name = "i2c-mux-gpio",
.id = 0,
.dev = {
.platform_data = &myboard_i2cmux_data,
@@ -66,14 +66,14 @@ static struct platform_device myboard_i2

If you don't know the absolute GPIO pin numbers at registration time,
you can instead provide a chip name (.chip_name) and relative GPIO pin
-numbers, and the i2c-gpio-mux driver will do the work for you,
+numbers, and the i2c-mux-gpio driver will do the work for you,
including deferred probing if the GPIO chip isn't immediately
available.

Device Registration
-------------------

-When registering your i2c-gpio-mux device, you should pass the number
+When registering your i2c-mux-gpio device, you should pass the number
of any GPIO pin it uses as the device ID. This guarantees that every
instance has a different ID.


2017-06-01 16:22:21

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 053/212] staging: rtl: fix possible NULL pointer dereference

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <[email protected]>

commit 6e017006022abfea5d2466cad936065f45763ad1 upstream.

gcc-7 detects that wlanhdr_to_ethhdr() in two drivers calls memcpy() with
a destination argument that an earlier function call may have set to NULL:

staging/rtl8188eu/core/rtw_recv.c: In function 'wlanhdr_to_ethhdr':
staging/rtl8188eu/core/rtw_recv.c:1318:2: warning: argument 1 null where non-null expected [-Wnonnull]
staging/rtl8712/rtl871x_recv.c: In function 'r8712_wlanhdr_to_ethhdr':
staging/rtl8712/rtl871x_recv.c:649:2: warning: argument 1 null where non-null expected [-Wnonnull]

I'm fixing this by adding a NULL pointer check and returning failure
from the function, which is hopefully already handled properly.

This seems to date back to when the drivers were originally added,
so backporting the fix to stable seems appropriate. There are other
related realtek drivers in the kernel, but none of them contain a
function with a similar name or produce this warning.

Fixes: 1cc18a22b96b ("staging: r8188eu: Add files for new driver - part 5")
Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
Signed-off-by: Arnd Bergmann <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/staging/rtl8188eu/core/rtw_recv.c
+++ b/drivers/staging/rtl8188eu/core/rtw_recv.c
@@ -1419,10 +1419,14 @@ static int wlanhdr_to_ethhdr(struct recv
eth_type = 0x8712;
/* append rx status for mp test packets */
ptr = recvframe_pull(precvframe, (rmv_len-sizeof(struct ethhdr)+2)-24);
+ if (!ptr)
+ return _FAIL;
memcpy(ptr, get_rxmem(precvframe), 24);
ptr += 24;
} else {
ptr = recvframe_pull(precvframe, (rmv_len-sizeof(struct ethhdr) + (bsnaphdr ? 2 : 0)));
+ if (!ptr)
+ return _FAIL;
}

memcpy(ptr, pattrib->dst, ETH_ALEN);
--- a/drivers/staging/rtl8712/rtl871x_recv.c
+++ b/drivers/staging/rtl8712/rtl871x_recv.c
@@ -639,11 +639,16 @@ sint r8712_wlanhdr_to_ethhdr(union recv_
/* append rx status for mp test packets */
ptr = recvframe_pull(precvframe, (rmv_len -
sizeof(struct ethhdr) + 2) - 24);
+ if (!ptr)
+ return _FAIL;
memcpy(ptr, get_rxmem(precvframe), 24);
ptr += 24;
- } else
+ } else {
ptr = recvframe_pull(precvframe, (rmv_len -
sizeof(struct ethhdr) + (bsnaphdr ? 2 : 0)));
+ if (!ptr)
+ return _FAIL;
+ }

memcpy(ptr, pattrib->dst, ETH_ALEN);
memcpy(ptr+ETH_ALEN, pattrib->src, ETH_ALEN);

2017-06-01 16:22:20

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 055/212] mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Brian Norris <[email protected]>

commit 6183468a23fc6b6903f8597982017ad2c7fdefcf upstream.

Similar to commit fcd2042e8d36 ("mwifiex: printk() overflow with 32-byte
SSIDs"), we failed to account for the existence of 32-char SSIDs in our
debugfs code. Unlike in that case though, we zeroed out the containing
struct first, and I'm pretty sure we're guaranteed to have some padding
after the 'ssid.ssid' and 'ssid.ssid_len' fields (the struct is 33 bytes
long).

So, this is the difference between:

# cat /sys/kernel/debug/mwifiex/mlan0/info
...
essid="0123456789abcdef0123456789abcdef "
...

and the correct output:

# cat /sys/kernel/debug/mwifiex/mlan0/info
...
essid="0123456789abcdef0123456789abcdef"
...

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Brian Norris <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
[bwh: Backported to 3.16: adjsut filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/mwifiex/debugfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/mwifiex/debugfs.c
+++ b/drivers/net/wireless/mwifiex/debugfs.c
@@ -220,7 +220,8 @@ mwifiex_info_read(struct file *file, cha
if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) {
p += sprintf(p, "multicast_count=\"%d\"\n",
netdev_mc_count(netdev));
- p += sprintf(p, "essid=\"%s\"\n", info.ssid.ssid);
+ p += sprintf(p, "essid=\"%.*s\"\n", info.ssid.ssid_len,
+ info.ssid.ssid);
p += sprintf(p, "bssid=\"%pM\"\n", info.bssid);
p += sprintf(p, "channel=\"%d\"\n", (int) info.bss_chan);
p += sprintf(p, "country_code = \"%s\"\n", info.country_code);

2017-06-01 16:22:19

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 057/212] sbitmap: fix wakeup hang after sbq resize

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <[email protected]>

commit 6c0ca7ae292adea09b8bdd33a524bb9326c3e989 upstream.

When we resize a struct sbitmap_queue, we update the wakeup batch size,
but we don't update the wait count in the struct sbq_wait_states. If we
resized down from a size which could use a bigger batch size, these
counts could be too large and cause us to miss necessary wakeups. To fix
this, update the wait counts when we resize (ensuring some careful
memory ordering so that it's safe w.r.t. concurrent clears).

This also fixes a theoretical issue where two threads could end up
bumping the wait count up by the batch size, which could also
potentially lead to hangs.

Reported-by: Martin Raiber <[email protected]>
Fixes: e3a2b3f931f5 ("blk-mq: allow changing of queue depth through sysfs")
Fixes: 2971c35f3588 ("blk-mq: bitmap tag: fix race on blk_mq_bitmap_tags::wake_cnt")
Signed-off-by: Omar Sandoval <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
[bwh: Backported to 3.16:
- Adjust filename
- Rename almost everything
- Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -340,6 +340,7 @@ static void bt_clear_tag(struct blk_mq_b
{
const int index = TAG_TO_INDEX(bt, tag);
struct bt_wait_state *bs;
+ unsigned int wake_batch;
int wait_cnt;

clear_bit(TAG_TO_BIT(bt, tag), &bt->map[index].word);
@@ -352,10 +353,22 @@ static void bt_clear_tag(struct blk_mq_b
return;

wait_cnt = atomic_dec_return(&bs->wait_cnt);
- if (unlikely(wait_cnt < 0))
- wait_cnt = atomic_inc_return(&bs->wait_cnt);
- if (wait_cnt == 0) {
- atomic_add(bt->wake_cnt, &bs->wait_cnt);
+ if (wait_cnt <= 0) {
+ wake_batch = ACCESS_ONCE(bt->wake_cnt);
+ /*
+ * Pairs with the memory barrier in bt_update_count() to
+ * ensure that we see the batch size update before the wait
+ * count is reset.
+ */
+ smp_mb__before_atomic();
+ /*
+ * If there are concurrent callers to bt_clear_tag(), the last
+ * one to decrement the wait count below zero will bump it back
+ * up. If there is a concurrent resize, the count reset will
+ * either cause the cmpxchg to fail or overwrite after the
+ * cmpxchg.
+ */
+ atomic_cmpxchg(&bs->wait_cnt, wait_cnt, wait_cnt + wake_batch);
bt_index_atomic_inc(&bt->wake_index);
wake_up(&bs->wait);
}
@@ -450,20 +463,30 @@ static void bt_update_count(struct blk_m
{
unsigned int tags_per_word = 1U << bt->bits_per_word;
unsigned int map_depth = depth;
+ unsigned int wake_batch;
+ int i;

if (depth) {
- int i;
-
for (i = 0; i < bt->map_nr; i++) {
bt->map[i].depth = min(map_depth, tags_per_word);
map_depth -= bt->map[i].depth;
}
}

- bt->wake_cnt = BT_WAIT_BATCH;
- if (bt->wake_cnt > depth / BT_WAIT_QUEUES)
- bt->wake_cnt = max(1U, depth / BT_WAIT_QUEUES);
-
+ wake_batch = BT_WAIT_BATCH;
+ if (wake_batch > depth / BT_WAIT_QUEUES)
+ wake_batch = max(1U, depth / BT_WAIT_QUEUES);
+
+ if (bt->wake_cnt != wake_batch) {
+ ACCESS_ONCE(bt->wake_cnt) = wake_batch;
+ /*
+ * Pairs with the memory barrier in bt_clear_tag() to ensure
+ * that the batch size is updated before the wait counts.
+ */
+ smp_mb__before_atomic();
+ for (i = 0; i < BT_WAIT_QUEUES; i++)
+ atomic_set(&bt->bs[i].wait_cnt, 1);
+ }
bt->depth = depth;
}


2017-06-01 16:22:17

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 078/212] clk: samsung: mark s3c...._clk_sleep_init() as __init

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Martin Kaiser <[email protected]>

commit 02c952c8f95fd0adf1835704db95215f57cfc8e6 upstream.

These functions are referencing s3c...._clk_regs[], which are marked as
__initdata. When compiling with CONFIG_DEBUG_SECTION_MISMATCH=y, this
produces warnings like

WARNING: vmlinux.o(.text+0x198350):
Section mismatch in reference from the function s3c2410_clk_sleep_init()
to the (unknown reference) .init.data:(unknown)

Mark the s3c...._clk_sleep_init() functions as __init in
order to fix this.

Fixes: ca2e90ac1809 ("clk: samsung: add clock controller driver for s3c2412")
Signed-off-by: Martin Kaiser <[email protected]>
Reviewed-by: Chanwoo Choi <[email protected]>
Reviewed-by: Krzysztof Kozlowski <[email protected]>
Signed-off-by: Sylwester Nawrocki <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/clk/samsung/clk-s3c2410.c | 4 ++--
drivers/clk/samsung/clk-s3c2412.c | 4 ++--
drivers/clk/samsung/clk-s3c2443.c | 4 ++--
drivers/clk/samsung/clk-s3c64xx.c | 4 ++--
4 files changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/clk/samsung/clk-s3c2410.c
+++ b/drivers/clk/samsung/clk-s3c2410.c
@@ -78,7 +78,7 @@ static struct syscore_ops s3c2410_clk_sy
.resume = s3c2410_clk_resume,
};

-static void s3c2410_clk_sleep_init(void)
+static void __init s3c2410_clk_sleep_init(void)
{
s3c2410_save = samsung_clk_alloc_reg_dump(s3c2410_clk_regs,
ARRAY_SIZE(s3c2410_clk_regs));
@@ -92,7 +92,7 @@ static void s3c2410_clk_sleep_init(void)
return;
}
#else
-static void s3c2410_clk_sleep_init(void) {}
+static void __init s3c2410_clk_sleep_init(void) {}
#endif

PNAME(fclk_p) = { "mpll", "div_slow" };
--- a/drivers/clk/samsung/clk-s3c2412.c
+++ b/drivers/clk/samsung/clk-s3c2412.c
@@ -69,7 +69,7 @@ static struct syscore_ops s3c2412_clk_sy
.resume = s3c2412_clk_resume,
};

-static void s3c2412_clk_sleep_init(void)
+static void __init s3c2412_clk_sleep_init(void)
{
s3c2412_save = samsung_clk_alloc_reg_dump(s3c2412_clk_regs,
ARRAY_SIZE(s3c2412_clk_regs));
@@ -83,7 +83,7 @@ static void s3c2412_clk_sleep_init(void)
return;
}
#else
-static void s3c2412_clk_sleep_init(void) {}
+static void __init s3c2412_clk_sleep_init(void) {}
#endif

static struct clk_div_table divxti_d[] = {
--- a/drivers/clk/samsung/clk-s3c2443.c
+++ b/drivers/clk/samsung/clk-s3c2443.c
@@ -89,7 +89,7 @@ static struct syscore_ops s3c2443_clk_sy
.resume = s3c2443_clk_resume,
};

-static void s3c2443_clk_sleep_init(void)
+static void __init s3c2443_clk_sleep_init(void)
{
s3c2443_save = samsung_clk_alloc_reg_dump(s3c2443_clk_regs,
ARRAY_SIZE(s3c2443_clk_regs));
@@ -103,7 +103,7 @@ static void s3c2443_clk_sleep_init(void)
return;
}
#else
-static void s3c2443_clk_sleep_init(void) {}
+static void __init s3c2443_clk_sleep_init(void) {}
#endif

PNAME(epllref_p) = { "mpllref", "mpllref", "xti", "ext" };
--- a/drivers/clk/samsung/clk-s3c64xx.c
+++ b/drivers/clk/samsung/clk-s3c64xx.c
@@ -122,7 +122,7 @@ static struct syscore_ops s3c64xx_clk_sy
.resume = s3c64xx_clk_resume,
};

-static void s3c64xx_clk_sleep_init(void)
+static void __init s3c64xx_clk_sleep_init(void)
{
s3c64xx_save_common = samsung_clk_alloc_reg_dump(s3c64xx_clk_regs,
ARRAY_SIZE(s3c64xx_clk_regs));
@@ -146,7 +146,7 @@ err_warn:
__func__);
}
#else
-static void s3c64xx_clk_sleep_init(void) {}
+static void __init s3c64xx_clk_sleep_init(void) {}
#endif

/* List of parent clocks common for all S3C64xx SoCs. */

2017-06-01 16:22:16

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 106/212] ath9k: fix race condition in enabling/disabling IRQs

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <[email protected]>

commit 3a5e969bb2f6692a256352649355d56d018d6b88 upstream.

The code currently relies on refcounting to disable IRQs from within the
IRQ handler and re-enabling them again after the tasklet has run.

However, due to race conditions sometimes the IRQ handler might be
called twice, or the tasklet may not run at all (if interrupted in the
middle of a reset).

This can cause nasty imbalances in the irq-disable refcount which will
get the driver permanently stuck until the entire radio has been stopped
and started again (ath_reset will not recover from this).

Instead of using this fragile logic, change the code to ensure that
running the irq handler during tasklet processing is safe, and leave the
refcount untouched.

Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/ath/ath9k/ath9k.h | 1 +
drivers/net/wireless/ath/ath9k/init.c | 1 +
drivers/net/wireless/ath/ath9k/mac.c | 44 ++++++++++++++++++++++++++--------
drivers/net/wireless/ath/ath9k/mac.h | 1 +
drivers/net/wireless/ath/ath9k/main.c | 27 +++++++++------------
5 files changed, 48 insertions(+), 26 deletions(-)

--- a/drivers/net/wireless/ath/ath9k/ath9k.h
+++ b/drivers/net/wireless/ath/ath9k/ath9k.h
@@ -709,6 +709,7 @@ struct ath_softc {
struct survey_info *cur_survey;
struct survey_info survey[ATH9K_NUM_CHANNELS];

+ spinlock_t intr_lock;
struct tasklet_struct intr_tq;
struct tasklet_struct bcon_tasklet;
struct ath_hw *sc_ah;
--- a/drivers/net/wireless/ath/ath9k/init.c
+++ b/drivers/net/wireless/ath/ath9k/init.c
@@ -554,6 +554,7 @@ static int ath9k_init_softc(u16 devid, s
common->bt_ant_diversity = 1;

spin_lock_init(&common->cc_lock);
+ spin_lock_init(&sc->intr_lock);
spin_lock_init(&sc->sc_serial_rw);
spin_lock_init(&sc->sc_pm_lock);
mutex_init(&sc->mutex);
--- a/drivers/net/wireless/ath/ath9k/mac.c
+++ b/drivers/net/wireless/ath/ath9k/mac.c
@@ -805,21 +805,12 @@ void ath9k_hw_disable_interrupts(struct
}
EXPORT_SYMBOL(ath9k_hw_disable_interrupts);

-void ath9k_hw_enable_interrupts(struct ath_hw *ah)
+static void __ath9k_hw_enable_interrupts(struct ath_hw *ah)
{
struct ath_common *common = ath9k_hw_common(ah);
u32 sync_default = AR_INTR_SYNC_DEFAULT;
u32 async_mask;

- if (!(ah->imask & ATH9K_INT_GLOBAL))
- return;
-
- if (!atomic_inc_and_test(&ah->intr_ref_cnt)) {
- ath_dbg(common, INTERRUPT, "Do not enable IER ref count %d\n",
- atomic_read(&ah->intr_ref_cnt));
- return;
- }
-
if (AR_SREV_9340(ah) || AR_SREV_9550(ah) || AR_SREV_9531(ah))
sync_default &= ~AR_INTR_SYNC_HOST1_FATAL;

@@ -840,6 +831,39 @@ void ath9k_hw_enable_interrupts(struct a
ath_dbg(common, INTERRUPT, "AR_IMR 0x%x IER 0x%x\n",
REG_READ(ah, AR_IMR), REG_READ(ah, AR_IER));
}
+
+void ath9k_hw_resume_interrupts(struct ath_hw *ah)
+{
+ struct ath_common *common = ath9k_hw_common(ah);
+
+ if (!(ah->imask & ATH9K_INT_GLOBAL))
+ return;
+
+ if (atomic_read(&ah->intr_ref_cnt) != 0) {
+ ath_dbg(common, INTERRUPT, "Do not enable IER ref count %d\n",
+ atomic_read(&ah->intr_ref_cnt));
+ return;
+ }
+
+ __ath9k_hw_enable_interrupts(ah);
+}
+EXPORT_SYMBOL(ath9k_hw_resume_interrupts);
+
+void ath9k_hw_enable_interrupts(struct ath_hw *ah)
+{
+ struct ath_common *common = ath9k_hw_common(ah);
+
+ if (!(ah->imask & ATH9K_INT_GLOBAL))
+ return;
+
+ if (!atomic_inc_and_test(&ah->intr_ref_cnt)) {
+ ath_dbg(common, INTERRUPT, "Do not enable IER ref count %d\n",
+ atomic_read(&ah->intr_ref_cnt));
+ return;
+ }
+
+ __ath9k_hw_enable_interrupts(ah);
+}
EXPORT_SYMBOL(ath9k_hw_enable_interrupts);

void ath9k_hw_set_interrupts(struct ath_hw *ah)
--- a/drivers/net/wireless/ath/ath9k/mac.h
+++ b/drivers/net/wireless/ath/ath9k/mac.h
@@ -737,6 +737,7 @@ void ath9k_hw_set_interrupts(struct ath_
void ath9k_hw_enable_interrupts(struct ath_hw *ah);
void ath9k_hw_disable_interrupts(struct ath_hw *ah);
void ath9k_hw_kill_interrupts(struct ath_hw *ah);
+void ath9k_hw_resume_interrupts(struct ath_hw *ah);

void ar9002_hw_attach_mac_ops(struct ath_hw *ah);

--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -441,21 +441,20 @@ void ath9k_tasklet(unsigned long data)
struct ath_common *common = ath9k_hw_common(ah);
enum ath_reset_type type;
unsigned long flags;
- u32 status = sc->intrstatus;
+ u32 status;
u32 rxmask;

+ spin_lock_irqsave(&sc->intr_lock, flags);
+ status = sc->intrstatus;
+ sc->intrstatus = 0;
+ spin_unlock_irqrestore(&sc->intr_lock, flags);
+
ath9k_ps_wakeup(sc);
spin_lock(&sc->sc_pcu_lock);

if (status & ATH9K_INT_FATAL) {
type = RESET_TYPE_FATAL_INT;
ath9k_queue_reset(sc, type);
-
- /*
- * Increment the ref. counter here so that
- * interrupts are enabled in the reset routine.
- */
- atomic_inc(&ah->intr_ref_cnt);
ath_dbg(common, RESET, "FATAL: Skipping interrupts\n");
goto out;
}
@@ -471,11 +470,6 @@ void ath9k_tasklet(unsigned long data)
type = RESET_TYPE_BB_WATCHDOG;
ath9k_queue_reset(sc, type);

- /*
- * Increment the ref. counter here so that
- * interrupts are enabled in the reset routine.
- */
- atomic_inc(&ah->intr_ref_cnt);
ath_dbg(common, RESET,
"BB_WATCHDOG: Skipping interrupts\n");
goto out;
@@ -488,7 +482,6 @@ void ath9k_tasklet(unsigned long data)
if ((sc->gtt_cnt >= MAX_GTT_CNT) && !ath9k_hw_check_alive(ah)) {
type = RESET_TYPE_TX_GTT;
ath9k_queue_reset(sc, type);
- atomic_inc(&ah->intr_ref_cnt);
ath_dbg(common, RESET,
"GTT: Skipping interrupts\n");
goto out;
@@ -545,7 +538,7 @@ void ath9k_tasklet(unsigned long data)
ath9k_btcoex_handle_interrupt(sc, status);

/* re-enable hardware interrupt */
- ath9k_hw_enable_interrupts(ah);
+ ath9k_hw_resume_interrupts(ah);
out:
spin_unlock(&sc->sc_pcu_lock);
ath9k_ps_restore(sc);
@@ -612,7 +605,9 @@ irqreturn_t ath_isr(int irq, void *dev)
return IRQ_NONE;

/* Cache the status */
- sc->intrstatus = status;
+ spin_lock(&sc->intr_lock);
+ sc->intrstatus |= status;
+ spin_unlock(&sc->intr_lock);

if (status & SCHED_INTR)
sched = true;
@@ -668,7 +663,7 @@ chip_reset:

if (sched) {
/* turn off every interrupt */
- ath9k_hw_disable_interrupts(ah);
+ ath9k_hw_kill_interrupts(ah);
tasklet_schedule(&sc->intr_tq);
}


2017-06-01 16:22:14

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 081/212] ext4: use private version of page_zero_new_buffers() for data=journal mode

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <[email protected]>

commit b90197b655185a11640cce3a0a0bc5d8291b8ad2 upstream.

If there is a error while copying data from userspace into the page
cache during a write(2) system call, in data=journal mode, in
ext4_journalled_write_end() were using page_zero_new_buffers() from
fs/buffer.c. Unfortunately, this sets the buffer dirty flag, which is
no good if journalling is enabled. This is a long-standing bug that
goes back for years and years in ext3, but a combination of (a)
data=journal not being very common, (b) in many case it only results
in a warning message. and (c) only very rarely causes the kernel hang,
means that we only really noticed this as a problem when commit
998ef75ddb caused this failure to happen frequently enough to cause
generic/208 to fail when run in data=journal mode.

The fix is to have our own version of this function that doesn't call
mark_dirty_buffer(), since we will end up calling
ext4_handle_dirty_metadata() on the buffer head(s) in questions very
shortly afterwards in ext4_journalled_write_end().

Thanks to Dave Hansen and Linus Torvalds for helping to identify the
root cause of the problem.

Signed-off-by: Theodore Ts'o <[email protected]>
Reviewed-by: Jan Kara <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/inode.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -1166,6 +1166,38 @@ errout:
return ret ? ret : copied;
}

+/*
+ * This is a private version of page_zero_new_buffers() which doesn't
+ * set the buffer to be dirty, since in data=journalled mode we need
+ * to call ext4_handle_dirty_metadata() instead.
+ */
+static void zero_new_buffers(struct page *page, unsigned from, unsigned to)
+{
+ unsigned int block_start = 0, block_end;
+ struct buffer_head *head, *bh;
+
+ bh = head = page_buffers(page);
+ do {
+ block_end = block_start + bh->b_size;
+ if (buffer_new(bh)) {
+ if (block_end > from && block_start < to) {
+ if (!PageUptodate(page)) {
+ unsigned start, size;
+
+ start = max(from, block_start);
+ size = min(to, block_end) - start;
+
+ zero_user(page, start, size);
+ set_buffer_uptodate(bh);
+ }
+ clear_buffer_new(bh);
+ }
+ }
+ block_start = block_end;
+ bh = bh->b_this_page;
+ } while (bh != head);
+}
+
static int ext4_journalled_write_end(struct file *file,
struct address_space *mapping,
loff_t pos, unsigned len, unsigned copied,
@@ -1191,7 +1223,7 @@ static int ext4_journalled_write_end(str
if (copied < len) {
if (!PageUptodate(page))
copied = 0;
- page_zero_new_buffers(page, from+copied, to);
+ zero_new_buffers(page, from+copied, to);
}

ret = ext4_walk_page_buffers(handle, page_buffers(page), from,

2017-06-01 16:22:12

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 109/212] cpufreq: s3c2416: double free on driver init error path

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit a69261e4470d680185a15f748d9cdafb37c57a33 upstream.

The "goto err_armclk;" error path already does a clk_put(s3c_freq->hclk);
so this is a double free.

Fixes: 34ee55075265 ([CPUFREQ] Add S3C2416/S3C2450 cpufreq driver)
Signed-off-by: Dan Carpenter <[email protected]>
Reviewed-by: Krzysztof Kozlowski <[email protected]>
Acked-by: Viresh Kumar <[email protected]>
Signed-off-by: Rafael J. Wysocki <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/cpufreq/s3c2416-cpufreq.c | 1 -
1 file changed, 1 deletion(-)

--- a/drivers/cpufreq/s3c2416-cpufreq.c
+++ b/drivers/cpufreq/s3c2416-cpufreq.c
@@ -400,7 +400,6 @@ static int s3c2416_cpufreq_driver_init(s
rate = clk_get_rate(s3c_freq->hclk);
if (rate < 133 * 1000 * 1000) {
pr_err("cpufreq: HCLK not at 133MHz\n");
- clk_put(s3c_freq->hclk);
ret = -EINVAL;
goto err_armclk;
}

2017-06-01 16:25:06

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 051/212] USB: serial: ti_usb_3410_5052: fix control-message error handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 39712e8bfa8d3aa6ce1e60fc9d62c9b076c17a30 upstream.

Make sure to detect and return an error on zero-length control-message
transfers when reading from the device.

This addresses a potential failure to detect an empty transmit buffer
during close.

Also remove a redundant check for short transfer when sending a command.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ti_usb_3410_5052.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)

--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -1357,13 +1357,10 @@ static int ti_command_out_sync(struct ti
(USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT),
value, moduleid, data, size, 1000);

- if (status == size)
- status = 0;
-
- if (status > 0)
- status = -ECOMM;
+ if (status < 0)
+ return status;

- return status;
+ return 0;
}


@@ -1379,8 +1376,7 @@ static int ti_command_in_sync(struct ti_

if (status == size)
status = 0;
-
- if (status > 0)
+ else if (status >= 0)
status = -ECOMM;

return status;

2017-06-01 16:25:24

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 073/212] w1: don't leak refcount on slave attach failure in w1_attach_slave_device()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Maciej S. Szmigiero" <[email protected]>

commit d2ce4ea1a0b0162e5d2d7e7942ab6f5cc2063d5a upstream.

Near the beginning of w1_attach_slave_device() we increment a w1 master
reference count.
Later, when we are going to exit this function without actually attaching
a slave device (due to failure of __w1_attach_slave_device()) we need to
decrement this reference count back.

Signed-off-by: Maciej S. Szmigiero <[email protected]>
Fixes: 9fcbbac5ded489 ("w1: process w1 netlink commands in w1_process thread")
Cc: Evgeniy Polyakov <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/w1/w1.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/w1/w1.c
+++ b/drivers/w1/w1.c
@@ -749,6 +749,7 @@ int w1_attach_slave_device(struct w1_mas
dev_err(&dev->dev, "%s: Attaching %s failed.\n", __func__,
sl->name);
w1_family_put(sl->family);
+ atomic_dec(&sl->master->refcnt);
kfree(sl);
return err;
}

2017-06-01 16:25:26

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 100/212] serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ian Abbott <[email protected]>

commit 1c9c858e2ff8ae8024a3d75d2ed080063af43754 upstream.

The MKS Instruments SCOM-0800 and SCOM-0801 cards (originally by Tenta
Technologies) are 3U CompactPCI serial cards with 4 and 8 serial ports,
respectively. The first 4 ports are implemented by an OX16PCI954 chip,
and the second 4 ports are implemented by an OX16C954 chip on a local
bus, bridged by the second PCI function of the OX16PCI954. The ports
are jumper-selectable as RS-232 and RS-422/485, and the UARTs use a
non-standard oscillator frequency of 20 MHz (base_baud = 1250000).

Signed-off-by: Ian Abbott <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/tty/serial/8250/8250_pci.c | 13 +++++++++++++
1 file changed, 13 insertions(+)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -2697,6 +2697,8 @@ enum pci_board_num_t {
pbn_b0_4_1152000_200,
pbn_b0_8_1152000_200,

+ pbn_b0_4_1250000,
+
pbn_b0_2_1843200,
pbn_b0_4_1843200,

@@ -2927,6 +2929,13 @@ static struct pciserial_board pci_boards
.uart_offset = 0x200,
},

+ [pbn_b0_4_1250000] = {
+ .flags = FL_BASE0,
+ .num_ports = 4,
+ .base_baud = 1250000,
+ .uart_offset = 8,
+ },
+
[pbn_b0_2_1843200] = {
.flags = FL_BASE0,
.num_ports = 2,
@@ -5526,6 +5535,10 @@ static struct pci_device_id serial_pci_t
{ PCI_DEVICE(0x1c29, 0x1108), .driver_data = pbn_fintek_8 },
{ PCI_DEVICE(0x1c29, 0x1112), .driver_data = pbn_fintek_12 },

+ /* MKS Tenta SCOM-080x serial cards */
+ { PCI_DEVICE(0x1601, 0x0800), .driver_data = pbn_b0_4_1250000 },
+ { PCI_DEVICE(0x1601, 0xa801), .driver_data = pbn_b0_4_1250000 },
+
/*
* These entries match devices with class COMMUNICATION_SERIAL,
* COMMUNICATION_MODEM or COMMUNICATION_MULTISERIAL

2017-06-01 16:25:22

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 102/212] KVM: s390: Disable dirty log retrieval for UCONTROL guests

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Janosch Frank <[email protected]>

commit e1e8a9624f7ba8ead4f056ff558ed070e86fa747 upstream.

User controlled KVM guests do not support the dirty log, as they have
no single gmap that we can check for changes.

As they have no single gmap, kvm->arch.gmap is NULL and all further
referencing to it for dirty checking will result in a NULL
dereference.

Let's return -EINVAL if a caller tries to sync dirty logs for a
UCONTROL guest.

Fixes: 15f36eb ("KVM: s390: Add proper dirty bitmap support to S390 kvm.")

Signed-off-by: Janosch Frank <[email protected]>
Reported-by: Martin Schwidefsky <[email protected]>
Reviewed-by: Cornelia Huck <[email protected]>
Signed-off-by: Christian Borntraeger <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/s390/kvm/kvm-s390.c | 3 +++
1 file changed, 3 insertions(+)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -216,6 +216,9 @@ int kvm_vm_ioctl_get_dirty_log(struct kv
struct kvm_memory_slot *memslot;
int is_dirty = 0;

+ if (kvm_is_ucontrol(kvm))
+ return -EINVAL;
+
mutex_lock(&kvm->slots_lock);

r = -EINVAL;

2017-06-01 16:26:22

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 090/212] USB: serial: digi_acceleport: fix OOB data sanity check

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 2d380889215fe20b8523345649dee0579821800c upstream.

Make sure to check for short transfers to avoid underflow in a loop
condition when parsing the receive buffer.

Also fix an off-by-one error in the incomplete sanity check which could
lead to invalid data being parsed.

Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/digi_acceleport.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1484,16 +1484,20 @@ static int digi_read_oob_callback(struct
struct usb_serial *serial = port->serial;
struct tty_struct *tty;
struct digi_port *priv = usb_get_serial_port_data(port);
+ unsigned char *buf = urb->transfer_buffer;
int opcode, line, status, val;
int i;
unsigned int rts;

+ if (urb->actual_length < 4)
+ return -1;
+
/* handle each oob command */
- for (i = 0; i < urb->actual_length - 3;) {
- opcode = ((unsigned char *)urb->transfer_buffer)[i++];
- line = ((unsigned char *)urb->transfer_buffer)[i++];
- status = ((unsigned char *)urb->transfer_buffer)[i++];
- val = ((unsigned char *)urb->transfer_buffer)[i++];
+ for (i = 0; i < urb->actual_length - 4; i += 4) {
+ opcode = buf[i];
+ line = buf[i + 1];
+ status = buf[i + 2];
+ val = buf[i + 3];

dev_dbg(&port->dev, "digi_read_oob_callback: opcode=%d, line=%d, status=%d, val=%d\n",
opcode, line, status, val);

2017-06-01 16:26:21

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 089/212] [media] uvcvideo: Fix a wrong macro

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Guennadi Liakhovetski <[email protected]>

commit 17c341ec0115837a610b2da15e32546e26068234 upstream.

Don't mix up UVC_BUF_STATE_* and VB2_BUF_STATE_* codes.

Fixes: 6998b6fb4b1c ("[media] uvcvideo: Use videobuf2-vmalloc")

Signed-off-by: Guennadi Liakhovetski <[email protected]>
Signed-off-by: Laurent Pinchart <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/usb/uvc/uvc_queue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/uvc/uvc_queue.c
+++ b/drivers/media/usb/uvc/uvc_queue.c
@@ -390,7 +390,7 @@ struct uvc_buffer *uvc_queue_next_buffer
nextbuf = NULL;
spin_unlock_irqrestore(&queue->irqlock, flags);

- buf->state = buf->error ? VB2_BUF_STATE_ERROR : UVC_BUF_STATE_DONE;
+ buf->state = buf->error ? UVC_BUF_STATE_ERROR : UVC_BUF_STATE_DONE;
vb2_set_plane_payload(&buf->buf, 0, buf->bytesused);
vb2_buffer_done(&buf->buf, VB2_BUF_STATE_DONE);


2017-06-01 16:26:16

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 096/212] ext4: fix inline data error paths

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <[email protected]>

commit eb5efbcb762aee4b454b04f7115f73ccbcf8f0ef upstream.

The write_end() function must always unlock the page and drop its ref
count, even on an error.

Signed-off-by: Theodore Ts'o <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/inline.c | 9 ++++++++-
fs/ext4/inode.c | 20 +++++++++++++++-----
2 files changed, 23 insertions(+), 6 deletions(-)

--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -931,8 +931,15 @@ int ext4_da_write_inline_data_end(struct
struct page *page)
{
int i_size_changed = 0;
+ int ret;

- copied = ext4_write_inline_data_end(inode, pos, len, copied, page);
+ ret = ext4_write_inline_data_end(inode, pos, len, copied, page);
+ if (ret < 0) {
+ unlock_page(page);
+ put_page(page);
+ return ret;
+ }
+ copied = ret;

/*
* No need to use i_size_read() here, the i_size
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -1118,8 +1118,11 @@ static int ext4_write_end(struct file *f
if (ext4_has_inline_data(inode)) {
ret = ext4_write_inline_data_end(inode, pos, len,
copied, page);
- if (ret < 0)
+ if (ret < 0) {
+ unlock_page(page);
+ put_page(page);
goto errout;
+ }
copied = ret;
} else
copied = block_write_end(file, mapping, pos,
@@ -1218,10 +1221,16 @@ static int ext4_journalled_write_end(str

BUG_ON(!ext4_handle_valid(handle));

- if (ext4_has_inline_data(inode))
- copied = ext4_write_inline_data_end(inode, pos, len,
- copied, page);
- else if (unlikely(copied < len) && !PageUptodate(page)) {
+ if (ext4_has_inline_data(inode)) {
+ ret = ext4_write_inline_data_end(inode, pos, len,
+ copied, page);
+ if (ret < 0) {
+ unlock_page(page);
+ put_page(page);
+ goto errout;
+ }
+ copied = ret;
+ } else if (unlikely(copied < len) && !PageUptodate(page)) {
copied = 0;
ext4_journalled_zero_new_buffers(handle, page, from, to);
} else {
@@ -1253,6 +1262,7 @@ static int ext4_journalled_write_end(str
*/
ext4_orphan_add(handle, inode);

+errout:
ret2 = ext4_journal_stop(handle);
if (!ret)
ret = ret2;

2017-06-01 16:26:19

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 041/212] USB: serial: ark3116: fix register-accessor error handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 9fef37d7cf170522fb354d6d0ea6de09b9b16678 upstream.

The current implementation failed to detect short transfers, something
which could lead to bits of the uninitialised heap transfer buffer
leaking to user space.

Fixes: 149fc791a452 ("USB: ark3116: Setup some basic infrastructure for
new ark3116 driver.")
Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware
and add close and release functions.")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ark3116.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/usb/serial/ark3116.c
+++ b/drivers/usb/serial/ark3116.c
@@ -99,10 +99,17 @@ static int ark3116_read_reg(struct usb_s
usb_rcvctrlpipe(serial->dev, 0),
0xfe, 0xc0, 0, reg,
buf, 1, ARK_TIMEOUT);
- if (result < 0)
+ if (result < 1) {
+ dev_err(&serial->interface->dev,
+ "failed to read register %u: %d\n",
+ reg, result);
+ if (result >= 0)
+ result = -EIO;
+
return result;
- else
- return buf[0];
+ }
+
+ return buf[0];
}

static inline int calc_divisor(int bps)

2017-06-01 15:44:49

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 062/212] power: supply: bq24190_charger: Call power_supply_changed() for relevant component

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liam Breck <[email protected]>

commit 2d9fee6a42ea170e4378b3363a7ad385d0e67281 upstream.

We wrongly get uevents for bq24190-charger and bq24190-battery on every
register change.

Fix by checking the association with charger and battery before
emitting uevent(s).

Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
Signed-off-by: Liam Breck <[email protected]>
Acked-by: Mark Greer <[email protected]>
Acked-by: Tony Lindgren <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/power/bq24190_charger.c | 50 ++++++++++++++++++----------------
1 file changed, 27 insertions(+), 23 deletions(-)

--- a/drivers/power/bq24190_charger.c
+++ b/drivers/power/bq24190_charger.c
@@ -159,7 +159,6 @@ struct bq24190_dev_info {
unsigned int gpio_int;
unsigned int irq;
struct mutex f_reg_lock;
- bool first_time;
bool charger_health_valid;
bool battery_health_valid;
bool battery_status_valid;
@@ -1207,7 +1206,10 @@ static void bq24190_battery_init(struct
static irqreturn_t bq24190_irq_handler_thread(int irq, void *data)
{
struct bq24190_dev_info *bdi = data;
- bool alert_userspace = false;
+ const u8 battery_mask_ss = BQ24190_REG_SS_CHRG_STAT_MASK;
+ const u8 battery_mask_f = BQ24190_REG_F_BAT_FAULT_MASK
+ | BQ24190_REG_F_NTC_FAULT_MASK;
+ bool alert_charger = false, alert_battery = false;
u8 ss_reg = 0, f_reg = 0;
int ret;

@@ -1235,8 +1237,12 @@ static irqreturn_t bq24190_irq_handler_t
ret);
}

+ if ((bdi->ss_reg & battery_mask_ss) != (ss_reg & battery_mask_ss))
+ alert_battery = true;
+ if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss))
+ alert_charger = true;
+
bdi->ss_reg = ss_reg;
- alert_userspace = true;
}

mutex_lock(&bdi->f_reg_lock);
@@ -1249,33 +1255,23 @@ static irqreturn_t bq24190_irq_handler_t
}

if (f_reg != bdi->f_reg) {
+ if ((bdi->f_reg & battery_mask_f) != (f_reg & battery_mask_f))
+ alert_battery = true;
+ if ((bdi->f_reg & ~battery_mask_f) != (f_reg & ~battery_mask_f))
+ alert_charger = true;
+
bdi->f_reg = f_reg;
bdi->charger_health_valid = true;
bdi->battery_health_valid = true;
bdi->battery_status_valid = true;
-
- alert_userspace = true;
}

mutex_unlock(&bdi->f_reg_lock);

- /*
- * Sometimes bq24190 gives a steady trickle of interrupts even
- * though the watchdog timer is turned off and neither the STATUS
- * nor FAULT registers have changed. Weed out these sprurious
- * interrupts so userspace isn't alerted for no reason.
- * In addition, the chip always generates an interrupt after
- * register reset so we should ignore that one (the very first
- * interrupt received).
- */
- if (alert_userspace) {
- if (!bdi->first_time) {
- power_supply_changed(&bdi->charger);
- power_supply_changed(&bdi->battery);
- } else {
- bdi->first_time = false;
- }
- }
+ if (alert_charger)
+ power_supply_changed(&bdi->charger);
+ if (alert_battery)
+ power_supply_changed(&bdi->battery);

out:
pm_runtime_put_sync(bdi->dev);
@@ -1310,6 +1306,10 @@ static int bq24190_hw_init(struct bq2419
goto out;

ret = bq24190_set_mode_host(bdi);
+ if (ret < 0)
+ goto out;
+
+ ret = bq24190_read(bdi, BQ24190_REG_SS, &bdi->ss_reg);
out:
pm_runtime_put_sync(bdi->dev);
return ret;
@@ -1384,7 +1384,8 @@ static int bq24190_probe(struct i2c_clie
bdi->model = id->driver_data;
strncpy(bdi->model_name, id->name, I2C_NAME_SIZE);
mutex_init(&bdi->f_reg_lock);
- bdi->first_time = true;
+ bdi->f_reg = 0;
+ bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
bdi->charger_health_valid = false;
bdi->battery_health_valid = false;
bdi->battery_status_valid = false;
@@ -1494,6 +1495,8 @@ static int bq24190_pm_resume(struct devi
struct i2c_client *client = to_i2c_client(dev);
struct bq24190_dev_info *bdi = i2c_get_clientdata(client);

+ bdi->f_reg = 0;
+ bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
bdi->charger_health_valid = false;
bdi->battery_health_valid = false;
bdi->battery_status_valid = false;
@@ -1501,6 +1504,7 @@ static int bq24190_pm_resume(struct devi
pm_runtime_get_sync(bdi->dev);
bq24190_register_reset(bdi);
bq24190_set_mode_host(bdi);
+ bq24190_read(bdi, BQ24190_REG_SS, &bdi->ss_reg);
pm_runtime_put_sync(bdi->dev);

/* Things may have changed while suspended so alert upper layer */

2017-06-01 16:27:24

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 086/212] staging: wlan-ng: add missing byte order conversion

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Igor Pylypiv <[email protected]>

commit 2c474b8579e9b67ff72b2bcefce9f53c7f4469d4 upstream.

Conversion macros le16_to_cpu was removed and that caused new sparse warning

sparse output:
drivers/staging/wlan-ng/p80211netdev.c:241:44: warning: incorrect type in argument 2 (different base types)
drivers/staging/wlan-ng/p80211netdev.c:241:44: expected unsigned short [unsigned] [usertype] fc
drivers/staging/wlan-ng/p80211netdev.c:241:44: got restricted __le16 [usertype] fc

Fixes: 7ad82572348c ("staging:wlan-ng:Fix sparse warning")
Signed-off-by: Igor Pylypiv <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/staging/wlan-ng/p80211netdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/wlan-ng/p80211netdev.c
+++ b/drivers/staging/wlan-ng/p80211netdev.c
@@ -257,7 +257,7 @@ static int p80211_convert_to_ether(wland
struct p80211_hdr_a3 *hdr;

hdr = (struct p80211_hdr_a3 *) skb->data;
- if (p80211_rx_typedrop(wlandev, hdr->fc))
+ if (p80211_rx_typedrop(wlandev, le16_to_cpu(hdr->fc)))
return CONV_TO_ETHER_SKIPPED;

/* perform mcast filtering: allow my local address through but reject

2017-06-01 16:27:23

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 088/212] iommu/vt-d: Don't over-free page table directories

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: David Dillow <[email protected]>

commit f7116e115acdd74bc75a4daf6492b11d43505125 upstream.

dma_pte_free_level() recurses down the IOMMU page tables and frees
directory pages that are entirely contained in the given PFN range.
Unfortunately, it incorrectly calculates the starting address covered
by the PTE under consideration, which can lead to it clearing an entry
that is still in use.

This occurs if we have a scatterlist with an entry that has a length
greater than 1026 MB and is aligned to 2 MB for both the IOMMU and
physical addresses. For example, if __domain_mapping() is asked to map a
two-entry scatterlist with 2 MB and 1028 MB segments to PFN 0xffff80000,
it will ask if dma_pte_free_pagetable() is asked to PFNs from
0xffff80200 to 0xffffc05ff, it will also incorrectly clear the PFNs from
0xffff80000 to 0xffff801ff because of this issue. The current code will
set level_pfn to 0xffff80200, and 0xffff80200-0xffffc01ff fits inside
the range being cleared. Properly setting the level_pfn for the current
level under consideration catches that this PTE is outside of the range
being cleared.

This patch also changes the value passed into dma_pte_free_level() when
it recurses. This only affects the first PTE of the range being cleared,
and is handled by the existing code that ensures we start our cursor no
lower than start_pfn.

This was found when using dma_map_sg() to map large chunks of contiguous
memory, which immediatedly led to faults on the first access of the
erroneously-deleted mappings.

Fixes: 3269ee0bd668 ("intel-iommu: Fix leaks in pagetable freeing")
Reviewed-by: Benjamin Serebrin <[email protected]>
Signed-off-by: David Dillow <[email protected]>
Signed-off-by: Joerg Roedel <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/iommu/intel-iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -972,7 +972,7 @@ static void dma_pte_free_level(struct dm
if (!dma_pte_present(pte) || dma_pte_superpage(pte))
goto next;

- level_pfn = pfn & level_mask(level - 1);
+ level_pfn = pfn & level_mask(level);
level_pte = phys_to_virt(dma_pte_addr(pte));

if (level > 2)

2017-06-01 16:27:22

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 087/212] [media] media: fix dm1105.c build error

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <[email protected]>

commit e3bb3cddd177550d63a3e4909cf1a7782f13414d upstream.

Fix dm1105 build error when CONFIG_I2C_ALGOBIT=m and
CONFIG_DVB_DM1105=y.

drivers/built-in.o: In function `dm1105_probe':
dm1105.c:(.text+0x2836e7): undefined reference to `i2c_bit_add_bus'

Signed-off-by: Randy Dunlap <[email protected]>
Reported-by: kbuild test robot <[email protected]>
Cc: Javier Martinez Canillas <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/media/pci/dm1105/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/pci/dm1105/Kconfig
+++ b/drivers/media/pci/dm1105/Kconfig
@@ -1,6 +1,6 @@
config DVB_DM1105
tristate "SDMC DM1105 based PCI cards"
- depends on DVB_CORE && PCI && I2C
+ depends on DVB_CORE && PCI && I2C && I2C_ALGOBIT
select DVB_PLL if MEDIA_SUBDRV_AUTOSELECT
select DVB_STV0299 if MEDIA_SUBDRV_AUTOSELECT
select DVB_STV0288 if MEDIA_SUBDRV_AUTOSELECT

2017-06-01 16:28:06

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 064/212] power: supply: bq24190_charger: Handle fault before status on interrupt

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liam Breck <[email protected]>

commit ba52e75718784fda1b683ee0bfded72a0b83b047 upstream.

Reading both fault and status registers and logging any fault should
take priority over handling status register update.

Fix by moving the status handling to later in interrupt routine.

Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
Signed-off-by: Liam Breck <[email protected]>
Acked-by: Mark Greer <[email protected]>
Acked-by: Tony Lindgren <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/power/bq24190_charger.c | 46 +++++++++++++++++-----------------
1 file changed, 23 insertions(+), 23 deletions(-)

--- a/drivers/power/bq24190_charger.c
+++ b/drivers/power/bq24190_charger.c
@@ -1185,29 +1185,6 @@ static irqreturn_t bq24190_irq_handler_t
goto out;
}

- if (ss_reg != bdi->ss_reg) {
- /*
- * The device is in host mode so when PG_STAT goes from 1->0
- * (i.e., power removed) HIZ needs to be disabled.
- */
- if ((bdi->ss_reg & BQ24190_REG_SS_PG_STAT_MASK) &&
- !(ss_reg & BQ24190_REG_SS_PG_STAT_MASK)) {
- ret = bq24190_write_mask(bdi, BQ24190_REG_ISC,
- BQ24190_REG_ISC_EN_HIZ_MASK,
- BQ24190_REG_ISC_EN_HIZ_SHIFT,
- 0);
- if (ret < 0)
- dev_err(bdi->dev, "Can't access ISC reg: %d\n",
- ret);
- }
-
- if ((bdi->ss_reg & battery_mask_ss) != (ss_reg & battery_mask_ss))
- alert_battery = true;
- if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss))
- alert_charger = true;
- bdi->ss_reg = ss_reg;
- }
-
i = 0;
do {
ret = bq24190_read(bdi, BQ24190_REG_F, &f_reg);
@@ -1234,6 +1211,29 @@ static irqreturn_t bq24190_irq_handler_t
mutex_unlock(&bdi->f_reg_lock);
}

+ if (ss_reg != bdi->ss_reg) {
+ /*
+ * The device is in host mode so when PG_STAT goes from 1->0
+ * (i.e., power removed) HIZ needs to be disabled.
+ */
+ if ((bdi->ss_reg & BQ24190_REG_SS_PG_STAT_MASK) &&
+ !(ss_reg & BQ24190_REG_SS_PG_STAT_MASK)) {
+ ret = bq24190_write_mask(bdi, BQ24190_REG_ISC,
+ BQ24190_REG_ISC_EN_HIZ_MASK,
+ BQ24190_REG_ISC_EN_HIZ_SHIFT,
+ 0);
+ if (ret < 0)
+ dev_err(bdi->dev, "Can't access ISC reg: %d\n",
+ ret);
+ }
+
+ if ((bdi->ss_reg & battery_mask_ss) != (ss_reg & battery_mask_ss))
+ alert_battery = true;
+ if ((bdi->ss_reg & ~battery_mask_ss) != (ss_reg & ~battery_mask_ss))
+ alert_charger = true;
+ bdi->ss_reg = ss_reg;
+ }
+
if (alert_charger)
power_supply_changed(&bdi->charger);
if (alert_battery)

2017-06-01 16:28:05

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 085/212] bcma: use (get|put)_device when probing/removing device driver

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Rafał Miłecki <[email protected]>

commit a971df0b9d04674e325346c17de9a895425ca5e1 upstream.

This allows tracking device state and e.g. makes devm work as expected.

Signed-off-by: Rafał Miłecki <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/bcma/main.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/bcma/main.c
+++ b/drivers/bcma/main.c
@@ -450,8 +450,11 @@ static int bcma_device_probe(struct devi
drv);
int err = 0;

+ get_device(dev);
if (adrv->probe)
err = adrv->probe(core);
+ if (err)
+ put_device(dev);

return err;
}
@@ -464,6 +467,7 @@ static int bcma_device_remove(struct dev

if (adrv->remove)
adrv->remove(core);
+ put_device(dev);

return 0;
}

2017-06-01 16:28:36

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 083/212] arm/arm64: KVM: Enforce unconditional flush to PoC when mapping to stage-2

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <[email protected]>

commit 8f36ebaf21fdae99c091c67e8b6fab33969f2667 upstream.

When we fault in a page, we flush it to the PoC (Point of Coherency)
if the faulting vcpu has its own caches off, so that it can observe
the page we just brought it.

But if the vcpu has its caches on, we skip that step. Bad things
happen when *another* vcpu tries to access that page with its own
caches disabled. At that point, there is no garantee that the
data has made it to the PoC, and we access stale data.

The obvious fix is to always flush to PoC when a page is faulted
in, no matter what the state of the vcpu is.

Fixes: 2d58b733c876 ("arm64: KVM: force cache clean on page fault when caches are off")
Reviewed-by: Christoffer Dall <[email protected]>
Signed-off-by: Marc Zyngier <[email protected]>
[bwh: Backported to 3.16: conditions for flushing were simpler here]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/arm/include/asm/kvm_mmu.h | 9 +--------
arch/arm64/include/asm/kvm_mmu.h | 3 +--
2 files changed, 2 insertions(+), 10 deletions(-)

--- a/arch/arm/include/asm/kvm_mmu.h
+++ b/arch/arm/include/asm/kvm_mmu.h
@@ -142,8 +142,7 @@ static inline bool vcpu_has_cache_enable
static inline void coherent_cache_guest_page(struct kvm_vcpu *vcpu, hva_t hva,
unsigned long size)
{
- if (!vcpu_has_cache_enabled(vcpu))
- kvm_flush_dcache_to_poc((void *)hva, size);
+ kvm_flush_dcache_to_poc((void *)hva, size);

/*
* If we are going to insert an instruction page and the icache is
--- a/arch/arm64/include/asm/kvm_mmu.h
+++ b/arch/arm64/include/asm/kvm_mmu.h
@@ -141,8 +141,7 @@ static inline bool vcpu_has_cache_enable
static inline void coherent_cache_guest_page(struct kvm_vcpu *vcpu, hva_t hva,
unsigned long size)
{
- if (!vcpu_has_cache_enabled(vcpu))
- kvm_flush_dcache_to_poc((void *)hva, size);
+ kvm_flush_dcache_to_poc((void *)hva, size);

if (!icache_is_aliasing()) { /* PIPT */
flush_icache_range(hva, hva + size);

2017-06-01 16:28:58

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 035/212] IB/ipoib: Fix deadlock between rmmod and set_mode

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Feras Daoud <[email protected]>

commit 0a0007f28304cb9fc87809c86abb80ec71317f20 upstream.

When calling set_mode from sys/fs, the call flow locks the sys/fs lock
first and then tries to lock rtnl_lock (when calling ipoib_set_mod).
On the other hand, the rmmod call flow takes the rtnl_lock first
(when calling unregister_netdev) and then tries to take the sys/fs
lock. Deadlock a->b, b->a.

The problem starts when ipoib_set_mod frees it's rtnl_lck and tries
to get it after that.

set_mod:
[<ffffffff8104f2bd>] ? check_preempt_curr+0x6d/0x90
[<ffffffff814fee8e>] __mutex_lock_slowpath+0x13e/0x180
[<ffffffff81448655>] ? __rtnl_unlock+0x15/0x20
[<ffffffff814fed2b>] mutex_lock+0x2b/0x50
[<ffffffff81448675>] rtnl_lock+0x15/0x20
[<ffffffffa02ad807>] ipoib_set_mode+0x97/0x160 [ib_ipoib]
[<ffffffffa02b5f5b>] set_mode+0x3b/0x80 [ib_ipoib]
[<ffffffff8134b840>] dev_attr_store+0x20/0x30
[<ffffffff811f0fe5>] sysfs_write_file+0xe5/0x170
[<ffffffff8117b068>] vfs_write+0xb8/0x1a0
[<ffffffff8117ba81>] sys_write+0x51/0x90
[<ffffffff8100b0f2>] system_call_fastpath+0x16/0x1b

rmmod:
[<ffffffff81279ffc>] ? put_dec+0x10c/0x110
[<ffffffff8127a2ee>] ? number+0x2ee/0x320
[<ffffffff814fe6a5>] schedule_timeout+0x215/0x2e0
[<ffffffff8127cc04>] ? vsnprintf+0x484/0x5f0
[<ffffffff8127b550>] ? string+0x40/0x100
[<ffffffff814fe323>] wait_for_common+0x123/0x180
[<ffffffff81060250>] ? default_wake_function+0x0/0x20
[<ffffffff8119661e>] ? ifind_fast+0x5e/0xb0
[<ffffffff814fe43d>] wait_for_completion+0x1d/0x20
[<ffffffff811f2e68>] sysfs_addrm_finish+0x228/0x270
[<ffffffff811f2fb3>] sysfs_remove_dir+0xa3/0xf0
[<ffffffff81273f66>] kobject_del+0x16/0x40
[<ffffffff8134cd14>] device_del+0x184/0x1e0
[<ffffffff8144e59b>] netdev_unregister_kobject+0xab/0xc0
[<ffffffff8143c05e>] rollback_registered+0xae/0x130
[<ffffffff8143c102>] unregister_netdevice+0x22/0x70
[<ffffffff8143c16e>] unregister_netdev+0x1e/0x30
[<ffffffffa02a91b0>] ipoib_remove_one+0xe0/0x120 [ib_ipoib]
[<ffffffffa01ed95f>] ib_unregister_device+0x4f/0x100 [ib_core]
[<ffffffffa021f5e1>] mlx4_ib_remove+0x41/0x180 [mlx4_ib]
[<ffffffffa01ab771>] mlx4_remove_device+0x71/0x90 [mlx4_core]

Fixes: 862096a8bbf8 ("IB/ipoib: Add more rtnl_link_ops callbacks")
Cc: Or Gerlitz <[email protected]>
Signed-off-by: Feras Daoud <[email protected]>
Signed-off-by: Erez Shitrit <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 12 +++++++-----
drivers/infiniband/ulp/ipoib/ipoib_main.c | 6 ++----
2 files changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1496,12 +1496,14 @@ static ssize_t set_mode(struct device *d

ret = ipoib_set_mode(dev, buf);

- rtnl_unlock();
+ /* The assumption is that the function ipoib_set_mode returned
+ * with the rtnl held by it, if not the value -EBUSY returned,
+ * then no need to rtnl_unlock
+ */
+ if (ret != -EBUSY)
+ rtnl_unlock();

- if (!ret)
- return count;
-
- return ret;
+ return (!ret || ret == -EBUSY) ? count : ret;
}

static DEVICE_ATTR(mode, S_IWUSR | S_IRUGO, show_mode, set_mode);
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -243,8 +243,7 @@ int ipoib_set_mode(struct net_device *de
priv->tx_wr.send_flags &= ~IB_SEND_IP_CSUM;

ipoib_flush_paths(dev);
- rtnl_lock();
- return 0;
+ return (!rtnl_trylock()) ? -EBUSY : 0;
}

if (!strcmp(buf, "datagram\n")) {
@@ -253,8 +252,7 @@ int ipoib_set_mode(struct net_device *de
dev_set_mtu(dev, min(priv->mcast_mtu, dev->mtu));
rtnl_unlock();
ipoib_flush_paths(dev);
- rtnl_lock();
- return 0;
+ return (!rtnl_trylock()) ? -EBUSY : 0;
}

return -EINVAL;

2017-06-01 16:28:55

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 058/212] power: supply: bq24190_charger: Fix irq trigger to IRQF_TRIGGER_FALLING

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liam Breck <[email protected]>

commit 767eee362fd72bb2ca44cc80419ca4b38c6d8369 upstream.

The interrupt signal is TRIGGER_FALLING. This is is specified in the
data sheet PIN FUNCTIONS: "The INT pin sends active low, 256us
pulse to host to report charger device status and fault."

Also the direction can be seen in the data sheet Figure 37 "BQ24190
with D+/D- Detection and USB On-The-Go (OTG)" which shows a 10k
pull-up resistor installed for the sample configurations.

Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
Signed-off-by: Liam Breck <[email protected]>
Acked-by: Mark Greer <[email protected]>
Acked-by: Tony Lindgren <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/power/bq24190_charger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/power/bq24190_charger.c
+++ b/drivers/power/bq24190_charger.c
@@ -1400,7 +1400,7 @@ static int bq24190_probe(struct i2c_clie

ret = devm_request_threaded_irq(dev, bdi->irq, NULL,
bq24190_irq_handler_thread,
- IRQF_TRIGGER_RISING | IRQF_ONESHOT,
+ IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
"bq24190-charger", bdi);
if (ret < 0) {
dev_err(dev, "Can't set up irq handler\n");

2017-06-01 16:28:54

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 032/212] RDMA/core: Fix incorrect structure packing for booleans

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <[email protected]>

commit 55efcfcd7776165b294f8b5cd6e05ca00ec89b7c upstream.

The RDMA core uses ib_pack() to convert from unpacked CPU structs
to on-the-wire bitpacked structs.

This process requires that 1 bit fields are declared as u8 in the
unpacked struct, otherwise the packing process does not read the
value properly and the packed result is wired to 0. Several
places wrongly used int.

Crucially this means the kernel has never, set reversible
correctly in the path record request. It has always asked for
irreversible paths even if the ULP requests otherwise.

When the kernel is used with a SM that supports this feature, it
completely breaks communication management if reversible paths are
not properly requested.

The only reason this ever worked is because opensm ignores the
reversible bit.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
include/rdma/ib_sa.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/include/rdma/ib_sa.h
+++ b/include/rdma/ib_sa.h
@@ -137,12 +137,12 @@ struct ib_sa_path_rec {
union ib_gid sgid;
__be16 dlid;
__be16 slid;
- int raw_traffic;
+ u8 raw_traffic;
/* reserved */
__be32 flow_label;
u8 hop_limit;
u8 traffic_class;
- int reversible;
+ u8 reversible;
u8 numb_path;
__be16 pkey;
__be16 qos_class;
@@ -196,7 +196,7 @@ struct ib_sa_mcmember_rec {
u8 hop_limit;
u8 scope;
u8 join_state;
- int proxy_join;
+ u8 proxy_join;
};

/* Service Record Component Mask Sec 15.2.5.14 Ver 1.1 */

2017-06-01 16:28:52

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 059/212] power: supply: bq24190_charger: Call set_mode_host() on pm_resume()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Liam Breck <[email protected]>

commit e05ad7e0741ce0505e1df157c62b22b95172bb97 upstream.

pm_resume() does a register_reset() which clears charger host mode.

Fix by calling set_mode_host() after the reset.

Fixes: d7bf353fd0aa3 ("bq24190_charger: Add support for TI BQ24190 Battery Charger")
Signed-off-by: Liam Breck <[email protected]>
Acked-by: Mark Greer <[email protected]>
Acked-by: Tony Lindgren <[email protected]>
Signed-off-by: Sebastian Reichel <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/power/bq24190_charger.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/power/bq24190_charger.c
+++ b/drivers/power/bq24190_charger.c
@@ -1496,6 +1496,7 @@ static int bq24190_pm_resume(struct devi

pm_runtime_get_sync(bdi->dev);
bq24190_register_reset(bdi);
+ bq24190_set_mode_host(bdi);
pm_runtime_put_sync(bdi->dev);

/* Things may have changed while suspended so alert upper layer */

2017-06-01 16:28:50

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 042/212] USB: serial: ark3116: fix open error handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit b631433b175f1002a31020e09bbfc2e5caecf290 upstream.

Fix open error handling which failed to detect errors when reading the
MSR and LSR registers, something which could lead to the shadow
registers being initialised from errnos.

Note that calling the generic close implementation is sufficient in the
error paths as the interrupt urb has not yet been submitted and the
register updates have not been made.

Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware
and add close and release functions.")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ark3116.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)

--- a/drivers/usb/serial/ark3116.c
+++ b/drivers/usb/serial/ark3116.c
@@ -373,23 +373,29 @@ static int ark3116_open(struct tty_struc
dev_dbg(&port->dev,
"%s - usb_serial_generic_open failed: %d\n",
__func__, result);
- goto err_out;
+ goto err_free;
}

/* remove any data still left: also clears error state */
ark3116_read_reg(serial, UART_RX, buf);

/* read modem status */
- priv->msr = ark3116_read_reg(serial, UART_MSR, buf);
+ result = ark3116_read_reg(serial, UART_MSR, buf);
+ if (result < 0)
+ goto err_close;
+ priv->msr = *buf;
+
/* read line status */
- priv->lsr = ark3116_read_reg(serial, UART_LSR, buf);
+ result = ark3116_read_reg(serial, UART_LSR, buf);
+ if (result < 0)
+ goto err_close;
+ priv->lsr = *buf;

result = usb_submit_urb(port->interrupt_in_urb, GFP_KERNEL);
if (result) {
dev_err(&port->dev, "submit irq_in urb failed %d\n",
result);
- ark3116_close(port);
- goto err_out;
+ goto err_close;
}

/* activate interrupts */
@@ -402,8 +408,15 @@ static int ark3116_open(struct tty_struc
if (tty)
ark3116_set_termios(tty, port, NULL);

-err_out:
kfree(buf);
+
+ return 0;
+
+err_close:
+ usb_serial_generic_close(port);
+err_free:
+ kfree(buf);
+
return result;
}


2017-06-01 15:44:47

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 013/212] scsi: storvsc: use tagged SRB requests if supported by the device

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Long Li <[email protected]>

commit 3cd6d3d9b1abab8dcdf0800224ce26daac24eea2 upstream.

Properly set SRB flags when hosting device supports tagged queuing.
This patch improves the performance on Fiber Channel disks.

Signed-off-by: Long Li <[email protected]>
Reviewed-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/storvsc_drv.c | 9 +++++++++
1 file changed, 9 insertions(+)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -133,6 +133,8 @@ struct hv_fc_wwn_packet {
#define SRB_FLAGS_PORT_DRIVER_RESERVED 0x0F000000
#define SRB_FLAGS_CLASS_DRIVER_RESERVED 0xF0000000

+#define SP_UNTAGGED ((unsigned char) ~0)
+#define SRB_SIMPLE_TAG_REQUEST 0x20

/*
* Platform neutral description of a scsi request -
@@ -1612,6 +1614,13 @@ static int storvsc_queuecommand(struct S
vm_srb->win8_extension.srb_flags |=
SRB_FLAGS_DISABLE_SYNCH_TRANSFER;

+ if (scmnd->device->tagged_supported) {
+ vm_srb->win8_extension.srb_flags |=
+ (SRB_FLAGS_QUEUE_ACTION_ENABLE | SRB_FLAGS_NO_QUEUE_FREEZE);
+ vm_srb->win8_extension.queue_tag = SP_UNTAGGED;
+ vm_srb->win8_extension.queue_action = SRB_SIMPLE_TAG_REQUEST;
+ }
+
/* Build the SRB */
switch (scmnd->sc_data_direction) {
case DMA_TO_DEVICE:

2017-06-01 16:30:03

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 015/212] scsi: storvsc: properly handle SRB_ERROR when sense message is present

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Long Li <[email protected]>

commit bba5dc332ec2d3a685cb4dae668c793f6a3713a3 upstream.

When sense message is present on error, we should pass along to the upper
layer to decide how to deal with the error.
This patch fixes connectivity issues with Fiber Channel devices.

Signed-off-by: Long Li <[email protected]>
Reviewed-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/storvsc_drv.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1014,6 +1014,13 @@ static void storvsc_handle_error(struct
switch (SRB_STATUS(vm_srb->srb_status)) {
case SRB_STATUS_ERROR:
/*
+ * Let upper layer deal with error when
+ * sense message is present.
+ */
+
+ if (vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID)
+ break;
+ /*
* If there is an error; offline the device since all
* error recovery strategies would have already been
* deployed on the host side. However, if the command

2017-06-01 16:30:17

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 052/212] USB: serial: opticon: fix CTS retrieval at open

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 2eee05020a0e7ee7c04422cbacdb07859e45dce6 upstream.

The opticon driver used a control request at open to trigger a CTS
status notification to be sent over the bulk-in pipe. When the driver
was converted to using the generic read implementation, an inverted test
prevented this request from being sent, something which could lead to
TIOCMGET reporting an incorrect CTS state.

Reported-by: Dan Carpenter <[email protected]>
Fixes: 7a6ee2b02751 ("USB: opticon: switch to generic read
implementation")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/opticon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/serial/opticon.c
+++ b/drivers/usb/serial/opticon.c
@@ -142,7 +142,7 @@ static int opticon_open(struct tty_struc
usb_clear_halt(port->serial->dev, port->read_urb->pipe);

res = usb_serial_generic_open(tty, port);
- if (!res)
+ if (res)
return res;

/* Request CTS line state, sometimes during opening the current

2017-06-01 16:30:43

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 074/212] USB: serial: ftdi_sio: fix extreme low-latency setting

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit c6dce2626606ef16434802989466636bc28c1419 upstream.

Since commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY
flag") the FTDI driver has been using a receive latency-timer value of
1 ms instead of the device default of 16 ms.

The latency timer is used to periodically empty a non-full receive
buffer, but a status header is always sent when the timer expires
including when the buffer is empty. This means that a two-byte bulk
message is received every millisecond also for an otherwise idle port as
long as it is open.

Let's restore the pre-2009 behaviour which reduces the rate of the
status messages to 1/16th (e.g. interrupt frequency drops from 1 kHz to
62.5 Hz) by not setting ASYNC_LOW_LATENCY by default.

Anyone willing to pay the price for the minimum-latency behaviour should
set the flag explicitly instead using the TIOCSSERIAL ioctl or a tool
such as setserial (e.g. setserial /dev/ttyUSB0 low_latency).

Note that since commit 0cbd81a9f6ba ("USB: ftdi_sio: remove
tty->low_latency") the ASYNC_LOW_LATENCY flag has no other effects but
to set a minimal latency timer.

Reported-by: Antoine Aubert <[email protected]>
Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag")
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ftdi_sio.c | 2 --
1 file changed, 2 deletions(-)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1828,8 +1828,6 @@ static int ftdi_sio_port_probe(struct us

mutex_init(&priv->cfg_lock);

- priv->flags = ASYNC_LOW_LATENCY;
-
if (quirk && quirk->port_probe)
quirk->port_probe(priv);


2017-06-01 16:30:45

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 072/212] w1: ds2490: USB transfer buffers need to be DMAable

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "Maciej S. Szmigiero" <[email protected]>

commit 61cd1b4cd1e8f7f7642ab64529d9bd52e8374641 upstream.

ds2490 driver was doing USB transfers from / to buffers on a stack.
This is not permitted and made the driver non-working with vmapped stacks.

Since all these transfers are done under the same bus_mutex lock we can
simply use shared buffers in a device private structure for two most common
of them.

While we are at it, let's also fix a comparison between int and size_t in
ds9490r_search() which made the driver spin in this function if state
register get requests were failing.

Signed-off-by: Maciej S. Szmigiero <[email protected]>
Acked-by: Evgeniy Polyakov <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: old code was using printk() directly]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/w1/masters/ds2490.c | 142 ++++++++++++++++++++++++++------------------
1 file changed, 84 insertions(+), 58 deletions(-)

--- a/drivers/w1/masters/ds2490.c
+++ b/drivers/w1/masters/ds2490.c
@@ -153,6 +153,9 @@ struct ds_device
*/
u16 spu_bit;

+ u8 st_buf[ST_SIZE];
+ u8 byte_buf;
+
struct w1_bus_master master;
};

@@ -174,7 +177,6 @@ struct ds_status
u8 data_in_buffer_status;
u8 reserved1;
u8 reserved2;
-
};

static struct usb_device_id ds_id_table [] = {
@@ -244,27 +246,6 @@ static int ds_send_control(struct ds_dev
return err;
}

-static int ds_recv_status_nodump(struct ds_device *dev, struct ds_status *st,
- unsigned char *buf, int size)
-{
- int count, err;
-
- memset(st, 0, sizeof(*st));
-
- count = 0;
- err = usb_interrupt_msg(dev->udev, usb_rcvintpipe(dev->udev,
- dev->ep[EP_STATUS]), buf, size, &count, 1000);
- if (err < 0) {
- printk(KERN_ERR "Failed to read 1-wire data from 0x%x: err=%d.\n", dev->ep[EP_STATUS], err);
- return err;
- }
-
- if (count >= sizeof(*st))
- memcpy(st, buf, sizeof(*st));
-
- return count;
-}
-
static inline void ds_print_msg(unsigned char *buf, unsigned char *str, int off)
{
printk(KERN_INFO "%45s: %8x\n", str, buf[off]);
@@ -323,6 +304,35 @@ static void ds_dump_status(struct ds_dev
}
}

+static int ds_recv_status(struct ds_device *dev, struct ds_status *st,
+ bool dump)
+{
+ int count, err;
+
+ if (st)
+ memset(st, 0, sizeof(*st));
+
+ count = 0;
+ err = usb_interrupt_msg(dev->udev,
+ usb_rcvintpipe(dev->udev,
+ dev->ep[EP_STATUS]),
+ dev->st_buf, sizeof(dev->st_buf),
+ &count, 1000);
+ if (err < 0) {
+ pr_err("Failed to read 1-wire data from 0x%x: err=%d.\n",
+ dev->ep[EP_STATUS], err);
+ return err;
+ }
+
+ if (dump)
+ ds_dump_status(dev, dev->st_buf, count);
+
+ if (st && count >= sizeof(*st))
+ memcpy(st, dev->st_buf, sizeof(*st));
+
+ return count;
+}
+
static void ds_reset_device(struct ds_device *dev)
{
ds_send_control_cmd(dev, CTL_RESET_DEVICE, 0);
@@ -345,7 +355,6 @@ static void ds_reset_device(struct ds_de
static int ds_recv_data(struct ds_device *dev, unsigned char *buf, int size)
{
int count, err;
- struct ds_status st;

/* Careful on size. If size is less than what is available in
* the input buffer, the device fails the bulk transfer and
@@ -360,14 +369,9 @@ static int ds_recv_data(struct ds_device
err = usb_bulk_msg(dev->udev, usb_rcvbulkpipe(dev->udev, dev->ep[EP_DATA_IN]),
buf, size, &count, 1000);
if (err < 0) {
- u8 buf[ST_SIZE];
- int count;
-
printk(KERN_INFO "Clearing ep0x%x.\n", dev->ep[EP_DATA_IN]);
usb_clear_halt(dev->udev, usb_rcvbulkpipe(dev->udev, dev->ep[EP_DATA_IN]));
-
- count = ds_recv_status_nodump(dev, &st, buf, sizeof(buf));
- ds_dump_status(dev, buf, count);
+ ds_recv_status(dev, NULL, true);
return err;
}

@@ -405,7 +409,6 @@ int ds_stop_pulse(struct ds_device *dev,
{
struct ds_status st;
int count = 0, err = 0;
- u8 buf[ST_SIZE];

do {
err = ds_send_control(dev, CTL_HALT_EXE_IDLE, 0);
@@ -414,7 +417,7 @@ int ds_stop_pulse(struct ds_device *dev,
err = ds_send_control(dev, CTL_RESUME_EXE, 0);
if (err)
break;
- err = ds_recv_status_nodump(dev, &st, buf, sizeof(buf));
+ err = ds_recv_status(dev, &st, false);
if (err)
break;

@@ -457,18 +460,17 @@ int ds_detect(struct ds_device *dev, str

static int ds_wait_status(struct ds_device *dev, struct ds_status *st)
{
- u8 buf[ST_SIZE];
int err, count = 0;

do {
st->status = 0;
- err = ds_recv_status_nodump(dev, st, buf, sizeof(buf));
+ err = ds_recv_status(dev, st, false);
#if 0
if (err >= 0) {
int i;
printk("0x%x: count=%d, status: ", dev->ep[EP_STATUS], err);
for (i=0; i<err; ++i)
- printk("%02x ", buf[i]);
+ printk("%02x ", dev->st_buf[i]);
printk("\n");
}
#endif
@@ -486,7 +488,7 @@ static int ds_wait_status(struct ds_devi
* can do something with it).
*/
if (err > 16 || count >= 100 || err < 0)
- ds_dump_status(dev, buf, err);
+ ds_dump_status(dev, dev->st_buf, err);

/* Extended data isn't an error. Well, a short is, but the dump
* would have already told the user that and we can't do anything
@@ -609,7 +611,6 @@ static int ds_write_byte(struct ds_devic
{
int err;
struct ds_status st;
- u8 rbyte;

err = ds_send_control(dev, COMM_BYTE_IO | COMM_IM | dev->spu_bit, byte);
if (err)
@@ -622,11 +623,11 @@ static int ds_write_byte(struct ds_devic
if (err)
return err;

- err = ds_recv_data(dev, &rbyte, sizeof(rbyte));
+ err = ds_recv_data(dev, &dev->byte_buf, 1);
if (err < 0)
return err;

- return !(byte == rbyte);
+ return !(byte == dev->byte_buf);
}

static int ds_read_byte(struct ds_device *dev, u8 *byte)
@@ -713,7 +714,6 @@ static void ds9490r_search(void *data, s
int err;
u16 value, index;
struct ds_status st;
- u8 st_buf[ST_SIZE];
int search_limit;
int found = 0;
int i;
@@ -725,7 +725,12 @@ static void ds9490r_search(void *data, s
/* FIFO 128 bytes, bulk packet size 64, read a multiple of the
* packet size.
*/
- u64 buf[2*64/8];
+ const size_t bufsize = 2 * 64;
+ u64 *buf;
+
+ buf = kmalloc(bufsize, GFP_KERNEL);
+ if (!buf)
+ return;

mutex_lock(&master->bus_mutex);

@@ -746,10 +751,9 @@ static void ds9490r_search(void *data, s
do {
schedule_timeout(jtime);

- if (ds_recv_status_nodump(dev, &st, st_buf, sizeof(st_buf)) <
- sizeof(st)) {
+ err = ds_recv_status(dev, &st, false);
+ if (err < 0 || err < sizeof(st))
break;
- }

if (st.data_in_buffer_status) {
/* Bulk in can receive partial ids, but when it does
@@ -759,7 +763,7 @@ static void ds9490r_search(void *data, s
* bulk without first checking if status says there
* is data to read.
*/
- err = ds_recv_data(dev, (u8 *)buf, sizeof(buf));
+ err = ds_recv_data(dev, (u8 *)buf, bufsize);
if (err < 0)
break;
for (i = 0; i < err/8; ++i) {
@@ -795,9 +799,14 @@ static void ds9490r_search(void *data, s
}
search_out:
mutex_unlock(&master->bus_mutex);
+ kfree(buf);
}

#if 0
+/*
+ * FIXME: if this disabled code is ever used in the future all ds_send_data()
+ * calls must be changed to use a DMAable buffer.
+ */
static int ds_match_access(struct ds_device *dev, u64 init)
{
int err;
@@ -846,13 +855,12 @@ static int ds_set_path(struct ds_device

static u8 ds9490r_touch_bit(void *data, u8 bit)
{
- u8 ret;
struct ds_device *dev = data;

- if (ds_touch_bit(dev, bit, &ret))
+ if (ds_touch_bit(dev, bit, &dev->byte_buf))
return 0;

- return ret;
+ return dev->byte_buf;
}

#if 0
@@ -867,13 +875,12 @@ static u8 ds9490r_read_bit(void *data)
{
struct ds_device *dev = data;
int err;
- u8 bit = 0;

- err = ds_touch_bit(dev, 1, &bit);
+ err = ds_touch_bit(dev, 1, &dev->byte_buf);
if (err)
return 0;

- return bit & 1;
+ return dev->byte_buf & 1;
}
#endif

@@ -888,32 +895,52 @@ static u8 ds9490r_read_byte(void *data)
{
struct ds_device *dev = data;
int err;
- u8 byte = 0;

- err = ds_read_byte(dev, &byte);
+ err = ds_read_byte(dev, &dev->byte_buf);
if (err)
return 0;

- return byte;
+ return dev->byte_buf;
}

static void ds9490r_write_block(void *data, const u8 *buf, int len)
{
struct ds_device *dev = data;
+ u8 *tbuf;
+
+ if (len <= 0)
+ return;
+
+ tbuf = kmalloc(len, GFP_KERNEL);
+ if (!tbuf)
+ return;
+
+ memcpy(tbuf, buf, len);
+ ds_write_block(dev, tbuf, len);

- ds_write_block(dev, (u8 *)buf, len);
+ kfree(tbuf);
}

static u8 ds9490r_read_block(void *data, u8 *buf, int len)
{
struct ds_device *dev = data;
int err;
+ u8 *tbuf;

- err = ds_read_block(dev, buf, len);
- if (err < 0)
+ if (len <= 0)
+ return 0;
+
+ tbuf = kmalloc(len, GFP_KERNEL);
+ if (!tbuf)
return 0;

- return len;
+ err = ds_read_block(dev, tbuf, len);
+ if (err >= 0)
+ memcpy(buf, tbuf, len);
+
+ kfree(tbuf);
+
+ return err >= 0 ? len : 0;
}

static u8 ds9490r_reset(void *data)

2017-06-01 16:30:42

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 076/212] clk: hisilicon: fix lock assignment

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Leo Yan <[email protected]>

commit 55da97e38cab844682abb71400a908b871d0054c upstream.

In clock driver initialize phase the spinlock is missed to assignment
to struct clkgate_separated, finally there have no locking to protect
exclusive accessing for clock registers.

This bug introduces the console has no output after enable coresight
driver on 96boards Hikey; this is because console using UART3, which
has shared the same register with coresight clock enabling bit. After
applied this patch it can assign lock properly to protect exclusive
accessing, and console can work well after enabled coresight modules.

Fixes: 0aa0c95f743a ("clk: hisilicon: add common clock support")
Signed-off-by: Leo Yan <[email protected]>
Signed-off-by: Stephen Boyd <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/clk/hisilicon/clkgate-separated.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/clk/hisilicon/clkgate-separated.c
+++ b/drivers/clk/hisilicon/clkgate-separated.c
@@ -122,6 +122,7 @@ struct clk *hisi_register_clkgate_sep(st
sclk->bit_idx = bit_idx;
sclk->flags = clk_gate_flags;
sclk->hw.init = &init;
+ sclk->lock = lock;

clk = clk_register(dev, &sclk->hw);
if (IS_ERR(clk))

2017-06-01 16:30:40

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 075/212] iwlwifi: mvm: rs: Remove unused 'mcs' variable

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kirtika Ruchandani <[email protected]>

commit 9d50443575fa379c3c72848162af1375a4d43b50 upstream.

Commit 5fc0f76c4 introduced Rx stats from debugfs, the function
iwl_mvm_reset_frame_stats from that commit defines and sets mcs but
does not use it. Compiling iwlwifi with W=1 gives this warning -

iwlwifi/mvm/rs.c: In function ‘iwl_mvm_update_frame_stats’:
iwlwifi/mvm/rs.c:3074:14: warning: variable ‘mcs’ set but not used [-Wunused-but-set-variable]

Fixes: 5fc0f76c43bd (iwlwifi: mvm: add Rx frames statistics via debugfs)
Signed-off-by: Kirtika Ruchandani <[email protected]>
Cc: Eyal Shapira <[email protected]>
Signed-off-by: Luca Coelho <[email protected]>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/iwlwifi/mvm/rs.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/wireless/iwlwifi/mvm/rs.c
+++ b/drivers/net/wireless/iwlwifi/mvm/rs.c
@@ -2481,7 +2481,7 @@ void iwl_mvm_update_frame_stats(struct i
struct iwl_mvm_frame_stats *stats,
u32 rate, bool agg)
{
- u8 nss = 0, mcs = 0;
+ u8 nss = 0;

spin_lock(&mvm->drv_stats_lock);

@@ -2506,11 +2506,9 @@ void iwl_mvm_update_frame_stats(struct i

if (rate & RATE_MCS_HT_MSK) {
stats->ht_frames++;
- mcs = rate & RATE_HT_MCS_RATE_CODE_MSK;
nss = ((rate & RATE_HT_MCS_NSS_MSK) >> RATE_HT_MCS_NSS_POS) + 1;
} else if (rate & RATE_MCS_VHT_MSK) {
stats->vht_frames++;
- mcs = rate & RATE_VHT_MCS_RATE_CODE_MSK;
nss = ((rate & RATE_VHT_MCS_NSS_MSK) >>
RATE_VHT_MCS_NSS_POS) + 1;
} else {

2017-06-01 16:30:39

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 049/212] USB: serial: spcp8x5: fix modem-status handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 5ed8d41023751bdd3546f2fe4118304357efe8d2 upstream.

Make sure to detect short control transfers and return zero on success
when retrieving the modem status.

This fixes the TIOCMGET implementation which since e1ed212d8593 ("USB:
spcp8x5: add proper modem-status support") has returned TIOCM_LE on
successful retrieval, and avoids leaking bits from the stack on short
transfers.

This also fixes the carrier-detect implementation which since the above
mentioned commit unconditionally has returned true.

Fixes: e1ed212d8593 ("USB: spcp8x5: add proper modem-status support")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/spcp8x5.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/spcp8x5.c
+++ b/drivers/usb/serial/spcp8x5.c
@@ -232,11 +232,17 @@ static int spcp8x5_get_msr(struct usb_se
ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
GET_UART_STATUS, GET_UART_STATUS_TYPE,
0, GET_UART_STATUS_MSR, buf, 1, 100);
- if (ret < 0)
+ if (ret < 1) {
dev_err(&port->dev, "failed to get modem status: %d\n", ret);
+ if (ret >= 0)
+ ret = -EIO;
+ goto out;
+ }

dev_dbg(&port->dev, "0xc0:0x22:0:6 %d - 0x02%x\n", ret, *buf);
*status = *buf;
+ ret = 0;
+out:
kfree(buf);

return ret;

2017-06-01 16:30:37

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 077/212] drm/ttm: Make sure BOs being swapped out are cacheable

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michel Dänzer <[email protected]>

commit 239ac65fa5ffab71adf66e642750f940e7241d99 upstream.

The current caching state may not be tt_cached, even though the
placement contains TTM_PL_FLAG_CACHED, because placement can contain
multiple caching flags. Trying to swap out such a BO would trip up the

BUG_ON(ttm->caching_state != tt_cached);

in ttm_tt_swapout.

Signed-off-by: Michel Dänzer <[email protected]>
Reviewed-by: Thomas Hellstrom <[email protected]>
Reviewed-by: Christian König <[email protected]>.
Reviewed-by: Sinclair Yeh <[email protected]>
Signed-off-by: Christian König <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/gpu/drm/ttm/ttm_bo.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -1641,7 +1641,6 @@ static int ttm_bo_swapout(struct ttm_mem
struct ttm_buffer_object *bo;
int ret = -EBUSY;
int put_count;
- uint32_t swap_placement = (TTM_PL_FLAG_CACHED | TTM_PL_FLAG_SYSTEM);

spin_lock(&glob->lru_lock);
list_for_each_entry(bo, &glob->swap_lru, swap) {
@@ -1679,7 +1678,8 @@ static int ttm_bo_swapout(struct ttm_mem
if (unlikely(ret != 0))
goto out;

- if ((bo->mem.placement & swap_placement) != swap_placement) {
+ if (bo->mem.mem_type != TTM_PL_SYSTEM ||
+ bo->ttm->caching_state != tt_cached) {
struct ttm_mem_reg evict_mem;

evict_mem = bo->mem;

2017-06-01 15:44:45

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 014/212] scsi: storvsc: Fix a bug in the handling of SRB status flags

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "K. Y. Srinivasan" <[email protected]>

commit 3209f9d780d137cdb54c85e0a776cb19e723a170 upstream.

SRB status can have additional information. Mask these out before processing
SRB status.

This patch was sent as part of a collection of patches more than a year ago.
While the rest of the patches in the set were comitted, this patch was not.
I woulod like to thank Olaf for noticing that this patch was not committed
upstream.

Signed-off-by: K. Y. Srinivasan <[email protected]>
Reviewed-by: Long Li <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/storvsc_drv.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -302,11 +302,14 @@ enum storvsc_request_type {
*/

#define SRB_STATUS_AUTOSENSE_VALID 0x80
+#define SRB_STATUS_QUEUE_FROZEN 0x40
#define SRB_STATUS_INVALID_LUN 0x20
#define SRB_STATUS_SUCCESS 0x01
#define SRB_STATUS_ABORTED 0x02
#define SRB_STATUS_ERROR 0x04

+#define SRB_STATUS(status) \
+ (status & ~(SRB_STATUS_AUTOSENSE_VALID | SRB_STATUS_QUEUE_FROZEN))
/*
* This is the end of Protocol specific defines.
*/
@@ -1008,7 +1011,7 @@ static void storvsc_handle_error(struct
void (*process_err_fn)(struct work_struct *work);
bool do_work = false;

- switch (vm_srb->srb_status) {
+ switch (SRB_STATUS(vm_srb->srb_status)) {
case SRB_STATUS_ERROR:
/*
* If there is an error; offline the device since all

2017-06-01 16:32:06

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 016/212] scsi: storvsc: properly set residual data length on errors

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Long Li <[email protected]>

commit 40630f462824ee24bc00d692865c86c3828094e0 upstream.

On I/O errors, the Windows driver doesn't set data_transfer_length
on error conditions other than SRB_STATUS_DATA_OVERRUN.
In these cases we need to set data_transfer_length to 0,
indicating there is no data transferred. On SRB_STATUS_DATA_OVERRUN,
data_transfer_length is set by the Windows driver to the actual data transferred.

Reported-by: Shiva Krishna <[email protected]>
Signed-off-by: Long Li <[email protected]>
Reviewed-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/scsi/storvsc_drv.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -307,6 +307,7 @@ enum storvsc_request_type {
#define SRB_STATUS_SUCCESS 0x01
#define SRB_STATUS_ABORTED 0x02
#define SRB_STATUS_ERROR 0x04
+#define SRB_STATUS_DATA_OVERRUN 0x12

#define SRB_STATUS(status) \
(status & ~(SRB_STATUS_AUTOSENSE_VALID | SRB_STATUS_QUEUE_FROZEN))
@@ -1084,6 +1085,7 @@ static void storvsc_command_completion(s
void (*scsi_done_fn)(struct scsi_cmnd *);
struct scsi_sense_hdr sense_hdr;
struct vmscsi_request *vm_srb;
+ u32 data_transfer_length;
struct stor_mem_pools *memp = scmnd->device->hostdata;
struct Scsi_Host *host;
struct storvsc_device *stor_dev;
@@ -1093,6 +1095,7 @@ static void storvsc_command_completion(s
host = stor_dev->host;

vm_srb = &cmd_request->vstor_packet.vm_srb;
+ data_transfer_length = vm_srb->data_transfer_length;
if (cmd_request->bounce_sgl_count) {
if (vm_srb->data_in == READ_TYPE)
copy_from_bounce_buffer(scsi_sglist(scmnd),
@@ -1111,13 +1114,20 @@ static void storvsc_command_completion(s
scsi_print_sense_hdr("storvsc", &sense_hdr);
}

- if (vm_srb->srb_status != SRB_STATUS_SUCCESS)
+ if (vm_srb->srb_status != SRB_STATUS_SUCCESS) {
storvsc_handle_error(vm_srb, scmnd, host, sense_hdr.asc,
sense_hdr.ascq);
+ /*
+ * The Windows driver set data_transfer_length on
+ * SRB_STATUS_DATA_OVERRUN. On other errors, this value
+ * is untouched. In these cases we set it to 0.
+ */
+ if (vm_srb->srb_status != SRB_STATUS_DATA_OVERRUN)
+ data_transfer_length = 0;
+ }

scsi_set_resid(scmnd,
- cmd_request->data_buffer.len -
- vm_srb->data_transfer_length);
+ cmd_request->data_buffer.len - data_transfer_length);

scsi_done_fn = scmnd->scsi_done;


2017-06-01 16:32:05

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 071/212] W1: ds2490: Increase timeout when waiting for status

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Stein <[email protected]>

commit d25221525e0e2cfd70e4ec7216549c06609a8bd2 upstream.

Adjust the bulk message timeout to the other ones (1000ms). Otherwise the
following dmesg errors can be seen on a Raspberry Pi:
[ 31.492386] Failed to read 1-wire data from 0x81: err=-110.
[ 31.504168] 0x81: count=-110, status:
[ 31.613404] Failed to read 1-wire data from 0x81: err=-110.
[ 31.621915] 0x81: count=-110, status:
[ 43.260968] Failed to read 1-wire data from 0x81: err=-110.
[ 43.270998] 0x81: count=-110, status:
[ 43.379959] Failed to read 1-wire data from 0x81: err=-110.
[ 43.388854] 0x81: count=-110, status:

Signed-off-by: Alexander Stein <[email protected]>
Acked-by: Evgeniy Polyakov <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/w1/masters/ds2490.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/w1/masters/ds2490.c
+++ b/drivers/w1/masters/ds2490.c
@@ -253,7 +253,7 @@ static int ds_recv_status_nodump(struct

count = 0;
err = usb_interrupt_msg(dev->udev, usb_rcvintpipe(dev->udev,
- dev->ep[EP_STATUS]), buf, size, &count, 100);
+ dev->ep[EP_STATUS]), buf, size, &count, 1000);
if (err < 0) {
printk(KERN_ERR "Failed to read 1-wire data from 0x%x: err=%d.\n", dev->ep[EP_STATUS], err);
return err;

2017-06-01 16:32:33

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 017/212] IB/mlx5: Fix retrieval of index to first hi class bfreg

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Eli Cohen <[email protected]>

commit 0b80c14f009758cefeed0edff4f9141957964211 upstream.

First the function retrieving the index of the first hi latency class
blue flame register. High latency class bfregs are located right above
medium latency class bfregs.

Fixes: c1be5232d21d ('IB/mlx5: Fix micro UAR allocator')
Signed-off-by: Eli Cohen <[email protected]>
Reviewed-by: Matan Barak <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Saeed Mahameed <[email protected]>
[bwh: Backported to 3.16:
- s/bfreg/uuar/g
- Adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/hw/mlx5/qp.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)

--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -367,12 +367,21 @@ static int next_uuar(int n)
return n;
}

+enum {
+ /* this is the first blue flame register in the array of bfregs assigned
+ * to a processes. Since we do not use it for blue flame but rather
+ * regular 64 bit doorbells, we do not need a lock for maintaiing
+ * "odd/even" order
+ */
+ NUM_NON_BLUE_FLAME_BFREGS = 1,
+};
+
static int num_med_uuar(struct mlx5_uuar_info *uuari)
{
int n;

n = uuari->num_uars * MLX5_NON_FP_BF_REGS_PER_PAGE -
- uuari->num_low_latency_uuars - 1;
+ uuari->num_low_latency_uuars - NUM_NON_BLUE_FLAME_BFREGS;

return n >= 0 ? n : 0;
}
@@ -385,17 +394,9 @@ static int max_uuari(struct mlx5_uuar_in
static int first_hi_uuar(struct mlx5_uuar_info *uuari)
{
int med;
- int i;
- int t;

med = num_med_uuar(uuari);
- for (t = 0, i = first_med_uuar();; i = next_uuar(i)) {
- t++;
- if (t == med)
- return next_uuar(i);
- }
-
- return 0;
+ return next_uuar(med);
}

static int alloc_high_class_uuar(struct mlx5_uuar_info *uuari)
@@ -421,6 +422,8 @@ static int alloc_med_class_uuar(struct m
for (i = first_med_uuar(); i < first_hi_uuar(uuari); i = next_uuar(i)) {
if (uuari->count[i] < uuari->count[minidx])
minidx = i;
+ if (!uuari->count[minidx])
+ break;
}

uuari->count[minidx]++;
@@ -435,6 +438,7 @@ static int alloc_uuar(struct mlx5_uuar_i
mutex_lock(&uuari->lock);
switch (lat) {
case MLX5_IB_LATENCY_CLASS_LOW:
+ BUILD_BUG_ON(NUM_NON_BLUE_FLAME_BFREGS != 1);
uuarn = 0;
uuari->count[uuarn]++;
break;

2017-06-01 16:32:49

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 069/212] usb: gadget: f_hid: Use spinlock instead of mutex

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Opasiak <[email protected]>

commit 33e4c1a9987a1fc3b42c3b534100b5b006d55c61 upstream.

As IN request has to be allocated in set_alt() and released in
disable() we cannot use mutex to protect it as we cannot sleep
in those funcitons. Let's replace this mutex with a spinlock.

Tested-by: David Lechner <[email protected]>
Signed-off-by: Krzysztof Opasiak <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/gadget/f_hid.c | 57 ++++++++++++++++++++++---------------
1 file changed, 34 insertions(+), 23 deletions(-)

--- a/drivers/usb/gadget/f_hid.c
+++ b/drivers/usb/gadget/f_hid.c
@@ -44,12 +44,12 @@ struct f_hidg {

/* recv report */
struct list_head completed_out_req;
- spinlock_t spinlock;
+ spinlock_t read_spinlock;
wait_queue_head_t read_queue;
unsigned int qlen;

/* send report */
- struct mutex lock;
+ spinlock_t write_spinlock;
bool write_pending;
wait_queue_head_t write_queue;
struct usb_request *req;
@@ -178,20 +178,20 @@ static ssize_t f_hidg_read(struct file *
if (!access_ok(VERIFY_WRITE, buffer, count))
return -EFAULT;

- spin_lock_irqsave(&hidg->spinlock, flags);
+ spin_lock_irqsave(&hidg->read_spinlock, flags);

#define READ_COND (!list_empty(&hidg->completed_out_req))

/* wait for at least one buffer to complete */
while (!READ_COND) {
- spin_unlock_irqrestore(&hidg->spinlock, flags);
+ spin_unlock_irqrestore(&hidg->read_spinlock, flags);
if (file->f_flags & O_NONBLOCK)
return -EAGAIN;

if (wait_event_interruptible(hidg->read_queue, READ_COND))
return -ERESTARTSYS;

- spin_lock_irqsave(&hidg->spinlock, flags);
+ spin_lock_irqsave(&hidg->read_spinlock, flags);
}

/* pick the first one */
@@ -206,7 +206,7 @@ static ssize_t f_hidg_read(struct file *

req = list->req;
count = min_t(unsigned int, count, req->actual - list->pos);
- spin_unlock_irqrestore(&hidg->spinlock, flags);
+ spin_unlock_irqrestore(&hidg->read_spinlock, flags);

/* copy to user outside spinlock */
count -= copy_to_user(buffer, req->buf + list->pos, count);
@@ -228,9 +228,9 @@ static ssize_t f_hidg_read(struct file *
return ret;
}
} else {
- spin_lock_irqsave(&hidg->spinlock, flags);
+ spin_lock_irqsave(&hidg->read_spinlock, flags);
list_add(&list->list, &hidg->completed_out_req);
- spin_unlock_irqrestore(&hidg->spinlock, flags);
+ spin_unlock_irqrestore(&hidg->read_spinlock, flags);

wake_up(&hidg->read_queue);
}
@@ -241,13 +241,16 @@ static ssize_t f_hidg_read(struct file *
static void f_hidg_req_complete(struct usb_ep *ep, struct usb_request *req)
{
struct f_hidg *hidg = (struct f_hidg *)ep->driver_data;
+ unsigned long flags;

if (req->status != 0) {
ERROR(hidg->func.config->cdev,
"End Point Request ERROR: %d\n", req->status);
}

+ spin_lock_irqsave(&hidg->write_spinlock, flags);
hidg->write_pending = 0;
+ spin_unlock_irqrestore(&hidg->write_spinlock, flags);
wake_up(&hidg->write_queue);
}

@@ -255,18 +258,19 @@ static ssize_t f_hidg_write(struct file
size_t count, loff_t *offp)
{
struct f_hidg *hidg = file->private_data;
+ unsigned long flags;
ssize_t status = -ENOMEM;

if (!access_ok(VERIFY_READ, buffer, count))
return -EFAULT;

- mutex_lock(&hidg->lock);
+ spin_lock_irqsave(&hidg->write_spinlock, flags);

#define WRITE_COND (!hidg->write_pending)

/* write queue */
while (!WRITE_COND) {
- mutex_unlock(&hidg->lock);
+ spin_unlock_irqrestore(&hidg->write_spinlock, flags);
if (file->f_flags & O_NONBLOCK)
return -EAGAIN;

@@ -274,17 +278,20 @@ static ssize_t f_hidg_write(struct file
hidg->write_queue, WRITE_COND))
return -ERESTARTSYS;

- mutex_lock(&hidg->lock);
+ spin_lock_irqsave(&hidg->write_spinlock, flags);
}

+ hidg->write_pending = 1;
count = min_t(unsigned, count, hidg->report_length);
+
+ spin_unlock_irqrestore(&hidg->write_spinlock, flags);
status = copy_from_user(hidg->req->buf, buffer, count);

if (status != 0) {
ERROR(hidg->func.config->cdev,
"copy_from_user error\n");
- mutex_unlock(&hidg->lock);
- return -EINVAL;
+ status = -EINVAL;
+ goto release_write_pending;
}

hidg->req->status = 0;
@@ -292,19 +299,23 @@ static ssize_t f_hidg_write(struct file
hidg->req->length = count;
hidg->req->complete = f_hidg_req_complete;
hidg->req->context = hidg;
- hidg->write_pending = 1;

status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC);
if (status < 0) {
ERROR(hidg->func.config->cdev,
"usb_ep_queue error on int endpoint %zd\n", status);
- hidg->write_pending = 0;
- wake_up(&hidg->write_queue);
+ goto release_write_pending;
} else {
status = count;
}

- mutex_unlock(&hidg->lock);
+ return status;
+release_write_pending:
+ spin_lock_irqsave(&hidg->write_spinlock, flags);
+ hidg->write_pending = 0;
+ spin_unlock_irqrestore(&hidg->write_spinlock, flags);
+
+ wake_up(&hidg->write_queue);

return status;
}
@@ -371,9 +382,9 @@ static void hidg_set_report_complete(str

req_list->req = req;

- spin_lock_irqsave(&hidg->spinlock, flags);
+ spin_lock_irqsave(&hidg->read_spinlock, flags);
list_add_tail(&req_list->list, &hidg->completed_out_req);
- spin_unlock_irqrestore(&hidg->spinlock, flags);
+ spin_unlock_irqrestore(&hidg->read_spinlock, flags);

wake_up(&hidg->read_queue);
break;
@@ -491,13 +502,13 @@ static void hidg_disable(struct usb_func
usb_ep_disable(hidg->out_ep);
hidg->out_ep->driver_data = NULL;

- spin_lock_irqsave(&hidg->spinlock, flags);
+ spin_lock_irqsave(&hidg->read_spinlock, flags);
list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) {
free_ep_req(hidg->out_ep, list->req);
list_del(&list->list);
kfree(list);
}
- spin_unlock_irqrestore(&hidg->spinlock, flags);
+ spin_unlock_irqrestore(&hidg->read_spinlock, flags);
}

static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
@@ -642,8 +653,8 @@ static int __init hidg_bind(struct usb_c
if (status)
goto fail;

- mutex_init(&hidg->lock);
- spin_lock_init(&hidg->spinlock);
+ spin_lock_init(&hidg->write_spinlock);
+ spin_lock_init(&hidg->read_spinlock);
init_waitqueue_head(&hidg->write_queue);
init_waitqueue_head(&hidg->read_queue);
INIT_LIST_HEAD(&hidg->completed_out_req);

2017-06-01 16:33:11

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 034/212] IB/ipoib: Fix deadlock over vlan_mutex

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Feras Daoud <[email protected]>

commit 1c3098cdb05207e740715857df7b0998e372f527 upstream.

This patch fixes Deadlock while executing ipoib_vlan_delete.

The function takes the vlan_rwsem semaphore and calls
unregister_netdevice. The later function calls
ipoib_mcast_stop_thread that cause workqueue flush.

When the queue has one of the ipoib_ib_dev_flush_xxx events,
a deadlock occur because these events also tries to catch the
same vlan_rwsem semaphore.

To fix, unregister_netdevice should be called after releasing
the semaphore.

Fixes: cbbe1efa4972 ("IPoIB: Fix deadlock between ipoib_open() and child interface create")
Signed-off-by: Feras Daoud <[email protected]>
Signed-off-by: Erez Shitrit <[email protected]>
Reviewed-by: Alex Vesker <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
@@ -196,7 +196,6 @@ int ipoib_vlan_delete(struct net_device
list_for_each_entry_safe(priv, tpriv, &ppriv->child_intfs, list) {
if (priv->pkey == pkey &&
priv->child_type == IPOIB_LEGACY_CHILD) {
- unregister_netdevice(priv->dev);
list_del(&priv->list);
dev = priv->dev;
break;
@@ -204,6 +203,11 @@ int ipoib_vlan_delete(struct net_device
}
up_write(&ppriv->vlan_rwsem);

+ if (dev) {
+ ipoib_dbg(ppriv, "delete child vlan %s\n", dev->name);
+ unregister_netdevice(dev);
+ }
+
rtnl_unlock();

if (dev) {

2017-06-01 16:33:10

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 065/212] usb: dwc3: gadget: skip Set/Clear Halt when invalid

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Felipe Balbi <[email protected]>

commit ffb80fc672c3a7b6afd0cefcb1524fb99917b2f3 upstream.

At least macOS seems to be sending
ClearFeature(ENDPOINT_HALT) to endpoints which
aren't Halted. This makes DWC3's CLEARSTALL command
time out which causes several issues for the driver.

Instead, let's just return 0 and bail out early.

Signed-off-by: Felipe Balbi <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1346,6 +1346,9 @@ int __dwc3_gadget_ep_set_halt(struct dwc
memset(&params, 0x00, sizeof(params));

if (value) {
+ if (dep->flags & DWC3_EP_STALL)
+ return 0;
+
if (!protocol && ((dep->direction && dep->flags & DWC3_EP_BUSY) ||
(!list_empty(&dep->req_queued) ||
!list_empty(&dep->request_list)))) {
@@ -1362,6 +1365,9 @@ int __dwc3_gadget_ep_set_halt(struct dwc
else
dep->flags |= DWC3_EP_STALL;
} else {
+ if (!(dep->flags & DWC3_EP_STALL))
+ return 0;
+
ret = dwc3_send_gadget_ep_cmd(dwc, dep->number,
DWC3_DEPCMD_CLEARSTALL, &params);
if (ret)

2017-06-01 16:33:08

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 026/212] perf evlist: Fix typo in perf_evlist__start_workload()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Soramichi Akiyama <[email protected]>

commit e978be9ea2990f1af60fe10eadd2312a6250e0b8 upstream.

This patch fixes a typo: s/enable to/unable to/

Signed-off-by: Soramichi AKIYAMA <[email protected]>
Cc: Alexander Shishkin <[email protected]>
Cc: Namhyung Kim <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Fixes: bcf3145fbeb1 ("perf evlist: Enhance perf_evlist__start_workload()")
Link: http://lkml.kernel.org/r/[email protected]
[ Wasn't applying, fixed it up by hand, added Fixes: tag ]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
tools/perf/util/evlist.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/evlist.c
+++ b/tools/perf/util/evlist.c
@@ -1133,7 +1133,7 @@ int perf_evlist__start_workload(struct p
*/
ret = write(evlist->workload.cork_fd, &bf, 1);
if (ret < 0)
- perror("enable to write to pipe");
+ perror("unable to write to pipe");

close(evlist->workload.cork_fd);
return ret;

2017-06-01 16:33:07

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 067/212] usb: gadget: f_hid: fix: Free out requests

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Opasiak <[email protected]>

commit 20d2ca955bd09639c7b01db5761d157c297aea0a upstream.

Requests for out endpoint are allocated in bind() function
but never released.

This commit ensures that all pending requests are released
when we disable out endpoint.

Fixes: 99c515005857 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Tested-by: David Lechner <[email protected]>
Signed-off-by: Krzysztof Opasiak <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/gadget/f_hid.c | 32 ++++++++++++++++++++++++--------
1 file changed, 24 insertions(+), 8 deletions(-)

--- a/drivers/usb/gadget/f_hid.c
+++ b/drivers/usb/gadget/f_hid.c
@@ -345,20 +345,36 @@ static inline struct usb_request *hidg_a
static void hidg_set_report_complete(struct usb_ep *ep, struct usb_request *req)
{
struct f_hidg *hidg = (struct f_hidg *) req->context;
+ struct usb_composite_dev *cdev = hidg->func.config->cdev;
struct f_hidg_req_list *req_list;
unsigned long flags;

- req_list = kzalloc(sizeof(*req_list), GFP_ATOMIC);
- if (!req_list)
- return;
+ switch (req->status) {
+ case 0:
+ req_list = kzalloc(sizeof(*req_list), GFP_ATOMIC);
+ if (!req_list) {
+ ERROR(cdev, "Unable to allocate mem for req_list\n");
+ goto free_req;
+ }

- req_list->req = req;
+ req_list->req = req;

- spin_lock_irqsave(&hidg->spinlock, flags);
- list_add_tail(&req_list->list, &hidg->completed_out_req);
- spin_unlock_irqrestore(&hidg->spinlock, flags);
+ spin_lock_irqsave(&hidg->spinlock, flags);
+ list_add_tail(&req_list->list, &hidg->completed_out_req);
+ spin_unlock_irqrestore(&hidg->spinlock, flags);

- wake_up(&hidg->read_queue);
+ wake_up(&hidg->read_queue);
+ break;
+ default:
+ ERROR(cdev, "Set report failed %d\n", req->status);
+ /* FALLTHROUGH */
+ case -ECONNABORTED: /* hardware forced ep reset */
+ case -ECONNRESET: /* request dequeued */
+ case -ESHUTDOWN: /* disconnect from host */
+free_req:
+ free_ep_req(ep, req);
+ return;
+ }
}

static int hidg_setup(struct usb_function *f,

2017-06-01 16:34:05

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 028/212] ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <[email protected]>

commit c755e251357a0cee0679081f08c3f4ba797a8009 upstream.

The xattr_sem deadlock problems fixed in commit 2e81a4eeedca: "ext4:
avoid deadlock when expanding inode size" didn't include the use of
xattr_sem in fs/ext4/inline.c. With the addition of project quota
which added a new extra inode field, this exposed deadlocks in the
inline_data code similar to the ones fixed by 2e81a4eeedca.

The deadlock can be reproduced via:

dmesg -n 7
mke2fs -t ext4 -O inline_data -Fq -I 256 /dev/vdc 32768
mount -t ext4 -o debug_want_extra_isize=24 /dev/vdc /vdc
mkdir /vdc/a
umount /vdc
mount -t ext4 /dev/vdc /vdc
echo foo > /vdc/a/foo

and looks like this:

[ 11.158815]
[ 11.160276] =============================================
[ 11.161960] [ INFO: possible recursive locking detected ]
[ 11.161960] 4.10.0-rc3-00015-g011b30a8a3cf #160 Tainted: G W
[ 11.161960] ---------------------------------------------
[ 11.161960] bash/2519 is trying to acquire lock:
[ 11.161960] (&ei->xattr_sem){++++..}, at: [<c1225a4b>] ext4_expand_extra_isize_ea+0x3d/0x4cd
[ 11.161960]
[ 11.161960] but task is already holding lock:
[ 11.161960] (&ei->xattr_sem){++++..}, at: [<c1227941>] ext4_try_add_inline_entry+0x3a/0x152
[ 11.161960]
[ 11.161960] other info that might help us debug this:
[ 11.161960] Possible unsafe locking scenario:
[ 11.161960]
[ 11.161960] CPU0
[ 11.161960] ----
[ 11.161960] lock(&ei->xattr_sem);
[ 11.161960] lock(&ei->xattr_sem);
[ 11.161960]
[ 11.161960] *** DEADLOCK ***
[ 11.161960]
[ 11.161960] May be due to missing lock nesting notation
[ 11.161960]
[ 11.161960] 4 locks held by bash/2519:
[ 11.161960] #0: (sb_writers#3){.+.+.+}, at: [<c11a2414>] mnt_want_write+0x1e/0x3e
[ 11.161960] #1: (&type->i_mutex_dir_key){++++++}, at: [<c119508b>] path_openat+0x338/0x67a
[ 11.161960] #2: (jbd2_handle){++++..}, at: [<c123314a>] start_this_handle+0x582/0x622
[ 11.161960] #3: (&ei->xattr_sem){++++..}, at: [<c1227941>] ext4_try_add_inline_entry+0x3a/0x152
[ 11.161960]
[ 11.161960] stack backtrace:
[ 11.161960] CPU: 0 PID: 2519 Comm: bash Tainted: G W 4.10.0-rc3-00015-g011b30a8a3cf #160
[ 11.161960] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1 04/01/2014
[ 11.161960] Call Trace:
[ 11.161960] dump_stack+0x72/0xa3
[ 11.161960] __lock_acquire+0xb7c/0xcb9
[ 11.161960] ? kvm_clock_read+0x1f/0x29
[ 11.161960] ? __lock_is_held+0x36/0x66
[ 11.161960] ? __lock_is_held+0x36/0x66
[ 11.161960] lock_acquire+0x106/0x18a
[ 11.161960] ? ext4_expand_extra_isize_ea+0x3d/0x4cd
[ 11.161960] down_write+0x39/0x72
[ 11.161960] ? ext4_expand_extra_isize_ea+0x3d/0x4cd
[ 11.161960] ext4_expand_extra_isize_ea+0x3d/0x4cd
[ 11.161960] ? _raw_read_unlock+0x22/0x2c
[ 11.161960] ? jbd2_journal_extend+0x1e2/0x262
[ 11.161960] ? __ext4_journal_get_write_access+0x3d/0x60
[ 11.161960] ext4_mark_inode_dirty+0x17d/0x26d
[ 11.161960] ? ext4_add_dirent_to_inline.isra.12+0xa5/0xb2
[ 11.161960] ext4_add_dirent_to_inline.isra.12+0xa5/0xb2
[ 11.161960] ext4_try_add_inline_entry+0x69/0x152
[ 11.161960] ext4_add_entry+0xa3/0x848
[ 11.161960] ? __brelse+0x14/0x2f
[ 11.161960] ? _raw_spin_unlock_irqrestore+0x44/0x4f
[ 11.161960] ext4_add_nondir+0x17/0x5b
[ 11.161960] ext4_create+0xcf/0x133
[ 11.161960] ? ext4_mknod+0x12f/0x12f
[ 11.161960] lookup_open+0x39e/0x3fb
[ 11.161960] ? __wake_up+0x1a/0x40
[ 11.161960] ? lock_acquire+0x11e/0x18a
[ 11.161960] path_openat+0x35c/0x67a
[ 11.161960] ? sched_clock_cpu+0xd7/0xf2
[ 11.161960] do_filp_open+0x36/0x7c
[ 11.161960] ? _raw_spin_unlock+0x22/0x2c
[ 11.161960] ? __alloc_fd+0x169/0x173
[ 11.161960] do_sys_open+0x59/0xcc
[ 11.161960] SyS_open+0x1d/0x1f
[ 11.161960] do_int80_syscall_32+0x4f/0x61
[ 11.161960] entry_INT80_32+0x2f/0x2f
[ 11.161960] EIP: 0xb76ad469
[ 11.161960] EFLAGS: 00000286 CPU: 0
[ 11.161960] EAX: ffffffda EBX: 08168ac8 ECX: 00008241 EDX: 000001b6
[ 11.161960] ESI: b75e46bc EDI: b7755000 EBP: bfbdb108 ESP: bfbdafc0
[ 11.161960] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b

Reported-by: George Spelvin <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/inline.c | 66 ++++++++++++++++++++++++++------------------------------
fs/ext4/xattr.c | 30 +++++++++++---------------
fs/ext4/xattr.h | 32 +++++++++++++++++++++++++++
3 files changed, 74 insertions(+), 54 deletions(-)

--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -380,7 +380,7 @@ out:
static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
unsigned int len)
{
- int ret, size;
+ int ret, size, no_expand;
struct ext4_inode_info *ei = EXT4_I(inode);

if (!ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
@@ -390,15 +390,14 @@ static int ext4_prepare_inline_data(hand
if (size < len)
return -ENOSPC;

- down_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_lock_xattr(inode, &no_expand);

if (ei->i_inline_off)
ret = ext4_update_inline_data(handle, inode, len);
else
ret = ext4_create_inline_data(handle, inode, len);

- up_write(&EXT4_I(inode)->xattr_sem);
-
+ ext4_write_unlock_xattr(inode, &no_expand);
return ret;
}

@@ -528,7 +527,7 @@ static int ext4_convert_inline_data_to_e
struct inode *inode,
unsigned flags)
{
- int ret, needed_blocks;
+ int ret, needed_blocks, no_expand;
handle_t *handle = NULL;
int retries = 0, sem_held = 0;
struct page *page = NULL;
@@ -568,7 +567,7 @@ retry:
goto out;
}

- down_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_lock_xattr(inode, &no_expand);
sem_held = 1;
/* If some one has already done this for us, just exit. */
if (!ext4_has_inline_data(inode)) {
@@ -603,7 +602,7 @@ retry:
unlock_page(page);
page_cache_release(page);
ext4_orphan_add(handle, inode);
- up_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_unlock_xattr(inode, &no_expand);
sem_held = 0;
ext4_journal_stop(handle);
handle = NULL;
@@ -628,7 +627,7 @@ out:
page_cache_release(page);
}
if (sem_held)
- up_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_unlock_xattr(inode, &no_expand);
if (handle)
ext4_journal_stop(handle);
brelse(iloc.bh);
@@ -721,7 +720,7 @@ convert:
int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
unsigned copied, struct page *page)
{
- int ret;
+ int ret, no_expand;
void *kaddr;
struct ext4_iloc iloc;

@@ -739,7 +738,7 @@ int ext4_write_inline_data_end(struct in
goto out;
}

- down_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_lock_xattr(inode, &no_expand);
BUG_ON(!ext4_has_inline_data(inode));

kaddr = kmap_atomic(page);
@@ -749,7 +748,7 @@ int ext4_write_inline_data_end(struct in
/* clear page dirty so that writepages wouldn't work for us. */
ClearPageDirty(page);

- up_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_unlock_xattr(inode, &no_expand);
brelse(iloc.bh);
out:
return copied;
@@ -760,7 +759,7 @@ ext4_journalled_write_inline_data(struct
unsigned len,
struct page *page)
{
- int ret;
+ int ret, no_expand;
void *kaddr;
struct ext4_iloc iloc;

@@ -770,11 +769,11 @@ ext4_journalled_write_inline_data(struct
return NULL;
}

- down_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_lock_xattr(inode, &no_expand);
kaddr = kmap_atomic(page);
ext4_write_inline_data(inode, &iloc, kaddr, 0, len);
kunmap_atomic(kaddr);
- up_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_unlock_xattr(inode, &no_expand);

return iloc.bh;
}
@@ -1238,7 +1237,7 @@ out:
int ext4_try_add_inline_entry(handle_t *handle, struct dentry *dentry,
struct inode *inode)
{
- int ret, inline_size;
+ int ret, inline_size, no_expand;
void *inline_start;
struct ext4_iloc iloc;
struct inode *dir = dentry->d_parent->d_inode;
@@ -1247,7 +1246,7 @@ int ext4_try_add_inline_entry(handle_t *
if (ret)
return ret;

- down_write(&EXT4_I(dir)->xattr_sem);
+ ext4_write_lock_xattr(dir, &no_expand);
if (!ext4_has_inline_data(dir))
goto out;

@@ -1292,7 +1291,7 @@ int ext4_try_add_inline_entry(handle_t *

out:
ext4_mark_inode_dirty(handle, dir);
- up_write(&EXT4_I(dir)->xattr_sem);
+ ext4_write_unlock_xattr(dir, &no_expand);
brelse(iloc.bh);
return ret;
}
@@ -1648,7 +1647,7 @@ int ext4_delete_inline_entry(handle_t *h
struct buffer_head *bh,
int *has_inline_data)
{
- int err, inline_size;
+ int err, inline_size, no_expand;
struct ext4_iloc iloc;
void *inline_start;

@@ -1656,7 +1655,7 @@ int ext4_delete_inline_entry(handle_t *h
if (err)
return err;

- down_write(&EXT4_I(dir)->xattr_sem);
+ ext4_write_lock_xattr(dir, &no_expand);
if (!ext4_has_inline_data(dir)) {
*has_inline_data = 0;
goto out;
@@ -1691,7 +1690,7 @@ int ext4_delete_inline_entry(handle_t *h

ext4_show_inline_dir(dir, iloc.bh, inline_start, inline_size);
out:
- up_write(&EXT4_I(dir)->xattr_sem);
+ ext4_write_unlock_xattr(dir, &no_expand);
brelse(iloc.bh);
if (err != -ENOENT)
ext4_std_error(dir->i_sb, err);
@@ -1790,11 +1789,11 @@ out:

int ext4_destroy_inline_data(handle_t *handle, struct inode *inode)
{
- int ret;
+ int ret, no_expand;

- down_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_lock_xattr(inode, &no_expand);
ret = ext4_destroy_inline_data_nolock(handle, inode);
- up_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_unlock_xattr(inode, &no_expand);

return ret;
}
@@ -1872,7 +1871,7 @@ out:
void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
{
handle_t *handle;
- int inline_size, value_len, needed_blocks;
+ int inline_size, value_len, needed_blocks, no_expand;
size_t i_size;
void *value = NULL;
struct ext4_xattr_ibody_find is = {
@@ -1889,7 +1888,7 @@ void ext4_inline_data_truncate(struct in
if (IS_ERR(handle))
return;

- down_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_lock_xattr(inode, &no_expand);
if (!ext4_has_inline_data(inode)) {
*has_inline = 0;
ext4_journal_stop(handle);
@@ -1947,7 +1946,7 @@ out_error:
up_write(&EXT4_I(inode)->i_data_sem);
out:
brelse(is.iloc.bh);
- up_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_unlock_xattr(inode, &no_expand);
kfree(value);
if (inode->i_nlink)
ext4_orphan_del(handle, inode);
@@ -1963,7 +1962,7 @@ out:

int ext4_convert_inline_data(struct inode *inode)
{
- int error, needed_blocks;
+ int error, needed_blocks, no_expand;
handle_t *handle;
struct ext4_iloc iloc;

@@ -1985,15 +1984,10 @@ int ext4_convert_inline_data(struct inod
goto out_free;
}

- down_write(&EXT4_I(inode)->xattr_sem);
- if (!ext4_has_inline_data(inode)) {
- up_write(&EXT4_I(inode)->xattr_sem);
- goto out;
- }
-
- error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
- up_write(&EXT4_I(inode)->xattr_sem);
-out:
+ ext4_write_lock_xattr(inode, &no_expand);
+ if (ext4_has_inline_data(inode))
+ error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
+ ext4_write_unlock_xattr(inode, &no_expand);
ext4_journal_stop(handle);
out_free:
brelse(iloc.bh);
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1106,16 +1106,14 @@ ext4_xattr_set_handle(handle_t *handle,
struct ext4_xattr_block_find bs = {
.s = { .not_found = -ENODATA, },
};
- unsigned long no_expand;
+ int no_expand;
int error;

if (!name)
return -EINVAL;
if (strlen(name) > 255)
return -ERANGE;
- down_write(&EXT4_I(inode)->xattr_sem);
- no_expand = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
- ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
+ ext4_write_lock_xattr(inode, &no_expand);

error = ext4_reserve_inode_write(handle, inode, &is.iloc);
if (error)
@@ -1176,7 +1174,7 @@ ext4_xattr_set_handle(handle_t *handle,
ext4_xattr_update_super_block(handle, inode->i_sb);
inode->i_ctime = ext4_current_time(inode);
if (!value)
- ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
+ no_expand = 0;
error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);
/*
* The bh is consumed by ext4_mark_iloc_dirty, even with
@@ -1190,9 +1188,7 @@ ext4_xattr_set_handle(handle_t *handle,
cleanup:
brelse(is.iloc.bh);
brelse(bs.bh);
- if (no_expand == 0)
- ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
- up_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_unlock_xattr(inode, &no_expand);
return error;
}

@@ -1275,12 +1271,11 @@ int ext4_expand_extra_isize_ea(struct in
void *base, *start, *end;
int extra_isize = 0, error = 0, tried_min_extra_isize = 0;
int s_min_extra_isize = le16_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_min_extra_isize);
+ int no_expand;
+
+ if (ext4_write_trylock_xattr(inode, &no_expand) == 0)
+ return 0;

- down_write(&EXT4_I(inode)->xattr_sem);
- /*
- * Set EXT4_STATE_NO_EXPAND to avoid recursion when marking inode dirty
- */
- ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
retry:
if (EXT4_I(inode)->i_extra_isize >= new_extra_isize)
goto out;
@@ -1469,8 +1464,7 @@ retry:
}
brelse(bh);
out:
- ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
- up_write(&EXT4_I(inode)->xattr_sem);
+ ext4_write_unlock_xattr(inode, &no_expand);
return 0;

cleanup:
@@ -1482,10 +1476,10 @@ cleanup:
kfree(bs);
brelse(bh);
/*
- * We deliberately leave EXT4_STATE_NO_EXPAND set here since inode
- * size expansion failed.
+ * Inode size expansion failed; don't try again
*/
- up_write(&EXT4_I(inode)->xattr_sem);
+ no_expand = 1;
+ ext4_write_unlock_xattr(inode, &no_expand);
return error;
}

--- a/fs/ext4/xattr.h
+++ b/fs/ext4/xattr.h
@@ -98,6 +98,38 @@ extern const struct xattr_handler ext4_x
extern const struct xattr_handler ext4_xattr_trusted_handler;
extern const struct xattr_handler ext4_xattr_security_handler;

+/*
+ * The EXT4_STATE_NO_EXPAND is overloaded and used for two purposes.
+ * The first is to signal that there the inline xattrs and data are
+ * taking up so much space that we might as well not keep trying to
+ * expand it. The second is that xattr_sem is taken for writing, so
+ * we shouldn't try to recurse into the inode expansion. For this
+ * second case, we need to make sure that we take save and restore the
+ * NO_EXPAND state flag appropriately.
+ */
+static inline void ext4_write_lock_xattr(struct inode *inode, int *save)
+{
+ down_write(&EXT4_I(inode)->xattr_sem);
+ *save = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
+ ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
+}
+
+static inline int ext4_write_trylock_xattr(struct inode *inode, int *save)
+{
+ if (down_write_trylock(&EXT4_I(inode)->xattr_sem) == 0)
+ return 0;
+ *save = ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND);
+ ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
+ return 1;
+}
+
+static inline void ext4_write_unlock_xattr(struct inode *inode, int *save)
+{
+ if (*save == 0)
+ ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
+ up_write(&EXT4_I(inode)->xattr_sem);
+}
+
extern ssize_t ext4_listxattr(struct dentry *, char *, size_t);

extern int ext4_xattr_get(struct inode *, int, const char *, void *, size_t);

2017-06-01 16:34:03

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 056/212] blk-mq: Make bt_clear_tag() easier to read

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <[email protected]>

commit 9d8f0bcca6ffa024a822ce4ab1008ab663f06672 upstream.

Eliminate a backwards goto statement from bt_clear_tag().

Signed-off-by: Bart Van Assche <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
block/blk-mq-tag.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)

--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -352,15 +352,12 @@ static void bt_clear_tag(struct blk_mq_b
return;

wait_cnt = atomic_dec_return(&bs->wait_cnt);
+ if (unlikely(wait_cnt < 0))
+ wait_cnt = atomic_inc_return(&bs->wait_cnt);
if (wait_cnt == 0) {
-wake:
atomic_add(bt->wake_cnt, &bs->wait_cnt);
bt_index_atomic_inc(&bt->wake_index);
wake_up(&bs->wait);
- } else if (wait_cnt < 0) {
- wait_cnt = atomic_inc_return(&bs->wait_cnt);
- if (!wait_cnt)
- goto wake;
}
}


2017-06-01 16:34:01

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 036/212] IB/ipoib: rtnl_unlock can not come after free_netdev

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Feras Daoud <[email protected]>

commit 89a3987ab7a923c047c6dec008e60ad6f41fac22 upstream.

The ipoib_vlan_add function calls rtnl_unlock after free_netdev,
rtnl_unlock not only releases the lock, but also calls netdev_run_todo.
The latter function browses the net_todo_list array and completes the
unregistration of all its net_device instances. If we call free_netdev
before rtnl_unlock, then netdev_run_todo call over the freed device causes
panic.
To fix, move rtnl_unlock call before free_netdev call.

Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support")
Cc: Or Gerlitz <[email protected]>
Signed-off-by: Feras Daoud <[email protected]>
Signed-off-by: Erez Shitrit <[email protected]>
Reviewed-by: Yuval Shaia <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
@@ -168,11 +168,11 @@ int ipoib_vlan_add(struct net_device *pd
out:
up_write(&ppriv->vlan_rwsem);

+ rtnl_unlock();
+
if (result)
free_netdev(priv->dev);

- rtnl_unlock();
-
return result;
}


2017-06-01 15:44:41

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 010/212] MIPS: Calculate microMIPS ra properly when unwinding the stack

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Burton <[email protected]>

commit bb9bc4689b9c635714fbcd5d335bad9934a7ebfc upstream.

get_frame_info() calculates the offset of the return address within a
stack frame simply by dividing a the bottom 16 bits of the instruction,
treated as a signed integer, by the size of a long. Whilst this works
for MIPS32 & MIPS64 ISAs where the sw or sd instructions are used, it's
incorrect for microMIPS where encodings differ. The result is that we
typically completely fail to unwind the stack on microMIPS.

Fix this by adjusting is_ra_save_ins() to calculate the return address
offset, and take into account the various different encodings there in
the same place as we consider whether an instruction is storing the
ra/$31 register.

With this we are now able to unwind the stack for kernels targetting the
microMIPS ISA, for example we can produce:

Call Trace:
[<80109e1f>] show_stack+0x63/0x7c
[<8011ea17>] __warn+0x9b/0xac
[<8011ea45>] warn_slowpath_fmt+0x1d/0x20
[<8013fe53>] register_console+0x43/0x314
[<8067c58d>] of_setup_earlycon+0x1dd/0x1ec
[<8067f63f>] early_init_dt_scan_chosen_stdout+0xe7/0xf8
[<8066c115>] do_early_param+0x75/0xac
[<801302f9>] parse_args+0x1dd/0x308
[<8066c459>] parse_early_options+0x25/0x28
[<8066c48b>] parse_early_param+0x2f/0x38
[<8066e8cf>] setup_arch+0x113/0x488
[<8066c4f3>] start_kernel+0x57/0x328
---[ end trace 0000000000000000 ]---

Whereas previously we only produced:

Call Trace:
[<80109e1f>] show_stack+0x63/0x7c
---[ end trace 0000000000000000 ]---

Signed-off-by: Paul Burton <[email protected]>
Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
Cc: Leonid Yegoshin <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/14532/
Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/kernel/process.c | 83 +++++++++++++++++++++++++++++++++++-----------
1 file changed, 63 insertions(+), 20 deletions(-)

--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -223,7 +223,7 @@ struct mips_frame_info {
#define J_TARGET(pc,target) \
(((unsigned long)(pc) & 0xf0000000) | ((target) << 2))

-static inline int is_ra_save_ins(union mips_instruction *ip)
+static inline int is_ra_save_ins(union mips_instruction *ip, int *poff)
{
#ifdef CONFIG_CPU_MICROMIPS
/*
@@ -236,25 +236,70 @@ static inline int is_ra_save_ins(union m
* microMIPS is way more fun...
*/
if (mm_insn_16bit(ip->halfword[1])) {
- return (ip->mm16_r5_format.opcode == mm_swsp16_op &&
- ip->mm16_r5_format.rt == 31) ||
- (ip->mm16_m_format.opcode == mm_pool16c_op &&
- ip->mm16_m_format.func == mm_swm16_op);
- }
- else {
- return (ip->mm_m_format.opcode == mm_pool32b_op &&
- ip->mm_m_format.rd > 9 &&
- ip->mm_m_format.base == 29 &&
- ip->mm_m_format.func == mm_swm32_func) ||
- (ip->i_format.opcode == mm_sw32_op &&
- ip->i_format.rs == 29 &&
- ip->i_format.rt == 31);
+ switch (ip->mm16_r5_format.opcode) {
+ case mm_swsp16_op:
+ if (ip->mm16_r5_format.rt != 31)
+ return 0;
+
+ *poff = ip->mm16_r5_format.simmediate;
+ *poff = (*poff << 2) / sizeof(ulong);
+ return 1;
+
+ case mm_pool16c_op:
+ switch (ip->mm16_m_format.func) {
+ case mm_swm16_op:
+ *poff = ip->mm16_m_format.imm;
+ *poff += 1 + ip->mm16_m_format.rlist;
+ *poff = (*poff << 2) / sizeof(ulong);
+ return 1;
+
+ default:
+ return 0;
+ }
+
+ default:
+ return 0;
+ }
+ }
+
+ switch (ip->i_format.opcode) {
+ case mm_sw32_op:
+ if (ip->i_format.rs != 29)
+ return 0;
+ if (ip->i_format.rt != 31)
+ return 0;
+
+ *poff = ip->i_format.simmediate / sizeof(ulong);
+ return 1;
+
+ case mm_pool32b_op:
+ switch (ip->mm_m_format.func) {
+ case mm_swm32_func:
+ if (ip->mm_m_format.rd < 0x10)
+ return 0;
+ if (ip->mm_m_format.base != 29)
+ return 0;
+
+ *poff = ip->mm_m_format.simmediate;
+ *poff += (ip->mm_m_format.rd & 0xf) * sizeof(u32);
+ *poff /= sizeof(ulong);
+ return 1;
+ default:
+ return 0;
+ }
+
+ default:
+ return 0;
}
#else
/* sw / sd $ra, offset($sp) */
- return (ip->i_format.opcode == sw_op || ip->i_format.opcode == sd_op) &&
- ip->i_format.rs == 29 &&
- ip->i_format.rt == 31;
+ if ((ip->i_format.opcode == sw_op || ip->i_format.opcode == sd_op) &&
+ ip->i_format.rs == 29 && ip->i_format.rt == 31) {
+ *poff = ip->i_format.simmediate / sizeof(ulong);
+ return 1;
+ }
+
+ return 0;
#endif
}

@@ -377,11 +422,9 @@ static int get_frame_info(struct mips_fr
}
continue;
}
- if (info->pc_offset == -1 && is_ra_save_ins(&insn)) {
- info->pc_offset =
- ip->i_format.simmediate / sizeof(long);
+ if (info->pc_offset == -1 &&
+ is_ra_save_ins(&insn, &info->pc_offset))
break;
- }
}
if (info->frame_size && info->pc_offset >= 0) /* nested */
return 0;

2017-06-01 16:34:52

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 054/212] perf script: Fix man page about --dump-raw-trace option

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michael Petlan <[email protected]>

commit 5c64f99b1d030ce52acce53d83141d88f79e6362 upstream.

The "--dump-raw-script" is not a valid option, replace it with the valid
one, "--dump-raw-trace"

Signed-off-by: Michael Petlan <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Fixes: 133dc4c39c57 ("perf: Rename 'perf trace' to 'perf script'")
LPU-Reference: [email protected]
Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
tools/perf/Documentation/perf-script.txt | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/tools/perf/Documentation/perf-script.txt
+++ b/tools/perf/Documentation/perf-script.txt
@@ -36,7 +36,7 @@ There are several variants of perf scrip

'perf script report <script> [args]' to run and display the results
of <script>. <script> is the name displayed in the output of 'perf
- trace --list' i.e. the actual script name minus any language
+ script --list' i.e. the actual script name minus any language
extension. The perf.data output from a previous run of 'perf script
record <script>' is used and should be present for this command to
succeed. [args] refers to the (mainly optional) args expected by
@@ -76,7 +76,7 @@ OPTIONS
Any command you can specify in a shell.

-D::
---dump-raw-script=::
+--dump-raw-trace=::
Display verbose dump of the trace data.

-L::

2017-06-01 16:35:07

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 030/212] ath5k: drop bogus warning on drv_set_key with unsupported cipher

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <[email protected]>

commit a70e1d6fd6b5e1a81fa6171600942bee34f5128f upstream.

Simply return -EOPNOTSUPP instead.

Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/ath/ath5k/mac80211-ops.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/net/wireless/ath/ath5k/mac80211-ops.c
+++ b/drivers/net/wireless/ath/ath5k/mac80211-ops.c
@@ -511,8 +511,7 @@ ath5k_set_key(struct ieee80211_hw *hw, e
break;
return -EOPNOTSUPP;
default:
- WARN_ON(1);
- return -EINVAL;
+ return -EOPNOTSUPP;
}

mutex_lock(&ah->lock);

2017-06-01 16:35:27

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 029/212] tty: serial: msm: Fix module autoload

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Javier Martinez Canillas <[email protected]>

commit abe81f3b8ed2996e1712d26d38ff6b73f582c616 upstream.

If the driver is built as a module, autoload won't work because the module
alias information is not filled. So user-space can't match the registered
device with the corresponding module.

Export the module alias information using the MODULE_DEVICE_TABLE() macro.

Before this patch:

$ modinfo drivers/tty/serial/msm_serial.ko | grep alias
$

After this patch:

$ modinfo drivers/tty/serial/msm_serial.ko | grep alias
alias: of:N*T*Cqcom,msm-uartdmC*
alias: of:N*T*Cqcom,msm-uartdm
alias: of:N*T*Cqcom,msm-uartC*
alias: of:N*T*Cqcom,msm-uart

Signed-off-by: Javier Martinez Canillas <[email protected]>
Acked-by: Bjorn Andersson <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/tty/serial/msm_serial.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/tty/serial/msm_serial.c
+++ b/drivers/tty/serial/msm_serial.c
@@ -1054,6 +1054,7 @@ static struct of_device_id msm_match_tab
{ .compatible = "qcom,msm-uartdm" },
{}
};
+MODULE_DEVICE_TABLE(of, msm_match_table);

static struct platform_driver msm_platform_driver = {
.remove = msm_serial_remove,

2017-06-01 16:36:13

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 048/212] USB: serial: quatech2: fix control-message error handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 8c34cb8ddfe808d557b51da983ff10c02793beb2 upstream.

Make sure to detect short control-message transfers when fetching
modem and line state in open and when retrieving registers.

This specifically makes sure that an errno is returned to user space on
errors in TIOCMGET instead of a zero bitmask.

Also drop the unused getdevice function which also lacked appropriate
error handling.

Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/quatech2.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)

--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -188,22 +188,22 @@ static inline int qt2_setdevice(struct u
}


-static inline int qt2_getdevice(struct usb_device *dev, u8 *data)
-{
- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
- QT_SET_GET_DEVICE, 0xc0, 0, 0,
- data, 3, QT2_USB_TIMEOUT);
-}
-
static inline int qt2_getregister(struct usb_device *dev,
u8 uart,
u8 reg,
u8 *data)
{
- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
- QT_SET_GET_REGISTER, 0xc0, reg,
- uart, data, sizeof(*data), QT2_USB_TIMEOUT);
+ int ret;

+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+ QT_SET_GET_REGISTER, 0xc0, reg,
+ uart, data, sizeof(*data), QT2_USB_TIMEOUT);
+ if (ret < sizeof(*data)) {
+ if (ret >= 0)
+ ret = -EIO;
+ }
+
+ return ret;
}

static inline int qt2_setregister(struct usb_device *dev,
@@ -372,9 +372,11 @@ static int qt2_open(struct tty_struct *t
0xc0, 0,
device_port, data, 2, QT2_USB_TIMEOUT);

- if (status < 0) {
+ if (status < 2) {
dev_err(&port->dev, "%s - open port failed %i\n", __func__,
status);
+ if (status >= 0)
+ status = -EIO;
kfree(data);
return status;
}

2017-06-01 16:36:11

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 050/212] USB: serial: ssu100: fix control-message error handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 1eac5c244f705182d1552a53e2f74e2775ed95d6 upstream.

Make sure to detect short control-message transfers rather than continue
with zero-initialised data when retrieving modem status and during
device initialisation.

Fixes: 52af95459939 ("USB: add USB serial ssu100 driver")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/ssu100.c | 31 ++++++++++++++++++++++++-------
1 file changed, 24 insertions(+), 7 deletions(-)

--- a/drivers/usb/serial/ssu100.c
+++ b/drivers/usb/serial/ssu100.c
@@ -80,9 +80,17 @@ static inline int ssu100_setdevice(struc

static inline int ssu100_getdevice(struct usb_device *dev, u8 *data)
{
- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
- QT_SET_GET_DEVICE, 0xc0, 0, 0,
- data, 3, 300);
+ int ret;
+
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+ QT_SET_GET_DEVICE, 0xc0, 0, 0,
+ data, 3, 300);
+ if (ret < 3) {
+ if (ret >= 0)
+ ret = -EIO;
+ }
+
+ return ret;
}

static inline int ssu100_getregister(struct usb_device *dev,
@@ -90,10 +98,17 @@ static inline int ssu100_getregister(str
unsigned short reg,
u8 *data)
{
- return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
- QT_SET_GET_REGISTER, 0xc0, reg,
- uart, data, sizeof(*data), 300);
+ int ret;

+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+ QT_SET_GET_REGISTER, 0xc0, reg,
+ uart, data, sizeof(*data), 300);
+ if (ret < sizeof(*data)) {
+ if (ret >= 0)
+ ret = -EIO;
+ }
+
+ return ret;
}


@@ -289,8 +304,10 @@ static int ssu100_open(struct tty_struct
QT_OPEN_CLOSE_CHANNEL,
QT_TRANSFER_IN, 0x01,
0, data, 2, 300);
- if (result < 0) {
+ if (result < 2) {
dev_dbg(&port->dev, "%s - open failed %i\n", __func__, result);
+ if (result >= 0)
+ result = -EIO;
kfree(data);
return result;
}

2017-06-01 16:36:57

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 022/212] Drivers: hv: vmbus: Reduce the delay between retries in vmbus_post_msg()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: "K. Y. Srinivasan" <[email protected]>

commit 8de0d7e951826d7592e0ba1da655b175c4aa0923 upstream.

The current delay between retries is unnecessarily high and is negatively
affecting the time it takes to boot the system.

Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/hv/connection.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/hv/connection.c
+++ b/drivers/hv/connection.c
@@ -418,7 +418,7 @@ int vmbus_post_msg(void *buffer, size_t
union hv_connection_id conn_id;
int ret = 0;
int retries = 0;
- u32 msec = 1;
+ u32 usec = 1;

conn_id.asu32 = 0;
conn_id.u.id = VMBUS_MESSAGE_CONNECTION_ID;
@@ -451,9 +451,9 @@ int vmbus_post_msg(void *buffer, size_t
}

retries++;
- msleep(msec);
- if (msec < 2048)
- msec *= 2;
+ udelay(usec);
+ if (usec < 2048)
+ usec *= 2;
}
return ret;
}

2017-06-01 16:36:55

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 046/212] USB: serial: io_edgeport: fix descriptor error handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 3c0e25d883d06a1fbd1ad35257e8abaa57befb37 upstream.

Make sure to detect short control-message transfers and log an error
when reading incomplete manufacturer and boot descriptors.

Note that the default all-zero descriptors will now be used after a
short transfer is detected instead of partially initialised ones.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/io_edgeport.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2109,8 +2109,7 @@ static int rom_write(struct usb_serial *
* rom_read
* reads a number of bytes from the Edgeport device starting at the given
* address.
- * If successful returns the number of bytes read, otherwise it returns
- * a negative error number of the problem.
+ * Returns zero on success or a negative error number.
****************************************************************************/
static int rom_read(struct usb_serial *serial, __u16 extAddr,
__u16 addr, __u16 length, __u8 *data)
@@ -2135,12 +2134,17 @@ static int rom_read(struct usb_serial *s
USB_REQUEST_ION_READ_ROM,
0xC0, addr, extAddr, transfer_buffer,
current_length, 300);
- if (result < 0)
+ if (result < current_length) {
+ if (result >= 0)
+ result = -EIO;
break;
+ }
memcpy(data, transfer_buffer, current_length);
length -= current_length;
addr += current_length;
data += current_length;
+
+ result = 0;
}

kfree(transfer_buffer);
@@ -2597,9 +2601,10 @@ static void get_manufacturing_desc(struc
EDGE_MANUF_DESC_LEN,
(__u8 *)(&edge_serial->manuf_descriptor));

- if (response < 1)
- dev_err(dev, "error in getting manufacturer descriptor\n");
- else {
+ if (response < 0) {
+ dev_err(dev, "error in getting manufacturer descriptor: %d\n",
+ response);
+ } else {
char string[30];
dev_dbg(dev, "**Manufacturer Descriptor\n");
dev_dbg(dev, " RomSize: %dK\n",
@@ -2656,9 +2661,10 @@ static void get_boot_desc(struct edgepor
EDGE_BOOT_DESC_LEN,
(__u8 *)(&edge_serial->boot_descriptor));

- if (response < 1)
- dev_err(dev, "error in getting boot descriptor\n");
- else {
+ if (response < 0) {
+ dev_err(dev, "error in getting boot descriptor: %d\n",
+ response);
+ } else {
dev_dbg(dev, "**Boot Descriptor:\n");
dev_dbg(dev, " BootCodeLength: %d\n",
le16_to_cpu(edge_serial->boot_descriptor.BootCodeLength));

2017-06-01 16:37:32

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 037/212] IB/ipoib: Replace list_del of the neigh->list with list_del_init

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Feras Daoud <[email protected]>

commit c586071d1dc8227a7182179b8e50ee92cc43f6d2 upstream.

In order to resolve a situation where a few process delete
the same list element in sequence and cause panic, list_del
is replaced with list_del_init. In this case if the first
process that calls list_del releases the lock before acquiring
it again, other processes who can acquire the lock will call
list_del_init.

Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup")
Signed-off-by: Feras Daoud <[email protected]>
Signed-off-by: Erez Shitrit <[email protected]>
Reviewed-by: Alex Vesker <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Reviewed-by: Yuval Shaia <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib_main.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -940,7 +940,7 @@ static void __ipoib_reap_neigh(struct ip
rcu_dereference_protected(neigh->hnext,
lockdep_is_held(&priv->lock)));
/* remove from path/mc list */
- list_del(&neigh->list);
+ list_del_init(&neigh->list);
call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
} else {
np = &neigh->hnext;
@@ -1103,7 +1103,7 @@ void ipoib_neigh_free(struct ipoib_neigh
rcu_dereference_protected(neigh->hnext,
lockdep_is_held(&priv->lock)));
/* remove from parent list */
- list_del(&neigh->list);
+ list_del_init(&neigh->list);
call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
return;
} else {
@@ -1188,7 +1188,7 @@ void ipoib_del_neighs_by_gid(struct net_
rcu_dereference_protected(neigh->hnext,
lockdep_is_held(&priv->lock)));
/* remove from parent list */
- list_del(&neigh->list);
+ list_del_init(&neigh->list);
call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
} else {
np = &neigh->hnext;
@@ -1230,7 +1230,7 @@ static void ipoib_flush_neighs(struct ip
rcu_dereference_protected(neigh->hnext,
lockdep_is_held(&priv->lock)));
/* remove from path/mc list */
- list_del(&neigh->list);
+ list_del_init(&neigh->list);
call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
}
}

2017-06-01 16:37:30

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 039/212] locking/ww_mutex: Fix compilation of __WW_MUTEX_INITIALIZER

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Chris Wilson <[email protected]>

commit af2e859edd477fa1ea3d1d106f41a595cff3d162 upstream.

=46romconflicting macro parameters, passing the wrong name to
__MUTEX_INITIALIZER and a stray '\', #define __WW_MUTEX_INITIALIZER was
very unhappy.

One unnecessary change was to choose to pass &ww_class instead of
implicitly taking the address of the class within the macro.

Signed-off-by: Chris Wilson <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Maarten Lankhorst <[email protected]>
Cc: Paul E. McKenney <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Fixes: 1b375dc30710 ("mutex: Move ww_mutex definitions to ww_mutex.h")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
include/linux/ww_mutex.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/include/linux/ww_mutex.h
+++ b/include/linux/ww_mutex.h
@@ -51,10 +51,10 @@ struct ww_mutex {
};

#ifdef CONFIG_DEBUG_LOCK_ALLOC
-# define __WW_CLASS_MUTEX_INITIALIZER(lockname, ww_class) \
- , .ww_class = &ww_class
+# define __WW_CLASS_MUTEX_INITIALIZER(lockname, class) \
+ , .ww_class = class
#else
-# define __WW_CLASS_MUTEX_INITIALIZER(lockname, ww_class)
+# define __WW_CLASS_MUTEX_INITIALIZER(lockname, class)
#endif

#define __WW_CLASS_INITIALIZER(ww_class) \
@@ -63,7 +63,7 @@ struct ww_mutex {
, .mutex_name = #ww_class "_mutex" }

#define __WW_MUTEX_INITIALIZER(lockname, class) \
- { .base = { \__MUTEX_INITIALIZER(lockname) } \
+ { .base = __MUTEX_INITIALIZER(lockname.base) \
__WW_CLASS_MUTEX_INITIALIZER(lockname, class) }

#define DEFINE_WW_CLASS(classname) \

2017-06-01 16:37:29

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 020/212] hv: vmbus_post_msg: retry the hypercall on some transient errors

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dexuan Cui <[email protected]>

commit 89f9f6796d41e10e224b0cb0027ddd78cb881f65 upstream.

I got HV_STATUS_INVALID_CONNECTION_ID on Hyper-V 2008 R2 when keeping running
"rmmod hv_netvsc; modprobe hv_netvsc; rmmod hv_utils; modprobe hv_utils"
in a Linux guest. Looks the host has some kind of throttling mechanism if
some kinds of hypercalls are sent too frequently.
Without the patch, the driver can occasionally fail to load.

Also let's retry HV_STATUS_INSUFFICIENT_MEMORY, though we didn't get it
before.

Removed 'case -ENOMEM', since the hypervisor doesn't return this.

CC: "K. Y. Srinivasan" <[email protected]>
Reviewed-by: Jason Wang <[email protected]>
Signed-off-by: Dexuan Cui <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/x86/include/uapi/asm/hyperv.h | 2 ++
drivers/hv/connection.c | 11 +++++++++--
2 files changed, 11 insertions(+), 2 deletions(-)

--- a/arch/x86/include/uapi/asm/hyperv.h
+++ b/arch/x86/include/uapi/asm/hyperv.h
@@ -214,6 +214,8 @@
#define HV_STATUS_INVALID_HYPERCALL_CODE 2
#define HV_STATUS_INVALID_HYPERCALL_INPUT 3
#define HV_STATUS_INVALID_ALIGNMENT 4
+#define HV_STATUS_INSUFFICIENT_MEMORY 11
+#define HV_STATUS_INVALID_CONNECTION_ID 18
#define HV_STATUS_INSUFFICIENT_BUFFERS 19

typedef struct _HV_REFERENCE_TSC_PAGE {
--- a/drivers/hv/connection.c
+++ b/drivers/hv/connection.c
@@ -431,9 +431,16 @@ int vmbus_post_msg(void *buffer, size_t
ret = hv_post_message(conn_id, 1, buffer, buflen);

switch (ret) {
+ case HV_STATUS_INVALID_CONNECTION_ID:
+ /*
+ * We could get this if we send messages too
+ * frequently.
+ */
+ ret = -EAGAIN;
+ break;
+ case HV_STATUS_INSUFFICIENT_MEMORY:
case HV_STATUS_INSUFFICIENT_BUFFERS:
ret = -ENOMEM;
- case -ENOMEM:
break;
case HV_STATUS_SUCCESS:
return ret;
@@ -443,7 +450,7 @@ int vmbus_post_msg(void *buffer, size_t
}

retries++;
- msleep(100);
+ msleep(1000);
}
return ret;
}

2017-06-01 16:37:27

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 045/212] USB: serial: io_edgeport: fix epic-descriptor handling

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit e4457d9798adb96272468e93da663de9bd0a4198 upstream.

Use a dedicated buffer for the DMA transfer and make sure to detect
short transfers to avoid parsing a corrupt descriptor.

Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/usb/serial/io_edgeport.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -492,20 +492,24 @@ static int get_epic_descriptor(struct ed
int result;
struct usb_serial *serial = ep->serial;
struct edgeport_product_info *product_info = &ep->product_info;
- struct edge_compatibility_descriptor *epic = &ep->epic_descriptor;
+ struct edge_compatibility_descriptor *epic;
struct edge_compatibility_bits *bits;
struct device *dev = &serial->dev->dev;

ep->is_epic = 0;
+
+ epic = kmalloc(sizeof(*epic), GFP_KERNEL);
+ if (!epic)
+ return -ENOMEM;
+
result = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
USB_REQUEST_ION_GET_EPIC_DESC,
0xC0, 0x00, 0x00,
- &ep->epic_descriptor,
- sizeof(struct edge_compatibility_descriptor),
+ epic, sizeof(*epic),
300);
-
- if (result > 0) {
+ if (result == sizeof(*epic)) {
ep->is_epic = 1;
+ memcpy(&ep->epic_descriptor, epic, sizeof(*epic));
memset(product_info, 0, sizeof(struct edgeport_product_info));

product_info->NumPorts = epic->NumPorts;
@@ -534,8 +538,16 @@ static int get_epic_descriptor(struct ed
dev_dbg(dev, " IOSPWriteLCR : %s\n", bits->IOSPWriteLCR ? "TRUE": "FALSE");
dev_dbg(dev, " IOSPSetBaudRate : %s\n", bits->IOSPSetBaudRate ? "TRUE": "FALSE");
dev_dbg(dev, " TrueEdgeport : %s\n", bits->TrueEdgeport ? "TRUE": "FALSE");
+
+ result = 0;
+ } else if (result >= 0) {
+ dev_warn(&serial->interface->dev, "short epic descriptor received: %d\n",
+ result);
+ result = -EIO;
}

+ kfree(epic);
+
return result;
}

@@ -2789,7 +2801,7 @@ static int edge_startup(struct usb_seria
dev_info(&serial->dev->dev, "%s detected\n", edge_serial->name);

/* Read the epic descriptor */
- if (get_epic_descriptor(edge_serial) <= 0) {
+ if (get_epic_descriptor(edge_serial) < 0) {
/* memcpy descriptor to Supports structures */
memcpy(&edge_serial->epic_descriptor.Supports, descriptor,
sizeof(struct edge_compatibility_bits));

2017-06-01 16:37:26

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 025/212] hv: init percpu_list in hv_synic_alloc()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vitaly Kuznetsov <[email protected]>

commit 3c7630d35009e6635e5b58d62de554fd5b6db5df upstream.

Initializing hv_context.percpu_list in hv_synic_alloc() helps to prevent a
crash in percpu_channel_enq() when not all CPUs were online during
initialization and it naturally belongs there.

Signed-off-by: Vitaly Kuznetsov <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/hv/hv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/hv/hv.c
+++ b/drivers/hv/hv.c
@@ -295,6 +295,8 @@ int hv_synic_alloc(void)
pr_err("Unable to allocate post msg page\n");
goto err;
}
+
+ INIT_LIST_HEAD(&hv_context.percpu_list[cpu]);
}

return 0;
@@ -386,8 +388,6 @@ void hv_synic_init(void *arg)
*/
rdmsrl(HV_X64_MSR_VP_INDEX, vp_index);
hv_context.vp_index[cpu] = (u32)vp_index;
-
- INIT_LIST_HEAD(&hv_context.percpu_list[cpu]);
return;
}


2017-06-01 16:37:24

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 024/212] hv: allocate synic pages for all present CPUs

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vitaly Kuznetsov <[email protected]>

commit 421b8f20d3c381b215f988b42428f56fc3b82405 upstream.

It may happen that not all CPUs are online when we do hv_synic_alloc() and
in case more CPUs come online later we may try accessing these allocated
structures.

Signed-off-by: Vitaly Kuznetsov <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/hv/hv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/hv/hv.c
+++ b/drivers/hv/hv.c
@@ -264,7 +264,7 @@ int hv_synic_alloc(void)
size_t size = sizeof(struct tasklet_struct);
int cpu;

- for_each_online_cpu(cpu) {
+ for_each_present_cpu(cpu) {
hv_context.event_dpc[cpu] = kmalloc(size, GFP_ATOMIC);
if (hv_context.event_dpc[cpu] == NULL) {
pr_err("Unable to allocate event dpc\n");
@@ -317,7 +317,7 @@ void hv_synic_free(void)
{
int cpu;

- for_each_online_cpu(cpu)
+ for_each_present_cpu(cpu)
hv_synic_free_cpu(cpu);
}


2017-06-01 15:44:39

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 007/212] MIPS: Prevent unaligned accesses during stack unwinding

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Burton <[email protected]>

commit a3552dace7d1d0cabf573e88fc3025cb90c4a601 upstream.

During stack unwinding we call a number of functions to determine what
type of instruction we're looking at. The union mips_instruction pointer
provided to them may be pointing at a 2 byte, but not 4 byte, aligned
address & we thus cannot directly access the 4 byte wide members of the
union mips_instruction. To avoid this is_ra_save_ins() copies the
required half-words of the microMIPS instruction to a correctly aligned
union mips_instruction on the stack, which it can then access safely.
The is_jump_ins() & is_sp_move_ins() functions do not correctly perform
this temporary copy, and instead attempt to directly dereference 4 byte
fields which may be misaligned and lead to an address exception.

Fix this by copying the instruction halfwords to a temporary union
mips_instruction in get_frame_info() such that we can provide a 4 byte
aligned union mips_instruction to the is_*_ins() functions and they do
not need to deal with misalignment themselves.

Signed-off-by: Paul Burton <[email protected]>
Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
Cc: Leonid Yegoshin <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/14529/
Signed-off-by: Ralf Baechle <[email protected]>
[bwh: Backported to 3.16: old code had extra parentheses]
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/kernel/process.c | 70 +++++++++++++++++++++++-----------------------
1 file changed, 35 insertions(+), 35 deletions(-)

--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -226,8 +226,6 @@ struct mips_frame_info {
static inline int is_ra_save_ins(union mips_instruction *ip)
{
#ifdef CONFIG_CPU_MICROMIPS
- union mips_instruction mmi;
-
/*
* swsp ra,offset
* swm16 reglist,offset(sp)
@@ -237,23 +235,20 @@ static inline int is_ra_save_ins(union m
*
* microMIPS is way more fun...
*/
- if (mm_insn_16bit(ip->halfword[0])) {
- mmi.word = (ip->halfword[0] << 16);
- return ((mmi.mm16_r5_format.opcode == mm_swsp16_op &&
- mmi.mm16_r5_format.rt == 31) ||
- (mmi.mm16_m_format.opcode == mm_pool16c_op &&
- mmi.mm16_m_format.func == mm_swm16_op));
+ if (mm_insn_16bit(ip->halfword[1])) {
+ return (ip->mm16_r5_format.opcode == mm_swsp16_op &&
+ ip->mm16_r5_format.rt == 31) ||
+ (ip->mm16_m_format.opcode == mm_pool16c_op &&
+ ip->mm16_m_format.func == mm_swm16_op);
}
else {
- mmi.halfword[0] = ip->halfword[1];
- mmi.halfword[1] = ip->halfword[0];
- return ((mmi.mm_m_format.opcode == mm_pool32b_op &&
- mmi.mm_m_format.rd > 9 &&
- mmi.mm_m_format.base == 29 &&
- mmi.mm_m_format.func == mm_swm32_func) ||
- (mmi.i_format.opcode == mm_sw32_op &&
- mmi.i_format.rs == 29 &&
- mmi.i_format.rt == 31));
+ return (ip->mm_m_format.opcode == mm_pool32b_op &&
+ ip->mm_m_format.rd > 9 &&
+ ip->mm_m_format.base == 29 &&
+ ip->mm_m_format.func == mm_swm32_func) ||
+ (ip->i_format.opcode == mm_sw32_op &&
+ ip->i_format.rs == 29 &&
+ ip->i_format.rt == 31);
}
#else
/* sw / sd $ra, offset($sp) */
@@ -274,12 +269,8 @@ static inline int is_jump_ins(union mips
*
* microMIPS is kind of more fun...
*/
- union mips_instruction mmi;
-
- mmi.word = (ip->halfword[0] << 16);
-
- if ((mmi.mm16_r5_format.opcode == mm_pool16c_op &&
- (mmi.mm16_r5_format.rt & mm_jr16_op) == mm_jr16_op) ||
+ if ((ip->mm16_r5_format.opcode == mm_pool16c_op &&
+ (ip->mm16_r5_format.rt & mm_jr16_op) == mm_jr16_op) ||
ip->j_format.opcode == mm_jal32_op)
return 1;
if (ip->r_format.opcode != mm_pool32a_op ||
@@ -308,15 +299,13 @@ static inline int is_sp_move_ins(union m
*
* microMIPS is not more fun...
*/
- if (mm_insn_16bit(ip->halfword[0])) {
- union mips_instruction mmi;
-
- mmi.word = (ip->halfword[0] << 16);
- return ((mmi.mm16_r3_format.opcode == mm_pool16d_op &&
- mmi.mm16_r3_format.simmediate && mm_addiusp_func) ||
- (mmi.mm16_r5_format.opcode == mm_pool16d_op &&
- mmi.mm16_r5_format.rt == 29));
+ if (mm_insn_16bit(ip->halfword[1])) {
+ return (ip->mm16_r3_format.opcode == mm_pool16d_op &&
+ ip->mm16_r3_format.simmediate && mm_addiusp_func) ||
+ (ip->mm16_r5_format.opcode == mm_pool16d_op &&
+ ip->mm16_r5_format.rt == 29);
}
+
return (ip->mm_i_format.opcode == mm_addiu32_op &&
ip->mm_i_format.rt == 29 && ip->mm_i_format.rs == 29);
#else
@@ -331,7 +320,8 @@ static inline int is_sp_move_ins(union m

static int get_frame_info(struct mips_frame_info *info)
{
- union mips_instruction *ip;
+ bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS);
+ union mips_instruction insn, *ip;
unsigned max_insns = info->func_size / sizeof(union mips_instruction);
unsigned i;

@@ -347,11 +337,21 @@ static int get_frame_info(struct mips_fr
max_insns = min(128U, max_insns);

for (i = 0; i < max_insns; i++, ip++) {
+ if (is_mmips && mm_insn_16bit(ip->halfword[0])) {
+ insn.halfword[0] = 0;
+ insn.halfword[1] = ip->halfword[0];
+ } else if (is_mmips) {
+ insn.halfword[0] = ip->halfword[1];
+ insn.halfword[1] = ip->halfword[0];
+ } else {
+ insn.word = ip->word;
+ }

- if (is_jump_ins(ip))
+ if (is_jump_ins(&insn))
break;
+
if (!info->frame_size) {
- if (is_sp_move_ins(ip))
+ if (is_sp_move_ins(&insn))
{
#ifdef CONFIG_CPU_MICROMIPS
if (mm_insn_16bit(ip->halfword[0]))
@@ -374,7 +374,7 @@ static int get_frame_info(struct mips_fr
}
continue;
}
- if (info->pc_offset == -1 && is_ra_save_ins(ip)) {
+ if (info->pc_offset == -1 && is_ra_save_ins(&insn)) {
info->pc_offset =
ip->i_format.simmediate / sizeof(long);
break;

2017-06-01 16:39:39

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 038/212] IB/ipoib: Change list_del to list_del_init in the tx object

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Feras Daoud <[email protected]>

commit 27d41d29c7f093f6f77843624fbb080c1b4a8b9c upstream.

Since ipoib_cm_tx_start function and ipoib_cm_tx_reap function
belong to different work queues, they can run in parallel.
In this case if ipoib_cm_tx_reap calls list_del and release the
lock, ipoib_cm_tx_start may acquire it and call list_del_init
on the already deleted object.
Changing list_del to list_del_init in ipoib_cm_tx_reap fixes the problem.

Fixes: 839fcaba355a ("IPoIB: Connected mode experimental support")
Signed-off-by: Feras Daoud <[email protected]>
Signed-off-by: Erez Shitrit <[email protected]>
Reviewed-by: Alex Vesker <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Reviewed-by: Yuval Shaia <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib_cm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1376,7 +1376,7 @@ static void ipoib_cm_tx_reap(struct work

while (!list_empty(&priv->cm.reap_list)) {
p = list_entry(priv->cm.reap_list.next, typeof(*p), list);
- list_del(&p->list);
+ list_del_init(&p->list);
spin_unlock_irqrestore(&priv->lock, flags);
netif_tx_unlock_bh(dev);
ipoib_cm_tx_destroy(p);

2017-06-01 16:39:57

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 011/212] MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Burton <[email protected]>

commit 096a0de427ea333f56f0ee00328cff2a2731bcf1 upstream.

is_jump_ins() checks for plain jump ("j") instructions since commit
e7438c4b893e ("MIPS: Fix sibling call handling in get_frame_info") but
that commit didn't make the same change to the microMIPS code, leaving
it inconsistent with the MIPS32/MIPS64 code. Handle the microMIPS
encoding of the jump instruction too such that it behaves consistently.

Signed-off-by: Paul Burton <[email protected]>
Fixes: e7438c4b893e ("MIPS: Fix sibling call handling in get_frame_info")
Cc: Tony Wu <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/14533/
Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/kernel/process.c | 2 ++
1 file changed, 2 insertions(+)

--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -321,6 +321,8 @@ static inline int is_jump_ins(union mips
return 0;
}

+ if (ip->j_format.opcode == mm_j32_op)
+ return 1;
if (ip->j_format.opcode == mm_jal32_op)
return 1;
if (ip->r_format.opcode != mm_pool32a_op ||

2017-06-01 16:40:17

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 006/212] MIPS: Clear ISA bit correctly in get_frame_info()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Burton <[email protected]>

commit ccaf7caf2c73c6db920772bf08bf1d47b2170634 upstream.

get_frame_info() can be called in microMIPS kernels with the ISA bit
already clear. For example this happens when unwind_stack_by_address()
is called because we begin with a PC that has the ISA bit set & subtract
the (odd) offset from the preceding symbol (which does not have the ISA
bit set). Since get_frame_info() unconditionally subtracts 1 from the PC
in microMIPS kernels it incorrectly misaligns the address it then
attempts to access code at, leading to an address error exception.

Fix this by using msk_isa16_mode() to clear the ISA bit, which allows
get_frame_info() to function regardless of whether it is provided with a
PC that has the ISA bit set or not.

Signed-off-by: Paul Burton <[email protected]>
Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
Cc: Leonid Yegoshin <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/14528/
Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/kernel/process.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)

--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -331,17 +331,14 @@ static inline int is_sp_move_ins(union m

static int get_frame_info(struct mips_frame_info *info)
{
-#ifdef CONFIG_CPU_MICROMIPS
- union mips_instruction *ip = (void *) (((char *) info->func) - 1);
-#else
- union mips_instruction *ip = info->func;
-#endif
+ union mips_instruction *ip;
unsigned max_insns = info->func_size / sizeof(union mips_instruction);
unsigned i;

info->pc_offset = -1;
info->frame_size = 0;

+ ip = (void *)msk_isa16_mode((ulong)info->func);
if (!ip)
goto err;


2017-06-01 15:44:37

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 009/212] MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Burton <[email protected]>

commit 67c75057709a6d85c681c78b9b2f9b71191f01a2 upstream.

is_jump_ins() checks 16b instruction fields without verifying that the
instruction is indeed 16b, as is done by is_ra_save_ins() &
is_sp_move_ins(). Add the appropriate check.

Signed-off-by: Paul Burton <[email protected]>
Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
Cc: Leonid Yegoshin <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/14531/
Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/kernel/process.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -269,9 +269,14 @@ static inline int is_jump_ins(union mips
*
* microMIPS is kind of more fun...
*/
- if ((ip->mm16_r5_format.opcode == mm_pool16c_op &&
- (ip->mm16_r5_format.rt & mm_jr16_op) == mm_jr16_op) ||
- ip->j_format.opcode == mm_jal32_op)
+ if (mm_insn_16bit(ip->halfword[1])) {
+ if ((ip->mm16_r5_format.opcode == mm_pool16c_op &&
+ (ip->mm16_r5_format.rt & mm_jr16_op) == mm_jr16_op))
+ return 1;
+ return 0;
+ }
+
+ if (ip->j_format.opcode == mm_jal32_op)
return 1;
if (ip->r_format.opcode != mm_pool32a_op ||
ip->r_format.func != mm_pool32axf_op)

2017-06-01 16:40:36

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 031/212] ASoC: rt5640: use msleep() for long delays

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Nicholas Mc Guire <[email protected]>

commit 4a312c9c825adf74c0026c98fed4ab59ce190863 upstream.

ulseep_range() uses hrtimers and provides no advantage over msleep()
for larger delays. Fix up the 70/80ms delays here passing the "min"
value to msleep(). This reduces the load on the hrtimer subsystem.

Link: http://lkml.org/lkml/2017/1/11/377
Fixes: commit 246693ba7b0b ("ASoC: rt5640: change widget sequence for depop")
Signed-off-by: Nicholas Mc Guire <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
sound/soc/codecs/rt5640.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/soc/codecs/rt5640.c
+++ b/sound/soc/codecs/rt5640.c
@@ -974,7 +974,7 @@ static int rt5640_hp_event(struct snd_so

case SND_SOC_DAPM_PRE_PMD:
rt5640->hp_mute = 1;
- usleep_range(70000, 75000);
+ msleep(70);
break;

default:
@@ -1038,7 +1038,7 @@ static int rt5640_hp_post_event(struct s
switch (event) {
case SND_SOC_DAPM_POST_PMU:
if (!rt5640->hp_mute)
- usleep_range(80000, 85000);
+ msleep(80);

break;


2017-06-01 16:40:34

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 033/212] IB/ipoib: Set device connection mode only when needed

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Feras Daoud <[email protected]>

commit 80b5b35aba62232521b31440f0a3cf6caa033849 upstream.

When changing the connection mode, the ipoib_set_mode function
did not check if the previous connection mode equals to the
new one. This commit adds the required check and return 0 if the new
mode equals to the previous one.

Fixes: 839fcaba355a ("IPoIB: Connected mode experimental support")
Signed-off-by: Feras Daoud <[email protected]>
Signed-off-by: Erez Shitrit <[email protected]>
Reviewed-by: Alex Vesker <[email protected]>
Reviewed-by: Yuval Shaia <[email protected]>
Signed-off-by: Leon Romanovsky <[email protected]>
Signed-off-by: Doug Ledford <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/infiniband/ulp/ipoib/ipoib_main.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -226,6 +226,13 @@ int ipoib_set_mode(struct net_device *de
{
struct ipoib_dev_priv *priv = netdev_priv(dev);

+ if ((test_bit(IPOIB_FLAG_ADMIN_CM, &priv->flags) &&
+ !strcmp(buf, "connected\n")) ||
+ (!test_bit(IPOIB_FLAG_ADMIN_CM, &priv->flags) &&
+ !strcmp(buf, "datagram\n"))) {
+ return 0;
+ }
+
/* flush paths if we switch modes so that connections are restarted */
if (IPOIB_CM_SUPPORTED(dev->dev_addr) && !strcmp(buf, "connected\n")) {
set_bit(IPOIB_FLAG_ADMIN_CM, &priv->flags);

2017-06-01 16:41:10

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 023/212] Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Vitaly Kuznetsov <[email protected]>

commit c0bb03924f1a80e7f65900e36c8e6b3dc167c5f8 upstream.

DoS protection conditions were altered in WS2016 and now it's easy to get
-EAGAIN returned from vmbus_post_msg() (e.g. when we try changing MTU on a
netvsc device in a loop). All vmbus_post_msg() callers don't retry the
operation and we usually end up with a non-functional device or crash.

While host's DoS protection conditions are unknown to me my tests show that
it can take up to 10 seconds before the message is sent so doing udelay()
is not an option, we really need to sleep. Almost all vmbus_post_msg()
callers are ready to sleep but there is one special case:
vmbus_initiate_unload() which can be called from interrupt/NMI context and
we can't sleep there. I'm also not sure about the lonely
vmbus_send_tl_connect_request() which has no in-tree users but its external
users are most likely waiting for the host to reply so sleeping there is
also appropriate.

Signed-off-by: Vitaly Kuznetsov <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[bwh: Backported to 3.16:
- Drop changes in vmbus_send_tl_connect_request(),
vmbus_initiate_unload()
- Adjust context, indentation]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/hv/channel.c
+++ b/drivers/hv/channel.c
@@ -163,7 +163,7 @@ int vmbus_open(struct vmbus_channel *new
spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);

ret = vmbus_post_msg(open_msg,
- sizeof(struct vmbus_channel_open_channel));
+ sizeof(struct vmbus_channel_open_channel), true);

if (ret != 0) {
err = ret;
@@ -391,7 +391,7 @@ int vmbus_establish_gpadl(struct vmbus_c
spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);

ret = vmbus_post_msg(gpadlmsg, msginfo->msgsize -
- sizeof(*msginfo));
+ sizeof(*msginfo), true);
if (ret != 0)
goto cleanup;

@@ -407,8 +407,8 @@ int vmbus_establish_gpadl(struct vmbus_c
gpadl_body->gpadl = next_gpadl_handle;

ret = vmbus_post_msg(gpadl_body,
- submsginfo->msgsize -
- sizeof(*submsginfo));
+ submsginfo->msgsize - sizeof(*submsginfo),
+ true);
if (ret != 0)
goto cleanup;

@@ -456,8 +456,8 @@ int vmbus_teardown_gpadl(struct vmbus_ch
list_add_tail(&info->msglistentry,
&vmbus_connection.chn_msg_list);
spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);
- ret = vmbus_post_msg(msg,
- sizeof(struct vmbus_channel_gpadl_teardown));
+ ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_gpadl_teardown),
+ true);

if (ret)
goto post_msg_err;
@@ -502,7 +502,8 @@ static int vmbus_close_internal(struct v
msg->header.msgtype = CHANNELMSG_CLOSECHANNEL;
msg->child_relid = channel->offermsg.child_relid;

- ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_close_channel));
+ ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_close_channel),
+ true);

if (ret) {
pr_err("Close failed: close post msg return is %d\n", ret);
--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -229,7 +229,8 @@ static void vmbus_process_rescind_offer(
memset(&msg, 0, sizeof(struct vmbus_channel_relid_released));
msg.child_relid = channel->offermsg.child_relid;
msg.header.msgtype = CHANNELMSG_RELID_RELEASED;
- vmbus_post_msg(&msg, sizeof(struct vmbus_channel_relid_released));
+ vmbus_post_msg(&msg, sizeof(struct vmbus_channel_relid_released),
+ true);

if (channel->target_cpu != smp_processor_id())
smp_call_function_single(channel->target_cpu,
@@ -771,8 +772,8 @@ int vmbus_request_offers(void)
msg->msgtype = CHANNELMSG_REQUESTOFFERS;


- ret = vmbus_post_msg(msg,
- sizeof(struct vmbus_channel_message_header));
+ ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_message_header),
+ true);
if (ret != 0) {
pr_err("Unable to request offers - %d\n", ret);

--- a/drivers/hv/connection.c
+++ b/drivers/hv/connection.c
@@ -94,7 +94,8 @@ static int vmbus_negotiate_version(struc
spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);

ret = vmbus_post_msg(msg,
- sizeof(struct vmbus_channel_initiate_contact));
+ sizeof(struct vmbus_channel_initiate_contact),
+ true);
if (ret != 0) {
spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags);
list_del(&msginfo->msglistentry);
@@ -413,7 +414,7 @@ void vmbus_on_event(unsigned long data)
/*
* vmbus_post_msg - Send a msg on the vmbus's message connection
*/
-int vmbus_post_msg(void *buffer, size_t buflen)
+int vmbus_post_msg(void *buffer, size_t buflen, bool can_sleep)
{
union hv_connection_id conn_id;
int ret = 0;
@@ -428,7 +429,7 @@ int vmbus_post_msg(void *buffer, size_t
* insufficient resources. Retry the operation a couple of
* times before giving up.
*/
- while (retries < 20) {
+ while (retries < 100) {
ret = hv_post_message(conn_id, 1, buffer, buflen);

switch (ret) {
@@ -451,8 +452,14 @@ int vmbus_post_msg(void *buffer, size_t
}

retries++;
- udelay(usec);
- if (usec < 2048)
+ if (can_sleep && usec > 1000)
+ msleep(usec / 1000);
+ else if (usec < MAX_UDELAY_MS * 1000)
+ udelay(usec);
+ else
+ mdelay(usec / 1000);
+
+ if (usec < 256000)
usec *= 2;
}
return ret;
--- a/drivers/hv/hyperv_vmbus.h
+++ b/drivers/hv/hyperv_vmbus.h
@@ -672,7 +672,7 @@ void vmbus_free_channels(void);

int vmbus_connect(void);

-int vmbus_post_msg(void *buffer, size_t buflen);
+int vmbus_post_msg(void *buffer, size_t buflen, bool can_sleep);

int vmbus_set_event(struct vmbus_channel *channel);


2017-06-01 16:41:09

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 027/212] ext4: avoid deadlock when expanding inode size

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jan Kara <[email protected]>

commit 2e81a4eeedcaa66e35f58b81e0755b87057ce392 upstream.

When we need to move xattrs into external xattr block, we call
ext4_xattr_block_set() from ext4_expand_extra_isize_ea(). That may end
up calling ext4_mark_inode_dirty() again which will recurse back into
the inode expansion code leading to deadlocks.

Protect from recursion using EXT4_STATE_NO_EXPAND inode flag and move
its management into ext4_expand_extra_isize_ea() since its manipulation
is safe there (due to xattr_sem) from possible races with
ext4_xattr_set_handle() which plays with it as well.

Signed-off-by: Jan Kara <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
[bwh: Backported to 3.16: adjust context[
Signed-off-by: Ben Hutchings <[email protected]>
---
fs/ext4/inode.c | 2 --
fs/ext4/xattr.c | 19 +++++++++++++------
2 files changed, 13 insertions(+), 8 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5062,8 +5062,6 @@ int ext4_mark_inode_dirty(handle_t *hand
sbi->s_want_extra_isize,
iloc, handle);
if (ret) {
- ext4_set_inode_state(inode,
- EXT4_STATE_NO_EXPAND);
if (mnt_count !=
le16_to_cpu(sbi->s_es->s_mnt_count)) {
ext4_warning(inode->i_sb,
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1277,11 +1277,13 @@ int ext4_expand_extra_isize_ea(struct in
int s_min_extra_isize = le16_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_min_extra_isize);

down_write(&EXT4_I(inode)->xattr_sem);
+ /*
+ * Set EXT4_STATE_NO_EXPAND to avoid recursion when marking inode dirty
+ */
+ ext4_set_inode_state(inode, EXT4_STATE_NO_EXPAND);
retry:
- if (EXT4_I(inode)->i_extra_isize >= new_extra_isize) {
- up_write(&EXT4_I(inode)->xattr_sem);
- return 0;
- }
+ if (EXT4_I(inode)->i_extra_isize >= new_extra_isize)
+ goto out;

header = IHDR(inode, raw_inode);
entry = IFIRST(header);
@@ -1306,8 +1308,7 @@ retry:
(void *)header, total_ino,
inode->i_sb->s_blocksize);
EXT4_I(inode)->i_extra_isize = new_extra_isize;
- error = 0;
- goto cleanup;
+ goto out;
}

/*
@@ -1467,6 +1468,8 @@ retry:
kfree(bs);
}
brelse(bh);
+out:
+ ext4_clear_inode_state(inode, EXT4_STATE_NO_EXPAND);
up_write(&EXT4_I(inode)->xattr_sem);
return 0;

@@ -1478,6 +1481,10 @@ cleanup:
kfree(is);
kfree(bs);
brelse(bh);
+ /*
+ * We deliberately leave EXT4_STATE_NO_EXPAND set here since inode
+ * size expansion failed.
+ */
up_write(&EXT4_I(inode)->xattr_sem);
return error;
}

2017-06-01 16:41:39

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 018/212] samples/seccomp: fix 64-bit comparison macros

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Mathias Svensson <[email protected]>

commit 916cafdc95843fb9af5fd5f83ca499d75473d107 upstream.

There were some bugs in the JNE64 and JLT64 comparision macros. This fixes
them, improves comments, and cleans up the file while we are at it.

Reported-by: Stephen Röttger <[email protected]>
Signed-off-by: Mathias Svensson <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: James Morris <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
samples/seccomp/bpf-helper.h | 125 +++++++++++++++++++++++++------------------
1 file changed, 72 insertions(+), 53 deletions(-)

--- a/samples/seccomp/bpf-helper.h
+++ b/samples/seccomp/bpf-helper.h
@@ -138,7 +138,7 @@ union arg64 {
#define ARG_32(idx) \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(idx))

-/* Loads hi into A and lo in X */
+/* Loads lo into M[0] and hi into M[1] and A */
#define ARG_64(idx) \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(idx)), \
BPF_STMT(BPF_ST, 0), /* lo -> M[0] */ \
@@ -153,88 +153,107 @@ union arg64 {
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (value), 1, 0), \
jt

-/* Checks the lo, then swaps to check the hi. A=lo,X=hi */
+#define JA32(value, jt) \
+ BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, (value), 0, 1), \
+ jt
+
+#define JGE32(value, jt) \
+ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (value), 0, 1), \
+ jt
+
+#define JGT32(value, jt) \
+ BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (value), 0, 1), \
+ jt
+
+#define JLE32(value, jt) \
+ BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (value), 1, 0), \
+ jt
+
+#define JLT32(value, jt) \
+ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (value), 1, 0), \
+ jt
+
+/*
+ * All the JXX64 checks assume lo is saved in M[0] and hi is saved in both
+ * A and M[1]. This invariant is kept by restoring A if necessary.
+ */
#define JEQ64(lo, hi, jt) \
+ /* if (hi != arg.hi) goto NOMATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 5), \
BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
+ /* if (lo != arg.lo) goto NOMATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (lo), 0, 2), \
- BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
+ BPF_STMT(BPF_LD+BPF_MEM, 1), \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
+ BPF_STMT(BPF_LD+BPF_MEM, 1)

#define JNE64(lo, hi, jt) \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 5, 0), \
- BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
+ /* if (hi != arg.hi) goto MATCH; */ \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 3), \
+ BPF_STMT(BPF_LD+BPF_MEM, 0), \
+ /* if (lo != arg.lo) goto MATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (lo), 2, 0), \
- BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
+ BPF_STMT(BPF_LD+BPF_MEM, 1), \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define JA32(value, jt) \
- BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, (value), 0, 1), \
- jt
+ BPF_STMT(BPF_LD+BPF_MEM, 1)

#define JA64(lo, hi, jt) \
+ /* if (hi & arg.hi) goto MATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, (hi), 3, 0), \
- BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
+ BPF_STMT(BPF_LD+BPF_MEM, 0), \
+ /* if (lo & arg.lo) goto MATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, (lo), 0, 2), \
- BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
+ BPF_STMT(BPF_LD+BPF_MEM, 1), \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define JGE32(value, jt) \
- BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (value), 0, 1), \
- jt
+ BPF_STMT(BPF_LD+BPF_MEM, 1)

-#define JLT32(value, jt) \
- BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (value), 1, 0), \
- jt
-
-/* Shortcut checking if hi > arg.hi. */
#define JGE64(lo, hi, jt) \
+ /* if (hi > arg.hi) goto MATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (hi), 4, 0), \
+ /* if (hi != arg.hi) goto NOMATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 5), \
- BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
+ BPF_STMT(BPF_LD+BPF_MEM, 0), \
+ /* if (lo >= arg.lo) goto MATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (lo), 0, 2), \
- BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
+ BPF_STMT(BPF_LD+BPF_MEM, 1), \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define JLT64(lo, hi, jt) \
- BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (hi), 0, 4), \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 5), \
- BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
- BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (lo), 2, 0), \
- BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
- jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define JGT32(value, jt) \
- BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (value), 0, 1), \
- jt
-
-#define JLE32(value, jt) \
- BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (value), 1, 0), \
- jt
+ BPF_STMT(BPF_LD+BPF_MEM, 1)

-/* Check hi > args.hi first, then do the GE checking */
#define JGT64(lo, hi, jt) \
+ /* if (hi > arg.hi) goto MATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (hi), 4, 0), \
+ /* if (hi != arg.hi) goto NOMATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 5), \
- BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
+ BPF_STMT(BPF_LD+BPF_MEM, 0), \
+ /* if (lo > arg.lo) goto MATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (lo), 0, 2), \
- BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
+ BPF_STMT(BPF_LD+BPF_MEM, 1), \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
+ BPF_STMT(BPF_LD+BPF_MEM, 1)

#define JLE64(lo, hi, jt) \
- BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (hi), 6, 0), \
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 3), \
- BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
+ /* if (hi < arg.hi) goto MATCH; */ \
+ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (hi), 0, 4), \
+ /* if (hi != arg.hi) goto NOMATCH; */ \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 5), \
+ BPF_STMT(BPF_LD+BPF_MEM, 0), \
+ /* if (lo <= arg.lo) goto MATCH; */ \
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, (lo), 2, 0), \
- BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
+ BPF_STMT(BPF_LD+BPF_MEM, 1), \
+ jt, \
+ BPF_STMT(BPF_LD+BPF_MEM, 1)
+
+#define JLT64(lo, hi, jt) \
+ /* if (hi < arg.hi) goto MATCH; */ \
+ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (hi), 0, 4), \
+ /* if (hi != arg.hi) goto NOMATCH; */ \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 5), \
+ BPF_STMT(BPF_LD+BPF_MEM, 0), \
+ /* if (lo < arg.lo) goto MATCH; */ \
+ BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, (lo), 2, 0), \
+ BPF_STMT(BPF_LD+BPF_MEM, 1), \
jt, \
- BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
+ BPF_STMT(BPF_LD+BPF_MEM, 1)

#define LOAD_SYSCALL_NR \
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \

2017-06-01 15:44:28

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 001/212] mm/huge_memory.c: fix up "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" backport

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michal Hocko <[email protected]>

This is a stable follow up fix for an incorrect backport. The issue is
not present in the upstream kernel.

Miroslav has noticed the following splat when testing my 3.2 forward
port of 8310d48b125d ("mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for
thp") to 3.12:

BUG: Bad page state in process a.out pfn:26400
page:ffffea000085e000 count:0 mapcount:1 mapping: (null) index:0x7f049d600
page flags: 0x1fffff80108018(uptodate|dirty|head|swapbacked)
page dumped because: nonzero mapcount
[iii]
CPU: 2 PID: 5926 Comm: a.out Tainted: G E 3.12.61-0-default #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
0000000000000000 ffffffff81515830 ffffea000085e000 ffffffff81800ad7
ffffffff815118a5 ffffea000085e000 0000000000000000 000fffff80000000
ffffffff81140f18 fff000007c000000 ffffea000085e000 0000000000000009
Call Trace:
[<ffffffff8100475d>] dump_trace+0x7d/0x2d0
[<ffffffff81004a44>] show_stack_log_lvl+0x94/0x170
[<ffffffff81005ce1>] show_stack+0x21/0x50
[<ffffffff81515830>] dump_stack+0x5d/0x78
[<ffffffff815118a5>] bad_page.part.67+0xe8/0x102
[<ffffffff81140f18>] free_pages_prepare+0x198/0x1b0
[<ffffffff81141275>] __free_pages_ok+0x15/0xd0
[<ffffffff8116444c>] __access_remote_vm+0x7c/0x1e0
[<ffffffff81205afb>] mem_rw.isra.13+0x14b/0x1a0
[<ffffffff811a3b18>] vfs_write+0xb8/0x1e0
[<ffffffff811a469b>] SyS_pwrite64+0x6b/0xa0
[<ffffffff81523b49>] system_call_fastpath+0x16/0x1b
[<00007f049da18573>] 0x7f049da18572

The problem is that the original 3.2 backport didn't return NULL page on
the FOLL_COW page and so the page got reused.

Reported-and-tested-by: Miroslav Beneš <[email protected]>
Signed-off-by: Michal Hocko <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
mm/huge_memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1226,7 +1226,7 @@ struct page *follow_trans_huge_pmd(struc
VM_BUG_ON_PAGE(!PageHead(page), page);

if (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, page, flags))
- goto out;
+ return NULL;

if (flags & FOLL_TOUCH) {
pmd_t _pmd;

2017-06-01 16:42:08

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 003/212] adm80211: return an error if adm8211_alloc_rings() fails

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit c705a6b3aa7804d7bc6660183f51e510c61dc807 upstream.

We accidentally return success when adm8211_alloc_rings() fails but we
should preserve the error code.

Fixes: cc0b88cf5ecf ("[PATCH] Add adm8211 802.11b wireless driver")
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <[email protected]>
---
drivers/net/wireless/adm8211.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/adm8211.c
+++ b/drivers/net/wireless/adm8211.c
@@ -1843,7 +1843,8 @@ static int adm8211_probe(struct pci_dev
priv->rx_ring_size = rx_ring_size;
priv->tx_ring_size = tx_ring_size;

- if (adm8211_alloc_rings(dev)) {
+ err = adm8211_alloc_rings(dev);
+ if (err) {
printk(KERN_ERR "%s (adm8211): Cannot allocate TX/RX ring\n",
pci_name(pdev));
goto err_iounmap;

2017-06-01 16:42:07

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 008/212] MIPS: Fix get_frame_info() handling of microMIPS function size

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Paul Burton <[email protected]>

commit b6c7a324df37bf05ef7a2c1580683cf10d082d97 upstream.

get_frame_info() is meant to iterate over up to the first 128
instructions within a function, but for microMIPS kernels it will not
reach that many instructions unless the function is 512 bytes long since
we calculate the maximum number of instructions to check by dividing the
function length by the 4 byte size of a union mips_instruction. In
microMIPS kernels this won't do since instructions are variable length.

Fix this by instead checking whether the pointer to the current
instruction has reached the end of the function, and use max_insns as a
simple constant to check the number of iterations against.

Signed-off-by: Paul Burton <[email protected]>
Fixes: 34c2f668d0f6 ("MIPS: microMIPS: Add unaligned access support.")
Cc: Leonid Yegoshin <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/14530/
Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
---
arch/mips/kernel/process.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)

--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -321,9 +321,9 @@ static inline int is_sp_move_ins(union m
static int get_frame_info(struct mips_frame_info *info)
{
bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS);
- union mips_instruction insn, *ip;
- unsigned max_insns = info->func_size / sizeof(union mips_instruction);
- unsigned i;
+ union mips_instruction insn, *ip, *ip_end;
+ const unsigned int max_insns = 128;
+ unsigned int i;

info->pc_offset = -1;
info->frame_size = 0;
@@ -332,11 +332,9 @@ static int get_frame_info(struct mips_fr
if (!ip)
goto err;

- if (max_insns == 0)
- max_insns = 128U; /* unknown function size */
- max_insns = min(128U, max_insns);
+ ip_end = (void *)ip + info->func_size;

- for (i = 0; i < max_insns; i++, ip++) {
+ for (i = 0; i < max_insns && ip < ip_end; i++, ip++) {
if (is_mmips && mm_insn_16bit(ip->halfword[0])) {
insn.halfword[0] = 0;
insn.halfword[1] = ip->halfword[0];

2017-06-01 16:43:20

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 005/212] rtlwifi: Fix alignment issues

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Ping-Ke Shih <[email protected]>

commit 40b368af4b750863b2cb66a3a9513241db2f0793 upstream.

The addresses of Wlan NIC registers are natural alignment, but some
drivers have bugs. These are evident on platforms that need natural
alignment to access registers. This change contains the following:
1. Function _rtl8821ae_dbi_read() is used to read one byte from DBI,
thus it should use rtl_read_byte().
2. Register 0x4C7 of 8192ee is single byte.

Signed-off-by: Ping-Ke Shih <[email protected]>
Signed-off-by: Larry Finger <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/staging/rtl8192ee/rtl8192ee/hw.c
+++ b/drivers/staging/rtl8192ee/rtl8192ee/hw.c
@@ -1006,7 +1006,7 @@ static void _rtl92ee_hw_configure(struct
rtl_write_word(rtlpriv, REG_SIFS_TRX, 0x100a);

/* Note Data sheet don't define */
- rtl_write_word(rtlpriv, 0x4C7, 0x80);
+ rtl_write_byte(rtlpriv, 0x4C7, 0x80);

rtl_write_byte(rtlpriv, REG_RX_PKT_LIMIT, 0x20);

--- a/drivers/staging/rtl8821ae/rtl8821ae/hw.c
+++ b/drivers/staging/rtl8821ae/rtl8821ae/hw.c
@@ -1098,7 +1098,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl
}
if (0 == tmp) {
read_addr = REG_DBI_RDATA + addr % 4;
- ret = rtl_read_word(rtlpriv, read_addr);
+ ret = rtl_read_byte(rtlpriv, read_addr);
}
return ret;
}

2017-06-01 15:44:23

by Ben Hutchings

[permalink] [raw]
Subject: [PATCH 3.16 004/212] iio: st_pressure: Fix data sign

3.16.44-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Marcin Niestroj <[email protected]>

commit 1b211d48abaa0e12e6e6177c0316ff55d11fdfce upstream.

Datasheet of each device (lps331ap, lps25h, lps001wp, lps22hb) says that
the pressure and temperature data is a 2's complement.

I'm sending this the slow way, as negative pressures on these are pretty
unusual and the nature of the fixing of multiple device introduction patches
will make it hard to apply to older kernels - Jonathan.

Fixes: 217494e5b780 ("iio:pressure: Add STMicroelectronics pressures driver")
Fixes: 2f5effcbd097 ("iio: pressure-core: st: Expand and rename LPS331AP's channel descriptor")
Fixes: 7885a8ce6800 ("iio: pressure: st: Add support for new LPS001WP pressure sensor")
Fixes: e039e2f5b4da ("iio:st_pressure:initial lps22hb sensor support")
Signed-off-by: Marcin Niestroj <[email protected]>
Reviewed-by: Linus Walleij <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
[bwh: Backported to 3.16: drop change in st_press_lps22hb_channels]
Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/drivers/iio/pressure/st_pressure_core.c
+++ b/drivers/iio/pressure/st_pressure_core.c
@@ -116,7 +116,7 @@ static const struct iio_chan_spec st_pre
.address = ST_PRESS_1_OUT_XL_ADDR,
.scan_index = ST_SENSORS_SCAN_X,
.scan_type = {
- .sign = 'u',
+ .sign = 's',
.realbits = 24,
.storagebits = 24,
.endianness = IIO_LE,
@@ -131,7 +131,7 @@ static const struct iio_chan_spec st_pre
.address = ST_TEMP_1_OUT_L_ADDR,
.scan_index = -1,
.scan_type = {
- .sign = 'u',
+ .sign = 's',
.realbits = 16,
.storagebits = 16,
.endianness = IIO_LE,
@@ -152,7 +152,7 @@ static const struct iio_chan_spec st_pre
.address = ST_PRESS_LPS001WP_OUT_L_ADDR,
.scan_index = ST_SENSORS_SCAN_X,
.scan_type = {
- .sign = 'u',
+ .sign = 's',
.realbits = 16,
.storagebits = 16,
.endianness = IIO_LE,
@@ -168,7 +168,7 @@ static const struct iio_chan_spec st_pre
.address = ST_TEMP_LPS001WP_OUT_L_ADDR,
.scan_index = -1,
.scan_type = {
- .sign = 'u',
+ .sign = 's',
.realbits = 16,
.storagebits = 16,
.endianness = IIO_LE,

2017-06-01 16:44:38

by Sven Eckelmann

[permalink] [raw]
Subject: Re: [PATCH 3.16 144/212] batman-adv: Fix double free during fragment merge error

On Donnerstag, 1. Juni 2017 16:43:16 CEST Ben Hutchings wrote:
> 3.16.44-rc1 review patch. If anyone has any objections, please let me know.

It looks to me like there are problems with this backport. The surrounding
code has to be adjusted slightly further to avoid additional problems.

> ------------------
>
> From: Sven Eckelmann <[email protected]>
>
> commit 248e23b50e2da0753f3b5faa068939cbe9f8a75a upstream.
>
> The function batadv_frag_skb_buffer was supposed not to consume the skbuff
> on errors. This was followed in the helper function
> batadv_frag_insert_packet when the skb would potentially be inserted in the
> fragment queue. But it could happen that the next helper function
> batadv_frag_merge_packets would try to merge the fragments and fail. This
> results in a kfree_skb of all the enqueued fragments (including the just
> inserted one). batadv_recv_frag_packet would detect the error in
> batadv_frag_skb_buffer and try to free the skb again.
>
> The behavior of batadv_frag_skb_buffer (and its helper
> batadv_frag_insert_packet) must therefore be changed to always consume the
> skbuff to have a common behavior and avoid the double kfree_skb.
>
> Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
> Signed-off-by: Sven Eckelmann <[email protected]>
> Signed-off-by: Simon Wunderlich <[email protected]>
> [bwh: Backported to 3.16: adjust context]
> Signed-off-by: Ben Hutchings <[email protected]>
> ---
> net/batman-adv/fragmentation.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)

It is not really easy to see but this change will introduce a new double free
for kernels older than v4.10. The relevant commit is b91a2543b4c1 ("batman-
adv: Consume skb in receive handlers"). This was discussed in following gluon
ticket https://github.com/freifunk-gluon/gluon/issues/1083 (just in case you
are interested about the details)

Following change must therefore be added to this patch on older kernels:

--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -961,6 +961,12 @@ int batadv_recv_frag_packet(struct sk_buff *skb,
batadv_inc_counter(bat_priv, BATADV_CNT_FRAG_RX);
batadv_add_counter(bat_priv, BATADV_CNT_FRAG_RX_BYTES, skb->len);

+ /* batadv_frag_skb_buffer will always consume the skb and
+ * the caller should therefore never try to free the
+ * skb after this point
+ */
+ ret = NET_RX_SUCCESS;
+
/* Add fragment to buffer and merge if possible. */
if (!batadv_frag_skb_buffer(&skb, orig_node_src))
goto out;

You can also remove the same instruction which appears later in this function.

Kind regards,
Sven


Attachments:
signature.asc (833.00 B)
This is a digitally signed message part.

2017-06-01 16:56:43

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.16 000/212] 3.16.44-rc1 review

This is the combined diff for 3.16.44-rc1 relative to 3.16.43.

Ben.

--
Ben Hutchings
The most exhausting thing in life is being insincere. - Anne Morrow
Lindberg


Attachments:
linux-3.16.44-rc1.patch (239.20 kB)
signature.asc (833.00 B)
This is a digitally signed message part
Download all attachments

2017-06-01 21:13:52

by Guenter Roeck

[permalink] [raw]
Subject: Re: [PATCH 3.16 000/212] 3.16.44-rc1 review

On Thu, Jun 01, 2017 at 04:43:14PM +0100, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.44 release.
> There are 212 patches in this series, which will be posted as responses
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat Jun 03 16:00:00 UTC 2017.
> Anything received after that time might be too late.
>
Build results:
total: 136 pass: 136 fail: 0
Qemu test results:
total: 107 pass: 107 fail: 0

Details are available at http://kerneltests.org/builders.

Thanks,
Guenter

2017-06-03 19:49:14

by Ben Hutchings

[permalink] [raw]
Subject: Re: [PATCH 3.16 144/212] batman-adv: Fix double free during fragment merge error

On Thu, 2017-06-01 at 18:44 +0200, Sven Eckelmann wrote:
> On Donnerstag, 1. Juni 2017 16:43:16 CEST Ben Hutchings wrote:
> > 3.16.44-rc1 review patch.  If anyone has any objections, please let me know.
>
> It looks to me like there are problems with this backport. The surrounding 
> code has to be adjusted slightly further to avoid additional problems.

Thanks for the review.

[...]
> It is not really easy to see but this change will introduce a new double free 
> for kernels older than v4.10. The relevant commit is b91a2543b4c1 ("batman-
> adv: Consume skb in receive handlers"). This was discussed in following gluon 
> ticket https://github.com/freifunk-gluon/gluon/issues/1083 (just in case you 
> are interested about the details)
>
> Following change must therefore be added to this patch on older kernels:
>
>     --- a/net/batman-adv/routing.c
>     +++ b/net/batman-adv/routing.c
>     @@ -961,6 +961,12 @@ int batadv_recv_frag_packet(struct sk_buff *skb,
>       batadv_inc_counter(bat_priv, BATADV_CNT_FRAG_RX);
>       batadv_add_counter(bat_priv, BATADV_CNT_FRAG_RX_BYTES, skb->len);
>      
>     + /* batadv_frag_skb_buffer will always consume the skb and
>     +  * the caller should therefore never try to free the
>     +  * skb after this point
>     +  */
>     + ret = NET_RX_SUCCESS;
>     +
>       /* Add fragment to buffer and merge if possible. */
>       if (!batadv_frag_skb_buffer(&skb, orig_node_src))
>       goto out;
>
> You can also remove the same instruction which appears later in this function.

OK, I'll squash this into the patch.

Ben.

--
Ben Hutchings
Experience is directly proportional to the value of equipment
destroyed.
                                                         - Carolyn
Scheppner


Attachments:
signature.asc (833.00 B)
This is a digitally signed message part