* [PATCH 3.16 000/305] 3.16.37-rc1 review
@ 2016-08-13 17:42 Ben Hutchings
From: Ben Hutchings @ 2016-08-13 17:42 UTC
  To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm

This is the start of the stable review cycle for the 3.16.37 release.
There are 305 patches in this series, which will be posted as responses
to this one.  If anyone has any issues with these being applied, please
let me know.

As I've accumulated an unusually long patch series, I'm allowing a
longer time for review.  Responses should be made by Sat Aug 20
00:00:00 UTC 2016.  Anything received after that time might be too
late.

A combined patch relative to 3.16.36 will be posted as an additional
response to this.  A shortlog and diffstat can be found below.

Ben.

-------------

AceLan Kao (1):
      ALSA: hda - Fix headset mic detection problem for Dell machine
         [f90d83b301701026b2e4c437a3613f377f63290e]

Adrian Hunter (1):
      mmc: mmc: Fix partition switch timeout for some eMMCs
         [1c447116d017a98c90f8f71c8c5a611e0aa42178]

Al Viro (2):
      fix d_walk()/non-delayed __d_free() race
         [3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085]
      make nfs_atomic_open() call d_drop() on all ->open_context() errors.
         [d20cb71dbf3487f24549ede1a8e2d67579b4632e]

Alan Stern (1):
      USB: don't free bandwidth_mutex too early
         [ab2a4bf83902c170d29ba130a8abb5f9d90559e1]

Alex Deucher (1):
      drm/radeon: fix asic initialization for virtualized environments
         [05082b8bbd1a0ffc74235449c4b8930a8c240f85]

Alex Williamson (2):
      iommu/vt-d: Improve fault handler error messages
         [a0fe14d7dcf5db2f101b4fe8689ecabb255ab7d3]
      iommu/vt-d: Ratelimit fault handler
         [c43fce4eebae257ca413733690e2076757282093]

Alexey Brodkin (1):
      arc: unwind: warn only once if DW2_UNWIND is disabled
         [9bd54517ee86cb164c734f72ea95aeba4804f10b]

Andreas Gruenbacher (1):
      posix_acl: Add set_posix_acl
         [485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f]

Andreas Werner (1):
      mcb: Fixed bar number assignment for the gdd
         [f75564d343010b025301d9548f2304f48eb25f01]

Andrew F. Davis (1):
      regmap: cache: Fix typo in cache_bypass parameter description
         [267c85860308d36bc163c5573308cd024f659d7c]

Andrew Goodbody (2):
      usb: musb: Ensure rx reinit occurs for shared_fifo endpoints
         [f3eec0cf784e0d6c47822ca6b66df3d5812af7e6]
      usb: musb: Stop bulk endpoint while queue is rotated
         [7b2c17f829545df27a910e8d82e133c21c9a8c9c]

Andrey Grodzovsky (1):
      xen/pciback: Fix conf_space read/write overlap check.
         [02ef871ecac290919ea0c783d05da7eedeffc10e]

Andrey Ryabinin (1):
      kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while processing sysrq-w
         [57675cb976eff977aefb428e68e4e0236d48a9ff]

Andy Lutomirski (1):
      uvc: Forward compat ioctls to their handlers directly
         [a44323e2a8f342848bb77e8e04fcd85fcb91b3b4]

Anthony Romano (1):
      tmpfs: don't undo fallocate past its last page
         [b9b4bb26af017dbe930cd4df7f9b2fc3a0497bfe]

Arnd Bergmann (4):
      crypto: public_key: select CRYPTO_AKCIPHER
         [bad6a185b4d6f81d0ed2b6e4c16307969f160b95]
      driver-core: use 'dev' argument in dev_dbg_ratelimited stub
         [1f62ff34a90471d1b735bac2c79e894afc7c59bc]
      gcov: disable tree-loop-im to reduce stack usage
         [c87bf431448b404a6ef5fbabd74c0e3e42157a7f]
      kbuild: move -Wunused-const-variable to W=1 warning level
         [c9c6837d39311b0cc14cdbe7c18e815ab44aefb1]

Artem Bityutskiy (1):
      UBI: do propagate positive error codes up
         [0e707ae79ba357d60b8a36025ec8968e5020d827]

Ashutosh Dixit (1):
      misc: mic: Fix for double fetch security bug in VOP driver
         [9bf292bfca94694a721449e3fd752493856710f6]

Bartlomiej Zolnierkiewicz (1):
      blk-mq: fix undefined behaviour in order_to_size()
         [b3a834b1596ac668df206aa2bb1f191c31f5f5e4]

Ben Dooks (1):
      gpio: bcm-kona: fix bcm_kona_gpio_reset() warnings
         [b66b2a0adf0e48973b582e055758b9907a7eee7c]

Ben Hutchings (3):
      USB: quirks: Fix entries on wrong list in 3.16.y
         [not upstream; fixes stable-specific bug]
      batman-adv: Fix double-put of vlan object
         [baceced93274ff2f846eae991664f9094425ffa8]
      nfsd: check permissions when setting ACLs
         [999653786df6954a31044528ac3f7a5dadca08f4]

Ben Skeggs (1):
      drm/nouveau/fbcon: fix out-of-bounds memory accesses
         [f045f459d925138fe7d6193a8c86406bda7e49da]

Bernhard Thaler (1):
      Revert "netfilter: ensure number of counters is >0 in do_replace()"
         [d26e2c9ffa385dd1b646f43c1397ba12af9ed431]

Bin Liu (1):
      usb: gadget: fix spinlock dead lock in gadgetfs
         [d246dcb2331c5783743720e6510892eb1d2801d9]

Bjorn Helgaas (2):
      PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive()
         [ca620723d4ff9ea7ed484eab46264c3af871b9ae]
      alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO
         [c20e128030caf0537d5e906753eac1c28fefdb75]

Bob Copeland (1):
      mac80211: mesh: flush mesh paths unconditionally
         [fe7a7c57629e8dcbc0e297363a9b2366d67a6dc5]

Borislav Petkov (1):
      x86/amd_nb: Fix boot crash on non-AMD systems
         [1ead852dd88779eda12cb09cc894a03d9abfe1ec]

Brian Bloniarz (1):
      Fix OpenSSH pty regression on close
         [0f40fbbcc34e093255a2b2d70b6b0fb48c3f39aa]

Brian King (1):
      ipr: Clear interrupt on croc/crocodile when running with LSI
         [54e430bbd490e18ab116afa4cd90dcc45787b3df]

Brian Norris (1):
      UBI: fix missing brace control flow
         [b388e6a7a6ba988998ddd83919ae8d3debf1a13d]

Cameron Gutman (1):
      Input: xpad - prevent spurious input from wired Xbox 360 controllers
         [1ff5fa3c6732f08e01ae12f12286d4728c9e4d86]

Catalin Marinas (2):
      arm64: Ensure pmd_present() returns false after pmd_mknotpresent()
         [5bb1cc0ff9a6b68871970737e6c4c16919928d8b]
      arm64: Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks
         [e47b020a323d1b2a7b1e9aac86e99eae19463630]

Catalin Vasile (1):
      crypto: caam - fix caam_jr_alloc() ret code
         [e930c765ca5c6b039cd22ebfb4504ea7b5dab43d]

Chris Wilson (1):
      drm/i915: Prevent machine death on Ivybridge context switching
         [e9135c4f08d9acb0f3da3ad2643b669dee3217c2]

Christophe JAILLET (1):
      ALSA: echoaudio: Fix memory allocation
         [9c6795a9b3cbb56a9fbfaf43909c5c22999ba317]

Chuck Lever (1):
      sunrpc: Update RPCBIND_MAXNETIDLEN
         [4b9c7f9db9a003f5c342184dc4401c1b7f2efb39]

Crestez Dan Leonard (1):
      iio: Fix error handling in iio_trigger_attach_poll_func
         [99543823357966ac938d9a310947e731b67338e6]

Cyril Bur (1):
      powerpc/tm: Always reclaim in start_thread() for exec() class syscalls
         [8e96a87c5431c256feb65bcfc5aec92d9f7839b6]

Dan Carpenter (8):
      ACPI / sysfs: fix error code in get_status()
         [f18ebc211e259d4f591e39e74b2aa2de226c9a1d]
      ALSA: compress: fix an integer overflow check
         [6217e5ede23285ddfee10d2e4ba0cc2d4c046205]
      KEYS: potential uninitialized variable
         [38327424b40bcebe2de92d07312c89360ac9229a]
      [media] cx23885: uninitialized variable in cx23885_av_work_handler()
         [60587bd0680507f48ae3a7360983228fd207de8a]
      i40e: fix an uninitialized variable bug
         [1c306f7f62a38ee5f05f0ee994dfe82d654cf47c]
      mfd: lp8788-irq: Uninitialized variable in irq handler
         [22aab38e7b59fd79ce1045006be69a9abab58e5a]
      qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag()
         [5b4d10f5e0369ed79434593b7cd8e85eebbe473f]
      usb: f_fs: off by one bug in _ffs_func_bind()
         [0015f9156092d07b3ec06d37d014328419d5832e]

Daniel (1):
      Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address
         [0888d5f3c0f183ea6177355752ada433d370ac89]

Daniel Borkmann (1):
      ipv6, token: allow for clearing the current device token
         [47e27d5e92c46a3a62d4dfd8895b1ddb8613f531]

Daniel Lezcano (1):
      cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter()
         [e7387da52028b072489c45efeb7a916c0205ebd2]

Dave Chinner (3):
      xfs: fix inode validity check in xfs_iflush_cluster
         [51b07f30a71c27405259a0248206ed4e22adbee2]
      xfs: skip stale inodes in xfs_iflush_cluster
         [7d3aa7fe970791f1a674b14572a411accf2f4d4e]
      xfs: xfs_iflush_cluster fails to abort on error
         [b1438f477934f5a4d5a44df26f3079a7575d5946]

Dave Gerlach (1):
      cpuidle: Indicate when a device has been unregistered
         [c998c07836f985b24361629dc98506ec7893e7a0]

Dave Jones (1):
      netfilter: ensure number of counters is >0 in do_replace()
         [1086bbe97a074844188c6c988fa0b1a98c3ccbb9]

Dmitry Torokhov (1):
      Input: elantech - add more IC body types to the list
         [226ba707744a51acb4244724e09caacb1d96aed9]

Dotan Barak (1):
      IB/mlx4: Fix memory leak if QP creation failed
         [5b420d9cf7382c6e1512e96e02d18842d272049c]

Edward Cree (1):
      sfc: on MC reset, clear PIO buffer linkage in TXQs
         [c0795bf64cba4d1b796fdc5b74b33772841ed1bb]

Eli Cohen (1):
      IB/mlx5: Fix post send fence logic
         [c9b254955b9f8814966f5dabd34c39d0e0a2b437]

Emmanouil Maroudas (1):
      EDAC: Increment correct counter in edac_inc_ue_error()
         [993f88f1cc7f0879047ff353e824e5cc8f10adfc]

Erez Shitrit (2):
      IB/IPoIB: Don't update neigh validity for unresolved entries
         [61c78eea9516a921799c17b4c20558e2aa780fd3]
      IB/IPoIB: Fix race between ipoib_remove_one to sysfs functions
         [198b12f77084244d310888dd5d643083cb5c2aa1]

Eric Dumazet (4):
      bonding: prevent out of bound accesses
         [f87fda00b6ed232a817c655b8d179b48bde8fdbe]
      net_sched: fix pfifo_head_drop behavior vs backlog
         [6c0d54f1897d229748d4f41ef919078db6db2123]
      netem: fix a use after free
         [21de12ee5568fd1aec47890c72967abf791ac80a]
      tcp: make challenge acks less predictable
         [75ff39ccc1bd5d3c455b6822ab09e533c551f758]

Eric Sandeen (1):
      xfs: disallow rw remount on fs with unknown ro-compat features
         [d0a58e833931234c44e515b5b8bede32bd4e6eed]

Eric W. Biederman (1):
      mnt: fs_fully_visible test the proper mount for MNT_LOCKED
         [d71ed6c930ac7d8f88f3cef6624a7e826392d61f]

Ewan D. Milne (1):
      scsi: Add QEMU CD-ROM to VPD Inquiry Blacklist
         [fbd83006e3e536fcb103228d2422ea63129ccb03]

Florian Fainelli (5):
      MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200
         [cbbda6e7c9c3e4532bd70a73ff9d5e6655c894dc]
      net: bcmsysport: Device stats are unsigned long
         [016eb55157166132b094e53434748cae35e18455]
      net: bgmac: Remove superflous netif_carrier_on()
         [3894396e64994f31c3ef5c7e6f63dded0593e567]
      net: bgmac: Start transmit queue in bgmac_open
         [c3897f2a69e54dd113fc9abd2daf872e5b495798]
      net: phy: Manage fixed PHY address space using IDA
         [69fc58a57e56bf5e39b48809aefffdaa1b04c945]

Florian Westphal (17):
      batman-adv: fix skb deref after free
         [63d443efe8be2c1d02b30d7e4edeb9aa085352b3]
      netfilter: arp_tables: simplify translate_compat_table args
         [8dddd32756f6fe8e4e82a63361119b7e2384e02f]
      netfilter: ip6_tables: simplify translate_compat_table args
         [329a0807124f12fe1c8032f95d8a8eb47047fb0e]
      netfilter: ip_tables: simplify translate_compat_table args
         [7d3f843eed29222254c9feab481f55175a1afcc9]
      netfilter: x_tables: add and use xt_check_entry_offsets
         [7d35812c3214afa5b37a675113555259cfd67b98]
      netfilter: x_tables: add compat version of xt_check_entry_offsets
         [fc1221b3a163d1386d1052184202d5dc50d302d1]
      netfilter: x_tables: assert minimum target size
         [a08e4e190b866579896c09af59b3bdca821da2cd]
      netfilter: x_tables: check for bogus target offset
         [ce683e5f9d045e5d67d1312a42b359cb2ab2a13c]
      netfilter: x_tables: check standard target size too
         [7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44]
      netfilter: x_tables: do compat validation via translate_table
         [09d9686047dbbe1cf4faa558d3ecc4aae2046054]
      netfilter: x_tables: don't move to non-existent next rule
         [f24e230d257af1ad7476c6e81a8dc3127a74204e]
      netfilter: x_tables: don't reject valid target size on some architectures
         [7b7eba0f3515fca3296b8881d583f7c1042f5226]
      netfilter: x_tables: introduce and use xt_copy_counters_from_user
         [d7591f0c41ce3e67600a982bab6989ef0f07b3ce]
      netfilter: x_tables: kill check_entry helper
         [aa412ba225dd3bc36d404c28cdc3d674850d80d0]
      netfilter: x_tables: validate all offsets and sizes in a rule
         [13631bfc604161a9d69cd68991dff8603edd66f9]
      netfilter: x_tables: validate targets of jumps
         [36472341017529e2b12573093cc0f68719300997]
      netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
         [0188346f21e6546498c2a0f84888797ad4063fc5]

Gavin Shan (1):
      powerpc/pseries: Fix PCI config address for DDW
         [8a934efe94347eee843aeea65bdec8077a79e259]

Geert Uytterhoeven (3):
      char: Drop bogus dependency of DEVPORT on !M68K
         [309124e2648d668a0c23539c5078815660a4a850]
      serial: doc: Re-add paragraph documenting uart_console_write()
         [d124fd3bb36ceb40438f10c897ce642386b74b72]
      serial: doc: Un-document non-existing uart_write_console()
         [834392a7d92677ff2bdc1c709b1171ee585b55c9]

Gregor Boirie (1):
      iio:st_pressure: fix sampling gains (bring inline with ABI)
         [d43a41152f8e9e4c0d19850884d1fada076dee10]

Guilherme G. Piccoli (1):
      powerpc/iommu: Remove the dependency on EEH struct in DDW mechanism
         [8445a87f7092bc8336ea1305be9306f26b846d93]

H. Peter Anvin (1):
      x86, build: copy ldlinux.c32 to image.iso
         [9c77679cadb118c0aa99e6f88533d91765a131ba]

Hannes Frederic Sowa (1):
      ipv6: fix endianness error in icmpv6_err
         [dcb94b88c09ce82a80e188d49bcffdc83ba215a6]

Hans de Goede (3):
      USB: xhci: Add broken streams quirk for Frescologic device id 1009
         [d95815ba6a0f287213118c136e64d8c56daeaeab]
      usb: quirks: Add no-lpm quirk for Acer C120 LED Projector
         [32cb0b37098f4beeff5ad9e325f11b42a6ede56c]
      usb: quirks: Fix sorting
         [81099f97bd31e25ff2719a435b1860fc3876122f]

Hari Bathini (1):
      powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel
         [8ed8ab40047a570fdd8043a40c104a57248dd3fd]

Hariprasad S (1):
      RDMA/iw_cxgb4: Always wake up waiter in c4iw_peer_abort_intr()
         [093108cb3640844cfdabb0f506fa6b592b64272d]

Heiko Carstens (1):
      s390/vmem: fix identity mapping
         [c34a69059d7876e0793eb410deedfb08ccb22b02]

Heinrich Schuchardt (3):
      ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile
         [fc5c796e12511a7c027b5a4438719dde2f796208]
      ARM: dts: kirkwood: add kirkwood-nsa320.dtb to Makefile
         [9ec423ed62b8278412400fae6c064edb6ce1bb51]
      usb: gadget: avoid exposing kernel stack
         [ffeee83aa0461992e8a99a59db2df31933e60362]

Helge Deller (1):
      parisc: Fix pagefault crash in unaligned __get_user() call
         [8b78f260887df532da529f225c49195d18fef36b]

Herbert Xu (1):
      netlink: Fix dump skb leak/double free
         [92964c79b357efd980812c4de5c1fd2ec8bb5520]

Honggang Li (1):
      RDMA/cxgb3: device driver frees DMA memory with different size
         [0de4cbb3dddca35ecd06b95918f38439c9c6401f]

Hugh Dickins (1):
      tmpfs: fix regression hang in fallocate undo
         [7f556567036cb7f89aabe2f0954b08566b4efb53]

Hui Wang (1):
      ALSA: hda - Fix headset mic detection problem for one Dell machine
         [86c72d1ce91d804e4fa8d90b316a89597dd220f1]

Itai Handler (1):
      drm/gma500: Fix possible out of bounds read
         [7ccca1d5bf69fdd1d3c5fcf84faf1659a6e0ad11]

James Bottomley (1):
      scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands
         [a621bac3044ed6f7ec5fa0326491b2d4838bfa93]

James Hogan (5):
      MIPS: Avoid using unwind_stack() with usermode
         [d2941a975ac745c607dfb590e92bb30bc352dad9]
      MIPS: Don't unwind to user mode with EVA
         [a816b306c62195b7c43c92cb13330821a96bdc27]
      MIPS: Fix siginfo.h to use strict posix types
         [5daebc477da4dfeb31ae193d83084def58fd2697]
      MIPS: KVM: Fix timer IRQ race when freezing timer
         [4355c44f063d3de4f072d796604c7f4ba4085cc3]
      MIPS: KVM: Fix timer IRQ race when writing CP0_Compare
         [b45bacd2d048f405c7760e5cc9b60dd67708734f]

James Morse (1):
      KVM: arm/arm64: Stop leaking vcpu pid references
         [591d215afcc2f94e8e2c69a63c924c044677eb31]

Jan Beulich (3):
      xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7
         [6f2d9d99213514360034c6d52d2c3919290b3504]
      xenbus: don't BUG() on user mode induced condition
         [0beef634b86a1350c31da5fcc2992f0d7c8a622b]
      xenbus: don't bail early from xenbus_dev_request_and_reply()
         [7469be95a487319514adce2304ad2af3553d2fc9]

Jan Kara (2):
      ext4: fix data exposure after a crash
         [06bd3c36a733ac27962fea7d6f47168841376824]
      ext4: fix oops on corrupted filesystem
         [74177f55b70e2f2be770dd28684dd6d17106a4ba]

Jann Horn (1):
      proc: prevent stacking filesystems on top
         [e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9]

Jason Gunthorpe (1):
      IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
         [8c5122e45a10a9262f872b53f151a592e870f905]

Jason Wang (1):
      tuntap: correctly wake up process during uninit
         [addf8fc4acb1cf79492ac64966f07178793cb3d7]

Jeff Mahoney (1):
      ecryptfs: don't allow mmap when the lower fs doesn't support it
         [f0fe970df3838c202ef6c07a4c2b36838ef0a88b]

Jerome Marchand (2):
      cifs: dynamic allocation of ntlmssp blob
         [b8da344b74c822e966c6d19d6b2321efe82c5d97]
      cifs: use CIFS_MAX_DOMAINNAME_LEN when converting the domain name
         [202d772ba02b1deb8835a631cd8255943d1906a0]

Jiri Slaby (4):
      Bluetooth: vhci: fix open_timeout vs. hdev race
         [373a32c848ae3a1c03618517cce85f9211a6facf]
      Bluetooth: vhci: purge unhandled skbs
         [13407376b255325fa817798800117a839f3aa055]
      base: make module_create_drivers_dir race-free
         [7e1b1fc4dabd6ec8e28baa0708866e13fa93c9b3]
      tty: vt, return error when con_startup fails
         [6798df4c5fe0a7e6d2065cf79649a794e5ba7114]

Johan Hovold (5):
      USB: serial: io_edgeport: fix memory leaks in attach error path
         [c5c0c55598cefc826d6cfb0a417eeaee3631715c]
      USB: serial: io_edgeport: fix memory leaks in probe error path
         [c8d62957d450cc1a22ce3242908709fe367ddc8e]
      USB: serial: keyspan: fix use-after-free in probe error path
         [35be1a71d70775e7bd7e45fa6d2897342ff4c9d2]
      USB: serial: mxuport: fix use-after-free in probe error path
         [9e45284984096314994777f27e1446dfbfd2f0d7]
      USB: serial: quatech2: fix use-after-free in probe error path
         [028c49f5e02a257c94129cd815f7c8485f51d4ef]

Johannes Thumshirn (2):
      Revert "scsi: fix soft lockup in scsi_remove_target() on module removal"
         [305c2e71b3d733ec065cb716c76af7d554bd5571]
      scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
         [f05795d3d771f30a7bdc3a138bf714b06d42aa95]

Joseph Salisbury (1):
      ath5k: Change led pin configuration for compaq c700 laptop
         [7b9bc799a445aea95f64f15e0083cb19b5789abe]

Joshua Kinard (1):
      MIPS: Adjust set_pte() SMP fix to handle R10000_LLSC_WAR
         [128639395b2ceacc6a56a0141d0261012bfe04d3]

Jouni Malinen (1):
      mac80211: Fix mesh estab_plinks counting in STA removal case
         [126e7557328a1cd576be4fca95b133a2695283ff]

Julien Grall (1):
      arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str
         [f228b494e56d949be8d8ea09d4f973d1979201bf]

Kamal Heib (1):
      net/mlx4_en: Fix the return value of a failure in VLAN VID add/kill
         [93c098af09455ea7bdc6f0f6b08f6ac14fa06cf4]

Kangjie Lu (6):
      ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
         [cec8f96e49d9be372fdb0c3836dcf31ec71e457e]
      ALSA: timer: Fix leak in events via snd_timer_user_ccallback
         [9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6]
      ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
         [e4ec8cc8039a7063e24204299b462bd1383184a5]
      USB: usbfs: fix potential infoleak in devio
         [681fef8380eb818c0b845fca5d2ab1dcbab114ee]
      rds: fix an infoleak in rds_inc_info_copy
         [4116def2337991b39919f3b448326e21c40e0dbb]
      tipc: fix an infoleak in tipc_nl_compat_link_dump
         [5d2be1422e02ccd697ccfcd45c85b4a26e6178e2]

Kirill A. Shutemov (1):
      UBIFS: Implement ->migratepage()
         [4ac1c17b2044a1b4b2fbed74451947e905fc2992]

Krzysztof Kozlowski (1):
      crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks
         [79152e8d085fd64484afd473ef6830b45518acba]

Lars Persson (1):
      MIPS: Fix race condition in lazy cache flushing.
         [4d46a67a3eb827ccf1125959936fd51ba318dabc]

Lei Liu (2):
      USB: serial: option: add even more ZTE device ids
         [74d2a91aec97ab832790c9398d320413ad185321]
      USB: serial: option: add more ZTE device ids
         [f0d09463c59c2d764a6c6d492cbe6d2c77f27153]

Linus Walleij (2):
      crypto: ux500 - memmove the right size
         [19ced623db2fe91604d69f7d86b03144c5107739]
      iio: accel: kxsd9: fix the usage of spi_w8r8()
         [0c1f91b98552da49d9d8eed32b3132a58d2f4598]

Luis de Bethencourt (1):
      staging: iio: accel: fix error check
         [ef3149eb3ddb7f9125e11c90f8330e371b55cffd]

Luke Dashjr (1):
      btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl
         [4c63c2454eff996c5e27991221106eb511f7db38]

Lyude (3):
      drm/fb_helper: Fix references to dev->mode_config.num_connector
         [255f0e7c418ad95a4baeda017ae6182ba9b3c423]
      drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config()
         [14a3842a1d5945067d1dd0788f314e14d5b18e5b]
      drm/i915/ilk: Don't disable SSC source if it's in use
         [476490a945e1f0f6bd58e303058d2d8ca93a974c]

Majd Dibbiny (2):
      net/mlx5: Fix masking of reserved bits in XRCD number
         [9cd3411c42c5d5ba55d6e745edfe7df53c1ffa41]
      net/mlx5: Fix the size of modify QP mailbox
         [418f8399a8bedf376ec13eb01088f04a76ebdd6f]

Manfred Schlaegl (1):
      Input: pwm-beeper - fix - scheduling while atomic
         [f49cf3b8b4c841457244c461c66186a719e13bcc]

Mans Rullgard (1):
      ata: sata_dwc_460ex: remove incorrect locking
         [55e610cdd28c0ad3dce0652030c0296d549673f3]

Marc Zyngier (1):
      arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables
         [d4b9e0790aa764c0b01e18d4e8d33e93ba36d51f]

Marek Szyprowski (2):
      ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats
         [330d12764e15f6e3e94ff34cda29db96d2589c24]
      crypto: s5p-sss - fix incorrect usage of scatterlists api
         [d1497977fecb9acce05988d6322ad415ef93bb39]

Mark Bloch (2):
      IB/IWPM: Fix a potential skb leak
         [5ed935e861a4cbf2158ad3386d6d26edd60d2658]
      IB/core: Fix a potential array overrun in CMA and SA agent
         [2fa2d4fb1166d1ef35f0aacac6165d53ab1b89c7]

Mark Brown (3):
      iio:ad7266: Fix broken regulator error handling
         [6b7f4e25f3309f106a5c7ff42c8231494cf285d3]
      iio:ad7266: Fix probe deferral for vref
         [68b356eb3d9f5e38910fb62e22a78e2a18d544ae]
      iio:ad7266: Fix support for optional regulators
         [e5511c816e5ac4909bdd38e85ac344e2b9b8e984]

Martin Schwidefsky (2):
      s390/sclp_ctl: fix potential information leak with /dev/sclp
         [532c34b5fbf1687df63b3fcd5b2846312ac943c6]
      s390: fix test_fp_ctl inline assembly contraints
         [bcf4dd5f9ee096bd1510f838dd4750c35df4e38b]

Martin Willi (1):
      mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL
         [62397da50bb20a6b812c949ef465d7e69fe54bb6]

Masami Hiramatsu (1):
      kprobes/x86: Clear TF bit in fault on single-stepping
         [dcfc47248d3f7d28df6f531e6426b933de94370d]

Matt Gumbel (1):
      mmc: longer timeout for long read time quirk
         [32ecd320db39bcb007679ed42f283740641b81ea]

Matt Ranostay (3):
      iio: proximity: as3935: correct IIO_CHAN_INFO_RAW output
         [5138806f16c74c7cb8ac3e408a859c79eb7c9567]
      iio: proximity: as3935: fix buffer stack trashing
         [37b1ba2c68cfbe37f5f45bb91bcfaf2b016ae6a1]
      iio: proximity: as3935: remove triggered buffer processing
         [7d0643634ea567969bf3f3ed6193a9d6fc75653b]

Matthias Schiffer (1):
      MIPS: ath79: make bootconsole wait for both THRE and TEMT
         [f5b556c94c8490d42fea79d7b4ae0ecbc291e69d]

Michael Ellerman (2):
      powerpc/mm/hash64: Factor out hash preload psize check
         [8bbc9b7b001eaab8abf7e9e24edf1bb285c8d825]
      powerpc/mm/hash64: Fix subpage protection with 4K HPTE config
         [aac55d7573c5d46ed9a62818d5d3e69dd2060105]

Michael Neuling (1):
      powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0
         [190ce8693c23eae09ba5f303a83bf2fbeb6478b1]

Michal Suchanek (2):
      spi: sun4i: fix FIFO limit
         [6d9fe44bd73d567d04d3a68a2d2fa521ab9532f2]
      spi: sunxi: fix transfer timeout
         [719bd6542044efd9b338a53dba1bef45f40ca169]

Miklos Szeredi (1):
      fs: limit filesystem stacking depth
         [69c433ed2ecd2d3264efd7afec4439524b319121]

Mikulas Patocka (2):
      hpfs: fix remount failure when there are no options changed
         [44d51706b4685f965cd32acde3fe0fcc1e6198e8]
      hpfs: implement the show_options method
         [037369b872940cd923835a0a589763180c4a36bc]

Mohamad Haj Yahia (2):
      net/mlx5: Add timeout handle to commands with callback
         [65ee67084589c1783a74b4a4a5db38d7264ec8b5]
      net/mlx5: Fix potential deadlock in command mode change
         [9cba4ebcf374c3772f6eb61f2d065294b2451b49]

Naveen N. Rao (2):
      perf tools: Fix perf regs mask generation
         [f47822078dece7189cad0a5f472f148e5e916736]
      powerpc/bpf/jit: Disable classic BPF JIT on ppc64le
         [844e3be47693f92a108cb1fb3b0606bf25e9c7a6]

Noa Osherovich (2):
      IB/mlx5: Fix returned values of query QP
         [0540d8148d419bf769e5aa99c77027febd8922f0]
      IB/mlx5: Return PORT_ERR in Active to Initializing tranisition
         [2788cf3bd90af3791c3195c52391bcf34fa67b40]

Oleg Nesterov (1):
      wait/ptrace: assume __WALL if the child is traced
         [bf959931ddb88c4e4366e96dd22e68fa0db9527c]

Oliver Hartkopp (1):
      can: fix oops caused by wrong rtnl dellink usage
         [25e1ed6e64f52a692ba3191c4fde650aab3ecc07]

Oliver Neukum (1):
      HID: elo: kill not flush the work
         [ed596a4a88bd161f868ccba078557ee7ede8a6ef]

Olivier Sobrie (1):
      Input: pwm-beeper - remove useless call to pwm_config()
         [d1b12075ffa808dce33dd46b7ad035bebf8da215]

Omar Sandoval (1):
      block: fix use-after-free in sys_ioprio_get()
         [8ba8682107ee2ca3347354e018865d8e1967c5f4]

Pali Rohár (1):
      hwmon: (dell-smm) Restrict fan control and serial number to CAP_SYS_ADMIN by default
         [7613663cc186f8f3c50279390ddc60286758001c]

Paolo Bonzini (2):
      KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi
         [c622a3c21ede892e370b56e1ceb9eb28f8bbda6b]
      KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS
         [d14bdb553f9196169f003058ae1cdabe514470e6]

Paul Burton (2):
      MIPS: fix read_msa_* & write_msa_* functions on non-MSA toolchains
         [70dff4d90aab40326d1d06a331e2b07eae99d067]
      MIPS: math-emu: Fix jalr emulation when rd == $0
         [ab4a92e66741b35ca12f8497896bafbe579c28a1]

Paul Mackerras (2):
      KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures
         [f024ee098476a3e620232e4a78cfac505f121245]
      KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE
         [93d17397e4e2182fdaad503e2f9da46202c0f1c3]

Paul Moore (1):
      audit: fix a double fetch in audit_log_single_execve_arg()
         [43761473c254b45883a64441dd0bc85a42f3645c]

Peter Hurley (1):
      Revert "tty: Fix pty master poll() after slave closes v2"
         [2ce3c10c0c3e0d418c1a7a4c838319ba42c75388]

Peter Zijlstra (1):
      sched/preempt: Fix preempt_count manipulations
         [2e636d5e66c35dfcbaf617aa8fa963f6847478fe]

Ping Cheng (1):
      Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
         [12afb34400eb2b301f06b2aa3535497d14faee59]

Prarit Bhargava (2):
      PCI: Disable all BAR sizing for devices with non-compliant BARs
         [ad67b437f187ea818b2860524d10f878fadfdd99]
      x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
         [da77b67195de1c65bef4908fa29967c4d0af2da2]

Rafael J. Wysocki (3):
      ACPI / processor: Avoid reserving IO regions too early
         [86314751c7945fa0c67f459beeda2e7c610ca429]
      PM / sleep: Handle failures in device_suspend_late() consistently
         [3a17fb329da68cb00558721aff876a80bba2fdb9]
      x86/power/64: Fix kernel text mapping corruption during image restoration
         [65c0554b73c920023cc8998802e508b798113b46]

Raghava Aditya Renukunta (2):
      aacraid: Fix for aac_command_thread hang
         [fc4bf75ea300a5e62a2419f89dd0e22189dd7ab7]
      aacraid: Relinquish CPU during timeout wait
         [07beca2be24cc710461c0b131832524c9ee08910]

Richard Weinberger (3):
      UBI: Fix static volume checks when Fastmap is used
         [1900149c835ab5b48bea31a823ea5e5a401fb560]
      mm: Export migrate_page_move_mapping and migrate_page_copy
         [1118dce773d84f39ebd51a9fe7261f9169cb056e]
      ubi: Make recover_peb power cut aware
         [972228d87445dc46c0a01f5f3de673ac017626f7]

Ricky Liang (1):
      Input: uinput - handle compat ioctl for UI_SET_PHYS
         [affa80bd97f7ca282d1faa91667b3ee9e4c590e6]

Roger Quadros (1):
      mfd: omap-usb-tll: Fix scheduling while atomic BUG
         [b49b927f16acee626c56a1af4ab4cb062f75b5df]

Ross Lagerwall (1):
      xen/events: Don't move disabled irqs
         [f0f393877c71ad227d36705d61d1e4062bc29cf5]

Russell Currey (1):
      powerpc/pseries/eeh: Handle RTAS delay requests in configure_bridge
         [871e178e0f2c4fa788f694721a10b4758d494ce1]

Russell King (1):
      ARM: fix PTRACE_SETVFPREGS on SMP systems
         [e2dfb4b880146bfd4b6aa8e138c0205407cebbaf]

Sachin Prabhu (1):
      cifs: Create dedicated keyring for spnego operations
         [b74cb9a80268be5c80cf4c87c74debf0ff2129ac]

Sai Gurrappadi (1):
      cpufreq: Fix GOV_LIMITS handling for the userspace governor
         [e43e94c1eda76dabd686ddf6f7825f54d747b310]

Schemmel Hans-Christoph (1):
      USB: serial: option: add support for Cinterion PH8 and AHxx
         [444f94e9e625f6ec6bbe2cb232a6451c637f35a3]

Scott Bauer (1):
      HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
         [93a2001bdfd5376c3dc2158653034c20392d15c5]

Sebastien Ocquidant (1):
      memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing
         [8f50b8e57442d28e41bb736c173d8a2490549a82]

Sergei Shtylyov (1):
      of: irq: fix of_irq_get[_byname]() kernel-doc
         [3993546646baf1dab5f5c4f7d9bb58f2046fd1c1]

Shaokun Zhang (1):
      arm64: mm: remove page_mapping check in __sync_icache_dcache
         [20c27a4270c775d7ed661491af8ac03264d60fc6]

Simon Wunderlich (1):
      batman-adv: replace WARN with rate limited output on non-existing VLAN
         [0b3dd7dfb81ad8af53791ea2bb64b83bac1b7d32]

Srinivas Pandruvada (1):
      cpufreq: intel_pstate: Fix ->set_policy() interface for no_turbo
         [983e600e88835f0321d1a0ea06f52d48b7b5a544]

Stefan Metzmacher (4):
      fs/cifs: correctly to anonymous authentication for the LANMAN authentication
         [fa8f3a354bb775ec586e4475bcb07f7dece97e0c]
      fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication
         [777f69b8d26bf35ade4a76b08f203c11e048365d]
      fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication
         [1a967d6c9b39c226be1b45f13acd4d8a5ab3dc44]
      fs/cifs: correctly to anonymous authentication via NTLMSSP
         [cfda35d98298131bf38fbad3ce4cd5ecb3cf18db]

Steinar H. Gunderson (1):
      usb: dwc3: exynos: Fix deferred probing storm.
         [4879efb34f7d49235fac334d76d9c6a77a021413]

Steve Capper (1):
      ARM: 8579/1: mm: Fix definition of pmd_mknotpresent
         [56530f5d2ddc9b9fade7ef8db9cb886e9dc689b5]

Steve French (2):
      Fix reconnect to not defer smb3 session reconnect long after socket reconnect
         [4fcd1813e6404dd4420c7d12fb483f9320f0bf93]
      remove directory incorrectly tries to set delete on close on non-empty directories
         [897fba1172d637d344f009d700f7eb8a1fa262f1]

Steven Rostedt (3):
      ring-buffer: Prevent overflow of size in ring_buffer_resize()
         [59643d1535eb220668692a5359de22545af579f6]
      ring-buffer: Use long for nr_pages to avoid overflow failures
         [9b94a8fba501f38368aef6ac1b30e7335252a220]
      tracing: Handle NULL formats in hold_module_trace_bprintk_format()
         [70c8217acd4383e069fe1898bbad36ea4fcdbdcc]

Suman Anna (1):
      ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence
         [c20c8f750d9f8f8617f07ee2352d3ff560e66bc2]

Sven Eckelmann (6):
      batman-adv: Clean up untagged vlan when destroying via rtnl-link
         [420cb1b764f9169c5d2601b4af90e4a1702345ee]
      batman-adv: Fix ICMP RR ethernet access after skb_linearize
         [3b55e4422087f9f7b241031d758a0c65584e4297]
      batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
         [d285f52cc0f23564fd61976d43fd5b991b4828f6]
      batman-adv: Fix memory leak on tt add with invalid vlan
         [fd7dec25a18f495e50d2040398fd263836ff3b28]
      batman-adv: Fix unexpected free of bcast_own on add_if error
         [f7dcdf5fdbe8fec7670d8f65a5db595c98e0ecab]
      batman-adv: Fix use-after-free/double-free of tt_req_node
         [9c4604a298e0a9807eaf2cd912d1ebf24d98fbeb]

Takashi Iwai (4):
      ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
         [62db7152c924e4c060e42b34a69cd39658e8a0dc]
      ALSA: dummy: Fix a use-after-free at closing
         [d5dbbe6569481bf12dcbe3e12cff72c5f78d272c]
      ALSA: timer: Fix negative queue usage by racy accesses
         [3fa6993fef634e05d200d141a85df0b044572364]
      Bluetooth: vhci: Fix race at creating hci device
         [c7c999cb18da88a881e10e07f0724ad0bfaff770]

Tariq Toukan (1):
      net/mlx4_core: Fix access to uninitialized index
         [2bb07e155bb3e0c722c806723f737cf8020961ef]

Theodore Ts'o (2):
      ext4: clean up error handling when orphan list is corrupted
         [7827a7f6ebfcb7f388dc47fddd48567a314701ba]
      ext4: fix hang when processing corrupted orphaned inode list
         [c9eb13a9105e2e418f72e46a2b6da3f49e696902]

Thomas Huth (2):
      powerpc: Fix definition of SIAR and SDAR registers
         [d23fac2b27d94aeb7b65536a50d32bfdc21fe01e]
      powerpc: Use privileged SPR number for MMCR2
         [8dd75ccb571f3c92c48014b3dabd3d51a115ab41]

Thomas Petazzoni (1):
      usb: xhci-plat: properly handle probe deferral for devm_clk_get()
         [de95c40d5beaa47f6dc8fe9ac4159b4672b51523]

Thor Thayer (1):
      can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access
         [427460c83cdf55069eee49799a0caef7dde8df69]

Tom Lendacky (1):
      crypto: ccp - Fix AES XTS error for request sizes above 4096
         [ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1]

Tomáš Trnka (1):
      sunrpc: fix stripping of padded MIC tokens
         [c0cb8bf3a8e4bd82e640862cdd8891400405cb89]

Tony Lindgren (1):
      pinctrl: single: Fix missing flush of posted write for a wakeirq
         [0ac3c0a4025f41748a083bdd4970cb3ede802b15]

Torsten Hilbrich (1):
      fs/nilfs2: fix potential underflow in call to crc32_le
         [63d2f95d63396059200c391ca87161897b99e74a]

Trond Myklebust (1):
      NFS: Fix another OPEN_DOWNGRADE bug
         [e547f2628327fec6afd2e03b46f113f614cca05b]

Ulf Hansson (1):
      PM / Runtime: Fix error path in pm_runtime_force_resume()
         [0ae3aeefabbeef26294e7a349b51f1c761d46c9f]

Ursula Braun (1):
      qeth: delete napi struct when removing a qeth device
         [7831b4ff0d926e0deeaabef9db8800ed069a2757]

Vik Heyndrickx (1):
      sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems
         [20878232c52329f92423d27a60e48b6a6389e0dd]

Ville Syrjälä (2):
      dma-debug: avoid spinlock recursion when disabling dma-debug
         [3017cd63f26fc655d56875aaf497153ba60e9edf]
      drm/i915: Don't leave old junk in ilk active watermarks on readout
         [15606534bf0a65d8a74a90fd57b8712d147dbca6]

Vineet Gupta (1):
      ARC: unwind: ensure that .debug_frame is generated (vs. .eh_frame)
         [f52e126cc7476196f44f3c313b7d9f0699a881fc]

WANG Cong (2):
      net_sched: introduce qdisc_replace() helper
         [86a7996cc8a078793670d82ed97d5a99bb4e8496]
      net_sched: update hierarchical backlog too
         [2ccccf5fb43ff62b2b96cc58d95fc0b3596516e4]

Wang Yanqing (1):
      rtlwifi: Fix logic error in enter/exit power-save mode
         [873ffe154ae074c46ed2d72dbd9a2a99f06f55b4]

Wei Fang (1):
      scsi: fix race between simultaneous decrements of ->host_failed
         [72d8c36ec364c82bf1bf0c64dfa1041cfaf139f7]

Will Deacon (2):
      ARM: 8578/1: mm: ensure pmd_present only checks the valid bit
         [624531886987f0f1b5d01fb598034d039198e090]
      irqchip/gic: Ensure ordering between read of INTACK and shared data
         [f86c4fbd930ff6fecf3d8a1c313182bd0f49f496]

William Breathitt Gray (1):
      isa: Call isa_bus_init before dependent ISA bus drivers register
         [32a5a0c047343b11f581f663a2309cf43d13466f]

Wolfgang Grandegger (1):
      can: at91_can: RX queue could get stuck at high bus load
         [43200a4480cbbe660309621817f54cbb93907108]

Wolfram Sang (1):
      of: fix autoloading due to broken modalias with no 'compatible'
         [b3c0a4dab7e35a9b6d69c0415641d2280fdefb2b]

Xiubo Li (1):
      kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
         [caf1ff26e1aa178133df68ac3d40815fed2187d9]

Xypron.Glpk@Gmx.De (1):
      net: ehea: avoid null pointer dereference
         [1740c29a46b30a2f157afc473156f157e599d4c2]

Yishai Hadas (3):
      IB/mlx4: Fix error flow when sending mads under SRIOV
         [a6100603a4a87fc436199362bdb81cb849faaf6e]
      IB/mlx4: Fix the SQ size of an RC QP
         [f2940e2c76bb554a7fbdd28ca5b90904117a9e96]
      IB/mlx4: Verify port number in flow steering create flow
         [5533c18ab02b17a7f2ac11908e2d97d4b421617d]

Yuchung Cheng (1):
      tcp: record TLP and ER timer stats in v6 stats
         [ce3cf4ec0305919fc69a972f6c2b2efd35d36abc]

 .../ABI/testing/sysfs-bus-iio-proximity-as3935     |   2 +-
 Documentation/scsi/scsi_eh.txt                     |   8 +-
 Documentation/serial/driver                        |   2 +-
 Makefile                                           |  11 +-
 arch/alpha/kernel/pci-sysfs.c                      |   4 +-
 arch/arc/Makefile                                  |   2 -
 arch/arc/kernel/stacktrace.c                       |   2 +-
 arch/arm/boot/dts/Makefile                         |   2 +
 arch/arm/boot/dts/exynos4210-trats.dts             |   2 +
 arch/arm/include/asm/pgtable-2level.h              |   1 +
 arch/arm/include/asm/pgtable-3level.h              |   8 +-
 arch/arm/include/asm/pgtable.h                     |   1 -
 arch/arm/kernel/ptrace.c                           |   2 +-
 arch/arm/kvm/arm.c                                 |   1 +
 arch/arm/kvm/mmu.c                                 |  17 +-
 arch/arm/mach-omap2/gpmc.c                         |   2 +-
 arch/arm/mach-omap2/omap_hwmod.c                   |  12 +-
 arch/arm64/include/asm/elf.h                       |   4 +-
 arch/arm64/include/asm/pgtable-hwdef.h             |   1 -
 arch/arm64/include/asm/pgtable.h                   |   4 +-
 arch/arm64/kernel/setup.c                          |  11 +-
 arch/arm64/mm/flush.c                              |   4 -
 arch/mips/ath79/early_printk.c                     |   6 +-
 arch/mips/include/asm/cacheflush.h                 |  38 +-
 arch/mips/include/asm/kvm_host.h                   |   2 +-
 arch/mips/include/asm/msa.h                        |   8 +-
 arch/mips/include/asm/pgtable.h                    |  45 +-
 arch/mips/include/uapi/asm/siginfo.h               |  18 +-
 arch/mips/kernel/bmips_vec.S                       |   9 +-
 arch/mips/kernel/process.c                         |   2 +-
 arch/mips/kernel/traps.c                           |   2 +-
 arch/mips/kvm/kvm_mips_emul.c                      |  89 ++--
 arch/mips/kvm/kvm_trap_emul.c                      |   2 +-
 arch/mips/math-emu/cp1emu.c                        |   8 +-
 arch/mips/mm/cache.c                               |  12 +
 arch/parisc/kernel/unaligned.c                     |  10 +-
 arch/powerpc/Kconfig                               |   2 +-
 arch/powerpc/include/asm/reg.h                     |   6 +-
 arch/powerpc/kernel/exceptions-64s.S               |  16 +-
 arch/powerpc/kernel/process.c                      |  10 +
 arch/powerpc/kernel/tm.S                           |  61 ++-
 arch/powerpc/kvm/book3s_hv_rmhandlers.S            | 462 +++++++++++----------
 arch/powerpc/mm/hash_utils_64.c                    |  29 +-
 arch/powerpc/platforms/pseries/eeh_pseries.c       |  51 ++-
 arch/powerpc/platforms/pseries/iommu.c             |  24 +-
 arch/s390/include/asm/switch_to.h                  |   2 +-
 arch/s390/mm/vmem.c                                |   2 +-
 arch/x86/boot/Makefile                             |   3 +
 arch/x86/kernel/amd_nb.c                           |   4 +-
 arch/x86/kernel/kprobes/core.c                     |  12 +
 arch/x86/kvm/x86.c                                 |   5 +
 arch/x86/pci/fixup.c                               |   7 +
 arch/x86/power/hibernate_64.c                      |  97 ++++-
 arch/x86/power/hibernate_asm_64.S                  |  55 ++-
 block/blk-mq.c                                     |   2 +-
 block/ioprio.c                                     |   2 +
 crypto/asymmetric_keys/Kconfig                     |   1 +
 drivers/acpi/acpi_processor.c                      |   9 -
 drivers/acpi/processor_throttling.c                |   9 +
 drivers/acpi/sysfs.c                               |   7 +-
 drivers/ata/libata-eh.c                            |   2 +-
 drivers/ata/sata_dwc_460ex.c                       |   4 +-
 drivers/base/isa.c                                 |   2 +-
 drivers/base/module.c                              |   8 +-
 drivers/base/power/main.c                          |   5 +-
 drivers/base/power/runtime.c                       |   9 +-
 drivers/base/regmap/regcache.c                     |   2 +-
 drivers/bluetooth/hci_vhci.c                       |  28 +-
 drivers/char/Kconfig                               |   1 -
 drivers/char/i8k.c                                 |  19 +-
 drivers/cpufreq/cpufreq_userspace.c                |  43 +-
 drivers/cpufreq/intel_pstate.c                     |   7 +-
 drivers/cpuidle/cpuidle.c                          |   4 +-
 drivers/crypto/caam/jr.c                           |   2 +-
 drivers/crypto/ccp/ccp-crypto-aes-xts.c            |  17 +-
 drivers/crypto/s5p-sss.c                           |  61 ++-
 drivers/crypto/ux500/hash/hash_core.c              |   4 +-
 drivers/edac/edac_mc.c                             |   2 +-
 drivers/gpio/gpio-bcm-kona.c                       |   4 +-
 drivers/gpu/drm/drm_fb_helper.c                    |   5 +-
 drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c      |   2 +-
 drivers/gpu/drm/i915/i915_gem_context.c            |  14 +-
 drivers/gpu/drm/i915/intel_display.c               |  48 ++-
 drivers/gpu/drm/i915/intel_fbdev.c                 |   6 +-
 drivers/gpu/drm/i915/intel_pm.c                    |   2 +
 drivers/gpu/drm/nouveau/nouveau_fbcon.c            |   1 +
 drivers/gpu/drm/nouveau/nv04_fbcon.c               |   7 +-
 drivers/gpu/drm/nouveau/nv50_fbcon.c               |   6 +-
 drivers/gpu/drm/nouveau/nvc0_fbcon.c               |   6 +-
 drivers/gpu/drm/radeon/radeon_device.c             |  21 +
 drivers/hid/hid-elo.c                              |   2 +-
 drivers/hid/usbhid/hiddev.c                        |  10 +-
 drivers/iio/accel/kxsd9.c                          |   4 +-
 drivers/iio/adc/ad7266.c                           |   7 +-
 drivers/iio/industrialio-trigger.c                 |  23 +-
 drivers/iio/pressure/st_pressure_core.c            |  80 ++--
 drivers/iio/proximity/as3935.c                     |  17 +-
 drivers/infiniband/core/cma.c                      |   3 +-
 drivers/infiniband/core/iwpm_util.c                |   1 +
 drivers/infiniband/hw/cxgb3/cxio_hal.c             |   2 +-
 drivers/infiniband/hw/cxgb4/cm.c                   |  12 +-
 drivers/infiniband/hw/mlx4/ah.c                    |   2 +-
 drivers/infiniband/hw/mlx4/mad.c                   |  24 +-
 drivers/infiniband/hw/mlx4/main.c                  |   3 +
 drivers/infiniband/hw/mlx4/qp.c                    |   6 +-
 drivers/infiniband/hw/mlx5/main.c                  |   5 +-
 drivers/infiniband/hw/mlx5/qp.c                    |  21 +-
 drivers/infiniband/ulp/ipoib/ipoib.h               |   1 +
 drivers/infiniband/ulp/ipoib/ipoib_cm.c            |   4 +
 drivers/infiniband/ulp/ipoib/ipoib_main.c          |   7 +-
 drivers/infiniband/ulp/ipoib/ipoib_vlan.c          |   6 +
 drivers/input/joystick/xpad.c                      |   4 +
 drivers/input/misc/pwm-beeper.c                    |  70 +++-
 drivers/input/misc/uinput.c                        |   6 +
 drivers/input/mouse/elantech.c                     |   8 +-
 drivers/input/touchscreen/wacom_w8001.c            |   2 +-
 drivers/iommu/dmar.c                               |  47 ++-
 drivers/irqchip/irq-gic.c                          |   8 +
 drivers/mcb/mcb-parse.c                            |   2 +-
 drivers/media/pci/cx23885/cx23885-av.c             |   2 +-
 drivers/media/usb/uvc/uvc_v4l2.c                   |  39 +-
 drivers/mfd/lp8788-irq.c                           |   2 +-
 drivers/mfd/omap-usb-tll.c                         |  13 +-
 drivers/misc/mic/host/mic_virtio.c                 |   5 +
 drivers/mmc/card/block.c                           |   5 +-
 drivers/mmc/core/core.c                            |   4 +-
 drivers/mmc/core/mmc.c                             |   7 +
 drivers/mtd/ubi/eba.c                              |  42 +-
 drivers/mtd/ubi/fastmap.c                          |   1 +
 drivers/mtd/ubi/ubi.h                              |   2 +
 drivers/net/bonding/bond_3ad.c                     |  13 +-
 drivers/net/bonding/bond_alb.c                     |   7 +-
 drivers/net/bonding/bonding.h                      |   3 +
 drivers/net/can/at91_can.c                         |   5 +-
 drivers/net/can/c_can/c_can.c                      |  38 +-
 drivers/net/can/dev.c                              |   6 +
 drivers/net/ethernet/broadcom/bcmsysport.c         |   2 +-
 drivers/net/ethernet/broadcom/bgmac.c              |   2 +-
 drivers/net/ethernet/ibm/ehea/ehea_main.c          |   9 +-
 drivers/net/ethernet/intel/i40e/i40e_hmc.c         |   2 +-
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c     |  18 +-
 drivers/net/ethernet/mellanox/mlx4/mcg.c           |   4 +-
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c      | 123 +++---
 drivers/net/ethernet/mellanox/mlx5/core/qp.c       |   2 +-
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c     |   2 +-
 drivers/net/ethernet/sfc/ef10.c                    |  16 +
 drivers/net/phy/fixed.c                            |  22 +-
 drivers/net/tun.c                                  |   6 +-
 drivers/net/wireless/ath/ath5k/led.c               |   2 +-
 drivers/net/wireless/mac80211_hwsim.c              |   1 +
 drivers/net/wireless/rtlwifi/base.c                |   4 +-
 drivers/of/irq.c                                   |  19 +-
 drivers/pci/pci-sysfs.c                            |   7 +-
 drivers/pci/probe.c                                |   6 +-
 drivers/pinctrl/pinctrl-single.c                   |   3 +
 drivers/s390/char/sclp_ctl.c                       |  12 +-
 drivers/s390/net/qeth_l2_main.c                    |   1 +
 drivers/s390/net/qeth_l3_main.c                    |   1 +
 drivers/scsi/aacraid/commsup.c                     |  12 +-
 drivers/scsi/ipr.c                                 |   1 +
 drivers/scsi/scsi_devinfo.c                        |   1 +
 drivers/scsi/scsi_error.c                          |   4 +-
 drivers/scsi/scsi_lib.c                            |   7 +-
 drivers/scsi/scsi_scan.c                           |   1 +
 drivers/scsi/scsi_sysfs.c                          |   6 +-
 drivers/spi/spi-sun4i.c                            |  23 +-
 drivers/spi/spi-sun6i.c                            |  10 +-
 drivers/staging/iio/accel/sca3000_core.c           |   2 +-
 drivers/tty/n_tty.c                                |  17 +-
 drivers/tty/vt/vt.c                                |   5 +-
 drivers/usb/core/devio.c                           |   9 +-
 drivers/usb/core/hcd.c                             |  14 +-
 drivers/usb/core/quirks.c                          |  27 +-
 drivers/usb/dwc3/dwc3-exynos.c                     |  19 +-
 drivers/usb/gadget/f_fs.c                          |  12 +-
 drivers/usb/gadget/f_uac2.c                        |   1 +
 drivers/usb/gadget/inode.c                         |  17 +-
 drivers/usb/host/xhci-pci.c                        |   5 +
 drivers/usb/host/xhci-plat.c                       |   3 +
 drivers/usb/musb/musb_host.c                       |  21 +-
 drivers/usb/serial/io_edgeport.c                   |  56 ++-
 drivers/usb/serial/keyspan.c                       |   4 +
 drivers/usb/serial/mxuport.c                       |  10 +
 drivers/usb/serial/option.c                        | 155 ++++++-
 drivers/usb/serial/quatech2.c                      |   1 +
 drivers/xen/events/events_base.c                   |   6 +-
 drivers/xen/xen-acpi-processor.c                   |  35 +-
 drivers/xen/xen-pciback/conf_space.c               |   6 +-
 drivers/xen/xenbus/xenbus_dev_frontend.c           |  14 +-
 drivers/xen/xenbus/xenbus_xs.c                     |   3 -
 fs/btrfs/ctree.h                                   |   1 +
 fs/btrfs/file.c                                    |   2 +-
 fs/btrfs/inode.c                                   |   2 +-
 fs/btrfs/ioctl.c                                   |  21 +
 fs/cifs/cifs_spnego.c                              |  67 +++
 fs/cifs/cifsfs.c                                   |   4 +-
 fs/cifs/cifsproto.h                                |   2 +
 fs/cifs/connect.c                                  |   4 +-
 fs/cifs/ntlmssp.h                                  |   2 +-
 fs/cifs/sess.c                                     | 210 ++++++----
 fs/cifs/smb2glob.h                                 |   1 +
 fs/cifs/smb2inode.c                                |   8 +-
 fs/cifs/smb2pdu.c                                  |  53 ++-
 fs/cifs/smb2proto.h                                |   2 +
 fs/dcache.c                                        |   5 +-
 fs/ecryptfs/file.c                                 |  15 +-
 fs/ecryptfs/main.c                                 |   7 +
 fs/ext4/ialloc.c                                   |  55 ++-
 fs/ext4/inode.c                                    |  23 +-
 fs/ext4/namei.c                                    |   2 +-
 fs/hpfs/super.c                                    |  42 +-
 fs/namespace.c                                     |   2 +-
 fs/nfs/dir.c                                       |   2 +-
 fs/nfs/nfs4proc.c                                  |   5 +-
 fs/nfsd/nfs2acl.c                                  |  20 +-
 fs/nfsd/nfs3acl.c                                  |  16 +-
 fs/nfsd/nfs4acl.c                                  |  16 +-
 fs/nilfs2/the_nilfs.c                              |   2 +-
 fs/posix_acl.c                                     |  38 +-
 fs/proc/root.c                                     |   7 +
 fs/ubifs/file.c                                    |  24 ++
 fs/xfs/xfs_inode.c                                 |  26 +-
 fs/xfs/xfs_super.c                                 |  10 +
 include/asm-generic/preempt.h                      |   4 +-
 include/linux/device.h                             |   7 +-
 include/linux/fs.h                                 |  11 +
 include/linux/mlx5/driver.h                        |   1 +
 include/linux/mlx5/qp.h                            |   2 +
 include/linux/netfilter/x_tables.h                 |  12 +-
 include/linux/sunrpc/msg_prot.h                    |   4 +-
 include/net/codel.h                                |   4 +
 include/net/sch_generic.h                          |  20 +-
 include/scsi/scsi_device.h                         |   1 +
 kernel/auditsc.c                                   | 335 ++++++++-------
 kernel/exit.c                                      |  29 +-
 kernel/sched/core.c                                |   6 +-
 kernel/sched/proc.c                                |  11 +-
 kernel/trace/ring_buffer.c                         |  35 +-
 kernel/trace/trace_printk.c                        |   7 +-
 lib/dma-debug.c                                    |   2 +-
 mm/migrate.c                                       |   2 +
 mm/shmem.c                                         |   8 +-
 net/batman-adv/bat_iv_ogm.c                        |   9 +-
 net/batman-adv/routing.c                           |   5 +-
 net/batman-adv/soft-interface.c                    |   9 +
 net/batman-adv/translation-table.c                 |  52 ++-
 net/batman-adv/types.h                             |   2 +
 net/bridge/br_multicast.c                          |   4 +
 net/bridge/br_private.h                            |  25 +-
 net/ipv4/netfilter/arp_tables.c                    | 296 +++++--------
 net/ipv4/netfilter/ip_tables.c                     | 322 ++++----------
 net/ipv4/tcp_input.c                               |  13 +-
 net/ipv6/addrconf.c                                |  10 +-
 net/ipv6/icmp.c                                    |   2 +-
 net/ipv6/netfilter/ip6_tables.c                    | 317 ++++----------
 net/ipv6/tcp_ipv6.c                                |   4 +-
 net/mac80211/mesh.c                                |  11 +-
 net/netfilter/x_tables.c                           | 245 ++++++++++-
 net/netlink/af_netlink.c                           |   7 +-
 net/rds/recv.c                                     |   2 +
 net/sched/sch_api.c                                |   8 +-
 net/sched/sch_cbq.c                                |  12 +-
 net/sched/sch_choke.c                              |   6 +-
 net/sched/sch_codel.c                              |  10 +-
 net/sched/sch_drr.c                                |   9 +-
 net/sched/sch_dsmark.c                             |   8 +-
 net/sched/sch_fifo.c                               |   4 +
 net/sched/sch_fq.c                                 |   4 +-
 net/sched/sch_fq_codel.c                           |  17 +-
 net/sched/sch_hfsc.c                               |   9 +-
 net/sched/sch_hhf.c                                |  10 +-
 net/sched/sch_htb.c                                |  19 +-
 net/sched/sch_multiq.c                             |  16 +-
 net/sched/sch_netem.c                              |  21 +-
 net/sched/sch_pie.c                                |   5 +-
 net/sched/sch_prio.c                               |  15 +-
 net/sched/sch_qfq.c                                |   9 +-
 net/sched/sch_red.c                                |  10 +-
 net/sched/sch_sfb.c                                |  10 +-
 net/sched/sch_sfq.c                                |  16 +-
 net/sched/sch_tbf.c                                |  15 +-
 net/sunrpc/auth_gss/svcauth_gss.c                  |   4 +-
 net/tipc/node.c                                    |   3 +-
 scripts/Makefile.extrawarn                         |   1 +
 scripts/mod/file2alias.c                           |   2 +-
 security/keys/key.c                                |   2 +-
 sound/core/compress_offload.c                      |   2 +-
 sound/core/timer.c                                 |   5 +-
 sound/drivers/dummy.c                              |   1 +
 sound/pci/au88x0/au88x0_core.c                     |   5 +-
 sound/pci/echoaudio/echoaudio.c                    |   4 +-
 sound/pci/hda/patch_realtek.c                      |   7 +
 tools/perf/util/perf_regs.c                        |   8 +-
 virt/kvm/irqchip.c                                 |   2 +-
 virt/kvm/kvm_main.c                                |   2 +-
 295 files changed, 3442 insertions(+), 2297 deletions(-)

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
                                                           - Albert Einstein


* [PATCH 3.16 259/305] x86/power/64: Fix kernel text mapping corruption during image restoration
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (88 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 130/305] hpfs: implement the show_options method Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 030/305] btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl Ben Hutchings
                   ` (215 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Logan Gunthorpe, Kees Cook, Rafael J. Wysocki

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

commit 65c0554b73c920023cc8998802e508b798113b46 upstream.

Logan Gunthorpe reports that hibernation stopped working reliably for
him after commit ab76f7b4ab23 (x86/mm: Set NX on gap between __ex_table
and rodata).

That turns out to be a consequence of a long-standing issue with the
64-bit image restoration code on x86, which is that the temporary
page tables set up by it to avoid page tables corruption when the
last bits of the image kernel's memory contents are copied into
their original page frames re-use the boot kernel's text mapping,
but that mapping may very well get corrupted just like any other
part of the page tables.  Of course, if that happens, the final
jump to the image kernel's entry point will go to nowhere.

The exact reason why commit ab76f7b4ab23 matters here is that it
sometimes causes a PMD of a large page to be split into PTEs
that are allocated dynamically and get corrupted during image
restoration as described above.

To fix that issue note that the code copying the last bits of the
image kernel's memory contents to the page frames occupied by them
previously doesn't use the kernel text mapping, because it runs from
a special page covered by the identity mapping set up for that code
from scratch.  Hence, the kernel text mapping is only needed before
that code starts to run and then it will only be used just for the
final jump to the image kernel's entry point.

Accordingly, the temporary page tables set up in swsusp_arch_resume()
on x86-64 need to contain the kernel text mapping too.  That mapping
is only going to be used for the final jump to the image kernel, so
it only needs to cover the image kernel's entry point, because the
first thing the image kernel does after getting control back is to
switch over to its own original page tables.  Moreover, the virtual
address of the image kernel's entry point in that mapping has to be
the same as the one mapped by the image kernel's page tables.

With that in mind, modify the x86-64's arch_hibernation_header_save()
and arch_hibernation_header_restore() routines to pass the physical
address of the image kernel's entry point (in addition to its virtual
address) to the boot kernel (a small piece of assembly code involved
in passing the entry point's virtual address to the image kernel is
not necessary any more after that, so drop it).  Update RESTORE_MAGIC
too to reflect the image header format change.

Next, in set_up_temporary_mappings(), use the physical and virtual
addresses of the image kernel's entry point passed in the image
header to set up a minimum kernel text mapping (using memory pages
that won't be overwritten by the image kernel's memory contents) that
will map those addresses to each other as appropriate.

This makes the concern about the possible corruption of the original
boot kernel text mapping go away and if the minimum kernel text
mapping used for the final jump marks the image kernel's entry point
memory as executable, the jump to it is guaranteed to succeed.

Fixes: ab76f7b4ab23 (x86/mm: Set NX on gap between __ex_table and rodata)
Link: http://marc.info/?l=linux-pm&m=146372852823760&w=2
Reported-by: Logan Gunthorpe <logang@deltatee.com>
Reported-and-tested-by: Borislav Petkov <bp@suse.de>
Tested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/power/hibernate_64.c     | 97 ++++++++++++++++++++++++++++++++++-----
 arch/x86/power/hibernate_asm_64.S | 55 ++++++++++------------
 2 files changed, 109 insertions(+), 43 deletions(-)

--- a/arch/x86/power/hibernate_64.c
+++ b/arch/x86/power/hibernate_64.c
@@ -19,6 +19,7 @@
 #include <asm/mtrr.h>
 #include <asm/sections.h>
 #include <asm/suspend.h>
+#include <asm/tlbflush.h>
 
 /* Defined in hibernate_asm_64.S */
 extern asmlinkage __visible int restore_image(void);
@@ -28,6 +29,7 @@ extern asmlinkage __visible int restore_
  * kernel's text (this value is passed in the image header).
  */
 unsigned long restore_jump_address __visible;
+unsigned long jump_address_phys;
 
 /*
  * Value of the cr3 register from before the hibernation (this value is passed
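Review bot: jump_address_phys is added directly under the comment block that documents restore_jump_address and has no comment of its own; please add one saying it holds the physical address of the image kernel's entry point taken from the image header. It is also the only global in this group declared without __visible. That is fine if nothing in hibernate_asm_64.S references it, but in that case it could be made static so the intent is explicit.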
@@ -37,7 +39,43 @@ unsigned long restore_cr3 __visible;
 
 pgd_t *temp_level4_pgt __visible;
 
-void *relocated_restore_code __visible;
+unsigned long relocated_restore_code __visible;
+
+static int set_up_temporary_text_mapping(void)
+{
+	pmd_t *pmd;
+	pud_t *pud;
+
+	/*
+	 * The new mapping only has to cover the page containing the image
+	 * kernel's entry point (jump_address_phys), because the switch over to
+	 * it is carried out by relocated code running from a page allocated
+	 * specifically for this purpose and covered by the identity mapping, so
+	 * the temporary kernel text mapping is only needed for the final jump.
+	 * Moreover, in that mapping the virtual address of the image kernel's
+	 * entry point must be the same as its virtual address in the image
+	 * kernel (restore_jump_address), so the image kernel's
+	 * restore_registers() code doesn't find itself in a different area of
+	 * the virtual address space after switching over to the original page
+	 * tables used by the image kernel.
+	 */
+	pud = (pud_t *)get_safe_page(GFP_ATOMIC);
+	if (!pud)
+		return -ENOMEM;
+
+	pmd = (pmd_t *)get_safe_page(GFP_ATOMIC);
+	if (!pmd)
+		return -ENOMEM;
+
+	set_pmd(pmd + pmd_index(restore_jump_address),
+		__pmd((jump_address_phys & PMD_MASK) | __PAGE_KERNEL_LARGE_EXEC));
+	set_pud(pud + pud_index(restore_jump_address),
+		__pud(__pa(pmd) | _KERNPG_TABLE));
+	set_pgd(temp_level4_pgt + pgd_index(restore_jump_address),
+		__pgd(__pa(pud) | _KERNPG_TABLE));
+
+	return 0;
+}
 
 static void *alloc_pgt_page(void *context)
 {
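Review bot: In set_up_temporary_text_mapping() the PMD entry is built from (jump_address_phys & PMD_MASK) and installed at pmd_index(restore_jump_address), so the final jump only lands on restore_registers if both addresses have the same offset inside the 2 MB large page, and nothing checks that. Both values come from the image header, which arch_hibernation_header_restore() accepts on the magic number alone. Consider failing with an error when (restore_jump_address ^ jump_address_phys) & ~PMD_MASK is non-zero. The comment also speaks of "the page containing" the entry point; it should say that this is an executable 2 MB large page.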
@@ -59,9 +97,10 @@ static int set_up_temporary_mappings(voi
 	if (!temp_level4_pgt)
 		return -ENOMEM;
 
-	/* It is safe to reuse the original kernel mapping */
-	set_pgd(temp_level4_pgt + pgd_index(__START_KERNEL_map),
-		init_level4_pgt[pgd_index(__START_KERNEL_map)]);
+	/* Prepare a temporary mapping for the kernel text */
+	result = set_up_temporary_text_mapping();
+	if (result)
+		return result;
 
 	/* Set up the direct mapping from scratch */
 	for (i = 0; i < nr_pfn_mapped; i++) {
@@ -78,19 +117,50 @@ static int set_up_temporary_mappings(voi
 	return 0;
 }
 
+static int relocate_restore_code(void)
+{
+	pgd_t *pgd;
+	pud_t *pud;
+
+	relocated_restore_code = get_safe_page(GFP_ATOMIC);
+	if (!relocated_restore_code)
+		return -ENOMEM;
+
+	memcpy((void *)relocated_restore_code, &core_restore_code, PAGE_SIZE);
+
+	/* Make the page containing the relocated code executable */
+	pgd = (pgd_t *)__va(read_cr3()) + pgd_index(relocated_restore_code);
+	pud = pud_offset(pgd, relocated_restore_code);
+	if (pud_large(*pud)) {
+		set_pud(pud, __pud(pud_val(*pud) & ~_PAGE_NX));
+	} else {
+		pmd_t *pmd = pmd_offset(pud, relocated_restore_code);
+
+		if (pmd_large(*pmd)) {
+			set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_NX));
+		} else {
+			pte_t *pte = pte_offset_kernel(pmd, relocated_restore_code);
+
+			set_pte(pte, __pte(pte_val(*pte) & ~_PAGE_NX));
+		}
+	}
+	__flush_tlb_all();
+
+	return 0;
+}
+
 int swsusp_arch_resume(void)
 {
 	int error;
 
 	/* We have got enough memory and from now on we cannot recover */
-	if ((error = set_up_temporary_mappings()))
+	error = set_up_temporary_mappings();
+	if (error)
 		return error;
 
-	relocated_restore_code = (void *)get_safe_page(GFP_ATOMIC);
-	if (!relocated_restore_code)
-		return -ENOMEM;
-	memcpy(relocated_restore_code, &core_restore_code,
-	       &restore_registers - &core_restore_code);
+	error = relocate_restore_code();
+	if (error)
+		return error;
 
 	restore_image();
 	return 0;
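Review bot: In relocate_restore_code(), the pud_large() and pmd_large() branches clear _PAGE_NX on the whole large mapping in the current page tables, so far more than the one page holding the relocated code becomes executable. That is tolerable because swsusp_arch_resume() is already past the point of recovery, but the "Make the page containing the relocated code executable" comment should say so. The memcpy() also now copies a fixed PAGE_SIZE from core_restore_code where the old code copied &restore_registers - &core_restore_code bytes; a build-time check that the relocated code fits in one page would document that assumption.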
@@ -109,11 +179,12 @@ int pfn_is_nosave(unsigned long pfn)
 
 struct restore_data_record {
 	unsigned long jump_address;
+	unsigned long jump_address_phys;
 	unsigned long cr3;
 	unsigned long magic;
 };
 
-#define RESTORE_MAGIC	0x0123456789ABCDEFUL
+#define RESTORE_MAGIC	0x123456789ABCDEF0UL
 
 /**
  *	arch_hibernation_header_save - populate the architecture specific part
@@ -126,7 +197,8 @@ int arch_hibernation_header_save(void *a
 
 	if (max_size < sizeof(struct restore_data_record))
 		return -EOVERFLOW;
-	rdr->jump_address = restore_jump_address;
+	rdr->jump_address = (unsigned long)&restore_registers;
+	rdr->jump_address_phys = __pa_symbol(&restore_registers);
 	rdr->cr3 = restore_cr3;
 	rdr->magic = RESTORE_MAGIC;
 	return 0;
@@ -142,6 +214,7 @@ int arch_hibernation_header_restore(void
 	struct restore_data_record *rdr = addr;
 
 	restore_jump_address = rdr->jump_address;
+	jump_address_phys = rdr->jump_address_phys;
 	restore_cr3 = rdr->cr3;
 	return (rdr->magic == RESTORE_MAGIC) ? 0 : -EINVAL;
 }
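Review bot: arch_hibernation_header_restore() stores rdr->jump_address, the new rdr->jump_address_phys and rdr->cr3 into the globals before rdr->magic is compared, so a header that fails the check still overwrites them. Testing the magic first and returning -EINVAL before any assignment would be cleaner. In the lines shown, jump_address_phys is only used from this file, so the declaration added in the earlier hunk could be static and carry a comment like its neighbours.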
--- a/arch/x86/power/hibernate_asm_64.S
+++ b/arch/x86/power/hibernate_asm_64.S
@@ -42,9 +42,6 @@ ENTRY(swsusp_arch_suspend)
 	pushfq
 	popq	pt_regs_flags(%rax)
 
-	/* save the address of restore_registers */
-	movq	$restore_registers, %rax
-	movq	%rax, restore_jump_address(%rip)
 	/* save cr3 */
 	movq	%cr3, %rax
 	movq	%rax, restore_cr3(%rip)
@@ -53,31 +50,34 @@ ENTRY(swsusp_arch_suspend)
 	ret
 
 ENTRY(restore_image)
-	/* switch to temporary page tables */
-	movq	$__PAGE_OFFSET, %rdx
-	movq	temp_level4_pgt(%rip), %rax
-	subq	%rdx, %rax
-	movq	%rax, %cr3
-	/* Flush TLB */
-	movq	mmu_cr4_features(%rip), %rax
-	movq	%rax, %rdx
-	andq	$~(X86_CR4_PGE), %rdx
-	movq	%rdx, %cr4;  # turn off PGE
-	movq	%cr3, %rcx;  # flush TLB
-	movq	%rcx, %cr3;
-	movq	%rax, %cr4;  # turn PGE back on
-
 	/* prepare to jump to the image kernel */
-	movq	restore_jump_address(%rip), %rax
-	movq	restore_cr3(%rip), %rbx
+	movq	restore_jump_address(%rip), %r8
+	movq	restore_cr3(%rip), %r9
+
+	/* prepare to switch to temporary page tables */
+	movq	temp_level4_pgt(%rip), %rax
+	movq	mmu_cr4_features(%rip), %rbx
 
 	/* prepare to copy image data to their original locations */
 	movq	restore_pblist(%rip), %rdx
+
+	/* jump to relocated restore code */
 	movq	relocated_restore_code(%rip), %rcx
 	jmpq	*%rcx
 
 	/* code below has been relocated to a safe page */
 ENTRY(core_restore_code)
+	/* switch to temporary page tables */
+	movq	$__PAGE_OFFSET, %rcx
+	subq	%rcx, %rax
+	movq	%rax, %cr3
+	/* flush TLB */
+	movq	%rbx, %rcx
+	andq	$~(X86_CR4_PGE), %rcx
+	movq	%rcx, %cr4;  # turn off PGE
+	movq	%cr3, %rcx;  # flush TLB
+	movq	%rcx, %cr3;
+	movq	%rbx, %cr4;  # turn PGE back on
 loop:
 	testq	%rdx, %rdx
 	jz	done
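Review bot: core_restore_code now depends on registers loaded in restore_image: %rax (temp_level4_pgt), %rbx (mmu_cr4_features), %r8 (restore_jump_address) and %r9 (restore_cr3), alongside %rdx and the %rcx scratch use. Nothing at ENTRY(core_restore_code) records that contract, and because this code runs from a copied page, a later edit that clobbers one of them would be hard to spot. A short register-usage comment at the label would help.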
@@ -92,23 +92,16 @@ loop:
 	/* progress to the next pbe */
 	movq	pbe_next(%rdx), %rdx
 	jmp	loop
+
 done:
 	/* jump to the restore_registers address from the image header */
-	jmpq	*%rax
-	/*
-	 * NOTE: This assumes that the boot kernel's text mapping covers the
-	 * image kernel's page containing restore_registers and the address of
-	 * this page is the same as in the image kernel's text mapping (it
-	 * should always be true, because the text mapping is linear, starting
-	 * from 0, and is supposed to cover the entire kernel text for every
-	 * kernel).
-	 *
-	 * code below belongs to the image kernel
-	 */
+	jmpq	*%r8
 
+	 /* code below belongs to the image kernel */
+	.align PAGE_SIZE
 ENTRY(restore_registers)
 	/* go back to the original page tables */
-	movq    %rbx, %cr3
+	movq    %r9, %cr3
 
 	/* Flush TLB, including "global" things (vmalloc) */
 	movq	mmu_cr4_features(%rip), %rax
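Review bot: The added ".align PAGE_SIZE" before ENTRY(restore_registers) has no comment, and the NOTE removed in this hunk was the only place that explained the mapping assumption behind the jump. One sentence saying why restore_registers must start on its own page would replace what was lost. The new "code below belongs to the image kernel" comment line is also indented with a tab followed by a space.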


* [PATCH 3.16 270/305] xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (18 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 289/305] netfilter: x_tables: validate targets of jumps Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 178/305] usb: musb: Stop bulk endpoint while queue is rotated Ben Hutchings
                   ` (285 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Beulich, David Vrabel, Jan Beulich

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Beulich <JBeulich@suse.com>

commit 6f2d9d99213514360034c6d52d2c3919290b3504 upstream.

As of Xen 4.7 PV CPUID doesn't expose either of CPUID[1].ECX[7] and
CPUID[0x80000007].EDX[7] anymore, causing the driver to fail to load on
both Intel and AMD systems. Doing any kind of hardware capability
checks in the driver as a prerequisite was wrong anyway: With the
hypervisor being in charge, all such checking should be done by it. If
ACPI data gets uploaded despite some missing capability, the hypervisor
is free to ignore part or all of that data.

Ditch the entire check_prereq() function, and do the only valid check
(xen_initial_domain()) in the caller in its place.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/xen-acpi-processor.c | 35 +++--------------------------------
 1 file changed, 3 insertions(+), 32 deletions(-)

--- a/drivers/xen/xen-acpi-processor.c
+++ b/drivers/xen/xen-acpi-processor.c
@@ -423,36 +423,7 @@ upload:
 
 	return 0;
 }
-static int __init check_prereq(void)
-{
-	struct cpuinfo_x86 *c = &cpu_data(0);
-
-	if (!xen_initial_domain())
-		return -ENODEV;
-
-	if (!acpi_gbl_FADT.smi_command)
-		return -ENODEV;
 
-	if (c->x86_vendor == X86_VENDOR_INTEL) {
-		if (!cpu_has(c, X86_FEATURE_EST))
-			return -ENODEV;
-
-		return 0;
-	}
-	if (c->x86_vendor == X86_VENDOR_AMD) {
-		/* Copied from powernow-k8.h, can't include ../cpufreq/powernow
-		 * as we get compile warnings for the static functions.
-		 */
-#define CPUID_FREQ_VOLT_CAPABILITIES    0x80000007
-#define USE_HW_PSTATE                   0x00000080
-		u32 eax, ebx, ecx, edx;
-		cpuid(CPUID_FREQ_VOLT_CAPABILITIES, &eax, &ebx, &ecx, &edx);
-		if ((edx & USE_HW_PSTATE) != USE_HW_PSTATE)
-			return -ENODEV;
-		return 0;
-	}
-	return -ENODEV;
-}
 /* acpi_perf_data is a pointer to percpu data. */
 static struct acpi_processor_performance __percpu *acpi_perf_data;
 
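Review bot: Removing check_prereq() drops the !acpi_gbl_FADT.smi_command test together with the two CPU capability tests. The commit message justifies leaving hardware capability checks to the hypervisor, but smi_command is an ACPI table field rather than a CPUID bit, so the message should say in its own sentence why the driver no longer needs that test.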
@@ -509,10 +480,10 @@ struct notifier_block xen_acpi_processor
 static int __init xen_acpi_processor_init(void)
 {
 	unsigned int i;
-	int rc = check_prereq();
+	int rc;
 
-	if (rc)
-		return rc;
+	if (!xen_initial_domain())
+		return -ENODEV;
 
 	nr_acpi_bits = get_max_acpi_id() + 1;
 	acpi_ids_done = kcalloc(BITS_TO_LONGS(nr_acpi_bits), sizeof(unsigned long), GFP_KERNEL);


* [PATCH 3.16 005/305] ath5k: Change led pin configuration for compaq c700 laptop
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (71 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 181/305] ARM: 8578/1: mm: ensure pmd_present only checks the valid bit Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 196/305] kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES Ben Hutchings
                   ` (232 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Joseph Salisbury, Kalle Valo

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joseph Salisbury <joseph.salisbury@canonical.com>

commit 7b9bc799a445aea95f64f15e0083cb19b5789abe upstream.

BugLink: http://bugs.launchpad.net/bugs/972604

Commit 09c9bae26b0d3c9472cb6ae45010460a2cee8b8d ("ath5k: add led pin
configuration for compaq c700 laptop") added a pin configuration for the Compaq
c700 laptop.  However, the polarity of the led pin is reversed.  It should be
red for wifi off and blue for wifi on, but it is the opposite.  This bug was
reported in the following bug report:
http://pad.lv/972604

Fixes: 09c9bae26b0d3c9472cb6ae45010460a2cee8b8d ("ath5k: add led pin configuration for compaq c700 laptop")
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/ath/ath5k/led.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath5k/led.c
+++ b/drivers/net/wireless/ath/ath5k/led.c
@@ -77,7 +77,7 @@ static DEFINE_PCI_DEVICE_TABLE(ath5k_led
 	/* HP Compaq CQ60-206US (ddreggors@jumptv.com) */
 	{ ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137a), ATH_LED(3, 1) },
 	/* HP Compaq C700 (nitrousnrg@gmail.com) */
-	{ ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137b), ATH_LED(3, 1) },
+	{ ATH_SDEVICE(PCI_VENDOR_ID_HP, 0x0137b), ATH_LED(3, 0) },
 	/* LiteOn AR5BXB63 (magooz@salug.it) */
 	{ ATH_SDEVICE(PCI_VENDOR_ID_ATHEROS, 0x3067), ATH_LED(3, 0) },
 	/* IBM-specific AR5212 (all others) */


* [PATCH 3.16 133/305] powerpc: Use privileged SPR number for MMCR2
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (132 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 001/305] regmap: cache: Fix typo in cache_bypass parameter description Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 290/305] netfilter: x_tables: add and use xt_check_entry_offsets Ben Hutchings
                   ` (171 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Thomas Huth, Paul Mackerras, Michael Ellerman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Huth <thuth@redhat.com>

commit 8dd75ccb571f3c92c48014b3dabd3d51a115ab41 upstream.

We are already using the privileged versions of MMCR0, MMCR1
and MMCRA in the kernel, so for MMCR2, we should better use
the privileged versions, too, to be consistent.

Fixes: 240686c13687 ("powerpc: Initialise PMU related regs on Power8")
Suggested-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Acked-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/include/asm/reg.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/include/asm/reg.h
+++ b/arch/powerpc/include/asm/reg.h
@@ -704,7 +704,7 @@
 #define   MMCR0_FCWAIT	0x00000002UL /* freeze counter in WAIT state */
 #define   MMCR0_FCHV	0x00000001UL /* freeze conditions in hypervisor mode */
 #define SPRN_MMCR1	798
-#define SPRN_MMCR2	769
+#define SPRN_MMCR2	785
 #define SPRN_MMCRA	0x312
 #define   MMCRA_SDSYNC	0x80000000UL /* SDAR synced with SIAR */
 #define   MMCRA_SDAR_DCACHE_MISS 0x40000000UL
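Review bot: The new SPRN_MMCR2 value 785 sits between SPRN_MMCR1 written in decimal and SPRN_MMCRA written in hex, with nothing marking it as the privileged number. A trailing comment on the define stating that this is the privileged SPR, and that 769 was the other one, would keep a later reader from changing it back.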


* [PATCH 3.16 281/305] rds: fix an infoleak in rds_inc_info_copy
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (63 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 055/305] MIPS: Adjust set_pte() SMP fix to handle R10000_LLSC_WAR Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 246/305] Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address Ben Hutchings
                   ` (240 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Santosh Shilimkar, Kangjie Lu, Kangjie Lu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kangjie Lu <kangjielu@gmail.com>

commit 4116def2337991b39919f3b448326e21c40e0dbb upstream.

The last field "flags" of object "minfo" is not initialized.
Copying this object out may leak kernel stack data.
Assign 0 to it to avoid leak.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/rds/recv.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -543,5 +543,7 @@ void rds_inc_info_copy(struct rds_incomi
 		minfo.fport = inc->i_hdr.h_dport;
 	}
 
+	minfo.flags = 0;
+
 	rds_info_copy(iter, &minfo, sizeof(minfo));
 }
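Review bot: "minfo.flags = 0;" closes the one field the commit message names, but the object is still filled member by member, so any padding in it, or any field added later, would again reach rds_info_copy() uninitialized. Zeroing the whole object with memset(&minfo, 0, sizeof(minfo)) before the assignments, as the SNDRV_TIMER_IOCTL_PARAMS fix in this series does for tread, is more robust.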


* [PATCH 3.16 224/305] ALSA: dummy: Fix a use-after-free at closing
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (253 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 218/305] IB/mlx4: Fix memory leak if QP creation failed Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 078/305] ring-buffer: Prevent overflow of size in ring_buffer_resize() Ben Hutchings
                   ` (50 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dmitry Vyukov, Takashi Iwai

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit d5dbbe6569481bf12dcbe3e12cff72c5f78d272c upstream.

syzkaller fuzzer spotted a potential use-after-free case in snd-dummy
driver when hrtimer is used as backend:
> ==================================================================
> BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68
>  Read of size 8 by task syz-executor/8984
> =============================================================================
> BUG kmalloc-192 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
>
> Disabling lock debugging due to kernel taint
> INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446705582212484632
> ....
> [<      none      >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464
> ....
> INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1
> [<      none      >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481
> ....
> Call Trace:
>  [<ffffffff8179e59e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333
>  [<     inline     >] rb_set_parent include/linux/rbtree_augmented.h:111
>  [<     inline     >] __rb_erase_augmented include/linux/rbtree_augmented.h:218
>  [<ffffffff82ca5787>] rb_erase+0x1b17/0x2010 lib/rbtree.c:427
>  [<ffffffff82cb02e8>] timerqueue_del+0x78/0x170 lib/timerqueue.c:86
>  [<ffffffff814d0c80>] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903
>  [<     inline     >] remove_hrtimer kernel/time/hrtimer.c:945
>  [<ffffffff814d23da>] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046
>  [<ffffffff814d2742>] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066
>  [<ffffffff85420531>] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417
>  [<ffffffff854228bf>] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507
>  [<ffffffff85392170>] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106
>  [<ffffffff85391b26>] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956
>  [<ffffffff85391e01>] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974
>  [<     inline     >] snd_pcm_stop sound/core/pcm_native.c:1139
>  [<ffffffff8539754d>] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784
>  [<ffffffff8539d3be>] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805
>  [<ffffffff8539ee91>] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976
>  [<ffffffff8539f2ec>] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020
>  [<ffffffff853d9a44>] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693
>  [<ffffffff853da27d>] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483
>  .....

A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which
is called certainly before other blocking ops.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/drivers/dummy.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/drivers/dummy.c
+++ b/sound/drivers/dummy.c
@@ -422,6 +422,7 @@ static int dummy_hrtimer_stop(struct snd
 
 static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm)
 {
+	hrtimer_cancel(&dpcm->timer);
 	tasklet_kill(&dpcm->tasklet);
 }
 
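Review bot: The hrtimer_cancel() added to dummy_hrtimer_sync() has no comment, although the commit message calls it a workaround and the quoted trace shows dummy_hrtimer_stop() already calling hrtimer_cancel(). A comment saying why the timer has to be cancelled again here, and whether its position before tasklet_kill() matters, would stop it being removed later as redundant.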


* [PATCH 3.16 201/305] hwmon: (dell-smm) Restrict fan control and serial number to CAP_SYS_ADMIN by default
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (280 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 298/305] netfilter: arp_tables: simplify translate_compat_table args Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 233/305] iio:ad7266: Fix support for optional regulators Ben Hutchings
                   ` (23 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mario Limonciello, Guenter Roeck, Pali Rohár

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Pali Rohár <pali.rohar@gmail.com>

commit 7613663cc186f8f3c50279390ddc60286758001c upstream.

For security reasons an ordinary user must not be able to control fan speed
via /proc/i8k by default. Some malicious software running under "nobody"
user could be able to turn fan off and cause HW problems. So this patch
changes default value of "restricted" parameter to 1.

Also restrict reading of DMI_PRODUCT_SERIAL from /proc/i8k via "restricted"
parameter. It is because a non-root user cannot read DMI_PRODUCT_SERIAL from
sysfs file /sys/class/dmi/id/product_serial.

The old non-secure behaviour of file /proc/i8k can be achieved by loading this
module with "restricted" parameter set to 0.

Note that this patch has effects only for kernels compiled with CONFIG_I8K
and only for file /proc/i8k. Hwmon interface provided by this driver was
not changed and root access for setting fan speed was needed also before.

Reported-by: Mario Limonciello <Mario_Limonciello@dell.com>
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/i8k.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

--- a/drivers/char/i8k.c
+++ b/drivers/char/i8k.c
@@ -62,6 +62,7 @@
 
 static DEFINE_MUTEX(i8k_mutex);
 static char bios_version[4];
+static char bios_machineid[16];
 static struct device *i8k_hwmon_dev;
 static u32 i8k_hwmon_flags;
 static int i8k_fan_mult;
@@ -85,13 +86,13 @@ static bool ignore_dmi;
 module_param(ignore_dmi, bool, 0);
 MODULE_PARM_DESC(ignore_dmi, "Continue probing hardware even if DMI data does not match");
 
-static bool restricted;
+static bool restricted = true;
 module_param(restricted, bool, 0);
-MODULE_PARM_DESC(restricted, "Allow fan control if SYS_ADMIN capability set");
+MODULE_PARM_DESC(restricted, "Restrict fan control and serial number to CAP_SYS_ADMIN (default: 1)");
 
 static bool power_status;
 module_param(power_status, bool, 0600);
-MODULE_PARM_DESC(power_status, "Report power status in /proc/i8k");
+MODULE_PARM_DESC(power_status, "Report power status in /proc/i8k (default: 0)");
 
 static int fan_mult = I8K_FAN_MULT;
 module_param(fan_mult, int, 0);
@@ -350,9 +351,11 @@ i8k_ioctl_unlocked(struct file *fp, unsi
 		break;
 
 	case I8K_MACHINE_ID:
-		memset(buff, 0, 16);
-		strlcpy(buff, i8k_get_dmi_data(DMI_PRODUCT_SERIAL),
-			sizeof(buff));
+		if (restricted && !capable(CAP_SYS_ADMIN))
+			return -EPERM;
+
+		memset(buff, 0, sizeof(buff));
+		strlcpy(buff, bios_machineid, sizeof(buff));
 		break;
 
 	case I8K_FN_STATUS:
@@ -469,7 +472,7 @@ static int i8k_proc_show(struct seq_file
 	return seq_printf(seq, "%s %s %s %d %d %d %d %d %d %d\n",
 			  I8K_PROC_FMT,
 			  bios_version,
-			  i8k_get_dmi_data(DMI_PRODUCT_SERIAL),
+			  (restricted && !capable(CAP_SYS_ADMIN)) ? "-1" : bios_machineid,
 			  cpu_temp,
 			  left_fan, right_fan, left_speed, right_speed,
 			  ac_power, fn_key);
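Review bot: In i8k_proc_show() the capable(CAP_SYS_ADMIN) test runs at read time against whichever task calls read(), not against the task that opened /proc/i8k, so the result depends on who ends up reading from the descriptor. The usual convention is to decide from the opener's credentials so the outcome is fixed at open time; if the read-time check is intended, say so in a comment. The "-1" placeholder printed here also differs from the -EPERM returned by the I8K_MACHINE_ID ioctl, which deserves a line in the documentation.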
@@ -765,6 +768,8 @@ static int __init i8k_probe(void)
 
 	strlcpy(bios_version, i8k_get_dmi_data(DMI_BIOS_VERSION),
 		sizeof(bios_version));
+	strlcpy(bios_machineid, i8k_get_dmi_data(DMI_PRODUCT_SERIAL),
+		sizeof(bios_machineid));
 
 	/*
 	 * Get SMM Dell signature
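Review bot: bios_machineid is 16 bytes, so this strlcpy() silently truncates DMI_PRODUCT_SERIAL to 15 characters, and i8k_proc_show() now prints that copy where it used to print the full DMI string. The ioctl path was already limited by its buffer, but for /proc/i8k this is a visible change that the commit message does not mention.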


* [PATCH 3.16 053/305] MIPS: Don't unwind to user mode with EVA
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (218 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 023/305] PM / Runtime: Fix error path in pm_runtime_force_resume() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 238/305] USB: don't free bandwidth_mutex too early Ben Hutchings
                   ` (85 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, linux-mips, Leonid Yegoshin, James Hogan, Ralf Baechle

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit a816b306c62195b7c43c92cb13330821a96bdc27 upstream.

When unwinding through IRQs and exceptions, the unwinding only continues
if the PC is a kernel text address, however since EVA it is possible for
user and kernel address ranges to overlap, potentially allowing
unwinding to continue to user mode if the user PC happens to be in the
kernel text address range.

Adjust the check to also ensure that the register state from before the
exception is actually running in kernel mode, i.e. !user_mode(regs).

I don't believe any harm can come of this problem, since the PC is only
output, the stack pointer is checked to ensure it resides within the
task's stack page before it is dereferenced in search of the return
address, and the return address register is similarly only output (if
the PC is in a leaf function or the beginning of a non-leaf function).

However unwind_stack() is only meant for unwinding kernel code, so to be
correct the unwind should stop there.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/11700/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/process.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -489,7 +489,7 @@ unsigned long notrace unwind_stack_by_ad
 		    *sp + sizeof(*regs) <= stack_page + THREAD_SIZE - 32) {
 			regs = (struct pt_regs *)*sp;
 			pc = regs->cp0_epc;
-			if (__kernel_text_address(pc)) {
+			if (!user_mode(regs) && __kernel_text_address(pc)) {
 				*sp = regs->regs[29];
 				*ra = regs->regs[31];
 				return pc;
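Review bot: The reason for the added !user_mode(regs) is only in the commit message. To a reader not thinking about EVA, __kernel_text_address(pc) looks sufficient on its own, so a short comment above the condition saying that user and kernel address ranges can overlap would keep the check from being simplified away.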


* [PATCH 3.16 277/305] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (295 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 162/305] mfd: omap-usb-tll: Fix scheduling while atomic BUG Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 184/305] drm/radeon: fix asic initialization for virtualized environments Ben Hutchings
                   ` (8 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kangjie Lu, Takashi Iwai, Kangjie Lu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kangjie Lu <kangjielu@gmail.com>

commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e upstream.

The stack object “tread” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8 padding
bytes are sent to user without being initialized.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1750,6 +1750,7 @@ static int snd_timer_user_params(struct
 	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
 		if (tu->tread) {
 			struct snd_timer_tread tread;
+			memset(&tread, 0, sizeof(tread));
 			tread.event = SNDRV_TIMER_EVENT_EARLY;
 			tread.tstamp.tv_sec = 0;
 			tread.tstamp.tv_nsec = 0;
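Review bot: The memset() is placed directly after the declaration of tread with no blank line, which checkpatch reports as a missing blank line after declarations. With the whole struct zeroed, the following "tread.tstamp.tv_sec = 0;" and "tread.tstamp.tv_nsec = 0;" are redundant and could be dropped in the same change.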

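The two infoleak fixes in this series (the unassigned "flags" field in rds_inc_info_copy and the padding in the timer's tread) are the same class of bug. The following is an added example, not part of either patch: struct tread_like is a constructed stand-in with the layout the timer commit message describes, the 0xAA fill models whatever the stack slot held before, and the final memcpy() stands in for the copy to user space.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in: 4-byte field, 16-byte timestamp, 4-byte field. */
struct ts_like {
	int64_t tv_sec;
	int64_t tv_nsec;
};

struct tread_like {
	int32_t event;
	struct ts_like tstamp;
	uint32_t val;
};

#define STALE 0xAA	/* models old stack contents */

/*
 * Fill a "stack slot" the way the drivers did and count how many stale
 * bytes would be copied out with sizeof(struct tread_like).
 *   zero_first: memset the whole object first (the timer fix)
 *   assign_val: assign the last field (left out = the rds bug)
 */
size_t stale_bytes_copied_out(int zero_first, int assign_val)
{
	unsigned char slot[sizeof(struct tread_like)];
	unsigned char user[sizeof(struct tread_like)];
	int32_t event = 1;
	struct ts_like ts = { 0, 0 };
	uint32_t val = 0;
	size_t i, n = 0;

	memset(slot, STALE, sizeof(slot));
	if (zero_first)
		memset(slot, 0, sizeof(slot));

	/* Member-by-member stores touch only the members' own bytes. */
	memcpy(slot + offsetof(struct tread_like, event), &event, sizeof(event));
	memcpy(slot + offsetof(struct tread_like, tstamp), &ts, sizeof(ts));
	if (assign_val)
		memcpy(slot + offsetof(struct tread_like, val), &val, sizeof(val));

	/* The whole object, padding included, leaves the kernel. */
	memcpy(user, slot, sizeof(slot));

	for (i = 0; i < sizeof(user); i++)
		if (user[i] == STALE)
			n++;
	return n;
}

int main(void)
{
	printf("sizeof = %zu\n", sizeof(struct tread_like));
	printf("fields only:          %zu stale bytes\n",
	       stale_bytes_copied_out(0, 1));
	printf("fields, val skipped:  %zu stale bytes\n",
	       stale_bytes_copied_out(0, 0));
	printf("memset then fields:   %zu stale bytes\n",
	       stale_bytes_copied_out(1, 0));
	return 0;
}
```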

* [PATCH 3.16 078/305] ring-buffer: Prevent overflow of size in ring_buffer_resize()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (254 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 224/305] ALSA: dummy: Fix a use-after-free at closing Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 120/305] RDMA/cxgb3: device driver frees DMA memory with different size Ben Hutchings
                   ` (49 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steven Rostedt (Red Hat)

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 59643d1535eb220668692a5359de22545af579f6 upstream.

If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.

Here are the details:

  # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb

tracing_entries_write() processes this and converts kb to bytes.

 18014398509481980 << 10 = 18446744073709547520

and this is passed to ring_buffer_resize() as unsigned long size.

 size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

Where DIV_ROUND_UP(a, b) is (a + b - 1)/b

BUF_PAGE_SIZE is 4080 and here

 18446744073709547520 + 4080 - 1 = 18446744073709551599

where 18446744073709551599 is still smaller than 2^64

 2^64 - 18446744073709551599 = 17

But now 18446744073709551599 / 4080 = 4521260802379792

and size = size * 4080 = 18446744073709551360

This is checked to make sure it's still greater than 2 * 4080,
which it is.

Then we convert to the number of buffer pages needed.

 nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)

but this time size is 18446744073709551360 and

 2^64 - (18446744073709551360 + 4080 - 1) = -3823

Thus it overflows and the resulting number is less than 4080, which makes

  3823 / 4080 = 0

and nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.

There's no reason to have the two DIV_ROUND_UP() (that's just result of
historical code changes), clean up the code and fix this bug.

Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/ring_buffer.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -1694,14 +1694,13 @@ int ring_buffer_resize(struct ring_buffe
 	    !cpumask_test_cpu(cpu_id, buffer->cpumask))
 		return size;
 
-	size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
-	size *= BUF_PAGE_SIZE;
+	nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
 
 	/* we need a minimum of two pages */
-	if (size < BUF_PAGE_SIZE * 2)
-		size = BUF_PAGE_SIZE * 2;
+	if (nr_pages < 2)
+		nr_pages = 2;
 
-	nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
+	size = nr_pages * BUF_PAGE_SIZE;
 
 	/*
 	 * Don't succeed if resizing is disabled, as a reader might be
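Review bot: The remaining DIV_ROUND_UP(size, BUF_PAGE_SIZE) can still wrap: for a size within BUF_PAGE_SIZE - 1 of ULONG_MAX the addition inside the macro overflows, nr_pages comes out as 0 and is then raised to 2, so an enormous request is silently turned into the minimum buffer. That no longer slips past the minimum check, but returning an error for size > ULONG_MAX - BUF_PAGE_SIZE + 1 before the division would be clearer than relying on the clamp.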

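The arithmetic in the commit message above can be replayed in user space. This is an added example, not part of the patch: uint64_t stands in for the kernel's 64-bit unsigned long, the two functions mirror the removed and added lines of the hunk, and nr_pages_checked() is a hypothetical stricter variant that rejects sizes for which the macro's own addition would wrap.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Values and macro definition as given in the commit message. */
#define BUF_PAGE_SIZE		4080ULL
#define DIV_ROUND_UP(a, b)	(((a) + (b) - 1) / (b))

/* tracing_entries_write() converts KiB to bytes. */
uint64_t kb_to_bytes(uint64_t kb)
{
	return kb << 10;
}

/* Pre-patch order: round the byte count up, clamp it, divide again. */
uint64_t nr_pages_before(uint64_t size)
{
	size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
	size *= BUF_PAGE_SIZE;

	if (size < BUF_PAGE_SIZE * 2)
		size = BUF_PAGE_SIZE * 2;

	/* The second round-up is where the addition wraps past 2^64. */
	return DIV_ROUND_UP(size, BUF_PAGE_SIZE);
}

/* Post-patch order: one division, clamp on the page count. */
uint64_t nr_pages_after(uint64_t size)
{
	uint64_t nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

	if (nr_pages < 2)
		nr_pages = 2;
	return nr_pages;
}

/*
 * Hypothetical stricter variant (not in the patch): refuse sizes for
 * which size + BUF_PAGE_SIZE - 1 does not fit in 64 bits.
 */
int nr_pages_checked(uint64_t size, uint64_t *nr_pages)
{
	if (size > UINT64_MAX - (BUF_PAGE_SIZE - 1))
		return -1;
	*nr_pages = nr_pages_after(size);
	return 0;
}

int main(void)
{
	/* The buffer_size_kb value from the commit message. */
	uint64_t size = kb_to_bytes(18014398509481980ULL);
	uint64_t n = 0;

	printf("size in bytes      = %" PRIu64 "\n", size);
	printf("nr_pages, pre-fix  = %" PRIu64 "\n", nr_pages_before(size));
	printf("nr_pages, post-fix = %" PRIu64 "\n", nr_pages_after(size));

	/* Sizes this close to 2^64 still wrap inside the first division. */
	printf("post-fix, UINT64_MAX -> %" PRIu64 "\n",
	       nr_pages_after(UINT64_MAX));
	printf("checked,  UINT64_MAX -> %d\n",
	       nr_pages_checked(UINT64_MAX, &n));
	return 0;
}
```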

* [PATCH 3.16 173/305] USB: quirks: Fix entries on wrong list in 3.16.y
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (269 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 002/305] ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 021/305] Bluetooth: vhci: Fix race at creating hci device Ben Hutchings
                   ` (34 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

Commits ddbe1fca0bcb ("USB: Add device quirk for ASUS T100 Base
Station keyboard") and e5dff0e80463 ("USB: Add OTG PET device to TPL")
were wrongly backported to 3.16.y.  The original commits added to
usb_quirk_list but the backported versions added to
usb_interface_quirk_list.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -188,6 +188,14 @@ static const struct usb_device_id usb_qu
 	/* USB3503 */
 	{ USB_DEVICE(0x0424, 0x3503), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* ASUS Base Station(T100) */
+	{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
+			USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+
+	/* Protocol and OTG Electrical Test Device */
+	{ USB_DEVICE(0x1a0a, 0x0200), .driver_info =
+			USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+
 	/* Blackmagic Design Intensity Shuttle */
 	{ USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM },
 
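
Review bot: The commit message names the upstream commits but not the 3.16.y backports that put these two entries on usb_interface_quirk_list, and the mail carries no diffstat; adding the stable commit ids would let a reader check that nothing else from those backports landed on the wrong list. The insertion point itself looks right: 0x0b05 and 0x1a0a sit between 0x0424 and 0x1edb, so the device list stays in vendor-ID order.
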
@@ -202,14 +210,6 @@ static const struct usb_device_id usb_in
 	{ USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0),
 	  .driver_info = USB_QUIRK_RESET_RESUME },
 
-	/* ASUS Base Station(T100) */
-	{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
-			USB_QUIRK_IGNORE_REMOTE_WAKEUP },
-
-	/* Protocol and OTG Electrical Test Device */
-	{ USB_DEVICE(0x1a0a, 0x0200), .driver_info =
-			USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
-
 	{ }  /* terminating entry must be last */
 };
 


* [PATCH 3.16 214/305] IB/mlx5: Fix post send fence logic
From: Ben Hutchings @ 2016-08-13 17:42 UTC
  To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky, Eli Cohen, Doug Ledford

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eli Cohen <eli@mellanox.com>

commit c9b254955b9f8814966f5dabd34c39d0e0a2b437 upstream.

If the caller specified IB_SEND_FENCE in the send flags of the work
request and no previous work request stated that the successive one
should be fenced, the work request would be executed without a fence.
This could result in RDMA read or atomic operations failure due to a MR
being invalidated. Fix this by adding the mlx5 enumeration for fencing
RDMA/atomic operations and fix the logic to apply this.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Eli Cohen <eli@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx5/qp.c | 7 ++++---
 include/linux/mlx5/qp.h         | 1 +
 2 files changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -2419,10 +2419,11 @@ static u8 get_fence(u8 fence, struct ib_
 			return MLX5_FENCE_MODE_SMALL_AND_FENCE;
 		else
 			return fence;
-
-	} else {
-		return 0;
+	} else if (unlikely(wr->send_flags & IB_SEND_FENCE)) {
+		return MLX5_FENCE_MODE_FENCE;
 	}
+
+	return 0;
 }
 
 static int begin_wqe(struct mlx5_ib_qp *qp, void **seg,
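
Review bot: The final `return 0;` in get_fence() would read better as `return MLX5_FENCE_MODE_NONE;`, since the other literal returns use named modes and the header defines that constant as `0 << 5`. A one-line comment on the new `else if` branch, saying it covers a caller that sets IB_SEND_FENCE when no earlier work request asked for the next one to be fenced, would also keep the reasoning from the commit message next to the code.
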
--- a/include/linux/mlx5/qp.h
+++ b/include/linux/mlx5/qp.h
@@ -140,6 +140,7 @@ enum {
 enum {
 	MLX5_FENCE_MODE_NONE			= 0 << 5,
 	MLX5_FENCE_MODE_INITIATOR_SMALL		= 1 << 5,
+	MLX5_FENCE_MODE_FENCE			= 2 << 5,
 	MLX5_FENCE_MODE_STRONG_ORDERING		= 3 << 5,
 	MLX5_FENCE_MODE_SMALL_AND_FENCE		= 4 << 5,
 };


* [PATCH 3.16 149/305] IB/mlx5: Return PORT_ERR in Active to Initializing tranisition
From: Ben Hutchings @ 2016-08-13 17:42 UTC
  To: linux-kernel, stable; +Cc: akpm, Doug Ledford, Noa Osherovich, Leon Romanovsky

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Noa Osherovich <noaos@mellanox.com>

commit 2788cf3bd90af3791c3195c52391bcf34fa67b40 upstream.

FW port-change events are fired on Active <-> non Active port state
transitions only.
When the port state changes from Active to Initializing (Active ->
Down -> Initializing), a single event is fired.
The HCA transitions from Down to Initializing unless prevented from
doing so, hence the driver should also propagate events when the port
state is Initializing to consumers so they'll be aware that the port
is no longer Active and act accordingly.

Fixes: e126ba97dba9e ('mlx5: Add driver for Mellanox Connect-IB...')
Signed-off-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx5/main.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -1002,14 +1002,11 @@ static void mlx5_ib_event(struct mlx5_co
 		break;
 
 	case MLX5_DEV_EVENT_PORT_DOWN:
+	case MLX5_DEV_EVENT_PORT_INITIALIZED:
 		ibev.event = IB_EVENT_PORT_ERR;
 		port = *(u8 *)data;
 		break;
 
-	case MLX5_DEV_EVENT_PORT_INITIALIZED:
-		/* not used by ULPs */
-		return;
-
 	case MLX5_DEV_EVENT_LID_CHANGE:
 		ibev.event = IB_EVENT_LID_CHANGE;
 		port = *(u8 *)data;
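
Review bot: With `case MLX5_DEV_EVENT_PORT_INITIALIZED:` now sharing the PORT_DOWN body, `port = *(u8 *)data;` is executed for an event that previously returned before touching data; please confirm that data carries the port number for this event as it does for PORT_DOWN. Reporting IB_EVENT_PORT_ERR for an event named INITIALIZED is also surprising on first read, so a short comment above the case label with the reasoning from the commit message (a single firmware event covers Active -> Down -> Initializing) would be worth adding in place of the removed "not used by ULPs" remark.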


* [PATCH 3.16 075/305] MIPS: Fix race condition in lazy cache flushing.
From: Ben Hutchings @ 2016-08-13 17:42 UTC
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, Lars Persson, linux-mips, Lars Persson, paul.burton

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lars Persson <lars.persson@axis.com>

commit 4d46a67a3eb827ccf1125959936fd51ba318dabc upstream.

The lazy cache flushing implemented in the MIPS kernel suffers from a
race condition that is exposed by do_set_pte() in mm/memory.c.

A pre-condition is a file-system that writes to the page from the CPU
in its readpage method and then calls flush_dcache_page(). One example
is ubifs. Another pre-condition is that the dcache flush is postponed
in __flush_dcache_page().

Upon a page fault for an executable mapping not existing in the
page-cache, the following will happen:
1. Write to the page
2. flush_dcache_page
3. flush_icache_page
4. set_pte_at
5. update_mmu_cache (commits the flush of a dcache-dirty page)

Between steps 4 and 5 another thread can hit the same page and it will
encounter a valid pte. Because the data still is in the L1 dcache the CPU
will fetch stale data from L2 into the icache and execute garbage.

This fix moves the commit of the cache flush to step 3 to close the
race window. It also reduces the amount of flushes on non-executable
mappings because we never enter __flush_dcache_page() for non-aliasing
CPUs.

Regressions can occur in drivers that mistakenly rely on the
flush_dcache_page() in get_user_pages() for DMA operations.

[ralf@linux-mips.org: Folded in patch 9346 to fix highmem issue.]

Signed-off-by: Lars Persson <larper@axis.com>
Cc: linux-mips@linux-mips.org
Cc: paul.burton@imgtec.com
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/9346/
Patchwork: https://patchwork.linux-mips.org/patch/9738/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/cacheflush.h | 38 +++++++++++++++++++++++---------------
 arch/mips/mm/cache.c               | 12 ++++++++++++
 2 files changed, 35 insertions(+), 15 deletions(-)

--- a/arch/mips/include/asm/cacheflush.h
+++ b/arch/mips/include/asm/cacheflush.h
@@ -29,6 +29,20 @@
  *  - flush_icache_all() flush the entire instruction cache
  *  - flush_data_cache_page() flushes a page from the data cache
  */
+
+ /*
+ * This flag is used to indicate that the page pointed to by a pte
+ * is dirty and requires cleaning before returning it to the user.
+ */
+#define PG_dcache_dirty			PG_arch_1
+
+#define Page_dcache_dirty(page)		\
+	test_bit(PG_dcache_dirty, &(page)->flags)
+#define SetPageDcacheDirty(page)	\
+	set_bit(PG_dcache_dirty, &(page)->flags)
+#define ClearPageDcacheDirty(page)	\
+	clear_bit(PG_dcache_dirty, &(page)->flags)
+
 extern void (*flush_cache_all)(void);
 extern void (*__flush_cache_all)(void);
 extern void (*flush_cache_mm)(struct mm_struct *mm);
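
Review bot: The relocated comment above PG_dcache_dirty opens with ` /*` (one leading space) while its continuation lines keep the usual ` * ` form, so the block is misaligned after the move; drop the stray space so the opener starts in column one like the other comments in this header.
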
@@ -37,13 +51,15 @@ extern void (*flush_cache_range)(struct
 	unsigned long start, unsigned long end);
 extern void (*flush_cache_page)(struct vm_area_struct *vma, unsigned long page, unsigned long pfn);
 extern void __flush_dcache_page(struct page *page);
+extern void __flush_icache_page(struct vm_area_struct *vma, struct page *page);
 
 #define ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE 1
 static inline void flush_dcache_page(struct page *page)
 {
-	if (cpu_has_dc_aliases || !cpu_has_ic_fills_f_dc)
+	if (cpu_has_dc_aliases)
 		__flush_dcache_page(page);
-
+	else if (!cpu_has_ic_fills_f_dc)
+		SetPageDcacheDirty(page);
 }
 
 #define flush_dcache_mmap_lock(mapping)		do { } while (0)
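
Review bot: flush_dcache_page() no longer writes anything back on non-aliasing CPUs without cpu_has_ic_fills_f_dc; it only calls SetPageDcacheDirty(), and nothing in the function says so. The commit message already warns that drivers relying on this call for DMA can regress, so that contract belongs in a comment above the function, where driver authors will see it, and not only in the changelog.
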
@@ -61,6 +77,11 @@ static inline void flush_anon_page(struc
 static inline void flush_icache_page(struct vm_area_struct *vma,
 	struct page *page)
 {
+	if (!cpu_has_ic_fills_f_dc && (vma->vm_flags & VM_EXEC) &&
+	    Page_dcache_dirty(page)) {
+		__flush_icache_page(vma, page);
+		ClearPageDcacheDirty(page);
+	}
 }
 
 extern void (*flush_icache_range)(unsigned long start, unsigned long end);
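
Review bot: In flush_icache_page() the sequence Page_dcache_dirty(), __flush_icache_page(), ClearPageDcacheDirty() is a separate test, flush and clear, so a SetPageDcacheDirty() from a concurrent writer that lands between the flush and the clear is lost without a writeback. Since this patch exists to close a race, please state which lock makes that window unreachable, or clear the bit before flushing (a test-and-clear) so that a late setter is not overwritten.
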
@@ -95,19 +116,6 @@ extern void (*flush_icache_all)(void);
 extern void (*local_flush_data_cache_page)(void * addr);
 extern void (*flush_data_cache_page)(unsigned long addr);
 
-/*
- * This flag is used to indicate that the page pointed to by a pte
- * is dirty and requires cleaning before returning it to the user.
- */
-#define PG_dcache_dirty			PG_arch_1
-
-#define Page_dcache_dirty(page)		\
-	test_bit(PG_dcache_dirty, &(page)->flags)
-#define SetPageDcacheDirty(page)	\
-	set_bit(PG_dcache_dirty, &(page)->flags)
-#define ClearPageDcacheDirty(page)	\
-	clear_bit(PG_dcache_dirty, &(page)->flags)
-
 /* Run kernel code uncached, useful for cache probing functions. */
 unsigned long run_uncached(void *func);
 
--- a/arch/mips/mm/cache.c
+++ b/arch/mips/mm/cache.c
@@ -119,6 +119,18 @@ void __flush_anon_page(struct page *page
 
 EXPORT_SYMBOL(__flush_anon_page);
 
+void __flush_icache_page(struct vm_area_struct *vma, struct page *page)
+{
+	unsigned long addr;
+
+	if (PageHighMem(page))
+		return;
+
+	addr = (unsigned long) page_address(page);
+	flush_data_cache_page(addr);
+}
+EXPORT_SYMBOL_GPL(__flush_icache_page);
+
 void __update_cache(struct vm_area_struct *vma, unsigned long address,
 	pte_t pte)
 {
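
Review bot: __flush_icache_page() returns early for PageHighMem() pages, but its caller in flush_icache_page() runs ClearPageDcacheDirty() unconditionally afterwards, so a dirty highmem page behind an executable mapping loses its dirty mark without being written back. Either leave the bit set when the flush is skipped (return a status the caller can test) or map the page and flush it. The name is also misleading, since the body only calls flush_data_cache_page(); a comment saying that it writes back the dcache so that the icache refills with current data would help.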


* [PATCH 3.16 284/305] s390/sclp_ctl: fix potential information leak with /dev/sclp
From: Ben Hutchings @ 2016-08-13 17:42 UTC
  To: linux-kernel, stable
  Cc: akpm, Michael Holzheu, Martin Schwidefsky, Pengfei Wang

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky <schwidefsky@de.ibm.com>

commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream.

The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
retrieve the sclp request from user space. The first copy_from_user
fetches the length of the request which is stored in the first two
bytes of the request. The second copy_from_user gets the complete
sclp request, but this copies the length field a second time.
A malicious user may have changed the length in the meantime.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/char/sclp_ctl.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/drivers/s390/char/sclp_ctl.c
+++ b/drivers/s390/char/sclp_ctl.c
@@ -56,6 +56,7 @@ static int sclp_ctl_ioctl_sccb(void __us
 {
 	struct sclp_ctl_sccb ctl_sccb;
 	struct sccb_header *sccb;
+	unsigned long copied;
 	int rc;
 
 	if (copy_from_user(&ctl_sccb, user_area, sizeof(ctl_sccb)))
@@ -65,14 +66,15 @@ static int sclp_ctl_ioctl_sccb(void __us
 	sccb = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
 	if (!sccb)
 		return -ENOMEM;
-	if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sizeof(*sccb))) {
+	copied = PAGE_SIZE -
+		copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), PAGE_SIZE);
+	if (offsetof(struct sccb_header, length) +
+	    sizeof(sccb->length) > copied || sccb->length > copied) {
 		rc = -EFAULT;
 		goto out_free;
 	}
-	if (sccb->length > PAGE_SIZE || sccb->length < 8)
-		return -EINVAL;
-	if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sccb->length)) {
-		rc = -EFAULT;
+	if (sccb->length < 8) {
+		rc = -EINVAL;
 		goto out_free;
 	}
 	rc = sclp_sync_request(ctl_sccb.cmdw, sccb);
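
Review bot: A request whose length field exceeds PAGE_SIZE is now rejected by `sccb->length > copied` with -EFAULT, where the removed check returned -EINVAL; if user space distinguishes the two, keep -EINVAL for the oversize case by testing it separately. The changelog should also mention that the removed `return -EINVAL;` skipped out_free and leaked the page, which this hunk fixes as a side effect, and a comment on the single PAGE_SIZE copy would stop someone reintroducing a second fetch later.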

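The double fetch described in the commit message above, as an added userspace simulation that is not part of the patch or of the kernel sources. The simulated user memory, the racing writer, the constants and all function names are constructed for illustration; `fetch()` only mimics the return convention of copy_from_user().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SZ 4096u	/* stand-in for PAGE_SIZE */
#define HDR_SZ  8u	/* stand-in for sizeof(struct sccb_header) */
#define MIN_LEN 8u	/* minimum request length, as in the patch */
#define E_FAULT (-14)
#define E_INVAL (-22)

/* Simulated user memory. after_fetch models a second thread that gets
 * to run between two kernel fetches of the same address. */
struct user_mem {
	uint8_t *base;
	size_t mapped;		/* readable bytes at base */
	int fetches;
	void (*after_fetch)(struct user_mem *um);
};

/* The length lives in the first two bytes of the request. */
static uint16_t get_len(const uint8_t *p) { uint16_t v; memcpy(&v, p, sizeof(v)); return v; }
static void put_len(uint8_t *p, uint16_t v) { memcpy(p, &v, sizeof(v)); }

/* Like copy_from_user(): returns the number of bytes NOT copied. */
static size_t fetch(uint8_t *dst, struct user_mem *um, size_t n)
{
	size_t ok = n < um->mapped ? n : um->mapped;

	memcpy(dst, um->base, ok);
	um->fetches++;
	if (um->after_fetch)
		um->after_fetch(um);
	return n - ok;
}

/* "Before" shape: validate the length from fetch 1, then fetch the whole
 * request again, which overwrites the validated length field. */
static int parse_double_fetch(struct user_mem *um, uint8_t *page)
{
	if (fetch(page, um, HDR_SZ))
		return E_FAULT;
	if (get_len(page) > PAGE_SZ || get_len(page) < MIN_LEN)
		return E_INVAL;
	if (fetch(page, um, get_len(page)))
		return E_FAULT;
	return get_len(page);	/* the value later code will trust */
}

/* "After" shape: one fetch of up to a page, then validate the kernel copy. */
static int parse_single_fetch(struct user_mem *um, uint8_t *page)
{
	size_t copied = PAGE_SZ - fetch(page, um, PAGE_SZ);

	if (copied < sizeof(uint16_t) || get_len(page) > copied)
		return E_FAULT;
	if (get_len(page) < MIN_LEN)
		return E_INVAL;
	return get_len(page);
}

/* Racing writer: rewrites the length right after the first fetch. */
static void racer(struct user_mem *um)
{
	if (um->fetches == 1)
		put_len(um->base, 0xFFFF);
}

/* Constructed scenario: 16-byte request in a fully mapped page, racer active. */
static int run_race(int hardened)
{
	static uint8_t user_buf[PAGE_SZ], kpage[PAGE_SZ];
	struct user_mem um = { user_buf, sizeof(user_buf), 0, racer };

	memset(user_buf, 0, sizeof(user_buf));
	memset(kpage, 0, sizeof(kpage));
	put_len(user_buf, 16);
	return hardened ? parse_single_fetch(&um, kpage)
			: parse_double_fetch(&um, kpage);
}

/* Constructed scenario: no race, but only `mapped` bytes are readable. */
static int run_partial(uint16_t len, size_t mapped)
{
	static uint8_t user_buf[PAGE_SZ], kpage[PAGE_SZ];
	struct user_mem um = { user_buf, mapped, 0, NULL };

	memset(kpage, 0, sizeof(kpage));
	put_len(user_buf, len);
	return parse_single_fetch(&um, kpage);
}

int main(void)
{
	printf("double fetch ends up trusting length %d\n", run_race(0));
	printf("single fetch ends up trusting length %d\n", run_race(1));
	printf("length 64 with 32 readable bytes -> %d\n", run_partial(64, 32));
	return 0;
}
```

With the racer active, the double-fetch parser returns a length that never passed its own range check, while the single-fetch parser only ever sees the bytes it validated.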

* [PATCH 3.16 234/305] iio:ad7266: Fix probe deferral for vref
From: Ben Hutchings @ 2016-08-13 17:42 UTC
  To: linux-kernel, stable; +Cc: akpm, Jonathan Cameron, Mark Brown

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@kernel.org>

commit 68b356eb3d9f5e38910fb62e22a78e2a18d544ae upstream.

Currently the ad7266 driver treats any failure to get vref as though the
regulator were not present but this means that if probe deferral is
triggered the driver will act as though the regulator were not present.
Instead only use the internal reference if we explicitly got -ENODEV which
is what is returned for absent regulators.

Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/adc/ad7266.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/iio/adc/ad7266.c
+++ b/drivers/iio/adc/ad7266.c
@@ -408,6 +408,9 @@ static int ad7266_probe(struct spi_devic
 
 		st->vref_mv = ret / 1000;
 	} else {
+		/* Any other error indicates that the regulator does exist */
+		if (PTR_ERR(st->reg) != -ENODEV)
+			return PTR_ERR(st->reg);
 		/* Use internal reference */
 		st->vref_mv = 2500;
 	}
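
Review bot: The new `return PTR_ERR(st->reg);` leaves ad7266_probe() directly instead of going through an error label; that is only safe if everything acquired before this point is device-managed, which the hunk does not show, so please confirm. A blank line between the return and the `/* Use internal reference */` comment would also make it clear that the comment belongs to the fallback assignment only.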


* [PATCH 3.16 151/305] IB/IPoIB: Don't update neigh validity for unresolved entries
From: Ben Hutchings @ 2016-08-13 17:42 UTC
  To: linux-kernel, stable; +Cc: akpm, Doug Ledford, Erez Shitrit, Leon Romanovsky

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Erez Shitrit <erezsh@mellanox.com>

commit 61c78eea9516a921799c17b4c20558e2aa780fd3 upstream.

ipoib_neigh_get unconditionally updates the "alive" variable member on
any packet send.  This prevents the neighbor garbage collection from
cleaning out a dead neighbor entry if we are still queueing packets
for it.  If the queue for this neighbor is full, then don't update the
alive timestamp.  That way the neighbor can time out even if packets
are still being queued as long as none of them are being sent.

Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup in xmit path")
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib_main.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -884,7 +884,9 @@ struct ipoib_neigh *ipoib_neigh_get(stru
 				neigh = NULL;
 				goto out_unlock;
 			}
-			neigh->alive = jiffies;
+
+			if (likely(skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE))
+				neigh->alive = jiffies;
 			goto out_unlock;
 		}
 	}
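
Review bot: The condition `if (likely(skb_queue_len(&neigh->queue) < IPOIB_MAX_PATH_REC_QUEUE))` runs well past 80 columns and carries no comment, so the reason a full queue suppresses the `neigh->alive` update exists only in the changelog. A short comment (a full queue means nothing is being sent, so let the entry age out) and a wrapped condition would fix both.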


* [PATCH 3.16 278/305] ALSA: timer: Fix leak in events via snd_timer_user_ccallback
From: Ben Hutchings @ 2016-08-13 17:42 UTC
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Kangjie Lu, Kangjie Lu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kangjie Lu <kangjielu@gmail.com>

commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 upstream.

The stack object “r1” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to user without being initialized.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1251,6 +1251,7 @@ static void snd_timer_user_ccallback(str
 		tu->tstamp = *tstamp;
 	if ((tu->filter & (1 << event)) == 0 || !tu->tread)
 		return;
+	memset(&r1, 0, sizeof(r1));
 	r1.event = event;
 	r1.tstamp = *tstamp;
 	r1.val = resolution;
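
Review bot: The added `memset(&r1, 0, sizeof(r1));` should carry a comment saying it is there to clear the padding in r1 before the structure goes to user space. Without one the call looks redundant next to the three member assignments that follow, and a later cleanup that swaps it for an initializer would not be guaranteed to zero the padding.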

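The padding leak described in the commit message above, as an added userspace demonstration that is not code from the patch or the kernel. The struct is an assumed stand-in with the layout the message describes, all names are constructed, and the 0xA5 fill stands for whatever earlier stack use left behind.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xA5	/* constructed marker for leftover stack contents */

/* Assumed stand-in layout (not the kernel's definition): on LP64 this is
 * 4 + 4 pad + 16 + 4 + 4 pad = 32 bytes, as the commit message describes. */
struct ts_like { int64_t sec; int64_t nsec; };
struct tread_like {
	int32_t event;
	struct ts_like tstamp;
	uint32_t val;
};

/* Lets the test look at the object exactly as a byte-wise copy would. */
union slot {
	struct tread_like r;
	unsigned char raw[sizeof(struct tread_like)];
};

/* Bytes of the object that belong to no member. */
static size_t padding_bytes(void)
{
	return sizeof(struct tread_like) - sizeof(int32_t)
		- sizeof(struct ts_like) - sizeof(uint32_t);
}

/* Fill the record member by member, optionally zeroing it first, and
 * return how many stale bytes a copy of the whole object would expose. */
static size_t stale_bytes_after_fill(int zero_first)
{
	union slot s;
	/* volatile: the compiler must perform exactly these member-sized stores */
	volatile struct tread_like *r = &s.r;
	size_t i, stale = 0;

	memset(s.raw, STALE, sizeof(s.raw));	/* earlier stack contents */
	if (zero_first)
		memset(&s.r, 0, sizeof(s.r));	/* the one-line fix */
	r->event = 3;
	r->tstamp.sec = 1;
	r->tstamp.nsec = 2;
	r->val = 4;

	for (i = 0; i < sizeof(s.raw); i++)
		stale += (s.raw[i] == STALE);
	return stale;
}

int main(void)
{
	printf("object size %zu, padding %zu\n",
	       sizeof(struct tread_like), padding_bytes());
	printf("stale bytes without memset: %zu\n", stale_bytes_after_fill(0));
	printf("stale bytes with memset:    %zu\n", stale_bytes_after_fill(1));
	return 0;
}
```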

* [PATCH 3.16 108/305] Input: uinput - handle compat ioctl for UI_SET_PHYS
From: Ben Hutchings @ 2016-08-13 17:42 UTC
  To: linux-kernel, stable; +Cc: akpm, Ricky Liang, Dmitry Torokhov

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ricky Liang <jcliang@chromium.org>

commit affa80bd97f7ca282d1faa91667b3ee9e4c590e6 upstream.

When running a 32-bit userspace on a 64-bit kernel, the UI_SET_PHYS
ioctl needs to be treated with special care, as it has the pointer
size encoded in the command.

Signed-off-by: Ricky Liang <jcliang@chromium.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/misc/uinput.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -886,9 +886,15 @@ static long uinput_ioctl(struct file *fi
 }
 
 #ifdef CONFIG_COMPAT
+
+#define UI_SET_PHYS_COMPAT	_IOW(UINPUT_IOCTL_BASE, 108, compat_uptr_t)
+
 static long uinput_compat_ioctl(struct file *file,
 				unsigned int cmd, unsigned long arg)
 {
+	if (cmd == UI_SET_PHYS_COMPAT)
+		cmd = UI_SET_PHYS;
+
 	return uinput_ioctl_handler(file, cmd, arg, compat_ptr(arg));
 }
 #endif
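
Review bot: UI_SET_PHYS_COMPAT hard-codes the ioctl number 108, which has to stay equal to the number used by UI_SET_PHYS for the `cmd == UI_SET_PHYS_COMPAT` rewrite to be correct. Deriving it, for example with _IOC_NR(UI_SET_PHYS), or at least adding a comment that ties the two definitions together, would keep them from drifting apart.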


* [PATCH 3.16 282/305] KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures
From: Ben Hutchings @ 2016-08-13 17:42 UTC
  To: linux-kernel, stable; +Cc: akpm, Paul Mackerras

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Mackerras <paulus@ozlabs.org>

commit f024ee098476a3e620232e4a78cfac505f121245 upstream.

This moves the transactional memory state save and restore sequences
out of the guest entry/exit paths into separate procedures.  This is
so that these sequences can be used in going into and out of nap
in a subsequent patch.

The only code changes here are (a) saving and restoring LR on the
stack, since these new procedures get called with a bl instruction,
(b) explicitly saving r1 into the PACA instead of assuming that
HSTATE_HOST_R1(r13) is already set, and (c) removing an unnecessary
and redundant setting of MSR[TM] that should have been removed by
commit 9d4d0bdd9e0a ("KVM: PPC: Book3S HV: Add transactional memory
support", 2013-09-24) but wasn't.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
[bwh: Backported to 3.16: include dots in subroutine names]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kvm/book3s_hv_rmhandlers.S | 449 +++++++++++++++++---------------
 1 file changed, 237 insertions(+), 212 deletions(-)

--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -628,112 +628,8 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S)
 
 #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
 BEGIN_FTR_SECTION
-	b	skip_tm
-END_FTR_SECTION_IFCLR(CPU_FTR_TM)
-
-	/* Turn on TM/FP/VSX/VMX so we can restore them. */
-	mfmsr	r5
-	li	r6, MSR_TM >> 32
-	sldi	r6, r6, 32
-	or	r5, r5, r6
-	ori	r5, r5, MSR_FP
-	oris	r5, r5, (MSR_VEC | MSR_VSX)@h
-	mtmsrd	r5
-
-	/*
-	 * The user may change these outside of a transaction, so they must
-	 * always be context switched.
-	 */
-	ld	r5, VCPU_TFHAR(r4)
-	ld	r6, VCPU_TFIAR(r4)
-	ld	r7, VCPU_TEXASR(r4)
-	mtspr	SPRN_TFHAR, r5
-	mtspr	SPRN_TFIAR, r6
-	mtspr	SPRN_TEXASR, r7
-
-	ld	r5, VCPU_MSR(r4)
-	rldicl. r5, r5, 64 - MSR_TS_S_LG, 62
-	beq	skip_tm	/* TM not active in guest */
-
-	/* Make sure the failure summary is set, otherwise we'll program check
-	 * when we trechkpt.  It's possible that this might have been not set
-	 * on a kvmppc_set_one_reg() call but we shouldn't let this crash the
-	 * host.
-	 */
-	oris	r7, r7, (TEXASR_FS)@h
-	mtspr	SPRN_TEXASR, r7
-
-	/*
-	 * We need to load up the checkpointed state for the guest.
-	 * We need to do this early as it will blow away any GPRs, VSRs and
-	 * some SPRs.
-	 */
-
-	mr	r31, r4
-	addi	r3, r31, VCPU_FPRS_TM
-	bl	.load_fp_state
-	addi	r3, r31, VCPU_VRS_TM
-	bl	.load_vr_state
-	mr	r4, r31
-	lwz	r7, VCPU_VRSAVE_TM(r4)
-	mtspr	SPRN_VRSAVE, r7
-
-	ld	r5, VCPU_LR_TM(r4)
-	lwz	r6, VCPU_CR_TM(r4)
-	ld	r7, VCPU_CTR_TM(r4)
-	ld	r8, VCPU_AMR_TM(r4)
-	ld	r9, VCPU_TAR_TM(r4)
-	mtlr	r5
-	mtcr	r6
-	mtctr	r7
-	mtspr	SPRN_AMR, r8
-	mtspr	SPRN_TAR, r9
-
-	/*
-	 * Load up PPR and DSCR values but don't put them in the actual SPRs
-	 * till the last moment to avoid running with userspace PPR and DSCR for
-	 * too long.
-	 */
-	ld	r29, VCPU_DSCR_TM(r4)
-	ld	r30, VCPU_PPR_TM(r4)
-
-	std	r2, PACATMSCRATCH(r13) /* Save TOC */
-
-	/* Clear the MSR RI since r1, r13 are all going to be foobar. */
-	li	r5, 0
-	mtmsrd	r5, 1
-
-	/* Load GPRs r0-r28 */
-	reg = 0
-	.rept	29
-	ld	reg, VCPU_GPRS_TM(reg)(r31)
-	reg = reg + 1
-	.endr
-
-	mtspr	SPRN_DSCR, r29
-	mtspr	SPRN_PPR, r30
-
-	/* Load final GPRs */
-	ld	29, VCPU_GPRS_TM(29)(r31)
-	ld	30, VCPU_GPRS_TM(30)(r31)
-	ld	31, VCPU_GPRS_TM(31)(r31)
-
-	/* TM checkpointed state is now setup.  All GPRs are now volatile. */
-	TRECHKPT
-
-	/* Now let's get back the state we need. */
-	HMT_MEDIUM
-	GET_PACA(r13)
-	ld	r29, HSTATE_DSCR(r13)
-	mtspr	SPRN_DSCR, r29
-	ld	r4, HSTATE_KVM_VCPU(r13)
-	ld	r1, HSTATE_HOST_R1(r13)
-	ld	r2, PACATMSCRATCH(r13)
-
-	/* Set the MSR RI since we have our registers back. */
-	li	r5, MSR_RI
-	mtmsrd	r5, 1
-skip_tm:
+	bl	kvmppc_restore_tm
+END_FTR_SECTION_IFSET(CPU_FTR_TM)
 #endif
 
 	/* Load guest PMU registers */
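
Review bot: The `bl kvmppc_restore_tm` call site depends on a register contract that is documented only at the callee: r4 must hold the vcpu pointer and r1 must be a valid host stack pointer, because the routine stores LR at PPC_LR_STKOFF(r1) and saves r1 to HSTATE_HOST_R1(r13). A one-line comment at the call listing what must be live on entry and what is clobbered would make this safer to reuse from the nap path the commit message mentions.
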
@@ -824,12 +720,6 @@ BEGIN_FTR_SECTION
 	/* Skip next section on POWER7 or PPC970 */
 	b	8f
 END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_207S)
-	/* Turn on TM so we can access TFHAR/TFIAR/TEXASR */
-	mfmsr	r8
-	li	r0, 1
-	rldimi	r8, r0, MSR_TM_LG, 63-MSR_TM_LG
-	mtmsrd	r8
-
 	/* Load up POWER8-specific registers */
 	ld	r5, VCPU_IAMR(r4)
 	lwz	r6, VCPU_PSPB(r4)
@@ -1350,106 +1240,8 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_206)
 
 #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
 BEGIN_FTR_SECTION
-	b	2f
-END_FTR_SECTION_IFCLR(CPU_FTR_TM)
-	/* Turn on TM. */
-	mfmsr	r8
-	li	r0, 1
-	rldimi	r8, r0, MSR_TM_LG, 63-MSR_TM_LG
-	mtmsrd	r8
-
-	ld	r5, VCPU_MSR(r9)
-	rldicl. r5, r5, 64 - MSR_TS_S_LG, 62
-	beq	1f	/* TM not active in guest. */
-
-	li	r3, TM_CAUSE_KVM_RESCHED
-
-	/* Clear the MSR RI since r1, r13 are all going to be foobar. */
-	li	r5, 0
-	mtmsrd	r5, 1
-
-	/* All GPRs are volatile at this point. */
-	TRECLAIM(R3)
-
-	/* Temporarily store r13 and r9 so we have some regs to play with */
-	SET_SCRATCH0(r13)
-	GET_PACA(r13)
-	std	r9, PACATMSCRATCH(r13)
-	ld	r9, HSTATE_KVM_VCPU(r13)
-
-	/* Get a few more GPRs free. */
-	std	r29, VCPU_GPRS_TM(29)(r9)
-	std	r30, VCPU_GPRS_TM(30)(r9)
-	std	r31, VCPU_GPRS_TM(31)(r9)
-
-	/* Save away PPR and DSCR soon so don't run with user values. */
-	mfspr	r31, SPRN_PPR
-	HMT_MEDIUM
-	mfspr	r30, SPRN_DSCR
-	ld	r29, HSTATE_DSCR(r13)
-	mtspr	SPRN_DSCR, r29
-
-	/* Save all but r9, r13 & r29-r31 */
-	reg = 0
-	.rept	29
-	.if (reg != 9) && (reg != 13)
-	std	reg, VCPU_GPRS_TM(reg)(r9)
-	.endif
-	reg = reg + 1
-	.endr
-	/* ... now save r13 */
-	GET_SCRATCH0(r4)
-	std	r4, VCPU_GPRS_TM(13)(r9)
-	/* ... and save r9 */
-	ld	r4, PACATMSCRATCH(r13)
-	std	r4, VCPU_GPRS_TM(9)(r9)
-
-	/* Reload stack pointer and TOC. */
-	ld	r1, HSTATE_HOST_R1(r13)
-	ld	r2, PACATOC(r13)
-
-	/* Set MSR RI now we have r1 and r13 back. */
-	li	r5, MSR_RI
-	mtmsrd	r5, 1
-
-	/* Save away checkpinted SPRs. */
-	std	r31, VCPU_PPR_TM(r9)
-	std	r30, VCPU_DSCR_TM(r9)
-	mflr	r5
-	mfcr	r6
-	mfctr	r7
-	mfspr	r8, SPRN_AMR
-	mfspr	r10, SPRN_TAR
-	std	r5, VCPU_LR_TM(r9)
-	stw	r6, VCPU_CR_TM(r9)
-	std	r7, VCPU_CTR_TM(r9)
-	std	r8, VCPU_AMR_TM(r9)
-	std	r10, VCPU_TAR_TM(r9)
-
-	/* Restore r12 as trap number. */
-	lwz	r12, VCPU_TRAP(r9)
-
-	/* Save FP/VSX. */
-	addi	r3, r9, VCPU_FPRS_TM
-	bl	.store_fp_state
-	addi	r3, r9, VCPU_VRS_TM
-	bl	.store_vr_state
-	mfspr	r6, SPRN_VRSAVE
-	stw	r6, VCPU_VRSAVE_TM(r9)
-1:
-	/*
-	 * We need to save these SPRs after the treclaim so that the software
-	 * error code is recorded correctly in the TEXASR.  Also the user may
-	 * change these outside of a transaction, so they must always be
-	 * context switched.
-	 */
-	mfspr	r5, SPRN_TFHAR
-	mfspr	r6, SPRN_TFIAR
-	mfspr	r7, SPRN_TEXASR
-	std	r5, VCPU_TFHAR(r9)
-	std	r6, VCPU_TFIAR(r9)
-	std	r7, VCPU_TEXASR(r9)
-2:
+	bl	kvmppc_save_tm
+END_FTR_SECTION_IFSET(CPU_FTR_TM)
 #endif
 
 	/* Increment yield count if they have a VPA */
@@ -2471,6 +2263,239 @@ END_FTR_SECTION_IFSET(CPU_FTR_ALTIVEC)
 	mr	r4,r31
 	blr
 
+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+/*
+ * Save transactional state and TM-related registers.
+ * Called with r9 pointing to the vcpu struct.
+ * This can modify all checkpointed registers, but
+ * restores r1, r2 and r9 (vcpu pointer) before exit.
+ */
+kvmppc_save_tm:
+	mflr	r0
+	std	r0, PPC_LR_STKOFF(r1)
+
+	/* Turn on TM. */
+	mfmsr	r8
+	li	r0, 1
+	rldimi	r8, r0, MSR_TM_LG, 63-MSR_TM_LG
+	mtmsrd	r8
+
+	ld	r5, VCPU_MSR(r9)
+	rldicl. r5, r5, 64 - MSR_TS_S_LG, 62
+	beq	1f	/* TM not active in guest. */
+
+	std	r1, HSTATE_HOST_R1(r13)
+	li	r3, TM_CAUSE_KVM_RESCHED
+
+	/* Clear the MSR RI since r1, r13 are all going to be foobar. */
+	li	r5, 0
+	mtmsrd	r5, 1
+
+	/* All GPRs are volatile at this point. */
+	TRECLAIM(R3)
+
+	/* Temporarily store r13 and r9 so we have some regs to play with */
+	SET_SCRATCH0(r13)
+	GET_PACA(r13)
+	std	r9, PACATMSCRATCH(r13)
+	ld	r9, HSTATE_KVM_VCPU(r13)
+
+	/* Get a few more GPRs free. */
+	std	r29, VCPU_GPRS_TM(29)(r9)
+	std	r30, VCPU_GPRS_TM(30)(r9)
+	std	r31, VCPU_GPRS_TM(31)(r9)
+
+	/* Save away PPR and DSCR soon so don't run with user values. */
+	mfspr	r31, SPRN_PPR
+	HMT_MEDIUM
+	mfspr	r30, SPRN_DSCR
+	ld	r29, HSTATE_DSCR(r13)
+	mtspr	SPRN_DSCR, r29
+
+	/* Save all but r9, r13 & r29-r31 */
+	reg = 0
+	.rept	29
+	.if (reg != 9) && (reg != 13)
+	std	reg, VCPU_GPRS_TM(reg)(r9)
+	.endif
+	reg = reg + 1
+	.endr
+	/* ... now save r13 */
+	GET_SCRATCH0(r4)
+	std	r4, VCPU_GPRS_TM(13)(r9)
+	/* ... and save r9 */
+	ld	r4, PACATMSCRATCH(r13)
+	std	r4, VCPU_GPRS_TM(9)(r9)
+
+	/* Reload stack pointer and TOC. */
+	ld	r1, HSTATE_HOST_R1(r13)
+	ld	r2, PACATOC(r13)
+
+	/* Set MSR RI now we have r1 and r13 back. */
+	li	r5, MSR_RI
+	mtmsrd	r5, 1
+
+	/* Save away checkpinted SPRs. */
+	std	r31, VCPU_PPR_TM(r9)
+	std	r30, VCPU_DSCR_TM(r9)
+	mflr	r5
+	mfcr	r6
+	mfctr	r7
+	mfspr	r8, SPRN_AMR
+	mfspr	r10, SPRN_TAR
+	std	r5, VCPU_LR_TM(r9)
+	stw	r6, VCPU_CR_TM(r9)
+	std	r7, VCPU_CTR_TM(r9)
+	std	r8, VCPU_AMR_TM(r9)
+	std	r10, VCPU_TAR_TM(r9)
+
+	/* Restore r12 as trap number. */
+	lwz	r12, VCPU_TRAP(r9)
+
+	/* Save FP/VSX. */
+	addi	r3, r9, VCPU_FPRS_TM
+	bl	.store_fp_state
+	addi	r3, r9, VCPU_VRS_TM
+	bl	.store_vr_state
+	mfspr	r6, SPRN_VRSAVE
+	stw	r6, VCPU_VRSAVE_TM(r9)
+1:
+	/*
+	 * We need to save these SPRs after the treclaim so that the software
+	 * error code is recorded correctly in the TEXASR.  Also the user may
+	 * change these outside of a transaction, so they must always be
+	 * context switched.
+	 */
+	mfspr	r5, SPRN_TFHAR
+	mfspr	r6, SPRN_TFIAR
+	mfspr	r7, SPRN_TEXASR
+	std	r5, VCPU_TFHAR(r9)
+	std	r6, VCPU_TFIAR(r9)
+	std	r7, VCPU_TEXASR(r9)
+
+	ld	r0, PPC_LR_STKOFF(r1)
+	mtlr	r0
+	blr
+
+/*
+ * Restore transactional state and TM-related registers.
+ * Called with r4 pointing to the vcpu struct.
+ * This potentially modifies all checkpointed registers.
+ * It restores r1, r2, r4 from the PACA.
+ */
+kvmppc_restore_tm:
+	mflr	r0
+	std	r0, PPC_LR_STKOFF(r1)
+
+	/* Turn on TM/FP/VSX/VMX so we can restore them. */
+	mfmsr	r5
+	li	r6, MSR_TM >> 32
+	sldi	r6, r6, 32
+	or	r5, r5, r6
+	ori	r5, r5, MSR_FP
+	oris	r5, r5, (MSR_VEC | MSR_VSX)@h
+	mtmsrd	r5
+
+	/*
+	 * The user may change these outside of a transaction, so they must
+	 * always be context switched.
+	 */
+	ld	r5, VCPU_TFHAR(r4)
+	ld	r6, VCPU_TFIAR(r4)
+	ld	r7, VCPU_TEXASR(r4)
+	mtspr	SPRN_TFHAR, r5
+	mtspr	SPRN_TFIAR, r6
+	mtspr	SPRN_TEXASR, r7
+
+	ld	r5, VCPU_MSR(r4)
+	rldicl. r5, r5, 64 - MSR_TS_S_LG, 62
+	beqlr		/* TM not active in guest */
+	std	r1, HSTATE_HOST_R1(r13)
+
+	/* Make sure the failure summary is set, otherwise we'll program check
+	 * when we trechkpt.  It's possible that this might have been not set
+	 * on a kvmppc_set_one_reg() call but we shouldn't let this crash the
+	 * host.
+	 */
+	oris	r7, r7, (TEXASR_FS)@h
+	mtspr	SPRN_TEXASR, r7
+
+	/*
+	 * We need to load up the checkpointed state for the guest.
+	 * We need to do this early as it will blow away any GPRs, VSRs and
+	 * some SPRs.
+	 */
+
+	mr	r31, r4
+	addi	r3, r31, VCPU_FPRS_TM
+	bl	.load_fp_state
+	addi	r3, r31, VCPU_VRS_TM
+	bl	.load_vr_state
+	mr	r4, r31
+	lwz	r7, VCPU_VRSAVE_TM(r4)
+	mtspr	SPRN_VRSAVE, r7
+
+	ld	r5, VCPU_LR_TM(r4)
+	lwz	r6, VCPU_CR_TM(r4)
+	ld	r7, VCPU_CTR_TM(r4)
+	ld	r8, VCPU_AMR_TM(r4)
+	ld	r9, VCPU_TAR_TM(r4)
+	mtlr	r5
+	mtcr	r6
+	mtctr	r7
+	mtspr	SPRN_AMR, r8
+	mtspr	SPRN_TAR, r9
+
+	/*
+	 * Load up PPR and DSCR values but don't put them in the actual SPRs
+	 * till the last moment to avoid running with userspace PPR and DSCR for
+	 * too long.
+	 */
+	ld	r29, VCPU_DSCR_TM(r4)
+	ld	r30, VCPU_PPR_TM(r4)
+
+	std	r2, PACATMSCRATCH(r13) /* Save TOC */
+
+	/* Clear the MSR RI since r1, r13 are all going to be foobar. */
+	li	r5, 0
+	mtmsrd	r5, 1
+
+	/* Load GPRs r0-r28 */
+	reg = 0
+	.rept	29
+	ld	reg, VCPU_GPRS_TM(reg)(r31)
+	reg = reg + 1
+	.endr
+
+	mtspr	SPRN_DSCR, r29
+	mtspr	SPRN_PPR, r30
+
+	/* Load final GPRs */
+	ld	29, VCPU_GPRS_TM(29)(r31)
+	ld	30, VCPU_GPRS_TM(30)(r31)
+	ld	31, VCPU_GPRS_TM(31)(r31)
+
+	/* TM checkpointed state is now setup.  All GPRs are now volatile. */
+	TRECHKPT
+
+	/* Now let's get back the state we need. */
+	HMT_MEDIUM
+	GET_PACA(r13)
+	ld	r29, HSTATE_DSCR(r13)
+	mtspr	SPRN_DSCR, r29
+	ld	r4, HSTATE_KVM_VCPU(r13)
+	ld	r1, HSTATE_HOST_R1(r13)
+	ld	r2, PACATMSCRATCH(r13)
+
+	/* Set the MSR RI since we have our registers back. */
+	li	r5, MSR_RI
+	mtmsrd	r5, 1
+
+	ld	r0, PPC_LR_STKOFF(r1)
+	mtlr	r0
+	blr
+#endif
+
 /*
  * We come here if we get any exception or interrupt while we are
  * executing host real mode code while in guest MMU context.
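
Review bot: In kvmppc_restore_tm, the `oris r7, r7, (TEXASR_FS)@h` followed by the second `mtspr SPRN_TEXASR, r7` silently rewrites a TEXASR value that, per the comment above it, may have been supplied through kvmppc_set_one_reg(), so the SPR and the value kept in VCPU_TEXASR can differ from then on. Forcing or rejecting the missing failure-summary bit at the set_one_reg boundary would keep the two consistent and leave this path with a single TEXASR write. Smaller points: that comment starts its text on the `/*` line while the other block comments in the hunk do not, and "checkpinted" in the kvmppc_save_tm comment should read "checkpointed".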


* [PATCH 3.16 019/305] Revert "scsi: fix soft lockup in scsi_remove_target() on module removal"
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (169 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 038/305] Fix OpenSSH pty regression on close Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 302/305] netfilter: x_tables: do compat validation via translate_table Ben Hutchings
                   ` (134 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hannes Reinecke, Ewan D. Milne, Johannes Thumshirn,
	Martin K. Petersen

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Thumshirn <jthumshirn@suse.de>

commit 305c2e71b3d733ec065cb716c76af7d554bd5571 upstream.

Now that we've done a more comprehensive fix with the intermediate
target state we can remove the previous hack introduced with commit
90a88d6ef88e ("scsi: fix soft lockup in scsi_remove_target() on module
removal").

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/scsi_sysfs.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1148,19 +1148,17 @@ static void __scsi_remove_target(struct
 void scsi_remove_target(struct device *dev)
 {
 	struct Scsi_Host *shost = dev_to_shost(dev->parent);
-	struct scsi_target *starget, *last_target = NULL;
+	struct scsi_target *starget;
 	unsigned long flags;
 
 restart:
 	spin_lock_irqsave(shost->host_lock, flags);
 	list_for_each_entry(starget, &shost->__targets, siblings) {
 		if (starget->state == STARGET_DEL ||
-		    starget->state == STARGET_REMOVE ||
-		    starget == last_target)
+		    starget->state == STARGET_REMOVE)
 			continue;
 		if (starget->dev.parent == dev || &starget->dev == dev) {
 			kref_get(&starget->reap_ref);
-			last_target = starget;
 			starget->state = STARGET_REMOVE;
 			spin_unlock_irqrestore(shost->host_lock, flags);
 			__scsi_remove_target(starget);
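
Review bot: With `last_target` gone, the loop after the `restart:` label in scsi_remove_target() avoids revisiting a target only through the `STARGET_DEL` / `STARGET_REMOVE` state test, so this revert is safe only on top of the change that sets `starget->state = STARGET_REMOVE` before `host_lock` is dropped (present here as context). Please confirm that the ordering of the 3.16.y series guarantees this, and consider a one-line comment above the state test saying that it is what stops the same target being picked again once the lock has been released.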


* [PATCH 3.16 180/305] scsi: fix race between simultaneous decrements of ->host_failed
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (93 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 165/305] iio: proximity: as3935: fix buffer stack trashing Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 008/305] xfs: disallow rw remount on fs with unknown ro-compat features Ben Hutchings
                   ` (210 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Wei Fang, Martin K. Petersen, James Bottomley

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wei Fang <fangwei1@huawei.com>

commit 72d8c36ec364c82bf1bf0c64dfa1041cfaf139f7 upstream.

sas_ata_strategy_handler() adds the works of the ata error handler to
system_unbound_wq. This workqueue asynchronously runs work items, so the
ata error handler will be performed concurrently on different CPUs. In
this case, ->host_failed will be decreased simultaneously in
scsi_eh_finish_cmd() on different CPUs, and become abnormal.

It will lead to permanent inequality between ->host_failed and
->host_busy, and scsi error handler thread won't start running. IO
errors after that won't be handled.

Since all scmds must have been handled in the strategy handler, just
remove the decrement in scsi_eh_finish_cmd() and zero ->host_busy after
the strategy handler to fix this race.

Fixes: 50824d6c5657 ("[SCSI] libsas: async ata-eh")
Signed-off-by: Wei Fang <fangwei1@huawei.com>
Reviewed-by: James Bottomley <jejb@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/scsi/scsi_eh.txt | 8 ++++++--
 drivers/ata/libata-eh.c        | 2 +-
 drivers/scsi/scsi_error.c      | 4 +++-
 3 files changed, 10 insertions(+), 4 deletions(-)

--- a/Documentation/scsi/scsi_eh.txt
+++ b/Documentation/scsi/scsi_eh.txt
@@ -263,19 +263,23 @@ scmd->allowed.
 
  3. scmd recovered
     ACTION: scsi_eh_finish_cmd() is invoked to EH-finish scmd
-	- shost->host_failed--
 	- clear scmd->eh_eflags
 	- scsi_setup_cmd_retry()
 	- move from local eh_work_q to local eh_done_q
     LOCKING: none
+    CONCURRENCY: at most one thread per separate eh_work_q to
+		 keep queue manipulation lockless
 
  4. EH completes
     ACTION: scsi_eh_flush_done_q() retries scmds or notifies upper
-	    layer of failure.
+	    layer of failure. May be called concurrently but must have
+	    a no more than one thread per separate eh_work_q to
+	    manipulate the queue locklessly
 	- scmd is removed from eh_done_q and scmd->eh_entry is cleared
 	- if retry is necessary, scmd is requeued using
           scsi_queue_insert()
 	- otherwise, scsi_finish_command() is invoked for scmd
+	- zero shost->host_failed
     LOCKING: queue or finish function performs appropriate locking
 
 
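Review bot: The new "- zero shost->host_failed" bullet is listed under step 4, scsi_eh_flush_done_q(), but the code change in this patch performs the zeroing in scsi_error_handler() after the strategy handler has returned. The document should name the place where it really happens, otherwise the author of a transport-specific strategy handler will read this as something scsi_eh_flush_done_q() does for them. The added sentence also reads "must have a no more than one thread", where the "a" should be dropped.
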
--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -605,7 +605,7 @@ void ata_scsi_error(struct Scsi_Host *ho
 	ata_scsi_port_error_handler(host, ap);
 
 	/* finish or retry handled scmd's and clean up */
-	WARN_ON(host->host_failed || !list_empty(&eh_work_q));
+	WARN_ON(!list_empty(&eh_work_q));
 
 	DPRINTK("EXIT\n");
 }
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -1115,7 +1115,6 @@ static int scsi_eh_action(struct scsi_cm
  */
 void scsi_eh_finish_cmd(struct scsi_cmnd *scmd, struct list_head *done_q)
 {
-	scmd->device->host->host_failed--;
 	scmd->eh_eflags = 0;
 	list_move_tail(&scmd->eh_entry, done_q);
 }
@@ -2198,6 +2197,9 @@ int scsi_error_handler(void *data)
 		else
 			scsi_unjam_host(shost);
 
+		/* All scmds have been handled */
+		shost->host_failed = 0;
+
 		/*
 		 * Note - if the above fails completely, the action is to take
 		 * individual devices offline and flush the queue of any
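
Review bot: `shost->host_failed = 0` is a plain store with no lock taken in the visible lines, so it is correct only if nothing can increment host_failed between the strategy handler returning and this line; the comment should say which lock or host state rules that out. "All scmds have been handled" also does not explain why the counter is reset here instead of being decremented per command, and the changelog speaks of zeroing ->host_busy while the code zeroes `host_failed`. Naming the counter and the concurrent callers of scsi_eh_finish_cmd() in this comment would make the intent clear to the next reader.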


* [PATCH 3.16 101/305] batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (233 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 047/305] ACPI / sysfs: fix error code in get_status() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 234/305] iio:ad7266: Fix probe deferral for vref Ben Hutchings
                   ` (70 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Antonio Quartulli, Marek Lindner, Sven Eckelmann

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven.eckelmann@open-mesh.com>

commit d285f52cc0f23564fd61976d43fd5b991b4828f6 upstream.

The undefined behavior sanitizer detected a signed integer overflow in a
setup with near perfect link quality

    UBSAN: Undefined behaviour in net/batman-adv/bat_iv_ogm.c:1246:25
    signed integer overflow:
    8713350 * 255 cannot be represented in type 'int'

The problem happens because the calculation of mixed unsigned and signed
integers resulted in an integer multiplication.

      batadv_ogm_packet::tq (u8 255)
    * tq_own (u8 255)
    * tq_asym_penalty (int 134; max 255)
    * tq_iface_penalty (int 255; max 255)

The tq_iface_penalty, tq_asym_penalty and inv_asym_penalty can just be
changed to unsigned int because they are not expected to become negative.

Fixes: c039876892e3 ("batman-adv: add WiFi penalty")
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/bat_iv_ogm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -1134,9 +1134,10 @@ static int batadv_iv_ogm_calc_tq(struct
 	uint8_t total_count;
 	uint8_t orig_eq_count, neigh_rq_count, neigh_rq_inv, tq_own;
 	unsigned int neigh_rq_inv_cube, neigh_rq_max_cube;
-	int tq_asym_penalty, inv_asym_penalty, if_num, ret = 0;
+	int if_num, ret = 0;
+	unsigned int tq_asym_penalty, inv_asym_penalty;
 	unsigned int combined_tq;
-	int tq_iface_penalty;
+	unsigned int tq_iface_penalty;
 
 	/* find corresponding one hop neighbor */
 	rcu_read_lock();
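
Review bot: The switch to `unsigned int` for `tq_asym_penalty`, `inv_asym_penalty` and `tq_iface_penalty` removes the overflow only because every factor is capped at 255: the worst case 255 * 255 * 255 * 255 = 4228250625 fits in 32 bits with less than 2% to spare. A comment next to these declarations stating that bound would keep a later change to a penalty's range from reintroducing a wrap, which in unsigned arithmetic would be silent and no longer reported by UBSAN.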

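The overflow described in the batman-adv changelog above, reproduced as an added example (it is not code from the patch or from batman-adv). The function names and the left-to-right multiplication order are assumptions; the factor values 255, 255, 134, 255 are the ones quoted in the commit message.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of multiplying the four TQ factors left to right. */
struct tq_product {
	bool overflowed;	/* a step left the range of the arithmetic type */
	int step;		/* 1-based multiply that overflowed, 0 if none */
	long long lhs;		/* running product going into that multiply */
	unsigned int value;	/* final product, valid when !overflowed */
};

/*
 * Multiply in 64 bits and compare every intermediate result against the
 * largest value the 32-bit arithmetic type can hold.  Factors are assumed
 * to be in 0..255, as the commit message states.
 */
static struct tq_product tq_multiply(const long long f[4], long long type_max)
{
	struct tq_product r = { false, 0, 0, 0 };
	long long acc = f[0];
	int i;

	for (i = 1; i < 4; i++) {
		if (acc * f[i] > type_max) {
			r.overflowed = true;
			r.step = i;
			r.lhs = acc;
			return r;
		}
		acc *= f[i];
	}
	r.value = (unsigned int)acc;
	return r;
}

/*
 * Types before the fix: the u8 operands promote to int and the penalties
 * are int, so the whole product is computed in signed int.
 */
struct tq_product tq_product_signed(uint8_t tq, uint8_t tq_own,
				    int asym_penalty, int iface_penalty)
{
	const long long f[4] = { tq, tq_own, asym_penalty, iface_penalty };

	return tq_multiply(f, INT_MAX);
}

/*
 * Types after the fix: once an unsigned int penalty enters the expression
 * the arithmetic is unsigned.  The first u8 * u8 step is still done in
 * int, but 255 * 255 = 65025 is far below INT_MAX.
 */
struct tq_product tq_product_unsigned(uint8_t tq, uint8_t tq_own,
				      unsigned int asym_penalty,
				      unsigned int iface_penalty)
{
	const long long f[4] = { tq, tq_own, asym_penalty, iface_penalty };

	return tq_multiply(f, UINT_MAX);
}

int main(void)
{
	struct tq_product s = tq_product_signed(255, 255, 134, 255);
	struct tq_product u = tq_product_unsigned(255, 255, 134, 255);
	struct tq_product m = tq_product_unsigned(255, 255, 255, 255);

	if (s.overflowed)
		printf("int: %lld * 255 overflows at multiply %d\n",
		       s.lhs, s.step);
	printf("unsigned int: product %u, overflow %d\n", u.value, u.overflowed);
	printf("unsigned int, all factors 255: %u of %u\n", m.value, UINT_MAX);
	return 0;
}
```

The signed case stops at the same operands UBSAN reported, 8713350 * 255.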

* [PATCH 3.16 203/305] can: at91_can: RX queue could get stuck at high bus load
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (243 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 174/305] usb: quirks: Fix sorting Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 271/305] ecryptfs: don't allow mmap when the lower fs doesn't support it Ben Hutchings
                   ` (60 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Wolfgang Grandegger, Amr Bekhit, Marc Kleine-Budde

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wolfgang Grandegger <wg@grandegger.com>

commit 43200a4480cbbe660309621817f54cbb93907108 upstream.

At high bus load it could happen that "at91_poll()" enters with all RX
message boxes filled up. If then at the end the "quota" is exceeded as
well, "rx_next" will not be reset to the first RX mailbox and hence the
interrupts remain disabled.

Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
Tested-by: Amr Bekhit <amrbekhit@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/at91_can.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/net/can/at91_can.c
+++ b/drivers/net/can/at91_can.c
@@ -734,9 +734,10 @@ static int at91_poll_rx(struct net_devic
 
 	/* upper group completed, look again in lower */
 	if (priv->rx_next > get_mb_rx_low_last(priv) &&
-	    quota > 0 && mb > get_mb_rx_last(priv)) {
+	    mb > get_mb_rx_last(priv)) {
 		priv->rx_next = get_mb_rx_first(priv);
-		goto again;
+		if (quota > 0)
+			goto again;
 	}
 
 	return received;
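
Review bot: The reset of `priv->rx_next` is now unconditional inside the `if`, and only the `goto again` still depends on `quota > 0`, but nothing in the code says why the two were separated. A short comment above `priv->rx_next = get_mb_rx_first(priv);` stating that the reset must happen even when the quota is used up, because otherwise the RX interrupts stay disabled, would stop the condition from being folded back together in a later cleanup.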


* [PATCH 3.16 082/305] i40e: fix an uninitialized variable bug
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (42 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 222/305] cifs: dynamic allocation of ntlmssp blob Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 007/305] iommu/vt-d: Improve fault handler error messages Ben Hutchings
                   ` (261 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Jeff Kirsher, Andrew Bowers

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 1c306f7f62a38ee5f05f0ee994dfe82d654cf47c upstream.

We removed this initialization but it is required.  Let's put it back.

Fixes: 895106a577c4 ('i40e: trivial fixes')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/intel/i40e/i40e_hmc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/intel/i40e/i40e_hmc.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_hmc.c
@@ -49,7 +49,7 @@ i40e_status i40e_add_sd_table_entry(stru
 	struct i40e_hmc_sd_entry *sd_entry;
 	bool dma_mem_alloc_done = false;
 	struct i40e_dma_mem mem;
-	i40e_status ret_code;
+	i40e_status ret_code = I40E_SUCCESS;
 	u64 alloc_len;
 
 	if (NULL == hmc_info->sd_table.sd_entry) {
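
Review bot: Initialising `ret_code` to `I40E_SUCCESS` at its declaration fixes the uninitialised read, but it also silences the compiler for every path through i40e_add_sd_table_entry(), including any future one that forgets to set an error code. The changelog does not say which path returns `ret_code` unset; naming that path, or assigning `I40E_SUCCESS` on it explicitly, would keep the uninitialised-variable warning useful for the rest of the function.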


* [PATCH 3.16 022/305] powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (257 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 151/305] IB/IPoIB: Don't update neigh validity for unresolved entries Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 216/305] IB/mlx4: Fix error flow when sending mads under SRIOV Ben Hutchings
                   ` (46 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hari Bathini, Michael Ellerman, Mahesh Salgaonkar

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hari Bathini <hbathini@linux.vnet.ibm.com>

commit 8ed8ab40047a570fdd8043a40c104a57248dd3fd upstream.

Some of the interrupt vectors on 64-bit POWER server processors are only
32 bytes long (8 instructions), which is not enough for the full
first-level interrupt handler. For these we need to branch to an
out-of-line (OOL) handler. But when we are running a relocatable kernel,
interrupt vectors till __end_interrupts marker are copied down to real
address 0x100. So, branching to labels (ie. OOL handlers) outside this
section must be handled differently (see LOAD_HANDLER()), considering
relocatable kernel, which would need at least 4 instructions.

However, branching from interrupt vector means that we corrupt the
CFAR (come-from address register) on POWER7 and later processors as
mentioned in commit 1707dd16. So, EXCEPTION_PROLOG_0 (6 instructions)
that contains the part up to the point where the CFAR is saved in the
PACA should be part of the short interrupt vectors before we branch out
to OOL handlers.

But as mentioned already, there are interrupt vectors on 64-bit POWER
server processors that are only 32 bytes long (like vectors 0x4f00,
0x4f20, etc.), which cannot accommodate the above two cases at the same
time owing to space constraint. Currently, in these interrupt vectors,
we simply branch out to OOL handlers, without using LOAD_HANDLER(),
which leaves us vulnerable when running a relocatable kernel (eg. kdump
case). While this has been the case for some time now and kdump is used
widely, we were fortunate not to see any problems so far, for three
reasons:

  1. In almost all cases, production kernel (relocatable) is used for
     kdump as well, which would mean that crashed kernel's OOL handler
     would be at the same place where we end up branching to, from short
     interrupt vector of kdump kernel.
  2. Also, OOL handler was unlikely the reason for crash in almost all
     the kdump scenarios, which meant we had a sane OOL handler from
     crashed kernel that we branched to.
  3. On most 64-bit POWER server processors, page size is large enough
     that marking interrupt vector code as executable (see commit
     429d2e83) leads to marking OOL handler code from crashed kernel,
     that sits right below interrupt vector code from kdump kernel, as
     executable as well.

Let us fix this by moving the __end_interrupts marker down past OOL
handlers to make sure that we also copy OOL handlers to real address
0x100 when running a relocatable kernel.

This fix has been tested successfully in kdump scenario, on an LPAR with
4K page size by using different default/production kernel and kdump
kernel.

Also tested by manually corrupting the OOL handlers in the first kernel
and then kdump'ing, and then causing the OOL handlers to fire - mpe.

Fixes: c1fb6816fb1b ("powerpc: Add relocation on exception vector handlers")
Signed-off-by: Hari Bathini <hbathini@linux.vnet.ibm.com>
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/exceptions-64s.S | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- a/arch/powerpc/kernel/exceptions-64s.S
+++ b/arch/powerpc/kernel/exceptions-64s.S
@@ -965,11 +965,6 @@ hv_facility_unavailable_relon_trampoline
 #endif
 	STD_RELON_EXCEPTION_PSERIES(0x5700, 0x1700, altivec_assist)
 
-	/* Other future vectors */
-	.align	7
-	.globl	__end_interrupts
-__end_interrupts:
-
 	.align	7
 system_call_entry_direct:
 #if defined(CONFIG_RELOCATABLE)
@@ -1323,6 +1318,17 @@ __end_handlers:
 	STD_RELON_EXCEPTION_PSERIES_OOL(0xf60, facility_unavailable)
 	STD_RELON_EXCEPTION_HV_OOL(0xf80, hv_facility_unavailable)
 
+	/*
+	 * The __end_interrupts marker must be past the out-of-line (OOL)
+	 * handlers, so that they are copied to real address 0x100 when running
+	 * a relocatable kernel. This ensures they can be reached from the short
+	 * trampoline handlers (like 0x4f00, 0x4f20, etc.) which branch
+	 * directly, without using LOAD_HANDLER().
+	 */
+	.align	7
+	.globl	__end_interrupts
+__end_interrupts:
+
 #if defined(CONFIG_PPC_PSERIES) || defined(CONFIG_PPC_POWERNV)
 /*
  * Data area reserved for FWNMI option.
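
Review bot: Moving `__end_interrupts` below the OOL handlers enlarges the block that is copied to real address 0x100, and the hunk adds no build-time check on the size of that block. If anything assumes an upper bound on the distance from the start of the vectors to `__end_interrupts`, a size assertion next to the new label would turn a later overflow into a build failure instead of a boot-time or kdump-time fault. The new comment explains the placement well; it could also note that the marker now follows `__end_handlers` (visible in the hunk header), so that nobody moves it back above the OOL section.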


* [PATCH 3.16 116/305] xen/events: Don't move disabled irqs
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (140 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 126/305] Input: pwm-beeper - remove useless call to pwm_config() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 293/305] netfilter: x_tables: add compat version of xt_check_entry_offsets Ben Hutchings
                   ` (163 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Boris Ostrovsky, Ross Lagerwall, David Vrabel

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ross Lagerwall <ross.lagerwall@citrix.com>

commit f0f393877c71ad227d36705d61d1e4062bc29cf5 upstream.

Commit ff1e22e7a638 ("xen/events: Mask a moving irq") open-coded
irq_move_irq() but left out checking if the IRQ is disabled. This broke
resuming from suspend since it tries to move a (disabled) irq without
holding the IRQ's desc->lock. Fix it by adding in a check for disabled
IRQs.

The resulting stacktrace was:
kernel BUG at /build/linux-UbQGH5/linux-4.4.0/kernel/irq/migration.c:31!
invalid opcode: 0000 [#1] SMP
Modules linked in: xenfs xen_privcmd ...
CPU: 0 PID: 9 Comm: migration/0 Not tainted 4.4.0-22-generic #39-Ubuntu
Hardware name: Xen HVM domU, BIOS 4.6.1-xs125180 05/04/2016
task: ffff88003d75ee00 ti: ffff88003d7bc000 task.ti: ffff88003d7bc000
RIP: 0010:[<ffffffff810e26e2>]  [<ffffffff810e26e2>] irq_move_masked_irq+0xd2/0xe0
RSP: 0018:ffff88003d7bfc50  EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff88003d40ba00 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000100 RDI: ffff88003d40bad8
RBP: ffff88003d7bfc68 R08: 0000000000000000 R09: ffff88003d000000
R10: 0000000000000000 R11: 000000000000023c R12: ffff88003d40bad0
R13: ffffffff81f3a4a0 R14: 0000000000000010 R15: 00000000ffffffff
FS:  0000000000000000(0000) GS:ffff88003da00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd4264de624 CR3: 0000000037922000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff88003d40ba38 0000000000000024 0000000000000000 ffff88003d7bfca0
 ffffffff814c8d92 00000010813ef89d 00000000805ea732 0000000000000009
 0000000000000024 ffff88003cc39b80 ffff88003d7bfce0 ffffffff814c8f66
Call Trace:
 [<ffffffff814c8d92>] eoi_pirq+0xb2/0xf0
 [<ffffffff814c8f66>] __startup_pirq+0xe6/0x150
 [<ffffffff814ca659>] xen_irq_resume+0x319/0x360
 [<ffffffff814c7e75>] xen_suspend+0xb5/0x180
 [<ffffffff81120155>] multi_cpu_stop+0xb5/0xe0
 [<ffffffff811200a0>] ? cpu_stop_queue_work+0x80/0x80
 [<ffffffff811203d0>] cpu_stopper_thread+0xb0/0x140
 [<ffffffff810a94e6>] ? finish_task_switch+0x76/0x220
 [<ffffffff810ca731>] ? __raw_callee_save___pv_queued_spin_unlock+0x11/0x20
 [<ffffffff810a3935>] smpboot_thread_fn+0x105/0x160
 [<ffffffff810a3830>] ? sort_range+0x30/0x30
 [<ffffffff810a0588>] kthread+0xd8/0xf0
 [<ffffffff810a04b0>] ? kthread_create_on_node+0x1e0/0x1e0
 [<ffffffff8182568f>] ret_from_fork+0x3f/0x70
 [<ffffffff810a04b0>] ? kthread_create_on_node+0x1e0/0x1e0

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/events/events_base.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -486,7 +486,8 @@ static void eoi_pirq(struct irq_data *da
 	if (!VALID_EVTCHN(evtchn))
 		return;
 
-	if (unlikely(irqd_is_setaffinity_pending(data))) {
+	if (unlikely(irqd_is_setaffinity_pending(data)) &&
+	    likely(!irqd_irq_disabled(data))) {
 		int masked = test_and_set_mask(evtchn);
 
 		clear_evtchn(evtchn);
@@ -1372,7 +1373,8 @@ static void ack_dynirq(struct irq_data *
 	if (!VALID_EVTCHN(evtchn))
 		return;
 
-	if (unlikely(irqd_is_setaffinity_pending(data))) {
+	if (unlikely(irqd_is_setaffinity_pending(data)) &&
+	    likely(!irqd_irq_disabled(data))) {
 		int masked = test_and_set_mask(evtchn);
 
 		clear_evtchn(evtchn);
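
Review bot: The same two-part condition, `unlikely(irqd_is_setaffinity_pending(data)) && likely(!irqd_irq_disabled(data))`, is now open-coded in both eoi_pirq() and ack_dynirq(). The bug fixed here came from open-coding irq_move_irq() and leaving out one of its checks, so a small static helper shared by the two callers would avoid a repeat. The `likely()` around the second operand is evaluated only on the already-unlikely path and can be dropped.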


* [PATCH 3.16 199/305] IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (275 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 300/305] netfilter: ip6_tables: simplify translate_compat_table args Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 248/305] ipr: Clear interrupt on croc/crocodile when running with LSI Ben Hutchings
                   ` (28 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jason Gunthorpe, Doug Ledford

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>

commit 8c5122e45a10a9262f872b53f151a592e870f905 upstream.

When this code was reworked for IBoE support the order of assignments
for the sl_tclass_flowlabel got flipped around resulting in
TClass & FlowLabel being permanently set to 0 in the packet headers.

This breaks IB routers that rely on these headers, but only affects
kernel users - libmlx4 does this properly for user space.

Fixes: fa417f7b520e ("IB/mlx4: Add support for IBoE")
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/ah.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/ah.c
+++ b/drivers/infiniband/hw/mlx4/ah.c
@@ -46,6 +46,7 @@ static struct ib_ah *create_ib_ah(struct
 
 	ah->av.ib.port_pd = cpu_to_be32(to_mpd(pd)->pdn | (ah_attr->port_num << 24));
 	ah->av.ib.g_slid  = ah_attr->src_path_bits;
+	ah->av.ib.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 28);
 	if (ah_attr->ah_flags & IB_AH_GRH) {
 		ah->av.ib.g_slid   |= 0x80;
 		ah->av.ib.gid_index = ah_attr->grh.sgid_index;
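
Review bot: The fix depends on `sl_tclass_flowlabel` being assigned before the `IB_AH_GRH` block, yet nothing at the new line says so, and the regression was exactly a reordering of these statements. A comment stating that the GRH branch adds TClass and FlowLabel to this field afterwards would protect the ordering. Separately, `ah_attr->sl << 28` is evaluated in `int` if `sl` is narrower than `int`, so a service level of 8 or more shifts into the sign bit; casting to `u32` before the shift avoids that.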
@@ -63,7 +64,6 @@ static struct ib_ah *create_ib_ah(struct
 		       !(1 << ah->av.ib.stat_rate & dev->caps.stat_rate_support))
 			--ah->av.ib.stat_rate;
 	}
-	ah->av.ib.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 28);
 
 	return &ah->ibah;
 }


* [PATCH 3.16 049/305] arm64: Ensure pmd_present() returns false after pmd_mknotpresent()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (164 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 265/305] net: bcmsysport: Device stats are unsigned long Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 063/305] gcov: disable tree-loop-im to reduce stack usage Ben Hutchings
                   ` (139 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Will Deacon, Catalin Marinas

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Catalin Marinas <catalin.marinas@arm.com>

commit 5bb1cc0ff9a6b68871970737e6c4c16919928d8b upstream.

Currently, pmd_present() only checks for a non-zero value, returning
true even after pmd_mknotpresent() (which only clears the type bits).
This patch converts pmd_present() to using pte_present(), similar to the
other pmd_*() checks. As a side effect, it will return true for
PROT_NONE mappings, though they are not yet used by the kernel with
transparent huge pages.

For consistency, also change pmd_mknotpresent() to only clear the
PMD_SECT_VALID bit, even though the PMD_TABLE_BIT is already 0 for block
mappings (no functional change). The unused PMD_SECT_PROT_NONE
definition is removed as transparent huge pages use the pte page prot
values.

Fixes: 9c7e535fcc17 ("arm64: mm: Route pmd thp functions through pte equivalents")
Reviewed-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/asm/pgtable-hwdef.h | 1 -
 arch/arm64/include/asm/pgtable.h       | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

--- a/arch/arm64/include/asm/pgtable-hwdef.h
+++ b/arch/arm64/include/asm/pgtable-hwdef.h
@@ -45,7 +45,6 @@
  * Section
  */
 #define PMD_SECT_VALID		(_AT(pmdval_t, 1) << 0)
-#define PMD_SECT_PROT_NONE	(_AT(pmdval_t, 1) << 58)
 #define PMD_SECT_USER		(_AT(pmdval_t, 1) << 6)		/* AP[1] */
 #define PMD_SECT_RDONLY		(_AT(pmdval_t, 1) << 7)		/* AP[2] */
 #define PMD_SECT_S		(_AT(pmdval_t, 3) << 8)
--- a/arch/arm64/include/asm/pgtable.h
+++ b/arch/arm64/include/asm/pgtable.h
@@ -250,6 +250,7 @@ static inline pmd_t pte_pmd(pte_t pte)
 #define pmd_trans_splitting(pmd)	pte_special(pmd_pte(pmd))
 #endif
 
+#define pmd_present(pmd)	pte_present(pmd_pte(pmd))
 #define pmd_young(pmd)		pte_young(pmd_pte(pmd))
 #define pmd_wrprotect(pmd)	pte_pmd(pte_wrprotect(pmd_pte(pmd)))
 #define pmd_mksplitting(pmd)	pte_pmd(pte_mkspecial(pmd_pte(pmd)))
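Review bot: `pmd_present()` is now defined as `pte_present(pmd_pte(pmd))`, which per the changelog also returns true for PROT_NONE mappings, and that change in behaviour is not recorded anywhere in the header. A one-line comment above the macro would help, because `pmd_none()` further down still tests the raw value: after `pmd_mknotpresent()` a PMD is neither none nor present, and callers that treated the two macros as complementary need to know that.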
@@ -257,7 +258,7 @@ static inline pmd_t pte_pmd(pte_t pte)
 #define pmd_mkwrite(pmd)	pte_pmd(pte_mkwrite(pmd_pte(pmd)))
 #define pmd_mkdirty(pmd)	pte_pmd(pte_mkdirty(pmd_pte(pmd)))
 #define pmd_mkyoung(pmd)	pte_pmd(pte_mkyoung(pmd_pte(pmd)))
-#define pmd_mknotpresent(pmd)	(__pmd(pmd_val(pmd) & ~PMD_TYPE_MASK))
+#define pmd_mknotpresent(pmd)	(__pmd(pmd_val(pmd) & ~PMD_SECT_VALID))
 
 #define __HAVE_ARCH_PMD_WRITE
 #define pmd_write(pmd)		pte_write(pmd_pte(pmd))
@@ -294,7 +295,6 @@ extern pgprot_t phys_mem_access_prot(str
 				     unsigned long size, pgprot_t vma_prot);
 
 #define pmd_none(pmd)		(!pmd_val(pmd))
-#define pmd_present(pmd)	(pmd_val(pmd))
 
 #define pmd_bad(pmd)		(!(pmd_val(pmd) & 2))
 


* [PATCH 3.16 166/305] iio:st_pressure: fix sampling gains (bring inline with ABI)
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (246 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 261/305] bonding: prevent out of bound accesses Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 189/305] ipv6: fix endianness error in icmpv6_err Ben Hutchings
                   ` (57 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jonathan Cameron, Gregor Boirie

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Gregor Boirie <gregor.boirie@parrot.com>

commit d43a41152f8e9e4c0d19850884d1fada076dee10 upstream.

Temperature channels report scaled samples in Celsius although expected as
milli degree Celsius in Documentation/ABI/testing/sysfs-bus-iio.
Gains are not implemented at all for LPS001WP pressure and temperature
channels.

This patch ensures that proper offsets and scales are exposed to userspace
for both pressure and temperature channels.
Also fix a NULL pointer exception when userspace reads content of sysfs
scale attribute when gains are not defined.

Signed-off-by: Gregor Boirie <gregor.boirie@parrot.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
[bwh: Backported to 3.16:
 - Adjust context
 - In st_press_read_raw() use pdata instead of press_data]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/pressure/st_pressure_core.c | 80 ++++++++++++++++++++-------------
 1 file changed, 50 insertions(+), 30 deletions(-)

--- a/drivers/iio/pressure/st_pressure_core.c
+++ b/drivers/iio/pressure/st_pressure_core.c
@@ -28,15 +28,21 @@
 #include <linux/iio/common/st_sensors.h>
 #include "st_pressure.h"
 
+#define MCELSIUS_PER_CELSIUS			1000
+
+/* Default pressure sensitivity */
 #define ST_PRESS_LSB_PER_MBAR			4096UL
 #define ST_PRESS_KPASCAL_NANO_SCALE		(100000000UL / \
 						 ST_PRESS_LSB_PER_MBAR)
+
+/* Default temperature sensitivity */
 #define ST_PRESS_LSB_PER_CELSIUS		480UL
-#define ST_PRESS_CELSIUS_NANO_SCALE		(1000000000UL / \
-						 ST_PRESS_LSB_PER_CELSIUS)
+#define ST_PRESS_MILLI_CELSIUS_OFFSET		42500UL
+
 #define ST_PRESS_NUMBER_DATA_CHANNELS		1
 
 /* FULLSCALE */
+#define ST_PRESS_FS_AVL_1100MB			1100
 #define ST_PRESS_FS_AVL_1260MB			1260
 
 #define ST_PRESS_1_OUT_XL_ADDR			0x28
@@ -54,18 +60,20 @@
 #define ST_PRESS_LPS331AP_PW_MASK		0x80
 #define ST_PRESS_LPS331AP_FS_ADDR		0x23
 #define ST_PRESS_LPS331AP_FS_MASK		0x30
-#define ST_PRESS_LPS331AP_FS_AVL_1260_VAL	0x00
-#define ST_PRESS_LPS331AP_FS_AVL_1260_GAIN	ST_PRESS_KPASCAL_NANO_SCALE
-#define ST_PRESS_LPS331AP_FS_AVL_TEMP_GAIN	ST_PRESS_CELSIUS_NANO_SCALE
 #define ST_PRESS_LPS331AP_BDU_ADDR		0x20
 #define ST_PRESS_LPS331AP_BDU_MASK		0x04
 #define ST_PRESS_LPS331AP_DRDY_IRQ_ADDR		0x22
 #define ST_PRESS_LPS331AP_DRDY_IRQ_INT1_MASK	0x04
 #define ST_PRESS_LPS331AP_DRDY_IRQ_INT2_MASK	0x20
 #define ST_PRESS_LPS331AP_MULTIREAD_BIT		true
-#define ST_PRESS_LPS331AP_TEMP_OFFSET		42500
 
 /* CUSTOM VALUES FOR LPS001WP SENSOR */
+
+/* LPS001WP pressure resolution */
+#define ST_PRESS_LPS001WP_LSB_PER_MBAR		16UL
+/* LPS001WP temperature resolution */
+#define ST_PRESS_LPS001WP_LSB_PER_CELSIUS	64UL
+
 #define ST_PRESS_LPS001WP_WAI_EXP		0xba
 #define ST_PRESS_LPS001WP_ODR_ADDR		0x20
 #define ST_PRESS_LPS001WP_ODR_MASK		0x30
@@ -74,6 +82,8 @@
 #define ST_PRESS_LPS001WP_ODR_AVL_13HZ_VAL	0x03
 #define ST_PRESS_LPS001WP_PW_ADDR		0x20
 #define ST_PRESS_LPS001WP_PW_MASK		0x40
+#define ST_PRESS_LPS001WP_FS_AVL_PRESS_GAIN \
+	(100000000UL / ST_PRESS_LPS001WP_LSB_PER_MBAR)
 #define ST_PRESS_LPS001WP_BDU_ADDR		0x20
 #define ST_PRESS_LPS001WP_BDU_MASK		0x04
 #define ST_PRESS_LPS001WP_MULTIREAD_BIT		true
@@ -90,18 +100,12 @@
 #define ST_PRESS_LPS25H_ODR_AVL_25HZ_VAL	0x04
 #define ST_PRESS_LPS25H_PW_ADDR			0x20
 #define ST_PRESS_LPS25H_PW_MASK			0x80
-#define ST_PRESS_LPS25H_FS_ADDR			0x00
-#define ST_PRESS_LPS25H_FS_MASK			0x00
-#define ST_PRESS_LPS25H_FS_AVL_1260_VAL		0x00
-#define ST_PRESS_LPS25H_FS_AVL_1260_GAIN	ST_PRESS_KPASCAL_NANO_SCALE
-#define ST_PRESS_LPS25H_FS_AVL_TEMP_GAIN	ST_PRESS_CELSIUS_NANO_SCALE
 #define ST_PRESS_LPS25H_BDU_ADDR		0x20
 #define ST_PRESS_LPS25H_BDU_MASK		0x04
 #define ST_PRESS_LPS25H_DRDY_IRQ_ADDR		0x23
 #define ST_PRESS_LPS25H_DRDY_IRQ_INT1_MASK	0x01
 #define ST_PRESS_LPS25H_DRDY_IRQ_INT2_MASK	0x10
 #define ST_PRESS_LPS25H_MULTIREAD_BIT		true
-#define ST_PRESS_LPS25H_TEMP_OFFSET		42500
 #define ST_PRESS_LPS25H_OUT_XL_ADDR		0x28
 #define ST_TEMP_LPS25H_OUT_L_ADDR		0x2b
 
@@ -153,7 +157,9 @@ static const struct iio_chan_spec st_pre
 			.storagebits = 16,
 			.endianness = IIO_LE,
 		},
-		.info_mask_separate = BIT(IIO_CHAN_INFO_RAW),
+		.info_mask_separate =
+			BIT(IIO_CHAN_INFO_RAW) |
+			BIT(IIO_CHAN_INFO_SCALE),
 		.modified = 0,
 	},
 	{
@@ -169,7 +175,7 @@ static const struct iio_chan_spec st_pre
 		},
 		.info_mask_separate =
 			BIT(IIO_CHAN_INFO_RAW) |
-			BIT(IIO_CHAN_INFO_OFFSET),
+			BIT(IIO_CHAN_INFO_SCALE),
 		.modified = 0,
 	},
 	IIO_CHAN_SOFT_TIMESTAMP(1)
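Review bot: the second channel in this array loses BIT(IIO_CHAN_INFO_OFFSET) and gains only BIT(IIO_CHAN_INFO_SCALE), while the commit message says proper offsets and scales are exposed and st_press_read_raw() still carries an IIO_CHAN_INFO_OFFSET case. If this sensor has no offset to report, say so in a comment next to the mask; otherwise keep the OFFSET bit alongside SCALE so userspace can still read it.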
@@ -203,11 +209,14 @@ static const struct st_sensors st_press_
 			.addr = ST_PRESS_LPS331AP_FS_ADDR,
 			.mask = ST_PRESS_LPS331AP_FS_MASK,
 			.fs_avl = {
+				/*
+				 * Pressure and temperature sensitivity values
+				 * as defined in table 3 of LPS331AP datasheet.
+				 */
 				[0] = {
 					.num = ST_PRESS_FS_AVL_1260MB,
-					.value = ST_PRESS_LPS331AP_FS_AVL_1260_VAL,
-					.gain = ST_PRESS_LPS331AP_FS_AVL_1260_GAIN,
-					.gain2 = ST_PRESS_LPS331AP_FS_AVL_TEMP_GAIN,
+					.gain = ST_PRESS_KPASCAL_NANO_SCALE,
+					.gain2 = ST_PRESS_LSB_PER_CELSIUS,
 				},
 			},
 		},
@@ -246,7 +255,17 @@ static const struct st_sensors st_press_
 			.value_off = ST_SENSORS_DEFAULT_POWER_OFF_VALUE,
 		},
 		.fs = {
-			.addr = 0,
+			.fs_avl = {
+				/*
+				 * Pressure and temperature resolution values
+				 * as defined in table 3 of LPS001WP datasheet.
+				 */
+				[0] = {
+					.num = ST_PRESS_FS_AVL_1100MB,
+					.gain = ST_PRESS_LPS001WP_FS_AVL_PRESS_GAIN,
+					.gain2 = ST_PRESS_LPS001WP_LSB_PER_CELSIUS,
+				},
+			},
 		},
 		.bdu = {
 			.addr = ST_PRESS_LPS001WP_BDU_ADDR,
@@ -282,14 +301,15 @@ static const struct st_sensors st_press_
 			.value_off = ST_SENSORS_DEFAULT_POWER_OFF_VALUE,
 		},
 		.fs = {
-			.addr = ST_PRESS_LPS25H_FS_ADDR,
-			.mask = ST_PRESS_LPS25H_FS_MASK,
 			.fs_avl = {
+				/*
+				 * Pressure and temperature sensitivity values
+				 * as defined in table 3 of LPS25H datasheet.
+				 */
 				[0] = {
 					.num = ST_PRESS_FS_AVL_1260MB,
-					.value = ST_PRESS_LPS25H_FS_AVL_1260_VAL,
-					.gain = ST_PRESS_LPS25H_FS_AVL_1260_GAIN,
-					.gain2 = ST_PRESS_LPS25H_FS_AVL_TEMP_GAIN,
+					.gain = ST_PRESS_KPASCAL_NANO_SCALE,
+					.gain2 = ST_PRESS_LSB_PER_CELSIUS,
 				},
 			},
 		},
@@ -322,26 +342,26 @@ static int st_press_read_raw(struct iio_
 
 		return IIO_VAL_INT;
 	case IIO_CHAN_INFO_SCALE:
-		*val = 0;
-
 		switch (ch->type) {
 		case IIO_PRESSURE:
+			*val = 0;
 			*val2 = pdata->current_fullscale->gain;
-			break;
+			return IIO_VAL_INT_PLUS_NANO;
 		case IIO_TEMP:
+			*val = MCELSIUS_PER_CELSIUS;
 			*val2 = pdata->current_fullscale->gain2;
-			break;
+			return IIO_VAL_FRACTIONAL;
 		default:
 			err = -EINVAL;
 			goto read_error;
 		}
 
-		return IIO_VAL_INT_PLUS_NANO;
 	case IIO_CHAN_INFO_OFFSET:
 		switch (ch->type) {
 		case IIO_TEMP:
-			*val = 425;
-			*val2 = 10;
+			*val = ST_PRESS_MILLI_CELSIUS_OFFSET *
+			       pdata->current_fullscale->gain2;
+			*val2 = MCELSIUS_PER_CELSIUS;
 			break;
 		default:
 			err = -EINVAL;
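Review bot: the IIO_CHAN_INFO_SCALE and IIO_CHAN_INFO_OFFSET cases still dereference pdata->current_fullscale with no NULL check, so the NULL pointer fix described in the commit message rests on every sensor entry now defining fs_avl[0]. Returning -EINVAL when current_fullscale is NULL would keep a future sensor entry without gains from reintroducing the crash on a plain sysfs read. Separately, the offset is now expressed as *val over *val2, so the return that follows this switch (outside the visible context) has to be IIO_VAL_FRACTIONAL for the value to be interpreted correctly.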

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 155/305] cpufreq: intel_pstate: Fix ->set_policy() interface for no_turbo
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (31 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 081/305] IB/core: Fix a potential array overrun in CMA and SA agent Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 028/305] alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO Ben Hutchings
                   ` (272 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rafael J. Wysocki, Srinivas Pandruvada

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>

commit 983e600e88835f0321d1a0ea06f52d48b7b5a544 upstream.

When turbo is disabled, the ->set_policy() interface is broken.

For example, when turbo is disabled and cpuinfo.max = 2900000 (full
max turbo frequency), setting the limits results in frequency less
than the requested one:
Set 1000000 KHz results in 0700000 KHz
Set 1500000 KHz results in 1100000 KHz
Set 2000000 KHz results in  1500000 KHz

This is because the limits->max_perf fraction is calculated using
the max turbo frequency as the reference, but when the max P-State is
capped in intel_pstate_get_min_max(), the reference is not the max
turbo P-State. This results in reducing max P-State.

One option is to always use max turbo as reference for calculating
limits. But this will not be correct. By definition the intel_pstate
sysfs limits show the percentage of available performance. So when
BIOS has disabled turbo, the available performance is max non turbo.
So the max_perf_pct should still show 100%.

Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
[ rjw : Subject & changelog, rewrite in fewer lines of code ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[bwh: Backported to 3.16:
 - limits is a perf_limits structure, not a pointer to it
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/cpufreq/intel_pstate.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -877,8 +877,11 @@ static int intel_pstate_cpu_init(struct
 
 	/* cpuinfo and default policy values */
 	policy->cpuinfo.min_freq = cpu->pstate.min_pstate * cpu->pstate.scaling;
-	policy->cpuinfo.max_freq =
-		cpu->pstate.turbo_pstate * cpu->pstate.scaling;
+	update_turbo_state();
+	policy->cpuinfo.max_freq = limits.turbo_disabled ?
+			cpu->pstate.max_pstate : cpu->pstate.turbo_pstate;
+	policy->cpuinfo.max_freq *= cpu->pstate.scaling;
+
 	policy->cpuinfo.transition_latency = CPUFREQ_ETERNAL;
 	cpumask_set_cpu(policy->cpu, policy->cpus);
 
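Review bot: cpuinfo.max_freq is now chosen from limits.turbo_disabled once, inside intel_pstate_cpu_init(), so if the turbo setting changes after init the reported maximum stays at whatever was sampled here. Either document that cpuinfo.max_freq reflects the turbo state at init time, or refresh it wherever the turbo state is re-read. A short comment saying why update_turbo_state() must run before the ternary would also help.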

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 240/305] ARC: unwind: ensure that .debug_frame is generated (vs. .eh_frame)
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (91 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 153/305] tcp: record TLP and ER timer stats in v6 stats Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 165/305] iio: proximity: as3935: fix buffer stack trashing Ben Hutchings
                   ` (212 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Vineet Gupta

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <vgupta@synopsys.com>

commit f52e126cc7476196f44f3c313b7d9f0699a881fc upstream.

With recent binutils update to support dwarf CFI pseudo-ops in gas, we
now get .eh_frame vs. .debug_frame. Although the call frame info is
exactly the same in both, the CIE differs, which the current kernel
unwinder can't cope with.

This broke both the kernel unwinder as well as loadable modules (latter
because of a new unhandled relo R_ARC_32_PCREL from .rela.eh_frame in
the module loader)

The ideal solution would be to switch unwinder to .eh_frame.
For now however we can make do by just ensuring .debug_frame is
generated by removing -fasynchronous-unwind-tables

 .eh_frame    generated with -gdwarf-2 -fasynchronous-unwind-tables
 .debug_frame generated with -gdwarf-2

Fixes STAR 9001058196

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arc/Makefile | 2 --
 1 file changed, 2 deletions(-)

--- a/arch/arc/Makefile
+++ b/arch/arc/Makefile
@@ -35,8 +35,6 @@ cflags-$(atleast_gcc44)			+= -fsection-a
 cflags-$(CONFIG_ARC_HAS_LLSC)		+= -mlock
 cflags-$(CONFIG_ARC_HAS_SWAPE)		+= -mswape
 cflags-$(CONFIG_ARC_HAS_RTSC)		+= -mrtsc
-cflags-$(CONFIG_ARC_DW2_UNWIND)		+= -fasynchronous-unwind-tables
-
 # By default gcc 4.8 generates dwarf4 which kernel unwinder can't grok
 ifeq ($(atleast_gcc48),y)
 cflags-$(CONFIG_ARC_DW2_UNWIND)		+= -gdwarf-2
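Review bot: with -fasynchronous-unwind-tables removed, nothing in this block records why the flag must stay out, and -gdwarf-2 is only added under the atleast_gcc48 check, so it is unclear which option yields .debug_frame for older compilers when CONFIG_ARC_DW2_UNWIND is set. Add a Makefile comment stating that the unwinder only handles .debug_frame, and consider passing -fno-asynchronous-unwind-tables explicitly so a toolchain default cannot bring .eh_frame back. The removed blank line also leaves the gcc 4.8 comment directly under the -mrtsc line.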

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 069/305] powerpc/mm/hash64: Factor out hash preload psize check
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (213 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 061/305] MIPS: KVM: Fix timer IRQ race when freezing timer Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 195/305] base: make module_create_drivers_dir race-free Ben Hutchings
                   ` (90 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit 8bbc9b7b001eaab8abf7e9e24edf1bb285c8d825 upstream.

Currently we have a check in hash_preload() against the psize, which is
only included when CONFIG_PPC_MM_SLICES is enabled. We want to expand
this check in a subsequent patch, so factor it out to allow that. As a
bonus it removes the #ifdef in the C code.

Unfortunately we can't put this in the existing CONFIG_PPC_MM_SLICES
block because it would require a forward declaration.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/mm/hash_utils_64.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

--- a/arch/powerpc/mm/hash_utils_64.c
+++ b/arch/powerpc/mm/hash_utils_64.c
@@ -1196,6 +1196,22 @@ bail:
 }
 EXPORT_SYMBOL_GPL(hash_page);
 
+#ifdef CONFIG_PPC_MM_SLICES
+static bool should_hash_preload(struct mm_struct *mm, unsigned long ea)
+{
+	/* We only prefault standard pages for now */
+	if (unlikely(get_slice_psize(mm, ea) != mm->context.user_psize))
+		return false;
+
+	return true;
+}
+#else
+static bool should_hash_preload(struct mm_struct *mm, unsigned long ea)
+{
+	return true;
+}
+#endif
+
 void hash_preload(struct mm_struct *mm, unsigned long ea,
 		  unsigned long access, unsigned long trap)
 {
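Review bot: the two should_hash_preload() definitions sit in a new #ifdef CONFIG_PPC_MM_SLICES block with no comment explaining why they are not in the existing one. The commit message gives the reason (a forward declaration would be needed); a one-line comment above the #ifdef would stop someone merging the blocks later. The comment could also say that the "return false ... return true" shape is there because a further check is planned, since on its own it reads as needlessly long.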
@@ -1208,11 +1224,8 @@ void hash_preload(struct mm_struct *mm,
 
 	BUG_ON(REGION_ID(ea) != USER_REGION_ID);
 
-#ifdef CONFIG_PPC_MM_SLICES
-	/* We only prefault standard pages for now */
-	if (unlikely(get_slice_psize(mm, ea) != mm->context.user_psize))
+	if (!should_hash_preload(mm, ea))
 		return;
-#endif
 
 	DBG_LOW("hash_preload(mm=%p, mm->pgdir=%p, ea=%016lx, access=%lx,"
 		" trap=%lx\n", mm, mm->pgd, ea, access, trap);

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 044/305] USB: serial: option: add more ZTE device ids
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (85 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 282/305] KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 026/305] crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks Ben Hutchings
                   ` (218 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, lei liu, Johan Hovold, Greg Kroah-Hartman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: lei liu <liu.lei78@zte.com.cn>

commit f0d09463c59c2d764a6c6d492cbe6d2c77f27153 upstream.

More ZTE device ids.

Signed-off-by: lei liu <liu.lei78@zte.com.cn>
[properly sort them - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 75 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 74 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1629,7 +1629,79 @@ static const struct usb_device_id option
 		.driver_info = (kernel_ulong_t)&net_intf3_blacklist },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0178, 0xff, 0xff, 0xff),
 		.driver_info = (kernel_ulong_t)&net_intf3_blacklist },
-	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffe9, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff42, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff43, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff44, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff45, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff46, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff47, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff48, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff49, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4a, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4b, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4c, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4d, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4e, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff4f, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff50, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff51, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff52, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff53, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff54, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff55, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff56, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff57, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff58, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff59, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5a, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5b, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5c, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5d, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5e, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff5f, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff60, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff61, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff62, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff63, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff64, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff65, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff66, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff67, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff68, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff69, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6a, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6b, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6c, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6d, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6e, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff6f, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff70, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff71, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff72, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff73, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff74, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff75, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff76, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff77, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff78, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff79, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7a, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7b, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7c, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7d, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7e, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff7f, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff80, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff81, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff82, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff83, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff84, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff85, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff86, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff87, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff88, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff89, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff8a, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff8b, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff8c, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff8d, 0xff, 0xff, 0xff) },
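Review bot: the 73 added product ids (0xff42 through 0xff8a) all bind on the 0xff/0xff/0xff interface triple with no .driver_info, whereas the entries just above them carry net_intf3_blacklist, and the commit message ("More ZTE device ids.") does not say which devices these are or whether any of them expose a network interface the serial driver should leave alone. Please record where the list comes from and confirm none of the new ids need a blacklist entry. Moving 0xffe9 after 0xff94 in the next hunk keeps the table sorted.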
@@ -1640,6 +1712,7 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff92, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff93, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff94, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffe9, 0xff, 0xff, 0xff) },
 
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_CDMA_TECH, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_AC2726, 0xff, 0xff, 0xff) },

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 186/305] spi: sunxi: fix transfer timeout
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (302 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 127/305] Input: pwm-beeper - fix - scheduling while atomic Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 141/305] KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi Ben Hutchings
  2016-08-13 20:43 ` [PATCH 3.16 000/305] 3.16.37-rc1 review Guenter Roeck
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Maxime Ripard, Michal Suchanek

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Suchanek <hramrach@gmail.com>

commit 719bd6542044efd9b338a53dba1bef45f40ca169 upstream.

The transfer timeout is fixed at 1000 ms. Reading a 4Mbyte flash over
1MHz SPI bus takes way longer than that. Calculate the timeout from the
actual time the transfer is supposed to take and multiply by 2 for good
measure.

Signed-off-by: Michal Suchanek <hramrach@gmail.com>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-sun4i.c | 10 +++++++++-
 drivers/spi/spi-sun6i.c | 10 +++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -170,6 +170,7 @@ static int sun4i_spi_transfer_one(struct
 {
 	struct sun4i_spi *sspi = spi_master_get_devdata(master);
 	unsigned int mclk_rate, div, timeout;
+	unsigned int start, end, tx_time;
 	unsigned int tx_len = 0;
 	int ret = 0;
 	u32 reg;
@@ -286,9 +287,16 @@ static int sun4i_spi_transfer_one(struct
 	reg = sun4i_spi_read(sspi, SUN4I_CTL_REG);
 	sun4i_spi_write(sspi, SUN4I_CTL_REG, reg | SUN4I_CTL_XCH);
 
+	tx_time = max(tfr->len * 8 * 2 / (tfr->speed_hz / 1000), 100U);
+	start = jiffies;
 	timeout = wait_for_completion_timeout(&sspi->done,
-					      msecs_to_jiffies(1000));
+					      msecs_to_jiffies(tx_time));
+	end = jiffies;
 	if (!timeout) {
+		dev_warn(&master->dev,
+			 "%s: timeout transferring %u bytes@%iHz for %i(%i)ms",
+			 dev_name(&spi->dev), tfr->len, tfr->speed_hz,
+			 jiffies_to_msecs(end - start), tx_time);
 		ret = -ETIMEDOUT;
 		goto out;
 	}
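Review bot: in the tx_time computation, tfr->speed_hz / 1000 evaluates to 0 for any speed below 1000 Hz, which makes the expression divide by zero, and tfr->len * 8 * 2 is multiplied out before the division, so a very large transfer can wrap. Clamp the divisor to at least 1 (or compute in 64 bits with div_u64()) and check that speed_hz has been validated earlier in the function. Smaller points: start and end are unsigned int while jiffies is unsigned long, the dev_warn() format uses %i for unsigned values, and the message lacks a trailing newline.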
--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -160,6 +160,7 @@ static int sun6i_spi_transfer_one(struct
 {
 	struct sun6i_spi *sspi = spi_master_get_devdata(master);
 	unsigned int mclk_rate, div, timeout;
+	unsigned int start, end, tx_time;
 	unsigned int tx_len = 0;
 	int ret = 0;
 	u32 reg;
@@ -269,9 +270,16 @@ static int sun6i_spi_transfer_one(struct
 	reg = sun6i_spi_read(sspi, SUN6I_TFR_CTL_REG);
 	sun6i_spi_write(sspi, SUN6I_TFR_CTL_REG, reg | SUN6I_TFR_CTL_XCH);
 
+	tx_time = max(tfr->len * 8 * 2 / (tfr->speed_hz / 1000), 100U);
+	start = jiffies;
 	timeout = wait_for_completion_timeout(&sspi->done,
-					      msecs_to_jiffies(1000));
+					      msecs_to_jiffies(tx_time));
+	end = jiffies;
 	if (!timeout) {
+		dev_warn(&master->dev,
+			 "%s: timeout transferring %u bytes@%iHz for %i(%i)ms",
+			 dev_name(&spi->dev), tfr->len, tfr->speed_hz,
+			 jiffies_to_msecs(end - start), tx_time);
 		ret = -ETIMEDOUT;
 		goto out;
 	}
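Review bot: this is a line-for-line copy of the timeout computation and warning added to spi-sun4i.c, so the same divisor and format-string points apply here. A small shared helper that returns the timeout in milliseconds for a given length and speed would keep the two drivers from drifting apart.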

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 301/305] netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (108 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 140/305] ARM: fix PTRACE_SETVFPREGS on SMP systems Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 169/305] usb: gadget: fix spinlock dead lock in gadgetfs Ben Hutchings
                   ` (195 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Westphal, Pablo Neira Ayuso

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 0188346f21e6546498c2a0f84888797ad4063fc5 upstream.

Always returned 0.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/netfilter/x_tables.h |  2 +-
 net/ipv4/netfilter/arp_tables.c    | 17 +++++------------
 net/ipv4/netfilter/ip_tables.c     | 26 +++++++++-----------------
 net/ipv6/netfilter/ip6_tables.c    | 27 +++++++++------------------
 net/netfilter/x_tables.c           |  5 ++---
 5 files changed, 26 insertions(+), 51 deletions(-)

--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -425,7 +425,7 @@ void xt_compat_init_offsets(u_int8_t af,
 int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
 
 int xt_compat_match_offset(const struct xt_match *match);
-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
+void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
 			      unsigned int *size);
 int xt_compat_match_to_user(const struct xt_entry_match *m,
 			    void __user **dstptr, unsigned int *size);
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1301,7 +1301,7 @@ out:
 	return ret;
 }
 
-static int
+static void
 compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
 			    unsigned int *size,
 			    struct xt_table_info *newinfo, unsigned char *base)
@@ -1310,9 +1310,8 @@ compat_copy_entry_from_user(struct compa
 	struct xt_target *target;
 	struct arpt_entry *de;
 	unsigned int origsize;
-	int ret, h;
+	int h;
 
-	ret = 0;
 	origsize = *size;
 	de = (struct arpt_entry *)*dstptr;
 	memcpy(de, e, sizeof(struct arpt_entry));
@@ -1333,7 +1332,6 @@ compat_copy_entry_from_user(struct compa
 		if ((unsigned char *)de - base < newinfo->underflow[h])
 			newinfo->underflow[h] -= origsize - *size;
 	}
-	return ret;
 }
 
 static int translate_compat_table(struct xt_table_info **pinfo,
@@ -1412,16 +1410,11 @@ static int translate_compat_table(struct
 	entry1 = newinfo->entries[raw_smp_processor_id()];
 	pos = entry1;
 	size = compatr->size;
-	xt_entry_foreach(iter0, entry0, compatr->size) {
-		ret = compat_copy_entry_from_user(iter0, &pos, &size,
-						  newinfo, entry1);
-		if (ret != 0)
-			break;
-	}
+	xt_entry_foreach(iter0, entry0, compatr->size)
+		compat_copy_entry_from_user(iter0, &pos, &size,
+					    newinfo, entry1);
 	xt_compat_flush_offsets(NFPROTO_ARP);
 	xt_compat_unlock(NFPROTO_ARP);
-	if (ret)
-		goto free_newinfo;
 
 	ret = -ELOOP;
 	if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1565,7 +1565,7 @@ release_matches:
 	return ret;
 }
 
-static int
+static void
 compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
 			    unsigned int *size,
 			    struct xt_table_info *newinfo, unsigned char *base)
@@ -1574,10 +1574,9 @@ compat_copy_entry_from_user(struct compa
 	struct xt_target *target;
 	struct ipt_entry *de;
 	unsigned int origsize;
-	int ret, h;
+	int h;
 	struct xt_entry_match *ematch;
 
-	ret = 0;
 	origsize = *size;
 	de = (struct ipt_entry *)*dstptr;
 	memcpy(de, e, sizeof(struct ipt_entry));
@@ -1586,11 +1585,9 @@ compat_copy_entry_from_user(struct compa
 	*dstptr += sizeof(struct ipt_entry);
 	*size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
 
-	xt_ematch_foreach(ematch, e) {
-		ret = xt_compat_match_from_user(ematch, dstptr, size);
-		if (ret != 0)
-			return ret;
-	}
+	xt_ematch_foreach(ematch, e)
+		xt_compat_match_from_user(ematch, dstptr, size);
+
 	de->target_offset = e->target_offset - (origsize - *size);
 	t = compat_ipt_get_target(e);
 	target = t->u.kernel.target;
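Review bot: once xt_compat_match_from_user() and compat_copy_entry_from_user() return void, this copy path (memcpy() into de, then advancing *dstptr and *size for each match) has no way to report a malformed entry, so its safety depends entirely on the entries having been validated before translate_compat_table() reaches the copy loop. Add a comment on compat_copy_entry_from_user() stating that precondition, so that a later change which introduces a failure case here is not silently ignored.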
@@ -1603,7 +1600,6 @@ compat_copy_entry_from_user(struct compa
 		if ((unsigned char *)de - base < newinfo->underflow[h])
 			newinfo->underflow[h] -= origsize - *size;
 	}
-	return ret;
 }
 
 static int
@@ -1719,16 +1715,12 @@ translate_compat_table(struct net *net,
 	entry1 = newinfo->entries[raw_smp_processor_id()];
 	pos = entry1;
 	size = compatr->size;
-	xt_entry_foreach(iter0, entry0, compatr->size) {
-		ret = compat_copy_entry_from_user(iter0, &pos, &size,
-						  newinfo, entry1);
-		if (ret != 0)
-			break;
-	}
+	xt_entry_foreach(iter0, entry0, compatr->size)
+		compat_copy_entry_from_user(iter0, &pos, &size,
+					    newinfo, entry1);
+
 	xt_compat_flush_offsets(AF_INET);
 	xt_compat_unlock(AF_INET);
-	if (ret)
-		goto free_newinfo;
 
 	ret = -ELOOP;
 	if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1578,7 +1578,7 @@ release_matches:
 	return ret;
 }
 
-static int
+static void
 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
 			    unsigned int *size,
 			    struct xt_table_info *newinfo, unsigned char *base)
@@ -1586,10 +1586,9 @@ compat_copy_entry_from_user(struct compa
 	struct xt_entry_target *t;
 	struct ip6t_entry *de;
 	unsigned int origsize;
-	int ret, h;
+	int h;
 	struct xt_entry_match *ematch;
 
-	ret = 0;
 	origsize = *size;
 	de = (struct ip6t_entry *)*dstptr;
 	memcpy(de, e, sizeof(struct ip6t_entry));
@@ -1598,11 +1597,9 @@ compat_copy_entry_from_user(struct compa
 	*dstptr += sizeof(struct ip6t_entry);
 	*size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
 
-	xt_ematch_foreach(ematch, e) {
-		ret = xt_compat_match_from_user(ematch, dstptr, size);
-		if (ret != 0)
-			return ret;
-	}
+	xt_ematch_foreach(ematch, e)
+		xt_compat_match_from_user(ematch, dstptr, size);
+
 	de->target_offset = e->target_offset - (origsize - *size);
 	t = compat_ip6t_get_target(e);
 	xt_compat_target_from_user(t, dstptr, size);
@@ -1614,7 +1611,6 @@ compat_copy_entry_from_user(struct compa
 		if ((unsigned char *)de - base < newinfo->underflow[h])
 			newinfo->underflow[h] -= origsize - *size;
 	}
-	return ret;
 }
 
 static int compat_check_entry(struct ip6t_entry *e, struct net *net,
@@ -1729,17 +1725,12 @@ translate_compat_table(struct net *net,
 	}
 	entry1 = newinfo->entries[raw_smp_processor_id()];
 	pos = entry1;
-	size = compatr->size;
-	xt_entry_foreach(iter0, entry0, compatr->size) {
-		ret = compat_copy_entry_from_user(iter0, &pos, &size,
-						  newinfo, entry1);
-		if (ret != 0)
-			break;
-	}
+	xt_entry_foreach(iter0, entry0, compatr->size)
+		compat_copy_entry_from_user(iter0, &pos, &size,
+					    newinfo, entry1);
+
 	xt_compat_flush_offsets(AF_INET6);
 	xt_compat_unlock(AF_INET6);
-	if (ret)
-		goto free_newinfo;
 
 	ret = -ELOOP;
 	if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
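
Review bot: this hunk removes `size = compatr->size;`, but the IPv4 version of the same function keeps that assignment as context, and `&size` is still passed to compat_copy_entry_from_user and updated by it. Please confirm that size already holds compatr->size at this point in translate_compat_table and has not been modified since; if it has, keep the assignment so the offsets derived from origsize - *size start from the right value.
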
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -545,8 +545,8 @@ int xt_compat_match_offset(const struct
 }
 EXPORT_SYMBOL_GPL(xt_compat_match_offset);
 
-int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
-			      unsigned int *size)
+void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
+			       unsigned int *size)
 {
 	const struct xt_match *match = m->u.kernel.match;
 	struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
@@ -568,7 +568,6 @@ int xt_compat_match_from_user(struct xt_
 
 	*size += off;
 	*dstptr += msize;
-	return 0;
 }
 EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
 

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 248/305] ipr: Clear interrupt on croc/crocodile when running with LSI
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (276 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 199/305] IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 003/305] ARM: dts: kirkwood: add kirkwood-nsa320.dtb to Makefile Ben Hutchings
                   ` (27 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, Benjamin Herrenschmidt, Brian King

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Brian King <brking@linux.vnet.ibm.com>

commit 54e430bbd490e18ab116afa4cd90dcc45787b3df upstream.

If we fall back to using LSI on the Croc or Crocodile chip we need to
clear the interrupt so we don't hang the system.

Tested-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/ipr.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -9753,6 +9753,7 @@ static int ipr_probe_ioa(struct pci_dev
 		ioa_cfg->intr_flag = IPR_USE_MSI;
 	else {
 		ioa_cfg->intr_flag = IPR_USE_LSI;
+		ioa_cfg->clear_isr = 1;
 		ioa_cfg->nvectors = 1;
 		dev_info(&pdev->dev, "Cannot enable MSI.\n");
 	}
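
Review bot: clear_isr is set for every adapter that ends up in the LSI fallback branch, while the changelog limits the problem to the Croc and Crocodile chips. If other chips can reach this else branch, say whether clearing the interrupt is harmless for them, or make the assignment conditional on the chip type. The dev_info text "Cannot enable MSI." could also say that the driver is falling back to LSI, since that is the state it is now in.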

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 077/305] ring-buffer: Use long for nr_pages to avoid overflow failures
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (197 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 250/305] net: phy: Manage fixed PHY address space using IDA Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 223/305] HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands Ben Hutchings
                   ` (106 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hao Qin, Steven Rostedt (Red Hat)

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 9b94a8fba501f38368aef6ac1b30e7335252a220 upstream.

The size variable to change the ring buffer in ftrace is a long. The
nr_pages used to update the ring buffer based on the size is int. On 64 bit
machines this can cause an overflow problem.

For example, the following will cause the ring buffer to crash:

 # cd /sys/kernel/debug/tracing
 # echo 10 > buffer_size_kb
 # echo 8556384240 > buffer_size_kb

Then you get the warning of:

 WARNING: CPU: 1 PID: 318 at kernel/trace/ring_buffer.c:1527 rb_update_pages+0x22f/0x260

Which is:

  RB_WARN_ON(cpu_buffer, nr_removed);

Note each ring buffer page holds 4080 bytes.

This is because:

 1) 10 causes the ring buffer to have 3 pages.
    (10kb requires 3 * 4080 pages to hold)

 2) (2^31 / 2^10  + 1) * 4080 = 8556384240
    The value written into buffer_size_kb is shifted by 10 and then passed
    to ring_buffer_resize(). 8556384240 * 2^10 = 8761737461760

 3) The size passed to ring_buffer_resize() is then divided by BUF_PAGE_SIZE
    which is 4080. 8761737461760 / 4080 = 2147484672

 4) nr_pages is subtracted from the current nr_pages (3) and we get:
    2147484669. This value is saved in a signed integer nr_pages_to_update

 5) 2147484669 is greater than 2^31 but smaller than 2^32, a signed int
    turns into the value of -2147482627

 6) As the value is a negative number, in update_pages_handler() it is
    negated and passed to rb_remove_pages() and 2147482627 pages will
    be removed, which is much larger than 3 and it causes the warning
    because not all the pages asked to be removed were removed.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=118001

Fixes: 7a8e76a3829f1 ("tracing: unified trace buffer")
Reported-by: Hao Qin <QEver.cn@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/ring_buffer.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -466,7 +466,7 @@ struct ring_buffer_per_cpu {
 	raw_spinlock_t			reader_lock;	/* serialize readers */
 	arch_spinlock_t			lock;
 	struct lock_class_key		lock_key;
-	unsigned int			nr_pages;
+	unsigned long			nr_pages;
 	struct list_head		*pages;
 	struct buffer_page		*head_page;	/* read from head */
 	struct buffer_page		*tail_page;	/* write to tail */
@@ -486,7 +486,7 @@ struct ring_buffer_per_cpu {
 	u64				write_stamp;
 	u64				read_stamp;
 	/* ring buffer pages to update, > 0 to add, < 0 to remove */
-	int				nr_pages_to_update;
+	long				nr_pages_to_update;
 	struct list_head		new_pages; /* new pages to add */
 	struct work_struct		update_pages_work;
 	struct completion		update_done;
@@ -1165,10 +1165,10 @@ static int rb_check_pages(struct ring_bu
 	return 0;
 }
 
-static int __rb_allocate_pages(int nr_pages, struct list_head *pages, int cpu)
+static int __rb_allocate_pages(long nr_pages, struct list_head *pages, int cpu)
 {
-	int i;
 	struct buffer_page *bpage, *tmp;
+	long i;
 
 	for (i = 0; i < nr_pages; i++) {
 		struct page *page;
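
Review bot: __rb_allocate_pages now takes a signed long nr_pages (and a signed long i), while its caller rb_allocate_pages and the nr_pages field in ring_buffer_per_cpu are changed to unsigned long. A count above LONG_MAX would arrive here as a negative number and the `for (i = 0; i < nr_pages; i++)` loop would not run at all. Using unsigned long for both the parameter and the loop index would keep the types consistent along the whole call chain.
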
@@ -1205,7 +1205,7 @@ free_pages:
 }
 
 static int rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer,
-			     unsigned nr_pages)
+			     unsigned long nr_pages)
 {
 	LIST_HEAD(pages);
 
@@ -1230,7 +1230,7 @@ static int rb_allocate_pages(struct ring
 }
 
 static struct ring_buffer_per_cpu *
-rb_allocate_cpu_buffer(struct ring_buffer *buffer, int nr_pages, int cpu)
+rb_allocate_cpu_buffer(struct ring_buffer *buffer, long nr_pages, int cpu)
 {
 	struct ring_buffer_per_cpu *cpu_buffer;
 	struct buffer_page *bpage;
@@ -1330,8 +1330,9 @@ struct ring_buffer *__ring_buffer_alloc(
 					struct lock_class_key *key)
 {
 	struct ring_buffer *buffer;
+	long nr_pages;
 	int bsize;
-	int cpu, nr_pages;
+	int cpu;
 
 	/* keep it in its own cache line */
 	buffer = kzalloc(ALIGN(sizeof(*buffer), cache_line_size()),
@@ -1457,12 +1458,12 @@ static inline unsigned long rb_page_writ
 }
 
 static int
-rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
+rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages)
 {
 	struct list_head *tail_page, *to_remove, *next_page;
 	struct buffer_page *to_remove_page, *tmp_iter_page;
 	struct buffer_page *last_page, *first_page;
-	unsigned int nr_removed;
+	unsigned long nr_removed;
 	unsigned long head_bit;
 	int page_entries;
 
@@ -1679,7 +1680,7 @@ int ring_buffer_resize(struct ring_buffe
 			int cpu_id)
 {
 	struct ring_buffer_per_cpu *cpu_buffer;
-	unsigned nr_pages;
+	unsigned long nr_pages;
 	int cpu, err = 0;
 
 	/*
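
Review bot: widening nr_pages in ring_buffer_resize removes the truncation, but the hunk adds no upper bound on the requested size, so the reproducer from the changelog now becomes a request for 2147484672 pages rather than a wrapped negative count. Please state in the changelog what is expected to happen for such a request (a clean allocation failure, or a sanity limit applied before the division by BUF_PAGE_SIZE) so the behaviour after the fix is explicit.
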
@@ -4669,8 +4670,9 @@ static int rb_cpu_notify(struct notifier
 	struct ring_buffer *buffer =
 		container_of(self, struct ring_buffer, cpu_notify);
 	long cpu = (long)hcpu;
-	int cpu_i, nr_pages_same;
-	unsigned int nr_pages;
+	long nr_pages_same;
+	int cpu_i;
+	unsigned long nr_pages;
 
 	switch (action) {
 	case CPU_UP_PREPARE:
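
Review bot: nr_pages_same is widened to long in this hunk, although its name suggests it only records whether the per-CPU page counts match. If it is a flag, int is enough and only nr_pages needs the wider type; if it does hold a page count, a name that says so would help the next reader.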

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 183/305] crypto: ux500 - memmove the right size
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (99 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 229/305] fs/nilfs2: fix potential underflow in call to crc32_le Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 106/305] net: ehea: avoid null pointer dereference Ben Hutchings
                   ` (204 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Joakim Bech, Linus Walleij, Herbert Xu, David Binderman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 19ced623db2fe91604d69f7d86b03144c5107739 upstream.

The hash buffer is really HASH_BLOCK_SIZE bytes, someone
must have thought that memmove takes n*u32 words by mistake.
Tests work as good/bad as before after this patch.

Cc: Joakim Bech <joakim.bech@linaro.org>
Reported-by: David Binderman <linuxdev.baldrick@gmail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/ux500/hash/hash_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/crypto/ux500/hash/hash_core.c
+++ b/drivers/crypto/ux500/hash/hash_core.c
@@ -797,7 +797,7 @@ static int hash_process_data(struct hash
 						&device_data->state);
 				memmove(req_ctx->state.buffer,
 					device_data->state.buffer,
-					HASH_BLOCK_SIZE / sizeof(u32));
+					HASH_BLOCK_SIZE);
 				if (ret) {
 					dev_err(device_data->dev,
 						"%s: hash_resume_state() failed!\n",
@@ -848,7 +848,7 @@ static int hash_process_data(struct hash
 
 			memmove(device_data->state.buffer,
 				req_ctx->state.buffer,
-				HASH_BLOCK_SIZE / sizeof(u32));
+				HASH_BLOCK_SIZE);
 			if (ret) {
 				dev_err(device_data->dev, "%s: hash_save_state() failed!\n",
 					__func__);
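
Review bot: in this hunk, as in the one before it, the memmove runs before the `if (ret)` check that follows it, so the copy (now four times larger) still happens when hash_save_state() or hash_resume_state() has reported failure. Moving each copy after its error check would avoid propagating a state buffer from a failed call. The length is also still a bare constant: taking it from the buffer itself with sizeof, or asserting at build time that the buffer is HASH_BLOCK_SIZE bytes, would keep source, destination and length in step, which is the kind of mismatch this patch corrects.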

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 119/305] UBI: Fix static volume checks when Fastmap is used
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (39 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 284/305] s390/sclp_ctl: fix potential information leak with /dev/sclp Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 278/305] ALSA: timer: Fix leak in events via snd_timer_user_ccallback Ben Hutchings
                   ` (264 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Richard Weinberger, Ezequiel Garcia

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 1900149c835ab5b48bea31a823ea5e5a401fb560 upstream.

Ezequiel reported that he's facing UBI going into read-only
mode after power cut. It turned out that this behavior happens
only when updating a static volume is interrupted and Fastmap is
used.

A possible trace can look like:
ubi0 warning: ubi_io_read_vid_hdr [ubi]: no VID header found at PEB 2323, only 0xFF bytes
ubi0 warning: ubi_eba_read_leb [ubi]: switch to read-only mode
CPU: 0 PID: 833 Comm: ubiupdatevol Not tainted 4.6.0-rc2-ARCH #4
Hardware name: SAMSUNG ELECTRONICS CO., LTD. 300E4C/300E5C/300E7C/NP300E5C-AD8AR, BIOS P04RAP 10/15/2012
0000000000000286 00000000eba949bd ffff8800c45a7b38 ffffffff8140d841
ffff8801964be000 ffff88018eaa4800 ffff8800c45a7bb8 ffffffffa003abf6
ffffffff850e2ac0 8000000000000163 ffff8801850e2ac0 ffff8801850e2ac0
Call Trace:
[<ffffffff8140d841>] dump_stack+0x63/0x82
[<ffffffffa003abf6>] ubi_eba_read_leb+0x486/0x4a0 [ubi]
[<ffffffffa00453b3>] ubi_check_volume+0x83/0xf0 [ubi]
[<ffffffffa0039d97>] ubi_open_volume+0x177/0x350 [ubi]
[<ffffffffa00375d8>] vol_cdev_open+0x58/0xb0 [ubi]
[<ffffffff8124b08e>] chrdev_open+0xae/0x1d0
[<ffffffff81243bcf>] do_dentry_open+0x1ff/0x300
[<ffffffff8124afe0>] ? cdev_put+0x30/0x30
[<ffffffff81244d36>] vfs_open+0x56/0x60
[<ffffffff812545f4>] path_openat+0x4f4/0x1190
[<ffffffff81256621>] do_filp_open+0x91/0x100
[<ffffffff81263547>] ? __alloc_fd+0xc7/0x190
[<ffffffff812450df>] do_sys_open+0x13f/0x210
[<ffffffff812451ce>] SyS_open+0x1e/0x20
[<ffffffff81a99e32>] entry_SYSCALL_64_fastpath+0x1a/0xa4

UBI checks static volumes for data consistency and reads the
whole volume upon first open. If the volume is found erroneous
users of UBI cannot read from it, but another volume update is
possible to fix it. The check is performed by running
ubi_eba_read_leb() on every allocated LEB of the volume.
For static volumes ubi_eba_read_leb() computes the checksum of all
data stored in a LEB. To verify the computed checksum it has to read
the LEB's volume header which stores the original checksum.
If the volume header is not found UBI treats this as fatal internal
error and switches to RO mode. If the UBI device was attached via a
full scan the assumption is correct, the volume header has to be
present as it had to be there while scanning to get known as mapped.
If the attach operation happened via Fastmap the assumption is no
longer correct. When attaching via Fastmap UBI learns the mapping
table from Fastmap's snapshot of the system state and not via a full
scan. It can happen that a LEB got unmapped after a Fastmap was
written to the flash. Then UBI can learn the LEB still as mapped and
accessing it returns only 0xFF bytes. As UBI is not a FTL it is
allowed to have mappings to empty PEBs, it assumes that the layer
above takes care of LEB accounting and referencing.
UBIFS does so using the LEB property tree (LPT).
For static volumes UBI blindly assumes that all LEBs are present and
therefore special actions have to be taken.

The described situation can happen when updating a static volume is
interrupted, either by a user or a power cut.
The volume update code first unmaps all LEBs of a volume and then
writes LEB by LEB. If the sequence of operations is interrupted UBI
detects this either by the absence of LEBs, no volume header present
at scan time, or corrupted payload, detected via checksum.
In the Fastmap case the former method won't trigger as no scan
happened and UBI automatically thinks all LEBs are present.
Only by reading data from a LEB it detects that the volume header is
missing and incorrectly treats this as fatal error.
To deal with the situation ubi_eba_read_leb() from now on checks
whether we attached via Fastmap and handles the absence of a
volume header like a data corruption error.
This way interrupted static volume updates will correctly get detected
also when Fastmap is used.

Reported-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Tested-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/ubi/eba.c     | 21 +++++++++++++++++++--
 drivers/mtd/ubi/fastmap.c |  1 +
 drivers/mtd/ubi/ubi.h     |  2 ++
 3 files changed, 22 insertions(+), 2 deletions(-)

--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -426,8 +426,25 @@ retry:
 						 pnum, vol_id, lnum);
 					err = -EBADMSG;
 				} else {
-					err = -EINVAL;
-					ubi_ro_mode(ubi);
+					/*
+					 * Ending up here in the non-Fastmap case
+					 * is a clear bug as the VID header had to
+					 * be present at scan time to have it referenced.
+					 * With fastmap the story is more complicated.
+					 * Fastmap has the mapping info without the need
+					 * of a full scan. So the LEB could have been
+					 * unmapped, Fastmap cannot know this and keeps
+					 * the LEB referenced.
+					 * This is valid and works as the layer above UBI
+					 * has to do bookkeeping about used/referenced
+					 * LEBs in any case.
+					 */
+					if (ubi->fast_attach) {
+						err = -EBADMSG;
+					} else {
+						err = -EINVAL;
+						ubi_ro_mode(ubi);
+					}
 				}
 			}
 			goto out_free;
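
Review bot: the new `if (ubi->fast_attach)` branch returns -EBADMSG without printing anything, and fast_attach stays set once the device has been attached via Fastmap. On such a device a VID header that is missing because of a real bug (the "clear bug" case the new comment describes) is therefore downgraded as well and never reported. Logging a warning that includes pnum, vol_id and lnum in this branch, as the neighbouring -EBADMSG path does, would keep that case visible.
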
--- a/drivers/mtd/ubi/fastmap.c
+++ b/drivers/mtd/ubi/fastmap.c
@@ -1070,6 +1070,7 @@ int ubi_scan_fastmap(struct ubi_device *
 	ubi_msg("fastmap pool size: %d", ubi->fm_pool.max_size);
 	ubi_msg("fastmap WL pool size: %d", ubi->fm_wl_pool.max_size);
 	ubi->fm_disabled = 0;
+	ubi->fast_attach = 1;
 
 	ubi_free_vid_hdr(ubi, vh);
 	kfree(ech);
--- a/drivers/mtd/ubi/ubi.h
+++ b/drivers/mtd/ubi/ubi.h
@@ -426,6 +426,7 @@ struct ubi_debug_info {
  * @fm_size: fastmap size in bytes
  * @fm_sem: allows ubi_update_fastmap() to block EBA table changes
  * @fm_work: fastmap work queue
+ * @fast_attach: non-zero if UBI was attached by fastmap
  *
  * @used: RB-tree of used physical eraseblocks
  * @erroneous: RB-tree of erroneous used physical eraseblocks
@@ -531,6 +532,7 @@ struct ubi_device {
 	void *fm_buf;
 	size_t fm_size;
 	struct work_struct fm_work;
+	int fast_attach;
 
 	/* Wear-leveling sub-system's stuff */
 	struct rb_root used;

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 211/305] powerpc/bpf/jit: Disable classic BPF JIT on ppc64le
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (161 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 066/305] irqchip/gic: Ensure ordering between read of INTACK and shared data Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 018/305] scsi: Add intermediate STARGET_REMOVE state to scsi_target_state Ben Hutchings
                   ` (142 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thadeu Lima de Souza Cascardo, Naveen N. Rao, Michael Ellerman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>

commit 844e3be47693f92a108cb1fb3b0606bf25e9c7a6 upstream.

Classic BPF JIT was never ported completely to work on little endian
powerpc. However, it can be enabled and will crash the system when used.
As such, disable use of BPF JIT on ppc64le.

Fixes: 7c105b63bd98 ("powerpc: Add CONFIG_CPU_LITTLE_ENDIAN kernel config option.")
Reported-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[bwh: Backported to 3.16: config symbol is BPF_JIT and also depends on PPC64]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -124,7 +124,7 @@ config PPC
 	select IRQ_FORCED_THREADING
 	select HAVE_RCU_TABLE_FREE if SMP
 	select HAVE_SYSCALL_TRACEPOINTS
-	select HAVE_BPF_JIT if PPC64
+	select HAVE_BPF_JIT if PPC64 && CPU_BIG_ENDIAN
 	select HAVE_ARCH_JUMP_LABEL
 	select ARCH_HAVE_NMI_SAFE_CMPXCHG
 	select GENERIC_SMP_IDLE_THREAD
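
Review bot: the added `&& CPU_BIG_ENDIAN` condition has no explanation in the Kconfig file itself, so the reason (the classic BPF JIT was never completely ported to little endian and crashes when used) lives only in the changelog. A one-line comment above the select would stop the condition from being dropped later as apparently redundant. It is also worth noting in the changelog that existing ppc64le configurations with BPF_JIT=y will lose the option without any message when the config is regenerated.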

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 074/305] powerpc/iommu: Remove the dependency on EEH struct in DDW mechanism
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (46 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 204/305] tracing: Handle NULL formats in hold_module_trace_bprintk_format() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 208/305] ubi: Make recover_peb power cut aware Ben Hutchings
                   ` (257 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Guilherme G. Piccoli, Gavin Shan, Michael Ellerman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Guilherme G. Piccoli" <gpiccoli@linux.vnet.ibm.com>

commit 8445a87f7092bc8336ea1305be9306f26b846d93 upstream.

Commit 39baadbf36ce ("powerpc/eeh: Remove eeh information from pci_dn")
changed the pci_dn struct by removing its EEH-related members.
As part of this clean-up, DDW mechanism was modified to read the device
configuration address from eeh_dev struct.

As a consequence, now if we disable EEH mechanism on kernel command-line
for example, the DDW mechanism will fail, generating a kernel oops by
dereferencing a NULL pointer (which turns out to be the eeh_dev pointer).

This patch just changes the configuration address calculation on DDW
functions to a manual calculation based on pci_dn members instead of
using eeh_dev-based address.

No functional changes were made. This was tested on pSeries, both
in PHyp and qemu guest.

Fixes: 39baadbf36ce ("powerpc/eeh: Remove eeh information from pci_dn")
Reviewed-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/platforms/pseries/iommu.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

--- a/arch/powerpc/platforms/pseries/iommu.c
+++ b/arch/powerpc/platforms/pseries/iommu.c
@@ -826,7 +826,8 @@ machine_arch_initcall(pseries, find_exis
 static int query_ddw(struct pci_dev *dev, const u32 *ddw_avail,
 			struct ddw_query_response *query)
 {
-	struct eeh_dev *edev;
+	struct device_node *dn;
+	struct pci_dn *pdn;
 	u32 cfg_addr;
 	u64 buid;
 	int ret;
@@ -837,11 +838,10 @@ static int query_ddw(struct pci_dev *dev
 	 * Retrieve them from the pci device, not the node with the
 	 * dma-window property
 	 */
-	edev = pci_dev_to_eeh_dev(dev);
-	cfg_addr = edev->config_addr;
-	if (edev->pe_config_addr)
-		cfg_addr = edev->pe_config_addr;
-	buid = edev->phb->buid;
+	dn = pci_device_to_OF_node(dev);
+	pdn = PCI_DN(dn);
+	buid = pdn->phb->buid;
+	cfg_addr = (pdn->busno << 8) | pdn->devfn;
 
 	ret = rtas_call(ddw_avail[0], 3, 5, (u32 *)query,
 		  cfg_addr, BUID_HI(buid), BUID_LO(buid));
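
Review bot: pdn is dereferenced (`pdn->phb->buid`) directly after `PCI_DN(dn)` with no check that dn or pdn is non-NULL, so the unchecked edev dereference this patch removes is replaced by another unchecked one. Please add a check in query_ddw and return an error when the device has no OF node or no pci_dn.
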
@@ -855,7 +855,8 @@ static int create_ddw(struct pci_dev *de
 			struct ddw_create_response *create, int page_shift,
 			int window_shift)
 {
-	struct eeh_dev *edev;
+	struct device_node *dn;
+	struct pci_dn *pdn;
 	u32 cfg_addr;
 	u64 buid;
 	int ret;
@@ -866,11 +867,10 @@ static int create_ddw(struct pci_dev *de
 	 * Retrieve them from the pci device, not the node with the
 	 * dma-window property
 	 */
-	edev = pci_dev_to_eeh_dev(dev);
-	cfg_addr = edev->config_addr;
-	if (edev->pe_config_addr)
-		cfg_addr = edev->pe_config_addr;
-	buid = edev->phb->buid;
+	dn = pci_device_to_OF_node(dev);
+	pdn = PCI_DN(dn);
+	buid = pdn->phb->buid;
+	cfg_addr = (pdn->busno << 8) | pdn->devfn;
 
 	do {
 		/* extra outputs are LIOBN and dma-addr (hi, lo) */
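
Review bot: the old code passed edev->pe_config_addr when it was non-zero and edev->config_addr otherwise, while the replacement always passes `(pdn->busno << 8) | pdn->devfn`. The "No functional changes" statement in the changelog holds only if that expression has the same bit layout as the value the firmware call received before, so please confirm it against how config_addr is built and adjust the shifts if they differ. Since the same four lines now appear in both query_ddw and create_ddw, a small helper would keep the two in step.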

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 068/305] kbuild: move -Wunused-const-variable to W=1 warning level
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (182 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 221/305] cifs: use CIFS_MAX_DOMAINNAME_LEN when converting the domain name Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 098/305] cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() Ben Hutchings
                   ` (121 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Olof Johansson, Michal Marek, Arnd Bergmann, Lee Jones

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit c9c6837d39311b0cc14cdbe7c18e815ab44aefb1 upstream.

gcc-6 started warning by default about variables that are not
used anywhere and that are marked 'const', generating many
false positives in an allmodconfig build, e.g.:

arch/arm/mach-davinci/board-da830-evm.c:282:20: warning: 'da830_evm_emif25_pins' defined but not used [-Wunused-const-variable=]
arch/arm/plat-omap/dmtimer.c:958:34: warning: 'omap_timer_match' defined but not used [-Wunused-const-variable=]
drivers/bluetooth/hci_bcm.c:625:39: warning: 'acpi_bcm_default_gpios' defined but not used [-Wunused-const-variable=]
drivers/char/hw_random/omap-rng.c:92:18: warning: 'reg_map_omap4' defined but not used [-Wunused-const-variable=]
drivers/devfreq/exynos/exynos5_bus.c:381:32: warning: 'exynos5_busfreq_int_pm' defined but not used [-Wunused-const-variable=]
drivers/dma/mv_xor.c:1139:34: warning: 'mv_xor_dt_ids' defined but not used [-Wunused-const-variable=]

This is similar to the existing -Wunused-but-set-variable warning
that was added in an earlier release and that we disable by default
now and only enable when W=1 is set, so it makes sense to do
the same here. Once we have eliminated the majority of the
warnings for both, we can put them back into the default list.

We probably want this in backport kernels as well, to allow building
them with gcc-6 without introducing extra warnings.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Olof Johansson <olof@lixom.net>
Acked-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Michal Marek <mmarek@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Makefile                   | 5 +++--
 scripts/Makefile.extrawarn | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

--- a/Makefile
+++ b/Makefile
@@ -671,9 +671,10 @@ KBUILD_CFLAGS += $(call cc-disable-warni
 KBUILD_CFLAGS += $(call cc-option, -mno-global-merge,)
 else
 
-# This warning generated too much noise in a regular build.
-# Use make W=1 to enable this warning (see scripts/Makefile.build)
+# These warnings generated too much noise in a regular build.
+# Use make W=1 to enable them (see scripts/Makefile.build)
 KBUILD_CFLAGS += $(call cc-disable-warning, unused-but-set-variable)
+KBUILD_CFLAGS += $(call cc-disable-warning, unused-const-variable)
 endif
 
 ifdef CONFIG_FRAME_POINTER
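
Review bot: the rewritten comment still points readers to scripts/Makefile.build, but the W=1 warning list this patch extends is in scripts/Makefile.extrawarn, as the second file in the diff shows. Since the comment lines are being touched anyway, update the reference so it names the file where the warning is actually enabled.
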
--- a/scripts/Makefile.extrawarn
+++ b/scripts/Makefile.extrawarn
@@ -24,6 +24,7 @@ warning-1 += $(call cc-option, -Wmissing
 warning-1 += -Wold-style-definition
 warning-1 += $(call cc-option, -Wmissing-include-dirs)
 warning-1 += $(call cc-option, -Wunused-but-set-variable)
+warning-1 += $(call cc-option, -Wunused-const-variable)
 warning-1 += $(call cc-disable-warning, missing-field-initializers)
 
 # Clang

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 051/305] MIPS: Fix siginfo.h to use strict posix types
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (249 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 029/305] crypto: s5p-sss - fix incorrect usage of scatterlists api Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 107/305] cifs: Create dedicated keyring for spnego operations Ben Hutchings
                   ` (54 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, James Hogan, Ralf Baechle, Christopher Ferris, linux-mips

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 5daebc477da4dfeb31ae193d83084def58fd2697 upstream.

Commit 85efde6f4e0d ("make exported headers use strict posix types")
changed the asm-generic siginfo.h to use the __kernel_* types, and
commit 3a471cbc081b ("remove __KERNEL_STRICT_NAMES") made the internal
types accessible only to the kernel, but the MIPS implementation hasn't
been updated to match.

Switch to proper types now so that the exported asm/siginfo.h won't
produce quite so many compiler errors when included alone by a user
program.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Christopher Ferris <cferris@google.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/12477/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/uapi/asm/siginfo.h | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/arch/mips/include/uapi/asm/siginfo.h
+++ b/arch/mips/include/uapi/asm/siginfo.h
@@ -48,13 +48,13 @@ typedef struct siginfo {
 
 		/* kill() */
 		struct {
-			pid_t _pid;		/* sender's pid */
+			__kernel_pid_t _pid;	/* sender's pid */
 			__ARCH_SI_UID_T _uid;	/* sender's uid */
 		} _kill;
 
 		/* POSIX.1b timers */
 		struct {
-			timer_t _tid;		/* timer id */
+			__kernel_timer_t _tid;	/* timer id */
 			int _overrun;		/* overrun count */
 			char _pad[sizeof( __ARCH_SI_UID_T) - sizeof(int)];
 			sigval_t _sigval;	/* same as below */
@@ -63,26 +63,26 @@ typedef struct siginfo {
 
 		/* POSIX.1b signals */
 		struct {
-			pid_t _pid;		/* sender's pid */
+			__kernel_pid_t _pid;	/* sender's pid */
 			__ARCH_SI_UID_T _uid;	/* sender's uid */
 			sigval_t _sigval;
 		} _rt;
 
 		/* SIGCHLD */
 		struct {
-			pid_t _pid;		/* which child */
+			__kernel_pid_t _pid;	/* which child */
 			__ARCH_SI_UID_T _uid;	/* sender's uid */
 			int _status;		/* exit code */
-			clock_t _utime;
-			clock_t _stime;
+			__kernel_clock_t _utime;
+			__kernel_clock_t _stime;
 		} _sigchld;
 
 		/* IRIX SIGCHLD */
 		struct {
-			pid_t _pid;		/* which child */
-			clock_t _utime;
+			__kernel_pid_t _pid;	/* which child */
+			__kernel_clock_t _utime;
 			int _status;		/* exit code */
-			clock_t _stime;
+			__kernel_clock_t _stime;
 		} _irix_sigchld;
 
 		/* SIGILL, SIGFPE, SIGSEGV, SIGBUS */
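Review bot: The changelog says the header will not produce "quite so many" compiler errors when included alone, so something still fails after the _rt, _sigchld and _irix_sigchld conversions in this hunk. Please name the remaining types or includes that cause those errors so the follow-up can be tracked, and state that the two clock_t members in each SIGCHLD variant keep their width as __kernel_clock_t.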


* [PATCH 3.16 205/305] arm64: mm: remove page_mapping check in __sync_icache_dcache
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (207 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 260/305] x86/amd_nb: Fix boot crash on non-AMD systems Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 086/305] x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs Ben Hutchings
                   ` (96 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Catalin Marinas, Will Deacon, Mark Rutland, Shaokun Zhang

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Shaokun Zhang <zhangshaokun@hisilicon.com>

commit 20c27a4270c775d7ed661491af8ac03264d60fc6 upstream.

__sync_icache_dcache unconditionally skips the cache maintenance for
anonymous pages, under the assumption that flushing is only required in
the presence of D-side aliases [see 7249b79f6b4cc ("arm64: Do not flush
the D-cache for anonymous pages")].

Unfortunately, this breaks migration of anonymous pages holding
self-modifying code, where userspace cannot be reasonably expected to
reissue maintenance instructions in response to a migration.

This patch fixes the problem by removing the broken page_mapping(page)
check from the cache syncing code, otherwise we may end up fetching and
executing stale instructions from the PoU.

Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/mm/flush.c | 4 ----
 1 file changed, 4 deletions(-)

--- a/arch/arm64/mm/flush.c
+++ b/arch/arm64/mm/flush.c
@@ -74,10 +74,6 @@ void __sync_icache_dcache(pte_t pte, uns
 {
 	struct page *page = pte_page(pte);
 
-	/* no flushing needed for anonymous pages */
-	if (!page_mapping(page))
-		return;
-
 	if (!test_and_set_bit(PG_dcache_clean, &page->flags)) {
 		__flush_dcache_area(page_address(page),
 				PAGE_SIZE << compound_order(page));
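Review bot: With the page_mapping() early return removed, nothing in __sync_icache_dcache() records why anonymous pages must not be skipped, and the deleted comment said the opposite. A short comment above the test_and_set_bit(PG_dcache_clean, ...) check noting that migrated anonymous pages can hold self-modifying code would keep the shortcut from 7249b79f6b4cc from being reintroduced. The changelog could also say what the extra flush on the first mapping of each anonymous page costs, since avoiding that flush was the point of the original check.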


* [PATCH 3.16 073/305] sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (56 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 012/305] cpuidle: Indicate when a device has been unregistered Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 283/305] KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE Ben Hutchings
                   ` (247 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra (Intel),
	Damien Wyart, Ingo Molnar, Vik Heyndrickx, Linus Torvalds,
	Thomas Gleixner, Mike Galbraith, Doug Smythies

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Vik Heyndrickx <vik.heyndrickx@veribox.net>

commit 20878232c52329f92423d27a60e48b6a6389e0dd upstream.

Systems show a minimal load average of 0.00, 0.01, 0.05 even when they
have no load at all.

Uptime and /proc/loadavg on all systems with kernels released during the
last five years up until kernel version 4.6-rc5, show a 5- and 15-minute
minimum loadavg of 0.01 and 0.05 respectively. This should be 0.00 on
idle systems, but the way the kernel calculates this value prevents it
from getting lower than the mentioned values.

Likewise but not as obviously noticeable, a fully loaded system with no
processes waiting, shows a maximum 1/5/15 loadavg of 1.00, 0.99, 0.95
(multiplied by number of cores).

Once the (old) load becomes 93 or higher, it mathematically can never
get lower than 93, even when the active (load) remains 0 forever.
This results in the strange 0.00, 0.01, 0.05 uptime values on idle
systems.  Note: 93/2048 = 0.0454..., which rounds up to 0.05.

It is not correct to add a 0.5 rounding (=1024/2048) here, since the
result from this function is fed back into the next iteration again,
so the result of that +0.5 rounding value then gets multiplied by
(2048-2037), and then rounded again, so there is a virtual "ghost"
load created, next to the old and active load terms.

By changing the way the internally kept value is rounded, that internal
value equivalent now can reach 0.00 on idle, and 1.00 on full load. Upon
increasing load, the internally kept load value is rounded up, when the
load is decreasing, the load value is rounded down.

The modified code was tested on nohz=off and nohz kernels. It was tested
on vanilla kernel 4.6-rc5 and on centos 7.1 kernel 3.10.0-327. It was
tested on single, dual, and octal core systems. It was tested on virtual
hosts and bare hardware. No unwanted effects have been observed, and the
problems that the patch intended to fix were indeed gone.

Tested-by: Damien Wyart <damien.wyart@free.fr>
Signed-off-by: Vik Heyndrickx <vik.heyndrickx@veribox.net>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Doug Smythies <dsmythies@telus.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 0f004f5a696a ("sched: Cure more NO_HZ load average woes")
Link: http://lkml.kernel.org/r/e8d32bff-d544-7748-72b5-3c86cc71f09f@veribox.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/sched/proc.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/kernel/sched/proc.c
+++ b/kernel/sched/proc.c
@@ -104,10 +104,13 @@ long calc_load_fold_active(struct rq *th
 static unsigned long
 calc_load(unsigned long load, unsigned long exp, unsigned long active)
 {
-	load *= exp;
-	load += active * (FIXED_1 - exp);
-	load += 1UL << (FSHIFT - 1);
-	return load >> FSHIFT;
+	unsigned long newload;
+
+	newload = load * exp + active * (FIXED_1 - exp);
+	if (active >= load)
+		newload += FIXED_1-1;
+
+	return newload / FIXED_1;
 }
 
 #ifdef CONFIG_NO_HZ_COMMON
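Review bot: The asymmetric rounding in the new calc_load() body (add FIXED_1-1 only when active >= load, otherwise truncate) is explained only in the changelog. A comment above the if would keep a later cleanup from restoring the symmetric +0.5 rounding that left the 5- and 15-minute values stuck at 0.01 and 0.05. Style: "newload += FIXED_1-1;" wants spaces around the minus, and assuming FIXED_1 is 1 << FSHIFT, as the changelog's 1024/2048 figures imply, "/ FIXED_1" is the same as the old ">> FSHIFT" for an unsigned long, so keeping the shift would make the diff smaller.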


* [PATCH 3.16 252/305] batman-adv: replace WARN with rate limited output on non-existing VLAN
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (73 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 196/305] kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 206/305] pinctrl: single: Fix missing flush of posted write for a wakeirq Ben Hutchings
                   ` (230 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Sven Eckelmann, Simon Wunderlich, Marek Lindner

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Simon Wunderlich <sw@simonwunderlich.de>

commit 0b3dd7dfb81ad8af53791ea2bb64b83bac1b7d32 upstream.

If a VLAN tagged frame is received and the corresponding VLAN is not
configured on the soft interface, it will splat a WARN on every packet
received. This is a quite annoying behaviour for some scenarios, e.g. if
bat0 is bridged with eth0, and there are arbitrary VLAN tagged frames
from Ethernet coming in without having any VLAN configuration on bat0.

The code should probably create vlan objects on the fly and
transparently transport these VLAN-tagged Ethernet frames, but until
this is done, at least the WARN splat should be replaced by a rate
limited output.

Fixes: 354136bcc3c4 ("batman-adv: fix kernel crash due to missing NULL checks")
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/translation-table.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -576,8 +576,10 @@ bool batadv_tt_local_add(struct net_devi
 
 	/* increase the refcounter of the related vlan */
 	vlan = batadv_softif_vlan_get(bat_priv, vid);
-	if (WARN(!vlan, "adding TT local entry %pM to non-existent VLAN %d",
-		 addr, BATADV_PRINT_VID(vid))) {
+	if (!vlan) {
+		net_ratelimited_function(batadv_info, soft_iface,
+					 "adding TT local entry %pM to non-existent VLAN %d\n",
+					 addr, BATADV_PRINT_VID(vid));
 		kfree(tt_local);
 		tt_local = NULL;
 		goto out;
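Review bot: In the new "if (!vlan)" branch the message is rate limited, but every such frame still reaches the kfree(tt_local) below it, so tt_local is allocated and freed once per packet for traffic the changelog says can arrive continuously from a bridged eth0. Doing the batadv_softif_vlan_get() lookup before tt_local is allocated would take both the allocation and the kfree()/NULL assignment out of this path. The severity also drops from a WARN to batadv_info; please say in the changelog that this is intended.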


* [PATCH 3.16 059/305] USB: serial: mxuport: fix use-after-free in probe error path
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (137 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 062/305] MIPS: KVM: Fix timer IRQ race when writing CP0_Compare Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 139/305] drm/nouveau/fbcon: fix out-of-bounds memory accesses Ben Hutchings
                   ` (166 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Johan Hovold

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 9e45284984096314994777f27e1446dfbfd2f0d7 upstream.

The interface read and event URBs are submitted in attach, but were
never explicitly unlinked by the driver. Instead the URBs would have
been killed by usb-serial core on disconnect.

In case of a late probe error (e.g. due to failed minor allocation),
disconnect is never called and we could end up with active URBs for an
unbound interface. This in turn could lead to deallocated memory being
dereferenced in the completion callbacks.

Fixes: ee467a1f2066 ("USB: serial: add Moxa UPORT 12XX/14XX/16XX
driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/mxuport.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/drivers/usb/serial/mxuport.c
+++ b/drivers/usb/serial/mxuport.c
@@ -1263,6 +1263,15 @@ static int mxuport_attach(struct usb_ser
 	return 0;
 }
 
+static void mxuport_release(struct usb_serial *serial)
+{
+	struct usb_serial_port *port0 = serial->port[0];
+	struct usb_serial_port *port1 = serial->port[1];
+
+	usb_serial_generic_close(port1);
+	usb_serial_generic_close(port0);
+}
+
 static int mxuport_open(struct tty_struct *tty, struct usb_serial_port *port)
 {
 	struct mxuport_port *mxport = usb_get_serial_port_data(port);
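Review bot: mxuport_release() dereferences serial->port[0] and serial->port[1] with no comment on why these two ports carry the interface URBs or why usb_serial_generic_close() is the call that stops them. The changelog says the read and event URBs are submitted in attach, so a one-line comment tying the two calls to those URBs would help. The changelog should also state that release is reached on the late probe error path, since it only says that disconnect is not.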
@@ -1365,6 +1374,7 @@ static struct usb_serial_driver mxuport_
 	.probe			= mxuport_probe,
 	.port_probe		= mxuport_port_probe,
 	.attach			= mxuport_attach,
+	.release		= mxuport_release,
 	.calc_num_ports		= mxuport_calc_num_ports,
 	.open			= mxuport_open,
 	.close			= mxuport_close,


* [PATCH 3.16 065/305] s390/vmem: fix identity mapping
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (125 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 175/305] usb: quirks: Add no-lpm quirk for Acer C120 LED Projector Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 280/305] tipc: fix an infoleak in tipc_nl_compat_link_dump Ben Hutchings
                   ` (178 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Martin Schwidefsky, Heiko Carstens

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <heiko.carstens@de.ibm.com>

commit c34a69059d7876e0793eb410deedfb08ccb22b02 upstream.

The identity mapping is suboptimal for the last 2GB frame. The mapping
will be established with a mix of 4KB and 1MB mappings instead of a
single 2GB mapping.

This happens because of an off-by-one bug introduced with
commit 50be63450728 ("s390/mm: Convert bootmem to memblock").

Currently the identity mapping looks like this:

0x0000000080000000-0x0000000180000000        4G PUD RW
0x0000000180000000-0x00000001fff00000     2047M PMD RW
0x00000001fff00000-0x0000000200000000        1M PTE RW

With the bug fixed it looks like this:

0x0000000080000000-0x0000000200000000        6G PUD RW

Fixes: 50be63450728 ("s390/mm: Convert bootmem to memblock")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/mm/vmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/mm/vmem.c
+++ b/arch/s390/mm/vmem.c
@@ -380,7 +380,7 @@ void __init vmem_map_init(void)
 	ro_end = (unsigned long)&_eshared & PAGE_MASK;
 	for_each_memblock(memory, reg) {
 		start = reg->base;
-		end = reg->base + reg->size - 1;
+		end = reg->base + reg->size;
 		if (start >= ro_end || end <= ro_start)
 			vmem_add_mem(start, end - start, 0);
 		else if (start >= ro_start && end <= ro_end)
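Review bot: With "end = reg->base + reg->size;" end becomes exclusive, which is what the "end <= ro_start" and "end <= ro_end" comparisons and the "end - start" length passed to vmem_add_mem() in the context lines already assume. A short comment at the assignment saying that end is exclusive would guard against the "- 1" coming back. The changelog describes only the mapping granularity; with the old value "end - start" was one byte short of the region size, so please say whether that had any effect other than the split mappings.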


* [PATCH 3.16 241/305] arc: unwind: warn only once if DW2_UNWIND is disabled
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 227/305] Fix reconnect to not defer smb3 session reconnect long after socket reconnect Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 016/305] ipv6, token: allow for clearing the current device token Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 020/305] serial: doc: Re-add paragraph documenting uart_console_write() Ben Hutchings
                   ` (302 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexey Brodkin, Vineet Gupta, Alexey Brodkin

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Brodkin <Alexey.Brodkin@synopsys.com>

commit 9bd54517ee86cb164c734f72ea95aeba4804f10b upstream.

If CONFIG_ARC_DW2_UNWIND is disabled, every time arc_unwind_core()
gets called the following message gets printed in the debug console:
----------------->8---------------
CONFIG_ARC_DW2_UNWIND needs to be enabled
----------------->8---------------

That message makes sense if user indeed wants to see a backtrace or
get nice function call-graphs in perf but what if user disabled
unwinder for the purpose? Why pollute his debug console?

So instead we'll warn user about possibly missing feature once and
let him decide if that was what he or she really wanted.

Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arc/kernel/stacktrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arc/kernel/stacktrace.c
+++ b/arch/arc/kernel/stacktrace.c
@@ -131,7 +131,7 @@ arc_unwind_core(struct task_struct *tsk,
 	 * prelogue is setup (callee regs saved and then fp set and not other
 	 * way around
 	 */
-	pr_warn("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
+	pr_warn_once("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
 	return 0;
 
 #endif
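Review bot: pr_warn_once() stops the flooding, but the text "CONFIG_ARC_DW2_UNWIND needs to be enabled" still reads as a misconfiguration to a user who turned the unwinder off on purpose, which is the case the changelog is about. Consider rewording it to state the condition instead, for example that stack unwinding is unavailable because CONFIG_ARC_DW2_UNWIND is disabled.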


* [PATCH 3.16 250/305] net: phy: Manage fixed PHY address space using IDA
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (196 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 006/305] iommu/vt-d: Ratelimit fault handler Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 077/305] ring-buffer: Use long for nr_pages to avoid overflow failures Ben Hutchings
                   ` (107 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Fainelli, David S. Miller

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 69fc58a57e56bf5e39b48809aefffdaa1b04c945 upstream.

If we have a system which uses fixed PHY devices and calls
fixed_phy_register() then fixed_phy_unregister() we can exhaust the
number of fixed PHYs available after a while, since we keep incrementing
the variable phy_fixed_addr, but we never decrement it.

This patch fixes that by converting the fixed PHY allocation to using
IDA, which takes care of the allocation/deallocation of the PHY
addresses for us.

Fixes: a75951217472 ("net: phy: extend fixed driver with fixed_phy_register()")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Adjust filename, context
 - fixed_phy_register() returns an integer, not a pointer/error]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/phy/fixed.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

--- a/drivers/net/phy/fixed.c
+++ b/drivers/net/phy/fixed.c
@@ -22,6 +22,7 @@
 #include <linux/err.h>
 #include <linux/slab.h>
 #include <linux/of.h>
+#include <linux/idr.h>
 
 #define MII_REGS_NUM 29
 
@@ -204,6 +205,8 @@ err_regs:
 }
 EXPORT_SYMBOL_GPL(fixed_phy_add);
 
+static DEFINE_IDA(phy_fixed_ida);
+
 void fixed_phy_del(int phy_addr)
 {
 	struct fixed_mdio_bus *fmb = &platform_fmb;
@@ -213,15 +216,13 @@ void fixed_phy_del(int phy_addr)
 		if (fp->addr == phy_addr) {
 			list_del(&fp->node);
 			kfree(fp);
+			ida_simple_remove(&phy_fixed_ida, phy_addr);
 			return;
 		}
 	}
 }
 EXPORT_SYMBOL_GPL(fixed_phy_del);
 
-static int phy_fixed_addr;
-static DEFINE_SPINLOCK(phy_fixed_addr_lock);
-
 int fixed_phy_register(unsigned int irq,
 		       struct fixed_phy_status *status,
 		       struct device_node *np)
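Review bot: ida_simple_remove(&phy_fixed_ida, phy_addr) in fixed_phy_del() runs for every matching address, but only fixed_phy_register() takes its address from the IDA. fixed_phy_add() is exported (see EXPORT_SYMBOL_GPL(fixed_phy_add) in the previous hunk's context) and takes a caller-chosen phy_addr, so a PHY added that way and later deleted would release an id that was never allocated, or one that fixed_phy_register() has since handed to another user. Either allocate from the IDA in fixed_phy_add() as well, or record which entries own an IDA id and only remove those.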
@@ -232,17 +233,15 @@ int fixed_phy_register(unsigned int irq,
 	int ret;
 
 	/* Get the next available PHY address, up to PHY_MAX_ADDR */
-	spin_lock(&phy_fixed_addr_lock);
-	if (phy_fixed_addr == PHY_MAX_ADDR) {
-		spin_unlock(&phy_fixed_addr_lock);
-		return -ENOSPC;
-	}
-	phy_addr = phy_fixed_addr++;
-	spin_unlock(&phy_fixed_addr_lock);
+	phy_addr = ida_simple_get(&phy_fixed_ida, 0, PHY_MAX_ADDR, GFP_KERNEL);
+	if (phy_addr < 0)
+		return phy_addr;
 
 	ret = fixed_phy_add(irq, phy_addr, status);
-	if (ret < 0)
+	if (ret < 0) {
+		ida_simple_remove(&phy_fixed_ida, phy_addr);
 		return ret;
+	}
 
 	phy = get_phy_device(fmb->mii_bus, phy_addr, false);
 	if (!phy || IS_ERR(phy)) {
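Review bot: ida_simple_get(..., GFP_KERNEL) may sleep, where the spin_lock-protected counter it replaces did not, so fixed_phy_register() is now process-context only; that deserves a line in the changelog or a comment. The id is released when fixed_phy_add() fails, but the "if (!phy || IS_ERR(phy))" path at the end of this hunk is untouched: please confirm that it goes through fixed_phy_del() so the address is returned on that path too.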
@@ -317,6 +316,7 @@ static void __exit fixed_mdio_bus_exit(v
 		list_del(&fp->node);
 		kfree(fp);
 	}
+	ida_destroy(&phy_fixed_ida);
 }
 module_exit(fixed_mdio_bus_exit);
 


* [PATCH 3.16 215/305] IB/mlx4: Fix the SQ size of an RC QP
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (226 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 288/305] netfilter: x_tables: don't move to non-existent next rule Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 212/305] can: fix oops caused by wrong rtnl dellink usage Ben Hutchings
                   ` (77 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Jack Morgenstein, Yishai Hadas,
	Doug Ledford, Eran Ben Elisha

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yishai Hadas <yishaih@mellanox.com>

commit f2940e2c76bb554a7fbdd28ca5b90904117a9e96 upstream.

When calculating the required size of an RC QP send queue, leave
enough space for masked atomic operations, which require more space than
"regular" atomic operations.

Fixes: 6fa8f719844b ("IB/mlx4: Add support for masked atomic operations")
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Reviewed-by: Jack Morgenstein <jackm@mellanox.co.il>
Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/qp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -361,7 +361,7 @@ static int send_wqe_overhead(enum mlx4_i
 			sizeof (struct mlx4_wqe_raddr_seg);
 	case MLX4_IB_QPT_RC:
 		return sizeof (struct mlx4_wqe_ctrl_seg) +
-			sizeof (struct mlx4_wqe_atomic_seg) +
+			sizeof (struct mlx4_wqe_masked_atomic_seg) +
 			sizeof (struct mlx4_wqe_raddr_seg);
 	case MLX4_IB_QPT_SMI:
 	case MLX4_IB_QPT_GSI:
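Review bot: The MLX4_IB_QPT_RC case now reserves sizeof(struct mlx4_wqe_masked_atomic_seg) for every RC QP, whether or not it ever posts a masked atomic, and the changelog does not say what that does to the WQE size or to the number of send work requests that fit in a queue. Please state the size difference between the two segment structs and whether any QP creation parameters that used to succeed can now fail.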


* [PATCH 3.16 257/305] qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (22 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 305/305] Revert "netfilter: ensure number of counters is >0 in do_replace()" Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 035/305] ext4: clean up error handling when orphan list is corrupted Ben Hutchings
                   ` (281 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, David S. Miller

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 5b4d10f5e0369ed79434593b7cd8e85eebbe473f upstream.

There is a static checker warning here "warn: mask and shift to zero"
and the code sets "ring" to zero every time.  From looking at how
QLCNIC_FETCH_RING_ID() is used in qlcnic_83xx_process_rcv_ring() the
qlcnic_83xx_hndl() should be removed.

Fixes: 4be41e92f7c6 ('qlcnic: 83xx data path routines')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c
@@ -2198,7 +2198,7 @@ void qlcnic_83xx_process_rcv_ring_diag(s
 	if (!opcode)
 		return;
 
-	ring = QLCNIC_FETCH_RING_ID(qlcnic_83xx_hndl(sts_data[0]));
+	ring = QLCNIC_FETCH_RING_ID(sts_data[0]);
 	qlcnic_83xx_process_rcv_diag(adapter, ring, sts_data);
 	desc = &sds_ring->desc_head[consumer];
 	desc->status_desc_data[0] = cpu_to_le64(STATUS_OWNER_PHANTOM);
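Review bot: Per the changelog, ring was always 0 before this change, so QLCNIC_FETCH_RING_ID(sts_data[0]) is the first time a value taken from the status descriptor reaches qlcnic_83xx_process_rcv_diag() as the ring index. Please confirm that the callee range-checks ring against the number of receive rings before indexing with it, and add the check here if it does not.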


* [PATCH 3.16 124/305] dma-debug: avoid spinlock recursion when disabling dma-debug
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (286 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 207/305] net/mlx4_en: Fix the return value of a failure in VLAN VID add/kill Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 244/305] net: bgmac: Remove superflous netif_carrier_on() Ben Hutchings
                   ` (17 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, Ville Syrjälä

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 3017cd63f26fc655d56875aaf497153ba60e9edf upstream.

With netconsole (at least) the pr_err("...  disabling\n") call can
recurse back into the dma-debug code, where it'll try to grab
free_entries_lock again.  Avoid the problem by doing the printk after
dropping the lock.

Link: http://lkml.kernel.org/r/1463678421-18683-1-git-send-email-ville.syrjala@linux.intel.com
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 lib/dma-debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/dma-debug.c
+++ b/lib/dma-debug.c
@@ -646,9 +646,9 @@ static struct dma_debug_entry *dma_entry
 	spin_lock_irqsave(&free_entries_lock, flags);
 
 	if (list_empty(&free_entries)) {
-		pr_err("DMA-API: debugging out of memory - disabling\n");
 		global_disable = true;
 		spin_unlock_irqrestore(&free_entries_lock, flags);
+		pr_err("DMA-API: debugging out of memory - disabling\n");
 		return NULL;
 	}
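Review bot: The only thing keeping pr_err() out of the free_entries_lock critical section is its position after spin_unlock_irqrestore(), and nothing in the code says why it has to be there. A one-line comment stating that the print must come after the unlock because the console path (netconsole, per the changelog) can re-enter dma-debug would stop a later cleanup from moving it back under the lock.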
 


* [PATCH 3.16 039/305] char: Drop bogus dependency of DEVPORT on !M68K
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (79 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 132/305] powerpc: Fix definition of SIAR and SDAR registers Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 249/305] powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0 Ben Hutchings
                   ` (224 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Geert Uytterhoeven, Al Stone

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert@linux-m68k.org>

commit 309124e2648d668a0c23539c5078815660a4a850 upstream.

According to full-history-linux commit d3794f4fa7c3edc3 ("[PATCH] M68k
update (part 25)"), port operations are allowed on m68k if CONFIG_ISA is
defined.

However, commit 153dcc54df826d2f ("[PATCH] mem driver: fix conditional
on isa i/o support") accidentally changed an "||" into an "&&",
disabling it completely on m68k. This logic was retained when
introducing the DEVPORT symbol in commit 4f911d64e04a44c4 ("Make
/dev/port conditional on config symbol").

Drop the bogus dependency on !M68K to fix this.

Fixes: 153dcc54df826d2f ("[PATCH] mem driver: fix conditional on isa i/o support")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Al Stone <ahs3@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/char/Kconfig | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/char/Kconfig
+++ b/drivers/char/Kconfig
@@ -575,7 +575,6 @@ config TELCLOCK
 
 config DEVPORT
 	bool
-	depends on !M68K
 	depends on ISA || PCI
 	default y
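Review bot: The changelog justifies the change with port operations being allowed on m68k if CONFIG_ISA is defined, but once "depends on !M68K" is gone the remaining condition is "depends on ISA || PCI", so an m68k configuration with PCI and without ISA also gets DEVPORT, and gets it by "default y". Please confirm that this is intended, given that DEVPORT is the symbol that makes /dev/port available; if it is not, the dependency needs an m68k-specific term.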
 


* [PATCH 3.16 251/305] batman-adv: Fix memory leak on tt add with invalid vlan
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (263 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 237/305] make nfs_atomic_open() call d_drop() on all ->open_context() errors Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 048/305] ext4: fix oops on corrupted filesystem Ben Hutchings
                   ` (40 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Sven Eckelmann

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit fd7dec25a18f495e50d2040398fd263836ff3b28 upstream.

The object tt_local is allocated with kmalloc and not initialized when the
function batadv_tt_local_add checks for the vlan. But this function can
only cleanup the object when the (not yet initialized) reference counter of
the object is 1. This is unlikely and thus the object would leak when the
vlan could not be found.

Instead the uninitialized object tt_local has to be freed manually and the
pointer has to be set to NULL to avoid calling the function which would try to
decrement the reference counter of the not existing object.

CID: 1316518
Fixes: 354136bcc3c4 ("batman-adv: fix kernel crash due to missing NULL checks")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/translation-table.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -577,8 +577,11 @@ bool batadv_tt_local_add(struct net_devi
 	/* increase the refcounter of the related vlan */
 	vlan = batadv_softif_vlan_get(bat_priv, vid);
 	if (WARN(!vlan, "adding TT local entry %pM to non-existent VLAN %d",
-		 addr, BATADV_PRINT_VID(vid)))
+		 addr, BATADV_PRINT_VID(vid))) {
+		kfree(tt_local);
+		tt_local = NULL;
 		goto out;
+	}
 
 	batadv_dbg(BATADV_DBG_TT, bat_priv,
 		   "Creating new local tt entry: %pM (vid: %d, ttvn: %d)\n",


* [PATCH 3.16 046/305] cpufreq: Fix GOV_LIMITS handling for the userspace governor
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (228 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 212/305] can: fix oops caused by wrong rtnl dellink usage Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 285/305] audit: fix a double fetch in audit_log_single_execve_arg() Ben Hutchings
                   ` (75 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sai Gurrappadi, Viresh Kumar, Rafael J. Wysocki

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sai Gurrappadi <sgurrappadi@nvidia.com>

commit e43e94c1eda76dabd686ddf6f7825f54d747b310 upstream.

Currently, the userspace governor only updates frequency on GOV_LIMITS
if policy->cur falls outside policy->{min/max}. However, it is also
necessary to update current frequency on GOV_LIMITS to match the user
requested value if it can be achieved within the new policy->{max/min}.

This was previously the behaviour in the governor until commit d1922f0
("cpufreq: Simplify userspace governor") which incorrectly assumed that
policy->cur == user requested frequency via scaling_setspeed. This won't
be true if the user requested frequency falls outside policy->{min/max}.
Ex: a temporary thermal cap throttled the user requested frequency.

Fix this by storing the user requested frequency in a separate variable.
The governor will then try to achieve this request on every GOV_LIMITS
change.

Fixes: d1922f02562f (cpufreq: Simplify userspace governor)
Signed-off-by: Sai Gurrappadi <sgurrappadi@nvidia.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/cpufreq/cpufreq_userspace.c | 43 ++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 5 deletions(-)

--- a/drivers/cpufreq/cpufreq_userspace.c
+++ b/drivers/cpufreq/cpufreq_userspace.c
@@ -17,6 +17,7 @@
 #include <linux/init.h>
 #include <linux/module.h>
 #include <linux/mutex.h>
+#include <linux/slab.h>
 
 static DEFINE_PER_CPU(unsigned int, cpu_is_managed);
 static DEFINE_MUTEX(userspace_mutex);
@@ -31,6 +32,7 @@ static DEFINE_MUTEX(userspace_mutex);
 static int cpufreq_set(struct cpufreq_policy *policy, unsigned int freq)
 {
 	int ret = -EINVAL;
+	unsigned int *setspeed = policy->governor_data;
 
 	pr_debug("cpufreq_set for cpu %u, freq %u kHz\n", policy->cpu, freq);
 
@@ -38,6 +40,8 @@ static int cpufreq_set(struct cpufreq_po
 	if (!per_cpu(cpu_is_managed, policy->cpu))
 		goto err;
 
+	*setspeed = freq;
+
 	ret = __cpufreq_driver_target(policy, freq, CPUFREQ_RELATION_L);
  err:
 	mutex_unlock(&userspace_mutex);
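Review bot: in cpufreq_set(), setspeed is loaded from policy->governor_data in the declaration, ahead of the locked section that ends in mutex_unlock(&userspace_mutex), and the store *setspeed = freq is guarded only by the cpu_is_managed check. The CPUFREQ_GOV_POLICY_EXIT case added later in this patch clears governor_data and frees the buffer under that same mutex, so loading the pointer inside the locked section and bailing out when it is NULL would make the lifetime rule explicit instead of relying on GOV_STOP having cleared cpu_is_managed first.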
@@ -49,19 +53,45 @@ static ssize_t show_speed(struct cpufreq
 	return sprintf(buf, "%u\n", policy->cur);
 }
 
+static int cpufreq_userspace_policy_init(struct cpufreq_policy *policy)
+{
+	unsigned int *setspeed;
+
+	setspeed = kzalloc(sizeof(*setspeed), GFP_KERNEL);
+	if (!setspeed)
+		return -ENOMEM;
+
+	policy->governor_data = setspeed;
+	return 0;
+}
+
 static int cpufreq_governor_userspace(struct cpufreq_policy *policy,
 				   unsigned int event)
 {
+	unsigned int *setspeed = policy->governor_data;
 	unsigned int cpu = policy->cpu;
 	int rc = 0;
 
+	if (event == CPUFREQ_GOV_POLICY_INIT)
+		return cpufreq_userspace_policy_init(policy);
+
+	if (!setspeed)
+		return -EINVAL;
+
 	switch (event) {
+	case CPUFREQ_GOV_POLICY_EXIT:
+		mutex_lock(&userspace_mutex);
+		policy->governor_data = NULL;
+		kfree(setspeed);
+		mutex_unlock(&userspace_mutex);
+		break;
 	case CPUFREQ_GOV_START:
 		BUG_ON(!policy->cur);
 		pr_debug("started managing cpu %u\n", cpu);
 
 		mutex_lock(&userspace_mutex);
 		per_cpu(cpu_is_managed, cpu) = 1;
+		*setspeed = policy->cur;
 		mutex_unlock(&userspace_mutex);
 		break;
 	case CPUFREQ_GOV_STOP:
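Review bot: cpufreq_userspace_policy_init() overwrites policy->governor_data without checking whether it is already set, so a second CPUFREQ_GOV_POLICY_INIT on the same policy would leak the earlier kzalloc(). The new "if (!setspeed) return -EINVAL;" also runs for every other event, which makes START, STOP and LIMITS fail on any path that reaches the governor without a preceding POLICY_INIT; a short comment (or a WARN_ON) stating that the core always sends POLICY_INIT first would document that assumption.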
@@ -69,20 +99,23 @@ static int cpufreq_governor_userspace(st
 
 		mutex_lock(&userspace_mutex);
 		per_cpu(cpu_is_managed, cpu) = 0;
+		*setspeed = 0;
 		mutex_unlock(&userspace_mutex);
 		break;
 	case CPUFREQ_GOV_LIMITS:
 		mutex_lock(&userspace_mutex);
-		pr_debug("limit event for cpu %u: %u - %u kHz, currently %u kHz\n",
-			cpu, policy->min, policy->max,
-			policy->cur);
+		pr_debug("limit event for cpu %u: %u - %u kHz, currently %u kHz, last set to %u kHz\n",
+			cpu, policy->min, policy->max, policy->cur, *setspeed);
 
-		if (policy->max < policy->cur)
+		if (policy->max < *setspeed)
 			__cpufreq_driver_target(policy, policy->max,
 						CPUFREQ_RELATION_H);
-		else if (policy->min > policy->cur)
+		else if (policy->min > *setspeed)
 			__cpufreq_driver_target(policy, policy->min,
 						CPUFREQ_RELATION_L);
+		else
+			__cpufreq_driver_target(policy, *setspeed,
+						CPUFREQ_RELATION_L);
 		mutex_unlock(&userspace_mutex);
 		break;
 	}
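Review bot: the new else branch in CPUFREQ_GOV_LIMITS discards the return value of __cpufreq_driver_target(), as the two branches above it already do, even though the function carries rc for exactly this purpose. Since this branch now runs on every limits change rather than only when a limit is crossed, storing the result in rc (or at least logging a failure with pr_debug) would keep a driver error from going unnoticed.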

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 045/305] USB: serial: option: add even more ZTE device ids
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (48 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 208/305] ubi: Make recover_peb power cut aware Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 015/305] [media] cx23885: uninitialized variable in cx23885_av_work_handler() Ben Hutchings
                   ` (255 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Lei Liu, lei liu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lei Liu <lei35151@163.com>

commit 74d2a91aec97ab832790c9398d320413ad185321 upstream.

Add even more ZTE device ids.

Signed-off-by: lei liu <liu.lei78@zte.com.cn>
[johan: rebase and replace commit message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 54 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1712,6 +1712,60 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff92, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff93, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff94, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xff9f, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa0, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa1, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa2, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa3, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa4, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa5, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa6, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa7, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa8, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffa9, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffaa, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffab, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffac, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffae, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffaf, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb0, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb1, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb2, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb3, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb4, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb5, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb6, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb7, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb8, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffb9, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffba, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffbb, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffbc, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffbd, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffbe, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffbf, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc0, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc1, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc2, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc3, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc4, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc5, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc6, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc7, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc8, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffc9, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffca, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffcb, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffcc, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffcd, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffce, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffcf, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd0, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd1, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd2, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd3, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd4, 0xff, 0xff, 0xff) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffd5, 0xff, 0xff, 0xff) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0xffe9, 0xff, 0xff, 0xff) },
 
 	{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_CDMA_TECH, 0xff, 0xff, 0xff) },
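Review bot: the added run skips 0xffad (0xffac is followed directly by 0xffae), and the changelog only says "Add even more ZTE device ids", so the patch gives no way to tell whether the gap is intentional or which devices these product ids belong to. Please confirm the omission and name the device families in the commit message; every new entry matches on interface class, subclass and protocol 0xff, so any vendor-specific interface on these products will bind to option.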

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 033/305] aacraid: Fix for aac_command_thread hang
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (144 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 105/305] crypto: public_key: select CRYPTO_AKCIPHER Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 157/305] gpio: bcm-kona: fix bcm_kona_gpio_reset() warnings Ben Hutchings
                   ` (159 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Raghava Aditya Renukunta, Johannes Thumshirn, Martin K. Petersen

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>

commit fc4bf75ea300a5e62a2419f89dd0e22189dd7ab7 upstream.

Typically under error conditions, it is possible for aac_command_thread()
to miss the wakeup from kthread_stop() and go back to sleep, causing it
to hang aac_shutdown.

In the observed scenario, the adapter is not functioning correctly and so
aac_fib_send() never completes (or time-outs depending on how it was
called). Shortly after aac_command_thread() starts it performs
aac_fib_send(SendHostTime) which hangs. When aac_probe_one
/aac_get_adapter_info send time outs, kthread_stop is called which breaks
the command thread out of its hang.

The code will still go back to sleep in schedule_timeout() without
checking kthread_should_stop() so it causes aac_probe_one to hang until
the schedule_timeout() which is 30 minutes.

Fixed by: Adding another kthread_should_stop() before schedule_timeout()
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/aacraid/commsup.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -1921,6 +1921,10 @@ int aac_command_thread(void *data)
 		if (difference <= 0)
 			difference = 1;
 		set_current_state(TASK_INTERRUPTIBLE);
+
+		if (kthread_should_stop())
+			break;
+
 		schedule_timeout(difference);
 
 		if (kthread_should_stop())
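Review bot: the added break leaves the loop immediately after set_current_state(TASK_INTERRUPTIBLE), so the thread exits the loop still marked TASK_INTERRUPTIBLE, whereas the existing kthread_should_stop() check below runs only after schedule_timeout() has returned in the running state. Adding __set_current_state(TASK_RUNNING) before the new break would keep whatever cleanup follows the loop from executing with a sleeping task state.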

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 129/305] hpfs: fix remount failure when there are no options changed
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (273 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 149/305] IB/mlx5: Return PORT_ERR in Active to Initializing tranisition Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 300/305] netfilter: ip6_tables: simplify translate_compat_table args Ben Hutchings
                   ` (30 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Mikulas Patocka, Mikulas Patocka

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mikulas@twibright.com>

commit 44d51706b4685f965cd32acde3fe0fcc1e6198e8 upstream.

Commit ce657611baf9 ("hpfs: kstrdup() out of memory handling") checks if
the kstrdup function returns NULL due to out-of-memory condition.

However, if we are remounting a filesystem with no change to
filesystem-specific options, the parameter data is NULL.  In this case,
kstrdup returns NULL (because it was passed NULL parameter), although no
out of memory condition exists.  The mount syscall then fails with
ENOMEM.

This patch fixes the bug.  We fail with ENOMEM only if data is non-NULL.

The patch also changes the call to replace_mount_options - if we didn't
pass any filesystem-specific options, we don't call
replace_mount_options (thus we don't erase existing reported options).

Fixes: ce657611baf9 ("hpfs: kstrdup() out of memory handling")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/hpfs/super.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -428,7 +428,7 @@ static int hpfs_remount_fs(struct super_
 	struct hpfs_sb_info *sbi = hpfs_sb(s);
 	char *new_opts = kstrdup(data, GFP_KERNEL);
 
-	if (!new_opts)
+	if (data && !new_opts)
 		return -ENOMEM;
 
 	sync_filesystem(s);
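Review bot: the condition "data && !new_opts" is correct but reads oddly without context, because kstrdup() is still called with data == NULL and its NULL return then means "nothing to copy" rather than allocation failure. A one-line comment above the check saying that data is NULL when the remount passes no filesystem-specific options would keep someone from simplifying it back to "if (!new_opts)".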
@@ -466,7 +466,8 @@ static int hpfs_remount_fs(struct super_
 
 	if (!(*flags & MS_RDONLY)) mark_dirty(s, 1);
 
-	replace_mount_options(s, new_opts);
+	if (new_opts)
+		replace_mount_options(s, new_opts);
 
 	hpfs_unlock(s);
 	return 0;
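Review bot: the "if (new_opts)" guard only distinguishes data == NULL; a remount that passes an empty option string still gets a non-NULL copy from kstrdup() and therefore still replaces the reported options with an empty string. If the existing options should be kept in that case too, the test needs to look at new_opts[0] as well; otherwise the changelog should say that only the NULL case is preserved.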

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 264/305] block: fix use-after-free in sys_ioprio_get()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (204 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 041/305] USB: serial: option: add support for Cinterion PH8 and AHxx Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 085/305] net/mlx4_core: Fix access to uninitialized index Ben Hutchings
                   ` (99 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jens Axboe, Dmitry Vyukov, Omar Sandoval

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osandov@fb.com>

commit 8ba8682107ee2ca3347354e018865d8e1967c5f4 upstream.

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

#define _GNU_SOURCE
#include <assert.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

int main(int argc, char **argv)
{
	pid_t pid, child;
	long nproc, i;

	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
	syscall(SYS_ioprio_set, 1, 0, 0x6000);

	nproc = sysconf(_SC_NPROCESSORS_ONLN);

	for (i = 0; i < nproc; i++) {
		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				pid = fork();
				assert(pid != -1);
				if (pid == 0) {
					_exit(0);
				} else {
					child = wait(NULL);
					assert(child == pid);
				}
			}
		}

		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
				syscall(SYS_ioprio_get, 2, 0);
			}
		}
	}

	for (;;) {
		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
		syscall(SYS_ioprio_get, 2, 0);
	}

	return 0;
}

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009] 	___slab_alloc+0x55d/0x5a0
[   35.530009] 	__slab_alloc.isra.20+0x2b/0x40
[   35.530009] 	kmem_cache_alloc_node+0x84/0x200
[   35.530009] 	create_task_io_context+0x2b/0x370
[   35.530009] 	get_task_io_context+0x92/0xb0
[   35.530009] 	copy_process.part.8+0x5029/0x5660
[   35.530009] 	_do_fork+0x155/0x7e0
[   35.530009] 	SyS_clone+0x19/0x20
[   35.530009] 	do_syscall_64+0x195/0x3a0
[   35.530009] 	return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009] 	__slab_free+0x27b/0x3d0
[   35.530009] 	kmem_cache_free+0x1fb/0x220
[   35.530009] 	put_io_context+0xe7/0x120
[   35.530009] 	put_io_context_active+0x238/0x380
[   35.530009] 	exit_io_context+0x66/0x80
[   35.530009] 	do_exit+0x158e/0x2b90
[   35.530009] 	do_group_exit+0xe5/0x2b0
[   35.530009] 	SyS_exit_group+0x1d/0x20
[   35.530009] 	entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/ioprio.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/block/ioprio.c
+++ b/block/ioprio.c
@@ -149,8 +149,10 @@ static int get_task_ioprio(struct task_s
 	if (ret)
 		goto out;
 	ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
+	task_lock(p);
 	if (p->io_context)
 		ret = p->io_context->ioprio;
+	task_unlock(p);
 out:
 	return ret;
 }
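Review bot: task_lock(p) is taken only around the read in get_task_ioprio(), and the patch does not show whether the other users of p->io_context in block/ioprio.c hold it, so the set path is worth checking for the same unlocked dereference. A short comment at the lock saying that it pairs with exit_io_context() tearing down task->io_context would record why it is needed here.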

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 302/305] netfilter: x_tables: do compat validation via translate_table
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (170 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 019/305] Revert "scsi: fix soft lockup in scsi_remove_target() on module removal" Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 209/305] mm: Export migrate_page_move_mapping and migrate_page_copy Ben Hutchings
                   ` (133 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Florian Westphal

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 09d9686047dbbe1cf4faa558d3ecc4aae2046054 upstream.

This looks like refactoring, but it's also a bug fix.

Problem is that the compat path (32bit iptables, 64bit kernel) lacks a few
sanity tests that are done in the normal path.

For example, we do not check for underflows and the base chain policies.

While it's possible to also add such checks to the compat path, it's more
copy&pastry, for instance we cannot reuse check_underflow() helper as
e->target_offset differs in the compat case.

Other problem is that it makes auditing for validation errors harder; two
places need to be checked and kept in sync.

At a high level 32 bit compat works like this:
1- initial pass over blob:
   validate match/entry offsets, bounds checking
   lookup all matches and targets
   do bookkeeping wrt. size delta of 32/64bit structures
   assign match/target.u.kernel pointer (points at kernel
   implementation, needed to access ->compatsize etc.)

2- allocate memory according to the total bookkeeping size to
   contain the translated ruleset

3- second pass over original blob:
   for each entry, copy the 32bit representation to the newly allocated
   memory.  This also does any special match translations (e.g.
   adjust 32bit to 64bit longs, etc).

4- check if ruleset is free of loops (chase all jumps)

5- first pass over translated blob:
   call the checkentry function of all matches and targets.

The alternative implemented by this patch is to drop steps 3&4 from the
compat process, the translation is changed into an intermediate step
rather than a full 1:1 translate_table replacement.

In the 2nd pass (step #3), change the 64bit ruleset back to a kernel
representation, i.e. put() the kernel pointer and restore ->u.user.name .

This gets us a 64bit ruleset that is in the format generated by a 64bit
iptables userspace -- we can then use translate_table() to get the
'native' sanity checks.

This has two drawbacks:

1. we re-validate all the match and target entry structure sizes even
though compat translation is supposed to never generate bogus offsets.
2. we put and then re-lookup each match and target.

The upside is that we get all sanity tests and ruleset validations
provided by the normal path and can remove some duplicated compat code.

iptables-restore time of autogenerated ruleset with 300k chains of form
-A CHAIN0001 -m limit --limit 1/s -j CHAIN0002
-A CHAIN0002 -m limit --limit 1/s -j CHAIN0003

shows no noticeable differences in restore times:
old:   0m30.796s
new:   0m31.521s
64bit: 0m25.674s

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: deleted code is a little different]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1225,19 +1225,17 @@ static inline void compat_release_entry(
 	module_put(t->u.kernel.target->me);
 }
 
-static inline int
+static int
 check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
 				  struct xt_table_info *newinfo,
 				  unsigned int *size,
 				  const unsigned char *base,
-				  const unsigned char *limit,
-				  const unsigned int *hook_entries,
-				  const unsigned int *underflows)
+				  const unsigned char *limit)
 {
 	struct xt_entry_target *t;
 	struct xt_target *target;
 	unsigned int entry_offset;
-	int ret, off, h;
+	int ret, off;
 
 	duprintf("check_compat_entry_size_and_hooks %p\n", e);
 	if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
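Review bot: with the hook_entries and underflows parameters removed, check_compat_entry_size_and_hooks() no longer looks at hooks at all, so its name and the duprintf string now mislead anyone auditing where hook validation happens. If a rename is out of scope for a stable backport, a comment above the function saying that hook and underflow validation has moved to translate_table() would do.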
@@ -1282,17 +1280,6 @@ check_compat_entry_size_and_hooks(struct
 	if (ret)
 		goto release_target;
 
-	/* Check hooks & underflows */
-	for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
-		if ((unsigned char *)e - base == hook_entries[h])
-			newinfo->hook_entry[h] = hook_entries[h];
-		if ((unsigned char *)e - base == underflows[h])
-			newinfo->underflow[h] = underflows[h];
-	}
-
-	/* Clear counters and comefrom */
-	memset(&e->counters, 0, sizeof(e->counters));
-	e->comefrom = 0;
 	return 0;
 
 release_target:
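Review bot: along with the hook loop, this hunk drops the memset() of e->counters and the "e->comefrom = 0" reset, and nothing added in the arp_tables.c hunks replaces them. Since the compat blob comes from userspace, please confirm that both fields are cleared again on the translate_table() path before the loop check delegated to it relies on comefrom.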
@@ -1342,7 +1329,7 @@ static int translate_compat_table(struct
 	struct xt_table_info *newinfo, *info;
 	void *pos, *entry0, *entry1;
 	struct compat_arpt_entry *iter0;
-	struct arpt_entry *iter1;
+	struct arpt_replace repl;
 	unsigned int size;
 	int ret = 0;
 
@@ -1351,12 +1338,6 @@ static int translate_compat_table(struct
 	size = compatr->size;
 	info->number = compatr->num_entries;
 
-	/* Init all hooks to impossible value. */
-	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
-		info->hook_entry[i] = 0xFFFFFFFF;
-		info->underflow[i] = 0xFFFFFFFF;
-	}
-
 	duprintf("translate_compat_table: size %u\n", info->size);
 	j = 0;
 	xt_compat_lock(NFPROTO_ARP);
@@ -1365,9 +1346,7 @@ static int translate_compat_table(struct
 	xt_entry_foreach(iter0, entry0, compatr->size) {
 		ret = check_compat_entry_size_and_hooks(iter0, info, &size,
 							entry0,
-							entry0 + compatr->size,
-							compatr->hook_entry,
-							compatr->underflow);
+							entry0 + compatr->size);
 		if (ret != 0)
 			goto out_unlock;
 		++j;
@@ -1380,23 +1359,6 @@ static int translate_compat_table(struct
 		goto out_unlock;
 	}
 
-	/* Check hooks all assigned */
-	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
-		/* Only hooks which are valid */
-		if (!(compatr->valid_hooks & (1 << i)))
-			continue;
-		if (info->hook_entry[i] == 0xFFFFFFFF) {
-			duprintf("Invalid hook entry %u %u\n",
-				 i, info->hook_entry[i]);
-			goto out_unlock;
-		}
-		if (info->underflow[i] == 0xFFFFFFFF) {
-			duprintf("Invalid underflow %u %u\n",
-				 i, info->underflow[i]);
-			goto out_unlock;
-		}
-	}
-
 	ret = -ENOMEM;
 	newinfo = xt_alloc_table_info(size);
 	if (!newinfo)
@@ -1413,51 +1375,24 @@ static int translate_compat_table(struct
 	xt_entry_foreach(iter0, entry0, compatr->size)
 		compat_copy_entry_from_user(iter0, &pos, &size,
 					    newinfo, entry1);
+
+	/* all module references in entry0 are now gone */
+
 	xt_compat_flush_offsets(NFPROTO_ARP);
 	xt_compat_unlock(NFPROTO_ARP);
 
-	ret = -ELOOP;
-	if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
-		goto free_newinfo;
-
-	i = 0;
-	xt_entry_foreach(iter1, entry1, newinfo->size) {
-		ret = check_target(iter1, compatr->name);
-		if (ret != 0)
-			break;
-		++i;
-		if (strcmp(arpt_get_target(iter1)->u.user.name,
-		    XT_ERROR_TARGET) == 0)
-			++newinfo->stacksize;
-	}
-	if (ret) {
-		/*
-		 * The first i matches need cleanup_entry (calls ->destroy)
-		 * because they had called ->check already. The other j-i
-		 * entries need only release.
-		 */
-		int skip = i;
-		j -= i;
-		xt_entry_foreach(iter0, entry0, newinfo->size) {
-			if (skip-- > 0)
-				continue;
-			if (j-- == 0)
-				break;
-			compat_release_entry(iter0);
-		}
-		xt_entry_foreach(iter1, entry1, newinfo->size) {
-			if (i-- == 0)
-				break;
-			cleanup_entry(iter1);
-		}
-		xt_free_table_info(newinfo);
-		return ret;
+	memcpy(&repl, compatr, sizeof(*compatr));
+	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
+		repl.hook_entry[i] = newinfo->hook_entry[i];
+		repl.underflow[i] = newinfo->underflow[i];
 	}
 
-	/* And one copy for every other CPU */
-	for_each_possible_cpu(i)
-		if (newinfo->entries[i] && newinfo->entries[i] != entry1)
-			memcpy(newinfo->entries[i], entry1, newinfo->size);
+	repl.num_counters = 0;
+	repl.counters = NULL;
+	repl.size = newinfo->size;
+	ret = translate_table(newinfo, entry1, &repl);
+	if (ret)
+		goto free_newinfo;
 
 	*pinfo = newinfo;
 	*pentry0 = entry1;
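Review bot: repl.hook_entry[i] and repl.underflow[i] are taken from newinfo, but unlike the ip_tables.c part of this patch, which switches the seeding of newinfo->hook_entry and newinfo->underflow to compatr->hook_entry and compatr->underflow, no arp_tables.c hunk changes where newinfo gets those values, and the code that used to fill info->hook_entry is removed above. Please check that the unshown lines between the xt_alloc_table_info() call and this hunk do not still copy from info, otherwise translate_table() is handed hook offsets that were never set. Separately, memcpy(&repl, compatr, sizeof(*compatr)) depends on struct arpt_replace and the compat structure sharing their leading layout; assigning name, valid_hooks and num_entries explicitly, or a comment stating the assumption, would be safer.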
@@ -1466,17 +1401,16 @@ static int translate_compat_table(struct
 
 free_newinfo:
 	xt_free_table_info(newinfo);
-out:
+	return ret;
+out_unlock:
+	xt_compat_flush_offsets(NFPROTO_ARP);
+	xt_compat_unlock(NFPROTO_ARP);
 	xt_entry_foreach(iter0, entry0, compatr->size) {
 		if (j-- == 0)
 			break;
 		compat_release_entry(iter0);
 	}
 	return ret;
-out_unlock:
-	xt_compat_flush_offsets(NFPROTO_ARP);
-	xt_compat_unlock(NFPROTO_ARP);
-	goto out;
 }
 
 static int compat_do_replace(struct net *net, void __user *user,
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1480,16 +1480,14 @@ check_compat_entry_size_and_hooks(struct
 				  struct xt_table_info *newinfo,
 				  unsigned int *size,
 				  const unsigned char *base,
-				  const unsigned char *limit,
-				  const unsigned int *hook_entries,
-				  const unsigned int *underflows)
+				  const unsigned char *limit)
 {
 	struct xt_entry_match *ematch;
 	struct xt_entry_target *t;
 	struct xt_target *target;
 	unsigned int entry_offset;
 	unsigned int j;
-	int ret, off, h;
+	int ret, off;
 
 	duprintf("check_compat_entry_size_and_hooks %p\n", e);
 	if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
@@ -1541,17 +1539,6 @@ check_compat_entry_size_and_hooks(struct
 	if (ret)
 		goto out;
 
-	/* Check hooks & underflows */
-	for (h = 0; h < NF_INET_NUMHOOKS; h++) {
-		if ((unsigned char *)e - base == hook_entries[h])
-			newinfo->hook_entry[h] = hook_entries[h];
-		if ((unsigned char *)e - base == underflows[h])
-			newinfo->underflow[h] = underflows[h];
-	}
-
-	/* Clear counters and comefrom */
-	memset(&e->counters, 0, sizeof(e->counters));
-	e->comefrom = 0;
 	return 0;
 
 out:
@@ -1594,6 +1581,7 @@ compat_copy_entry_from_user(struct compa
 	xt_compat_target_from_user(t, dstptr, size);
 
 	de->next_offset = e->next_offset - (origsize - *size);
+
 	for (h = 0; h < NF_INET_NUMHOOKS; h++) {
 		if ((unsigned char *)de - base < newinfo->hook_entry[h])
 			newinfo->hook_entry[h] -= origsize - *size;
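Review bot: the only change in this hunk is a blank line inserted before the hook loop in compat_copy_entry_from_user(). Unless it is carried to stay identical to the upstream commit, it is unrelated whitespace churn and can be dropped from the backport.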
@@ -1603,41 +1591,6 @@ compat_copy_entry_from_user(struct compa
 }
 
 static int
-compat_check_entry(struct ipt_entry *e, struct net *net, const char *name)
-{
-	struct xt_entry_match *ematch;
-	struct xt_mtchk_param mtpar;
-	unsigned int j;
-	int ret = 0;
-
-	j = 0;
-	mtpar.net	= net;
-	mtpar.table     = name;
-	mtpar.entryinfo = &e->ip;
-	mtpar.hook_mask = e->comefrom;
-	mtpar.family    = NFPROTO_IPV4;
-	xt_ematch_foreach(ematch, e) {
-		ret = check_match(ematch, &mtpar);
-		if (ret != 0)
-			goto cleanup_matches;
-		++j;
-	}
-
-	ret = check_target(e, net, name);
-	if (ret)
-		goto cleanup_matches;
-	return 0;
-
- cleanup_matches:
-	xt_ematch_foreach(ematch, e) {
-		if (j-- == 0)
-			break;
-		cleanup_match(ematch, net);
-	}
-	return ret;
-}
-
-static int
 translate_compat_table(struct net *net,
 		       struct xt_table_info **pinfo,
 		       void **pentry0,
@@ -1647,7 +1600,7 @@ translate_compat_table(struct net *net,
 	struct xt_table_info *newinfo, *info;
 	void *pos, *entry0, *entry1;
 	struct compat_ipt_entry *iter0;
-	struct ipt_entry *iter1;
+	struct ipt_replace repl;
 	unsigned int size;
 	int ret;
 
@@ -1656,12 +1609,6 @@ translate_compat_table(struct net *net,
 	size = compatr->size;
 	info->number = compatr->num_entries;
 
-	/* Init all hooks to impossible value. */
-	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-		info->hook_entry[i] = 0xFFFFFFFF;
-		info->underflow[i] = 0xFFFFFFFF;
-	}
-
 	duprintf("translate_compat_table: size %u\n", info->size);
 	j = 0;
 	xt_compat_lock(AF_INET);
@@ -1670,9 +1617,7 @@ translate_compat_table(struct net *net,
 	xt_entry_foreach(iter0, entry0, compatr->size) {
 		ret = check_compat_entry_size_and_hooks(iter0, info, &size,
 							entry0,
-							entry0 + compatr->size,
-							compatr->hook_entry,
-							compatr->underflow);
+							entry0 + compatr->size);
 		if (ret != 0)
 			goto out_unlock;
 		++j;
@@ -1685,23 +1630,6 @@ translate_compat_table(struct net *net,
 		goto out_unlock;
 	}
 
-	/* Check hooks all assigned */
-	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-		/* Only hooks which are valid */
-		if (!(compatr->valid_hooks & (1 << i)))
-			continue;
-		if (info->hook_entry[i] == 0xFFFFFFFF) {
-			duprintf("Invalid hook entry %u %u\n",
-				 i, info->hook_entry[i]);
-			goto out_unlock;
-		}
-		if (info->underflow[i] == 0xFFFFFFFF) {
-			duprintf("Invalid underflow %u %u\n",
-				 i, info->underflow[i]);
-			goto out_unlock;
-		}
-	}
-
 	ret = -ENOMEM;
 	newinfo = xt_alloc_table_info(size);
 	if (!newinfo)
@@ -1709,8 +1637,8 @@ translate_compat_table(struct net *net,
 
 	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-		newinfo->hook_entry[i] = info->hook_entry[i];
-		newinfo->underflow[i] = info->underflow[i];
+		newinfo->hook_entry[i] = compatr->hook_entry[i];
+		newinfo->underflow[i] = compatr->underflow[i];
 	}
 	entry1 = newinfo->entries[raw_smp_processor_id()];
 	pos = entry1;
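
Review bot: newinfo->hook_entry[i] and newinfo->underflow[i] are now filled straight from compatr, at a point where nothing in this function has validated those offsets any more (the "Check hooks all assigned" loop is removed in the previous hunk). That is fine only as long as nothing reads them before the translate_table() call added further down; a one-line comment here saying the values are unvalidated until translate_table() has run would keep a later change from using them early.
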
@@ -1719,51 +1647,29 @@ translate_compat_table(struct net *net,
 		compat_copy_entry_from_user(iter0, &pos, &size,
 					    newinfo, entry1);
 
+	/* all module references in entry0 are now gone.
+	 * entry1/newinfo contains a 64bit ruleset that looks exactly as
+	 * generated by 64bit userspace.
+	 *
+	 * Call standard translate_table() to validate all hook_entrys,
+	 * underflows, check for loops, etc.
+	 */
 	xt_compat_flush_offsets(AF_INET);
 	xt_compat_unlock(AF_INET);
 
-	ret = -ELOOP;
-	if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
-		goto free_newinfo;
+	memcpy(&repl, compatr, sizeof(*compatr));
 
-	i = 0;
-	xt_entry_foreach(iter1, entry1, newinfo->size) {
-		ret = compat_check_entry(iter1, net, compatr->name);
-		if (ret != 0)
-			break;
-		++i;
-		if (strcmp(ipt_get_target(iter1)->u.user.name,
-		    XT_ERROR_TARGET) == 0)
-			++newinfo->stacksize;
-	}
-	if (ret) {
-		/*
-		 * The first i matches need cleanup_entry (calls ->destroy)
-		 * because they had called ->check already. The other j-i
-		 * entries need only release.
-		 */
-		int skip = i;
-		j -= i;
-		xt_entry_foreach(iter0, entry0, newinfo->size) {
-			if (skip-- > 0)
-				continue;
-			if (j-- == 0)
-				break;
-			compat_release_entry(iter0);
-		}
-		xt_entry_foreach(iter1, entry1, newinfo->size) {
-			if (i-- == 0)
-				break;
-			cleanup_entry(iter1, net);
-		}
-		xt_free_table_info(newinfo);
-		return ret;
+	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
+		repl.hook_entry[i] = newinfo->hook_entry[i];
+		repl.underflow[i] = newinfo->underflow[i];
 	}
 
-	/* And one copy for every other CPU */
-	for_each_possible_cpu(i)
-		if (newinfo->entries[i] && newinfo->entries[i] != entry1)
-			memcpy(newinfo->entries[i], entry1, newinfo->size);
+	repl.num_counters = 0;
+	repl.counters = NULL;
+	repl.size = newinfo->size;
+	ret = translate_table(net, newinfo, entry1, &repl);
+	if (ret)
+		goto free_newinfo;
 
 	*pinfo = newinfo;
 	*pentry0 = entry1;
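
Review bot: memcpy(&repl, compatr, sizeof(*compatr)) sizes the copy by the source type while the destination is a struct ipt_replace, so any field not reassigned afterwards is only correct if the two layouts agree on their leading members. The hunk reassigns hook_entry, underflow, num_counters, counters and size; whatever else translate_table() reads from repl is inherited from that raw copy. Either assign those fields explicitly or add a comment (ideally a BUILD_BUG_ON on the offsets) stating the layout assumption.
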
@@ -1772,17 +1678,16 @@ translate_compat_table(struct net *net,
 
 free_newinfo:
 	xt_free_table_info(newinfo);
-out:
+	return ret;
+out_unlock:
+	xt_compat_flush_offsets(AF_INET);
+	xt_compat_unlock(AF_INET);
 	xt_entry_foreach(iter0, entry0, compatr->size) {
 		if (j-- == 0)
 			break;
 		compat_release_entry(iter0);
 	}
 	return ret;
-out_unlock:
-	xt_compat_flush_offsets(AF_INET);
-	xt_compat_unlock(AF_INET);
-	goto out;
 }
 
 static int
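
Review bot: the free_newinfo label now returns without walking entry0 with compat_release_entry(), so it is correct only if every jump to it happens after the compat_copy_entry_from_user() loop has dropped the module references. The jump added in this patch (translate_table() failing) satisfies that, but the precondition is stated only in a comment far above; a short comment on the label itself would help, since out_unlock directly below does still release the entries.
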
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1492,16 +1492,14 @@ check_compat_entry_size_and_hooks(struct
 				  struct xt_table_info *newinfo,
 				  unsigned int *size,
 				  const unsigned char *base,
-				  const unsigned char *limit,
-				  const unsigned int *hook_entries,
-				  const unsigned int *underflows)
+				  const unsigned char *limit)
 {
 	struct xt_entry_match *ematch;
 	struct xt_entry_target *t;
 	struct xt_target *target;
 	unsigned int entry_offset;
 	unsigned int j;
-	int ret, off, h;
+	int ret, off;
 
 	duprintf("check_compat_entry_size_and_hooks %p\n", e);
 	if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
@@ -1554,17 +1552,6 @@ check_compat_entry_size_and_hooks(struct
 	if (ret)
 		goto out;
 
-	/* Check hooks & underflows */
-	for (h = 0; h < NF_INET_NUMHOOKS; h++) {
-		if ((unsigned char *)e - base == hook_entries[h])
-			newinfo->hook_entry[h] = hook_entries[h];
-		if ((unsigned char *)e - base == underflows[h])
-			newinfo->underflow[h] = underflows[h];
-	}
-
-	/* Clear counters and comefrom */
-	memset(&e->counters, 0, sizeof(e->counters));
-	e->comefrom = 0;
 	return 0;
 
 out:
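
Review bot: the removed memset(&e->counters, 0, sizeof(e->counters)) and e->comefrom = 0 at the end of check_compat_entry_size_and_hooks() were the only place in this function that cleared those user-supplied fields, and nothing in the visible hunks replaces them. Please confirm in the changelog or a comment that the translate_table() path this patch switches to resets counters and comefrom before check_match() and mark_source_chains() consume them.
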
@@ -1613,41 +1600,6 @@ compat_copy_entry_from_user(struct compa
 	}
 }
 
-static int compat_check_entry(struct ip6t_entry *e, struct net *net,
-			      const char *name)
-{
-	unsigned int j;
-	int ret = 0;
-	struct xt_mtchk_param mtpar;
-	struct xt_entry_match *ematch;
-
-	j = 0;
-	mtpar.net	= net;
-	mtpar.table     = name;
-	mtpar.entryinfo = &e->ipv6;
-	mtpar.hook_mask = e->comefrom;
-	mtpar.family    = NFPROTO_IPV6;
-	xt_ematch_foreach(ematch, e) {
-		ret = check_match(ematch, &mtpar);
-		if (ret != 0)
-			goto cleanup_matches;
-		++j;
-	}
-
-	ret = check_target(e, net, name);
-	if (ret)
-		goto cleanup_matches;
-	return 0;
-
- cleanup_matches:
-	xt_ematch_foreach(ematch, e) {
-		if (j-- == 0)
-			break;
-		cleanup_match(ematch, net);
-	}
-	return ret;
-}
-
 static int
 translate_compat_table(struct net *net,
 		       struct xt_table_info **pinfo,
@@ -1658,7 +1610,7 @@ translate_compat_table(struct net *net,
 	struct xt_table_info *newinfo, *info;
 	void *pos, *entry0, *entry1;
 	struct compat_ip6t_entry *iter0;
-	struct ip6t_entry *iter1;
+	struct ip6t_replace repl;
 	unsigned int size;
 	int ret = 0;
 
@@ -1667,12 +1619,6 @@ translate_compat_table(struct net *net,
 	size = compatr->size;
 	info->number = compatr->num_entries;
 
-	/* Init all hooks to impossible value. */
-	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-		info->hook_entry[i] = 0xFFFFFFFF;
-		info->underflow[i] = 0xFFFFFFFF;
-	}
-
 	duprintf("translate_compat_table: size %u\n", info->size);
 	j = 0;
 	xt_compat_lock(AF_INET6);
@@ -1681,9 +1627,7 @@ translate_compat_table(struct net *net,
 	xt_entry_foreach(iter0, entry0, compatr->size) {
 		ret = check_compat_entry_size_and_hooks(iter0, info, &size,
 							entry0,
-							entry0 + compatr->size,
-							compatr->hook_entry,
-							compatr->underflow);
+							entry0 + compatr->size);
 		if (ret != 0)
 			goto out_unlock;
 		++j;
@@ -1696,23 +1640,6 @@ translate_compat_table(struct net *net,
 		goto out_unlock;
 	}
 
-	/* Check hooks all assigned */
-	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-		/* Only hooks which are valid */
-		if (!(compatr->valid_hooks & (1 << i)))
-			continue;
-		if (info->hook_entry[i] == 0xFFFFFFFF) {
-			duprintf("Invalid hook entry %u %u\n",
-				 i, info->hook_entry[i]);
-			goto out_unlock;
-		}
-		if (info->underflow[i] == 0xFFFFFFFF) {
-			duprintf("Invalid underflow %u %u\n",
-				 i, info->underflow[i]);
-			goto out_unlock;
-		}
-	}
-
 	ret = -ENOMEM;
 	newinfo = xt_alloc_table_info(size);
 	if (!newinfo)
@@ -1720,60 +1647,33 @@ translate_compat_table(struct net *net,
 
 	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-		newinfo->hook_entry[i] = info->hook_entry[i];
-		newinfo->underflow[i] = info->underflow[i];
+		newinfo->hook_entry[i] = compatr->hook_entry[i];
+		newinfo->underflow[i] = compatr->underflow[i];
 	}
 	entry1 = newinfo->entries[raw_smp_processor_id()];
 	pos = entry1;
+	size = compatr->size;
 	xt_entry_foreach(iter0, entry0, compatr->size)
 		compat_copy_entry_from_user(iter0, &pos, &size,
 					    newinfo, entry1);
 
+	/* all module references in entry0 are now gone. */
 	xt_compat_flush_offsets(AF_INET6);
 	xt_compat_unlock(AF_INET6);
 
-	ret = -ELOOP;
-	if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
-		goto free_newinfo;
+	memcpy(&repl, compatr, sizeof(*compatr));
 
-	i = 0;
-	xt_entry_foreach(iter1, entry1, newinfo->size) {
-		ret = compat_check_entry(iter1, net, compatr->name);
-		if (ret != 0)
-			break;
-		++i;
-		if (strcmp(ip6t_get_target(iter1)->u.user.name,
-		    XT_ERROR_TARGET) == 0)
-			++newinfo->stacksize;
-	}
-	if (ret) {
-		/*
-		 * The first i matches need cleanup_entry (calls ->destroy)
-		 * because they had called ->check already. The other j-i
-		 * entries need only release.
-		 */
-		int skip = i;
-		j -= i;
-		xt_entry_foreach(iter0, entry0, newinfo->size) {
-			if (skip-- > 0)
-				continue;
-			if (j-- == 0)
-				break;
-			compat_release_entry(iter0);
-		}
-		xt_entry_foreach(iter1, entry1, newinfo->size) {
-			if (i-- == 0)
-				break;
-			cleanup_entry(iter1, net);
-		}
-		xt_free_table_info(newinfo);
-		return ret;
+	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
+		repl.hook_entry[i] = newinfo->hook_entry[i];
+		repl.underflow[i] = newinfo->underflow[i];
 	}
 
-	/* And one copy for every other CPU */
-	for_each_possible_cpu(i)
-		if (newinfo->entries[i] && newinfo->entries[i] != entry1)
-			memcpy(newinfo->entries[i], entry1, newinfo->size);
+	repl.num_counters = 0;
+	repl.counters = NULL;
+	repl.size = newinfo->size;
+	ret = translate_table(net, newinfo, entry1, &repl);
+	if (ret)
+		goto free_newinfo;
 
 	*pinfo = newinfo;
 	*pentry0 = entry1;
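
Review bot: the comment added before xt_compat_flush_offsets(AF_INET6) stops at "all module references in entry0 are now gone.", while the ip_tables.c version in this same patch goes on to explain that translate_table() is called to validate hook entries, underflows and loops. Mirror the full comment here so the two files stay comparable. Separately, the added "size = compatr->size;" before the copy loop is a functional change in this file (size was previously handed by pointer to check_compat_entry_size_and_hooks() and then reused); it deserves a line in the changelog.
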
@@ -1782,17 +1682,16 @@ translate_compat_table(struct net *net,
 
 free_newinfo:
 	xt_free_table_info(newinfo);
-out:
+	return ret;
+out_unlock:
+	xt_compat_flush_offsets(AF_INET6);
+	xt_compat_unlock(AF_INET6);
 	xt_entry_foreach(iter0, entry0, compatr->size) {
 		if (j-- == 0)
 			break;
 		compat_release_entry(iter0);
 	}
 	return ret;
-out_unlock:
-	xt_compat_flush_offsets(AF_INET6);
-	xt_compat_unlock(AF_INET6);
-	goto out;
 }
 
 static int
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -552,6 +552,7 @@ void xt_compat_match_from_user(struct xt
 	struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
 	int pad, off = xt_compat_match_offset(match);
 	u_int16_t msize = cm->u.user.match_size;
+	char name[sizeof(m->u.user.name)];
 
 	m = *dstptr;
 	memcpy(m, cm, sizeof(*cm));
@@ -565,6 +566,9 @@ void xt_compat_match_from_user(struct xt
 
 	msize += off;
 	m->u.user.match_size = msize;
+	strlcpy(name, match->name, sizeof(name));
+	module_put(match->me);
+	strncpy(m->u.user.name, name, sizeof(m->u.user.name));
 
 	*size += off;
 	*dstptr += msize;
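
Review bot: nothing in xt_compat_match_from_user() explains why the name is bounced through the on-stack name[] buffer before module_put(match->me). The ordering matters because match->name must not be dereferenced once the module reference is dropped, and the strncpy() into m->u.user.name also overwrites whatever bytes userspace supplied there. A two-line comment above the strlcpy() would stop someone from "simplifying" this into a direct copy after the put.
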
@@ -782,6 +786,7 @@ void xt_compat_target_from_user(struct x
 	struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
 	int pad, off = xt_compat_target_offset(target);
 	u_int16_t tsize = ct->u.user.target_size;
+	char name[sizeof(t->u.user.name)];
 
 	t = *dstptr;
 	memcpy(t, ct, sizeof(*ct));
@@ -795,6 +800,9 @@ void xt_compat_target_from_user(struct x
 
 	tsize += off;
 	t->u.user.target_size = tsize;
+	strlcpy(name, target->name, sizeof(name));
+	module_put(target->me);
+	strncpy(t->u.user.name, name, sizeof(t->u.user.name));
 
 	*size += off;
 	*dstptr += tsize;
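
Review bot: the strlcpy()/module_put()/strncpy() sequence added to xt_compat_target_from_user() is a line-for-line copy of the one added to xt_compat_match_from_user() above, differing only in the struct being written. Consider a small static helper taking the destination name buffer, the kernel-side name and the module pointer, so the ordering constraint lives in one place.
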


* [PATCH 3.16 174/305] usb: quirks: Fix sorting
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (242 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 299/305] netfilter: ip_tables: simplify translate_compat_table args Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 203/305] can: at91_can: RX queue could get stuck at high bus load Ben Hutchings
                   ` (61 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Hans de Goede

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 81099f97bd31e25ff2719a435b1860fc3876122f upstream.

Properly sort all the entries by vendor id.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -44,6 +44,9 @@ static const struct usb_device_id usb_qu
 	/* Creative SB Audigy 2 NX */
 	{ USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* USB3503 */
+	{ USB_DEVICE(0x0424, 0x3503), .driver_info = USB_QUIRK_RESET_RESUME },
+
 	/* Microsoft Wireless Laser Mouse 6000 Receiver */
 	{ USB_DEVICE(0x045e, 0x00e1), .driver_info = USB_QUIRK_RESET_RESUME },
 
@@ -167,6 +170,10 @@ static const struct usb_device_id usb_qu
 	/* MAYA44USB sound device */
 	{ USB_DEVICE(0x0a92, 0x0091), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* ASUS Base Station(T100) */
+	{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
+			USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+
 	/* Action Semiconductor flash disk */
 	{ USB_DEVICE(0x10d6, 0x2200), .driver_info =
 			USB_QUIRK_STRING_FETCH_255 },
@@ -182,16 +189,6 @@ static const struct usb_device_id usb_qu
 	{ USB_DEVICE(0x1908, 0x1315), .driver_info =
 			USB_QUIRK_HONOR_BNUMINTERFACES },
 
-	/* INTEL VALUE SSD */
-	{ USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
-
-	/* USB3503 */
-	{ USB_DEVICE(0x0424, 0x3503), .driver_info = USB_QUIRK_RESET_RESUME },
-
-	/* ASUS Base Station(T100) */
-	{ USB_DEVICE(0x0b05, 0x17e0), .driver_info =
-			USB_QUIRK_IGNORE_REMOTE_WAKEUP },
-
 	/* Protocol and OTG Electrical Test Device */
 	{ USB_DEVICE(0x1a0a, 0x0200), .driver_info =
 			USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
@@ -202,6 +199,9 @@ static const struct usb_device_id usb_qu
 	/* Blackmagic Design UltraStudio SDI */
 	{ USB_DEVICE(0x1edb, 0xbd4f), .driver_info = USB_QUIRK_NO_LPM },
 
+	/* INTEL VALUE SSD */
+	{ USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+
 	{ }  /* terminating entry must be last */
 };
 


* [PATCH 3.16 037/305] Revert "tty: Fix pty master poll() after slave closes v2"
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (240 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 235/305] powerpc/tm: Always reclaim in start_thread() for exec() class syscalls Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 299/305] netfilter: ip_tables: simplify translate_compat_table args Ben Hutchings
                   ` (63 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Greg Kroah-Hartman, Francesco Ruggeri, Peter Hurley

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit 2ce3c10c0c3e0d418c1a7a4c838319ba42c75388 upstream.

This reverts commit c4dc304677e8d566572c4738d95c48be150c6606.
This fix is superseded by commit 52bce7f8d4fc633c9a9d0646eef58ba6ae9a3b73,
'pty, n_tty: Simplify input processing on final close'.

The final close now waits for input processing to complete before
destroying the pty, so poll() does not need to special case this
condition.

Cc: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/n_tty.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2465,17 +2465,12 @@ static unsigned int n_tty_poll(struct tt
 
 	poll_wait(file, &tty->read_wait, wait);
 	poll_wait(file, &tty->write_wait, wait);
-	if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
-		mask |= POLLHUP;
 	if (input_available_p(tty, 1))
 		mask |= POLLIN | POLLRDNORM;
-	else if (mask & POLLHUP) {
-		tty_flush_to_ldisc(tty);
-		if (input_available_p(tty, 1))
-			mask |= POLLIN | POLLRDNORM;
-	}
 	if (tty->packet && tty->link->ctrl_status)
 		mask |= POLLPRI | POLLIN | POLLRDNORM;
+	if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
+		mask |= POLLHUP;
 	if (tty_hung_up_p(file))
 		mask |= POLLHUP;
 	if (!(mask & (POLLHUP | POLLIN | POLLRDNORM))) {
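
Review bot: removing the "else if (mask & POLLHUP)" branch takes the tty_flush_to_ldisc() retry out of n_tty_poll(), and the commit message justifies that only by reference to commit 52bce7f8d4fc633c9a9d0646eef58ba6ae9a3b73. For a stable backport, please confirm that commit is already in 3.16.y or queued earlier in this series; otherwise this revert removes the original fix without its replacement. Minor: the two adjacent tests that both do "mask |= POLLHUP;" could be merged into one condition.
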


* [PATCH 3.16 226/305] nfsd: check permissions when setting ACLs
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (60 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 058/305] USB: serial: keyspan: fix use-after-free in probe error path Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 291/305] netfilter: x_tables: kill check_entry helper Ben Hutchings
                   ` (243 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Sinquin, Christoph Hellwig, J. Bruce Fields, Al Viro

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit 999653786df6954a31044528ac3f7a5dadca08f4 upstream.

Use set_posix_acl, which includes proper permission checks, instead of
calling ->set_acl directly.  Without this anyone may be able to grant
themselves permissions to a file by setting the ACL.

Lock the inode to make the new checks atomic with respect to set_acl.
(Also, nfsd was the only caller of set_acl not locking the inode, so I
suspect this may fix other races.)

This also simplifies the code, and ensures our ACLs are checked by
posix_acl_valid.

The permission checks and the inode locking were lost with commit
4ac7249e, which changed nfsd to use the set_acl inode operation directly
instead of going through xattr handlers.

Reported-by: David Sinquin <david@sinquin.eu>
[agreunba@redhat.com: use set_posix_acl]
Fixes: 4ac7249e
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
[carnil: backport for 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfsd/nfs2acl.c | 20 ++++++++++----------
 fs/nfsd/nfs3acl.c | 16 +++++++---------
 fs/nfsd/nfs4acl.c | 16 ++++++++--------
 3 files changed, 25 insertions(+), 27 deletions(-)

--- a/fs/nfsd/nfs2acl.c
+++ b/fs/nfsd/nfs2acl.c
@@ -104,22 +104,21 @@ static __be32 nfsacld_proc_setacl(struct
 		goto out;
 
 	inode = fh->fh_dentry->d_inode;
-	if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
-		error = -EOPNOTSUPP;
-		goto out_errno;
-	}
 
 	error = fh_want_write(fh);
 	if (error)
 		goto out_errno;
 
-	error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
+	fh_lock(fh);
+
+	error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
 	if (error)
-		goto out_drop_write;
-	error = inode->i_op->set_acl(inode, argp->acl_default,
-				     ACL_TYPE_DEFAULT);
+		goto out_drop_lock;
+	error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
 	if (error)
-		goto out_drop_write;
+		goto out_drop_lock;
+
+	fh_unlock(fh);
 
 	fh_drop_write(fh);
 
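
Review bot: set_posix_acl() is called in nfsacld_proc_setacl() but is not introduced by this patch (the diffstat touches only the three fs/nfsd files), so the backport depends on another patch providing it; please confirm it is applied earlier in the series. The removed "!IS_POSIXACL(inode) || !inode->i_op->set_acl" test returned -EOPNOTSUPP before fh_want_write(); with it gone, that case is now decided inside set_posix_acl() after the write reference and fh_lock() are taken, so it is worth checking that the same error is still returned. Note also that the argument order flips from (inode, acl, type) to (inode, type, acl).
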
@@ -131,7 +130,8 @@ out:
 	posix_acl_release(argp->acl_access);
 	posix_acl_release(argp->acl_default);
 	return nfserr;
-out_drop_write:
+out_drop_lock:
+	fh_unlock(fh);
 	fh_drop_write(fh);
 out_errno:
 	nfserr = nfserrno(error);
--- a/fs/nfsd/nfs3acl.c
+++ b/fs/nfsd/nfs3acl.c
@@ -95,22 +95,20 @@ static __be32 nfsd3_proc_setacl(struct s
 		goto out;
 
 	inode = fh->fh_dentry->d_inode;
-	if (!IS_POSIXACL(inode) || !inode->i_op->set_acl) {
-		error = -EOPNOTSUPP;
-		goto out_errno;
-	}
 
 	error = fh_want_write(fh);
 	if (error)
 		goto out_errno;
 
-	error = inode->i_op->set_acl(inode, argp->acl_access, ACL_TYPE_ACCESS);
+	fh_lock(fh);
+
+	error = set_posix_acl(inode, ACL_TYPE_ACCESS, argp->acl_access);
 	if (error)
-		goto out_drop_write;
-	error = inode->i_op->set_acl(inode, argp->acl_default,
-				     ACL_TYPE_DEFAULT);
+		goto out_drop_lock;
+	error = set_posix_acl(inode, ACL_TYPE_DEFAULT, argp->acl_default);
 
-out_drop_write:
+out_drop_lock:
+	fh_unlock(fh);
 	fh_drop_write(fh);
 out_errno:
 	nfserr = nfserrno(error);
--- a/fs/nfsd/nfs4acl.c
+++ b/fs/nfsd/nfs4acl.c
@@ -822,9 +822,6 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
 	dentry = fhp->fh_dentry;
 	inode = dentry->d_inode;
 
-	if (!inode->i_op->set_acl || !IS_POSIXACL(inode))
-		return nfserr_attrnotsupp;
-
 	if (S_ISDIR(inode->i_mode))
 		flags = NFS4_ACL_DIR;
 
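
Review bot: the early "return nfserr_attrnotsupp;" in nfsd4_set_nfs4_acl() is dropped, so an inode without POSIX ACL support now fails later with whatever host_error set_posix_acl() returns and is translated at out_nfserr, which is outside the visible context. Please confirm that path still maps the unsupported case to nfserr_attrnotsupp, since NFSv4 clients see a different status otherwise.
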
@@ -834,16 +831,19 @@ nfsd4_set_nfs4_acl(struct svc_rqst *rqst
 	if (host_error < 0)
 		goto out_nfserr;
 
-	host_error = inode->i_op->set_acl(inode, pacl, ACL_TYPE_ACCESS);
+	fh_lock(fhp);
+
+	host_error = set_posix_acl(inode, ACL_TYPE_ACCESS, pacl);
 	if (host_error < 0)
-		goto out_release;
+		goto out_drop_lock;
 
 	if (S_ISDIR(inode->i_mode)) {
-		host_error = inode->i_op->set_acl(inode, dpacl,
-						  ACL_TYPE_DEFAULT);
+		host_error = set_posix_acl(inode, ACL_TYPE_DEFAULT, dpacl);
 	}
 
-out_release:
+out_drop_lock:
+	fh_unlock(fhp);
+
 	posix_acl_release(pacl);
 	posix_acl_release(dpacl);
 out_nfserr:


* [PATCH 3.16 195/305] base: make module_create_drivers_dir race-free
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (214 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 069/305] powerpc/mm/hash64: Factor out hash preload psize check Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 164/305] iio: proximity: as3935: remove triggered buffer processing Ben Hutchings
                   ` (89 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Jiri Slaby

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 7e1b1fc4dabd6ec8e28baa0708866e13fa93c9b3 upstream.

Modules which register drivers via standard path (driver_register) in
parallel can cause a warning:
WARNING: CPU: 2 PID: 3492 at ../fs/sysfs/dir.c:31 sysfs_warn_dup+0x62/0x80
sysfs: cannot create duplicate filename '/module/saa7146/drivers'
Modules linked in: hexium_gemini(+) mxb(+) ...
...
Call Trace:
...
 [<ffffffff812e63a2>] sysfs_warn_dup+0x62/0x80
 [<ffffffff812e6487>] sysfs_create_dir_ns+0x77/0x90
 [<ffffffff8140f2c4>] kobject_add_internal+0xb4/0x340
 [<ffffffff8140f5b8>] kobject_add+0x68/0xb0
 [<ffffffff8140f631>] kobject_create_and_add+0x31/0x70
 [<ffffffff8157a703>] module_add_driver+0xc3/0xd0
 [<ffffffff8155e5d4>] bus_add_driver+0x154/0x280
 [<ffffffff815604c0>] driver_register+0x60/0xe0
 [<ffffffff8145bed0>] __pci_register_driver+0x60/0x70
 [<ffffffffa0273e14>] saa7146_register_extension+0x64/0x90 [saa7146]
 [<ffffffffa0033011>] hexium_init_module+0x11/0x1000 [hexium_gemini]
...

As can be (mostly) seen, driver_register causes this call sequence:
  -> bus_add_driver
    -> module_add_driver
      -> module_create_drivers_dir
The last one creates "drivers" directory in /sys/module/<...>. When
this is done in parallel, the directory is attempted to be created
twice at the same time.

This can be easily reproduced by loading mxb and hexium_gemini in
parallel:
while :; do
  modprobe mxb &
  modprobe hexium_gemini
  wait
  rmmod mxb hexium_gemini saa7146_vv saa7146
done

saa7146 calls pci_register_driver for both mxb and hexium_gemini,
which means /sys/module/saa7146/drivers is to be created for both of
them.

Fix this by a new mutex in module_create_drivers_dir which makes the
test-and-create "drivers" dir atomic.

I inverted the condition and removed 'return' to avoid multiple
unlocks or a goto.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Fixes: fe480a2675ed (Modules: only add drivers/ direcory if needed)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/module.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/base/module.c
+++ b/drivers/base/module.c
@@ -24,10 +24,12 @@ static char *make_driver_name(struct dev
 
 static void module_create_drivers_dir(struct module_kobject *mk)
 {
-	if (!mk || mk->drivers_dir)
-		return;
+	static DEFINE_MUTEX(drivers_dir_mutex);
 
-	mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj);
+	mutex_lock(&drivers_dir_mutex);
+	if (mk && !mk->drivers_dir)
+		mk->drivers_dir = kobject_create_and_add("drivers", &mk->kobj);
+	mutex_unlock(&drivers_dir_mutex);
 }
 
 void module_add_driver(struct module *mod, struct device_driver *drv)
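
Review bot: drivers_dir_mutex is taken before the "mk" NULL test in module_create_drivers_dir(), so callers with no module kobject also serialise on this single global lock. Testing mk before mutex_lock() and keeping only the "!mk->drivers_dir" test inside the critical section avoids that without reintroducing the race. A short comment on the static mutex saying it makes the test-and-create of "drivers" atomic would also help, since that rationale currently lives only in the changelog.
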


* [PATCH 3.16 086/305] x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (208 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 205/305] arm64: mm: remove page_mapping check in __sync_icache_dcache Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 154/305] of: fix autoloading due to broken modalias with no 'compatible' Ben Hutchings
                   ` (95 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Bjorn Helgaas, H. Peter Anvin, Prarit Bhargava,
	Ingo Molnar, Thomas Gleixner, Andi Kleen

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Prarit Bhargava <prarit@redhat.com>

commit da77b67195de1c65bef4908fa29967c4d0af2da2 upstream.

Commit b894157145e4 ("x86/PCI: Mark Broadwell-EP Home Agent & PCU as having
non-compliant BARs") marked Home Agent 0 & PCU as having non-compliant
BARs.  Home Agent 1 also has non-compliant BARs.

Mark Home Agent 1 as having non-compliant BARs so the PCI core doesn't
touch them.

The problem with these devices is documented in the Xeon v4 specification
update:

  BDF2          PCI BARs in the Home Agent Will Return Non-Zero Values
                During Enumeration

  Problem:      During system initialization the Operating System may access
                the standard PCI BARs (Base Address Registers).  Due to
                this erratum, accesses to the Home Agent BAR registers (Bus
                1; Device 18; Function 0,4; Offsets (0x14-0x24) will return
                non-zero values.

  Implication:  The operating system may issue a warning.  Intel has not
                observed any functional failures due to this erratum.

Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
Fixes: b894157145e4 ("x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs")
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Thomas Gleixner <tglx@linutronix.de>
CC: Ingo Molnar <mingo@redhat.com>
CC: "H. Peter Anvin" <hpa@zytor.com>
CC: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/pci/fixup.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/pci/fixup.c
+++ b/arch/x86/pci/fixup.c
@@ -554,9 +554,16 @@ static void twinhead_reserve_killing_zon
 }
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone);
 
+/*
+ * Broadwell EP Home Agent BARs erroneously return non-zero values when read.
+ *
+ * See http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v4-spec-update.html
+ * entry BDF2.
+ */
 static void pci_bdwep_bar(struct pci_dev *dev)
 {
 	dev->non_compliant_bars = 1;
 }
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6f60, pci_bdwep_bar);
 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_bdwep_bar);
 DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_bdwep_bar);
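
Review bot: the three DECLARE_PCI_FIXUP_EARLY() lines carry bare device IDs (0x6f60, 0x6fa0, 0x6fc0) and the new block comment speaks only of "Home Agent BARs", so the source does not say which ID is Home Agent 0, Home Agent 1 or the PCU that the changelog mentions. A trailing comment on each line naming the device would make the next addition or removal reviewable without the spec update to hand.
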


* [PATCH 3.16 031/305] arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (115 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 004/305] serial: doc: Un-document non-existing uart_write_console() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 158/305] net/mlx5: Fix the size of modify QP mailbox Ben Hutchings
                   ` (188 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Christoffer Dall, Marc Zyngier

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marc Zyngier <marc.zyngier@arm.com>

commit d4b9e0790aa764c0b01e18d4e8d33e93ba36d51f upstream.

The ARM architecture mandates that when changing a page table entry
from a valid entry to another valid entry, an invalid entry is first
written, the TLB invalidated, and only then the new entry written.

The current code doesn't respect this, directly writing the new
entry and only then invalidating TLBs. Let's fix it up.

Reported-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kvm/mmu.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -682,11 +682,14 @@ static int stage2_set_pmd_huge(struct kv
 	VM_BUG_ON(pmd_present(*pmd) && pmd_pfn(*pmd) != pmd_pfn(*new_pmd));
 
 	old_pmd = *pmd;
-	kvm_set_pmd(pmd, *new_pmd);
-	if (pmd_present(old_pmd))
+	if (pmd_present(old_pmd)) {
+		pmd_clear(pmd);
 		kvm_tlb_flush_vmid_ipa(kvm, addr);
-	else
+	} else {
 		get_page(virt_to_page(pmd));
+	}
+
+	kvm_set_pmd(pmd, *new_pmd);
 	return 0;
 }
 
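
Review bot: the "break" step in stage2_set_pmd_huge() uses pmd_clear(pmd), whereas stage2_set_pte() in the next hunk writes the invalid entry with kvm_set_pte(pte, __pte(0)). If kvm_set_pmd() does anything beyond the plain store (for example making the write visible to the page-table walker), the invalid PMD should go through the same helper before kvm_tlb_flush_vmid_ipa(); otherwise please add a comment saying why pmd_clear() is sufficient here.
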
@@ -723,12 +726,14 @@ static int stage2_set_pte(struct kvm *kv
 
 	/* Create 2nd stage page table mapping - Level 3 */
 	old_pte = *pte;
-	kvm_set_pte(pte, *new_pte);
-	if (pte_present(old_pte))
+	if (pte_present(old_pte)) {
+		kvm_set_pte(pte, __pte(0));
 		kvm_tlb_flush_vmid_ipa(kvm, addr);
-	else
+	} else {
 		get_page(virt_to_page(pte));
+	}
 
+	kvm_set_pte(pte, *new_pte);
 	return 0;
 }
 
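
Review bot: the ordering in stage2_set_pte() (write invalid entry, kvm_tlb_flush_vmid_ipa(), then write *new_pte) is an architectural requirement that is explained only in the changelog. Add a short comment above "if (pte_present(old_pte))" naming break-before-make, so the two kvm_set_pte() calls are not later collapsed back into one as an apparent cleanup.
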


* [PATCH 3.16 185/305] spi: sun4i: fix FIFO limit
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (293 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 198/305] KEYS: potential uninitialized variable Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 162/305] mfd: omap-usb-tll: Fix scheduling while atomic BUG Ben Hutchings
                   ` (10 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michal Suchanek, Maxime Ripard, Mark Brown

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Suchanek <hramrach@gmail.com>

commit 6d9fe44bd73d567d04d3a68a2d2fa521ab9532f2 upstream.

When testing SPI without DMA I noticed that filling the FIFO on the
spi controller causes timeout.

Always leave room for one byte in the FIFO.

Signed-off-by: Michal Suchanek <hramrach@gmail.com>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/spi/spi-sun4i.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -176,7 +176,10 @@ static int sun4i_spi_transfer_one(struct
 
 	/* We don't support transfer larger than the FIFO */
 	if (tfr->len > SUN4I_FIFO_DEPTH)
-		return -EINVAL;
+		return -EMSGSIZE;
+
+	if (tfr->tx_buf && tfr->len >= SUN4I_FIFO_DEPTH)
+		return -EMSGSIZE;
 
 	reinit_completion(&sspi->done);
 	sspi->tx_buf = tfr->tx_buf;
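
Review bot: the existing comment "We don't support transfer larger than the FIFO" no longer describes the checks below it, because the added "tfr->tx_buf && tfr->len >= SUN4I_FIFO_DEPTH" test also rejects a TX transfer of exactly SUN4I_FIFO_DEPTH bytes. Update the comment to state the TX limit of depth minus one. The return value for the existing check also changes from -EINVAL to -EMSGSIZE, which the changelog does not mention; say so there, as callers may key on the errno.
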
@@ -269,8 +272,12 @@ static int sun4i_spi_transfer_one(struct
 	sun4i_spi_write(sspi, SUN4I_BURST_CNT_REG, SUN4I_BURST_CNT(tfr->len));
 	sun4i_spi_write(sspi, SUN4I_XMIT_CNT_REG, SUN4I_XMIT_CNT(tx_len));
 
-	/* Fill the TX FIFO */
-	sun4i_spi_fill_fifo(sspi, SUN4I_FIFO_DEPTH);
+	/*
+	 * Fill the TX FIFO
+	 * Filling the FIFO fully causes timeout for some reason
+	 * at least on spi2 on A10s
+	 */
+	sun4i_spi_fill_fifo(sspi, SUN4I_FIFO_DEPTH - 1);
 
 	/* Enable the interrupts */
 	sun4i_spi_write(sspi, SUN4I_INT_CTL_REG, SUN4I_INT_CTL_TC);
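
Review bot: the `SUN4I_FIFO_DEPTH - 1` passed to sun4i_spi_fill_fifo() has to stay in step with the `>= SUN4I_FIFO_DEPTH` length check added in the first hunk, and nothing ties the two together. A named constant for the usable TX depth, used in both places, would keep them from drifting apart. The new comment says the timeout was seen "at least on spi2 on A10s" with no known cause, yet the reduced depth applies to every controller this driver handles; it would help to say that this is intentional.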

* [PATCH 3.16 056/305] USB: serial: io_edgeport: fix memory leaks in attach error path
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Johan Hovold

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit c5c0c55598cefc826d6cfb0a417eeaee3631715c upstream.

Private data, URBs and buffers allocated for Epic devices during
attach were never released on errors (e.g. missing endpoints).

Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/io_edgeport.c | 39 ++++++++++++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 11 deletions(-)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2856,14 +2856,16 @@ static int edge_startup(struct usb_seria
 				/* not set up yet, so do it now */
 				edge_serial->interrupt_read_urb =
 						usb_alloc_urb(0, GFP_KERNEL);
-				if (!edge_serial->interrupt_read_urb)
-					return -ENOMEM;
+				if (!edge_serial->interrupt_read_urb) {
+					response = -ENOMEM;
+					break;
+				}
 
 				edge_serial->interrupt_in_buffer =
 					kmalloc(buffer_size, GFP_KERNEL);
 				if (!edge_serial->interrupt_in_buffer) {
-					usb_free_urb(edge_serial->interrupt_read_urb);
-					return -ENOMEM;
+					response = -ENOMEM;
+					break;
 				}
 				edge_serial->interrupt_in_endpoint =
 						endpoint->bEndpointAddress;
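
Review bot: both new `break` paths leave the allocated URB in place and depend on the shared cleanup added further down, so `response` has to be zero before the endpoint loop starts and the `break` has to leave the loop that the `if (response || ...)` test follows. Neither is visible in this hunk; please confirm the initialization of `response` and that these statements are not nested inside a second loop or a switch. The same applies to the read_urb/bulk_in_buffer pair in the next hunk.
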
@@ -2891,14 +2893,16 @@ static int edge_startup(struct usb_seria
 				/* not set up yet, so do it now */
 				edge_serial->read_urb =
 						usb_alloc_urb(0, GFP_KERNEL);
-				if (!edge_serial->read_urb)
-					return -ENOMEM;
+				if (!edge_serial->read_urb) {
+					response = -ENOMEM;
+					break;
+				}
 
 				edge_serial->bulk_in_buffer =
 					kmalloc(buffer_size, GFP_KERNEL);
 				if (!edge_serial->bulk_in_buffer) {
-					usb_free_urb(edge_serial->read_urb);
-					return -ENOMEM;
+					response = -ENOMEM;
+					break;
 				}
 				edge_serial->bulk_in_endpoint =
 						endpoint->bEndpointAddress;
@@ -2924,9 +2928,22 @@ static int edge_startup(struct usb_seria
 			}
 		}
 
-		if (!interrupt_in_found || !bulk_in_found || !bulk_out_found) {
-			dev_err(ddev, "Error - the proper endpoints were not found!\n");
-			return -ENODEV;
+		if (response || !interrupt_in_found || !bulk_in_found ||
+							!bulk_out_found) {
+			if (!response) {
+				dev_err(ddev, "expected endpoints not found\n");
+				response = -ENODEV;
+			}
+
+			usb_free_urb(edge_serial->interrupt_read_urb);
+			kfree(edge_serial->interrupt_in_buffer);
+
+			usb_free_urb(edge_serial->read_urb);
+			kfree(edge_serial->bulk_in_buffer);
+
+			kfree(edge_serial);
+
+			return response;
 		}
 
 		/* start interrupt read for this edgeport this interrupt will
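
Review bot: the cleanup block calls kfree(edge_serial) and returns, but nothing in the hunk clears whatever pointer the rest of the driver uses to reach edge_serial. If that structure has already been attached to the usb_serial device by this point in edge_startup(), the pointer should be reset before the free so later callbacks cannot reach freed memory. The block also relies on usb_free_urb() and kfree() accepting NULL for the members that were never allocated, which holds only if edge_serial was zero-initialized when it was allocated.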

* [PATCH 3.16 018/305] scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hannes Reinecke, Ewan D. Milne, Sergey Senozhatsky,
	Johannes Thumshirn, James Bottomley, Martin K. Petersen

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Thumshirn <jthumshirn@suse.de>

commit f05795d3d771f30a7bdc3a138bf714b06d42aa95 upstream.

Add intermediate STARGET_REMOVE state to scsi_target_state to avoid
running into the BUG_ON() in scsi_target_reap(). The STARGET_REMOVE
state is only valid in the path from scsi_remove_target() to
scsi_target_destroy() indicating this target is going to be removed.

This re-fixes the problem introduced in commits bc3f02a795d3 ("[SCSI]
scsi_remove_target: fix softlockup regression on hot remove") and
40998193560d ("scsi: restart list search after unlock in
scsi_remove_target") in a more comprehensive way.

[mkp: Included James' fix for scsi_target_destroy()]

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Fixes: 40998193560dab6c3ce8d25f4fa58a23e252ef38
Reported-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Tested-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: James Bottomley <jejb@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/scsi_scan.c   | 1 +
 drivers/scsi/scsi_sysfs.c  | 2 ++
 include/scsi/scsi_device.h | 1 +
 3 files changed, 4 insertions(+)

--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -320,6 +320,7 @@ static void scsi_target_destroy(struct s
 	struct Scsi_Host *shost = dev_to_shost(dev->parent);
 	unsigned long flags;
 
+	BUG_ON(starget->state == STARGET_DEL);
 	starget->state = STARGET_DEL;
 	transport_destroy_device(dev);
 	spin_lock_irqsave(shost->host_lock, flags);
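
Review bot: the added `BUG_ON(starget->state == STARGET_DEL)` at the top of scsi_target_destroy() turns a double destroy into a kernel panic, which is heavy for a stable backport. A WARN_ON() with an early return would report the same state error without taking the machine down; if the crash is intended because continuing would corrupt the target list, a one-line comment saying so would help.
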
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -1155,11 +1155,13 @@ restart:
 	spin_lock_irqsave(shost->host_lock, flags);
 	list_for_each_entry(starget, &shost->__targets, siblings) {
 		if (starget->state == STARGET_DEL ||
+		    starget->state == STARGET_REMOVE ||
 		    starget == last_target)
 			continue;
 		if (starget->dev.parent == dev || &starget->dev == dev) {
 			kref_get(&starget->reap_ref);
 			last_target = starget;
+			starget->state = STARGET_REMOVE;
 			spin_unlock_irqrestore(shost->host_lock, flags);
 			__scsi_remove_target(starget);
 			scsi_target_reap(starget);
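
Review bot: `starget->state = STARGET_REMOVE` is assigned to every matching target that is not already in STARGET_DEL or STARGET_REMOVE, which includes a target still in STARGET_CREATED. Please confirm that the release path reached through scsi_target_reap() treats a target that went from STARGET_CREATED straight to STARGET_REMOVE correctly, or restrict the assignment to targets in STARGET_RUNNING. A short comment that the state is only valid between scsi_remove_target() and scsi_target_destroy(), as the commit message says, would also belong here or on the enum.
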
--- a/include/scsi/scsi_device.h
+++ b/include/scsi/scsi_device.h
@@ -264,6 +264,7 @@ struct scsi_dh_data {
 enum scsi_target_state {
 	STARGET_CREATED = 1,
 	STARGET_RUNNING,
+	STARGET_REMOVE,
 	STARGET_DEL,
 };
 

* [PATCH 3.16 083/305] mmc: mmc: Fix partition switch timeout for some eMMCs
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Adrian Hunter, Ulf Hansson

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit 1c447116d017a98c90f8f71c8c5a611e0aa42178 upstream.

Some eMMCs set the partition switch timeout too low.

Now typically eMMCs are considered a critical component (e.g. because
they store the root file system) and consequently are expected to be
reliable.  Thus we can neglect the use case where eMMCs can't switch
reliably and we might want a lower timeout to facilitate speedy
recovery.

Although we could employ a quirk for the cards that are affected (if
we could identify them all), as described above, there is little
benefit to having a low timeout, so instead simply set a minimum
timeout.

The minimum is set to 300ms somewhat arbitrarily - the examples that
have been seen had a timeout of 10ms but were sometimes taking 60-70ms.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/core/mmc.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -298,6 +298,9 @@ static void mmc_select_card_type(struct
 	card->mmc_avail_type = avail_type;
 }
 
+/* Minimum partition switch timeout in milliseconds */
+#define MMC_MIN_PART_SWITCH_TIME	300
+
 /*
  * Decode extended CSD.
  */
@@ -362,6 +365,10 @@ static int mmc_read_ext_csd(struct mmc_c
 
 		/* EXT_CSD value is in units of 10ms, but we store in ms */
 		card->ext_csd.part_time = 10 * ext_csd[EXT_CSD_PART_SWITCH_TIME];
+		/* Some eMMC set the value too low so set a minimum */
+		if (card->ext_csd.part_time &&
+		    card->ext_csd.part_time < MMC_MIN_PART_SWITCH_TIME)
+			card->ext_csd.part_time = MMC_MIN_PART_SWITCH_TIME;
 
 		/* Sleep / awake timeout in 100ns units */
 		if (sa_shift > 0 && sa_shift <= 0x17)
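
Review bot: the `card->ext_csd.part_time &&` guard leaves a reported value of zero untouched, so a card that sets EXT_CSD_PART_SWITCH_TIME to 0 still ends up with no minimum. If zero has a special meaning to the code that consumes part_time, the comment should say so; otherwise the guard can go and the minimum can apply unconditionally.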

* [PATCH 3.16 041/305] USB: serial: option: add support for Cinterion PH8 and AHxx
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Hans-Christoph Schemmel, Schemmel Hans-Christoph, Johan Hovold

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Schemmel Hans-Christoph <Hans-Christoph.Schemmel@gemalto.com>

commit 444f94e9e625f6ec6bbe2cb232a6451c637f35a3 upstream.

Added support for Gemalto's Cinterion PH8 and AHxx products
with 2 RmNet Interfaces and products with 1 RmNet + 1 USB Audio interface.

In addition some minor renaming and formatting.

Signed-off-by: Hans-Christoph Schemmel <hans-christoph.schemmel@gemalto.com>
[johan: sort current entries and trim trailing whitespace ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/option.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -377,18 +377,22 @@ static void option_instat_callback(struc
 #define HAIER_PRODUCT_CE81B			0x10f8
 #define HAIER_PRODUCT_CE100			0x2009
 
-/* Cinterion (formerly Siemens) products */
-#define SIEMENS_VENDOR_ID				0x0681
-#define CINTERION_VENDOR_ID				0x1e2d
+/* Gemalto's Cinterion products (formerly Siemens) */
+#define SIEMENS_VENDOR_ID			0x0681
+#define CINTERION_VENDOR_ID			0x1e2d
+#define CINTERION_PRODUCT_HC25_MDMNET		0x0040
 #define CINTERION_PRODUCT_HC25_MDM		0x0047
-#define CINTERION_PRODUCT_HC25_MDMNET	0x0040
+#define CINTERION_PRODUCT_HC28_MDMNET		0x004A /* same for HC28J */
 #define CINTERION_PRODUCT_HC28_MDM		0x004C
-#define CINTERION_PRODUCT_HC28_MDMNET	0x004A /* same for HC28J */
 #define CINTERION_PRODUCT_EU3_E			0x0051
 #define CINTERION_PRODUCT_EU3_P			0x0052
 #define CINTERION_PRODUCT_PH8			0x0053
 #define CINTERION_PRODUCT_AHXX			0x0055
 #define CINTERION_PRODUCT_PLXX			0x0060
+#define CINTERION_PRODUCT_PH8_2RMNET		0x0082
+#define CINTERION_PRODUCT_PH8_AUDIO		0x0083
+#define CINTERION_PRODUCT_AHXX_2RMNET		0x0084
+#define CINTERION_PRODUCT_AHXX_AUDIO		0x0085
 
 /* Olivetti products */
 #define OLIVETTI_VENDOR_ID			0x0b3c
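
Review bot: this hunk mixes the four new product IDs with re-indentation and reordering of the existing SIEMENS/CINTERION defines, which makes it harder to see in a stable backport that no existing value changed. Splitting the cosmetic changes into their own patch would leave only the `CINTERION_PRODUCT_PH8_2RMNET` to `CINTERION_PRODUCT_AHXX_AUDIO` additions here.
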
@@ -648,6 +652,10 @@ static const struct option_blacklist_inf
 	.reserved = BIT(1) | BIT(2) | BIT(3),
 };
 
+static const struct option_blacklist_info cinterion_rmnet2_blacklist = {
+	.reserved = BIT(4) | BIT(5),
+};
+
 static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) },
 	{ USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) },
@@ -1723,7 +1731,13 @@ static const struct usb_device_id option
 	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX, 0xff) },
 	{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX),
 		.driver_info = (kernel_ulong_t)&net_intf4_blacklist },
-	{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) }, 
+	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_2RMNET, 0xff),
+		.driver_info = (kernel_ulong_t)&cinterion_rmnet2_blacklist },
+	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PH8_AUDIO, 0xff),
+		.driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_2RMNET, 0xff) },
+	{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID, CINTERION_PRODUCT_AHXX_AUDIO, 0xff) },
+	{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) },
 	{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) },
 	{ USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) },
 	{ USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDMNET) },
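
Review bot: the PH8 and AHxx entries are treated differently with no explanation: `CINTERION_PRODUCT_PH8_2RMNET` and `CINTERION_PRODUCT_PH8_AUDIO` carry a blacklist in `.driver_info`, while `CINTERION_PRODUCT_AHXX_2RMNET` and `CINTERION_PRODUCT_AHXX_AUDIO` have none. If the AHxx network interfaces are already excluded by the 0xff interface-class match, a comment to that effect would prevent someone from "fixing" the asymmetry later; if not, the serial driver would bind to interfaces meant for the network driver.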

* [PATCH 3.16 040/305] driver-core: use 'dev' argument in dev_dbg_ratelimited stub
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Torokhov, Andrew Lunn, Greg Kroah-Hartman, Arnd Bergmann

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit 1f62ff34a90471d1b735bac2c79e894afc7c59bc upstream.

dev_dbg_ratelimited() is a macro that ignores its first argument when DEBUG is
not set, which can lead to unused variable warnings:

ethernet/mellanox/mlxsw/pci.c: In function 'mlxsw_pci_cqe_sdq_handle':
ethernet/mellanox/mlxsw/pci.c:646:18: warning: unused variable 'pdev' [-Wunused-variable]
ethernet/mellanox/mlxsw/pci.c: In function 'mlxsw_pci_cqe_rdq_handle':
ethernet/mellanox/mlxsw/pci.c:671:18: warning: unused variable 'pdev' [-Wunused-variable]

The macro already ensures that all its other arguments are silently
ignored by the compiler without triggering a warning, through the
use of the no_printk() macro, but the dev argument is not passed into
that.

This changes the definition to use the same trick as no_printk() with
an if(0) that leads the compiler to not evaluate the side-effects but
still see that 'dev' might not be unused.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Suggested-by: Andrew Lunn <andrew@lunn.ch>
Fixes: 6f586e663e3b ("driver-core: Shut up dev_dbg_reatelimited() without DEBUG")
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/device.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -1161,8 +1161,11 @@ do {									\
 		dev_printk(KERN_DEBUG, dev, fmt, ##__VA_ARGS__);	\
 } while (0)
 #else
-#define dev_dbg_ratelimited(dev, fmt, ...)			\
-	no_printk(KERN_DEBUG pr_fmt(fmt), ##__VA_ARGS__)
+#define dev_dbg_ratelimited(dev, fmt, ...)				\
+do {									\
+	if (0)								\
+		dev_printk(KERN_DEBUG, dev, fmt, ##__VA_ARGS__);	\
+} while (0)
 #endif
 
 #ifdef VERBOSE_DEBUG
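
Review bot: the new stub needs a comment explaining that the `if (0)` is deliberate, kept so the compiler still sees `dev` and type-checks the format arguments without emitting code. Without it the dead branch looks like a leftover and is an easy target for a cleanup patch that reintroduces the unused-variable warnings quoted in the commit message. Note also that the stub now passes `fmt` directly where the old one used `pr_fmt(fmt)`; that matches the `dev_printk()` call in the DEBUG branch above, so format checking is consistent between the two builds.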

* [PATCH 3.16 206/305] pinctrl: single: Fix missing flush of posted write for a wakeirq
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Nishanth Menon, Linus Walleij, Tony Lindgren

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Lindgren <tony@atomide.com>

commit 0ac3c0a4025f41748a083bdd4970cb3ede802b15 upstream.

With many repeated suspend resume cycles, the pin specific wakeirq
may not always work on omaps. This is because the write to enable the
pin interrupt may not have reached the device over the interconnect
before suspend happens.

Let's fix the issue with a flush of posted write with a readback.

Reported-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pinctrl/pinctrl-single.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/pinctrl/pinctrl-single.c
+++ b/drivers/pinctrl/pinctrl-single.c
@@ -1632,6 +1632,9 @@ static inline void pcs_irq_set(struct pc
 		else
 			mask &= ~soc_mask;
 		pcs->write(mask, pcswi->reg);
+
+		/* flush posted write */
+		mask = pcs->read(pcswi->reg);
 		raw_spin_unlock(&pcs->lock);
 	}
 
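Review bot: `mask = pcs->read(pcswi->reg);` reuses `mask` purely as a sink for the readback, which reads as if the value were needed afterwards. The comment could say why the flush matters here (the write must reach the device before suspend, per the commit message) so the read is not removed as dead code.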

* [PATCH 3.16 089/305] sched/preempt: Fix preempt_count manipulations
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Thomas Gleixner, Vikram Mulukutla,
	Peter Zijlstra, Ingo Molnar

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit 2e636d5e66c35dfcbaf617aa8fa963f6847478fe upstream.

Vikram reported that his ARM64 compiler managed to 'optimize' away the
preempt_count manipulations in code like:

	preempt_enable_no_resched();
	put_user();
	preempt_disable();

Irrespective of the fact that that is horrible code that should be
fixed for many reasons, it does highlight a deficiency in the generic
preempt_count manipulators. As it is never right to combine/elide
preempt_count manipulations like this.

Therefore sprinkle some volatile in the two generic accessors to
ensure the compiler is aware of the fact that the preempt_count is
observed outside of the regular program-order view and thus cannot be
optimized away like this.

x86, the only arch not using the generic code, is not affected as we
do all this in asm in order to use the segment base per-cpu stuff.

Reported-by: Vikram Mulukutla <markivx@codeaurora.org>
Tested-by: Vikram Mulukutla <markivx@codeaurora.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: a787870924db ("sched, arch: Create asm/preempt.h")
Link: http://lkml.kernel.org/r/20160516131751.GH3205@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: use ACCESS_ONCE() instead of READ_ONCE()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/asm-generic/preempt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/asm-generic/preempt.h
+++ b/include/asm-generic/preempt.h
@@ -7,10 +7,10 @@
 
 static __always_inline int preempt_count(void)
 {
-	return current_thread_info()->preempt_count;
+	return ACCESS_ONCE(current_thread_info()->preempt_count);
 }
 
-static __always_inline int *preempt_count_ptr(void)
+static __always_inline volatile int *preempt_count_ptr(void)
 {
 	return &current_thread_info()->preempt_count;
 }
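
Review bot: both accessors gain volatile semantics with no comment in the header saying why, and `volatile` in kernel code tends to attract removal patches. A short comment above preempt_count() stating that the count is observed outside program order and that accesses must not be combined or elided would record the reasoning from the commit message next to the code. Changing the return type of preempt_count_ptr() to `volatile int *` also affects every caller that stores the result in a plain `int *`; those are outside this hunk and should be checked for discarded-qualifier warnings.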

* [PATCH 3.16 012/305] cpuidle: Indicate when a device has been unregistered
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Rafael J. Wysocki, Daniel Lezcano, Dave Gerlach

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Gerlach <d-gerlach@ti.com>

commit c998c07836f985b24361629dc98506ec7893e7a0 upstream.

Currently the 'registered' member of the cpuidle_device struct is set
to 1 during cpuidle_register_device. In this same function there are
checks to see if the device is already registered to prevent duplicate
calls to register the device, but this value is never set to 0 even on
unregister of the device. Because of this, any attempt to call
cpuidle_register_device after a call to cpuidle_unregister_device will
fail which shouldn't be the case.

To prevent this, set registered to 0 when the device is unregistered.

Fixes: c878a52d3c7c (cpuidle: Check if device is already registered)
Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/cpuidle/cpuidle.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/cpuidle/cpuidle.c
+++ b/drivers/cpuidle/cpuidle.c
@@ -347,6 +347,8 @@ static void __cpuidle_unregister_device(
 	list_del(&dev->device_list);
 	per_cpu(cpuidle_devices, dev->cpu) = NULL;
 	module_put(drv->owner);
+
+	dev->registered = 0;
 }
 
 static void __cpuidle_device_init(struct cpuidle_device *dev)
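
Review bot: `dev->registered = 0` is written at the very end of __cpuidle_unregister_device(), after the device has been removed from the list and the per-CPU pointer cleared, and the hunk shows no locking. Please confirm the caller holds the same lock that cpuidle_register_device() holds when it tests `registered`, so a concurrent register cannot see the stale value.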

* [PATCH 3.16 230/305] staging: iio: accel: fix error check
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Luis de Bethencourt, Jonathan Cameron

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Luis de Bethencourt <luisbg@osg.samsung.com>

commit ef3149eb3ddb7f9125e11c90f8330e371b55cffd upstream.

sca3000_read_ctrl_reg() returns a negative number on failure, check for
this instead of zero.

Signed-off-by: Luis de Bethencourt <luisbg@osg.samsung.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/staging/iio/accel/sca3000_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/accel/sca3000_core.c
+++ b/drivers/staging/iio/accel/sca3000_core.c
@@ -619,7 +619,7 @@ static ssize_t sca3000_read_frequency(st
 		goto error_ret_mut;
 	ret = sca3000_read_ctrl_reg(st, SCA3000_REG_CTRL_SEL_OUT_CTRL);
 	mutex_unlock(&st->lock);
-	if (ret)
+	if (ret < 0)
 		goto error_ret;
 	val = ret;
 	if (base_freq > 0)
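
Review bot: the commit message should state the visible effect of the old `if (ret)` test: since the following line uses `ret` as the register value (`val = ret;`), every successful non-zero read was treated as an error. That is what justifies the stable backport and is not obvious from "fix error check" alone.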

* [PATCH 3.16 014/305] mfd: lp8788-irq: Uninitialized variable in irq handler
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Milo Kim, Lee Jones, Dan Carpenter

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 22aab38e7b59fd79ce1045006be69a9abab58e5a upstream.

Instead of being true/false, the "handled" is true/uninitialized.
Presumably this doesn't cause that many problems in real life because
normally we handle the IRQ.

Fixes: eea6b7cc53aa ('mfd: Add lp8788 mfd driver')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Milo Kim <milo.kim@ti.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mfd/lp8788-irq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mfd/lp8788-irq.c
+++ b/drivers/mfd/lp8788-irq.c
@@ -110,7 +110,7 @@ static irqreturn_t lp8788_irq_handler(in
 	struct lp8788_irq_data *irqd = ptr;
 	struct lp8788 *lp = irqd->lp;
 	u8 status[NUM_REGS], addr, mask;
-	bool handled;
+	bool handled = false;
 	int i;
 
 	if (lp8788_read_multi_bytes(lp, LP8788_INT_1, status, NUM_REGS))

* [PATCH 3.16 169/305] usb: gadget: fix spinlock dead lock in gadgetfs
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Bin Liu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bin Liu <b-liu@ti.com>

commit d246dcb2331c5783743720e6510892eb1d2801d9 upstream.

[   40.467381] =============================================
[   40.473013] [ INFO: possible recursive locking detected ]
[   40.478651] 4.6.0-08691-g7f3db9a #37 Not tainted
[   40.483466] ---------------------------------------------
[   40.489098] usb/733 is trying to acquire lock:
[   40.493734]  (&(&dev->lock)->rlock){-.....}, at: [<bf129288>] ep0_complete+0x18/0xdc [gadgetfs]
[   40.502882]
[   40.502882] but task is already holding lock:
[   40.508967]  (&(&dev->lock)->rlock){-.....}, at: [<bf12a420>] ep0_read+0x20/0x5e0 [gadgetfs]
[   40.517811]
[   40.517811] other info that might help us debug this:
[   40.524623]  Possible unsafe locking scenario:
[   40.524623]
[   40.530798]        CPU0
[   40.533346]        ----
[   40.535894]   lock(&(&dev->lock)->rlock);
[   40.540088]   lock(&(&dev->lock)->rlock);
[   40.544284]
[   40.544284]  *** DEADLOCK ***
[   40.544284]
[   40.550461]  May be due to missing lock nesting notation
[   40.550461]
[   40.557544] 2 locks held by usb/733:
[   40.561271]  #0:  (&f->f_pos_lock){+.+.+.}, at: [<c02a6114>] __fdget_pos+0x40/0x48
[   40.569219]  #1:  (&(&dev->lock)->rlock){-.....}, at: [<bf12a420>] ep0_read+0x20/0x5e0 [gadgetfs]
[   40.578523]
[   40.578523] stack backtrace:
[   40.583075] CPU: 0 PID: 733 Comm: usb Not tainted 4.6.0-08691-g7f3db9a #37
[   40.590246] Hardware name: Generic AM33XX (Flattened Device Tree)
[   40.596625] [<c010ffbc>] (unwind_backtrace) from [<c010c1bc>] (show_stack+0x10/0x14)
[   40.604718] [<c010c1bc>] (show_stack) from [<c04207fc>] (dump_stack+0xb0/0xe4)
[   40.612267] [<c04207fc>] (dump_stack) from [<c01886ec>] (__lock_acquire+0xf68/0x1994)
[   40.620440] [<c01886ec>] (__lock_acquire) from [<c0189528>] (lock_acquire+0xd8/0x238)
[   40.628621] [<c0189528>] (lock_acquire) from [<c06ad6b4>] (_raw_spin_lock_irqsave+0x38/0x4c)
[   40.637440] [<c06ad6b4>] (_raw_spin_lock_irqsave) from [<bf129288>] (ep0_complete+0x18/0xdc [gadgetfs])
[   40.647339] [<bf129288>] (ep0_complete [gadgetfs]) from [<bf10a728>] (musb_g_giveback+0x118/0x1b0 [musb_hdrc])
[   40.657842] [<bf10a728>] (musb_g_giveback [musb_hdrc]) from [<bf108768>] (musb_g_ep0_queue+0x16c/0x188 [musb_hdrc])
[   40.668772] [<bf108768>] (musb_g_ep0_queue [musb_hdrc]) from [<bf12a944>] (ep0_read+0x544/0x5e0 [gadgetfs])
[   40.678963] [<bf12a944>] (ep0_read [gadgetfs]) from [<c0284470>] (__vfs_read+0x20/0x110)
[   40.687414] [<c0284470>] (__vfs_read) from [<c0285324>] (vfs_read+0x88/0x114)
[   40.694864] [<c0285324>] (vfs_read) from [<c0286150>] (SyS_read+0x44/0x9c)
[   40.702051] [<c0286150>] (SyS_read) from [<c0107820>] (ret_fast_syscall+0x0/0x1c)

This is caused by the spinlock bug in ep0_read().
Fix the two other deadlock sources in gadgetfs_setup() too.

Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/inode.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1010,8 +1010,11 @@ ep0_read (struct file *fd, char __user *
 			struct usb_ep		*ep = dev->gadget->ep0;
 			struct usb_request	*req = dev->req;
 
-			if ((retval = setup_req (ep, req, 0)) == 0)
-				retval = usb_ep_queue (ep, req, GFP_ATOMIC);
+			if ((retval = setup_req (ep, req, 0)) == 0) {
+				spin_unlock_irq (&dev->lock);
+				retval = usb_ep_queue (ep, req, GFP_KERNEL);
+				spin_lock_irq (&dev->lock);
+			}
 			dev->state = STATE_DEV_CONNECTED;
 
 			/* assume that was SET_CONFIGURATION */
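
Review bot: after the lock is dropped around usb_ep_queue() and retaken, `dev->state = STATE_DEV_CONNECTED` is still assigned unconditionally. Anything that changed dev->state while the lock was released is overwritten here, so the state should be rechecked after `spin_lock_irq (&dev->lock)` before it is set. The assignment also happens when usb_ep_queue() fails, as it did before the change.
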
@@ -1542,8 +1545,11 @@ delegate:
 							w_length);
 				if (value < 0)
 					break;
+
+				spin_unlock (&dev->lock);
 				value = usb_ep_queue (gadget->ep0, dev->req,
-							GFP_ATOMIC);
+							GFP_KERNEL);
+				spin_lock (&dev->lock);
 				if (value < 0) {
 					clean_req (gadget->ep0, dev->req);
 					break;
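Review bot: The switch from GFP_ATOMIC to GFP_KERNEL in this delegate-path hunk is only safe if the caller may sleep, and the plain spin_unlock()/spin_lock() pair leaves the interrupt state exactly as the caller set it. If the setup callback can be entered from interrupt context or with interrupts disabled, the allocation may sleep in atomic context. Please confirm the calling context in the commit message, or keep GFP_ATOMIC here. Note also that dev->req is handed to usb_ep_queue() with the lock released and clean_req() runs on it after the lock is retaken, so a comment on why the request cannot be reused in between would help.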
@@ -1566,11 +1572,14 @@ delegate:
 	if (value >= 0 && dev->state != STATE_DEV_SETUP) {
 		req->length = value;
 		req->zero = value < w_length;
-		value = usb_ep_queue (gadget->ep0, req, GFP_ATOMIC);
+
+		spin_unlock (&dev->lock);
+		value = usb_ep_queue (gadget->ep0, req, GFP_KERNEL);
 		if (value < 0) {
 			DBG (dev, "ep_queue --> %d\n", value);
 			req->status = 0;
 		}
+		return value;
 	}
 
 	/* device stalls when value < 0 */
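Review bot: In the last hunk the spin_unlock() inside the if block has no matching lock; the new "return value;" is what keeps the lock balanced, and req->status = 0 in the error branch is now written with the lock released. A short comment at the spin_unlock() saying the function returns unlocked from this branch would make that auditable, and it is worth confirming that writing req->status without dev->lock is safe for a request that has just failed to queue. The early return also skips the "device stalls when value < 0" handling below for a failed queue, which deserves a sentence in the commit message.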

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 081/305] IB/core: Fix a potential array overrun in CMA and SA agent
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (30 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 056/305] USB: serial: io_edgeport: fix memory leaks in attach error path Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 155/305] cpufreq: intel_pstate: Fix ->set_policy() interface for no_turbo Ben Hutchings
                   ` (273 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mark Bloch, Leon Romanovsky, Leon Romanovsky, Doug Ledford

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Bloch <markb@mellanox.com>

commit 2fa2d4fb1166d1ef35f0aacac6165d53ab1b89c7 upstream.

Fix array overrun when going over callback table.
In declaration of callback table, the max size isn't provided and
in registration phase, it is provided.

There is a potential scenario where a new operation is added
and it is not supported by the current client. The acceptance of
such an operation by ib_netlink will cause an array overrun.

Fixes: 809d5fc9bf65 ("infiniband: pass rdma_cm module to netlink_dump_start")
Fixes: b493d91d333e ("iwcm: common code for port mapper")
Fixes: 2ca546b92a02 ("IB/sa: Route SA pathrecord query through netlink")
Signed-off-by: Mark Bloch <markb@mellanox.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16:
 - Only cma.c needs to be fixed
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -3679,7 +3679,8 @@ static int __init cma_init(void)
 	if (ret)
 		goto err;
 
-	if (ibnl_add_client(RDMA_NL_RDMA_CM, RDMA_NL_RDMA_CM_NUM_OPS, cma_cb_table))
+	if (ibnl_add_client(RDMA_NL_RDMA_CM, ARRAY_SIZE(cma_cb_table),
+			    cma_cb_table))
 		printk(KERN_WARNING "RDMA CMA: failed to add netlink callback\n");
 
 	return 0;
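Review bot: Passing ARRAY_SIZE(cma_cb_table) in cma_init() fixes the count given to ibnl_add_client(), but nothing in the visible lines records why the RDMA_NL_RDMA_CM_NUM_OPS constant must not be used here. A one-line comment above the call (the table may be shorter than the number of defined ops) would stop a later cleanup from reverting it. Separately, a failed registration is only logged with printk(KERN_WARNING ...) and cma_init() still returns 0; if that is intentional, say so in the comment as well.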

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 286/305] tcp: make challenge acks less predictable
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (202 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 017/305] drm/i915: Prevent machine death on Ivybridge context switching Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 041/305] USB: serial: option: add support for Cinterion PH8 and AHxx Ben Hutchings
                   ` (101 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Yue Cao, Eric Dumazet, Neal Cardwell, Linus Torvalds,
	David S. Miller, Yuchung Cheng

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 upstream.

Yue Cao claims that current host rate limiting of challenge ACKS
(RFC 5961) could leak enough information to allow a patient attacker
to hijack TCP sessions. He will soon provide details in an academic
paper.

This patch increases the default limit from 100 to 1000, and adds
some randomization so that the attacker can no longer hijack
sessions without spending a considerable amount of probes.

Based on initial analysis and patch from Linus.

Note that we also have per socket rate limiting, so it is tempting
to remove the host limit in the future.

v2: randomize the count of challenge acks per second, not the period.

Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
Reported-by: Yue Cao <ycao009@ucr.edu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Adjust context
 - Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/tcp_input.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_most
 EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
 
 /* rfc5961 challenge ack rate limiting */
-int sysctl_tcp_challenge_ack_limit = 100;
+int sysctl_tcp_challenge_ack_limit = 1000;
 
 int sysctl_tcp_stdurg __read_mostly;
 int sysctl_tcp_rfc1337 __read_mostly;
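Review bot: The default for sysctl_tcp_challenge_ack_limit changes from 100 to 1000 here, but the diffstat lists only net/ipv4/tcp_input.c. If the default is documented elsewhere in the tree, that text should be updated in the same patch, and a short comment beside the initializer explaining why the value was raised would help anyone tuning it later.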
@@ -3285,13 +3285,18 @@ static void tcp_send_challenge_ack(struc
 	/* unprotected vars, we dont care of overwrites */
 	static u32 challenge_timestamp;
 	static unsigned int challenge_count;
-	u32 now = jiffies / HZ;
+	u32 count, now = jiffies / HZ;
 
 	if (now != challenge_timestamp) {
+		u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
+
 		challenge_timestamp = now;
-		challenge_count = 0;
+		ACCESS_ONCE(challenge_count) =
+			half + prandom_u32_max(sysctl_tcp_challenge_ack_limit);
 	}
-	if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
+	count = ACCESS_ONCE(challenge_count);
+	if (count > 0) {
+		ACCESS_ONCE(challenge_count) = count - 1;
 		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
 		tcp_send_ack(sk);
 	}
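Review bot: In the reset branch of tcp_send_challenge_ack(), sysctl_tcp_challenge_ack_limit is read twice (once for half, once as the argument to prandom_u32_max()) without ACCESS_ONCE(), and it is a signed int assigned into u32 arithmetic. A concurrent sysctl write gives a budget built from two different limits, and a zero or negative setting produces a budget of 0 or a very large one. Read the sysctl once into a local and derive both terms from it. The resulting per-second budget ranges from half to half + limit - 1, so it can exceed the configured limit; the sysctl description should say that the value is now a midpoint rather than a cap.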

^ permalink raw reply	[flat|nested] 321+ messages in thread
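The counter change described in the message above, modelled in user space as an added example (not part of the patch or the kernel tree). `struct limiter`, `old_allow()`, `new_allow()` and the xorshift generator standing in for `prandom_u32()` are assumptions made for the demo; the seed and trigger counts are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's prandom_u32(): xorshift32, for this demo only. */
static uint32_t rng_state = 0x9e3779b9u;	/* constructed seed */

static uint32_t demo_rand32(void)
{
	rng_state ^= rng_state << 13;
	rng_state ^= rng_state >> 17;
	rng_state ^= rng_state << 5;
	return rng_state;
}

/* Same scaling idea as prandom_u32_max(): a value in [0, ep_ro). */
static uint32_t demo_rand_max(uint32_t ep_ro)
{
	return (uint32_t)(((uint64_t)demo_rand32() * ep_ro) >> 32);
}

/* Models the two function-static variables in tcp_send_challenge_ack(). */
struct limiter {
	uint32_t timestamp;	/* second in which count was last reset */
	uint32_t count;
};

typedef int (*allow_fn)(struct limiter *l, uint32_t now, uint32_t limit);

/* Pre-patch logic: count up from 0, allow while count <= limit. */
static int old_allow(struct limiter *l, uint32_t now, uint32_t limit)
{
	if (now != l->timestamp) {
		l->timestamp = now;
		l->count = 0;
	}
	return ++l->count <= limit;
}

/* Patched logic: draw a budget in [half, half + limit - 1], count down. */
static int new_allow(struct limiter *l, uint32_t now, uint32_t limit)
{
	if (now != l->timestamp) {
		uint32_t half = (limit + 1) >> 1;

		l->timestamp = now;
		l->count = half + demo_rand_max(limit);
	}
	if (l->count > 0) {
		l->count--;
		return 1;
	}
	return 0;
}

/* Challenge ACKs emitted during second `now` when `triggers` events arrive. */
static uint32_t acks_in_second(allow_fn allow, struct limiter *l,
			       uint32_t now, uint32_t limit, uint32_t triggers)
{
	uint32_t sent = 0, i;

	for (i = 0; i < triggers; i++)
		sent += allow(l, now, limit) ? 1 : 0;
	return sent;
}

int main(void)
{
	struct limiter o = {0, 0}, n = {0, 0};
	uint32_t sec;

	/* Old limiter: the host-wide total per second is always the limit.
	 * New limiter: the total differs from second to second. */
	for (sec = 1; sec <= 5; sec++)
		printf("second %u: old=%u new=%u\n", (unsigned)sec,
		       (unsigned)acks_in_second(old_allow, &o, sec, 100, 5000),
		       (unsigned)acks_in_second(new_allow, &n, sec, 1000, 5000));
	return 0;
}
```

With the old logic the host-wide total is a constant that any peer able to trigger challenge ACKs can count against; with the patched logic the total is a fresh draw each second.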

* [PATCH 3.16 106/305] net: ehea: avoid null pointer dereference
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (100 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 183/305] crypto: ux500 - memmove the right size Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 177/305] usb: musb: Ensure rx reinit occurs for shared_fifo endpoints Ben Hutchings
                   ` (203 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, xypron.glpk, Thadeu Lima de Souza Cascardo

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "xypron.glpk@gmx.de" <xypron.glpk@gmx.de>

commit 1740c29a46b30a2f157afc473156f157e599d4c2 upstream.

ehea_get_port may return NULL. Do not dereference NULL value.

Fixes: 8c4877a4128e ("ehea: Use the standard logging functions")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@debian.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/ibm/ehea/ehea_main.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
+++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
@@ -1169,16 +1169,15 @@ static void ehea_parse_eqe(struct ehea_a
 	ec = EHEA_BMASK_GET(NEQE_EVENT_CODE, eqe);
 	portnum = EHEA_BMASK_GET(NEQE_PORTNUM, eqe);
 	port = ehea_get_port(adapter, portnum);
+	if (!port) {
+		netdev_err(NULL, "unknown portnum %x\n", portnum);
+		return;
+	}
 	dev = port->netdev;
 
 	switch (ec) {
 	case EHEA_EC_PORTSTATE_CHG:	/* port state change */
 
-		if (!port) {
-			netdev_err(dev, "unknown portnum %x\n", portnum);
-			break;
-		}
-
 		if (EHEA_BMASK_GET(NEQE_PORT_UP, eqe)) {
 			if (!netif_carrier_ok(dev)) {
 				ret = ehea_sense_port_attr(port);
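Review bot: Moving the NULL check above the switch in ehea_parse_eqe() changes behaviour for every event code, not just EHEA_EC_PORTSTATE_CHG: an event whose portnum does not resolve now returns before the switch is reached. Please confirm that no other case is meant to be handled without a valid port, and say so in the commit message. Also, netdev_err(NULL, ...) has no device to name in the log; a message tied to the adapter would be easier to act on.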

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 200/305] isa: Call isa_bus_init before dependent ISA bus drivers register
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (83 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 213/305] xen/pciback: Fix conf_space read/write overlap check Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 282/305] KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures Ben Hutchings
                   ` (220 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, William Breathitt Gray, Greg Kroah-Hartman, Rene Herman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: William Breathitt Gray <vilhelm.gray@gmail.com>

commit 32a5a0c047343b11f581f663a2309cf43d13466f upstream.

The isa_bus_init function must be called before drivers which utilize
the ISA bus driver are registered. A race condition for initialization
exists if device_initcall is used (the isa_bus_init callback is placed
in the same initcall level as dependent drivers which use module_init).
This patch ensures that isa_bus_init is called first by utilizing
postcore_initcall in favor of device_initcall.

Fixes: a5117ba7da37 ("[PATCH] Driver model: add ISA bus")
Cc: Rene Herman <rene.herman@keyaccess.nl>
Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/isa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/base/isa.c
+++ b/drivers/base/isa.c
@@ -180,4 +180,4 @@ static int __init isa_bus_init(void)
 	return error;
 }
 
-device_initcall(isa_bus_init);
+postcore_initcall(isa_bus_init);
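Review bot: The ordering requirement that motivates postcore_initcall(isa_bus_init) exists only in the commit message. A one-line comment above the initcall (the ISA bus must be registered before drivers that use module_init) would keep a later cleanup from moving it back to device_initcall.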

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 287/305] misc: mic: Fix for double fetch security bug in VOP driver
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (153 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 239/305] ALSA: echoaudio: Fix memory allocation Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 135/305] mac80211: mesh: flush mesh paths unconditionally Ben Hutchings
                   ` (150 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sudeep Dutt, Greg Kroah-Hartman, Ashutosh Dixit

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ashutosh Dixit <ashutosh.dixit@intel.com>

commit 9bf292bfca94694a721449e3fd752493856710f6 upstream.

The MIC VOP driver does two successive reads from user space to read a
variable length data structure. Kernel memory corruption can result if
the data structure changes between the two reads. This patch disallows
the chance of this happening.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
Reported by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Sudeep Dutt <sudeep.dutt@intel.com>
Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - Adjust filename, context
 - goto exit on failure]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/misc/mic/host/mic_virtio.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/misc/mic/host/mic_virtio.c
+++ b/drivers/misc/mic/host/mic_virtio.c
@@ -456,6 +456,11 @@ static int mic_copy_dp_entry(struct mic_
 			__func__, __LINE__, ret);
 		goto exit;
 	}
+	/* Ensure desc has not changed between the two reads */
+	if (memcmp(&dd, dd_config, sizeof(dd))) {
+		ret = -EINVAL;
+		goto exit;
+	}
 
 	vqconfig = mic_vq_config(dd_config);
 	for (i = 0; i < dd.num_vq; i++) {
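Review bot: The new memcmp() branch in mic_copy_dp_entry() returns -EINVAL silently, while the error path just above it logs with __func__, __LINE__ and ret. A changed descriptor between the two reads is exactly the event an administrator would want recorded, so log it in the same style before the goto. As an alternative to rejecting, the header already validated in dd could be copied over the start of dd_config, which removes the second fetch of those fields altogether; either way, a comment noting that only the first sizeof(dd) bytes are compared would make the scope of the check clear.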

^ permalink raw reply	[flat|nested] 321+ messages in thread
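The double fetch described in the message above and the consistency check the patch adds, modelled in user space as an added example (not the driver's code). `struct desc_hdr`, `VQ_ENTRY_SIZE`, `copy_desc()` and the hook that stands in for a second thread writing to user memory are hypothetical; the buffer contents are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header of a variable-length descriptor. */
struct desc_hdr {
	uint8_t num_vq;		/* number of queue entries that follow */
	uint8_t config_len;	/* bytes of config space after the entries */
};
#define VQ_ENTRY_SIZE 8		/* assumed size of one queue entry */

static size_t desc_size(const struct desc_hdr *h)
{
	return sizeof(*h) + (size_t)h->num_vq * VQ_ENTRY_SIZE + h->config_len;
}

/* Models another thread changing "user memory" between the two reads. */
typedef void (*race_hook)(uint8_t *user);

static void grow_num_vq(uint8_t *user)
{
	user[0] = 200;		/* num_vq changes after the size was computed */
}

/*
 * Fetch 1 reads the header to size the allocation, fetch 2 copies the
 * whole descriptor. With check != 0 the header inside the second copy
 * must equal the header from the first fetch, as in the patch.
 * Returns 0 with *out and *hdr set, or a negative errno.
 */
static int copy_desc(uint8_t *user, race_hook hook, int check,
		     uint8_t **out, struct desc_hdr *hdr)
{
	struct desc_hdr dd;
	uint8_t *copy;
	size_t total;

	memcpy(&dd, user, sizeof(dd));		/* fetch 1 */
	total = desc_size(&dd);
	copy = malloc(total);
	if (!copy)
		return -ENOMEM;
	if (hook)
		hook(user);			/* window between the fetches */
	memcpy(copy, user, total);		/* fetch 2 */

	if (check && memcmp(&dd, copy, sizeof(dd))) {
		free(copy);
		return -EINVAL;
	}
	*out = copy;
	*hdr = dd;
	return 0;
}

/*
 * Returns -EINVAL if the copy was rejected, 0 if the accepted copy is
 * self-consistent, 1 if the accepted copy claims more data than was
 * allocated (the state that leads to memory corruption later).
 */
static int run_case(int check, int race)
{
	uint8_t user[64] = { 2, 4 };	/* constructed: num_vq=2, config_len=4 */
	struct desc_hdr first, second;
	uint8_t *copy = NULL;
	int ret;

	ret = copy_desc(user, race ? grow_num_vq : NULL, check, &copy, &first);
	if (ret)
		return ret;
	memcpy(&second, copy, sizeof(second));
	ret = desc_size(&second) > desc_size(&first);
	free(copy);
	return ret;
}
```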

* [PATCH 3.16 043/305] tty: vt, return error when con_startup fails
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (25 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 013/305] ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 217/305] IB/mlx4: Verify port number in flow steering create flow Ben Hutchings
                   ` (278 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jiri Slaby, Greg Kroah-Hartman, Dan Carpenter

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 6798df4c5fe0a7e6d2065cf79649a794e5ba7114 upstream.

When csw->con_startup() fails in do_register_con_driver, we return no
error (i.e. 0). This was changed back in 2006 by commit 3e795de763.
Before that we used to return -ENODEV.

So fix the return value to be -ENODEV in that case again.

Fixes: 3e795de763 ("VT binding: Add binding/unbinding support for the VT console")
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: "Dan Carpenter" <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/tty/vt/vt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3591,9 +3591,10 @@ static int do_register_con_driver(const
 		goto err;
 
 	desc = csw->con_startup();
-
-	if (!desc)
+	if (!desc) {
+		retval = -ENODEV;
 		goto err;
+	}
 
 	retval = -EINVAL;
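Review bot: In do_register_con_driver() the error code is now set inside the if (!desc) branch, whereas the surrounding lines set retval before the operation that may fail (retval = -EINVAL just below). Assigning retval = -ENODEV before the csw->con_startup() call would match that pattern and avoid the added braces. The behaviour is the same either way.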
 

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 026/305] crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (86 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 044/305] USB: serial: option: add more ZTE device ids Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 130/305] hpfs: implement the show_options method Ben Hutchings
                   ` (217 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Marek Szyprowski, Krzysztof Kozlowski, Herbert Xu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <k.kozlowski@samsung.com>

commit 79152e8d085fd64484afd473ef6830b45518acba upstream.

The tcrypt testing module on Exynos5422-based Odroid XU3/4 board failed on
testing 8 kB size blocks:

	$ sudo modprobe tcrypt sec=1 mode=500
	testing speed of async ecb(aes) (ecb-aes-s5p) encryption
	test 0 (128 bit key, 16 byte blocks): 21971 operations in 1 seconds (351536 bytes)
	test 1 (128 bit key, 64 byte blocks): 21731 operations in 1 seconds (1390784 bytes)
	test 2 (128 bit key, 256 byte blocks): 21932 operations in 1 seconds (5614592 bytes)
	test 3 (128 bit key, 1024 byte blocks): 21685 operations in 1 seconds (22205440 bytes)
	test 4 (128 bit key, 8192 byte blocks):

This was caused by a race issue of missed BRDMA_DONE ("Block cipher
Receiving DMA") interrupt. Device starts processing the data in DMA mode
immediately after setting length of DMA block: receiving (FCBRDMAL) or
transmitting (FCBTDMAL). The driver sets these lengths from interrupt
handler through s5p_set_dma_indata() function (or xxx_setdata()).

However the interrupt handler was first dealing with receive buffer
(dma-unmap old, dma-map new, set receive block length which starts the
operation), then with transmit buffer and finally was clearing pending
interrupts (FCINTPEND). Because of the time window between setting
receive buffer length and clearing pending interrupts, the operation on
receive buffer could end already and driver would miss new interrupt.

User manual for Exynos5422 confirms in example code that setting DMA
block lengths should be the last operation.

The tcrypt hang could be also observed in following blocked-task dmesg:

INFO: task modprobe:258 blocked for more than 120 seconds.
      Not tainted 4.6.0-rc4-next-20160419-00005-g9eac8b7b7753-dirty #42
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
modprobe        D c06b09d8     0   258    256 0x00000000
[<c06b09d8>] (__schedule) from [<c06b0f24>] (schedule+0x40/0xac)
[<c06b0f24>] (schedule) from [<c06b49f8>] (schedule_timeout+0x124/0x178)
[<c06b49f8>] (schedule_timeout) from [<c06b17fc>] (wait_for_common+0xb8/0x144)
[<c06b17fc>] (wait_for_common) from [<bf0013b8>] (test_acipher_speed+0x49c/0x740 [tcrypt])
[<bf0013b8>] (test_acipher_speed [tcrypt]) from [<bf003e8c>] (do_test+0x2240/0x30ec [tcrypt])
[<bf003e8c>] (do_test [tcrypt]) from [<bf008048>] (tcrypt_mod_init+0x48/0xa4 [tcrypt])
[<bf008048>] (tcrypt_mod_init [tcrypt]) from [<c010177c>] (do_one_initcall+0x3c/0x16c)
[<c010177c>] (do_one_initcall) from [<c0191ff0>] (do_init_module+0x5c/0x1ac)
[<c0191ff0>] (do_init_module) from [<c0185610>] (load_module+0x1a30/0x1d08)
[<c0185610>] (load_module) from [<c0185ab0>] (SyS_finit_module+0x8c/0x98)
[<c0185ab0>] (SyS_finit_module) from [<c01078c0>] (ret_fast_syscall+0x0/0x3c)

Fixes: a49e490c7a8a ("crypto: s5p-sss - add S5PV210 advanced crypto engine support")
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/s5p-sss.c | 53 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 39 insertions(+), 14 deletions(-)

--- a/drivers/crypto/s5p-sss.c
+++ b/drivers/crypto/s5p-sss.c
@@ -313,43 +313,55 @@ static int s5p_set_indata(struct s5p_aes
 	return err;
 }
 
-static void s5p_aes_tx(struct s5p_aes_dev *dev)
+/*
+ * Returns true if new transmitting (output) data is ready and its
+ * address+length have to be written to device (by calling
+ * s5p_set_dma_outdata()). False otherwise.
+ */
+static bool s5p_aes_tx(struct s5p_aes_dev *dev)
 {
 	int err = 0;
+	bool ret = false;
 
 	s5p_unset_outdata(dev);
 
 	if (!sg_is_last(dev->sg_dst)) {
 		err = s5p_set_outdata(dev, sg_next(dev->sg_dst));
-		if (err) {
+		if (err)
 			s5p_aes_complete(dev, err);
-			return;
-		}
-
-		s5p_set_dma_outdata(dev, dev->sg_dst);
+		else
+			ret = true;
 	} else {
 		s5p_aes_complete(dev, err);
 
 		dev->busy = true;
 		tasklet_schedule(&dev->tasklet);
 	}
+
+	return ret;
 }
 
-static void s5p_aes_rx(struct s5p_aes_dev *dev)
+/*
+ * Returns true if new receiving (input) data is ready and its
+ * address+length have to be written to device (by calling
+ * s5p_set_dma_indata()). False otherwise.
+ */
+static bool s5p_aes_rx(struct s5p_aes_dev *dev)
 {
 	int err;
+	bool ret = false;
 
 	s5p_unset_indata(dev);
 
 	if (!sg_is_last(dev->sg_src)) {
 		err = s5p_set_indata(dev, sg_next(dev->sg_src));
-		if (err) {
+		if (err)
 			s5p_aes_complete(dev, err);
-			return;
-		}
-
-		s5p_set_dma_indata(dev, dev->sg_src);
+		else
+			ret = true;
 	}
+
+	return ret;
 }
 
 static irqreturn_t s5p_aes_interrupt(int irq, void *dev_id)
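Review bot: In the reworked s5p_aes_rx() and s5p_aes_tx(), a false return covers both "nothing more to program" and "s5p_set_indata()/s5p_set_outdata() failed and the request was completed with an error", so the caller cannot tell them apart. After an rx failure the interrupt handler can still go on to run the tx path for a request that s5p_aes_complete() has already finished. Consider returning the error (or a tri-state) so the handler can skip the remaining work, and mention the error case in the two new function comments, which currently describe only the true case.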
@@ -358,19 +370,32 @@ static irqreturn_t s5p_aes_interrupt(int
 	struct s5p_aes_dev     *dev  = platform_get_drvdata(pdev);
 	uint32_t                status;
 	unsigned long           flags;
+	bool			set_dma_tx = false;
+	bool			set_dma_rx = false;
 
 	spin_lock_irqsave(&dev->lock, flags);
 
 	if (irq == dev->irq_fc) {
 		status = SSS_READ(dev, FCINTSTAT);
 		if (status & SSS_FCINTSTAT_BRDMAINT)
-			s5p_aes_rx(dev);
+			set_dma_rx = s5p_aes_rx(dev);
 		if (status & SSS_FCINTSTAT_BTDMAINT)
-			s5p_aes_tx(dev);
+			set_dma_tx = s5p_aes_tx(dev);
 
 		SSS_WRITE(dev, FCINTPEND, status);
 	}
 
+	/*
+	 * Writing length of DMA block (either receiving or transmitting)
+	 * will start the operation immediately, so this should be done
+	 * at the end (even after clearing pending interrupts to not miss the
+	 * interrupt).
+	 */
+	if (set_dma_tx)
+		s5p_set_dma_outdata(dev, dev->sg_dst);
+	if (set_dma_rx)
+		s5p_set_dma_indata(dev, dev->sg_src);
+
 	spin_unlock_irqrestore(&dev->lock, flags);
 
 	return IRQ_HANDLED;
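Review bot: At the end of s5p_aes_interrupt() the output length is written before the input length (s5p_set_dma_outdata() then s5p_set_dma_indata()), the reverse of the order in which the rx and tx handlers ran above, and the new comment does not say whether that order matters. Since the comment states that writing a length starts the operation immediately, please state in it why the transmit side is programmed first, so that the two calls are not reordered later.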

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 135/305] mac80211: mesh: flush mesh paths unconditionally
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (154 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 287/305] misc: mic: Fix for double fetch security bug in VOP driver Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 146/305] powerpc/pseries: Fix PCI config address for DDW Ben Hutchings
                   ` (149 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johannes Berg, Fred Veldini, Bob Copeland

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bob Copeland <me@bobcopeland.com>

commit fe7a7c57629e8dcbc0e297363a9b2366d67a6dc5 upstream.

Currently, the mesh paths associated with a nexthop station are cleaned
up in the following code path:

    __sta_info_destroy_part1
    synchronize_net()
    __sta_info_destroy_part2
     -> cleanup_single_sta
       -> mesh_sta_cleanup
         -> mesh_plink_deactivate
           -> mesh_path_flush_by_nexthop

However, there are a couple of problems here:

1) the paths aren't flushed at all if the MPM is running in userspace
   (e.g. when using wpa_supplicant or authsae)

2) there is no synchronize_rcu between removing the path and readers
   accessing the nexthop, which means the following race is possible:

CPU0                            CPU1
~~~~                            ~~~~
                                sta_info_destroy_part1()
                                synchronize_net()
rcu_read_lock()
mesh_nexthop_resolve()
  mpath = mesh_path_lookup()
                                [...] -> mesh_path_flush_by_nexthop()
  sta = rcu_dereference(
    mpath->next_hop)
                                kfree(sta)
  access sta <-- CRASH

Fix both of these by unconditionally flushing paths before destroying
the sta, and by adding a synchronize_net() after path flush to ensure
no active readers can still dereference the sta.

Fixes this crash:

[  348.529295] BUG: unable to handle kernel paging request at 00020040
[  348.530014] IP: [<f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
[  348.530014] *pde = 00000000
[  348.530014] Oops: 0000 [#1] PREEMPT
[  348.530014] Modules linked in: drbg ansi_cprng ctr ccm ppp_generic slhc ipt_MASQUERADE nf_nat_masquerade_ipv4 8021q ]
[  348.530014] CPU: 0 PID: 20597 Comm: wget Tainted: G           O 4.6.0-rc5-wt=V1 #1
[  348.530014] Hardware name: To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080016  11/07/2014
[  348.530014] task: f64fa280 ti: f4f9c000 task.ti: f4f9c000
[  348.530014] EIP: 0060:[<f929245d>] EFLAGS: 00010246 CPU: 0
[  348.530014] EIP is at ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
[  348.530014] EAX: f4ce63e0 EBX: 00000088 ECX: f3788416 EDX: 00020008
[  348.530014] ESI: 00000000 EDI: 00000088 EBP: f6409a4c ESP: f6409a40
[  348.530014]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  348.530014] CR0: 80050033 CR2: 00020040 CR3: 33190000 CR4: 00000690
[  348.530014] Stack:
[  348.530014]  00000000 f4ce63e0 f5f9bd80 f6409a64 f9291d80 0000ce67 f5d51e00 f4ce63e0
[  348.530014]  f3788416 f6409a80 f9291dc1 f4ce8320 f4ce63e0 f5d51e00 f4ce63e0 f4ce8320
[  348.530014]  f6409a98 f9277f6f 00000000 00000000 0000007c 00000000 f6409b2c f9278dd1
[  348.530014] Call Trace:
[  348.530014]  [<f9291d80>] mesh_nexthop_lookup+0xbb/0xc8 [mac80211]
[  348.530014]  [<f9291dc1>] mesh_nexthop_resolve+0x34/0xd8 [mac80211]
[  348.530014]  [<f9277f6f>] ieee80211_xmit+0x92/0xc1 [mac80211]
[  348.530014]  [<f9278dd1>] __ieee80211_subif_start_xmit+0x807/0x83c [mac80211]
[  348.530014]  [<c04df012>] ? sch_direct_xmit+0xd7/0x1b3
[  348.530014]  [<c022a8c6>] ? __local_bh_enable_ip+0x5d/0x7b
[  348.530014]  [<f956870c>] ? nf_nat_ipv4_out+0x4c/0xd0 [nf_nat_ipv4]
[  348.530014]  [<f957e036>] ? iptable_nat_ipv4_fn+0xf/0xf [iptable_nat]
[  348.530014]  [<c04c6f45>] ? netif_skb_features+0x14d/0x30a
[  348.530014]  [<f9278e10>] ieee80211_subif_start_xmit+0xa/0xe [mac80211]
[  348.530014]  [<c04c769c>] dev_hard_start_xmit+0x1f8/0x267
[  348.530014]  [<c04c7261>] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
[  348.530014]  [<c04defc6>] sch_direct_xmit+0x8b/0x1b3
[  348.530014]  [<c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
[  348.530014]  [<c04c7cfb>] dev_queue_xmit+0xa/0xc
[  348.530014]  [<f91bfc7a>] batadv_send_skb_packet+0xd6/0xec [batman_adv]
[  348.530014]  [<f91bfdc4>] batadv_send_unicast_skb+0x15/0x4a [batman_adv]
[  348.530014]  [<f91b5938>] batadv_dat_send_data+0x27e/0x310 [batman_adv]
[  348.530014]  [<f91c30b5>] ? batadv_tt_global_hash_find.isra.11+0x8/0xa [batman_adv]
[  348.530014]  [<f91b63f3>] batadv_dat_snoop_outgoing_arp_request+0x208/0x23d [batman_adv]
[  348.530014]  [<f91c0cd9>] batadv_interface_tx+0x206/0x385 [batman_adv]
[  348.530014]  [<c04c769c>] dev_hard_start_xmit+0x1f8/0x267
[  348.530014]  [<c04c7261>] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
[  348.530014]  [<c04defc6>] sch_direct_xmit+0x8b/0x1b3
[  348.530014]  [<c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
[  348.530014]  [<f80cbd2a>] ? igb_xmit_frame+0x57/0x72 [igb]
[  348.530014]  [<c04c7cfb>] dev_queue_xmit+0xa/0xc
[  348.530014]  [<f843a326>] br_dev_queue_push_xmit+0xeb/0xfb [bridge]
[  348.530014]  [<f843a35f>] br_forward_finish+0x29/0x74 [bridge]
[  348.530014]  [<f843a23b>] ? deliver_clone+0x3b/0x3b [bridge]
[  348.530014]  [<f843a714>] __br_forward+0x89/0xe7 [bridge]
[  348.530014]  [<f843a336>] ? br_dev_queue_push_xmit+0xfb/0xfb [bridge]
[  348.530014]  [<f843a234>] deliver_clone+0x34/0x3b [bridge]
[  348.530014]  [<f843a68b>] ? br_flood+0x95/0x95 [bridge]
[  348.530014]  [<f843a66d>] br_flood+0x77/0x95 [bridge]
[  348.530014]  [<f843a809>] br_flood_forward+0x13/0x1a [bridge]
[  348.530014]  [<f843a68b>] ? br_flood+0x95/0x95 [bridge]
[  348.530014]  [<f843b877>] br_handle_frame_finish+0x392/0x3db [bridge]
[  348.530014]  [<c04e9b2b>] ? nf_iterate+0x2b/0x6b
[  348.530014]  [<f843baa6>] br_handle_frame+0x1e6/0x240 [bridge]
[  348.530014]  [<f843b4e5>] ? br_handle_local_finish+0x6a/0x6a [bridge]
[  348.530014]  [<c04c4ba0>] __netif_receive_skb_core+0x43a/0x66b
[  348.530014]  [<f843b8c0>] ? br_handle_frame_finish+0x3db/0x3db [bridge]
[  348.530014]  [<c023cea4>] ? resched_curr+0x19/0x37
[  348.530014]  [<c0240707>] ? check_preempt_wakeup+0xbf/0xfe
[  348.530014]  [<c0255dec>] ? ktime_get_with_offset+0x5c/0xfc
[  348.530014]  [<c04c4fc1>] __netif_receive_skb+0x47/0x55
[  348.530014]  [<c04c57ba>] netif_receive_skb_internal+0x40/0x5a
[  348.530014]  [<c04c61ef>] napi_gro_receive+0x3a/0x94
[  348.530014]  [<f80ce8d5>] igb_poll+0x6fd/0x9ad [igb]
[  348.530014]  [<c0242bd8>] ? swake_up_locked+0x14/0x26
[  348.530014]  [<c04c5d29>] net_rx_action+0xde/0x250
[  348.530014]  [<c022a743>] __do_softirq+0x8a/0x163
[  348.530014]  [<c022a6b9>] ? __hrtimer_tasklet_trampoline+0x19/0x19
[  348.530014]  [<c021100f>] do_softirq_own_stack+0x26/0x2c
[  348.530014]  <IRQ>
[  348.530014]  [<c022a957>] irq_exit+0x31/0x6f
[  348.530014]  [<c0210eb2>] do_IRQ+0x8d/0xa0
[  348.530014]  [<c058152c>] common_interrupt+0x2c/0x40
[  348.530014] Code: e7 8c 00 66 81 ff 88 00 75 12 85 d2 75 0e b2 c3 b8 83 e9 29 f9 e8 a7 5f f9 c6 eb 74 66 81 e3 8c 005
[  348.530014] EIP: [<f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211] SS:ESP 0068:f6409a40
[  348.530014] CR2: 0000000000020040
[  348.530014] ---[ end trace 48556ac26779732e ]---
[  348.530014] Kernel panic - not syncing: Fatal exception in interrupt
[  348.530014] Kernel Offset: disabled

Reported-by: Fred Veldini <fred.veldini@gmail.com>
Tested-by: Fred Veldini <fred.veldini@gmail.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/mac80211/mesh.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -161,6 +161,10 @@ void mesh_sta_cleanup(struct sta_info *s
 		del_timer_sync(&sta->plink_timer);
 	}
 
+	/* make sure no readers can access nexthop sta from here on */
+	mesh_path_flush_by_nexthop(sta);
+	synchronize_net();
+
 	if (changed)
 		ieee80211_mbss_info_change_notify(sdata, changed);
 }
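Review bot: The synchronize_net() added to mesh_sta_cleanup() runs for every station, whether or not mesh_path_flush_by_nexthop() removed any path, and the call chain in the commit message shows a synchronize_net() has already been paid earlier in the same destroy sequence. When many stations are torn down at once this adds one grace period per station. Consider skipping the wait when no path was flushed, or batching it at the caller, and extend the new comment to say which readers (the rcu_dereference of mpath->next_hop) the wait protects against.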

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 115/305] wait/ptrace: assume __WALL if the child is traced
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (158 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 080/305] IB/IWPM: Fix a potential skb leak Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 092/305] fs/cifs: correctly to anonymous authentication via NTLMSSP Ben Hutchings
                   ` (145 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, syzkaller, Roland McGrath, Jan Kratochvil, Denys Vlasenko,
	Oleg Nesterov, Dmitry Vyukov, Pedro Alves,
	Michael Kerrisk (man-pages),
	Linus Torvalds

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov <oleg@redhat.com>

commit bf959931ddb88c4e4366e96dd22e68fa0db9527c upstream.

The following program (a simplified version of the one generated by syzkaller)

	#include <pthread.h>
	#include <unistd.h>
	#include <sys/ptrace.h>
	#include <stdio.h>
	#include <signal.h>

	void *thread_func(void *arg)
	{
		ptrace(PTRACE_TRACEME, 0,0,0);
		return 0;
	}

	int main(void)
	{
		pthread_t thread;

		if (fork())
			return 0;

		while (getppid() != 1)
			;

		pthread_create(&thread, NULL, thread_func, NULL);
		pthread_join(thread, NULL);
		return 0;
	}

creates an unreapable zombie if /sbin/init doesn't use __WALL.

This is not a kernel bug, at least in a sense that everything works as
expected: debugger should reap a traced sub-thread before it can reap the
leader, but without __WALL/__WCLONE do_wait() ignores sub-threads.

Unfortunately, it seems that /sbin/init in most (all?) distributions
doesn't use it and we have to change the kernel to avoid the problem.
Note also that most init's use sys_waitid() which doesn't allow __WALL, so
the necessary user-space fix is not that trivial.

This patch just adds the "ptrace" check into eligible_child().  To some
degree this matches the "tsk->ptrace" in exit_notify(), ->exit_signal is
mostly ignored when the tracee reports to debugger.  Or WSTOPPED, the
tracer doesn't need to set this flag to wait for the stopped tracee.

This obviously means the user-visible change: __WCLONE and __WALL no
longer have any meaning for debugger.  And I can only hope that this won't
break something, but at least strace/gdb won't suffer.

We could make a more conservative change.  Say, we can take __WCLONE into
account, or !thread_group_leader().  But it would be nice to not
complicate these historical/confusing checks.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: Pedro Alves <palves@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: <syzkaller@googlegroups.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/exit.c | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -924,17 +924,28 @@ static int eligible_pid(struct wait_opts
 		task_pid_type(p, wo->wo_type) == wo->wo_pid;
 }
 
-static int eligible_child(struct wait_opts *wo, struct task_struct *p)
+static int
+eligible_child(struct wait_opts *wo, bool ptrace, struct task_struct *p)
 {
 	if (!eligible_pid(wo, p))
 		return 0;
-	/* Wait for all children (clone and not) if __WALL is set;
-	 * otherwise, wait for clone children *only* if __WCLONE is
-	 * set; otherwise, wait for non-clone children *only*.  (Note:
-	 * A "clone" child here is one that reports to its parent
-	 * using a signal other than SIGCHLD.) */
-	if (((p->exit_signal != SIGCHLD) ^ !!(wo->wo_flags & __WCLONE))
-	    && !(wo->wo_flags & __WALL))
+
+	/*
+	 * Wait for all children (clone and not) if __WALL is set or
+	 * if it is traced by us.
+	 */
+	if (ptrace || (wo->wo_flags & __WALL))
+		return 1;
+
+	/*
+	 * Otherwise, wait for clone children *only* if __WCLONE is set;
+	 * otherwise, wait for non-clone children *only*.
+	 *
+	 * Note: a "clone" child here is one that reports to its parent
+	 * using a signal other than SIGCHLD, or a non-leader thread which
+	 * we can only see if it is traced by us.
+	 */
+	if ((p->exit_signal != SIGCHLD) ^ !!(wo->wo_flags & __WCLONE))
 		return 0;
 
 	return 1;
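Review bot: The new `bool ptrace` parameter of eligible_child() is undocumented, and the early `return 1` on `ptrace || (wo->wo_flags & __WALL)` is a user-visible change in wait semantics that the code comment only hints at with "if it is traced by us". Suggest saying in the comment above that check that for a tracee neither __WCLONE nor __WALL is consulted (the exit_signal test below is skipped entirely), and documenting what a true `ptrace` means so that a future caller does not pass the wrong value. Since the commit message says __WCLONE and __WALL no longer have any meaning for a debugger, the change also wants a matching update to the wait(2) documentation.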
@@ -1305,7 +1316,7 @@ static int wait_consider_task(struct wai
 	if (unlikely(exit_state == EXIT_DEAD))
 		return 0;
 
-	ret = eligible_child(wo, p);
+	ret = eligible_child(wo, ptrace, p);
 	if (!ret)
 		return ret;
 


* [PATCH 3.16 291/305] netfilter: x_tables: kill check_entry helper
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (61 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 226/305] nfsd: check permissions when setting ACLs Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 055/305] MIPS: Adjust set_pte() SMP fix to handle R10000_LLSC_WAR Ben Hutchings
                   ` (242 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Florian Westphal

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit aa412ba225dd3bc36d404c28cdc3d674850d80d0 upstream.

Once we add more sanity testing to xt_check_entry_offsets it
becomes relevant if we're expecting a 32bit 'config_compat' blob
or a normal one.

Since we already have a lot of similar-named functions (check_entry,
compat_check_entry, find_and_check_entry, etc.) and the current
incarnation is short just fold its contents into the callers.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/netfilter/arp_tables.c | 19 ++++++++-----------
 net/ipv4/netfilter/ip_tables.c  | 20 ++++++++------------
 net/ipv6/netfilter/ip6_tables.c | 20 ++++++++------------
 3 files changed, 24 insertions(+), 35 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -491,14 +491,6 @@ static int mark_source_chains(const stru
 	return 1;
 }
 
-static inline int check_entry(const struct arpt_entry *e)
-{
-	if (!arp_checkentry(&e->arp))
-		return -EINVAL;
-
-	return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
-}
-
 static inline int check_target(struct arpt_entry *e, const char *name)
 {
 	struct xt_entry_target *t = arpt_get_target(e);
@@ -588,7 +580,10 @@ static inline int check_entry_size_and_h
 		return -EINVAL;
 	}
 
-	err = check_entry(e);
+	if (!arp_checkentry(&e->arp))
+		return -EINVAL;
+
+	err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
 	if (err)
 		return err;
 
@@ -1247,8 +1242,10 @@ check_compat_entry_size_and_hooks(struct
 		return -EINVAL;
 	}
 
-	/* For purposes of check_entry casting the compat entry is fine */
-	ret = check_entry((struct arpt_entry *)e);
+	if (!arp_checkentry(&e->arp))
+		return -EINVAL;
+
+	ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
 	if (ret)
 		return ret;
 
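Review bot: In check_compat_entry_size_and_hooks() the removed comment about casting the compat entry was the only text at this call site saying that a compat entry reaches the shared checks; with the cast gone, `arp_checkentry(&e->arp)` and `xt_check_entry_offsets(e, e->target_offset, e->next_offset)` are called directly on the compat entry with nothing saying so. Suggest keeping a one-line comment here that `e` is the compat entry, since the commit message says the offsets check is about to care which kind of blob it is given. The same applies to the compat hunks in ip_tables.c and ip6_tables.c.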
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -585,15 +585,6 @@ static void cleanup_match(struct xt_entr
 }
 
 static int
-check_entry(const struct ipt_entry *e)
-{
-	if (!ip_checkentry(&e->ip))
-		return -EINVAL;
-
-	return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
-}
-
-static int
 check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
 {
 	const struct ipt_ip *ip = par->entryinfo;
@@ -749,7 +740,10 @@ check_entry_size_and_hooks(struct ipt_en
 		return -EINVAL;
 	}
 
-	err = check_entry(e);
+	if (!ip_checkentry(&e->ip))
+		return -EINVAL;
+
+	err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
 	if (err)
 		return err;
 
@@ -1513,8 +1507,10 @@ check_compat_entry_size_and_hooks(struct
 		return -EINVAL;
 	}
 
-	/* For purposes of check_entry casting the compat entry is fine */
-	ret = check_entry((struct ipt_entry *)e);
+	if (!ip_checkentry(&e->ip))
+		return -EINVAL;
+
+	ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
 	if (ret)
 		return ret;
 
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -594,15 +594,6 @@ static void cleanup_match(struct xt_entr
 	module_put(par.match->me);
 }
 
-static int
-check_entry(const struct ip6t_entry *e)
-{
-	if (!ip6_checkentry(&e->ipv6))
-		return -EINVAL;
-
-	return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
-}
-
 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
 {
 	const struct ip6t_ip6 *ipv6 = par->entryinfo;
@@ -760,7 +751,10 @@ check_entry_size_and_hooks(struct ip6t_e
 		return -EINVAL;
 	}
 
-	err = check_entry(e);
+	if (!ip6_checkentry(&e->ipv6))
+		return -EINVAL;
+
+	err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
 	if (err)
 		return err;
 
@@ -1525,8 +1519,10 @@ check_compat_entry_size_and_hooks(struct
 		return -EINVAL;
 	}
 
-	/* For purposes of check_entry casting the compat entry is fine */
-	ret = check_entry((struct ip6t_entry *)e);
+	if (!ip6_checkentry(&e->ipv6))
+		return -EINVAL;
+
+	ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
 	if (ret)
 		return ret;
 


* [PATCH 3.16 118/305] UBI: fix missing brace control flow
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (7 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 272/305] tmpfs: fix regression hang in fallocate undo Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 258/305] ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift() Ben Hutchings
                   ` (296 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Brian Norris, Dan Carpenter, Richard Weinberger

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Brian Norris <computersforpeace@gmail.com>

commit b388e6a7a6ba988998ddd83919ae8d3debf1a13d upstream.

commit 0e707ae79ba3 ("UBI: do propagate positive error codes up") seems
to have produced an unintended change in the control flow here.

Completely untested, but it looks obvious.

Caught by Coverity, which didn't like the indentation. CID 1271184.

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/ubi/eba.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -425,9 +425,10 @@ retry:
 					ubi_warn("corrupted VID header at PEB %d, LEB %d:%d",
 						 pnum, vol_id, lnum);
 					err = -EBADMSG;
-				} else
+				} else {
 					err = -EINVAL;
 					ubi_ro_mode(ubi);
+				}
 			}
 			goto out_free;
 		} else if (err == UBI_IO_BITFLIPS)
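Review bot: Adding braces to the `else` changes which paths call `ubi_ro_mode(ubi)`. As the pre-patch lines are written, the unbraced `else` governs only `err = -EINVAL;`, so `ubi_ro_mode(ubi)` ran after either branch, including the corrupted VID header case that sets `err = -EBADMSG`. After the patch only the `-EINVAL` branch switches to read-only mode. The commit message calls this completely untested, so the changelog should state explicitly that leaving the device writable on `-EBADMSG` is the behaviour commit 0e707ae79ba3 intended.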


* [PATCH 3.16 219/305] Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (148 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 090/305] drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 136/305] arm64: Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks Ben Hutchings
                   ` (155 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Torokhov, Peter Hutterer, Ping Cheng, Ping Cheng

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ping Cheng <pinglinux@gmail.com>

commit 12afb34400eb2b301f06b2aa3535497d14faee59 upstream.

Somehow the patch that added two-finger touch support forgot to update
W8001_MAX_LENGTH from 11 to 13.

Signed-off-by: Ping Cheng <pingc@wacom.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/touchscreen/wacom_w8001.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/touchscreen/wacom_w8001.c
+++ b/drivers/input/touchscreen/wacom_w8001.c
@@ -27,7 +27,7 @@ MODULE_AUTHOR("Jaya Kumar <jayakumar.lkm
 MODULE_DESCRIPTION(DRIVER_DESC);
 MODULE_LICENSE("GPL");
 
-#define W8001_MAX_LENGTH	11
+#define W8001_MAX_LENGTH	13
 #define W8001_LEAD_MASK		0x80
 #define W8001_LEAD_BYTE		0x80
 #define W8001_TAB_MASK		0x40
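Review bot: `W8001_MAX_LENGTH` is a bare number with no comment tying it to the longest packet the driver accepts, which is how it stayed at 11 when two-finger touch support was added. Suggest a comment next to the define naming the packet type that needs 13 bytes, or deriving the value from per-packet length constants if the driver has them, so that a future packet format cannot outgrow the limit unnoticed.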


* [PATCH 3.16 013/305] ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (24 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 035/305] ext4: clean up error handling when orphan list is corrupted Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 043/305] tty: vt, return error when con_startup fails Ben Hutchings
                   ` (279 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paul Walmsley, Suman Anna

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Suman Anna <s-anna@ti.com>

commit c20c8f750d9f8f8617f07ee2352d3ff560e66bc2 upstream.

The omap_hwmod _enable() function can return success without setting
the hwmod state to _HWMOD_STATE_ENABLED for IPs with reset lines when
all of the reset lines are asserted. The omap_hwmod _idle() function
also performs a similar check, but after checking for the hwmod state
first. This triggers the WARN when pm_runtime_get and pm_runtime_put
are invoked on IPs with all reset lines asserted. Reverse the checks
for hwmod state and reset lines status to fix this.

Issue found during an unbind operation on a device with reset lines
still asserted, example backtrace below

 ------------[ cut here ]------------
 WARNING: CPU: 1 PID: 879 at arch/arm/mach-omap2/omap_hwmod.c:2207 _idle+0x1e4/0x240()
 omap_hwmod: mmu_dsp: idle state can only be entered from enabled state
 Modules linked in:
 CPU: 1 PID: 879 Comm: sh Not tainted 4.4.0-00008-ga989d951331a #3
 Hardware name: Generic OMAP5 (Flattened Device Tree)
 [<c0018e60>] (unwind_backtrace) from [<c0014dc4>] (show_stack+0x10/0x14)
 [<c0014dc4>] (show_stack) from [<c037ac28>] (dump_stack+0x90/0xc0)
 [<c037ac28>] (dump_stack) from [<c003f420>] (warn_slowpath_common+0x78/0xb4)
 [<c003f420>] (warn_slowpath_common) from [<c003f48c>] (warn_slowpath_fmt+0x30/0x40)
 [<c003f48c>] (warn_slowpath_fmt) from [<c0028c20>] (_idle+0x1e4/0x240)
 [<c0028c20>] (_idle) from [<c0029080>] (omap_hwmod_idle+0x28/0x48)
 [<c0029080>] (omap_hwmod_idle) from [<c002a5a4>] (omap_device_idle+0x3c/0x90)
 [<c002a5a4>] (omap_device_idle) from [<c0427a90>] (__rpm_callback+0x2c/0x60)
 [<c0427a90>] (__rpm_callback) from [<c0427ae4>] (rpm_callback+0x20/0x80)
 [<c0427ae4>] (rpm_callback) from [<c0427f84>] (rpm_suspend+0x138/0x74c)
 [<c0427f84>] (rpm_suspend) from [<c0428b78>] (__pm_runtime_idle+0x78/0xa8)
 [<c0428b78>] (__pm_runtime_idle) from [<c041f514>] (__device_release_driver+0x64/0x100)
 [<c041f514>] (__device_release_driver) from [<c041f5d0>] (device_release_driver+0x20/0x2c)
 [<c041f5d0>] (device_release_driver) from [<c041d85c>] (unbind_store+0x78/0xf8)
 [<c041d85c>] (unbind_store) from [<c0206df8>] (kernfs_fop_write+0xc0/0x1c4)
 [<c0206df8>] (kernfs_fop_write) from [<c018a120>] (__vfs_write+0x20/0xdc)
 [<c018a120>] (__vfs_write) from [<c018a9cc>] (vfs_write+0x90/0x164)
 [<c018a9cc>] (vfs_write) from [<c018b1f0>] (SyS_write+0x44/0x9c)
 [<c018b1f0>] (SyS_write) from [<c0010420>] (ret_fast_syscall+0x0/0x1c)
 ---[ end trace a4182013c75a9f50 ]---

While at this, fix the sequence in _shutdown() as well, though there
is no easy reproducible scenario.

Fixes: 747834ab8347 ("ARM: OMAP2+: hwmod: revise hardreset behavior")
Signed-off-by: Suman Anna <s-anna@ti.com>
Signed-off-by: Paul Walmsley <paul@pwsan.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-omap2/omap_hwmod.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/arch/arm/mach-omap2/omap_hwmod.c
+++ b/arch/arm/mach-omap2/omap_hwmod.c
@@ -2263,15 +2263,15 @@ static int _idle(struct omap_hwmod *oh)
 {
 	pr_debug("omap_hwmod: %s: idling\n", oh->name);
 
+	if (_are_all_hardreset_lines_asserted(oh))
+		return 0;
+
 	if (oh->_state != _HWMOD_STATE_ENABLED) {
 		WARN(1, "omap_hwmod: %s: idle state can only be entered from enabled state\n",
 			oh->name);
 		return -EINVAL;
 	}
 
-	if (_are_all_hardreset_lines_asserted(oh))
-		return 0;
-
 	if (oh->class->sysc)
 		_idle_sysc(oh);
 	_del_initiator_dep(oh, mpu_oh);
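Review bot: With `_are_all_hardreset_lines_asserted(oh)` checked first, `_idle()` returns 0 from any `_state`, so the WARN below can no longer flag a genuinely wrong state while the reset lines happen to be asserted. The ordering fits the case described in the commit message, but nothing in the code says why; suggest a short comment above the new check explaining that `_enable()` can succeed without setting `_HWMOD_STATE_ENABLED` when all reset lines are asserted.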
@@ -2318,6 +2318,9 @@ static int _shutdown(struct omap_hwmod *
 	int ret, i;
 	u8 prev_state;
 
+	if (_are_all_hardreset_lines_asserted(oh))
+		return 0;
+
 	if (oh->_state != _HWMOD_STATE_IDLE &&
 	    oh->_state != _HWMOD_STATE_ENABLED) {
 		WARN(1, "omap_hwmod: %s: disabled state can only be entered from idle, or enabled state\n",
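Review bot: The early `return 0` in `_shutdown()` is silent: it precedes the `pr_debug("omap_hwmod: %s: disabling\n", ...)` visible in the next hunk, and after this change it also precedes the state WARN. The commit message notes there is no easy reproducer for this path, so a `pr_debug` on the early return would make it possible to tell from logs that shutdown was skipped because all reset lines were asserted.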
@@ -2325,9 +2328,6 @@ static int _shutdown(struct omap_hwmod *
 		return -EINVAL;
 	}
 
-	if (_are_all_hardreset_lines_asserted(oh))
-		return 0;
-
 	pr_debug("omap_hwmod: %s: disabling\n", oh->name);
 
 	if (oh->class->pre_shutdown) {


* [PATCH 3.16 272/305] tmpfs: fix regression hang in fallocate undo
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (6 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 269/305] xenbus: don't bail early from xenbus_dev_request_and_reply() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 118/305] UBI: fix missing brace control flow Ben Hutchings
                   ` (297 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hugh Dickins, Linus Torvalds

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hugh Dickins <hughd@google.com>

commit 7f556567036cb7f89aabe2f0954b08566b4efb53 upstream.

The well-spotted fallocate undo fix is good in most cases, but not when
fallocate failed on the very first page.  index 0 then passes lend -1
to shmem_undo_range(), and that has two bad effects: (a) that it will
undo every fallocation throughout the file, unrestricted by the current
range; but more importantly (b) it can cause the undo to hang, because
lend -1 is treated as truncation, which makes it keep on retrying until
every page has gone, but those already fully instantiated will never go
away.  Big thank you to xfstests generic/269 which demonstrates this.

Fixes: b9b4bb26af01 ("tmpfs: don't undo fallocate past its last page")
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: use PAGE_CACHE_SHIFT instead of PAGE_SHIFT]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/shmem.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1865,9 +1865,11 @@ static long shmem_fallocate(struct file
 									NULL);
 		if (error) {
 			/* Remove the !PageUptodate pages we added */
-			shmem_undo_range(inode,
-				(loff_t)start << PAGE_CACHE_SHIFT,
-				((loff_t)index << PAGE_CACHE_SHIFT) - 1, true);
+			if (index > start) {
+				shmem_undo_range(inode,
+				    (loff_t)start << PAGE_CACHE_SHIFT,
+				    ((loff_t)index << PAGE_CACHE_SHIFT) - 1, true);
+			}
 			goto undone;
 		}
 
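Review bot: The `if (index > start)` guard reads as redundant without the reasoning from the commit message. Suggest extending the "Remove the !PageUptodate pages we added" comment to say that when the failure is on the very first page there is nothing to undo, and that calling `shmem_undo_range()` anyway would pass an end of -1 for index 0, which is treated as truncation.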


* [PATCH 3.16 143/305] ALSA: hda - Fix headset mic detection problem for Dell machine
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (200 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 137/305] scsi: Add QEMU CD-ROM to VPD Inquiry Blacklist Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 017/305] drm/i915: Prevent machine death on Ivybridge context switching Ben Hutchings
                   ` (103 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, AceLan Kao

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: AceLan Kao <acelan.kao@canonical.com>

commit f90d83b301701026b2e4c437a3613f377f63290e upstream.

Add the pin configuration value of this machine into the pin_quirk
table to make DELL1_MIC_NO_PRESENCE apply to this machine.

Signed-off-by: AceLan Kao <acelan.kao@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_realtek.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5182,6 +5182,10 @@ static const struct snd_hda_pin_quirk al
 		{0x1d, 0x40700001},
 		{0x1e, 0x411111f0},
 		{0x21, 0x02211040}),
+	SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell Inspiron 5565", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+		{0x12, 0x90a60180},
+		{0x14, 0x90170120},
+		{0x21, 0x02211030}),
 	SND_HDA_PIN_QUIRK(0x10ec0282, 0x103c, "HP 15 Touchsmart", ALC269_FIXUP_HP_MUTE_LED_MIC1,
 		{0x12, 0x99a30130},
 		{0x14, 0x90170110},


* [PATCH 3.16 168/305] usb: f_fs: off by one bug in _ffs_func_bind()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (96 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 152/305] x86, build: copy ldlinux.c32 to image.iso Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 294/305] netfilter: x_tables: check standard target size too Ben Hutchings
                   ` (207 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Dan Carpenter, Michal Nazarewicz

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 0015f9156092d07b3ec06d37d014328419d5832e upstream.

This loop is supposed to set all the .num[] values to -1 but it's off by
one so it skips the first element and sets one element past the end of
the array.

I've cleaned up the loop a little as well.

Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver')
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16:
 - Adjust filename, context
 - Add definition of i variable]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/f_fs.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -2355,7 +2355,8 @@ static int _ffs_func_bind(struct usb_con
 	const int super = gadget_is_superspeed(func->gadget) &&
 		func->ffs->ss_descs_count;
 
-	int fs_len, hs_len, ret;
+	int fs_len, hs_len, ret, i;
+	struct ffs_ep *eps_ptr;
 
 	/* Make it a single chunk, less management later on */
 	vla_group(d);
@@ -2388,12 +2389,9 @@ static int _ffs_func_bind(struct usb_con
 	       ffs->raw_descs_length);
 
 	memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
-	for (ret = ffs->eps_count; ret; --ret) {
-		struct ffs_ep *ptr;
-
-		ptr = vla_ptr(vlabuf, d, eps);
-		ptr[ret].num = -1;
-	}
+	eps_ptr = vla_ptr(vlabuf, d, eps);
+	for (i = 0; i < ffs->eps_count; i++)
+		eps_ptr[i].num = -1;
 
 	/* Save pointers
 	 * d_eps == vlabuf, func->eps used to kfree vlabuf later
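Review bot: The loop counter `i` is declared as a signed `int` in the first hunk while the type of `ffs->eps_count` is not visible here; if it is unsigned, `i < ffs->eps_count` is a mixed-sign comparison and `i` should be declared to match. The replaced loop wrote `ptr[ffs->eps_count].num`, one element past `eps` inside the single `vlabuf` chunk, so it would also help stable triage if the changelog said what is laid out after `eps` in that chunk.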


* [PATCH 3.16 136/305] arm64: Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (149 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 219/305] Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 100/305] batman-adv: Fix unexpected free of bcast_own on add_if error Ben Hutchings
                   ` (154 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Will Deacon, Catalin Marinas

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Catalin Marinas <catalin.marinas@arm.com>

commit e47b020a323d1b2a7b1e9aac86e99eae19463630 upstream.

This patch brings the PER_LINUX32 /proc/cpuinfo format more in line with
the 32-bit ARM one by providing an additional line:

model name      : ARMv8 Processor rev X (v8l)

Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[bwh: Backported to 3.16:
 - Adjust filename, context
 - Open-code MIDR_REVISION()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/include/asm/elf.h | 4 ++--
 arch/arm64/kernel/setup.c    | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

--- a/arch/arm64/include/asm/elf.h
+++ b/arch/arm64/include/asm/elf.h
@@ -161,14 +161,14 @@ struct mm_struct;
 extern unsigned long arch_randomize_brk(struct mm_struct *mm);
 #define arch_randomize_brk arch_randomize_brk
 
-#ifdef CONFIG_COMPAT
-
 #ifdef __AARCH64EB__
 #define COMPAT_ELF_PLATFORM		("v8b")
 #else
 #define COMPAT_ELF_PLATFORM		("v8l")
 #endif
 
+#ifdef CONFIG_COMPAT
+
 #define COMPAT_ELF_ET_DYN_BASE		(randomize_et_dyn(2 * TASK_SIZE_32 / 3))
 
 /* AArch32 registers. */
--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -44,6 +44,8 @@
 #include <linux/of_platform.h>
 #include <linux/efi.h>
 #include <linux/personality.h>
+#include <linux/compat.h>
+#include <linux/elf.h>
 
 #include <asm/fixmap.h>
 #include <asm/cputype.h>
@@ -489,6 +491,7 @@ static const char *compat_hwcap_str[] =
 static int c_show(struct seq_file *m, void *v)
 {
 	int i, j;
+	bool compat = personality(current->personality) == PER_LINUX32;
 
 	for_each_online_cpu(i) {
 		struct cpuinfo_arm64 *cpuinfo = &per_cpu(cpu_data, i);
@@ -500,6 +503,9 @@ static int c_show(struct seq_file *m, vo
 		 * "processor".  Give glibc what it expects.
 		 */
 #ifdef CONFIG_SMP
+		if (compat)
+			seq_printf(m, "model name\t: ARMv8 Processor rev %d (%s)\n",
+				   midr & 0xf, COMPAT_ELF_PLATFORM);
 		seq_printf(m, "processor\t: %d\n", i);
 #endif
 
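Review bot: The new `model name` line is emitted inside the existing `#ifdef CONFIG_SMP` block, so a PER_LINUX32 task on a kernel built without CONFIG_SMP gets no `model name` line, although the commit message describes the line as provided for PER_LINUX32 tasks without that condition. If that is not intended, move the `if (compat)` block above the `#ifdef`. Also, `midr` is not declared in any of the visible context lines of c_show(); please confirm the backport has it in scope here, since the changelog says MIDR_REVISION() was open-coded.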
@@ -514,7 +520,7 @@ static int c_show(struct seq_file *m, vo
 		 * software which does already (at least for 32-bit).
 		 */
 		seq_puts(m, "Features\t:");
-		if (personality(current->personality) == PER_LINUX32) {
+		if (compat) {
 #ifdef CONFIG_COMPAT
 			for (j = 0; compat_hwcap_str[j]; j++)
 				if (compat_elf_hwcap & (1 << j))


* [PATCH 3.16 098/305] cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (183 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 068/305] kbuild: move -Wunused-const-variable to W=1 warning level Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 267/305] qeth: delete napi struct when removing a qeth device Ben Hutchings
                   ` (120 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rafael J. Wysocki, Daniel Lezcano

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Lezcano <daniel.lezcano@linaro.org>

commit e7387da52028b072489c45efeb7a916c0205ebd2 upstream.

Commit 0b89e9aa2856 (cpuidle: delay enabling interrupts until all
coupled CPUs leave idle) rightfully fixed a regression by letting
the coupled idle state framework handle local interrupt enabling
when the CPU is exiting an idle state.

The current code checks if the idle state is coupled and, if so, it
will let the coupled code enable interrupts. This way, it can
decrement the ready-count before handling the interrupt. This
mechanism prevents the other CPUs from waiting for a CPU which is
handling interrupts.

But the check is done against the state index returned by the back
end driver's ->enter functions which could be different from the
initial index passed as parameter to the cpuidle_enter_state()
function.

 entered_state = target_state->enter(dev, drv, index);

 [ ... ]

 if (!cpuidle_state_is_coupled(drv, entered_state))
	local_irq_enable();

 [ ... ]

If the 'index' is referring to a coupled idle state but the
'entered_state' is *not* coupled, then the interrupts are enabled
again. All CPUs blocked on the sync barrier may busy loop longer
if the CPU has interrupts to handle before decrementing the
ready-count. That's consuming more energy than saving.

Fixes: 0b89e9aa2856 (cpuidle: delay enabling interrupts until all coupled CPUs leave idle)
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
[ rjw: Subject & changelog ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/cpuidle/cpuidle.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/cpuidle/cpuidle.c
+++ b/drivers/cpuidle/cpuidle.c
@@ -125,7 +125,7 @@ int cpuidle_enter_state(struct cpuidle_d
 
 	time_end = ktime_get();
 
-	if (!cpuidle_state_is_coupled(dev, drv, entered_state))
+	if (!cpuidle_state_is_coupled(dev, drv, index))
 		local_irq_enable();
 
 	diff = ktime_to_us(ktime_sub(time_end, time_start));
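Review bot: Passing `index` rather than `entered_state` to `cpuidle_state_is_coupled()` is deliberate but looks like a slip, given that `entered_state` is what the driver's ->enter returned, so it is likely to be "corrected" back later. Suggest a comment above the check saying that the decision to leave interrupts disabled must follow the state that was requested, because the coupled code handles interrupt enabling whenever the requested state is coupled, even if the driver entered a different one.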


* [PATCH 3.16 067/305] arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (189 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 253/305] batman-adv: Fix use-after-free/double-free of tt_req_node Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 160/305] uvc: Forward compat ioctls to their handlers directly Ben Hutchings
                   ` (114 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Will Deacon, Julien Grall

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Julien Grall <julien.grall@arm.com>

commit f228b494e56d949be8d8ea09d4f973d1979201bf upstream.

The loop that browses the array compat_hwcap_str will stop when a NULL
is encountered, however NULL is missing at the end of array. This will
lead to overrun until a NULL is found somewhere in the following memory.
In reality, this works out because the compat_hwcap2_str array tends to
follow immediately in memory, and that *is* terminated correctly.
Furthermore, the unsigned int compat_elf_hwcap is checked before
printing each capability, so we end up doing the right thing because
the size of the two arrays is less than 32. Still, this is an obvious
mistake and should be fixed.

Note for backporting: commit 12d11817eaafa414 ("arm64: Move
/proc/cpuinfo handling code") moved this code in v4.4. Prior to that
commit, the same change should be made in arch/arm64/kernel/setup.c.

Fixes: 44b82b7700d0 "arm64: Fix up /proc/cpuinfo"
Signed-off-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm64/kernel/setup.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -481,7 +481,8 @@ static const char *compat_hwcap_str[] =
 	"idivt",
 	"vfpd32",
 	"lpae",
-	"evtstrm"
+	"evtstrm",
+	NULL
 };
 #endif /* CONFIG_COMPAT */
 


* [PATCH 3.16 256/305] batman-adv: Clean up untagged vlan when destroying via rtnl-link
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (282 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 233/305] iio:ad7266: Fix support for optional regulators Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 304/305] netfilter: ensure number of counters is >0 in do_replace() Ben Hutchings
                   ` (21 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Antonio Quartulli, David S. Miller, Sven Eckelmann, Marek Lindner

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 420cb1b764f9169c5d2601b4af90e4a1702345ee upstream.

The untagged vlan object is only destroyed when the interface is removed
via the legacy sysfs interface. But it also has to be destroyed when the
standard rtnl-link interface is used.

Fixes: 5d2c05b21337 ("batman-adv: add per VLAN interface attribute framework")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: s/_put/_free_ref/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/soft-interface.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -975,7 +975,9 @@ void batadv_softif_destroy_sysfs(struct
 static void batadv_softif_destroy_netlink(struct net_device *soft_iface,
 					  struct list_head *head)
 {
+	struct batadv_priv *bat_priv = netdev_priv(soft_iface);
 	struct batadv_hard_iface *hard_iface;
+	struct batadv_softif_vlan *vlan;
 
 	list_for_each_entry(hard_iface, &batadv_hardif_list, list) {
 		if (hard_iface->soft_iface == soft_iface)
@@ -983,6 +985,13 @@ static void batadv_softif_destroy_netlin
 							BATADV_IF_CLEANUP_KEEP);
 	}
 
+	/* destroy the "untagged" VLAN */
+	vlan = batadv_softif_vlan_get(bat_priv, BATADV_NO_FLAGS);
+	if (vlan) {
+		batadv_softif_destroy_vlan(bat_priv, vlan);
+		batadv_softif_vlan_free_ref(vlan);
+	}
+
 	batadv_sysfs_del_meshif(soft_iface);
 	unregister_netdevice_queue(soft_iface, head);
 }
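
Review bot: the untagged-VLAN teardown added to batadv_softif_destroy_netlink() repeats what the commit message says the legacy sysfs destroy path already does, so the two paths can drift apart again. Consider moving the batadv_softif_vlan_get() / batadv_softif_destroy_vlan() / batadv_softif_vlan_free_ref() sequence into one helper called from both. The bwh note about s/_put/_free_ref/ is worth keeping in mind for later backports that touch this block.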

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 292/305] netfilter: x_tables: assert minimum target size
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (194 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 242/305] s390: fix test_fp_ctl inline assembly contraints Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 006/305] iommu/vt-d: Ratelimit fault handler Ben Hutchings
                   ` (109 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Florian Westphal

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit a08e4e190b866579896c09af59b3bdca821da2cd upstream.

The target size includes the size of the xt_entry_target struct.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/x_tables.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -587,6 +587,9 @@ int xt_check_entry_offsets(const void *b
 		return -EINVAL;
 
 	t = (void *)(e + target_offset);
+	if (t->u.target_size < sizeof(*t))
+		return -EINVAL;
+
 	if (target_offset + t->u.target_size > next_offset)
 		return -EINVAL;
 
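
Review bot: in xt_check_entry_offsets() the new test dereferences t->u.target_size right after t = (void *)(e + target_offset), and the condition behind the preceding return -EINVAL is outside the visible context. Please confirm that earlier check already guarantees target_offset + sizeof(*t) <= next_offset, otherwise reading the size field is itself out of bounds on a short entry. The commit message would also benefit from saying what goes wrong when target_size is smaller than the header, since it currently only states the invariant.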

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 120/305] RDMA/cxgb3: device driver frees DMA memory with different size
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (255 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 078/305] ring-buffer: Prevent overflow of size in ring_buffer_resize() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 151/305] IB/IPoIB: Don't update neigh validity for unresolved entries Ben Hutchings
                   ` (48 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Honggang Li, Steve Wise, Doug Ledford

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Honggang Li <honli@redhat.com>

commit 0de4cbb3dddca35ecd06b95918f38439c9c6401f upstream.

[  598.852037] ------------[ cut here ]------------
[  598.856698] WARNING: at lib/dma-debug.c:887 check_unmap+0xf8/0x920()
[  598.863079] cxgb3 0000:01:00.0: DMA-API: device driver frees DMA memory with different size [device address=0x0000000003310000] [map size=17 bytes] [unmap size=16 bytes]
[  598.878265] Modules linked in: xprtrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_sa ib_mad kvm_amd kvm ipmi_devintf ipmi_ssif dcdbas pcspkr ipmi_si sg ipmi_msghandler acpi_power_meter amd64_edac_mod shpchp edac_core sp5100_tco k10temp edac_mce_amd i2c_piix4 acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_common ata_generic iw_cxgb3 pata_acpi ib_core ib_addr mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm pata_atiixp drm ahci libahci serio_raw i2c_core cxgb3 libata bnx2 mdio dm_mirror dm_region_hash dm_log dm_mod
[  598.946822] CPU: 3 PID: 11820 Comm: cmtime Not tainted 3.10.0-327.el7.x86_64.debug #1
[  598.954681] Hardware name: Dell Inc. PowerEdge R415/0GXH08, BIOS 2.0.2 10/22/2012
[  598.962193]  ffff8808077479a8 000000000381a432 ffff880807747960 ffffffff81700918
[  598.969663]  ffff880807747998 ffffffff8108b6c0 ffff880807747a80 ffff8808063f55c0
[  598.977132]  ffffffff833ca850 0000000000000282 ffff88080b1bb800 ffff880807747a00
[  598.984602] Call Trace:
[  598.987062]  [<ffffffff81700918>] dump_stack+0x19/0x1b
[  598.992224]  [<ffffffff8108b6c0>] warn_slowpath_common+0x70/0xb0
[  598.998254]  [<ffffffff8108b75c>] warn_slowpath_fmt+0x5c/0x80
[  599.004033]  [<ffffffff813903b8>] check_unmap+0xf8/0x920
[  599.009369]  [<ffffffff81025959>] ? sched_clock+0x9/0x10
[  599.014702]  [<ffffffff81390cee>] debug_dma_free_coherent+0x7e/0xa0
[  599.021008]  [<ffffffffa01ece2c>] cxio_destroy_cq+0xcc/0x160 [iw_cxgb3]
[  599.027654]  [<ffffffffa01e8da0>] iwch_destroy_cq+0xf0/0x140 [iw_cxgb3]
[  599.034307]  [<ffffffffa01c4bfe>] ib_destroy_cq+0x1e/0x30 [ib_core]
[  599.040601]  [<ffffffffa04ff2d2>] ib_uverbs_close+0x302/0x4d0 [ib_uverbs]
[  599.047417]  [<ffffffff812335a2>] __fput+0x102/0x310
[  599.052401]  [<ffffffff8123388e>] ____fput+0xe/0x10
[  599.057297]  [<ffffffff810bbde4>] task_work_run+0xb4/0xe0
[  599.062719]  [<ffffffff81092a84>] do_exit+0x304/0xc60
[  599.067789]  [<ffffffff81025905>] ? native_sched_clock+0x35/0x80
[  599.073820]  [<ffffffff81025959>] ? sched_clock+0x9/0x10
[  599.079153]  [<ffffffff8170a49c>] ? _raw_spin_unlock_irq+0x2c/0x50
[  599.085358]  [<ffffffff8109346c>] do_group_exit+0x4c/0xc0
[  599.090779]  [<ffffffff810a8661>] get_signal_to_deliver+0x2e1/0x960
[  599.097071]  [<ffffffff8101c497>] do_signal+0x57/0x6e0
[  599.102229]  [<ffffffff81714bd1>] ? sysret_signal+0x5/0x4e
[  599.107738]  [<ffffffff8101cb7f>] do_notify_resume+0x5f/0xb0
[  599.113418]  [<ffffffff81714e7d>] int_signal+0x12/0x17
[  599.118576] ---[ end trace 1e4653102e7e7019 ]---
[  599.123211] Mapped at:
[  599.125577]  [<ffffffff8138ed8b>] debug_dma_alloc_coherent+0x2b/0x80
[  599.131968]  [<ffffffffa01ec862>] cxio_create_cq+0xf2/0x1f0 [iw_cxgb3]
[  599.139920]  [<ffffffffa01e9c05>] iwch_create_cq+0x105/0x4e0 [iw_cxgb3]
[  599.147895]  [<ffffffffa0500584>] create_cq.constprop.14+0x184/0x2e0 [ib_uverbs]
[  599.156649]  [<ffffffffa05027fb>] ib_uverbs_create_cq+0x10b/0x140 [ib_uverbs]

Fixes: b955150ea784 ('RDMA/cxgb3: When a user QP is marked in error, also mark the CQs in error')
Signed-off-by: Honggang Li <honli@redhat.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/cxgb3/cxio_hal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/cxgb3/cxio_hal.c
+++ b/drivers/infiniband/hw/cxgb3/cxio_hal.c
@@ -327,7 +327,7 @@ int cxio_destroy_cq(struct cxio_rdev *rd
 	kfree(cq->sw_queue);
 	dma_free_coherent(&(rdev_p->rnic_info.pdev->dev),
 			  (1UL << (cq->size_log2))
-			  * sizeof(struct t3_cqe), cq->queue,
+			  * sizeof(struct t3_cqe) + 1, cq->queue,
 			  dma_unmap_addr(cq, mapping));
 	cxio_hal_put_cqid(rdev_p->rscp, cq->cqid);
 	return err;
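
Review bot: the "+ 1" in the dma_free_coherent() size is a bare magic number that has to match the allocation in cxio_create_cq(), which the trace shows mapping 17 bytes against a 16-byte unmap. Computing the length once (a small helper, or a value stored in the cq at create time) and using it on both paths would keep alloc and free from drifting apart again; at minimum, add a comment saying what the extra byte is for.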

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 221/305] cifs: use CIFS_MAX_DOMAINNAME_LEN when converting the domain name
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (181 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 036/305] MIPS: ath79: make bootconsole wait for both THRE and TEMT Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 068/305] kbuild: move -Wunused-const-variable to W=1 warning level Ben Hutchings
                   ` (122 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, Jerome Marchand

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jerome Marchand <jmarchan@redhat.com>

commit 202d772ba02b1deb8835a631cd8255943d1906a0 upstream.

Currently in build_ntlmssp_auth_blob(), when converting the domain
name to UTF16, CIFS_MAX_USERNAME_LEN limit is used. It should be
CIFS_MAX_DOMAINNAME_LEN. This patch fixes this.

Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/sess.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -429,7 +429,7 @@ int build_ntlmssp_auth_blob(unsigned cha
 	} else {
 		int len;
 		len = cifs_strtoUTF16((__le16 *)tmp, ses->domainName,
-				      CIFS_MAX_USERNAME_LEN, nls_cp);
+				      CIFS_MAX_DOMAINNAME_LEN, nls_cp);
 		len *= 2; /* unicode is 2 bytes each */
 		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
 		sec_blob->DomainName.Length = cpu_to_le16(len);
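
Review bot: raising the cifs_strtoUTF16() limit for ses->domainName to CIFS_MAX_DOMAINNAME_LEN changes how much can be written at tmp, and the sizing of the buffer behind pbuffer is not part of this hunk. Please confirm the blob allocation reserves 2 * CIFS_MAX_DOMAINNAME_LEN bytes for the domain name, and that the doubled len still fits the 16-bit DomainName.Length passed to cpu_to_le16().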

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 177/305] usb: musb: Ensure rx reinit occurs for shared_fifo endpoints
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (101 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 106/305] net: ehea: avoid null pointer dereference Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 245/305] mac80211: Fix mesh estab_plinks counting in STA removal case Ben Hutchings
                   ` (202 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Andrew Goodbody, Bin Liu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Goodbody <andrew.goodbody@cambrionix.com>

commit f3eec0cf784e0d6c47822ca6b66df3d5812af7e6 upstream.

shared_fifo endpoints would only get a previous tx state cleared
out, the rx state was only cleared for non shared_fifo endpoints.
Change this so that the rx state is cleared for all endpoints.
This addresses an issue that resulted in rx packets being dropped
silently.

Signed-off-by: Andrew Goodbody <andrew.goodbody@cambrionix.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/musb/musb_host.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/drivers/usb/musb/musb_host.c
+++ b/drivers/usb/musb/musb_host.c
@@ -583,14 +583,13 @@ musb_rx_reinit(struct musb *musb, struct
 		musb_writew(ep->regs, MUSB_TXCSR, 0);
 
 	/* scrub all previous state, clearing toggle */
-	} else {
-		csr = musb_readw(ep->regs, MUSB_RXCSR);
-		if (csr & MUSB_RXCSR_RXPKTRDY)
-			WARNING("rx%d, packet/%d ready?\n", ep->epnum,
-				musb_readw(ep->regs, MUSB_RXCOUNT));
-
-		musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG);
 	}
+	csr = musb_readw(ep->regs, MUSB_RXCSR);
+	if (csr & MUSB_RXCSR_RXPKTRDY)
+		WARNING("rx%d, packet/%d ready?\n", ep->epnum,
+			musb_readw(ep->regs, MUSB_RXCOUNT));
+
+	musb_h_flush_rxfifo(ep, MUSB_RXCSR_CLRDATATOG);
 
 	/* target addr and (for multipoint) hub addr/port */
 	if (musb->is_multipoint) {
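
Review bot: with "} else {" removed, the comment "/* scrub all previous state, clearing toggle */" is left as the last line inside the shared_fifo branch, directly above its closing brace, while the code it describes now follows the brace. Move the comment below the "}" so it sits above the csr = musb_readw(ep->regs, MUSB_RXCSR) sequence that now runs for every endpoint.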

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 261/305] bonding: prevent out of bound accesses
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (245 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 271/305] ecryptfs: don't allow mmap when the lower fs doesn't support it Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 166/305] iio:st_pressure: fix sampling gains (bring inline with ABI) Ben Hutchings
                   ` (58 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ding Tianhong, Nikolay Aleksandrov, Dmitry Vyukov,
	David S. Miller, Eric Dumazet

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit f87fda00b6ed232a817c655b8d179b48bde8fdbe upstream.

ether_addr_equal_64bits() requires some care about its arguments,
namely that 8 bytes might be read, even if last 2 byte values are not
used.

KASan detected a violation with null_mac_addr and lacpdu_mcast_addr
in bond_3ad.c

Same problem with mac_bcast[] and mac_v6_allmcast[] in bond_alb.c :
Although the 8-byte alignment was there, KASan would detect out
of bound accesses.

Fixes: 815117adaf5b ("bonding: use ether_addr_equal_unaligned for bond addr compare")
Fixes: bb54e58929f3 ("bonding: Verify RX LACPDU has proper dest mac-addr")
Fixes: 885a136c52a8 ("bonding: use compare_ether_addr_64bits() in ALB")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Adjust filename
 - Drop change to bond_params::ad_actor_system
 - Fix one more copy of null_mac_addr to use eth_zero_addr()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/bonding/bond_3ad.c | 11 +++++++----
 drivers/net/bonding/bond_alb.c |  7 ++-----
 drivers/net/bonding/bonding.h  |  7 ++++++-
 3 files changed, 15 insertions(+), 10 deletions(-)

--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -95,11 +95,14 @@
 #define MAC_ADDRESS_EQUAL(A, B)	\
 	ether_addr_equal_64bits((const u8 *)A, (const u8 *)B)
 
-static struct mac_addr null_mac_addr = { { 0, 0, 0, 0, 0, 0 } };
+static const u8 null_mac_addr[ETH_ALEN + 2] __long_aligned = {
+	0, 0, 0, 0, 0, 0
+};
 static u16 ad_ticks_per_sec;
 static const int ad_delta_in_ticks = (AD_TIMER_INTERVAL * HZ) / 1000;
 
-static const u8 lacpdu_mcast_addr[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
+static const u8 lacpdu_mcast_addr[ETH_ALEN + 2] __long_aligned =
+	MULTICAST_LACPDU_ADDR;
 
 /* ================= main 802.3ad protocol functions ================== */
 static int ad_lacpdu_send(struct port *port);
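
Review bot: padding null_mac_addr and lacpdu_mcast_addr to ETH_ALEN + 2 fixes only one side of MAC_ADDRESS_EQUAL(), which casts both A and B to const u8 * and hands them to ether_addr_equal_64bits(). Every other operand passed through the macro needs the same two readable bytes after the address, so the call sites should be audited, or the macro switched to a comparison that reads only 6 bytes. A comment on the two arrays explaining the + 2 would also keep them from being shrunk back to ETH_ALEN.
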
@@ -1614,7 +1617,7 @@ static void ad_clear_agg(struct aggregat
 		aggregator->is_individual = false;
 		aggregator->actor_admin_aggregator_key = 0;
 		aggregator->actor_oper_aggregator_key = 0;
-		aggregator->partner_system = null_mac_addr;
+		eth_zero_addr(aggregator->partner_system.mac_addr_value);
 		aggregator->partner_system_priority = 0;
 		aggregator->partner_oper_aggregator_key = 0;
 		aggregator->receive_state = 0;
@@ -1636,7 +1639,7 @@ static void ad_initialize_agg(struct agg
 	if (aggregator) {
 		ad_clear_agg(aggregator);
 
-		aggregator->aggregator_mac_address = null_mac_addr;
+		eth_zero_addr(aggregator->aggregator_mac_address.mac_addr_value);
 		aggregator->aggregator_identifier = 0;
 		aggregator->slave = NULL;
 	}
@@ -1671,7 +1674,7 @@ static void ad_initialize_port(struct po
 	if (port) {
 		port->actor_port_number = 1;
 		port->actor_port_priority = 0xff;
-		port->actor_system = null_mac_addr;
+		eth_zero_addr(port->actor_system.mac_addr_value);
 		port->actor_system_priority = 0xffff;
 		port->actor_port_aggregator_identifier = 0;
 		port->ntt = false;
--- a/drivers/net/bonding/bond_alb.c
+++ b/drivers/net/bonding/bond_alb.c
@@ -44,13 +44,10 @@
 
 
 
-#ifndef __long_aligned
-#define __long_aligned __attribute__((aligned((sizeof(long)))))
-#endif
-static const u8 mac_bcast[ETH_ALEN] __long_aligned = {
+static const u8 mac_bcast[ETH_ALEN + 2] __long_aligned = {
 	0xff, 0xff, 0xff, 0xff, 0xff, 0xff
 };
-static const u8 mac_v6_allmcast[ETH_ALEN] __long_aligned = {
+static const u8 mac_v6_allmcast[ETH_ALEN + 2] __long_aligned = {
 	0x33, 0x33, 0x00, 0x00, 0x00, 0x01
 };
 static const int alb_delta_in_ticks = HZ / ALB_TIMER_TICKS_PER_SEC;
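
Review bot: mac_bcast[] and mac_v6_allmcast[] grow to ETH_ALEN + 2 while keeping six initialisers, so the two pad bytes are implicitly zero and unexplained. A one-line comment that the trailing bytes exist only so the 8-byte read in ether_addr_equal_64bits() stays in bounds would document the intent, and a shared macro for the padded length would avoid repeating ETH_ALEN + 2 across bond_3ad.c and bond_alb.c.
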
--- a/drivers/net/bonding/bonding.h
+++ b/drivers/net/bonding/bonding.h
@@ -41,6 +41,9 @@
 
 #define BOND_DEFAULT_MIIMON	100
 
+#ifndef __long_aligned
+#define __long_aligned __attribute__((aligned((sizeof(long)))))
+#endif
 /*
  * Less bad way to call ioctl from within the kernel; this needs to be
  * done some other way to get the call out of interrupt context.
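
Review bot: the __long_aligned fallback is inserted with no blank line after its #endif, so it runs straight into the unrelated "Less bad way to call ioctl" comment block. Add a blank line after the #endif and a short comment saying what the macro is for, now that it is shared by bond_3ad.c and bond_alb.c.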

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 006/305] iommu/vt-d: Ratelimit fault handler
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (195 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 292/305] netfilter: x_tables: assert minimum target size Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 250/305] net: phy: Manage fixed PHY address space using IDA Ben Hutchings
                   ` (108 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Williamson, Joerg Roedel

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Williamson <alex.williamson@redhat.com>

commit c43fce4eebae257ca413733690e2076757282093 upstream.

Fault rates can easily overwhelm the console and make the system
unresponsive.  Ratelimit to allow an opportunity for maintenance.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Fixes: 0ac2491f57af ('x86, dmar: move page fault handling code to dmar.c')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iommu/dmar.c | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)

--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -1482,10 +1482,17 @@ irqreturn_t dmar_fault(int irq, void *de
 	int reg, fault_index;
 	u32 fault_status;
 	unsigned long flag;
+	bool ratelimited;
+	static DEFINE_RATELIMIT_STATE(rs,
+				      DEFAULT_RATELIMIT_INTERVAL,
+				      DEFAULT_RATELIMIT_BURST);
+
+	/* Disable printing, simply clear the fault when ratelimited */
+	ratelimited = !__ratelimit(&rs);
 
 	raw_spin_lock_irqsave(&iommu->register_lock, flag);
 	fault_status = readl(iommu->reg + DMAR_FSTS_REG);
-	if (fault_status)
+	if (fault_status && !ratelimited)
 		pr_err("DRHD: handling fault status reg %x\n", fault_status);
 
 	/* TBD: ignore advanced fault log currently */
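
Review bot: rs is a function-local static, so the single DEFINE_RATELIMIT_STATE is shared by every IOMMU that reaches dmar_fault(), and __ratelimit(&rs) is consumed before fault_status is even read. One noisy unit can therefore suppress fault reports from all the others, and interrupts with nothing to report still use up the burst. Consider calling __ratelimit() only once a fault is known to be pending, and extend the comment to say that suppressed faults are cleared without being decoded.
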
@@ -1507,24 +1514,28 @@ irqreturn_t dmar_fault(int irq, void *de
 		if (!(data & DMA_FRCD_F))
 			break;
 
-		fault_reason = dma_frcd_fault_reason(data);
-		type = dma_frcd_type(data);
-
-		data = readl(iommu->reg + reg +
-				fault_index * PRIMARY_FAULT_REG_LEN + 8);
-		source_id = dma_frcd_source_id(data);
+		if (!ratelimited) {
+			fault_reason = dma_frcd_fault_reason(data);
+			type = dma_frcd_type(data);
+
+			data = readl(iommu->reg + reg +
+				     fault_index * PRIMARY_FAULT_REG_LEN + 8);
+			source_id = dma_frcd_source_id(data);
+
+			guest_addr = dmar_readq(iommu->reg + reg +
+					fault_index * PRIMARY_FAULT_REG_LEN);
+			guest_addr = dma_frcd_page_addr(guest_addr);
+		}
 
-		guest_addr = dmar_readq(iommu->reg + reg +
-				fault_index * PRIMARY_FAULT_REG_LEN);
-		guest_addr = dma_frcd_page_addr(guest_addr);
 		/* clear the fault */
 		writel(DMA_FRCD_F, iommu->reg + reg +
 			fault_index * PRIMARY_FAULT_REG_LEN + 12);
 
 		raw_spin_unlock_irqrestore(&iommu->register_lock, flag);
 
-		dmar_fault_do_one(iommu, type, fault_reason,
-				source_id, guest_addr);
+		if (!ratelimited)
+			dmar_fault_do_one(iommu, type, fault_reason,
+					  source_id, guest_addr);
 
 		fault_index++;
 		if (fault_index >= cap_num_fault_regs(iommu->cap))
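
Review bot: ratelimited is sampled once per dmar_fault() call, so inside this loop a permitted call still prints every fault record it finds while a suppressed call clears all of them unseen; the limit counts interrupts rather than messages. Also, type, fault_reason, source_id and guest_addr are now assigned only under if (!ratelimited). That is correct as written, because dmar_fault_do_one() sits under the same condition, but the pairing is easy to break in a later edit and the variables may need initialisers to keep maybe-uninitialized warnings quiet.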

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 212/305] can: fix oops caused by wrong rtnl dellink usage
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (227 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 215/305] IB/mlx4: Fix the SQ size of an RC QP Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 046/305] cpufreq: Fix GOV_LIMITS handling for the userspace governor Ben Hutchings
                   ` (76 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Oliver Hartkopp, ajneu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit 25e1ed6e64f52a692ba3191c4fde650aab3ecc07 upstream.

For 'real' hardware CAN devices the netlink interface is used to set CAN
specific communication parameters. Real CAN hardware can not be created nor
removed with the ip tool ...

This patch adds a private dellink function for the CAN device driver interface
that does just nothing.

It's a follow up to commit 993e6f2fd ("can: fix oops caused by wrong rtnl
newlink usage") but for dellink.

Reported-by: ajneu <ajneu1@gmail.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/dev.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -881,6 +881,11 @@ static int can_newlink(struct net *src_n
 	return -EOPNOTSUPP;
 }
 
+static void can_dellink(struct net_device *dev, struct list_head *head)
+{
+	return;
+}
+
 static struct rtnl_link_ops can_link_ops __read_mostly = {
 	.kind		= "can",
 	.maxtype	= IFLA_CAN_MAX,
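
Review bot: can_dellink() is a deliberate no-op but carries no comment, and the bare "return;" in a void function is redundant. Unlike can_newlink(), which returns -EOPNOTSUPP, a void callback cannot report that nothing was removed, so the reason given in the commit message (real CAN hardware cannot be created or removed through the ip tool) belongs in a comment above the function.
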
@@ -888,6 +893,7 @@ static struct rtnl_link_ops can_link_ops
 	.setup		= can_setup,
 	.newlink	= can_newlink,
 	.changelink	= can_changelink,
+	.dellink	= can_dellink,
 	.get_size	= can_get_size,
 	.fill_info	= can_fill_info,
 	.get_xstats_size = can_get_xstats_size,

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 100/305] batman-adv: Fix unexpected free of bcast_own on add_if error
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (150 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 136/305] arm64: Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 072/305] rtlwifi: Fix logic error in enter/exit power-save mode Ben Hutchings
                   ` (153 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sven Eckelmann, Marek Lindner, Antonio Quartulli

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit f7dcdf5fdbe8fec7670d8f65a5db595c98e0ecab upstream.

The function batadv_iv_ogm_orig_add_if allocates new buffers for bcast_own
and bcast_own_sum. It is expected that these buffers are unchanged in case
either bcast_own or bcast_own_sum couldn't be resized.

But the error handling of this function frees the already resized buffer
for bcast_own when the allocation of the new bcast_own_sum buffer failed.
This will lead to an invalid memory access when some code will try to
access bcast_own.

Instead the resized new bcast_own buffer has to be kept. This will not lead
to problems because the size of the buffer was only increased and therefore
no user of the buffer will try to access bytes outside of the new buffer.

Fixes: d0015fdd3d2c ("batman-adv: provide orig_node routing API")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/bat_iv_ogm.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -124,10 +124,8 @@ static int batadv_iv_ogm_orig_add_if(str
 	orig_node->bat_iv.bcast_own = data_ptr;
 
 	data_ptr = kmalloc(max_if_num * sizeof(uint8_t), GFP_ATOMIC);
-	if (!data_ptr) {
-		kfree(orig_node->bat_iv.bcast_own);
+	if (!data_ptr)
 		goto unlock;
-	}
 
 	memcpy(data_ptr, orig_node->bat_iv.bcast_own_sum,
 	       (max_if_num - 1) * sizeof(uint8_t));
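
Review bot: after this change the "if (!data_ptr) goto unlock;" path leaves bcast_own already resized while bcast_own_sum keeps its old size, and nothing in the code says that this asymmetry is intended. The explanation from the commit message (the buffer only grew, so no user reads past it) should be a comment at the goto, otherwise the removed kfree() looks like a missing cleanup and is likely to be added back.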

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 125/305] Input: xpad - prevent spurious input from wired Xbox 360 controllers
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (289 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 142/305] KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 025/305] ext4: fix data exposure after a crash Ben Hutchings
                   ` (14 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Cameron Gutman, Pavel Rojtberg, Dmitry Torokhov

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Cameron Gutman <aicommander@gmail.com>

commit 1ff5fa3c6732f08e01ae12f12286d4728c9e4d86 upstream.

After initially connecting a wired Xbox 360 controller or sending it
a command to change LEDs, a status/response packet is interpreted as
controller input. This causes the state of buttons represented in
byte 2 of the controller data packet to be incorrect until the next
valid input packet. Wireless Xbox 360 controllers are not affected.

Writing a new value to the LED device while holding the Start button
and running jstest is sufficient to reproduce this bug. An event will
come through with the Start button released.

Xboxdrv also won't attempt to read controller input from a packet
where byte 0 is non-zero. It also checks that byte 1 is 0x14, but
that value differs between wired and wireless controllers and this
code is shared by both. I think just checking byte 0 is enough to
eliminate unwanted packets.

The following are some examples of 3-byte status packets I saw:
01 03 02
02 03 00
03 03 03
08 03 00

Signed-off-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Pavel Rojtberg <rojtberg@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/joystick/xpad.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -415,6 +415,10 @@ static void xpad360_process_packet(struc
 {
 	struct input_dev *dev = xpad->dev;
 
+	/* valid pad data */
+	if (data[0] != 0x00)
+		return;
+
 	/* digital pad */
 	if (xpad->mapping & MAP_DPAD_TO_BUTTONS) {
 		/* dpad as buttons (left, right, up, down) */
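
Review bot: the comment "/* valid pad data */" sits above a check that returns when the packet is not pad data, so it reads as the opposite of what the code does. Something like "ignore status/response packets, pad data has byte 0 == 0x00" would match the early return. The commit message notes that byte 1 differs between wired and wireless controllers; recording that in the comment would explain why only data[0] is tested.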

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 227/305] Fix reconnect to not defer smb3 session reconnect long after socket reconnect
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 016/305] ipv6, token: allow for clearing the current device token Ben Hutchings
                   ` (304 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, Steve French, Pavel Shilovsky

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <smfrench@gmail.com>

commit 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 upstream.

Azure server blocks clients that open a socket and don't do anything on it.
In our reconnect scenarios, we can reconnect the tcp session and
detect the socket is available but we defer the negprot and SMB3 session
setup and tree connect reconnection until the next i/o is requested, but
this looks suspicious to some servers who expect SMB3 negprot and session
setup soon after a socket is created.

In the echo thread, reconnect SMB3 sessions and tree connections
that are disconnected.  A later patch will replay persistent (and
resilient) handle opens.

Signed-off-by: Steve French <steve.french@primarydata.com>
Acked-by: Pavel Shilovsky <pshilovsky@samba.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/connect.c |  4 +++-
 fs/cifs/smb2pdu.c | 27 +++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -410,7 +410,9 @@ cifs_echo_request(struct work_struct *wo
 	 * server->ops->need_neg() == true. Also, no need to ping if
 	 * we got a response recently.
 	 */
-	if (!server->ops->need_neg || server->ops->need_neg(server) ||
+
+	if (server->tcpStatus == CifsNeedReconnect ||
+	    server->tcpStatus == CifsExiting || server->tcpStatus == CifsNew ||
 	    (server->ops->can_echo && !server->ops->can_echo(server)) ||
 	    time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ))
 		goto requeue_echo;
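
Review bot: the comment block above the condition still says there is no need to ping when server->ops->need_neg() == true, but the rewritten test no longer calls need_neg() and checks tcpStatus for CifsNeedReconnect, CifsExiting and CifsNew instead. Update the comment to describe the new states, and drop the blank line added between the comment and the if it documents.
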
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1590,6 +1590,33 @@ SMB2_echo(struct TCP_Server_Info *server
 
 	cifs_dbg(FYI, "In echo request\n");
 
+	if (server->tcpStatus == CifsNeedNegotiate) {
+		struct list_head *tmp, *tmp2;
+		struct cifs_ses *ses;
+		struct cifs_tcon *tcon;
+
+		cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n");
+		spin_lock(&cifs_tcp_ses_lock);
+		list_for_each(tmp, &server->smb_ses_list) {
+			ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
+			list_for_each(tmp2, &ses->tcon_list) {
+				tcon = list_entry(tmp2, struct cifs_tcon,
+						  tcon_list);
+				/* add check for persistent handle reconnect */
+				if (tcon && tcon->need_reconnect) {
+					spin_unlock(&cifs_tcp_ses_lock);
+					rc = smb2_reconnect(SMB2_ECHO, tcon);
+					spin_lock(&cifs_tcp_ses_lock);
+				}
+			}
+		}
+		spin_unlock(&cifs_tcp_ses_lock);
+	}
+
+	/* if no session, renegotiate failed above */
+	if (server->tcpStatus == CifsNeedNegotiate)
+		return -EIO;
+
 	rc = small_smb2_init(SMB2_ECHO, NULL, (void **)&req);
 	if (rc)
 		return rc;
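
Review bot: the loop drops cifs_tcp_ses_lock around smb2_reconnect() and then continues list_for_each() from tmp and tmp2, with no reference held on ses or tcon while the lock is released. If either entry can be removed from smb_ses_list or tcon_list in that window, the iteration continues from freed memory; please take a reference before unlocking or restart the walk after relocking. Two smaller points: rc from smb2_reconnect() is overwritten on each pass and never checked, and the "tcon &&" test is redundant because list_entry() does not return NULL.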

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 275/305] proc: prevent stacking filesystems on top
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (44 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 007/305] iommu/vt-d: Improve fault handler error messages Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 204/305] tracing: Handle NULL formats in hold_module_trace_bprintk_format() Ben Hutchings
                   ` (259 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jann Horn, Linus Torvalds

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 upstream.

This prevents stacking filesystems (ecryptfs and overlayfs) from using
procfs as lower filesystem.  There is too much magic going on inside
procfs, and there is no good reason to stack stuff on top of procfs.

(For example, procfs does access checks in VFS open handlers, and
ecryptfs by design calls open handlers from a kernel thread that doesn't
drop privileges or so.)

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/proc/root.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -121,6 +121,13 @@ static struct dentry *proc_mount(struct
 	if (IS_ERR(sb))
 		return ERR_CAST(sb);
 
+	/*
+	 * procfs isn't actually a stacking filesystem; however, there is
+	 * too much magic going on inside it to permit stacking things on
+	 * top of it
+	 */
+	sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
+
 	if (!proc_parse_options(options, ns)) {
 		deactivate_locked_super(sb);
 		return ERR_PTR(-EINVAL);
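
Review bot: The new comment in proc_mount() says why stacking is refused but not how the assignment achieves it. `sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;` only has an effect if every stacking filesystem compares the lower superblock's s_stack_depth against that limit when it mounts, so the comment should name that check. For this backport it is also worth confirming that the stacking filesystems present in 3.16 perform the comparison, since the hunk itself does not show it.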

* [PATCH 3.16 147/305] mnt: fs_fully_visible test the proper mount for MNT_LOCKED
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (123 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 214/305] IB/mlx5: Fix post send fence logic Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 175/305] usb: quirks: Add no-lpm quirk for Acer C120 LED Projector Ben Hutchings
                   ` (180 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Eric W. Biederman, Seth Forshee

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <ebiederm@xmission.com>

commit d71ed6c930ac7d8f88f3cef6624a7e826392d61f upstream.

MNT_LOCKED on a child mount implies the child is locked to the
parent.  So while looping through the children the children should be
tested (not their parent).

Typically an unshare of a mount namespace locks all mounts together
making both the parent and the slave as locked but there are a few
corner cases where other things work.

Fixes: ceeb0e5d39fc ("vfs: Ignore unlocked mounts in fs_fully_visible")
Reported-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/namespace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -3072,7 +3072,7 @@ static bool fs_fully_visible(struct file
 		list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
 			struct inode *inode = child->mnt_mountpoint->d_inode;
 			/* Only worry about locked mounts */
-			if (!(mnt->mnt.mnt_flags & MNT_LOCKED))
+			if (!(child->mnt.mnt_flags & MNT_LOCKED))
 				continue;
 			/* Is the directory permanetly empty? */
 			if (!is_empty_dir_inode(inode))
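
Review bot: The comment `/* Only worry about locked mounts */` above the changed test does not say whose flag is read, which is exactly the mistake this one-line change corrects. Suggest wording it as a property of the child, for example "Only worry about children locked to this mount", so the test on child->mnt.mnt_flags is not changed back to mnt later. The context line below also has the typo "permanetly".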

* [PATCH 3.16 210/305] UBIFS: Implement ->migratepage()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (117 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 158/305] net/mlx5: Fix the size of modify QP mailbox Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 083/305] mmc: mmc: Fix partition switch timeout for some eMMCs Ben Hutchings
                   ` (186 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Kirill A. Shutemov, Richard Weinberger, Christoph Hellwig

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>

commit 4ac1c17b2044a1b4b2fbed74451947e905fc2992 upstream.

During page migrations UBIFS might get confused
and the following assert triggers:
[  213.480000] UBIFS assert failed in ubifs_set_page_dirty at 1451 (pid 436)
[  213.490000] CPU: 0 PID: 436 Comm: drm-stress-test Not tainted 4.4.4-00176-geaa802524636-dirty #1008
[  213.490000] Hardware name: Allwinner sun4i/sun5i Families
[  213.490000] [<c0015e70>] (unwind_backtrace) from [<c0012cdc>] (show_stack+0x10/0x14)
[  213.490000] [<c0012cdc>] (show_stack) from [<c02ad834>] (dump_stack+0x8c/0xa0)
[  213.490000] [<c02ad834>] (dump_stack) from [<c0236ee8>] (ubifs_set_page_dirty+0x44/0x50)
[  213.490000] [<c0236ee8>] (ubifs_set_page_dirty) from [<c00fa0bc>] (try_to_unmap_one+0x10c/0x3a8)
[  213.490000] [<c00fa0bc>] (try_to_unmap_one) from [<c00fadb4>] (rmap_walk+0xb4/0x290)
[  213.490000] [<c00fadb4>] (rmap_walk) from [<c00fb1bc>] (try_to_unmap+0x64/0x80)
[  213.490000] [<c00fb1bc>] (try_to_unmap) from [<c010dc28>] (migrate_pages+0x328/0x7a0)
[  213.490000] [<c010dc28>] (migrate_pages) from [<c00d0cb0>] (alloc_contig_range+0x168/0x2f4)
[  213.490000] [<c00d0cb0>] (alloc_contig_range) from [<c010ec00>] (cma_alloc+0x170/0x2c0)
[  213.490000] [<c010ec00>] (cma_alloc) from [<c001a958>] (__alloc_from_contiguous+0x38/0xd8)
[  213.490000] [<c001a958>] (__alloc_from_contiguous) from [<c001ad44>] (__dma_alloc+0x23c/0x274)
[  213.490000] [<c001ad44>] (__dma_alloc) from [<c001ae08>] (arm_dma_alloc+0x54/0x5c)
[  213.490000] [<c001ae08>] (arm_dma_alloc) from [<c035cecc>] (drm_gem_cma_create+0xb8/0xf0)
[  213.490000] [<c035cecc>] (drm_gem_cma_create) from [<c035cf20>] (drm_gem_cma_create_with_handle+0x1c/0xe8)
[  213.490000] [<c035cf20>] (drm_gem_cma_create_with_handle) from [<c035d088>] (drm_gem_cma_dumb_create+0x3c/0x48)
[  213.490000] [<c035d088>] (drm_gem_cma_dumb_create) from [<c0341ed8>] (drm_ioctl+0x12c/0x444)
[  213.490000] [<c0341ed8>] (drm_ioctl) from [<c0121adc>] (do_vfs_ioctl+0x3f4/0x614)
[  213.490000] [<c0121adc>] (do_vfs_ioctl) from [<c0121d30>] (SyS_ioctl+0x34/0x5c)
[  213.490000] [<c0121d30>] (SyS_ioctl) from [<c000f2c0>] (ret_fast_syscall+0x0/0x34)

UBIFS is using PagePrivate() which can have different meanings across
filesystems. Therefore the generic page migration code cannot handle this
case correctly.
We have to implement our own migration function which basically does a
plain copy but also duplicates the page private flag.
UBIFS is not a block device filesystem and cannot use buffer_migrate_page().

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
[rw: Massaged changelog, build fixes, etc...]
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ubifs/file.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

--- a/fs/ubifs/file.c
+++ b/fs/ubifs/file.c
@@ -54,6 +54,7 @@
 #include <linux/mount.h>
 #include <linux/namei.h>
 #include <linux/slab.h>
+#include <linux/migrate.h>
 
 static int read_block(struct inode *inode, void *addr, unsigned int block,
 		      struct ubifs_data_node *dn)
@@ -1419,6 +1420,26 @@ static int ubifs_set_page_dirty(struct p
 	return ret;
 }
 
+#ifdef CONFIG_MIGRATION
+static int ubifs_migrate_page(struct address_space *mapping,
+		struct page *newpage, struct page *page, enum migrate_mode mode)
+{
+	int rc;
+
+	rc = migrate_page_move_mapping(mapping, newpage, page, NULL, mode, 0);
+	if (rc != MIGRATEPAGE_SUCCESS)
+		return rc;
+
+	if (PagePrivate(page)) {
+		ClearPagePrivate(page);
+		SetPagePrivate(newpage);
+	}
+
+	migrate_page_copy(newpage, page);
+	return MIGRATEPAGE_SUCCESS;
+}
+#endif
+
 static int ubifs_releasepage(struct page *page, gfp_t unused_gfp_flags)
 {
 	/*
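
Review bot: ubifs_migrate_page() has no comment explaining why the generic migration path is not used or why PagePrivate is moved by hand; that reasoning lives only in the changelog. A short comment above the `if (PagePrivate(page))` block should state that UBIFS uses PagePrivate as a bare flag, so only the flag and no page_private data is transferred, and should say whether the flag has to be moved before migrate_page_copy() or the order is incidental.
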
@@ -1556,6 +1577,9 @@ const struct address_space_operations ub
 	.write_end      = ubifs_write_end,
 	.invalidatepage = ubifs_invalidatepage,
 	.set_page_dirty = ubifs_set_page_dirty,
+#ifdef CONFIG_MIGRATION
+	.migratepage	= ubifs_migrate_page,
+#endif
 	.releasepage    = ubifs_releasepage,
 };
 

* [PATCH 3.16 296/305] netfilter: x_tables: validate all offsets and sizes in a rule
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (68 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 192/305] netem: fix a use after free Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 138/305] ACPI / processor: Avoid reserving IO regions too early Ben Hutchings
                   ` (235 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Florian Westphal

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 13631bfc604161a9d69cd68991dff8603edd66f9 upstream.

Validate that all matches (if any) add up to the beginning of
the target and that each match covers at least the base structure size.

The compat path should be able to safely re-use the function
as the structures only differ in alignment; added a
BUILD_BUG_ON just in case we have an arch that adds padding as well.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/x_tables.c | 81 +++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 76 insertions(+), 5 deletions(-)

--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -435,6 +435,47 @@ int xt_check_match(struct xt_mtchk_param
 }
 EXPORT_SYMBOL_GPL(xt_check_match);
 
+/** xt_check_entry_match - check that matches end before start of target
+ *
+ * @match: beginning of xt_entry_match
+ * @target: beginning of this rules target (alleged end of matches)
+ * @alignment: alignment requirement of match structures
+ *
+ * Validates that all matches add up to the beginning of the target,
+ * and that each match covers at least the base structure size.
+ *
+ * Return: 0 on success, negative errno on failure.
+ */
+static int xt_check_entry_match(const char *match, const char *target,
+				const size_t alignment)
+{
+	const struct xt_entry_match *pos;
+	int length = target - match;
+
+	if (length == 0) /* no matches */
+		return 0;
+
+	pos = (struct xt_entry_match *)match;
+	do {
+		if ((unsigned long)pos % alignment)
+			return -EINVAL;
+
+		if (length < (int)sizeof(struct xt_entry_match))
+			return -EINVAL;
+
+		if (pos->u.match_size < sizeof(struct xt_entry_match))
+			return -EINVAL;
+
+		if (pos->u.match_size > length)
+			return -EINVAL;
+
+		length -= pos->u.match_size;
+		pos = ((void *)((char *)(pos) + (pos)->u.match_size));
+	} while (length > 0);
+
+	return 0;
+}
+
 #ifdef CONFIG_COMPAT
 int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
 {
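
Review bot: In xt_check_entry_match() the alignment test `(unsigned long)pos % alignment` runs only at the top of each iteration, so the position reached after the last match, which is the target itself, is never tested, and when length is 0 nothing is tested at all. If the callers already guarantee that target_offset is aligned, the kernel-doc should say so; otherwise add the same test on target before returning 0. Smaller points: `int length = target - match;` narrows a pointer difference to int (a negative value is rejected by the `length < (int)sizeof(...)` test, which is worth a comment), and the kernel-doc opener should have `/**` on a line of its own.
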
@@ -590,7 +631,14 @@ int xt_compat_check_entry_offsets(const
 	    target_offset + sizeof(struct compat_xt_standard_target) != next_offset)
 		return -EINVAL;
 
-	return 0;
+	/* compat_xt_entry match has less strict aligment requirements,
+	 * otherwise they are identical.  In case of padding differences
+	 * we need to add compat version of xt_check_entry_match.
+	 */
+	BUILD_BUG_ON(sizeof(struct compat_xt_entry_match) != sizeof(struct xt_entry_match));
+
+	return xt_check_entry_match(elems, base + target_offset,
+				    __alignof__(struct compat_xt_entry_match));
 }
 EXPORT_SYMBOL(xt_compat_check_entry_offsets);
 #endif /* CONFIG_COMPAT */
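
Review bot: The BUILD_BUG_ON in xt_compat_check_entry_offsets() compares only the two structure sizes, while xt_check_entry_match() reads u.match_size through struct xt_entry_match. Equal sizes do not by themselves show that match_size sits at the same offset in struct compat_xt_entry_match, so consider a second BUILD_BUG_ON on offsetof() for that member. The new comment also has "aligment" for "alignment".
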
@@ -603,17 +651,39 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs
  * @target_offset: the arp/ip/ip6_t->target_offset
  * @next_offset: the arp/ip/ip6_t->next_offset
  *
- * validates that target_offset and next_offset are sane.
- * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
+ * validates that target_offset and next_offset are sane and that all
+ * match sizes (if any) align with the target offset.
  *
  * This function does not validate the targets or matches themselves, it
- * only tests that all the offsets and sizes are correct.
+ * only tests that all the offsets and sizes are correct, that all
+ * match structures are aligned, and that the last structure ends where
+ * the target structure begins.
+ *
+ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
  *
  * The arp/ip/ip6t_entry structure @base must have passed following tests:
  * - it must point to a valid memory location
  * - base to base + next_offset must be accessible, i.e. not exceed allocated
  *   length.
  *
+ * A well-formed entry looks like this:
+ *
+ * ip(6)t_entry   match [mtdata]  match [mtdata] target [tgdata] ip(6)t_entry
+ * e->elems[]-----'                              |               |
+ *                matchsize                      |               |
+ *                                matchsize      |               |
+ *                                               |               |
+ * target_offset---------------------------------'               |
+ * next_offset---------------------------------------------------'
+ *
+ * elems[]: flexible array member at end of ip(6)/arpt_entry struct.
+ *          This is where matches (if any) and the target reside.
+ * target_offset: beginning of target.
+ * next_offset: start of the next rule; also: size of this rule.
+ * Since targets have a minimum size, target_offset + minlen <= next_offset.
+ *
+ * Every match stores its size, sum of sizes must not exceed target_offset.
+ *
  * Return: 0 on success, negative errno on failure.
  */
 int xt_check_entry_offsets(const void *base,
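
Review bot: The sentence "Every match stores its size, sum of sizes must not exceed target_offset" in the new kernel-doc is looser than what the code enforces. xt_check_entry_match() starts at elems and succeeds only when the match sizes add up exactly to the start of the target, and target_offset is measured from base rather than from elems. Suggest saying that the sizes of all matches must add up to exactly target_offset minus the offset of elems[].
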
@@ -643,7 +713,8 @@ int xt_check_entry_offsets(const void *b
 	    target_offset + sizeof(struct xt_standard_target) != next_offset)
 		return -EINVAL;
 
-	return 0;
+	return xt_check_entry_match(elems, base + target_offset,
+				    __alignof__(struct xt_entry_match));
 }
 EXPORT_SYMBOL(xt_check_entry_offsets);
 

* [PATCH 3.16 052/305] MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (76 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 202/305] can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 159/305] net/mlx5: Fix masking of reserved bits in XRCD number Ben Hutchings
                   ` (227 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, pgynther, Ralf Baechle, Florian Fainelli, john, cernekee,
	dragan.stancevic, jogo, linux-mips, jaedon.shin, jfraser

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit cbbda6e7c9c3e4532bd70a73ff9d5e6655c894dc upstream.

BMIPS5000 have a PrID value of 0x5A00 and BMIPS5200 have a PrID value of
0x5B00, which, masked with 0x5A00, returns 0x5A00. Update all conditionals on
the PrID to cover both variants since we are going to need this to enable
BMIPS5200 SMP. The existing check, masking with 0xFF00 would not cover
BMIPS5200 at all.

Fixes: 68e6a78373a6d ("MIPS: BMIPS: Add PRId for BMIPS5200 (Whirlwind)")
Fixes: 6465460c92a85 ("MIPS: BMIPS: change compile time checks to runtime checks")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: john@phrozen.org
Cc: cernekee@gmail.com
Cc: jogo@openwrt.org
Cc: jaedon.shin@gmail.com
Cc: jfraser@broadcom.com
Cc: pgynther@google.com
Cc: dragan.stancevic@gmail.com
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/12279/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/bmips_vec.S | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/mips/kernel/bmips_vec.S
+++ b/arch/mips/kernel/bmips_vec.S
@@ -93,7 +93,8 @@ NESTED(bmips_reset_nmi_vec, PT_SIZE, sp)
 #if defined(CONFIG_CPU_BMIPS5000)
 	mfc0	k0, CP0_PRID
 	li	k1, PRID_IMP_BMIPS5000
-	andi	k0, 0xff00
+	/* mask with PRID_IMP_BMIPS5000 to cover both variants */
+	andi	k0, PRID_IMP_BMIPS5000
 	bne	k0, k1, 1f
 
 	/* if we're not on core 0, this must be the SMP boot signal */
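
Review bot: `andi k0, PRID_IMP_BMIPS5000` uses the implementation value as its own mask, so the following bne accepts every PrID that has all of the 0x5A00 bits set, not only the 0x5A00 and 0x5B00 values named in the changelog. The comment "cover both variants" should state that the match is deliberately that broad, or the code should compare against the two implementation values explicitly.
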
@@ -166,10 +167,12 @@ bmips_smp_entry:
 2:
 #endif /* CONFIG_CPU_BMIPS4350 || CONFIG_CPU_BMIPS4380 */
 #if defined(CONFIG_CPU_BMIPS5000)
-	/* set exception vector base */
+	/* mask with PRID_IMP_BMIPS5000 to cover both variants */
 	li	k1, PRID_IMP_BMIPS5000
+	andi	k0, PRID_IMP_BMIPS5000
 	bne	k0, k1, 3f
 
+	/* set exception vector base */
 	la	k0, ebase
 	lw	k0, 0(k0)
 	mtc0	k0, $15, 1
@@ -264,6 +267,8 @@ LEAF(bmips_enable_xks01)
 #endif /* CONFIG_CPU_BMIPS4380 */
 #if defined(CONFIG_CPU_BMIPS5000)
 	li	t1, PRID_IMP_BMIPS5000
+	/* mask with PRID_IMP_BMIPS5000 to cover both variants */
+	andi	t2, PRID_IMP_BMIPS5000
 	bne	t2, t1, 2f
 
 	mfc0	t0, $22, 5

* [PATCH 3.16 085/305] net/mlx4_core: Fix access to uninitialized index
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (205 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 264/305] block: fix use-after-free in sys_ioprio_get() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 260/305] x86/amd_nb: Fix boot crash on non-AMD systems Ben Hutchings
                   ` (98 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Dan Carpenter, Tariq Toukan

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tariq Toukan <tariqt@mellanox.com>

commit 2bb07e155bb3e0c722c806723f737cf8020961ef upstream.

Prevent using uninitialized or negative index when handling
steering entries.

Fixes: b12d93d63c32 ('mlx4: Add support for promiscuous mode in the new steering model.')
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/mcg.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c
+++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c
@@ -953,7 +953,7 @@ int mlx4_qp_attach_common(struct mlx4_de
 	struct mlx4_cmd_mailbox *mailbox;
 	struct mlx4_mgm *mgm;
 	u32 members_count;
-	int index, prev;
+	int index = -1, prev;
 	int link = 0;
 	int i;
 	int err;
@@ -1032,7 +1032,7 @@ int mlx4_qp_attach_common(struct mlx4_de
 		goto out;
 
 out:
-	if (prot == MLX4_PROT_ETH) {
+	if (prot == MLX4_PROT_ETH && index != -1) {
 		/* manage the steering entry for promisc mode */
 		if (new_entry)
 			new_steering_entry(dev, port, steer, index, qp->qpn);
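
Review bot: The guard `index != -1` at the out: label excludes only the initial sentinel, while the changelog says the aim is to prevent an uninitialized or negative index. If any path can leave another negative value in index, `index >= 0` would cover both cases; if -1 is the only possible negative, a comment at `int index = -1, prev;` saying it means "no entry found yet" would document the sentinel. prev is still declared without an initial value on that same line.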

* [PATCH 3.16 060/305] USB: serial: quatech2: fix use-after-free in probe error path
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (37 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 279/305] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 284/305] s390/sclp_ctl: fix potential information leak with /dev/sclp Ben Hutchings
                   ` (266 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Johan Hovold

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 028c49f5e02a257c94129cd815f7c8485f51d4ef upstream.

The interface read URB is submitted in attach, but was only unlinked by
the driver at disconnect.

In case of a late probe error (e.g. due to failed minor allocation),
disconnect is never called and we would end up with active URBs for an
unbound interface. This in turn could lead to deallocated memory being
dereferenced in the completion callback.

Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/quatech2.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -141,6 +141,7 @@ static void qt2_release(struct usb_seria
 
 	serial_priv = usb_get_serial_data(serial);
 
+	usb_kill_urb(serial_priv->read_urb);
 	usb_free_urb(serial_priv->read_urb);
 	kfree(serial_priv->read_buffer);
 	kfree(serial_priv);
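
Review bot: The added usb_kill_urb() in qt2_release() has no comment, and the reason for it (release can run after a late probe failure, when disconnect was never called and the read URB submitted in attach is still active) is only in the changelog. A one-line comment above the call would stop it from being removed later as a duplicate of the unlink done at disconnect. Killing the URB before usb_free_urb() and before kfree(serial_priv->read_buffer) is the right order.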

* [PATCH 3.16 298/305] netfilter: arp_tables: simplify translate_compat_table args
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (279 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 121/305] ALSA: hda - Fix headset mic detection problem for one Dell machine Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 201/305] hwmon: (dell-smm) Restrict fan control and serial number to CAP_SYS_ADMIN by default Ben Hutchings
                   ` (24 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Florian Westphal

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 8dddd32756f6fe8e4e82a63361119b7e2384e02f upstream.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.6: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/netfilter/arp_tables.c | 82 ++++++++++++++++++-----------------------
 1 file changed, 36 insertions(+), 46 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1205,6 +1205,18 @@ static int do_add_counters(struct net *n
 }
 
 #ifdef CONFIG_COMPAT
+struct compat_arpt_replace {
+	char				name[XT_TABLE_MAXNAMELEN];
+	u32				valid_hooks;
+	u32				num_entries;
+	u32				size;
+	u32				hook_entry[NF_ARP_NUMHOOKS];
+	u32				underflow[NF_ARP_NUMHOOKS];
+	u32				num_counters;
+	compat_uptr_t			counters;
+	struct compat_arpt_entry	entries[0];
+};
+
 static inline void compat_release_entry(struct compat_arpt_entry *e)
 {
 	struct xt_entry_target *t;
@@ -1220,8 +1232,7 @@ check_compat_entry_size_and_hooks(struct
 				  const unsigned char *base,
 				  const unsigned char *limit,
 				  const unsigned int *hook_entries,
-				  const unsigned int *underflows,
-				  const char *name)
+				  const unsigned int *underflows)
 {
 	struct xt_entry_target *t;
 	struct xt_target *target;
@@ -1292,7 +1303,7 @@ out:
 
 static int
 compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
-			    unsigned int *size, const char *name,
+			    unsigned int *size,
 			    struct xt_table_info *newinfo, unsigned char *base)
 {
 	struct xt_entry_target *t;
@@ -1325,14 +1336,9 @@ compat_copy_entry_from_user(struct compa
 	return ret;
 }
 
-static int translate_compat_table(const char *name,
-				  unsigned int valid_hooks,
-				  struct xt_table_info **pinfo,
+static int translate_compat_table(struct xt_table_info **pinfo,
 				  void **pentry0,
-				  unsigned int total_size,
-				  unsigned int number,
-				  unsigned int *hook_entries,
-				  unsigned int *underflows)
+				  const struct compat_arpt_replace *compatr)
 {
 	unsigned int i, j;
 	struct xt_table_info *newinfo, *info;
@@ -1344,8 +1350,8 @@ static int translate_compat_table(const
 
 	info = *pinfo;
 	entry0 = *pentry0;
-	size = total_size;
-	info->number = number;
+	size = compatr->size;
+	info->number = compatr->num_entries;
 
 	/* Init all hooks to impossible value. */
 	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
@@ -1356,40 +1362,39 @@ static int translate_compat_table(const
 	duprintf("translate_compat_table: size %u\n", info->size);
 	j = 0;
 	xt_compat_lock(NFPROTO_ARP);
-	xt_compat_init_offsets(NFPROTO_ARP, number);
+	xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries);
 	/* Walk through entries, checking offsets. */
-	xt_entry_foreach(iter0, entry0, total_size) {
+	xt_entry_foreach(iter0, entry0, compatr->size) {
 		ret = check_compat_entry_size_and_hooks(iter0, info, &size,
 							entry0,
-							entry0 + total_size,
-							hook_entries,
-							underflows,
-							name);
+							entry0 + compatr->size,
+							compatr->hook_entry,
+							compatr->underflow);
 		if (ret != 0)
 			goto out_unlock;
 		++j;
 	}
 
 	ret = -EINVAL;
-	if (j != number) {
+	if (j != compatr->num_entries) {
 		duprintf("translate_compat_table: %u not %u entries\n",
-			 j, number);
+			 j, compatr->num_entries);
 		goto out_unlock;
 	}
 
 	/* Check hooks all assigned */
 	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
 		/* Only hooks which are valid */
-		if (!(valid_hooks & (1 << i)))
+		if (!(compatr->valid_hooks & (1 << i)))
 			continue;
 		if (info->hook_entry[i] == 0xFFFFFFFF) {
 			duprintf("Invalid hook entry %u %u\n",
-				 i, hook_entries[i]);
+				 i, info->hook_entry[i]);
 			goto out_unlock;
 		}
 		if (info->underflow[i] == 0xFFFFFFFF) {
 			duprintf("Invalid underflow %u %u\n",
-				 i, underflows[i]);
+				 i, info->underflow[i]);
 			goto out_unlock;
 		}
 	}
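
Review bot: In the "Check hooks all assigned" loop the two duprintf() calls now print info->hook_entry[i] and info->underflow[i], but they sit inside branches taken only when that value equals 0xFFFFFFFF, so the message always prints the sentinel instead of the offset supplied by userspace. The removed lines printed hook_entries[i] and underflows[i]; the equivalent after this refactor is compatr->hook_entry[i] and compatr->underflow[i].
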
@@ -1399,17 +1404,17 @@ static int translate_compat_table(const
 	if (!newinfo)
 		goto out_unlock;
 
-	newinfo->number = number;
+	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
 		newinfo->hook_entry[i] = info->hook_entry[i];
 		newinfo->underflow[i] = info->underflow[i];
 	}
 	entry1 = newinfo->entries[raw_smp_processor_id()];
 	pos = entry1;
-	size = total_size;
-	xt_entry_foreach(iter0, entry0, total_size) {
+	size = compatr->size;
+	xt_entry_foreach(iter0, entry0, compatr->size) {
 		ret = compat_copy_entry_from_user(iter0, &pos, &size,
-						  name, newinfo, entry1);
+						  newinfo, entry1);
 		if (ret != 0)
 			break;
 	}
@@ -1419,12 +1424,12 @@ static int translate_compat_table(const
 		goto free_newinfo;
 
 	ret = -ELOOP;
-	if (!mark_source_chains(newinfo, valid_hooks, entry1))
+	if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
 		goto free_newinfo;
 
 	i = 0;
 	xt_entry_foreach(iter1, entry1, newinfo->size) {
-		ret = check_target(iter1, name);
+		ret = check_target(iter1, compatr->name);
 		if (ret != 0)
 			break;
 		++i;
@@ -1469,7 +1474,7 @@ static int translate_compat_table(const
 free_newinfo:
 	xt_free_table_info(newinfo);
 out:
-	xt_entry_foreach(iter0, entry0, total_size) {
+	xt_entry_foreach(iter0, entry0, compatr->size) {
 		if (j-- == 0)
 			break;
 		compat_release_entry(iter0);
@@ -1481,18 +1486,6 @@ out_unlock:
 	goto out;
 }
 
-struct compat_arpt_replace {
-	char				name[XT_TABLE_MAXNAMELEN];
-	u32				valid_hooks;
-	u32				num_entries;
-	u32				size;
-	u32				hook_entry[NF_ARP_NUMHOOKS];
-	u32				underflow[NF_ARP_NUMHOOKS];
-	u32				num_counters;
-	compat_uptr_t			counters;
-	struct compat_arpt_entry	entries[0];
-};
-
 static int compat_do_replace(struct net *net, void __user *user,
 			     unsigned int len)
 {
@@ -1523,10 +1516,7 @@ static int compat_do_replace(struct net
 		goto free_newinfo;
 	}
 
-	ret = translate_compat_table(tmp.name, tmp.valid_hooks,
-				     &newinfo, &loc_cpu_entry, tmp.size,
-				     tmp.num_entries, tmp.hook_entry,
-				     tmp.underflow);
+	ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp);
 	if (ret != 0)
 		goto free_newinfo;
 

* [PATCH 3.16 131/305] powerpc/pseries/eeh: Handle RTAS delay requests in configure_bridge
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (106 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 010/305] Bluetooth: vhci: fix open_timeout vs. hdev race Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 140/305] ARM: fix PTRACE_SETVFPREGS on SMP systems Ben Hutchings
                   ` (197 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Ellerman, Gavin Shan, Russell Currey

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Russell Currey <ruscur@russell.cc>

commit 871e178e0f2c4fa788f694721a10b4758d494ce1 upstream.

In the "ibm,configure-pe" and "ibm,configure-bridge" RTAS calls, the
spec states that values of 9900-9905 can be returned, indicating that
software should delay for 10^x (where x is the last digit, i.e. 990x)
milliseconds and attempt the call again. Currently, the kernel doesn't
know about this, and respecting it fixes some PCI failures when the
hypervisor is busy.

The delay is capped at 0.2 seconds.

Signed-off-by: Russell Currey <ruscur@russell.cc>
Acked-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/platforms/pseries/eeh_pseries.c | 51 ++++++++++++++++++++--------
 1 file changed, 36 insertions(+), 15 deletions(-)

--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
+++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
@@ -655,29 +655,50 @@ static int pseries_eeh_configure_bridge(
 {
 	int config_addr;
 	int ret;
+	/* Waiting 0.2s maximum before skipping configuration */
+	int max_wait = 200;
 
 	/* Figure out the PE address */
 	config_addr = pe->config_addr;
 	if (pe->addr)
 		config_addr = pe->addr;
 
-	/* Use new configure-pe function, if supported */
-	if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) {
-		ret = rtas_call(ibm_configure_pe, 3, 1, NULL,
-				config_addr, BUID_HI(pe->phb->buid),
-				BUID_LO(pe->phb->buid));
-	} else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) {
-		ret = rtas_call(ibm_configure_bridge, 3, 1, NULL,
-				config_addr, BUID_HI(pe->phb->buid),
-				BUID_LO(pe->phb->buid));
-	} else {
-		return -EFAULT;
-	}
+	while (max_wait > 0) {
+		/* Use new configure-pe function, if supported */
+		if (ibm_configure_pe != RTAS_UNKNOWN_SERVICE) {
+			ret = rtas_call(ibm_configure_pe, 3, 1, NULL,
+					config_addr, BUID_HI(pe->phb->buid),
+					BUID_LO(pe->phb->buid));
+		} else if (ibm_configure_bridge != RTAS_UNKNOWN_SERVICE) {
+			ret = rtas_call(ibm_configure_bridge, 3, 1, NULL,
+					config_addr, BUID_HI(pe->phb->buid),
+					BUID_LO(pe->phb->buid));
+		} else {
+			return -EFAULT;
+		}
+
+		if (!ret)
+			return ret;
+
+		/*
+		 * If RTAS returns a delay value that's above 100ms, cut it
+		 * down to 100ms in case firmware made a mistake.  For more
+		 * on how these delay values work see rtas_busy_delay_time
+		 */
+		if (ret > RTAS_EXTENDED_DELAY_MIN+2 &&
+		    ret <= RTAS_EXTENDED_DELAY_MAX)
+			ret = RTAS_EXTENDED_DELAY_MIN+2;
 
-	if (ret)
-		pr_warning("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n",
-			__func__, pe->phb->global_number, pe->addr, ret);
+		max_wait -= rtas_busy_delay_time(ret);
+
+		if (max_wait < 0)
+			break;
+
+		rtas_busy_delay(ret);
+	}
 
+	pr_warn("%s: Unable to configure bridge PHB#%d-PE#%x (%d)\n",
+		__func__, pe->phb->global_number, pe->addr, ret);
 	return ret;
 }
 
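Review bot: In the new `while (max_wait > 0)` loop a negative `ret` (a hard RTAS error rather than a busy or delay status) is never treated as terminal: the only exits are `if (!ret) return ret;` and `max_wait < 0`. If `rtas_busy_delay_time(ret)` yields 0 for such a value, `max_wait` never decreases and the RTAS call is retried without bound. Suggest leaving the loop explicitly, e.g. `if (ret < 0) break;` right after the success check. Separately, the clamp overwrites `ret` with `RTAS_EXTENDED_DELAY_MIN+2`, so the final `pr_warn` can print the clamped value instead of what firmware returned; keeping the original status in a second variable would make the log accurate.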

* [PATCH 3.16 188/305] kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while processing sysrq-w
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Gleixner, Andrey Ryabinin, Peter Zijlstra,
	Linus Torvalds, Ingo Molnar

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrey Ryabinin <aryabinin@virtuozzo.com>

commit 57675cb976eff977aefb428e68e4e0236d48a9ff upstream.

Lengthy output of sysrq-w may take a lot of time on slow serial console.

Currently we reset NMI-watchdog on the current CPU to avoid spurious
lockup messages. Sometimes this doesn't work since softlockup watchdog
might trigger on another CPU which is waiting for an IPI to proceed.
We reset softlockup watchdogs on all CPUs, but we do this only after
listing all tasks, and this may be too late on a busy system.

So, reset watchdogs on all CPUs earlier, in the for_each_process_thread() loop.

Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1465474805-14641-1-git-send-email-aryabinin@virtuozzo.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/sched/core.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4548,14 +4548,16 @@ void show_state_filter(unsigned long sta
 		/*
 		 * reset the NMI-timeout, listing all files on a slow
 		 * console might take a lot of time:
+		 * Also, reset softlockup watchdogs on all CPUs, because
+		 * another CPU might be blocked waiting for us to process
+		 * an IPI.
 		 */
 		touch_nmi_watchdog();
+		touch_all_softlockup_watchdogs();
 		if (!state_filter || (p->state & state_filter))
 			sched_show_task(p);
 	} while_each_thread(g, p);
 
-	touch_all_softlockup_watchdogs();
-
 #ifdef CONFIG_SCHED_DEBUG
 	sysrq_sched_debug_show();
 #endif
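
Review bot: `touch_all_softlockup_watchdogs()` now runs once per thread inside the do/while, including for threads that the `state_filter` test skips without printing anything. If the per-iteration cost matters on machines with many CPUs and tasks, the call could sit inside the `if` next to `sched_show_task(p)`, since only printing is slow; otherwise the comment should say why every iteration needs it.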

* [PATCH 3.16 209/305] mm: Export migrate_page_move_mapping and migrate_page_copy
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Richard Weinberger, Christoph Hellwig

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 1118dce773d84f39ebd51a9fe7261f9169cb056e upstream.

Export these symbols such that UBIFS can implement
->migratepage.

Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/migrate.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -443,6 +443,7 @@ int migrate_page_move_mapping(struct add
 
 	return MIGRATEPAGE_SUCCESS;
 }
+EXPORT_SYMBOL(migrate_page_move_mapping);
 
 /*
  * The expected number of remaining references is the same as that
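
Review bot: `EXPORT_SYMBOL(migrate_page_move_mapping);` makes a core page-migration helper available to every module, not only GPL ones. The user named in the commit message is UBIFS, which is in-tree, so `EXPORT_SYMBOL_GPL` would be enough and keeps the exposed surface smaller; the same question applies to the `migrate_page_copy` export in the next hunk.
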
@@ -591,6 +592,7 @@ void migrate_page_copy(struct page *newp
 	if (PageWriteback(newpage))
 		end_page_writeback(newpage);
 }
+EXPORT_SYMBOL(migrate_page_copy);
 
 /************************************************************
  *                    Migration functions
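
Review bot: With `migrate_page_copy()` exported, filesystem modules become callers, but nothing at the export site says what state `page` and `newpage` must be in when it is called (the visible tail ends writeback on `newpage`, for instance). A short kerneldoc comment above the function listing the caller's obligations should go in together with the export.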

* [PATCH 3.16 170/305] usb: gadget: avoid exposing kernel stack
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Heinrich Schuchardt, Felipe Balbi

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Heinrich Schuchardt <xypron.glpk@gmx.de>

commit ffeee83aa0461992e8a99a59db2df31933e60362 upstream.

Function in_rq_cur copies random bytes from the stack.
Zero the memory instead.

Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/gadget/f_uac2.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/gadget/f_uac2.c
+++ b/drivers/usb/gadget/f_uac2.c
@@ -1153,6 +1153,7 @@ in_rq_cur(struct usb_function *fn, const
 
 	if (control_selector == UAC2_CS_CONTROL_SAM_FREQ) {
 		struct cntrl_cur_lay3 c;
+		memset(&c, 0, sizeof(struct cntrl_cur_lay3));
 
 		if (entity_id == USB_IN_CLK_ID)
 			c.dCUR = p_srate;
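
Review bot: The `memset` is written with `sizeof(struct cntrl_cur_lay3)` rather than `sizeof(c)`, so it silently stops matching if the type of `c` is ever changed; `memset(&c, 0, sizeof(c));` is the safer spelling. It also sits directly under the declaration with the blank line after it, where kernel style wants the blank line between declarations and statements. The visible code only assigns `c.dCUR`, so the zeroing is what keeps the remaining bytes of the struct from carrying stale stack contents into the response; a one-line comment saying that would protect it from a later cleanup.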

* [PATCH 3.16 023/305] PM / Runtime: Fix error path in pm_runtime_force_resume()
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Walleij, Ulf Hansson, Rafael J. Wysocki

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ulf Hansson <ulf.hansson@linaro.org>

commit 0ae3aeefabbeef26294e7a349b51f1c761d46c9f upstream.

As pm_runtime_set_active() may fail because the device's parent isn't
active, we can end up executing the ->runtime_resume() callback for the
device when it isn't allowed.

Fix this by invoking pm_runtime_set_active() before running the callback
and let's also deal with the error code.

Fixes: 37f204164dfb (PM: Add pm_runtime_suspend|resume_force functions)
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/power/runtime.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1474,11 +1474,16 @@ int pm_runtime_force_resume(struct devic
 		goto out;
 	}
 
-	ret = callback(dev);
+	ret = pm_runtime_set_active(dev);
 	if (ret)
 		goto out;
 
-	pm_runtime_set_active(dev);
+	ret = callback(dev);
+	if (ret) {
+		pm_runtime_set_suspended(dev);
+		goto out;
+	}
+
 	pm_runtime_mark_last_busy(dev);
 out:
 	pm_runtime_enable(dev);
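
Review bot: The order of `pm_runtime_set_active(dev)` and `callback(dev)` is now load-bearing, and the `pm_runtime_set_suspended(dev)` rollback only makes sense given that order, but nothing in the code says why. A short comment above the `pm_runtime_set_active()` call (it can fail when the parent is not active, so it has to be checked before the resume callback runs) would keep a later cleanup from swapping them back. Note also that both failure paths reach `out:` and call `pm_runtime_enable(dev)`, so runtime PM ends up enabled on a device whose forced resume failed; worth confirming that callers expect that.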

* [PATCH 3.16 092/305] fs/cifs: correctly to anonymous authentication via NTLMSSP
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Stefan Metzmacher, Steve French

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Metzmacher <metze@samba.org>

commit cfda35d98298131bf38fbad3ce4cd5ecb3cf18db upstream.

See [MS-NLMP] 3.2.5.1.2 Server Receives an AUTHENTICATE_MESSAGE from the Client:

   ...
   Set NullSession to FALSE
   If (AUTHENTICATE_MESSAGE.UserNameLen == 0 AND
      AUTHENTICATE_MESSAGE.NtChallengeResponse.Length == 0 AND
      (AUTHENTICATE_MESSAGE.LmChallengeResponse == Z(1)
       OR
       AUTHENTICATE_MESSAGE.LmChallengeResponse.Length == 0))
       -- Special case: client requested anonymous authentication
       Set NullSession to TRUE
   ...

Only servers which map unknown users to guest will allow
access using a non-null NTChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/sess.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -399,19 +399,27 @@ int build_ntlmssp_auth_blob(unsigned cha
 	sec_blob->LmChallengeResponse.MaximumLength = 0;
 
 	sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
-	rc = setup_ntlmv2_rsp(ses, nls_cp);
-	if (rc) {
-		cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
-		goto setup_ntlmv2_ret;
-	}
-	memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
-			ses->auth_key.len - CIFS_SESS_KEY_SIZE);
-	tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
+	if (ses->user_name != NULL) {
+		rc = setup_ntlmv2_rsp(ses, nls_cp);
+		if (rc) {
+			cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
+			goto setup_ntlmv2_ret;
+		}
+		memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
+				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+		tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
 
-	sec_blob->NtChallengeResponse.Length =
-			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
-	sec_blob->NtChallengeResponse.MaximumLength =
-			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+		sec_blob->NtChallengeResponse.Length =
+				cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+		sec_blob->NtChallengeResponse.MaximumLength =
+				cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+	} else {
+		/*
+		 * don't send an NT Response for anonymous access
+		 */
+		sec_blob->NtChallengeResponse.Length = 0;
+		sec_blob->NtChallengeResponse.MaximumLength = 0;
+	}
 
 	if (ses->domainName == NULL) {
 		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
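
Review bot: The anonymous case is keyed on `ses->user_name != NULL`, whereas the [MS-NLMP] rule quoted in the commit message tests `UserNameLen == 0`. A non-NULL but empty `user_name` would still take the `setup_ntlmv2_rsp()` branch and send a non-empty NtChallengeResponse, so a server following that rule would not set NullSession. Either test for an empty string here as well or confirm that an empty user name is never stored as a non-NULL pointer. Minor: the re-indented `cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);` line now runs past 80 columns.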

* [PATCH 3.16 139/305] drm/nouveau/fbcon: fix out-of-bounds memory accesses
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ben Skeggs

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Skeggs <bskeggs@redhat.com>

commit f045f459d925138fe7d6193a8c86406bda7e49da upstream.

Reported by KASAN.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 +
 drivers/gpu/drm/nouveau/nv04_fbcon.c    | 7 ++-----
 drivers/gpu/drm/nouveau/nv50_fbcon.c    | 6 ++----
 drivers/gpu/drm/nouveau/nvc0_fbcon.c    | 6 ++----
 4 files changed, 7 insertions(+), 13 deletions(-)

--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
@@ -562,6 +562,7 @@ nouveau_fbcon_init(struct drm_device *de
 	drm_helper_disable_unused_functions(dev);
 
 	drm_fb_helper_initial_config(&fbcon->helper, preferred_bpp);
+	fbcon->helper.fbdev->pixmap.buf_align = 4;
 	return 0;
 }
 
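Review bot: `fbcon->helper.fbdev->pixmap.buf_align = 4;` is a bare magic number with no comment, and the commit message ("Reported by KASAN.") does not say which access was out of bounds. Since the imageblit paths in this patch read `image->data` through a `uint32_t *`, please say in a comment that the 4 is the dword granularity those readers depend on. The assignment also dereferences `fbdev` right after `drm_fb_helper_initial_config()` without looking at that call's return value; if it can fail before `fbdev` is set up, this line needs a guard.
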
--- a/drivers/gpu/drm/nouveau/nv04_fbcon.c
+++ b/drivers/gpu/drm/nouveau/nv04_fbcon.c
@@ -84,7 +84,6 @@ nv04_fbcon_imageblit(struct fb_info *inf
 	uint32_t fg;
 	uint32_t bg;
 	uint32_t dsize;
-	uint32_t width;
 	uint32_t *data = (uint32_t *)image->data;
 	int ret;
 
@@ -95,9 +94,6 @@ nv04_fbcon_imageblit(struct fb_info *inf
 	if (ret)
 		return ret;
 
-	width = ALIGN(image->width, 8);
-	dsize = ALIGN(width * image->height, 32) >> 5;
-
 	if (info->fix.visual == FB_VISUAL_TRUECOLOR ||
 	    info->fix.visual == FB_VISUAL_DIRECTCOLOR) {
 		fg = ((uint32_t *) info->pseudo_palette)[image->fg_color];
@@ -113,10 +109,11 @@ nv04_fbcon_imageblit(struct fb_info *inf
 			 ((image->dx + image->width) & 0xffff));
 	OUT_RING(chan, bg);
 	OUT_RING(chan, fg);
-	OUT_RING(chan, (image->height << 16) | width);
+	OUT_RING(chan, (image->height << 16) | image->width);
 	OUT_RING(chan, (image->height << 16) | image->width);
 	OUT_RING(chan, (image->dy << 16) | (image->dx & 0xffff));
 
+	dsize = ALIGN(image->width * image->height, 32) >> 5;
 	while (dsize) {
 		int iter_len = dsize > 128 ? 128 : dsize;
 
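Review bot: After this change the two consecutive `OUT_RING(chan, (image->height << 16) | image->width);` lines are identical, where before the first one carried the 8-aligned width. If both method arguments are really meant to hold the same value now, a comment naming the two fields would stop this from reading like a copy/paste slip.
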
--- a/drivers/gpu/drm/nouveau/nv50_fbcon.c
+++ b/drivers/gpu/drm/nouveau/nv50_fbcon.c
@@ -95,7 +95,7 @@ nv50_fbcon_imageblit(struct fb_info *inf
 	struct nouveau_fbdev *nfbdev = info->par;
 	struct nouveau_drm *drm = nouveau_drm(nfbdev->dev);
 	struct nouveau_channel *chan = drm->channel;
-	uint32_t width, dwords, *data = (uint32_t *)image->data;
+	uint32_t dwords, *data = (uint32_t *)image->data;
 	uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel));
 	uint32_t *palette = info->pseudo_palette;
 	int ret;
@@ -107,9 +107,6 @@ nv50_fbcon_imageblit(struct fb_info *inf
 	if (ret)
 		return ret;
 
-	width = ALIGN(image->width, 32);
-	dwords = (width * image->height) >> 5;
-
 	BEGIN_NV04(chan, NvSub2D, 0x0814, 2);
 	if (info->fix.visual == FB_VISUAL_TRUECOLOR ||
 	    info->fix.visual == FB_VISUAL_DIRECTCOLOR) {
@@ -128,6 +125,7 @@ nv50_fbcon_imageblit(struct fb_info *inf
 	OUT_RING(chan, 0);
 	OUT_RING(chan, image->dy);
 
+	dwords = ALIGN(image->width * image->height, 32) >> 5;
 	while (dwords) {
 		int push = dwords > 2047 ? 2047 : dwords;
 
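Review bot: `dwords = ALIGN(image->width * image->height, 32) >> 5;` rounds the total bit count up to a whole dword, and the loop then reads `data` as `uint32_t`, so the final read can cover up to three bytes beyond the last bitmap byte. That presumably relies on the `pixmap.buf_align = 4` added in `nouveau_fbcon_init()`; please state the dependency in a comment at this line, since the two live in different files.
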
--- a/drivers/gpu/drm/nouveau/nvc0_fbcon.c
+++ b/drivers/gpu/drm/nouveau/nvc0_fbcon.c
@@ -95,7 +95,7 @@ nvc0_fbcon_imageblit(struct fb_info *inf
 	struct nouveau_fbdev *nfbdev = info->par;
 	struct nouveau_drm *drm = nouveau_drm(nfbdev->dev);
 	struct nouveau_channel *chan = drm->channel;
-	uint32_t width, dwords, *data = (uint32_t *)image->data;
+	uint32_t dwords, *data = (uint32_t *)image->data;
 	uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel));
 	uint32_t *palette = info->pseudo_palette;
 	int ret;
@@ -107,9 +107,6 @@ nvc0_fbcon_imageblit(struct fb_info *inf
 	if (ret)
 		return ret;
 
-	width = ALIGN(image->width, 32);
-	dwords = (width * image->height) >> 5;
-
 	BEGIN_NVC0(chan, NvSub2D, 0x0814, 2);
 	if (info->fix.visual == FB_VISUAL_TRUECOLOR ||
 	    info->fix.visual == FB_VISUAL_DIRECTCOLOR) {
@@ -128,6 +125,7 @@ nvc0_fbcon_imageblit(struct fb_info *inf
 	OUT_RING  (chan, 0);
 	OUT_RING  (chan, image->dy);
 
+	dwords = ALIGN(image->width * image->height, 32) >> 5;
 	while (dwords) {
 		int push = dwords > 2047 ? 2047 : dwords;
 
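Review bot: This is the third copy of the same `ALIGN(image->width * image->height, 32) >> 5` computation in the patch (nv04, nv50, nvc0). A small shared helper would keep the three imageblit paths from drifting apart again, which matters given that the fix is to this very size calculation.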

* [PATCH 3.16 105/305] crypto: public_key: select CRYPTO_AKCIPHER
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Arnd Bergmann

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit bad6a185b4d6f81d0ed2b6e4c16307969f160b95 upstream.

In some rare randconfig builds, we can end up with
ASYMMETRIC_PUBLIC_KEY_SUBTYPE enabled but CRYPTO_AKCIPHER disabled,
which fails to link because of the reference to crypto_alloc_akcipher:

crypto/built-in.o: In function `public_key_verify_signature':
:(.text+0x110e4): undefined reference to `crypto_alloc_akcipher'

This adds a Kconfig 'select' statement to ensure the dependency
is always there.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 crypto/asymmetric_keys/Kconfig | 1 +
 1 file changed, 1 insertion(+)

--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -14,6 +14,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
 	select MPILIB
 	select PUBLIC_KEY_ALGO_RSA
 	select CRYPTO_HASH_INFO
+	select CRYPTO_AKCIPHER
 	help
 	  This option provides support for asymmetric public key type handling.
 	  If signature generation and/or verification are to be used,
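
Review bot: Before this goes into 3.16, check that `CRYPTO_AKCIPHER` is actually defined in this tree and that `public_key_verify_signature` here references `crypto_alloc_akcipher`, as in the link error quoted in the commit message. The surrounding context still has `select MPILIB` and `select PUBLIC_KEY_ALGO_RSA`, which suggests the older RSA code path; if the akcipher symbol does not exist in this branch, the new `select` fixes nothing and the patch can be dropped from the queue.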

* [PATCH 3.16 288/305] netfilter: x_tables: don't move to non-existent next rule
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ben Hawkes, Florian Westphal, Pablo Neira Ayuso

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit f24e230d257af1ad7476c6e81a8dc3127a74204e upstream.

Ben Hawkes says:

 In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
 is possible for a user-supplied ipt_entry structure to have a large
 next_offset field. This field is not bounds checked prior to writing a
 counter value at the supplied offset.

Base chains enforce absolute verdict.

User defined chains are supposed to end with an unconditional return,
xtables userspace adds them automatically.

But if such return is missing we will move to non-existent next rule.

Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/netfilter/arp_tables.c | 8 +++++---
 net/ipv4/netfilter/ip_tables.c  | 4 ++++
 net/ipv6/netfilter/ip6_tables.c | 4 ++++
 3 files changed, 13 insertions(+), 3 deletions(-)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -435,6 +435,8 @@ static int mark_source_chains(const stru
 				size = e->next_offset;
 				e = (struct arpt_entry *)
 					(entry0 + pos + size);
+				if (pos + size >= newinfo->size)
+					return 0;
 				e->counters.pcnt = pos;
 				pos += size;
 			} else {
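
Review bot: The new test `if (pos + size >= newinfo->size)` only proves that the first byte of the next entry lies inside the blob, but the very next statement writes `e->counters.pcnt`, a field some way into the entry. Unless an earlier pass already guarantees that every `next_offset` lands on an entry boundary, an offset within the last few bytes of the table passes the check and the store still goes past the end. Testing `pos + size + sizeof(struct arpt_entry) > newinfo->size` instead (and the same for the `newpos` check in the following hunk) would close that gap, or a comment should name the earlier validation this relies on.
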
@@ -457,6 +459,8 @@ static int mark_source_chains(const stru
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
+					if (newpos >= newinfo->size)
+						return 0;
 				}
 				e = (struct arpt_entry *)
 					(entry0 + newpos);
@@ -680,10 +684,8 @@ static int translate_table(struct xt_tab
 		}
 	}
 
-	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) {
-		duprintf("Looping hook\n");
+	if (!mark_source_chains(newinfo, repl->valid_hooks, entry0))
 		return -ELOOP;
-	}
 
 	/* Finally, each sanity check must pass */
 	i = 0;
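
Review bot: `mark_source_chains()` now returns 0 for an out-of-range `next_offset` as well as for a real loop, but this caller still maps every 0 to `-ELOOP`, and the `duprintf("Looping hook\n")` that at least hinted at the cause is removed. User space loading a malformed table will see ELOOP; `-EINVAL` for the bounds case, or a distinct return code from `mark_source_chains()`, would be more accurate. The removal of the debug print is also not mentioned in the commit message.
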
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -516,6 +516,8 @@ mark_source_chains(const struct xt_table
 				size = e->next_offset;
 				e = (struct ipt_entry *)
 					(entry0 + pos + size);
+				if (pos + size >= newinfo->size)
+					return 0;
 				e->counters.pcnt = pos;
 				pos += size;
 			} else {
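
Review bot: In this hunk the pointer `e = (struct ipt_entry *)(entry0 + pos + size);` is formed from the user-supplied offset before `if (pos + size >= newinfo->size)` runs. Nothing dereferences it in between, so it is not a bug, but doing the check first and computing `e` afterwards reads more clearly and avoids forming an out-of-range pointer at all.
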
@@ -537,6 +539,8 @@ mark_source_chains(const struct xt_table
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
+					if (newpos >= newinfo->size)
+						return 0;
 				}
 				e = (struct ipt_entry *)
 					(entry0 + newpos);
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -526,6 +526,8 @@ mark_source_chains(const struct xt_table
 				size = e->next_offset;
 				e = (struct ip6t_entry *)
 					(entry0 + pos + size);
+				if (pos + size >= newinfo->size)
+					return 0;
 				e->counters.pcnt = pos;
 				pos += size;
 			} else {
@@ -547,6 +549,8 @@ mark_source_chains(const struct xt_table
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
+					if (newpos >= newinfo->size)
+						return 0;
 				}
 				e = (struct ip6t_entry *)
 					(entry0 + newpos);
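
Review bot: The same pair of bounds checks is now open-coded in arp_tables.c, ip_tables.c and ip6_tables.c. A common helper that takes `pos`, the offset and `newinfo->size` would keep the three copies from diverging when the check is tightened later.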

* [PATCH 3.16 293/305] netfilter: x_tables: add compat version of xt_check_entry_offsets
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Florian Westphal

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit fc1221b3a163d1386d1052184202d5dc50d302d1 upstream.

32bit rulesets have different layout and alignment requirements, so once
more integrity checks get added to xt_check_entry_offsets it will reject
well-formed 32bit rulesets.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/netfilter/x_tables.h |  3 +++
 net/ipv4/netfilter/arp_tables.c    |  3 ++-
 net/ipv4/netfilter/ip_tables.c     |  3 ++-
 net/ipv6/netfilter/ip6_tables.c    |  3 ++-
 net/netfilter/x_tables.c           | 22 ++++++++++++++++++++++
 5 files changed, 31 insertions(+), 3 deletions(-)

--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -435,6 +435,9 @@ void xt_compat_target_from_user(struct x
 				unsigned int *size);
 int xt_compat_target_to_user(const struct xt_entry_target *t,
 			     void __user **dstptr, unsigned int *size);
+int xt_compat_check_entry_offsets(const void *base,
+				  unsigned int target_offset,
+				  unsigned int next_offset);
 
 #endif /* CONFIG_COMPAT */
 #endif /* _X_TABLES_H */
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1245,7 +1245,8 @@ check_compat_entry_size_and_hooks(struct
 	if (!arp_checkentry(&e->arp))
 		return -EINVAL;
 
-	ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
+	ret = xt_compat_check_entry_offsets(e, e->target_offset,
+					    e->next_offset);
 	if (ret)
 		return ret;
 
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1510,7 +1510,8 @@ check_compat_entry_size_and_hooks(struct
 	if (!ip_checkentry(&e->ip))
 		return -EINVAL;
 
-	ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
+	ret = xt_compat_check_entry_offsets(e,
+					    e->target_offset, e->next_offset);
 	if (ret)
 		return ret;
 
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1522,7 +1522,8 @@ check_compat_entry_size_and_hooks(struct
 	if (!ip6_checkentry(&e->ipv6))
 		return -EINVAL;
 
-	ret = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
+	ret = xt_compat_check_entry_offsets(e,
+					    e->target_offset, e->next_offset);
 	if (ret)
 		return ret;
 
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -558,6 +558,27 @@ int xt_compat_match_to_user(const struct
 	return 0;
 }
 EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
+
+int xt_compat_check_entry_offsets(const void *base,
+				  unsigned int target_offset,
+				  unsigned int next_offset)
+{
+	const struct compat_xt_entry_target *t;
+	const char *e = base;
+
+	if (target_offset + sizeof(*t) > next_offset)
+		return -EINVAL;
+
+	t = (void *)(e + target_offset);
+	if (t->u.target_size < sizeof(*t))
+		return -EINVAL;
+
+	if (target_offset + t->u.target_size > next_offset)
+		return -EINVAL;
+
+	return 0;
+}
+EXPORT_SYMBOL(xt_compat_check_entry_offsets);
 #endif /* CONFIG_COMPAT */
 
 /**
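
Review bot: `xt_compat_check_entry_offsets` is exported with plain `EXPORT_SYMBOL` while its immediate neighbour uses `EXPORT_SYMBOL_GPL(xt_compat_match_to_user);`; please match the surrounding convention unless there is a reason not to. The function also reads `t->u.target_size` at `base + target_offset` after checking only against `next_offset`, so it depends on the caller having verified that `next_offset` bytes at `base` are inside the blob, and it places no lower bound on `target_offset`. A kerneldoc block like the one on `xt_check_entry_offsets`, stating those preconditions, would be good to have.
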
@@ -568,6 +589,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_use
  * @next_offset: the arp/ip/ip6_t->next_offset
  *
  * validates that target_offset and next_offset are sane.
+ * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
  *
  * The arp/ip/ip6t_entry structure @base must have passed following tests:
  * - it must point to a valid memory location

* [PATCH 3.16 011/305] Bluetooth: vhci: purge unhandled skbs
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marcel Holtmann, Jiri Slaby

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 13407376b255325fa817798800117a839f3aa055 upstream.

The write handler allocates skbs and queues them into data->readq.
Read side should read them, if there is any. If there is none, skbs
should be dropped by hdev->flush. But this happens only if the device
is HCI_UP, i.e. hdev->power_on work was triggered already. When it was
not, skbs stay allocated in the queue when /dev/vhci is closed. So
purge the queue in ->release.

Program to reproduce:
	#include <err.h>
	#include <fcntl.h>
	#include <stdio.h>
	#include <unistd.h>

	#include <sys/stat.h>
	#include <sys/types.h>
	#include <sys/uio.h>

	int main()
	{
		char buf[] = { 0xff, 0 };
		struct iovec iov = {
			.iov_base = buf,
			.iov_len = sizeof(buf),
		};
		int fd;

		while (1) {
			fd = open("/dev/vhci", O_RDWR);
			if (fd < 0)
				err(1, "open");

			usleep(50);

			if (writev(fd, &iov, 1) < 0)
				err(1, "writev");

			usleep(50);

			close(fd);
		}

		return 0;
	}

Result:
kmemleak: 4609 new suspected memory leaks
unreferenced object 0xffff88059f4d5440 (size 232):
  comm "vhci", pid 1084, jiffies 4294912542 (age 37569.296s)
  hex dump (first 32 bytes):
    20 f0 23 87 05 88 ff ff 20 f0 23 87 05 88 ff ff   .#..... .#.....
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
...
    [<ffffffff81ece010>] __alloc_skb+0x0/0x5a0
    [<ffffffffa021886c>] vhci_create_device+0x5c/0x580 [hci_vhci]
    [<ffffffffa0219436>] vhci_write+0x306/0x4c8 [hci_vhci]

Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/bluetooth/hci_vhci.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -342,6 +342,7 @@ static int vhci_release(struct inode *in
 		hci_free_dev(hdev);
 	}
 
+	skb_queue_purge(&data->readq);
 	file->private_data = NULL;
 	kfree(data);
 

* [PATCH 3.16 016/305] ipv6, token: allow for clearing the current device token
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Hannes Frederic Sowa, Robin H. Johnson,
	Daniel Borkmann

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>

commit 47e27d5e92c46a3a62d4dfd8895b1ddb8613f531 upstream.

The original tokenized iid support implemented via f53adae4eae5 ("net: ipv6:
add tokenized interface identifier support") didn't allow for clearing a
device token as it was intended that this addressing mode was the only one
active for globally scoped IPv6 addresses. Later we relaxed that restriction
via 617fe29d45bd ("net: ipv6: only invalidate previously tokenized addresses"),
and we should also allow for clearing tokens as there's no good reason why
it shouldn't be allowed.

Fixes: 617fe29d45bd ("net: ipv6: only invalidate previously tokenized addresses")
Reported-by: Robin H. Johnson <robbat2@gentoo.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/addrconf.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4453,15 +4453,13 @@ static int inet6_set_iftoken(struct inet
 {
 	struct inet6_ifaddr *ifp;
 	struct net_device *dev = idev->dev;
-	bool update_rs = false;
+	bool clear_token, update_rs = false;
 	struct in6_addr ll_addr;
 
 	ASSERT_RTNL();
 
 	if (token == NULL)
 		return -EINVAL;
-	if (ipv6_addr_any(token))
-		return -EINVAL;
 	if (dev->flags & (IFF_LOOPBACK | IFF_NOARP))
 		return -EINVAL;
 	if (!ipv6_accept_ra(idev))
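
Review bot: dropping the ipv6_addr_any(token) rejection here turns the
all-zero token from an error into a valid request, but nothing in the
function says so. A short comment above the remaining checks stating
that in6addr_any now means "clear the token" would keep the next reader
from restoring the -EINVAL.
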
@@ -4476,10 +4474,13 @@ static int inet6_set_iftoken(struct inet
 
 	write_unlock_bh(&idev->lock);
 
+	clear_token = ipv6_addr_any(token);
+	if (clear_token)
+		goto update_lft;
+
 	if (!idev->dead && (idev->if_flags & IF_READY) &&
 	    !ipv6_get_lladdr(dev, &ll_addr, IFA_F_TENTATIVE |
 			     IFA_F_OPTIMISTIC)) {
-
 		/* If we're not ready, then normal ifup will take care
 		 * of this. Otherwise, we need to request our rs here.
 		 */
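
Review bot: clear_token is assigned and then tested on the very next
line, and the diffstat leaves no other user of it in this patch, so the
local adds nothing. Testing directly with
"if (ipv6_addr_any(token)) goto update_lft;" reads the same and avoids
the extra bool in the declaration list.
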
@@ -4487,6 +4488,7 @@ static int inet6_set_iftoken(struct inet
 		update_rs = true;
 	}
 
+update_lft:
 	write_lock_bh(&idev->lock);
 
 	if (update_rs) {


* [PATCH 3.16 244/305] net: bgmac: Remove superflous netif_carrier_on()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (287 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 124/305] dma-debug: avoid spinlock recursion when disabling dma-debug Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 142/305] KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS Ben Hutchings
                   ` (16 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Florian Fainelli

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 3894396e64994f31c3ef5c7e6f63dded0593e567 upstream.

bgmac_open() calls phy_start() to initialize the PHY state machine,
which will set the interface's carrier state accordingly, no need to
force that as this could be conflicting with the PHY state determined by
PHYLIB.

Fixes: dd4544f05469 ("bgmac: driver for GBit MAC core on BCMA bus")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/bgmac.c | 2 --
 1 file changed, 2 deletions(-)

--- a/drivers/net/ethernet/broadcom/bgmac.c
+++ b/drivers/net/ethernet/broadcom/bgmac.c
@@ -1198,8 +1198,6 @@ static int bgmac_open(struct net_device
 
 	phy_start(bgmac->phy_dev);
 
-	netif_carrier_on(net_dev);
-
 	netif_start_queue(net_dev);
 
 err_out:
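
Review bot: with netif_carrier_on() gone, the carrier state after
bgmac_open() is whatever PHYLIB reports following phy_start(), and the
code no longer hints at that. A one-line comment after phy_start()
saying that carrier is left to PHYLIB would stop the call from being
added back.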


* [PATCH 3.16 150/305] IB/mlx5: Fix returned values of query QP
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (298 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 091/305] drm/fb_helper: Fix references to dev->mode_config.num_connector Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 236/305] KVM: arm/arm64: Stop leaking vcpu pid references Ben Hutchings
                   ` (5 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Sagi Grimberg, Leon Romanovsky, Noa Osherovich, Doug Ledford

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Noa Osherovich <noaos@mellanox.com>

commit 0540d8148d419bf769e5aa99c77027febd8922f0 upstream.

Some variables were not initialized properly: max_recv_wr,
max_recv_sge, max_send_wr, qp_context and max_inline_data.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB...')
Signed-off-by: Noa Osherovich <noaos@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx5/qp.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -169,6 +169,8 @@ static int set_rq_size(struct mlx5_ib_de
 		qp->rq.max_gs = 0;
 		qp->rq.wqe_cnt = 0;
 		qp->rq.wqe_shift = 0;
+		cap->max_recv_wr = 0;
+		cap->max_recv_sge = 0;
 	} else {
 		if (ucmd) {
 			qp->rq.wqe_cnt = ucmd->rq_wqe_count;
@@ -2979,17 +2981,19 @@ int mlx5_ib_query_qp(struct ib_qp *ibqp,
 	qp_attr->cap.max_recv_sge    = qp->rq.max_gs;
 
 	if (!ibqp->uobject) {
-		qp_attr->cap.max_send_wr  = qp->sq.wqe_cnt;
+		qp_attr->cap.max_send_wr  = qp->sq.max_post;
 		qp_attr->cap.max_send_sge = qp->sq.max_gs;
+		qp_init_attr->qp_context = ibqp->qp_context;
 	} else {
 		qp_attr->cap.max_send_wr  = 0;
 		qp_attr->cap.max_send_sge = 0;
 	}
 
-	/* We don't support inline sends for kernel QPs (yet), and we
-	 * don't know what userspace's value should be.
-	 */
-	qp_attr->cap.max_inline_data = 0;
+	qp_init_attr->qp_type = ibqp->qp_type;
+	qp_init_attr->recv_cq = ibqp->recv_cq;
+	qp_init_attr->send_cq = ibqp->send_cq;
+	qp_init_attr->srq = ibqp->srq;
+	qp_attr->cap.max_inline_data = qp->max_inline_data;
 
 	qp_init_attr->cap	     = qp_attr->cap;
 
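Review bot: qp_init_attr->qp_context is assigned only inside the
"if (!ibqp->uobject)" branch, so for a QP that has a uobject it is still
whatever the caller passed in, although the commit message lists
qp_context among the fields that were not initialized. Either set it in
both branches or say why the userspace case is left alone. The same hunk
also switches max_send_wr from qp->sq.wqe_cnt to qp->sq.max_post and
drops the comment about inline sends, and the changelog mentions
neither; a line for each in the commit message would help.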


* [PATCH 3.16 159/305] net/mlx5: Fix masking of reserved bits in XRCD number
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (77 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 052/305] MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200 Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 132/305] powerpc: Fix definition of SIAR and SDAR registers Ben Hutchings
                   ` (226 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Saeed Mahameed, Majd Dibbiny

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Majd Dibbiny <majd@mellanox.com>

commit 9cd3411c42c5d5ba55d6e745edfe7df53c1ffa41 upstream.

Mask the reserved bits when reading the number of newly
created XRCD.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Majd Dibbiny <majd@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/qp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/qp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/qp.c
@@ -274,7 +274,7 @@ int mlx5_core_xrcd_alloc(struct mlx5_cor
 	if (out.hdr.status)
 		err = mlx5_cmd_status_to_err(&out.hdr);
 	else
-		*xrcdn = be32_to_cpu(out.xrcdn);
+		*xrcdn = be32_to_cpu(out.xrcdn) & 0xffffff;
 
 	return err;
 }
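
Review bot: the bare 0xffffff on the
"*xrcdn = be32_to_cpu(out.xrcdn) & 0xffffff;" line hides that the low
24 bits carry the XRCD number and the rest is reserved. A named mask, or
at least a comment on that line, would make the intent searchable and
keep any other reader of out.xrcdn consistent.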


* [PATCH 3.16 035/305] ext4: clean up error handling when orphan list is corrupted
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (23 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 257/305] qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 013/305] ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence Ben Hutchings
                   ` (280 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit 7827a7f6ebfcb7f388dc47fddd48567a314701ba upstream.

Instead of just printing warning messages, if the orphan list is
corrupted, declare the file system is corrupted.  If there are any
reserved inodes in the orphaned inode list, declare the file system
corrupted and stop right away to avoid doing more potential damage to
the file system.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: leave error code as EIO]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/ialloc.c | 49 ++++++++++++++++++++++---------------------------
 1 file changed, 22 insertions(+), 27 deletions(-)

--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -1090,22 +1090,19 @@ struct inode *ext4_orphan_get(struct sup
 	unsigned long max_ino = le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count);
 	ext4_group_t block_group;
 	int bit;
-	struct buffer_head *bitmap_bh;
+	struct buffer_head *bitmap_bh = NULL;
 	struct inode *inode = NULL;
-	long err = -EIO;
+	int err = -EIO;
 
-	/* Error cases - e2fsck has already cleaned up for us */
-	if (ino > max_ino) {
-		ext4_warning(sb, "bad orphan ino %lu!  e2fsck was run?", ino);
-		goto error;
-	}
+	if (ino < EXT4_FIRST_INO(sb) || ino > max_ino)
+		goto bad_orphan;
 
 	block_group = (ino - 1) / EXT4_INODES_PER_GROUP(sb);
 	bit = (ino - 1) % EXT4_INODES_PER_GROUP(sb);
 	bitmap_bh = ext4_read_inode_bitmap(sb, block_group);
 	if (!bitmap_bh) {
-		ext4_warning(sb, "inode bitmap error for orphan %lu", ino);
-		goto error;
+		ext4_error(sb, "inode bitmap error for orphan %lu", ino);
+		return (struct inode *) bitmap_bh;
 	}
 
 	/* Having the inode bit set should be a 100% indicator that this
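
Review bot: inside "if (!bitmap_bh)" the new
"return (struct inode *) bitmap_bh;" returns NULL, not an error pointer,
because that branch is only taken when bitmap_bh is NULL. The other
failure exits visible in this patch return ERR_PTR(err) or the error
pointer from ext4_iget(), so a caller that tests the result with
IS_ERR() would take the NULL for success. err is still -EIO at this
point, so "return ERR_PTR(err);" keeps the contract.
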
@@ -1116,8 +1113,12 @@ struct inode *ext4_orphan_get(struct sup
 		goto bad_orphan;
 
 	inode = ext4_iget(sb, ino);
-	if (IS_ERR(inode))
-		goto iget_failed;
+	if (IS_ERR(inode)) {
+		err = PTR_ERR(inode);
+		ext4_error(sb, "couldn't read orphan inode %lu (err %d)",
+			   ino, err);
+		return inode;
+	}
 
 	/*
 	 * If the orphans has i_nlinks > 0 then it should be able to
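
Review bot: the new IS_ERR(inode) branch returns directly and never
releases bitmap_bh, which was read successfully a few lines earlier; the
old iget_failed label fell through to the brelse(bitmap_bh) at the end
of bad_orphan. Add brelse(bitmap_bh) before "return inode;".
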
@@ -1134,29 +1135,25 @@ struct inode *ext4_orphan_get(struct sup
 	brelse(bitmap_bh);
 	return inode;
 
-iget_failed:
-	err = PTR_ERR(inode);
-	inode = NULL;
 bad_orphan:
-	ext4_warning(sb, "bad orphan inode %lu!  e2fsck was run?", ino);
-	printk(KERN_WARNING "ext4_test_bit(bit=%d, block=%llu) = %d\n",
-	       bit, (unsigned long long)bitmap_bh->b_blocknr,
-	       ext4_test_bit(bit, bitmap_bh->b_data));
-	printk(KERN_WARNING "inode=%p\n", inode);
+	ext4_error(sb, "bad orphan inode %lu", ino);
+	if (bitmap_bh)
+		printk(KERN_ERR "ext4_test_bit(bit=%d, block=%llu) = %d\n",
+		       bit, (unsigned long long)bitmap_bh->b_blocknr,
+		       ext4_test_bit(bit, bitmap_bh->b_data));
 	if (inode) {
-		printk(KERN_WARNING "is_bad_inode(inode)=%d\n",
+		printk(KERN_ERR "is_bad_inode(inode)=%d\n",
 		       is_bad_inode(inode));
-		printk(KERN_WARNING "NEXT_ORPHAN(inode)=%u\n",
+		printk(KERN_ERR "NEXT_ORPHAN(inode)=%u\n",
 		       NEXT_ORPHAN(inode));
-		printk(KERN_WARNING "max_ino=%lu\n", max_ino);
-		printk(KERN_WARNING "i_nlink=%u\n", inode->i_nlink);
+		printk(KERN_ERR "max_ino=%lu\n", max_ino);
+		printk(KERN_ERR "i_nlink=%u\n", inode->i_nlink);
 		/* Avoid freeing blocks if we got a bad deleted inode */
 		if (inode->i_nlink == 0)
 			inode->i_blocks = 0;
 		iput(inode);
 	}
 	brelse(bitmap_bh);
-error:
 	return ERR_PTR(err);
 }
 


* [PATCH 3.16 237/305] make nfs_atomic_open() call d_drop() on all ->open_context() errors.
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (262 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 076/305] MIPS: math-emu: Fix jalr emulation when rd == $0 Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 251/305] batman-adv: Fix memory leak on tt add with invalid vlan Ben Hutchings
                   ` (41 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Oleg Drokin, Trond Myklebust, Anna Schumaker, Al Viro, Al Viro

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@ZenIV.linux.org.uk>

commit d20cb71dbf3487f24549ede1a8e2d67579b4632e upstream.

In "NFSv4: Move dentry instantiation into the NFSv4-specific atomic open code"
unconditional d_drop() after the ->open_context() had been removed.  It had
been correct for success cases (there ->open_context() itself had been doing
dcache manipulations), but not for error ones.  Only one of those (ENOENT)
got a compensatory d_drop() added in that commit, but in fact it should've
been done for all errors.  As it is, the case of O_CREAT non-exclusive open
on a hashed negative dentry racing with e.g. symlink creation from another
client ended up with ->open_context() getting an error and proceeding to
call nfs_lookup().  On a hashed dentry, which would've instantly triggered
BUG_ON() in d_materialise_unique() (or, these days, its equivalent in
d_splice_alias()).

Tested-by: Oleg Drokin <green@linuxhacker.ru>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/dir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1492,9 +1492,9 @@ int nfs_atomic_open(struct inode *dir, s
 		err = PTR_ERR(inode);
 		trace_nfs_atomic_open_exit(dir, ctx, open_flags, err);
 		put_nfs_open_context(ctx);
+		d_drop(dentry);
 		switch (err) {
 		case -ENOENT:
-			d_drop(dentry);
 			d_add(dentry, NULL);
 			break;
 		case -EISDIR:
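
Review bot: hoisting d_drop(dentry) above the switch makes it apply to
every error, which is the point of the fix, but the code gives no reason
for it. A comment on the d_drop() line saying that the dentry must be
unhashed before any error path goes on to nfs_lookup() would keep it
from being folded back into the -ENOENT case.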


* [PATCH 3.16 117/305] UBI: do propagate positive error codes up
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (178 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 110/305] tuntap: correctly wake up process during uninit Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 134/305] mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL Ben Hutchings
                   ` (125 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Artem Bityutskiy

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>

commit 0e707ae79ba357d60b8a36025ec8968e5020d827 upstream.

UBI uses positive function return codes internally, and should not propagate
them up, except in the place this path fixes. Here is the original bug report
from Dan Carpenter:

The problem is really in ubi_eba_read_leb().

drivers/mtd/ubi/eba.c
   412                  err = ubi_io_read_vid_hdr(ubi, pnum, vid_hdr, 1);
   413                  if (err && err != UBI_IO_BITFLIPS) {
   414                          if (err > 0) {
   415                                  /*
   416                                   * The header is either absent or corrupted.
   417                                   * The former case means there is a bug -
   418                                   * switch to read-only mode just in case.
   419                                   * The latter case means a real corruption - we
   420                                   * may try to recover data. FIXME: but this is
   421                                   * not implemented.
   422                                   */
   423                                  if (err == UBI_IO_BAD_HDR_EBADMSG ||
   424                                      err == UBI_IO_BAD_HDR) {
   425                                          ubi_warn("corrupted VID header at PEB %d, LEB %d:%d",
   426                                                   pnum, vol_id, lnum);
   427                                          err = -EBADMSG;
   428                                  } else
   429                                          ubi_ro_mode(ubi);

On this path we return UBI_IO_FF and UBI_IO_FF_BITFLIPS and it
eventually gets passed to ERR_PTR().  We probably dereference the bad
pointer and oops.  At that point we've gone read only so it was already
a bad situation...

   430                          }
   431                          goto out_free;
   432                  } else if (err == UBI_IO_BITFLIPS)
   433                          scrub = 1;
   434

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mtd/ubi/eba.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -426,6 +426,7 @@ retry:
 						 pnum, vol_id, lnum);
 					err = -EBADMSG;
 				} else
+					err = -EINVAL;
 					ubi_ro_mode(ubi);
 			}
 			goto out_free;
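
Review bot: the added "err = -EINVAL;" sits under a brace-less "} else",
so it becomes the whole else body and ubi_ro_mode(ubi) now runs
unconditionally, including after the branch that sets err to -EBADMSG.
The indentation hides this. Wrap both statements in braces so that
ubi_ro_mode() stays on the else path only.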


* [PATCH 3.16 283/305] KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (57 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 073/305] sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 297/305] netfilter: x_tables: don't reject valid target size on some architectures Ben Hutchings
                   ` (246 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paul Mackerras

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Mackerras <paulus@ozlabs.org>

commit 93d17397e4e2182fdaad503e2f9da46202c0f1c3 upstream.

It turns out that if the guest does a H_CEDE while the CPU is in
a transactional state, and the H_CEDE does a nap, and the nap
loses the architected state of the CPU (which it is allowed to do),
then we lose the checkpointed state of the virtual CPU.  In addition,
the transactional-memory state recorded in the MSR gets reset back
to non-transactional, and when we try to return to the guest, we take
a TM bad thing type of program interrupt because we are trying to
transition from non-transactional to transactional with a hrfid
instruction, which is not permitted.

The result of the program interrupt occurring at that point is that
the host CPU will hang in an infinite loop with interrupts disabled.
Thus this is a denial of service vulnerability in the host which can
be triggered by any guest (and depending on the guest kernel, it can
potentially be triggered by unprivileged userspace in the guest).

This vulnerability has been assigned the ID CVE-2016-5412.

To fix this, we save the TM state before napping and restore it
on exit from the nap, when handling a H_CEDE in real mode.  The
case where H_CEDE exits to host virtual mode is already OK (as are
other hcalls which exit to host virtual mode) because the exit
path saves the TM state.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kvm/book3s_hv_rmhandlers.S | 13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -1954,6 +1954,13 @@ END_FTR_SECTION_IFCLR(CPU_FTR_ARCH_206)
 	/* save FP state */
 	bl	kvmppc_save_fp
 
+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+BEGIN_FTR_SECTION
+	ld	r9, HSTATE_KVM_VCPU(r13)
+	bl	kvmppc_save_tm
+END_FTR_SECTION_IFSET(CPU_FTR_TM)
+#endif
+
 	/*
 	 * Take a nap until a decrementer or external or doobell interrupt
 	 * occurs, with PECE1, PECE0 and PECEDP set in LPCR. Also clear the
@@ -1993,6 +2000,12 @@ kvm_end_cede:
 	/* Woken by external or decrementer interrupt */
 	ld	r1, HSTATE_HOST_R1(r13)
 
+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+BEGIN_FTR_SECTION
+	bl	kvmppc_restore_tm
+END_FTR_SECTION_IFSET(CPU_FTR_TM)
+#endif
+
 	/* load up FP state */
 	bl	kvmppc_load_fp
 
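Review bot: the save side loads r9 from HSTATE_KVM_VCPU(r13) immediately
before "bl kvmppc_save_tm", but "bl kvmppc_restore_tm" at kvm_end_cede
has no register setup in this hunk; the only load visible before the
call is r1 from HSTATE_HOST_R1(r13). State in a comment which register
kvmppc_restore_tm expects the vcpu pointer in and where it was loaded on
this path.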


* [PATCH 3.16 128/305] MIPS: fix read_msa_* & write_msa_* functions on non-MSA toolchains
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (236 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 089/305] sched/preempt: Fix preempt_count manipulations Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 262/305] net/mlx5: Fix potential deadlock in command mode change Ben Hutchings
                   ` (67 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ralf Baechle, linux-mips, Paul Burton

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@imgtec.com>

commit 70dff4d90aab40326d1d06a331e2b07eae99d067 upstream.

Commit d96cc3d1ec5d "MIPS: Add microMIPS MSA support." attempted to use
the value of a macro within an inline asm statement but instead emitted
a comment leading to the cfcmsa & ctcmsa instructions being omitted. Fix
that by passing CFC_MSA_INSN & CTC_MSA_INSN as arguments to the asm
statements.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7305/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/msa.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/mips/include/asm/msa.h
+++ b/arch/mips/include/asm/msa.h
@@ -112,10 +112,10 @@ static inline unsigned int read_msa_##na
 	"	.set	push\n"					\
 	"	.set	noat\n"					\
 	"	.insn\n"					\
-	"	.word	#CFC_MSA_INSN | (" #cs " << 11)\n"	\
+	"	.word	%1 | (" #cs " << 11)\n"			\
 	"	move	%0, $1\n"				\
 	"	.set	pop\n"					\
-	: "=r"(reg));						\
+	: "=r"(reg) : "i"(CFC_MSA_INSN));			\
 	return reg;						\
 }								\
 								\
@@ -126,9 +126,9 @@ static inline void write_msa_##name(unsi
 	"	.set	noat\n"					\
 	"	move	$1, %0\n"				\
 	"	.insn\n"					\
-	"	.word	#CTC_MSA_INSN | (" #cs " << 6)\n"	\
+	"	.word	%1 | (" #cs " << 6)\n"			\
 	"	.set	pop\n"					\
-	: : "r"(val));						\
+	: : "r"(val), "i"(CTC_MSA_INSN));			\
 }
 
 #endif /* !TOOLCHAIN_SUPPORTS_MSA */
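
Review bot: both .word lines now depend on the opcode arriving as an "i"
operand (%1), yet nothing in the header explains why the macro name
cannot simply appear in the string. A comment at the first .word noting
that #CFC_MSA_INSN inside a string literal is not expanded and was
emitted as an assembler comment would stop the old form from coming
back.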


* [PATCH 3.16 154/305] of: fix autoloading due to broken modalias with no 'compatible'
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (209 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 086/305] x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 170/305] usb: gadget: avoid exposing kernel stack Ben Hutchings
                   ` (94 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andreas Schwab, Wolfram Sang, Philipp Zabel,
	Mathieu Malaterre, Michael Ellerman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Wolfram Sang <wsa@the-dreams.de>

commit b3c0a4dab7e35a9b6d69c0415641d2280fdefb2b upstream.

Because of an improper dereference, a stray 'C' character was output to
the modalias when no 'compatible' was specified. This is the case for
some old PowerMac drivers which only set the 'name' property. Fix it to
let them match again.

Reported-by: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Tested-by: Mathieu Malaterre <malat@debian.org>
Cc: Philipp Zabel <p.zabel@pengutronix.de>
Cc: Andreas Schwab <schwab@linux-m68k.org>
Fixes: 6543becf26fff6 ("mod/file2alias: make modalias generation safe for cross compiling")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 scripts/mod/file2alias.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/scripts/mod/file2alias.c
+++ b/scripts/mod/file2alias.c
@@ -653,7 +653,7 @@ static int do_of_entry (const char *file
 	len = sprintf(alias, "of:N%sT%s", (*name)[0] ? *name : "*",
 		      (*type)[0] ? *type : "*");
 
-	if (compatible[0])
+	if ((*compatible)[0])
 		sprintf(&alias[len], "%sC%s", (*type)[0] ? "*" : "",
 			*compatible);
 


* [PATCH 3.16 034/305] ext4: fix hang when processing corrupted orphaned inode list
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (216 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 164/305] iio: proximity: as3935: remove triggered buffer processing Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 023/305] PM / Runtime: Fix error path in pm_runtime_force_resume() Ben Hutchings
                   ` (87 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Theodore Ts'o

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit c9eb13a9105e2e418f72e46a2b6da3f49e696902 upstream.

If the orphaned inode list contains inode #5, ext4_iget() returns a
bad inode (since the bootloader inode should never be referenced
directly).  Because of the bad inode, we end up processing the inode
repeatedly and this hangs the machine.

This can be reproduced via:

   mke2fs -t ext4 /tmp/foo.img 100
   debugfs -w -R "ssv last_orphan 5" /tmp/foo.img
   mount -o loop /tmp/foo.img /mnt

(But don't do this if you are using an unpatched kernel if you care
about the system staying functional.  :-)

This bug was found by the port of American Fuzzy Lop into the kernel
to find file system problems[1].  (Since it *only* happens if inode #5
shows up on the orphan list --- 3, 7, 8, etc. won't do it, it's not
surprising that AFL needed two hours before it found it.)

[1] http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf

Reported by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/ialloc.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -1120,11 +1120,13 @@ struct inode *ext4_orphan_get(struct sup
 		goto iget_failed;
 
 	/*
-	 * If the orphans has i_nlinks > 0 then it should be able to be
-	 * truncated, otherwise it won't be removed from the orphan list
-	 * during processing and an infinite loop will result.
+	 * If the orphans has i_nlinks > 0 then it should be able to
+	 * be truncated, otherwise it won't be removed from the orphan
+	 * list during processing and an infinite loop will result.
+	 * Similarly, it must not be a bad inode.
 	 */
-	if (inode->i_nlink && !ext4_can_truncate(inode))
+	if ((inode->i_nlink && !ext4_can_truncate(inode)) ||
+	    is_bad_inode(inode))
 		goto bad_orphan;
 
 	if (NEXT_ORPHAN(inode) > max_ino)


* [PATCH 3.16 218/305] IB/mlx4: Fix memory leak if QP creation failed
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (252 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 190/305] net_sched: introduce qdisc_replace() helper Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 224/305] ALSA: dummy: Fix a use-after-free at closing Ben Hutchings
                   ` (51 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Doug Ledford, Leon Romanovsky, Dotan Barak, Jack Morgenstein

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dotan Barak <dotanb@dev.mellanox.co.il>

commit 5b420d9cf7382c6e1512e96e02d18842d272049c upstream.

When RC, UC, or RAW QPs are created, a qp object is allocated (kzalloc).
If at a later point (in procedure create_qp_common) the qp creation fails,
this qp object must be freed.

Fixes: 1ffeb2eb8be99 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
Signed-off-by: Dotan Barak <dotanb@dev.mellanox.co.il>
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/qp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -1108,8 +1108,10 @@ struct ib_qp *mlx4_ib_create_qp(struct i
 	{
 		err = create_qp_common(to_mdev(pd->device), pd, init_attr,
 				       udata, 0, &qp, gfp);
-		if (err)
+		if (err) {
+			kfree(qp);
 			return ERR_PTR(err);
+		}
 
 		qp->ibqp.qp_num = qp->mqp.qpn;
 		qp->xrcdn = xrcdn;
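
Review bot: the new kfree(qp) in the error branch is only safe if qp is
NULL or a valid allocation whenever create_qp_common() fails, including
failures before it allocates anything. The declaration of qp is outside
this hunk; confirm that it is initialized to NULL, otherwise this frees
an uninitialized pointer.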


* [PATCH 3.16 222/305] cifs: dynamic allocation of ntlmssp blob
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (41 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 278/305] ALSA: timer: Fix leak in events via snd_timer_user_ccallback Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 082/305] i40e: fix an uninitialized variable bug Ben Hutchings
                   ` (262 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, Jerome Marchand

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jerome Marchand <jmarchan@redhat.com>

commit b8da344b74c822e966c6d19d6b2321efe82c5d97 upstream.

In sess_auth_rawntlmssp_authenticate(), the ntlmssp blob is allocated
statically and its size is an "empirical" 5*sizeof(struct
_AUTHENTICATE_MESSAGE) (320B on x86_64). I don't know where this value
comes from or if it was ever appropriate, but it is currently
insufficient: the user and domain name in UTF16 could take 1kB by
themselves. Because of that, build_ntlmssp_auth_blob() might corrupt
memory (out-of-bounds write). The size of ntlmssp_blob in
SMB2_sess_setup() is too small too (sizeof(struct _NEGOTIATE_MESSAGE)
+ 500).

This patch allocates the blob dynamically in
build_ntlmssp_auth_blob().

Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/ntlmssp.h |  2 +-
 fs/cifs/sess.c    | 76 ++++++++++++++++++++++++++++++-------------------------
 fs/cifs/smb2pdu.c | 10 ++------
 3 files changed, 45 insertions(+), 43 deletions(-)

--- a/fs/cifs/ntlmssp.h
+++ b/fs/cifs/ntlmssp.h
@@ -133,6 +133,6 @@ typedef struct _AUTHENTICATE_MESSAGE {
 
 int decode_ntlmssp_challenge(char *bcc_ptr, int blob_len, struct cifs_ses *ses);
 void build_ntlmssp_negotiate_blob(unsigned char *pbuffer, struct cifs_ses *ses);
-int build_ntlmssp_auth_blob(unsigned char *pbuffer, u16 *buflen,
+int build_ntlmssp_auth_blob(unsigned char **pbuffer, u16 *buflen,
 			struct cifs_ses *ses,
 			const struct nls_table *nls_cp);
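
Review bot: the prototype changes pbuffer to "unsigned char **" without
saying who owns the buffer afterwards. Add a comment at the declaration
that build_ntlmssp_auth_blob() allocates *pbuffer and the caller must
kfree() it, and say what *pbuffer holds when the function returns an
error.
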
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -363,19 +363,43 @@ void build_ntlmssp_negotiate_blob(unsign
 	sec_blob->DomainName.MaximumLength = 0;
 }
 
-/* We do not malloc the blob, it is passed in pbuffer, because its
-   maximum possible size is fixed and small, making this approach cleaner.
-   This function returns the length of the data in the blob */
-int build_ntlmssp_auth_blob(unsigned char *pbuffer,
+static int size_of_ntlmssp_blob(struct cifs_ses *ses)
+{
+	int sz = sizeof(AUTHENTICATE_MESSAGE) + ses->auth_key.len
+		- CIFS_SESS_KEY_SIZE + CIFS_CPHTXT_SIZE + 2;
+
+	if (ses->domainName)
+		sz += 2 * strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
+	else
+		sz += 2;
+
+	if (ses->user_name)
+		sz += 2 * strnlen(ses->user_name, CIFS_MAX_USERNAME_LEN);
+	else
+		sz += 2;
+
+	return sz;
+}
+
+int build_ntlmssp_auth_blob(unsigned char **pbuffer,
 					u16 *buflen,
 				   struct cifs_ses *ses,
 				   const struct nls_table *nls_cp)
 {
 	int rc;
-	AUTHENTICATE_MESSAGE *sec_blob = (AUTHENTICATE_MESSAGE *)pbuffer;
+	AUTHENTICATE_MESSAGE *sec_blob;
 	__u32 flags;
 	unsigned char *tmp;
 
+	rc = setup_ntlmv2_rsp(ses, nls_cp);
+	if (rc) {
+		cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
+		*buflen = 0;
+		goto setup_ntlmv2_ret;
+	}
+	*pbuffer = kmalloc(size_of_ntlmssp_blob(ses), GFP_KERNEL);
+	sec_blob = (AUTHENTICATE_MESSAGE *)*pbuffer;
+
 	memcpy(sec_blob->Signature, NTLMSSP_SIGNATURE, 8);
 	sec_blob->MessageType = NtLmAuthenticate;
 
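Review bot: the kmalloc() result in build_ntlmssp_auth_blob() is used without a NULL check; the next statement is memcpy(sec_blob->Signature, ...), so an allocation failure becomes a NULL dereference where the removed callers returned -ENOMEM. Suggest testing *pbuffer, setting rc = -ENOMEM and *buflen = 0, and jumping to setup_ntlmv2_ret. Separately, both removed call sites used kzalloc() while this uses kmalloc(), and the function advances tmp by 2 for a NULL domain, user or workstation name without writing those bytes, so uninitialised heap bytes can end up inside the blob length reported in *buflen. Using kzalloc() here would keep the old zero-filled behaviour.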
@@ -390,7 +414,7 @@ int build_ntlmssp_auth_blob(unsigned cha
 			flags |= NTLMSSP_NEGOTIATE_KEY_XCH;
 	}
 
-	tmp = pbuffer + sizeof(AUTHENTICATE_MESSAGE);
+	tmp = *pbuffer + sizeof(AUTHENTICATE_MESSAGE);
 	sec_blob->NegotiateFlags = cpu_to_le32(flags);
 
 	sec_blob->LmChallengeResponse.BufferOffset =
@@ -398,13 +422,9 @@ int build_ntlmssp_auth_blob(unsigned cha
 	sec_blob->LmChallengeResponse.Length = 0;
 	sec_blob->LmChallengeResponse.MaximumLength = 0;
 
-	sec_blob->NtChallengeResponse.BufferOffset = cpu_to_le32(tmp - pbuffer);
+	sec_blob->NtChallengeResponse.BufferOffset =
+				cpu_to_le32(tmp - *pbuffer);
 	if (ses->user_name != NULL) {
-		rc = setup_ntlmv2_rsp(ses, nls_cp);
-		if (rc) {
-			cifs_dbg(VFS, "Error %d during NTLMSSP authentication\n", rc);
-			goto setup_ntlmv2_ret;
-		}
 		memcpy(tmp, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
 				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
 		tmp += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
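Review bot: setup_ntlmv2_rsp() used to run only inside the `if (ses->user_name != NULL)` branch shown here, and after this change it runs unconditionally at the top of the function, which changes behaviour for sessions with no user name. The move is presumably so that ses->auth_key.len is final before size_of_ntlmssp_blob() reads it, but neither the commit message nor a comment says so. Please state that the change is intentional and that a setup_ntlmv2_rsp() failure on a NULL-user session is now meant to abort the authenticate step.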
@@ -422,7 +442,7 @@ int build_ntlmssp_auth_blob(unsigned cha
 	}
 
 	if (ses->domainName == NULL) {
-		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
+		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 		sec_blob->DomainName.Length = 0;
 		sec_blob->DomainName.MaximumLength = 0;
 		tmp += 2;
@@ -431,14 +451,14 @@ int build_ntlmssp_auth_blob(unsigned cha
 		len = cifs_strtoUTF16((__le16 *)tmp, ses->domainName,
 				      CIFS_MAX_DOMAINNAME_LEN, nls_cp);
 		len *= 2; /* unicode is 2 bytes each */
-		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - pbuffer);
+		sec_blob->DomainName.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 		sec_blob->DomainName.Length = cpu_to_le16(len);
 		sec_blob->DomainName.MaximumLength = cpu_to_le16(len);
 		tmp += len;
 	}
 
 	if (ses->user_name == NULL) {
-		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
+		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 		sec_blob->UserName.Length = 0;
 		sec_blob->UserName.MaximumLength = 0;
 		tmp += 2;
@@ -447,13 +467,13 @@ int build_ntlmssp_auth_blob(unsigned cha
 		len = cifs_strtoUTF16((__le16 *)tmp, ses->user_name,
 				      CIFS_MAX_USERNAME_LEN, nls_cp);
 		len *= 2; /* unicode is 2 bytes each */
-		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - pbuffer);
+		sec_blob->UserName.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 		sec_blob->UserName.Length = cpu_to_le16(len);
 		sec_blob->UserName.MaximumLength = cpu_to_le16(len);
 		tmp += len;
 	}
 
-	sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - pbuffer);
+	sec_blob->WorkstationName.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 	sec_blob->WorkstationName.Length = 0;
 	sec_blob->WorkstationName.MaximumLength = 0;
 	tmp += 2;
@@ -462,19 +482,19 @@ int build_ntlmssp_auth_blob(unsigned cha
 		(ses->ntlmssp->server_flags & NTLMSSP_NEGOTIATE_EXTENDED_SEC))
 			&& !calc_seckey(ses)) {
 		memcpy(tmp, ses->ntlmssp->ciphertext, CIFS_CPHTXT_SIZE);
-		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
+		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 		sec_blob->SessionKey.Length = cpu_to_le16(CIFS_CPHTXT_SIZE);
 		sec_blob->SessionKey.MaximumLength =
 				cpu_to_le16(CIFS_CPHTXT_SIZE);
 		tmp += CIFS_CPHTXT_SIZE;
 	} else {
-		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
+		sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - *pbuffer);
 		sec_blob->SessionKey.Length = 0;
 		sec_blob->SessionKey.MaximumLength = 0;
 	}
 
+	*buflen = tmp - *pbuffer;
 setup_ntlmv2_ret:
-	*buflen = tmp - pbuffer;
 	return rc;
 }
 
@@ -547,7 +567,7 @@ CIFS_SessSetup(const unsigned int xid, s
 	struct key *spnego_key = NULL;
 	__le32 phase = NtLmNegotiate; /* NTLMSSP, if needed, is multistage */
 	u16 blob_len;
-	char *ntlmsspblob = NULL;
+	unsigned char *ntlmsspblob = NULL;
 
 	if (ses == NULL) {
 		WARN(1, "%s: ses == NULL!", __func__);
@@ -809,20 +829,7 @@ ssetup_ntlmssp_authenticate:
 				cpu_to_le16(sizeof(NEGOTIATE_MESSAGE));
 			break;
 		case NtLmAuthenticate:
-			/*
-			 * 5 is an empirical value, large enough to hold
-			 * authenticate message plus max 10 of av paris,
-			 * domain, user, workstation names, flags, etc.
-			 */
-			ntlmsspblob = kzalloc(
-				5*sizeof(struct _AUTHENTICATE_MESSAGE),
-				GFP_KERNEL);
-			if (!ntlmsspblob) {
-				rc = -ENOMEM;
-				goto ssetup_exit;
-			}
-
-			rc = build_ntlmssp_auth_blob(ntlmsspblob,
+			rc = build_ntlmssp_auth_blob(&ntlmsspblob,
 						&blob_len, ses, nls_cp);
 			if (rc)
 				goto ssetup_exit;
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -550,7 +550,7 @@ SMB2_sess_setup(const unsigned int xid,
 	struct TCP_Server_Info *server = ses->server;
 	u16 blob_length = 0;
 	char *security_blob;
-	char *ntlmssp_blob = NULL;
+	unsigned char *ntlmssp_blob = NULL;
 	bool use_spnego = false; /* else use raw ntlmssp */
 
 	cifs_dbg(FYI, "Session Setup\n");
@@ -631,13 +631,7 @@ ssetup_ntlmssp_authenticate:
 		}
 	} else if (phase == NtLmAuthenticate) {
 		req->hdr.SessionId = ses->Suid;
-		ntlmssp_blob = kzalloc(sizeof(struct _NEGOTIATE_MESSAGE) + 500,
-				       GFP_KERNEL);
-		if (ntlmssp_blob == NULL) {
-			rc = -ENOMEM;
-			goto ssetup_exit;
-		}
-		rc = build_ntlmssp_auth_blob(ntlmssp_blob, &blob_length, ses,
+		rc = build_ntlmssp_auth_blob(&ntlmssp_blob, &blob_length, ses,
 					     nls_cp);
 		if (rc) {
 			cifs_dbg(FYI, "build_ntlmssp_auth_blob failed %d\n",


* [PATCH 3.16 157/305] gpio: bcm-kona: fix bcm_kona_gpio_reset() warnings
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ray Jui, Markus Mayer, Ben Dooks, Linus Walleij

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Dooks <ben.dooks@codethink.co.uk>

commit b66b2a0adf0e48973b582e055758b9907a7eee7c upstream.

The bcm_kona_gpio_reset() calls bcm_kona_gpio_write_lock_regs()
with what looks like the wrong parameter. The write_lock_regs
function takes a pointer to the registers, not the bcm_kona_gpio
structure.

Fix the warning, and probably a bug, by changing the function to
pass reg_base instead of kona_gpio, fixing the following warning:

drivers/gpio/gpio-bcm-kona.c:550:47: warning: incorrect type in argument 1
  (different address spaces)
  expected void [noderef] <asn:2>*reg_base
  got struct bcm_kona_gpio *kona_gpio
  warning: incorrect type in argument 1 (different address spaces)
  expected void [noderef] <asn:2>*reg_base
  got struct bcm_kona_gpio *kona_gpio

Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Acked-by: Ray Jui <ray.jui@broadcom.com>
Reviewed-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpio/gpio-bcm-kona.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpio/gpio-bcm-kona.c
+++ b/drivers/gpio/gpio-bcm-kona.c
@@ -549,11 +549,11 @@ static void bcm_kona_gpio_reset(struct b
 	/* disable interrupts and clear status */
 	for (i = 0; i < kona_gpio->num_bank; i++) {
 		/* Unlock the entire bank first */
-		bcm_kona_gpio_write_lock_regs(kona_gpio, i, UNLOCK_CODE);
+		bcm_kona_gpio_write_lock_regs(reg_base, i, UNLOCK_CODE);
 		writel(0xffffffff, reg_base + GPIO_INT_MASK(i));
 		writel(0xffffffff, reg_base + GPIO_INT_STATUS(i));
 		/* Now re-lock the bank */
-		bcm_kona_gpio_write_lock_regs(kona_gpio, i, LOCK_CODE);
+		bcm_kona_gpio_write_lock_regs(reg_base, i, LOCK_CODE);
 	}
 }
 


* [PATCH 3.16 225/305] posix_acl: Add set_posix_acl
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Andreas Gruenbacher, Al Viro, J. Bruce Fields, Christoph Hellwig

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Gruenbacher <agruenba@redhat.com>

commit 485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f upstream.

Factor out part of posix_acl_xattr_set into a common function that takes
a posix_acl, which nfsd can also call.

The prototype already exists in include/linux/posix_acl.h.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
[carnil: backport to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/posix_acl.c | 42 +++++++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 19 deletions(-)

--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -787,38 +787,42 @@ posix_acl_xattr_get(struct dentry *dentr
 	return error;
 }
 
-static int
-posix_acl_xattr_set(struct dentry *dentry, const char *name,
-		const void *value, size_t size, int flags, int type)
+int
+set_posix_acl(struct inode *inode, int type, struct posix_acl *acl)
 {
-	struct inode *inode = dentry->d_inode;
-	struct posix_acl *acl = NULL;
-	int ret;
-
 	if (!IS_POSIXACL(inode))
 		return -EOPNOTSUPP;
 	if (!inode->i_op->set_acl)
 		return -EOPNOTSUPP;
 
 	if (type == ACL_TYPE_DEFAULT && !S_ISDIR(inode->i_mode))
-		return value ? -EACCES : 0;
+		return acl ? -EACCES : 0;
 	if (!inode_owner_or_capable(inode))
 		return -EPERM;
 
+	if (acl) {
+		int ret = posix_acl_valid(acl);
+		if (ret)
+			return ret;
+	}
+	return inode->i_op->set_acl(inode, acl, type);
+}
+EXPORT_SYMBOL(set_posix_acl);
+
+static int
+posix_acl_xattr_set(struct dentry *dentry, const char *name,
+               const void *value, size_t size, int flags, int type)
+{
+	struct inode *inode = dentry->d_inode;
+	struct posix_acl *acl = NULL;
+	int ret;
+
 	if (value) {
 		acl = posix_acl_from_xattr(&init_user_ns, value, size);
 		if (IS_ERR(acl))
 			return PTR_ERR(acl);
-
-		if (acl) {
-			ret = posix_acl_valid(acl);
-			if (ret)
-				goto out;
-		}
 	}
-
-	ret = inode->i_op->set_acl(inode, acl, type);
-out:
+	ret = set_posix_acl(inode, type, acl);
 	posix_acl_release(acl);
 	return ret;
 }
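Review bot: set_posix_acl() is exported with EXPORT_SYMBOL but has no kernel-doc, so the contract for outside callers such as nfsd is unstated: acl may be NULL, the function performs the IS_POSIXACL, ->set_acl and inode_owner_or_capable() checks itself, and the caller keeps its reference (posix_acl_xattr_set() still calls posix_acl_release() afterwards). Two smaller points: posix_acl_xattr_set() now calls posix_acl_from_xattr() before any of those checks, so a caller that would get -EPERM or -EOPNOTSUPP can get a parse error first, and the continuation line of its re-added prototype is indented with spaces where the removed one used tabs.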


* [PATCH 3.16 109/305] PM / sleep: Handle failures in device_suspend_late() consistently
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Grygorii Strashko, Rafael J. Wysocki

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

commit 3a17fb329da68cb00558721aff876a80bba2fdb9 upstream.

Grygorii Strashko reports:

 The PM runtime will be left disabled for the device if its
 .suspend_late() callback fails and async suspend is not allowed
 for this device. In this case device will not be added in
 dpm_late_early_list and dpm_resume_early() will ignore this
 device, as result PM runtime will be disabled for it forever
 (side effect: after 8 subsequent failures for the same device
 the PM runtime will be reenabled due to disable_depth overflow).

To fix this problem, add devices to dpm_late_early_list regardless
of whether or not device_suspend_late() returns errors for them.

That will ensure failures in there to be handled consistently for
all devices regardless of their async suspend/resume status.

Reported-by: Grygorii Strashko <grygorii.strashko@ti.com>
Tested-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/power/main.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -1247,14 +1247,15 @@ static int dpm_suspend_late(pm_message_t
 		error = device_suspend_late(dev);
 
 		mutex_lock(&dpm_list_mtx);
+		if (!list_empty(&dev->power.entry))
+			list_move(&dev->power.entry, &dpm_late_early_list);
+
 		if (error) {
 			pm_dev_err(dev, state, " late", error);
 			dpm_save_failed_dev(dev_name(dev));
 			put_device(dev);
 			break;
 		}
-		if (!list_empty(&dev->power.entry))
-			list_move(&dev->power.entry, &dpm_late_early_list);
 		put_device(dev);
 
 		if (async_error)
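Review bot: the relocated list_move() in dpm_suspend_late() now sits above the `if (error)` block with no comment, and that ordering is the whole fix. A one-line comment saying that the device must reach dpm_late_early_list even when device_suspend_late() fails, so that dpm_resume_early() handles it, would stop a later cleanup from moving the call back below the error check.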


* [PATCH 3.16 126/305] Input: pwm-beeper - remove useless call to pwm_config()
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Olivier Sobrie, Dmitry Torokhov

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Olivier Sobrie <olivier@sobrie.be>

commit d1b12075ffa808dce33dd46b7ad035bebf8da215 upstream.

Calling pwm_config() with a period equal to zero always results in
error (-EINVAL) and pwm chip config method is never called.

Signed-off-by: Olivier Sobrie <olivier@sobrie.be>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/misc/pwm-beeper.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/input/misc/pwm-beeper.c
+++ b/drivers/input/misc/pwm-beeper.c
@@ -50,7 +50,6 @@ static int pwm_beeper_event(struct input
 	}
 
 	if (value == 0) {
-		pwm_config(beeper->pwm, 0, 0);
 		pwm_disable(beeper->pwm);
 	} else {
 		period = HZ_TO_NANOSECONDS(value);


* [PATCH 3.16 142/305] KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paolo Bonzini, Radim Krčmář, Dmitry Vyukov

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit d14bdb553f9196169f003058ae1cdabe514470e6 upstream.

MOV to DR6 or DR7 causes a #GP if an attempt is made to write a 1 to
any of bits 63:32.  However, this is not detected at KVM_SET_DEBUGREGS
time, and the next KVM_RUN oopses:

   general protection fault: 0000 [#1] SMP
   CPU: 2 PID: 14987 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1
   Hardware name: LENOVO 2325F51/2325F51, BIOS G2ET32WW (1.12 ) 05/30/2012
   [...]
   Call Trace:
    [<ffffffffa072c93d>] kvm_arch_vcpu_ioctl_run+0x141d/0x14e0 [kvm]
    [<ffffffffa071405d>] kvm_vcpu_ioctl+0x33d/0x620 [kvm]
    [<ffffffff81241648>] do_vfs_ioctl+0x298/0x480
    [<ffffffff812418a9>] SyS_ioctl+0x79/0x90
    [<ffffffff817a0f2e>] entry_SYSCALL_64_fastpath+0x12/0x71
   Code: 55 83 ff 07 48 89 e5 77 27 89 ff ff 24 fd 90 87 80 81 0f 23 fe 5d c3 0f 23 c6 5d c3 0f 23 ce 5d c3 0f 23 d6 5d c3 0f 23 de 5d c3 <0f> 23 f6 5d c3 0f 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
   RIP  [<ffffffff810639eb>] native_set_debugreg+0x2b/0x40
    RSP <ffff88005836bd50>

Testcase (beautified/reduced from syzkaller output):

    #include <unistd.h>
    #include <sys/syscall.h>
    #include <string.h>
    #include <stdint.h>
    #include <linux/kvm.h>
    #include <fcntl.h>
    #include <sys/ioctl.h>

    long r[8];

    int main()
    {
        struct kvm_debugregs dr = { 0 };

        r[2] = open("/dev/kvm", O_RDONLY);
        r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
        r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);

        memcpy(&dr,
               "\x5d\x6a\x6b\xe8\x57\x3b\x4b\x7e\xcf\x0d\xa1\x72"
               "\xa3\x4a\x29\x0c\xfc\x6d\x44\x00\xa7\x52\xc7\xd8"
               "\x00\xdb\x89\x9d\x78\xb5\x54\x6b\x6b\x13\x1c\xe9"
               "\x5e\xd3\x0e\x40\x6f\xb4\x66\xf7\x5b\xe3\x36\xcb",
               48);
        r[7] = ioctl(r[4], KVM_SET_DEBUGREGS, &dr);
        r[6] = ioctl(r[4], KVM_RUN, 0);
    }

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kvm/x86.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3069,6 +3069,11 @@ static int kvm_vcpu_ioctl_x86_set_debugr
 	if (dbgregs->flags)
 		return -EINVAL;
 
+	if (dbgregs->dr6 & ~0xffffffffull)
+		return -EINVAL;
+	if (dbgregs->dr7 & ~0xffffffffull)
+		return -EINVAL;
+
 	memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db));
 	vcpu->arch.dr6 = dbgregs->dr6;
 	kvm_update_dr6(vcpu);
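Review bot: the two added checks in kvm_vcpu_ioctl_x86_set_debugregs() repeat the bare mask ~0xffffffffull with no comment tying it to the #GP rule given in the commit message. Consider a single test, `if ((dbgregs->dr6 | dbgregs->dr7) & ~0xffffffffull) return -EINVAL;`, with a short comment that bits 63:32 of DR6 and DR7 must be zero, so the reason for rejecting the ioctl is visible in the code and not only in the changelog.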


* [PATCH 3.16 097/305] sunrpc: Update RPCBIND_MAXNETIDLEN
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chuck Lever, Anna Schumaker

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit 4b9c7f9db9a003f5c342184dc4401c1b7f2efb39 upstream.

Commit 176e21ee2ec8 ("SUNRPC: Support for RPC over AF_LOCAL
transports") added a 5-character netid, but did not bump
RPCBIND_MAXNETIDLEN from 4 to 5.

Fixes: 176e21ee2ec8 ("SUNRPC: Support for RPC over AF_LOCAL ...")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/sunrpc/msg_prot.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/sunrpc/msg_prot.h
+++ b/include/linux/sunrpc/msg_prot.h
@@ -152,9 +152,9 @@ typedef __be32	rpc_fraghdr;
 
 /*
  * Note that RFC 1833 does not put any size restrictions on the
- * netid string, but all currently defined netid's fit in 4 bytes.
+ * netid string, but all currently defined netid's fit in 5 bytes.
  */
-#define RPCBIND_MAXNETIDLEN	(4u)
+#define RPCBIND_MAXNETIDLEN	(5u)
 
 /*
  * Universal addresses are introduced in RFC 1833 and further spelled
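Review bot: RPCBIND_MAXNETIDLEN remains a hand-maintained literal, and the updated comment repeats the assumption that already went stale once, when a 5-character netid was added while the limit stayed at 4. Suggest a compile-time check next to the netid definitions (for example a BUILD_BUG_ON against the longest netid string the code defines), so that adding a longer netid fails the build instead of silently exceeding the limit.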


* [PATCH 3.16 145/305] parisc: Fix pagefault crash in unaligned __get_user() call
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Helge Deller

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Helge Deller <deller@gmx.de>

commit 8b78f260887df532da529f225c49195d18fef36b upstream.

One of the debian buildd servers had this crash in the syslog without
any other information:

 Unaligned handler failed, ret = -2
 clock_adjtime (pid 22578): Unaligned data reference (code 28)
 CPU: 1 PID: 22578 Comm: clock_adjtime Tainted: G  E  4.5.0-2-parisc64-smp #1 Debian 4.5.4-1
 task: 000000007d9960f8 ti: 00000001bde7c000 task.ti: 00000001bde7c000

      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
 PSW: 00001000000001001111100000001111 Tainted: G            E
 r00-03  000000ff0804f80f 00000001bde7c2b0 00000000402d2be8 00000001bde7c2b0
 r04-07  00000000409e1fd0 00000000fa6f7fff 00000001bde7c148 00000000fa6f7fff
 r08-11  0000000000000000 00000000ffffffff 00000000fac9bb7b 000000000002b4d4
 r12-15  000000000015241c 000000000015242c 000000000000002d 00000000fac9bb7b
 r16-19  0000000000028800 0000000000000001 0000000000000070 00000001bde7c218
 r20-23  0000000000000000 00000001bde7c210 0000000000000002 0000000000000000
 r24-27  0000000000000000 0000000000000000 00000001bde7c148 00000000409e1fd0
 r28-31  0000000000000001 00000001bde7c320 00000001bde7c350 00000001bde7c218
 sr00-03  0000000001200000 0000000001200000 0000000000000000 0000000001200000
 sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000

 IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d2e84 00000000402d2e88
  IIR: 0ca0d089    ISR: 0000000001200000  IOR: 00000000fa6f7fff
  CPU:        1   CR30: 00000001bde7c000 CR31: ffffffffffffffff
  ORIG_R28: 00000002369fe628
  IAOQ[0]: compat_get_timex+0x2dc/0x3c0
  IAOQ[1]: compat_get_timex+0x2e0/0x3c0
  RP(r2): compat_get_timex+0x40/0x3c0
 Backtrace:
  [<00000000402d4608>] compat_SyS_clock_adjtime+0x40/0xc0
  [<0000000040205024>] syscall_exit+0x0/0x14

This means the userspace program clock_adjtime called the clock_adjtime()
syscall and then crashed inside the compat_get_timex() function.
Syscalls should never crash programs, but instead return EFAULT.

The IIR register contains the executed instruction, which disassembles
into "ldw 0(sr3,r5),r9".
This load-word instruction is part of __get_user() which tried to read the word
at %r5/IOR (0xfa6f7fff). This means the unaligned handler jumped in.  The
unaligned handler is able to emulate all ldw instructions, but it fails if it
fails to read the source e.g. because of page fault.

The following program reproduces the problem:

#define _GNU_SOURCE
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/mman.h>

int main(void) {
        /* allocate 8k */
        char *ptr = mmap(NULL, 2*4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
        /* free second half (upper 4k) and make it invalid. */
        munmap(ptr+4096, 4096);
        /* syscall where first int is unaligned and clobbers into invalid memory region */
        /* syscall should return EFAULT */
        return syscall(__NR_clock_adjtime, 0, ptr+4095);
}

To fix this issue we simply need to check if the faulting instruction address
is in the exception fixup table when the unaligned handler failed. If it
is, call the fixup routine instead of crashing.

While looking at the unaligned handler I found another issue as well: The
target register should not be modified if the handler was unsuccessful.

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/parisc/kernel/unaligned.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/arch/parisc/kernel/unaligned.c
+++ b/arch/parisc/kernel/unaligned.c
@@ -666,7 +666,7 @@ void handle_unaligned(struct pt_regs *re
 		break;
 	}
 
-	if (modify && R1(regs->iir))
+	if (ret == 0 && modify && R1(regs->iir))
 		regs->gr[R1(regs->iir)] = newbase;
 
 
@@ -677,6 +677,14 @@ void handle_unaligned(struct pt_regs *re
 
 	if (ret)
 	{
+		/*
+		 * The unaligned handler failed.
+		 * If we were called by __get_user() or __put_user() jump
+		 * to it's exception fixup handler instead of crashing.
+		 */
+		if (!user_mode(regs) && fixup_exception(regs))
+			return;
+
 		printk(KERN_CRIT "Unaligned handler failed, ret = %d\n", ret);
 		die_if_kernel("Unaligned data reference", regs, 28);
 
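Review bot: in the added comment in handle_unaligned(), "it's exception fixup handler" should read "its exception fixup handler". On the logic, the early return when fixup_exception() succeeds also skips the printk(KERN_CRIT ...) just below, which is right for a __get_user() access that is allowed to fault; a few words in the comment saying the silence is deliberate would help the next reader.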


* [PATCH 3.16 184/305] drm/radeon: fix asic initialization for virtualized environments
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Alex Deucher, Alex Williamson, Andres Rodriguez

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit 05082b8bbd1a0ffc74235449c4b8930a8c240f85 upstream.

When executing in a PCI passthrough based virtualization environment, the
hypervisor will usually attempt to send a PCIe bus reset signal to the
ASIC when the VM reboots. In this scenario, the card is not correctly
initialized, but we still consider it to be posted. Therefore, in a
passthrough based environment we should always post the card to guarantee
it is in a good state for driver initialization.

Ported from amdgpu commit:
amdgpu: fix asic initialization for virtualized environments

Cc: Andres Rodriguez <andres.rodriguez@amd.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/radeon/radeon_device.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -598,6 +598,23 @@ void radeon_gtt_location(struct radeon_d
 /*
  * GPU helpers function.
  */
+
+/**
+ * radeon_device_is_virtual - check if we are running is a virtual environment
+ *
+ * Check if the asic has been passed through to a VM (all asics).
+ * Used at driver startup.
+ * Returns true if virtual or false if not.
+ */
+static bool radeon_device_is_virtual(void)
+{
+#ifdef CONFIG_X86
+	return boot_cpu_has(X86_FEATURE_HYPERVISOR);
+#else
+	return false;
+#endif
+}
+
 /**
  * radeon_card_posted - check if the hw has already been initialized
  *
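Review bot: radeon_device_is_virtual() tests X86_FEATURE_HYPERVISOR, which says the kernel is running as a guest, not that this ASIC was passed through, so the kernel-doc line "Check if the asic has been passed through to a VM" overstates what is checked. On non-x86 builds the function always returns false, so a passed-through card there keeps the old behaviour. Please reword the comment to match what the code tests, and fix "running is a virtual environment" to "running in a virtual environment".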
@@ -611,6 +628,10 @@ bool radeon_card_posted(struct radeon_de
 {
 	uint32_t reg;
 
+	/* for pass through, always force asic_init */
+	if (radeon_device_is_virtual())
+		return false;
+
 	/* required for EFI mode on macbook2,1 which uses an r5xx asic */
 	if (efi_enabled(EFI_BOOT) &&
 	    (rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE) &&


* [PATCH 3.16 290/305] netfilter: x_tables: add and use xt_check_entry_offsets
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Florian Westphal

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 7d35812c3214afa5b37a675113555259cfd67b98 upstream.

Currently arp/ip and ip6tables each implement a short helper to check that
the target offset is large enough to hold one xt_entry_target struct and
that t->u.target_size fits within the current rule.

Unfortunately these checks are not sufficient.

To avoid adding new tests to all of ip/ip6/arptables move the current
checks into a helper, then extend this helper in followup patches.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/netfilter/x_tables.h |  4 ++++
 net/ipv4/netfilter/arp_tables.c    | 11 +----------
 net/ipv4/netfilter/ip_tables.c     | 12 +-----------
 net/ipv6/netfilter/ip6_tables.c    | 12 +-----------
 net/netfilter/x_tables.c           | 34 ++++++++++++++++++++++++++++++++++
 5 files changed, 41 insertions(+), 32 deletions(-)

--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -239,6 +239,10 @@ void xt_unregister_match(struct xt_match
 int xt_register_matches(struct xt_match *match, unsigned int n);
 void xt_unregister_matches(struct xt_match *match, unsigned int n);
 
+int xt_check_entry_offsets(const void *base,
+			   unsigned int target_offset,
+			   unsigned int next_offset);
+
 int xt_check_match(struct xt_mtchk_param *, unsigned int size, u_int8_t proto,
 		   bool inv_proto);
 int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
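Review bot: xt_check_entry_offsets() receives only base, target_offset and next_offset, so it has no way to check that target_offset lies at or beyond the end of the fixed arpt/ipt/ip6t entry header. The checks removed from the three check_entry() callers only bound the target against next_offset, and the commit message already says they are not sufficient. If a lower bound on target_offset is among the planned follow-ups, passing the entry size as a fourth argument now would avoid touching every caller a second time.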
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -493,19 +493,10 @@ static int mark_source_chains(const stru
 
 static inline int check_entry(const struct arpt_entry *e)
 {
-	const struct xt_entry_target *t;
-
 	if (!arp_checkentry(&e->arp))
 		return -EINVAL;
 
-	if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset)
-		return -EINVAL;
-
-	t = arpt_get_target_c(e);
-	if (e->target_offset + t->u.target_size > e->next_offset)
-		return -EINVAL;
-
-	return 0;
+	return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
 }
 
 static inline int check_target(struct arpt_entry *e, const char *name)
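Review bot: check_entry() now hands e->target_offset and e->next_offset straight to xt_check_entry_offsets(), whose kernel-doc requires that base through base + next_offset is already known to be accessible, and nothing in this function establishes that. A one-line comment here naming where next_offset is bounded against the blob would keep the precondition from being lost; the same applies to the identical conversions in ip_tables.c and ip6_tables.c.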
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -587,20 +587,10 @@ static void cleanup_match(struct xt_entr
 static int
 check_entry(const struct ipt_entry *e)
 {
-	const struct xt_entry_target *t;
-
 	if (!ip_checkentry(&e->ip))
 		return -EINVAL;
 
-	if (e->target_offset + sizeof(struct xt_entry_target) >
-	    e->next_offset)
-		return -EINVAL;
-
-	t = ipt_get_target_c(e);
-	if (e->target_offset + t->u.target_size > e->next_offset)
-		return -EINVAL;
-
-	return 0;
+	return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
 }
 
 static int
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -597,20 +597,10 @@ static void cleanup_match(struct xt_entr
 static int
 check_entry(const struct ip6t_entry *e)
 {
-	const struct xt_entry_target *t;
-
 	if (!ip6_checkentry(&e->ipv6))
 		return -EINVAL;
 
-	if (e->target_offset + sizeof(struct xt_entry_target) >
-	    e->next_offset)
-		return -EINVAL;
-
-	t = ip6t_get_target_c(e);
-	if (e->target_offset + t->u.target_size > e->next_offset)
-		return -EINVAL;
-
-	return 0;
+	return xt_check_entry_offsets(e, e->target_offset, e->next_offset);
 }
 
 static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -560,6 +560,40 @@ int xt_compat_match_to_user(const struct
 EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
 #endif /* CONFIG_COMPAT */
 
+/**
+ * xt_check_entry_offsets - validate arp/ip/ip6t_entry
+ *
+ * @base: pointer to arp/ip/ip6t_entry
+ * @target_offset: the arp/ip/ip6_t->target_offset
+ * @next_offset: the arp/ip/ip6_t->next_offset
+ *
+ * validates that target_offset and next_offset are sane.
+ *
+ * The arp/ip/ip6t_entry structure @base must have passed following tests:
+ * - it must point to a valid memory location
+ * - base to base + next_offset must be accessible, i.e. not exceed allocated
+ *   length.
+ *
+ * Return: 0 on success, negative errno on failure.
+ */
+int xt_check_entry_offsets(const void *base,
+			   unsigned int target_offset,
+			   unsigned int next_offset)
+{
+	const struct xt_entry_target *t;
+	const char *e = base;
+
+	if (target_offset + sizeof(*t) > next_offset)
+		return -EINVAL;
+
+	t = (void *)(e + target_offset);
+	if (target_offset + t->u.target_size > next_offset)
+		return -EINVAL;
+
+	return 0;
+}
+EXPORT_SYMBOL(xt_check_entry_offsets);
+
 int xt_check_target(struct xt_tgchk_param *par,
 		    unsigned int size, u_int8_t proto, bool inv_proto)
 {
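Review bot: xt_check_entry_offsets() puts an upper bound on target_offset and t->u.target_size but no lower bound on either, so target_offset may be smaller than the arp/ip/ip6t_entry header that @base points to (t then aliases the entry itself) and a target_size smaller than sizeof(*t) is accepted. The changelog says the old checks are carried over as they were and extended in follow-ups, so please confirm those follow-ups are queued in this same series. Minor: the helper takes unsigned int offsets, so target_offset + sizeof(*t) can wrap where size_t is 32 bits unless callers only pass narrower fields, which deserves a comment or an explicit target_offset > next_offset test; and the new export is EXPORT_SYMBOL while the neighbouring xt_compat_match_to_user uses EXPORT_SYMBOL_GPL.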

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 156/305] fix d_walk()/non-delayed __d_free() race
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (66 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 024/305] EDAC: Increment correct counter in edac_inc_ue_error() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 192/305] netem: fix a use after free Ben Hutchings
                   ` (237 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Al Viro

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Al Viro <viro@zeniv.linux.org.uk>

commit 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 upstream.

Ascend-to-parent logic in d_walk() depends on all encountered child
dentries not getting freed without an RCU delay.  Unfortunately, in
quite a few cases it is not true, with hard-to-hit oopsable race as
the result.

Fortunately, the fix is simple; right now the rule is "if it ever
been hashed, freeing must be delayed" and changing it to "if it
ever had a parent, freeing must be delayed" closes that hole and
covers all cases the old rule used to cover.  Moreover, pipes and
sockets remain _not_ covered, so we do not introduce RCU delay in
the cases which are the reason for having that delay conditional
in the first place.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16:
 - Adjust context
 - Also set the flag in __d_materialise_dentry())]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/dcache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1502,7 +1502,7 @@ struct dentry *d_alloc(struct dentry * p
 	struct dentry *dentry = __d_alloc(parent->d_sb, name);
 	if (!dentry)
 		return NULL;
-
+	dentry->d_flags |= DCACHE_RCUACCESS;
 	spin_lock(&parent->d_lock);
 	/*
 	 * don't need child lock because it is not subject
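Review bot: the DCACHE_RCUACCESS assignment in d_alloc() takes the place of the blank line after the NULL check and carries no comment, so the new rule from the changelog ("if it ever had a parent, freeing must be delayed") is not recorded anywhere in the code. A short comment above the assignment, with the blank line kept, would show why the flag is now set at allocation time instead of at hash time.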
@@ -2354,7 +2354,6 @@ static void __d_rehash(struct dentry * e
 {
 	BUG_ON(!d_unhashed(entry));
 	hlist_bl_lock(b);
-	entry->d_flags |= DCACHE_RCUACCESS;
 	hlist_bl_add_head_rcu(&entry->d_hash, b);
 	hlist_bl_unlock(b);
 }
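Review bot: with the flag no longer set in __d_rehash(), any dentry that gets hashed without having passed through d_alloc(), the IS_ROOT branch of __d_move() or __d_materialise_dentry() is now freed without the RCU delay. The changelog asserts that the new rule covers every case the old one did; listing the remaining paths that reach this function, or stating that there are none, would make that claim checkable.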
@@ -2560,6 +2559,7 @@ static void __d_move(struct dentry *dent
 
 	/* ... and switch the parents */
 	if (IS_ROOT(dentry)) {
+		dentry->d_flags |= DCACHE_RCUACCESS;
 		dentry->d_parent = target->d_parent;
 		target->d_parent = target;
 		INIT_LIST_HEAD(&target->d_child);
@@ -2696,6 +2696,7 @@ static void __d_materialise_dentry(struc
 
 	switch_names(dentry, anon, false);
 
+	dentry->d_flags |= DCACHE_RCUACCESS;
 	dentry->d_parent = dentry;
 	list_del_init(&dentry->d_child);
 	anon->d_parent = dparent;
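Review bot: in __d_materialise_dentry() the flag is set on dentry, yet the next lines make dentry its own parent (dentry->d_parent = dentry) and hand the parent to anon (anon->d_parent = dparent). Under the rule stated in the changelog it is the dentry acquiring a parent that needs delayed freeing, as in the IS_ROOT branch of __d_move(), so please check whether this should be anon->d_flags |= DCACHE_RCUACCESS instead of, or in addition to, the line added here. This backport-only line also brings the patch to three insertions while the diffstat still says two.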

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 066/305] irqchip/gic: Ensure ordering between read of INTACK and shared data
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (160 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 092/305] fs/cifs: correctly to anonymous authentication via NTLMSSP Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 211/305] powerpc/bpf/jit: Disable classic BPF JIT on ppc64le Ben Hutchings
                   ` (143 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marc Zyngier, Will Deacon

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit f86c4fbd930ff6fecf3d8a1c313182bd0f49f496 upstream.

When an IPI is generated by a CPU, the pattern looks roughly like:

  <write shared data>
  smp_wmb();
  <write to GIC to signal SGI>

On the receiving CPU we rely on the fact that, once we've taken the
interrupt, then the freshly written shared data must be visible to us.
Put another way, the CPU isn't going to speculate taking an interrupt.

Unfortunately, this assumption turns out to be broken.

Consider that CPUx wants to send an IPI to CPUy, which will cause CPUy
to read some shared_data. Before CPUx has done anything, a random
peripheral raises an IRQ to the GIC and the IRQ line on CPUy is raised.
CPUy then takes the IRQ and starts executing the entry code, heading
towards gic_handle_irq. Furthermore, let's assume that a bunch of the
previous interrupts handled by CPUy were SGIs, so the branch predictor
kicks in and speculates that irqnr will be <16 and we're likely to
head into handle_IPI. The prefetcher then grabs a speculative copy of
shared_data which contains a stale value.

Meanwhile, CPUx gets round to updating shared_data and asking the GIC
to send an SGI to CPUy. Internally, the GIC decides that the SGI is
more important than the peripheral interrupt (which hasn't yet been
ACKed) but doesn't need to do anything to CPUy, because the IRQ line
is already raised.

CPUy then reads the ACK register on the GIC, sees the SGI value which
confirms the branch prediction and we end up with a stale shared_data
value.

This patch fixes the problem by adding an smp_rmb() to the IPI entry
code in gic_handle_irq. As it turns out, the combination of a control
dependency and an ISB instruction from the EOI in the GICv3 driver is
enough to provide the ordering we need, so we add a comment there
justifying the absence of an explicit smp_rmb().

Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
[bwh: Backported to 3.16: drop changes to irq-gic-v3]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/irqchip/irq-gic.c
+++ b/drivers/irqchip/irq-gic.c
@@ -302,6 +302,14 @@ static void __exception_irq_entry gic_ha
 		if (irqnr < 16) {
 			writel_relaxed(irqstat, cpu_base + GIC_CPU_EOI);
 #ifdef CONFIG_SMP
+			/*
+			 * Ensure any shared data written by the CPU sending
+			 * the IPI is read after we've read the ACK register
+			 * on the GIC.
+			 *
+			 * Pairs with the write barrier in gic_raise_softirq
+			 */
+			smp_rmb();
 			handle_IPI(irqnr, regs);
 #endif
 			continue;
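Review bot: the smp_rmb() in gic_handle_irq() is placed after the writel_relaxed() to GIC_CPU_EOI, while the ACK register read it orders against is above this hunk and not mentioned by name in the comment. The placement works because only the reads inside handle_IPI() have to come after the ACK read, but the comment should say that, so nobody later moves the barrier below handle_IPI() or assumes it orders the EOI write.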

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 138/305] ACPI / processor: Avoid reserving IO regions too early
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (69 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 296/305] netfilter: x_tables: validate all offsets and sizes in a rule Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 181/305] ARM: 8578/1: mm: ensure pmd_present only checks the valid bit Ben Hutchings
                   ` (234 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Rafael J. Wysocki, Roland Dreier

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

commit 86314751c7945fa0c67f459beeda2e7c610ca429 upstream.

Roland Dreier reports that one of his systems cannot boot because of
the changes made by commit ac212b6980d8 (ACPI / processor: Use common
hotplug infrastructure).

The problematic part of it is the request_region() call in
acpi_processor_get_info() that used to run at module init time before
the above commit and now it runs much earlier.  Unfortunately, the
region(s) reserved by it fall into a range the PCI subsystem attempts
to reserve for AHCI IO BARs.  As a result, the PCI reservation fails
and AHCI doesn't work, while previously the PCI reservation would
be made before acpi_processor_get_info() and it would succeed.

That request_region() call, however, was overlooked by commit
ac212b6980d8, as it is not necessary for the enumeration of the
processors.  It only is needed when the ACPI processor driver
actually attempts to handle them which doesn't happen before
loading the ACPI processor driver module.  Therefore that call
should have been moved from acpi_processor_get_info() into that
module.

Address the problem by moving the request_region() call in question
out of acpi_processor_get_info() and use the observation that the
region reserved by it is only needed if the FADT-based CPU
throttling method is going to be used, which means that it should
be sufficient to invoke it from acpi_processor_get_throttling_fadt().

Fixes: ac212b6980d8 (ACPI / processor: Use common hotplug infrastructure)
Reported-by: Roland Dreier <roland@purestorage.com>
Tested-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/acpi/acpi_processor.c       | 9 ---------
 drivers/acpi/processor_throttling.c | 9 +++++++++
 2 files changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/acpi/acpi_processor.c
+++ b/drivers/acpi/acpi_processor.c
@@ -311,15 +311,6 @@ static int acpi_processor_get_info(struc
 		pr->throttling.duty_width = acpi_gbl_FADT.duty_width;
 
 		pr->pblk = object.processor.pblk_address;
-
-		/*
-		 * We don't care about error returns - we just try to mark
-		 * these reserved so that nobody else is confused into thinking
-		 * that this region might be unused..
-		 *
-		 * (In particular, allocating the IO range for Cardbus)
-		 */
-		request_region(pr->throttling.address, 6, "ACPI CPU throttle");
 	}
 
 	/*
--- a/drivers/acpi/processor_throttling.c
+++ b/drivers/acpi/processor_throttling.c
@@ -680,6 +680,15 @@ static int acpi_processor_get_throttling
 	if (!pr->flags.throttling)
 		return -ENODEV;
 
+	/*
+	 * We don't care about error returns - we just try to mark
+	 * these reserved so that nobody else is confused into thinking
+	 * that this region might be unused..
+	 *
+	 * (In particular, allocating the IO range for Cardbus)
+	 */
+	request_region(pr->throttling.address, 6, "ACPI CPU throttle");
+
 	pr->throttling.state = 0;
 
 	duty_mask = pr->throttling.state_count - 1;
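Review bot: request_region() in acpi_processor_get_throttling_fadt() discards its return value and has no matching release_region() in view, and per the changelog it now runs from the ACPI processor driver module. If this function is called more than once per processor, every call after the first fails silently, and if the module can be unloaded the region stays reserved under a name string that belonged to the module. Consider reserving once when the driver binds and releasing on unbind, or document why repeated calls and unload are harmless.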

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 027/305] PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (135 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 266/305] ALSA: timer: Fix negative queue usage by racy accesses Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 062/305] MIPS: KVM: Fix timer IRQ race when writing CP0_Compare Ben Hutchings
                   ` (168 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Arjan van de Ven, Yinghai Lu, Bjorn Helgaas

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <bhelgaas@google.com>

commit ca620723d4ff9ea7ed484eab46264c3af871b9ae upstream.

iomem_is_exclusive() requires a CPU physical address, but on some arches we
supplied a PCI bus address instead.

On most arches, pci_resource_to_user(res) returns "res->start", which is a
CPU physical address.  But on microblaze, mips, powerpc, and sparc, it
returns the PCI bus address corresponding to "res->start".

The result is that pci_mmap_resource() may fail when it shouldn't (if the
bus address happens to match an existing resource), or it may succeed when
it should fail (if the resource is exclusive but the bus address doesn't
match it).

Call iomem_is_exclusive() with "res->start", which is always a CPU physical
address, not the result of pci_resource_to_user().

Fixes: e8de1481fd71 ("resource: allow MMIO exclusivity for device drivers")
Suggested-by: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/pci-sysfs.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -1005,6 +1005,9 @@ static int pci_mmap_resource(struct kobj
 	if (i >= PCI_ROM_RESOURCE)
 		return -ENODEV;
 
+	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
+		return -EINVAL;
+
 	if (!pci_mmap_fits(pdev, i, vma, PCI_MMAP_SYSFS)) {
 		WARN(1, "process \"%s\" tried to map 0x%08lx bytes at page 0x%08lx on %s BAR %d (start 0x%16Lx, size 0x%16Lx)\n",
 			current->comm, vma->vm_end-vma->vm_start, vma->vm_pgoff,
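Review bot: besides switching the argument to res->start, this hunk moves the iomem_is_exclusive() test ahead of pci_mmap_fits(), which the changelog does not mention. A mapping request against an exclusive BAR that would also fail the size check now returns -EINVAL before the WARN is reached. If the reordering is intended, say so in the commit message; parentheses around res->flags & IORESOURCE_MEM would also make the condition easier to read.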
@@ -1021,10 +1024,6 @@ static int pci_mmap_resource(struct kobj
 	pci_resource_to_user(pdev, i, res, &start, &end);
 	vma->vm_pgoff += start >> PAGE_SHIFT;
 	mmap_type = res->flags & IORESOURCE_MEM ? pci_mmap_mem : pci_mmap_io;
-
-	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(start))
-		return -EINVAL;
-
 	return pci_mmap_page_range(pdev, vma, mmap_type, write_combine);
 }
 

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 194/305] drm/i915/ilk: Don't disable SSC source if it's in use
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (265 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 048/305] ext4: fix oops on corrupted filesystem Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 032/305] aacraid: Relinquish CPU during timeout wait Ben Hutchings
                   ` (38 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Lyude, Daniel Vetter, Ville Syrjälä

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lyude <cpaul@redhat.com>

commit 476490a945e1f0f6bd58e303058d2d8ca93a974c upstream.

Thanks to Ville Syrjälä for pointing me towards the cause of this issue.

Unfortunately one of the side effects of having the refclk for a DPLL set
to SSC is that as long as it's set to SSC, the GPU will prevent us from
powering down any of the pipes or transcoders using it. A couple of
BIOSes enable SSC in both PCH_DREF_CONTROL and in the DPLL
configurations. This causes issues on the first modeset, since we don't
expect SSC to be left on and as a result, can't successfully power down
the pipes or the transcoders using it. Here's an example from this Dell
OptiPlex 990:

[drm:intel_modeset_init] SSC enabled by BIOS, overriding VBT which says disabled
[drm:intel_modeset_init] 2 display pipes available.
[drm:intel_update_cdclk] Current CD clock rate: 400000 kHz
[drm:intel_update_max_cdclk] Max CD clock rate: 400000 kHz
[drm:intel_update_max_cdclk] Max dotclock rate: 360000 kHz
vgaarb: device changed decodes: PCI:0000:00:02.0,olddecodes=io+mem,decodes=io+mem:owns=io+mem
[drm:intel_crt_reset] crt adpa set to 0xf40000
[drm:intel_dp_init_connector] Adding DP connector on port C
[drm:intel_dp_aux_init] registering DPDDC-C bus for card0-DP-1
[drm:ironlake_init_pch_refclk] has_panel 0 has_lvds 0 has_ck505 0
[drm:ironlake_init_pch_refclk] Disabling SSC entirely
… later we try committing the first modeset …
[drm:intel_dump_pipe_config] [CRTC:26][modeset] config ffff88041b02e800 for pipe A
[drm:intel_dump_pipe_config] cpu_transcoder: A
…
[drm:intel_dump_pipe_config] dpll_hw_state: dpll: 0xc4016001, dpll_md: 0x0, fp0: 0x20e08, fp1: 0x30d07
[drm:intel_dump_pipe_config] planes on this crtc
[drm:intel_dump_pipe_config] STANDARD PLANE:23 plane: 0.0 idx: 0 enabled
[drm:intel_dump_pipe_config]     FB:42, fb = 800x600 format = 0x34325258
[drm:intel_dump_pipe_config]     scaler:0 src (0, 0) 800x600 dst (0, 0) 800x600
[drm:intel_dump_pipe_config] CURSOR PLANE:25 plane: 0.1 idx: 1 disabled, scaler_id = 0
[drm:intel_dump_pipe_config] STANDARD PLANE:27 plane: 0.1 idx: 2 disabled, scaler_id = 0
[drm:intel_get_shared_dpll] CRTC:26 allocated PCH DPLL A
[drm:intel_get_shared_dpll] using PCH DPLL A for pipe A
[drm:ilk_audio_codec_disable] Disable audio codec on port C, pipe A
[drm:intel_disable_pipe] disabling pipe A
------------[ cut here ]------------
WARNING: CPU: 1 PID: 130 at drivers/gpu/drm/i915/intel_display.c:1146 intel_disable_pipe+0x297/0x2d0 [i915]
pipe_off wait timed out
…
---[ end trace 94fc8aa03ae139e8 ]---
[drm:intel_dp_link_down]
[drm:ironlake_crtc_disable [i915]] *ERROR* failed to disable transcoder A

Later modesets succeed since they reset the DPLL's configuration anyway,
but this is enough to get stuck with a big fat warning in dmesg.

A better solution would be to add refcounts for the SSC source, but for
now leaving the source clock on should suffice.

Changes since v4:
 - Fix calculation of final for systems with LVDS panels (fixes BUG() on
   CI test suite)
Changes since v3:
 - Move temp variable into loop
 - Move checks for using_ssc_source to after we've figured out has_ck505
 - Add using_ssc_source to debug output
Changes since v2:
 - Fix debug output for when we disable the CPU source
Changes since v1:
 - Leave the SSC source clock on instead of just shutting it off on all
   of the DPLL configurations.

Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Lyude <cpaul@redhat.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1465916649-10228-1-git-send-email-cpaul@redhat.com
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/intel_display.c | 48 +++++++++++++++++++++++++-----------
 1 file changed, 34 insertions(+), 14 deletions(-)

--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -6263,12 +6263,14 @@ static void ironlake_init_pch_refclk(str
 	struct drm_i915_private *dev_priv = dev->dev_private;
 	struct drm_mode_config *mode_config = &dev->mode_config;
 	struct intel_encoder *encoder;
+	int i;
 	u32 val, final;
 	bool has_lvds = false;
 	bool has_cpu_edp = false;
 	bool has_panel = false;
 	bool has_ck505 = false;
 	bool can_ssc = false;
+	bool using_ssc_source = false;
 
 	/* We need to take the global config into account */
 	list_for_each_entry(encoder, &mode_config->encoder_list,
@@ -6294,8 +6296,22 @@ static void ironlake_init_pch_refclk(str
 		can_ssc = true;
 	}
 
-	DRM_DEBUG_KMS("has_panel %d has_lvds %d has_ck505 %d\n",
-		      has_panel, has_lvds, has_ck505);
+	/* Check if any DPLLs are using the SSC source */
+	for (i = 0; i < dev_priv->num_shared_dpll; i++) {
+		u32 temp = I915_READ(PCH_DPLL(i));
+
+		if (!(temp & DPLL_VCO_ENABLE))
+			continue;
+
+		if ((temp & PLL_REF_INPUT_MASK) ==
+		    PLLB_REF_INPUT_SPREADSPECTRUMIN) {
+			using_ssc_source = true;
+			break;
+		}
+	}
+
+	DRM_DEBUG_KMS("has_panel %d has_lvds %d has_ck505 %d using_ssc_source %d\n",
+		      has_panel, has_lvds, has_ck505, using_ssc_source);
 
 	/* Ironlake: try to setup display ref clock before DPLL
 	 * enabling. This is only under driver's control after
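Review bot: the DPLL scan reads live hardware state through I915_READ(PCH_DPLL(i)), but its comment says only what is checked, not why. The changelog's whole justification is that some BIOSes leave a DPLL on the SSC reference; a sentence to that effect above the loop would make it clear that this inspects inherited firmware state and not state the driver programmed.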
@@ -6332,9 +6348,9 @@ static void ironlake_init_pch_refclk(str
 				final |= DREF_CPU_SOURCE_OUTPUT_NONSPREAD;
 		} else
 			final |= DREF_CPU_SOURCE_OUTPUT_DISABLE;
-	} else {
-		final |= DREF_SSC_SOURCE_DISABLE;
-		final |= DREF_CPU_SOURCE_OUTPUT_DISABLE;
+	} else if (using_ssc_source) {
+		final |= DREF_SSC_SOURCE_ENABLE;
+		final |= DREF_SSC1_ENABLE;
 	}
 
 	if (final == val)
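Review bot: after this change the no-panel path with using_ssc_source false ORs nothing into final, where it used to OR in DREF_SSC_SOURCE_DISABLE and DREF_CPU_SOURCE_OUTPUT_DISABLE, while the later code still does val |= DREF_SSC_SOURCE_DISABLE before BUG_ON(val != final). That holds only if both DISABLE values are zero or already part of final. Either keep the explicit ORs in a plain else branch or add a comment stating the assumption.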
@@ -6380,7 +6396,7 @@ static void ironlake_init_pch_refclk(str
 		POSTING_READ(PCH_DREF_CONTROL);
 		udelay(200);
 	} else {
-		DRM_DEBUG_KMS("Disabling SSC entirely\n");
+		DRM_DEBUG_KMS("Disabling CPU source output\n");
 
 		val &= ~DREF_CPU_SOURCE_OUTPUT_MASK;
 
@@ -6391,16 +6407,20 @@ static void ironlake_init_pch_refclk(str
 		POSTING_READ(PCH_DREF_CONTROL);
 		udelay(200);
 
-		/* Turn off the SSC source */
-		val &= ~DREF_SSC_SOURCE_MASK;
-		val |= DREF_SSC_SOURCE_DISABLE;
+		if (!using_ssc_source) {
+			DRM_DEBUG_KMS("Disabling SSC source\n");
 
-		/* Turn off SSC1 */
-		val &= ~DREF_SSC1_ENABLE;
+			/* Turn off the SSC source */
+			val &= ~DREF_SSC_SOURCE_MASK;
+			val |= DREF_SSC_SOURCE_DISABLE;
 
-		I915_WRITE(PCH_DREF_CONTROL, val);
-		POSTING_READ(PCH_DREF_CONTROL);
-		udelay(200);
+			/* Turn off SSC1 */
+			val &= ~DREF_SSC1_ENABLE;
+
+			I915_WRITE(PCH_DREF_CONTROL, val);
+			POSTING_READ(PCH_DREF_CONTROL);
+			udelay(200);
+		}
 	}
 
 	BUG_ON(val != final);
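Review bot: when using_ssc_source is true, val keeps whatever SSC source and SSC1 bits the firmware left, while final was built with DREF_SSC_SOURCE_ENABLE and DREF_SSC1_ENABLE, so the BUG_ON(val != final) at the end fires if the firmware state differs in either bit. The "Changes since v4" entry already records a BUG() tied to the calculation of final. Setting the SSC bits in val explicitly in this branch, or downgrading the check to a WARN, would keep display init from depending on firmware state.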

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 113/305] mmc: longer timeout for long read time quirk
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (222 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 182/305] ARM: 8579/1: mm: Fix definition of pmd_mknotpresent Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 070/305] powerpc/mm/hash64: Fix subpage protection with 4K HPTE config Ben Hutchings
                   ` (81 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Matt Gumbel, Ulf Hansson, Adrian Hunter

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Gumbel <matthew.k.gumbel@intel.com>

commit 32ecd320db39bcb007679ed42f283740641b81ea upstream.

008GE0 Toshiba mmc in some Intel Baytrail tablets responds to
MMC_SEND_EXT_CSD in 450-600ms.

This patch will...

() Increase the long read time quirk timeout from 300ms to 600ms. Original
   author of that quirk says 300ms was only a guess and that the number
   may need to be raised in the future.

() Add this specific MMC to the quirk

Signed-off-by: Matt Gumbel <matthew.k.gumbel@intel.com>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mmc/card/block.c | 5 +++--
 drivers/mmc/core/core.c  | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -2401,11 +2401,12 @@ static const struct mmc_fixup blk_fixups
 		  MMC_QUIRK_BLK_NO_CMD23),
 
 	/*
-	 * Some Micron MMC cards needs longer data read timeout than
-	 * indicated in CSD.
+	 * Some MMC cards need longer data read timeout than indicated in CSD.
 	 */
 	MMC_FIXUP(CID_NAME_ANY, CID_MANFID_MICRON, 0x200, add_quirk_mmc,
 		  MMC_QUIRK_LONG_READ_TIME),
+	MMC_FIXUP("008GE0", CID_MANFID_TOSHIBA, CID_OEMID_ANY, add_quirk_mmc,
+		  MMC_QUIRK_LONG_READ_TIME),
 
 	/*
 	 * On these Samsung MoviNAND parts, performing secure erase or
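Review bot: the new MMC_FIXUP entry matches the name "008GE0" with CID_OEMID_ANY, whereas the Micron entry above it wildcards the name and pins the OEM id to 0x200, and the shared comment no longer says which parts are meant. Please name the device in the comment (the changelog has it: a Toshiba MMC in some Intel Baytrail tablets) so the name match reads as deliberate.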
--- a/drivers/mmc/core/core.c
+++ b/drivers/mmc/core/core.c
@@ -811,11 +811,11 @@ void mmc_set_data_timeout(struct mmc_dat
 	/*
 	 * Some cards require longer data read timeout than indicated in CSD.
 	 * Address this by setting the read timeout to a "reasonably high"
-	 * value. For the cards tested, 300ms has proven enough. If necessary,
+	 * value. For the cards tested, 600ms has proven enough. If necessary,
 	 * this value can be increased if other problematic cards require this.
 	 */
 	if (mmc_card_long_read_time(card) && data->flags & MMC_DATA_READ) {
-		data->timeout_ns = 300000000;
+		data->timeout_ns = 600000000;
 		data->timeout_clks = 0;
 	}
 
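Review bot: the new data->timeout_ns of 600000000 equals the top of the 450-600ms response range quoted in the changelog, leaving no margin for the part this patch is meant to fix. The comment's "600ms has proven enough" now also speaks for the cards that were covered by the 300ms value. Consider a value with headroom above the slowest observed response, and a named constant in place of the bare literal.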

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 258/305] ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (8 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 118/305] UBI: fix missing brace control flow Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 084/305] blk-mq: fix undefined behaviour in order_to_size() Ben Hutchings
                   ` (295 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Dan Carpenter

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 62db7152c924e4c060e42b34a69cd39658e8a0dc upstream.

vortex_wtdma_bufshift() function does calculate the page index
wrongly, first masking then shift, which always results in zero.
The proper computation is to first shift, then mask.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/au88x0/au88x0_core.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/sound/pci/au88x0/au88x0_core.c
+++ b/sound/pci/au88x0/au88x0_core.c
@@ -1442,9 +1442,8 @@ static int vortex_wtdma_bufshift(vortex_
 	int page, p, pp, delta, i;
 
 	page =
-	    (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2)) &
-	     WT_SUBBUF_MASK)
-	    >> WT_SUBBUF_SHIFT;
+	    (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2))
+	     >> WT_SUBBUF_SHIFT) & WT_SUBBUF_MASK;
 	if (dma->nr_periods >= 4)
 		delta = (page - dma->period_real) & 3;
 	else {
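Review bot: the corrected expression shifts first and then applies WT_SUBBUF_MASK, which is right only if the mask is defined for the already-shifted field. The changelog's "always results in zero" implies that it is, but the definition is not visible here, so a short comment next to the expression or the #define would stop the order from being flipped back. The nr_periods >= 4 branch just below also masks the difference with a literal 3 where a named mask would be clearer.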

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 144/305] of: irq: fix of_irq_get[_byname]() kernel-doc
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (104 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 097/305] sunrpc: Update RPCBIND_MAXNETIDLEN Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 010/305] Bluetooth: vhci: fix open_timeout vs. hdev race Ben Hutchings
                   ` (199 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sergei Shtylyov, Rob Herring

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>

commit 3993546646baf1dab5f5c4f7d9bb58f2046fd1c1 upstream.

The kernel-doc for the of_irq_get[_byname]()  is clearly inadequate in
describing the return values -- of_irq_get_byname() is documented better
than of_irq_get() but it  still doesn't mention that 0 is returned iff
irq_create_of_mapping() fails (it doesn't return an error code in this
case). Document all possible return value variants, making the writing
of the word "IRQ" consistent, while at it...

Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
Fixes: ad69674e73a1 ("of/irq: do irq resolution in platform_get_irq_byname()")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/of/irq.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -385,13 +385,13 @@ int of_irq_to_resource(struct device_nod
 EXPORT_SYMBOL_GPL(of_irq_to_resource);
 
 /**
- * of_irq_get - Decode a node's IRQ and return it as a Linux irq number
+ * of_irq_get - Decode a node's IRQ and return it as a Linux IRQ number
  * @dev: pointer to device tree node
- * @index: zero-based index of the irq
- *
- * Returns Linux irq number on success, or -EPROBE_DEFER if the irq domain
- * is not yet created.
+ * @index: zero-based index of the IRQ
  *
+ * Returns Linux IRQ number on success, or 0 on the IRQ mapping failure, or
+ * -EPROBE_DEFER if the IRQ domain is not yet created, or error code in case
+ * of any other failure.
  */
 int of_irq_get(struct device_node *dev, int index)
 {
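Review bot: the new Returns text for of_irq_get() says "0 on the IRQ mapping failure", which reads oddly and buries the important part, namely that 0 is a failure value a caller testing only for a negative return will miss. Suggest "or 0 if the IRQ mapping fails", with the same wording in of_irq_get_byname() below. As the change is comment-only, a line in the changelog on why it is wanted in stable would help.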
@@ -411,12 +411,13 @@ int of_irq_get(struct device_node *dev,
 }
 
 /**
- * of_irq_get_byname - Decode a node's IRQ and return it as a Linux irq number
+ * of_irq_get_byname - Decode a node's IRQ and return it as a Linux IRQ number
  * @dev: pointer to device tree node
- * @name: irq name
+ * @name: IRQ name
  *
- * Returns Linux irq number on success, or -EPROBE_DEFER if the irq domain
- * is not yet created, or error code in case of any other failure.
+ * Returns Linux IRQ number on success, or 0 on the IRQ mapping failure, or
+ * -EPROBE_DEFER if the IRQ domain is not yet created, or error code in case
+ * of any other failure.
  */
 int of_irq_get_byname(struct device_node *dev, const char *name)
 {

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 231/305] iio: accel: kxsd9: fix the usage of spi_w8r8()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (27 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 217/305] IB/mlx4: Verify port number in flow steering create flow Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 254/305] batman-adv: Fix double-put of vlan object Ben Hutchings
                   ` (276 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Linus Walleij, Jonathan Cameron

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 0c1f91b98552da49d9d8eed32b3132a58d2f4598 upstream.

These two spi_w8r8() calls return a value which is used by the code
following the error check. The dubious use was caused by a cleanup
patch.

Fixes: d34dbee8ac8e ("staging:iio:accel:kxsd9 cleanup and conversion to iio_chan_spec.")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/accel/kxsd9.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -81,7 +81,7 @@ static int kxsd9_write_scale(struct iio_
 
 	mutex_lock(&st->buf_lock);
 	ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
-	if (ret)
+	if (ret < 0)
 		goto error_ret;
 	st->tx[0] = KXSD9_WRITE(KXSD9_REG_CTRL_C);
 	st->tx[1] = (ret & ~KXSD9_FS_MASK) | i;
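
Review bot: in kxsd9_write_scale(), `ret` carries both the error status and the CTRL_C register value that is then masked into `st->tx[1]`, and that overloading is what allowed the earlier `if (ret)` check to look correct. The `ret < 0` test is right for a call whose successful return is data; reading the register into a separate local and keeping `ret` for status only would make a later cleanup less likely to reintroduce the bug.
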
@@ -163,7 +163,7 @@ static int kxsd9_read_raw(struct iio_dev
 		break;
 	case IIO_CHAN_INFO_SCALE:
 		ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
-		if (ret)
+		if (ret < 0)
 			goto error_ret;
 		*val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
 		ret = IIO_VAL_INT_PLUS_MICRO;
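
Review bot: in the IIO_CHAN_INFO_SCALE case the register value now actually reaches `kxsd9_micro_scales[ret & KXSD9_FS_MASK]`, so the table needs an entry for every value the mask can produce. Before this change the lookup only ran when the register read back as 0; the table definition is not in this hunk, so its size is worth confirming against KXSD9_FS_MASK.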


* [PATCH 3.16 003/305] ARM: dts: kirkwood: add kirkwood-nsa320.dtb to Makefile
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (277 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 248/305] ipr: Clear interrupt on croc/crocodile when running with LSI Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 121/305] ALSA: hda - Fix headset mic detection problem for one Dell machine Ben Hutchings
                   ` (26 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Gregory CLEMENT, Heinrich Schuchardt

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Heinrich Schuchardt <xypron.glpk@gmx.de>

commit 9ec423ed62b8278412400fae6c064edb6ce1bb51 upstream.

Commit be3d7d023b87 ("ARM: kirkwood: Add DTS file for NSA320")
created the new file kirkwood-nsa320.dts but did not
add it to the Makefile.

Fixes: be3d7d023b87 ("ARM: kirkwood: Add DTS file for NSA320")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/Makefile | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/Makefile
+++ b/arch/arm/boot/dts/Makefile
@@ -132,6 +132,7 @@ kirkwood := \
 	kirkwood-ns2mini.dtb \
 	kirkwood-nsa310.dtb \
 	kirkwood-nsa310a.dtb \
+	kirkwood-nsa320.dtb \
 	kirkwood-openblocks_a6.dtb \
 	kirkwood-openblocks_a7.dtb \
 	kirkwood-openrd-base.dtb \


* [PATCH 3.16 265/305] net: bcmsysport: Device stats are unsigned long
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (163 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 018/305] scsi: Add intermediate STARGET_REMOVE state to scsi_target_state Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 049/305] arm64: Ensure pmd_present() returns false after pmd_mknotpresent() Ben Hutchings
                   ` (140 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Fainelli, David S. Miller

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit 016eb55157166132b094e53434748cae35e18455 upstream.

On 64-bit kernels, device stats are 64 bits wide, not 32 bits.

Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/broadcom/bcmsysport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -380,7 +380,7 @@ static void bcm_sysport_get_stats(struct
 		else
 			p = (char *)priv;
 		p += s->stat_offset;
-		data[i] = *(u32 *)p;
+		data[i] = *(unsigned long *)p;
 	}
 }
 
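
Review bot: the `*(unsigned long *)p` read is applied after both branches above it, including the `else` path where `p` points into `priv`. That is correct only if every counter reachable through `s->stat_offset` in `priv` is also an unsigned long; a 32-bit field there would now be read together with 4 adjacent bytes on a 64-bit kernel. Please confirm the field types, or choose the access width per stat instead of using one cast for both sources.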


* [PATCH 3.16 165/305] iio: proximity: as3935: fix buffer stack trashing
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (92 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 240/305] ARC: unwind: ensure that .debug_frame is generated (vs. .eh_frame) Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 180/305] scsi: fix race between simultaneous decrements of ->host_failed Ben Hutchings
                   ` (211 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, george.mccollister, Jonathan Cameron, Matt Ranostay

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Ranostay <mranostay@gmail.com>

commit 37b1ba2c68cfbe37f5f45bb91bcfaf2b016ae6a1 upstream.

Buffer wasn't of a valid size to allow the timestamp, and correct padding.
This patchset also moves the buffer off the stack, and onto the heap.

Cc: george.mccollister@gmail.com
Signed-off-by: Matt Ranostay <mranostay@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/proximity/as3935.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/iio/proximity/as3935.c
+++ b/drivers/iio/proximity/as3935.c
@@ -64,6 +64,7 @@ struct as3935_state {
 	struct delayed_work work;
 
 	u32 tune_cap;
+	u8 buffer[16]; /* 8-bit data + 56-bit padding + 64-bit timestamp */
 	u8 buf[2] ____cacheline_aligned;
 };
 
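
Review bot: `u8 buffer[16]` is declared as a plain byte array directly after `u32 tune_cap`, so nothing enforces natural alignment for the 64-bit timestamp that the comment places at offset 8. Consider an explicit alignment attribute on the member, or a small struct with a `u8` data field and an `s64` timestamp, so the layout described in the comment is guaranteed by the compiler.
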
@@ -212,9 +213,10 @@ static irqreturn_t as3935_trigger_handle
 	ret = as3935_read(st, AS3935_DATA, &val);
 	if (ret)
 		goto err_read;
-	val &= AS3935_DATA_MASK;
 
-	iio_push_to_buffers_with_timestamp(indio_dev, &val, pf->timestamp);
+	st->buffer[0] = val & AS3935_DATA_MASK;
+	iio_push_to_buffers_with_timestamp(indio_dev, &st->buffer,
+					   pf->timestamp);
 err_read:
 	iio_trigger_notify_done(indio_dev->trig);
 
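
Review bot: the trigger handler writes only `st->buffer[0]`, so bytes 1 to 7 of the pushed sample are whatever the state structure already held. That is fine if the structure is zero-allocated, but the allocation is not visible in this patch and the padding is pushed along with the data. Also, `&st->buffer` has pointer-to-array type; `st->buffer` is the conventional spelling and yields the same address.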


* [PATCH 3.16 299/305] netfilter: ip_tables: simplify translate_compat_table args
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (241 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 037/305] Revert "tty: Fix pty master poll() after slave closes v2" Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 174/305] usb: quirks: Fix sorting Ben Hutchings
                   ` (62 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Westphal, Pablo Neira Ayuso

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 7d3f843eed29222254c9feab481f55175a1afcc9 upstream.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1445,7 +1445,6 @@ compat_copy_entry_to_user(struct ipt_ent
 
 static int
 compat_find_calc_match(struct xt_entry_match *m,
-		       const char *name,
 		       const struct ipt_ip *ip,
 		       unsigned int hookmask,
 		       int *size)
@@ -1483,8 +1482,7 @@ check_compat_entry_size_and_hooks(struct
 				  const unsigned char *base,
 				  const unsigned char *limit,
 				  const unsigned int *hook_entries,
-				  const unsigned int *underflows,
-				  const char *name)
+				  const unsigned int *underflows)
 {
 	struct xt_entry_match *ematch;
 	struct xt_entry_target *t;
@@ -1520,8 +1518,7 @@ check_compat_entry_size_and_hooks(struct
 	entry_offset = (void *)e - (void *)base;
 	j = 0;
 	xt_ematch_foreach(ematch, e) {
-		ret = compat_find_calc_match(ematch, name,
-					     &e->ip, e->comefrom, &off);
+		ret = compat_find_calc_match(ematch, &e->ip, e->comefrom, &off);
 		if (ret != 0)
 			goto release_matches;
 		++j;
@@ -1570,7 +1567,7 @@ release_matches:
 
 static int
 compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
-			    unsigned int *size, const char *name,
+			    unsigned int *size,
 			    struct xt_table_info *newinfo, unsigned char *base)
 {
 	struct xt_entry_target *t;
@@ -1646,14 +1643,9 @@ compat_check_entry(struct ipt_entry *e,
 
 static int
 translate_compat_table(struct net *net,
-		       const char *name,
-		       unsigned int valid_hooks,
 		       struct xt_table_info **pinfo,
 		       void **pentry0,
-		       unsigned int total_size,
-		       unsigned int number,
-		       unsigned int *hook_entries,
-		       unsigned int *underflows)
+		       const struct compat_ipt_replace *compatr)
 {
 	unsigned int i, j;
 	struct xt_table_info *newinfo, *info;
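
Review bot: translate_compat_table() now reads `compatr->size`, `compatr->num_entries` and the hook arrays several times instead of receiving them by value, so the function is only safe if `compatr` points at a kernel copy of the request. The caller in the last hunk passes `&tmp`, which appears to be that copy, but the changelog is empty and nothing at the prototype says so. A one-line comment stating that `compatr` must not point to user memory would keep a later caller from introducing a double fetch.
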
@@ -1665,8 +1657,8 @@ translate_compat_table(struct net *net,
 
 	info = *pinfo;
 	entry0 = *pentry0;
-	size = total_size;
-	info->number = number;
+	size = compatr->size;
+	info->number = compatr->num_entries;
 
 	/* Init all hooks to impossible value. */
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
@@ -1677,40 +1669,39 @@ translate_compat_table(struct net *net,
 	duprintf("translate_compat_table: size %u\n", info->size);
 	j = 0;
 	xt_compat_lock(AF_INET);
-	xt_compat_init_offsets(AF_INET, number);
+	xt_compat_init_offsets(AF_INET, compatr->num_entries);
 	/* Walk through entries, checking offsets. */
-	xt_entry_foreach(iter0, entry0, total_size) {
+	xt_entry_foreach(iter0, entry0, compatr->size) {
 		ret = check_compat_entry_size_and_hooks(iter0, info, &size,
 							entry0,
-							entry0 + total_size,
-							hook_entries,
-							underflows,
-							name);
+							entry0 + compatr->size,
+							compatr->hook_entry,
+							compatr->underflow);
 		if (ret != 0)
 			goto out_unlock;
 		++j;
 	}
 
 	ret = -EINVAL;
-	if (j != number) {
+	if (j != compatr->num_entries) {
 		duprintf("translate_compat_table: %u not %u entries\n",
-			 j, number);
+			 j, compatr->num_entries);
 		goto out_unlock;
 	}
 
 	/* Check hooks all assigned */
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
 		/* Only hooks which are valid */
-		if (!(valid_hooks & (1 << i)))
+		if (!(compatr->valid_hooks & (1 << i)))
 			continue;
 		if (info->hook_entry[i] == 0xFFFFFFFF) {
 			duprintf("Invalid hook entry %u %u\n",
-				 i, hook_entries[i]);
+				 i, info->hook_entry[i]);
 			goto out_unlock;
 		}
 		if (info->underflow[i] == 0xFFFFFFFF) {
 			duprintf("Invalid underflow %u %u\n",
-				 i, underflows[i]);
+				 i, info->underflow[i]);
 			goto out_unlock;
 		}
 	}
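
Review bot: the two duprintf() calls in the hook check now print `info->hook_entry[i]` and `info->underflow[i]`, but each sits inside an `if` that has just established that the value is 0xFFFFFFFF, so the message no longer carries information. The removed lines printed the caller-supplied `hook_entries[i]` and `underflows[i]`; using `compatr->hook_entry[i]` and `compatr->underflow[i]` would keep that output, and a change in what is logged deserves a mention in a patch titled as an argument simplification.
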
@@ -1720,17 +1711,17 @@ translate_compat_table(struct net *net,
 	if (!newinfo)
 		goto out_unlock;
 
-	newinfo->number = number;
+	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
 		newinfo->hook_entry[i] = info->hook_entry[i];
 		newinfo->underflow[i] = info->underflow[i];
 	}
 	entry1 = newinfo->entries[raw_smp_processor_id()];
 	pos = entry1;
-	size = total_size;
-	xt_entry_foreach(iter0, entry0, total_size) {
+	size = compatr->size;
+	xt_entry_foreach(iter0, entry0, compatr->size) {
 		ret = compat_copy_entry_from_user(iter0, &pos, &size,
-						  name, newinfo, entry1);
+						  newinfo, entry1);
 		if (ret != 0)
 			break;
 	}
@@ -1740,12 +1731,12 @@ translate_compat_table(struct net *net,
 		goto free_newinfo;
 
 	ret = -ELOOP;
-	if (!mark_source_chains(newinfo, valid_hooks, entry1))
+	if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
 		goto free_newinfo;
 
 	i = 0;
 	xt_entry_foreach(iter1, entry1, newinfo->size) {
-		ret = compat_check_entry(iter1, net, name);
+		ret = compat_check_entry(iter1, net, compatr->name);
 		if (ret != 0)
 			break;
 		++i;
@@ -1790,7 +1781,7 @@ translate_compat_table(struct net *net,
 free_newinfo:
 	xt_free_table_info(newinfo);
 out:
-	xt_entry_foreach(iter0, entry0, total_size) {
+	xt_entry_foreach(iter0, entry0, compatr->size) {
 		if (j-- == 0)
 			break;
 		compat_release_entry(iter0);
@@ -1833,10 +1824,7 @@ compat_do_replace(struct net *net, void
 		goto free_newinfo;
 	}
 
-	ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
-				     &newinfo, &loc_cpu_entry, tmp.size,
-				     tmp.num_entries, tmp.hook_entry,
-				     tmp.underflow);
+	ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
 	if (ret != 0)
 		goto free_newinfo;
 


* [PATCH 3.16 062/305] MIPS: KVM: Fix timer IRQ race when writing CP0_Compare
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (136 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 027/305] PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 059/305] USB: serial: mxuport: fix use-after-free in probe error path Ben Hutchings
                   ` (167 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, James Hogan, kvm, linux-mips,
	Radim Krčmář,
	Paolo Bonzini

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit b45bacd2d048f405c7760e5cc9b60dd67708734f upstream.

Writing CP0_Compare clears the timer interrupt pending bit
(CP0_Cause.TI), but this wasn't being done atomically. If a timer
interrupt raced with the write of the guest CP0_Compare, the timer
interrupt could end up being pending even though the new CP0_Compare is
nowhere near CP0_Count.

We were already updating the hrtimer expiry with
kvm_mips_update_hrtimer(), which used both kvm_mips_freeze_hrtimer() and
kvm_mips_resume_hrtimer(). Close the race window by expanding out
kvm_mips_update_hrtimer(), and clearing CP0_Cause.TI and setting
CP0_Compare between the freeze and resume. Since the pending timer
interrupt should not be cleared when CP0_Compare is written via the KVM
user API, an ack argument is added to distinguish the source of the
write.

Fixes: e30492bbe95a ("MIPS: KVM: Rewrite count/compare timer emulation")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/kvm_host.h |  2 +-
 arch/mips/kvm/kvm_mips_emul.c    | 61 ++++++++++++++++++----------------------
 arch/mips/kvm/kvm_trap_emul.c    |  2 +-
 3 files changed, 29 insertions(+), 36 deletions(-)

--- a/arch/mips/include/asm/kvm_host.h
+++ b/arch/mips/include/asm/kvm_host.h
@@ -718,7 +718,7 @@ extern enum emulation_result kvm_mips_co
 
 uint32_t kvm_mips_read_count(struct kvm_vcpu *vcpu);
 void kvm_mips_write_count(struct kvm_vcpu *vcpu, uint32_t count);
-void kvm_mips_write_compare(struct kvm_vcpu *vcpu, uint32_t compare);
+void kvm_mips_write_compare(struct kvm_vcpu *vcpu, uint32_t compare, bool ack);
 void kvm_mips_init_count(struct kvm_vcpu *vcpu);
 int kvm_mips_set_count_ctl(struct kvm_vcpu *vcpu, s64 count_ctl);
 int kvm_mips_set_count_resume(struct kvm_vcpu *vcpu, s64 count_resume);
--- a/arch/mips/kvm/kvm_mips_emul.c
+++ b/arch/mips/kvm/kvm_mips_emul.c
@@ -447,32 +447,6 @@ static void kvm_mips_resume_hrtimer(stru
 }
 
 /**
- * kvm_mips_update_hrtimer() - Update next expiry time of hrtimer.
- * @vcpu:	Virtual CPU.
- *
- * Recalculates and updates the expiry time of the hrtimer. This can be used
- * after timer parameters have been altered which do not depend on the time that
- * the change occurs (in those cases kvm_mips_freeze_hrtimer() and
- * kvm_mips_resume_hrtimer() are used directly).
- *
- * It is guaranteed that no timer interrupts will be lost in the process.
- *
- * Assumes !kvm_mips_count_disabled(@vcpu) (guest CP0_Count timer is running).
- */
-static void kvm_mips_update_hrtimer(struct kvm_vcpu *vcpu)
-{
-	ktime_t now;
-	uint32_t count;
-
-	/*
-	 * freeze_hrtimer takes care of a timer interrupts <= count, and
-	 * resume_hrtimer the hrtimer takes care of a timer interrupts > count.
-	 */
-	now = kvm_mips_freeze_hrtimer(vcpu, &count);
-	kvm_mips_resume_hrtimer(vcpu, now, count);
-}
-
-/**
  * kvm_mips_write_count() - Modify the count and update timer.
  * @vcpu:	Virtual CPU.
  * @count:	Guest CP0_Count value to set.
@@ -567,23 +541,42 @@ int kvm_mips_set_count_hz(struct kvm_vcp
  * kvm_mips_write_compare() - Modify compare and update timer.
  * @vcpu:	Virtual CPU.
  * @compare:	New CP0_Compare value.
+ * @ack:	Whether to acknowledge timer interrupt.
  *
  * Update CP0_Compare to a new value and update the timeout.
+ * If @ack, atomically acknowledge any pending timer interrupt, otherwise ensure
+ * any pending timer interrupt is preserved.
  */
-void kvm_mips_write_compare(struct kvm_vcpu *vcpu, uint32_t compare)
+void kvm_mips_write_compare(struct kvm_vcpu *vcpu, uint32_t compare, bool ack)
 {
 	struct mips_coproc *cop0 = vcpu->arch.cop0;
+	int dc;
+	u32 old_compare = kvm_read_c0_guest_compare(cop0);
+	ktime_t now;
+	uint32_t count;
 
 	/* if unchanged, must just be an ack */
-	if (kvm_read_c0_guest_compare(cop0) == compare)
+	if (old_compare == compare) {
+		if (!ack)
+			return;
+		kvm_mips_callbacks->dequeue_timer_int(vcpu);
+		kvm_write_c0_guest_compare(cop0, compare);
 		return;
+	}
+
+	/* freeze_hrtimer() takes care of timer interrupts <= count */
+	dc = kvm_mips_count_disabled(vcpu);
+	if (!dc)
+		now = kvm_mips_freeze_hrtimer(vcpu, &count);
+
+	if (ack)
+		kvm_mips_callbacks->dequeue_timer_int(vcpu);
 
-	/* Update compare */
 	kvm_write_c0_guest_compare(cop0, compare);
 
-	/* Update timeout if count enabled */
-	if (!kvm_mips_count_disabled(vcpu))
-		kvm_mips_update_hrtimer(vcpu);
+	/* resume_hrtimer() takes care of timer interrupts > count */
+	if (!dc)
+		kvm_mips_resume_hrtimer(vcpu, now, count);
 }
 
 /**
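
Review bot: the comment "if unchanged, must just be an ack" is kept above a branch that now also handles the `!ack` case, where an unchanged value arrives through the user API and is not an ack at all; please reword it to cover both paths. In the `ack` path of that branch, `kvm_write_c0_guest_compare(cop0, compare)` stores a value that was just read back as equal, so either drop the store or say why it is needed. `now` and `count` are assigned only under `if (!dc)`; the later use is guarded the same way, but some compilers will still flag them as possibly uninitialized.
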
@@ -1061,9 +1054,9 @@ kvm_mips_emulate_CP0(uint32_t inst, uint
 
 				/* If we are writing to COMPARE */
 				/* Clear pending timer interrupt, if any */
-				kvm_mips_callbacks->dequeue_timer_int(vcpu);
 				kvm_mips_write_compare(vcpu,
-						       vcpu->arch.gprs[rt]);
+						       vcpu->arch.gprs[rt],
+						       true);
 			} else if ((rd == MIPS_CP0_STATUS) && (sel == 0)) {
 				kvm_write_c0_guest_status(cop0,
 							  vcpu->arch.gprs[rt]);
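
Review bot: the retained comment "Clear pending timer interrupt, if any" no longer has a statement under it, because the `dequeue_timer_int()` call was removed and the clearing is now requested through the `true` argument. Move or reword the comment so that it explains the `true`, otherwise a reader will look for the missing call.
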
--- a/arch/mips/kvm/kvm_trap_emul.c
+++ b/arch/mips/kvm/kvm_trap_emul.c
@@ -451,7 +451,7 @@ static int kvm_trap_emul_set_one_reg(str
 		kvm_mips_write_count(vcpu, v);
 		break;
 	case KVM_REG_MIPS_CP0_COMPARE:
-		kvm_mips_write_compare(vcpu, v);
+		kvm_mips_write_compare(vcpu, v, false);
 		break;
 	case KVM_REG_MIPS_CP0_CAUSE:
 		/*


* [PATCH 3.16 123/305] sfc: on MC reset, clear PIO buffer linkage in TXQs
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (10 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 084/305] blk-mq: fix undefined behaviour in order_to_size() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 268/305] xenbus: don't BUG() on user mode induced condition Ben Hutchings
                   ` (293 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Edward Cree, David S. Miller

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Edward Cree <ecree@solarflare.com>

commit c0795bf64cba4d1b796fdc5b74b33772841ed1bb upstream.

Otherwise, if we fail to allocate new PIO buffers, our TXQs will try to
use the old ones, which aren't there any more.

Fixes: 183233bec810 "sfc: Allocate and link PIO buffers; map them with write-combining"
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/sfc/ef10.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/net/ethernet/sfc/ef10.c
+++ b/drivers/net/ethernet/sfc/ef10.c
@@ -451,6 +451,17 @@ fail:
 	return rc;
 }
 
+static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
+{
+	struct efx_channel *channel;
+	struct efx_tx_queue *tx_queue;
+
+	/* All our existing PIO buffers went away */
+	efx_for_each_channel(channel, efx)
+		efx_for_each_channel_tx_queue(tx_queue, channel)
+			tx_queue->piobuf = NULL;
+}
+
 #else /* !EFX_USE_PIO */
 
 static int efx_ef10_alloc_piobufs(struct efx_nic *efx, unsigned int n)
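
Review bot: efx_ef10_forget_old_piobufs() stores NULL to `tx_queue->piobuf` for every queue with no lock or barrier visible, so its safety depends on the transmit path not running while the MC reset is being handled. A short comment naming what serializes this against transmit would help, given that the changelog says the TXQs would otherwise try to use the old buffers.
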
@@ -467,6 +478,10 @@ static void efx_ef10_free_piobufs(struct
 {
 }
 
+static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
+{
+}
+
 #endif /* EFX_USE_PIO */
 
 static void efx_ef10_remove(struct efx_nic *efx)
@@ -698,6 +713,7 @@ static void efx_ef10_reset_mc_allocation
 	nic_data->must_realloc_vis = true;
 	nic_data->must_restore_filters = true;
 	nic_data->must_restore_piobufs = true;
+	efx_ef10_forget_old_piobufs(efx);
 	nic_data->rx_rss_context = EFX_EF10_RSS_CONTEXT_INVALID;
 }
 


* [PATCH 3.16 217/305] IB/mlx4: Verify port number in flow steering create flow
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (26 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 043/305] tty: vt, return error when con_startup fails Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 231/305] iio: accel: kxsd9: fix the usage of spi_w8r8() Ben Hutchings
                   ` (277 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Yishai Hadas, Doug Ledford, Leon Romanovsky, Moni Shoua,
	Jack Morgenstein

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yishai Hadas <yishaih@mellanox.com>

commit 5533c18ab02b17a7f2ac11908e2d97d4b421617d upstream.

In procedure mlx4_ib_create_flow, passing an invalid port number
will cause an out-of-bounds array access. Data passed to this procedure
can come from user-space.  Therefore, need to validate port number
before proceeding onwards.

Note that we check against the number of physical ports declared at
the verbs (ib core) level; when bonding is active, the verbs level
sees one physical port, even though the low-level driver sees two ports.

Fixes: f77c0162a339 ("IB/mlx4: Add receive flow steering support")
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Reviewed-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Reviewed-by: Moni Shoua <monis@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16:
 - Adjust context
 - Function returns an integer, not a pointer/error]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/main.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -1016,6 +1016,9 @@ static int __mlx4_ib_create_flow(struct
 		[IB_FLOW_DOMAIN_NIC] = MLX4_DOMAIN_NIC,
 	};
 
+	if (flow_attr->port < 1 || flow_attr->port > qp->device->phys_port_cnt)
+		return -EINVAL;
+
 	if (flow_attr->priority > MLX4_IB_FLOW_MAX_PRIO) {
 		pr_err("Invalid priority value %d\n", flow_attr->priority);
 		return -EINVAL;
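
Review bot: the new range check on `flow_attr->port` returns -EINVAL silently, while the priority check immediately below it reports the same class of bad input with pr_err(). Since the changelog notes that this data can come from user space, the silent return is the better model; consider making the two consistent by dropping or rate-limiting the existing pr_err() rather than adding a message to the new check.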


* [PATCH 3.16 001/305] regmap: cache: Fix typo in cache_bypass parameter description
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (131 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 011/305] Bluetooth: vhci: purge unhandled skbs Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 133/305] powerpc: Use privileged SPR number for MMCR2 Ben Hutchings
                   ` (172 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Andrew F. Davis

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Andrew F. Davis" <afd@ti.com>

commit 267c85860308d36bc163c5573308cd024f659d7c upstream.

Setting the flag 'cache_bypass' will bypass the cache not the hardware.
Fix this comment here.

Fixes: 0eef6b0415f5 ("regmap: Fix doc comment")
Signed-off-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/base/regmap/regcache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/base/regmap/regcache.c
+++ b/drivers/base/regmap/regcache.c
@@ -473,7 +473,7 @@ EXPORT_SYMBOL_GPL(regcache_mark_dirty);
  * regcache_cache_bypass: Put a register map into cache bypass mode
  *
  * @map: map to configure
- * @cache_bypass: flag if changes should not be written to the hardware
+ * @cache_bypass: flag if changes should not be written to the cache
  *
  * When a register map is marked with the cache bypass option, writes
  * to the register map API will only update the hardware and not the


* [PATCH 3.16 110/305] tuntap: correctly wake up process during uninit
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (177 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 167/305] usb: dwc3: exynos: Fix deferred probing storm Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 117/305] UBI: do propagate positive error codes up Ben Hutchings
                   ` (126 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, Xi Wang, David S. Miller, Jason Wang,
	Michael S. Tsirkin

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jason Wang <jasowang@redhat.com>

commit addf8fc4acb1cf79492ac64966f07178793cb3d7 upstream.

We used to check dev->reg_state against NETREG_REGISTERED after each
time we are woken up. But after commit 9e641bdcfa4e ("net-tun:
restructure tun_do_read for better sleep/wakeup efficiency"), it uses
skb_recv_datagram() which does not check dev->reg_state. This will
result if we delete a tun/tap device after a process is blocked in the
reading. The device will wait for the reference count which was held
by that process for ever.

Fix this by using RCV_SHUTDOWN which will be checked during
sk_recv_datagram() before trying to wake up the process during uninit.

Fixes: 9e641bdcfa4e ("net-tun: restructure tun_do_read for better
sleep/wakeup efficiency")
Cc: Eric Dumazet <edumazet@google.com>
Cc: Xi Wang <xii@google.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/tun.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -499,11 +499,13 @@ static void tun_detach_all(struct net_de
 	for (i = 0; i < n; i++) {
 		tfile = rtnl_dereference(tun->tfiles[i]);
 		BUG_ON(!tfile);
+		tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
 		tfile->socket.sk->sk_data_ready(tfile->socket.sk);
 		RCU_INIT_POINTER(tfile->tun, NULL);
 		--tun->numqueues;
 	}
 	list_for_each_entry(tfile, &tun->disabled, next) {
+		tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
 		tfile->socket.sk->sk_data_ready(tfile->socket.sk);
 		RCU_INIT_POINTER(tfile->tun, NULL);
 	}
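
Review bot: both loops in tun_detach_all() assign `sk_shutdown = RCV_SHUTDOWN`, which overwrites any other shutdown bits already set on the socket, whereas tun_attach() in the next hunk clears only that bit with `&= ~RCV_SHUTDOWN`. Using `|= RCV_SHUTDOWN` would make the set and the clear symmetric; if discarding the other bits is intended, please say so in a comment.
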
@@ -559,6 +561,7 @@ static int tun_attach(struct tun_struct
 			goto out;
 	}
 	tfile->queue_index = tun->numqueues;
+	tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN;
 	rcu_assign_pointer(tfile->tun, tun);
 	rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
 	tun->numqueues++;
@@ -1345,9 +1348,6 @@ static ssize_t tun_do_read(struct tun_st
 	if (!len)
 		return ret;
 
-	if (tun->dev->reg_state != NETREG_REGISTERED)
-		return -EIO;
-
 	/* Read frames from queue */
 	skb = __skb_recv_datagram(tfile->socket.sk, noblock ? MSG_DONTWAIT : 0,
 				  &peeked, &off, &err);
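
Review bot: removing the `reg_state != NETREG_REGISTERED` test also removes the explicit -EIO that tun_do_read() returned for an unregistered device, and the changelog does not say what a reader sees instead once RCV_SHUTDOWN is set. Please document the return value for a blocked read and for a read issued after uninit, since user space may depend on the old errno.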


* [PATCH 3.16 048/305] ext4: fix oops on corrupted filesystem
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (264 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 251/305] batman-adv: Fix memory leak on tt add with invalid vlan Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 194/305] drm/i915/ilk: Don't disable SSC source if it's in use Ben Hutchings
                   ` (39 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Kara, Theodore Ts'o, Vegard Nossum

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 74177f55b70e2f2be770dd28684dd6d17106a4ba upstream.

When filesystem is corrupted in the right way, it can happen
ext4_mark_iloc_dirty() in ext4_orphan_add() returns error and we
subsequently remove inode from the in-memory orphan list. However this
deletion is done with list_del(&EXT4_I(inode)->i_orphan) and thus we
leave i_orphan list_head with a stale content. Later we can look at this
content causing list corruption, oops, or other issues. The reported
trace looked like:

WARNING: CPU: 0 PID: 46 at lib/list_debug.c:53 __list_del_entry+0x6b/0x100()
list_del corruption, 0000000061c1d6e0->next is LIST_POISON1
0000000000100100)
CPU: 0 PID: 46 Comm: ext4.exe Not tainted 4.1.0-rc4+ #250
Stack:
 60462947 62219960 602ede24 62219960
 602ede24 603ca293 622198f0 602f02eb
 62219950 6002c12c 62219900 601b4d6b
Call Trace:
 [<6005769c>] ? vprintk_emit+0x2dc/0x5c0
 [<602ede24>] ? printk+0x0/0x94
 [<600190bc>] show_stack+0xdc/0x1a0
 [<602ede24>] ? printk+0x0/0x94
 [<602ede24>] ? printk+0x0/0x94
 [<602f02eb>] dump_stack+0x2a/0x2c
 [<6002c12c>] warn_slowpath_common+0x9c/0xf0
 [<601b4d6b>] ? __list_del_entry+0x6b/0x100
 [<6002c254>] warn_slowpath_fmt+0x94/0xa0
 [<602f4d09>] ? __mutex_lock_slowpath+0x239/0x3a0
 [<6002c1c0>] ? warn_slowpath_fmt+0x0/0xa0
 [<60023ebf>] ? set_signals+0x3f/0x50
 [<600a205a>] ? kmem_cache_free+0x10a/0x180
 [<602f4e88>] ? mutex_lock+0x18/0x30
 [<601b4d6b>] __list_del_entry+0x6b/0x100
 [<601177ec>] ext4_orphan_del+0x22c/0x2f0
 [<6012f27c>] ? __ext4_journal_start_sb+0x2c/0xa0
 [<6010b973>] ? ext4_truncate+0x383/0x390
 [<6010bc8b>] ext4_write_begin+0x30b/0x4b0
 [<6001bb50>] ? copy_from_user+0x0/0xb0
 [<601aa840>] ? iov_iter_fault_in_readable+0xa0/0xc0
 [<60072c4f>] generic_perform_write+0xaf/0x1e0
 [<600c4166>] ? file_update_time+0x46/0x110
 [<60072f0f>] __generic_file_write_iter+0x18f/0x1b0
 [<6010030f>] ext4_file_write_iter+0x15f/0x470
 [<60094e10>] ? unlink_file_vma+0x0/0x70
 [<6009b180>] ? unlink_anon_vmas+0x0/0x260
 [<6008f169>] ? free_pgtables+0xb9/0x100
 [<600a6030>] __vfs_write+0xb0/0x130
 [<600a61d5>] vfs_write+0xa5/0x170
 [<600a63d6>] SyS_write+0x56/0xe0
 [<6029fcb0>] ? __libc_waitpid+0x0/0xa0
 [<6001b698>] handle_syscall+0x68/0x90
 [<6002633d>] userspace+0x4fd/0x600
 [<6002274f>] ? save_registers+0x1f/0x40
 [<60028bd7>] ? arch_prctl+0x177/0x1b0
 [<60017bd5>] fork_handler+0x85/0x90

Fix the problem by using list_del_init() as we always should with
i_orphan list.

Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2626,7 +2626,7 @@ int ext4_orphan_add(handle_t *handle, st
 			 * list entries can cause panics at unmount time.
 			 */
 			mutex_lock(&sbi->s_orphan_lock);
-			list_del(&EXT4_I(inode)->i_orphan);
+			list_del_init(&EXT4_I(inode)->i_orphan);
 			mutex_unlock(&sbi->s_orphan_lock);
 		}
 	}
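
Review bot: the comment above this error path says why the inode is taken off the orphan list but not why the removal has to be list_del_init(). The trace in the commit message shows ext4_orphan_del() later reaching __list_del_entry() with ->next at LIST_POISON1, so i_orphan is clearly looked at again after this point; one more sentence in the comment saying so would keep the call from being changed back to plain list_del().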

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 107/305] cifs: Create dedicated keyring for spnego operations
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (250 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 051/305] MIPS: Fix siginfo.h to use strict posix types Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 190/305] net_sched: introduce qdisc_replace() helper Ben Hutchings
                   ` (53 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Shirish Pargaonkar, Sachin Prabhu, Scott Mayhew, Steve French

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sachin Prabhu <sprabhu@redhat.com>

commit b74cb9a80268be5c80cf4c87c74debf0ff2129ac upstream.

The session key is the default keyring set for request_key operations.
This session key is revoked when the user owning the session logs out.
Any long running daemon processes started by this session end up with
a revoked session keyring, which prevents these processes from using the
request_key mechanism to obtain the krb5 keys.

The problem has been reported by a large number of autofs users. The
problem is also seen with multiuser mounts where the share may be used
by processes run by a user who has since logged out. A reproducer using
automount is available on the Red Hat bz.

The patch creates a new keyring which is used to cache cifs spnego
upcalls.

Red Hat bz: 1267754

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reported-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16: keyring_alloc() doesn't take a restrict_link param]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/cifs_spnego.c | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++
 fs/cifs/cifsfs.c      |  4 +--
 fs/cifs/cifsproto.h   |  2 ++
 3 files changed, 71 insertions(+), 2 deletions(-)

--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
@@ -24,10 +24,13 @@
 #include <linux/string.h>
 #include <keys/user-type.h>
 #include <linux/key-type.h>
+#include <linux/keyctl.h>
 #include <linux/inet.h>
 #include "cifsglob.h"
 #include "cifs_spnego.h"
 #include "cifs_debug.h"
+#include "cifsproto.h"
+static const struct cred *spnego_cred;
 
 /* create a new cifs key */
 static int
@@ -103,6 +106,7 @@ cifs_get_spnego_key(struct cifs_ses *ses
 	size_t desc_len;
 	struct key *spnego_key;
 	const char *hostname = server->hostname;
+	const struct cred *saved_cred;
 
 	/* length of fields (with semicolons): ver=0xyz ip4=ipaddress
 	   host=hostname sec=mechanism uid=0xFF user=username */
@@ -164,7 +168,9 @@ cifs_get_spnego_key(struct cifs_ses *ses
 	sprintf(dp, ";pid=0x%x", current->pid);
 
 	cifs_dbg(FYI, "key description = %s\n", description);
+	saved_cred = override_creds(spnego_cred);
 	spnego_key = request_key(&cifs_spnego_key_type, description, "");
+	revert_creds(saved_cred);
 
 #ifdef CONFIG_CIFS_DEBUG2
 	if (cifsFYI && !IS_ERR(spnego_key)) {
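
Review bot: the override_creds(spnego_cred)/revert_creds() pair around request_key() has no comment, and from this hunk alone it is not obvious that the lookup now runs under the module-wide credential set instead of the caller's. A short comment stating the intent from the commit message (results are cached in the dedicated .cifs_spnego keyring, so a revoked session keyring of the caller no longer matters) would help the next reader.
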
@@ -178,3 +184,64 @@ out:
 	kfree(description);
 	return spnego_key;
 }
+
+int
+init_cifs_spnego(void)
+{
+	struct cred *cred;
+	struct key *keyring;
+	int ret;
+
+	cifs_dbg(FYI, "Registering the %s key type\n",
+		 cifs_spnego_key_type.name);
+
+	/*
+	 * Create an override credential set with special thread keyring for
+	 * spnego upcalls.
+	 */
+
+	cred = prepare_kernel_cred(NULL);
+	if (!cred)
+		return -ENOMEM;
+
+	keyring = keyring_alloc(".cifs_spnego",
+				GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, cred,
+				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
+				KEY_USR_VIEW | KEY_USR_READ,
+				KEY_ALLOC_NOT_IN_QUOTA, NULL);
+	if (IS_ERR(keyring)) {
+		ret = PTR_ERR(keyring);
+		goto failed_put_cred;
+	}
+
+	ret = register_key_type(&cifs_spnego_key_type);
+	if (ret < 0)
+		goto failed_put_key;
+
+	/*
+	 * instruct request_key() to use this special keyring as a cache for
+	 * the results it looks up
+	 */
+	set_bit(KEY_FLAG_ROOT_CAN_CLEAR, &keyring->flags);
+	cred->thread_keyring = keyring;
+	cred->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
+	spnego_cred = cred;
+
+	cifs_dbg(FYI, "cifs spnego keyring: %d\n", key_serial(keyring));
+	return 0;
+
+failed_put_key:
+	key_put(keyring);
+failed_put_cred:
+	put_cred(cred);
+	return ret;
+}
+
+void
+exit_cifs_spnego(void)
+{
+	key_revoke(spnego_cred->thread_keyring);
+	unregister_key_type(&cifs_spnego_key_type);
+	put_cred(spnego_cred);
+	cifs_dbg(FYI, "Unregistered %s key type\n", cifs_spnego_key_type.name);
+}
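
Review bot: exit_cifs_spnego() drops the credential with put_cred(spnego_cred) but leaves the file-scope pointer set, while cifs_get_spnego_key() passes spnego_cred to override_creds() unconditionally. If the ordering in init_cifs() and module exit guarantees that no upcall can run after this point, a comment saying so is enough; otherwise consider clearing the pointer after the put. The two new non-static functions would also benefit from a comment describing what they set up and tear down.
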
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -1228,7 +1228,7 @@ init_cifs(void)
 		goto out_destroy_mids;
 
 #ifdef CONFIG_CIFS_UPCALL
-	rc = register_key_type(&cifs_spnego_key_type);
+	rc = init_cifs_spnego();
 	if (rc)
 		goto out_destroy_request_bufs;
 #endif /* CONFIG_CIFS_UPCALL */
@@ -1251,7 +1251,7 @@ out_init_cifs_idmap:
 out_register_key_type:
 #endif
 #ifdef CONFIG_CIFS_UPCALL
-	unregister_key_type(&cifs_spnego_key_type);
+	exit_cifs_spnego();
 out_destroy_request_bufs:
 #endif
 	cifs_destroy_request_bufs();
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -59,6 +59,8 @@ do {								\
 } while (0)
 extern int init_cifs_idmap(void);
 extern void exit_cifs_idmap(void);
+extern int init_cifs_spnego(void);
+extern void exit_cifs_spnego(void);
 extern char *build_path_from_dentry(struct dentry *);
 extern char *cifs_build_path_to_root(struct smb_vol *vol,
 				     struct cifs_sb_info *cifs_sb,

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 103/305] xfs: fix inode validity check in xfs_iflush_cluster
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (35 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 042/305] mcb: Fixed bar number assignment for the gdd Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 279/305] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt Ben Hutchings
                   ` (268 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dave Chinner, Christoph Hellwig, Dave Chinner

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Chinner <dchinner@redhat.com>

commit 51b07f30a71c27405259a0248206ed4e22adbee2 upstream.

Some careless idiot(*) wrote crap code in commit 1a3e8f3 ("xfs:
convert inode cache lookups to use RCU locking") back in late 2010,
and so xfs_iflush_cluster checks the wrong inode for whether it is
still valid under RCU protection. Fix it to lock and check the
correct inode.

(*) Careless-idiot: Dave Chinner <dchinner@redhat.com>

Discovered-by: Brain Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/xfs/xfs_inode.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -3029,13 +3029,13 @@ xfs_iflush_cluster(
 		 * We need to check under the i_flags_lock for a valid inode
 		 * here. Skip it if it is not valid or the wrong inode.
 		 */
-		spin_lock(&ip->i_flags_lock);
-		if (!ip->i_ino ||
+		spin_lock(&iq->i_flags_lock);
+		if (!iq->i_ino ||
 		    (XFS_INO_TO_AGINO(mp, iq->i_ino) & mask) != first_index) {
-			spin_unlock(&ip->i_flags_lock);
+			spin_unlock(&iq->i_flags_lock);
 			continue;
 		}
-		spin_unlock(&ip->i_flags_lock);
+		spin_unlock(&iq->i_flags_lock);
 
 		/*
 		 * Do an un-protected check to see if the inode is dirty and
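
Review bot: the comment above the lock still says only "a valid inode" without naming which of ip and iq is being checked, and the two names differ by one letter, which is how the wrong one came to be locked and tested. Consider naming iq in that comment so the lock, the i_ino test and the three unlocks are visibly tied to the same inode.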

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 178/305] usb: musb: Stop bulk endpoint while queue is rotated
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (19 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 270/305] xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7 Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 054/305] MIPS: Avoid using unwind_stack() with usermode Ben Hutchings
                   ` (284 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Bin Liu, Greg Kroah-Hartman, Andrew Goodbody

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrew Goodbody <andrew.goodbody@cambrionix.com>

commit 7b2c17f829545df27a910e8d82e133c21c9a8c9c upstream.

Ensure that the endpoint is stopped by clearing REQPKT before
clearing DATAERR_NAKTIMEOUT before rotating the queue on the
dedicated bulk endpoint.
This addresses an issue where a race could result in the endpoint
receiving data before it was reprogrammed resulting in a warning
about such data from musb_rx_reinit before it was thrown away.
The data thrown away was a valid packet that had been correctly
ACKed which meant the host and device got out of sync.

Signed-off-by: Andrew Goodbody <andrew.goodbody@cambrionix.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/musb/musb_host.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/musb/musb_host.c
+++ b/drivers/usb/musb/musb_host.c
@@ -949,9 +949,15 @@ static void musb_bulk_nak_timeout(struct
 	if (is_in) {
 		dma = is_dma_capable() ? ep->rx_channel : NULL;
 
-		/* clear nak timeout bit */
+		/*
+		 * Need to stop the transaction by clearing REQPKT first
+		 * then the NAK Timeout bit ref MUSBMHDRC USB 2.0 HIGH-SPEED
+		 * DUAL-ROLE CONTROLLER Programmer's Guide, section 9.2.2
+		 */
 		rx_csr = musb_readw(epio, MUSB_RXCSR);
 		rx_csr |= MUSB_RXCSR_H_WZC_BITS;
+		rx_csr &= ~MUSB_RXCSR_H_REQPKT;
+		musb_writew(epio, MUSB_RXCSR, rx_csr);
 		rx_csr &= ~MUSB_RXCSR_DATAERROR;
 		musb_writew(epio, MUSB_RXCSR, rx_csr);
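
Review bot: the new comment speaks of "the NAK Timeout bit" but the line that clears it uses MUSB_RXCSR_DATAERROR, so a reader has to know the two are the same bit. Naming the macro in the comment would do, and it is worth stating there that the two musb_writew() calls are intentionally separate, since they otherwise look like a candidate for merging into one write.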
 

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 266/305] ALSA: timer: Fix negative queue usage by racy accesses
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (134 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 290/305] netfilter: x_tables: add and use xt_check_entry_offsets Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 027/305] PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive() Ben Hutchings
                   ` (169 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 3fa6993fef634e05d200d141a85df0b044572364 upstream.

The user timer tu->qused counter may go to a negative value when
multiple concurrent reads are performed since both the check and the
decrement of tu->qused are done in two individual locked contexts.
This results in bogus read outs, and the endless loop in the
user-space side.

The fix is to move the decrement of the tu->qused counter into the
same spinlock context as the zero-check of the counter.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/timer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1965,6 +1965,7 @@ static ssize_t snd_timer_user_read(struc
 
 		qhead = tu->qhead++;
 		tu->qhead %= tu->queue_size;
+		tu->qused--;
 		spin_unlock_irq(&tu->qlock);
 
 		if (tu->tread) {
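
Review bot: nothing at the new tu->qused-- says that it must stay in the same tu->qlock section as the qhead update, which is the whole point of the fix. A one-line comment above it would stop the decrement from drifting back below the unlocked copy in a later cleanup.
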
@@ -1978,7 +1979,6 @@ static ssize_t snd_timer_user_read(struc
 		}
 
 		spin_lock_irq(&tu->qlock);
-		tu->qused--;
 		if (err < 0)
 			goto _error;
 		result += unit;

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 189/305] ipv6: fix endianness error in icmpv6_err
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (247 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 166/305] iio:st_pressure: fix sampling gains (bring inline with ABI) Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 029/305] crypto: s5p-sss - fix incorrect usage of scatterlists api Ben Hutchings
                   ` (56 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Lorenzo Colitti, Hannes Frederic Sowa, David S. Miller

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hannes Frederic Sowa <hannes@stressinduktion.org>

commit dcb94b88c09ce82a80e188d49bcffdc83ba215a6 upstream.

IPv6 ping socket error handler doesn't correctly convert the new 32 bit
mtu to host endianness before using.

Cc: Lorenzo Colitti <lorenzo@google.com>
Fixes: 6d0bfe22611602f ("net: ipv6: Add IPv6 support to the ping socket.")
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/icmp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -97,7 +97,7 @@ static void icmpv6_err(struct sk_buff *s
 
 	if (!(type & ICMPV6_INFOMSG_MASK))
 		if (icmp6->icmp6_type == ICMPV6_ECHO_REQUEST)
-			ping_err(skb, offset, info);
+			ping_err(skb, offset, ntohl(info));
 }
 
 static int icmpv6_rcv(struct sk_buff *skb);

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 253/305] batman-adv: Fix use-after-free/double-free of tt_req_node
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (188 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 109/305] PM / sleep: Handle failures in device_suspend_late() consistently Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 067/305] arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str Ben Hutchings
                   ` (115 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin Weinelt, Amadeus Alfa, Marek Lindner,
	Sven Eckelmann, David S. Miller

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 9c4604a298e0a9807eaf2cd912d1ebf24d98fbeb upstream.

The tt_req_node is added and removed from a list inside a spinlock. But the
locking is sometimes removed even when the object is still referenced and
will be used later via this reference. For example batadv_send_tt_request
can create a new tt_req_node (including add to a list) and later
re-acquires the lock to remove it from the list and to free it. But at this
time another context could have already removed this tt_req_node from the
list and freed it.

CPU#0

    batadv_batman_skb_recv from net_device 0
    -> batadv_iv_ogm_receive
      -> batadv_iv_ogm_process
        -> batadv_iv_ogm_process_per_outif
          -> batadv_tvlv_ogm_receive
            -> batadv_tvlv_ogm_receive
              -> batadv_tvlv_containers_process
                -> batadv_tvlv_call_handler
                  -> batadv_tt_tvlv_ogm_handler_v1
                    -> batadv_tt_update_orig
                      -> batadv_send_tt_request
                        -> batadv_tt_req_node_new
                           spin_lock(...)
                           allocates new tt_req_node and adds it to list
                           spin_unlock(...)
                           return tt_req_node

CPU#1

    batadv_batman_skb_recv from net_device 1
    -> batadv_recv_unicast_tvlv
      -> batadv_tvlv_containers_process
        -> batadv_tvlv_call_handler
          -> batadv_tt_tvlv_unicast_handler_v1
            -> batadv_handle_tt_response
               spin_lock(...)
               tt_req_node gets removed from list and is freed
               spin_unlock(...)

CPU#0

                      <- returned to batadv_send_tt_request
                         spin_lock(...)
                         tt_req_node gets removed from list and is freed
                         MEMORY CORRUPTION/SEGFAULT/...
                         spin_unlock(...)

This can only be solved via reference counting to allow multiple contexts
to handle the list manipulation while making sure that only the last
context holding a reference will free the object.

Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Tested-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Tested-by: Amadeus Alfa <amadeus@chemnitz.freifunk.net>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
 - Adjust context
 - Use list_empty() instead of hlist_unhashed()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/translation-table.c | 43 ++++++++++++++++++++++++++++++++------
 net/batman-adv/types.h             |  2 ++
 2 files changed, 39 insertions(+), 6 deletions(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -2165,6 +2165,29 @@ static uint32_t batadv_tt_local_crc(stru
 	return crc;
 }
 
+/**
+ * batadv_tt_req_node_release - free tt_req node entry
+ * @ref: kref pointer of the tt req_node entry
+ */
+static void batadv_tt_req_node_release(struct kref *ref)
+{
+	struct batadv_tt_req_node *tt_req_node;
+
+	tt_req_node = container_of(ref, struct batadv_tt_req_node, refcount);
+
+	kfree(tt_req_node);
+}
+
+/**
+ * batadv_tt_req_node_put - decrement the tt_req_node refcounter and
+ *  possibly release it
+ * @tt_req_node: tt_req_node to be free'd
+ */
+static void batadv_tt_req_node_put(struct batadv_tt_req_node *tt_req_node)
+{
+	kref_put(&tt_req_node->refcount, batadv_tt_req_node_release);
+}
+
 static void batadv_tt_req_list_free(struct batadv_priv *bat_priv)
 {
 	struct batadv_tt_req_node *node, *safe;
@@ -2173,7 +2196,7 @@ static void batadv_tt_req_list_free(stru
 
 	list_for_each_entry_safe(node, safe, &bat_priv->tt.req_list, list) {
 		list_del(&node->list);
-		kfree(node);
+		batadv_tt_req_node_put(node);
 	}
 
 	spin_unlock_bh(&bat_priv->tt.req_list_lock);
@@ -2209,7 +2232,7 @@ static void batadv_tt_req_purge(struct b
 		if (batadv_has_timed_out(node->issued_at,
 					 BATADV_TT_REQUEST_TIMEOUT)) {
 			list_del(&node->list);
-			kfree(node);
+			batadv_tt_req_node_put(node);
 		}
 	}
 	spin_unlock_bh(&bat_priv->tt.req_list_lock);
@@ -2236,9 +2259,11 @@ batadv_new_tt_req_node(struct batadv_pri
 	if (!tt_req_node)
 		goto unlock;
 
+	kref_init(&tt_req_node->refcount);
 	ether_addr_copy(tt_req_node->addr, orig_node->orig);
 	tt_req_node->issued_at = jiffies;
 
+	kref_get(&tt_req_node->refcount);
 	list_add(&tt_req_node->list, &bat_priv->tt.req_list);
 unlock:
 	spin_unlock_bh(&bat_priv->tt.req_list_lock);
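
Review bot: kref_init() followed a few lines later by kref_get() takes two references, but neither is labelled. A comment saying which one belongs to the list (dropped next to list_del()) and which one to the caller (dropped at the end of batadv_send_tt_request()) would make the put calls elsewhere in the patch checkable at a glance.
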
@@ -2488,12 +2513,19 @@ static int batadv_send_tt_request(struct
 out:
 	if (primary_if)
 		batadv_hardif_free_ref(primary_if);
+
 	if (ret && tt_req_node) {
 		spin_lock_bh(&bat_priv->tt.req_list_lock);
-		list_del(&tt_req_node->list);
+		if (!list_empty(&tt_req_node->list)) {
+			list_del(&tt_req_node->list);
+			batadv_tt_req_node_put(tt_req_node);
+		}
 		spin_unlock_bh(&bat_priv->tt.req_list_lock);
-		kfree(tt_req_node);
 	}
+
+	if (tt_req_node)
+		batadv_tt_req_node_put(tt_req_node);
+
 	kfree(tvlv_tt_data);
 	return ret;
 }
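
Review bot: the !list_empty(&tt_req_node->list) test at the out: label only detects an earlier removal if every remover re-initialises the entry, and the other hunks of this backport (batadv_tt_req_list_free, batadv_tt_req_purge, batadv_handle_tt_response) keep list_del(&node->list) as context. After a plain list_del() the entry's pointers are poisoned rather than self-pointing, so list_empty() stays false and this branch would run list_del() and batadv_tt_req_node_put() a second time on a node another context already took off the list. Since the backport note says list_empty() stands in for hlist_unhashed(), the removals (including the one here) should become list_del_init() so the check means what it is meant to.
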
@@ -2929,7 +2961,7 @@ static void batadv_handle_tt_response(st
 		if (!batadv_compare_eth(node->addr, resp_src))
 			continue;
 		list_del(&node->list);
-		kfree(node);
+		batadv_tt_req_node_put(node);
 	}
 
 	spin_unlock_bh(&bat_priv->tt.req_list_lock);
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -988,11 +988,13 @@ struct batadv_tt_change_node {
  * struct batadv_tt_req_node - data to keep track of the tt requests in flight
  * @addr: mac address address of the originator this request was sent to
  * @issued_at: timestamp used for purging stale tt requests
+ * @refcount: number of contexts the object is used by
  * @list: list node for batadv_priv_tt::req_list
  */
 struct batadv_tt_req_node {
 	uint8_t addr[ETH_ALEN];
 	unsigned long issued_at;
+	struct kref refcount;
 	struct list_head list;
 };
 

^ permalink raw reply	[flat|nested] 321+ messages in thread
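
The difference between list_del() and list_del_init() that the ext4 i_orphan fix and the list_empty() guard in batadv_send_tt_request both depend on, as an added example (not code from these patches or from the kernel tree). It is a userspace model of the list primitives: MODEL_POISON1 is the LIST_POISON1 value printed in the ext4 trace, while MODEL_POISON2 and guarded_second_removal() are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the kernel's circular doubly linked list. */
struct list_head {
	struct list_head *next, *prev;
};

/* MODEL_POISON1 is the LIST_POISON1 value shown in the ext4 trace;
 * MODEL_POISON2 is an assumed second marker for this model. */
#define MODEL_POISON1 ((struct list_head *)(uintptr_t)0x00100100)
#define MODEL_POISON2 ((struct list_head *)(uintptr_t)0x00200200)

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

/* An entry counts as "not on any list" only when it points at itself. */
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add(struct list_head *entry, struct list_head *head)
{
	entry->next = head->next;
	entry->prev = head;
	head->next->prev = entry;
	head->next = entry;
}

static void unlink_entry(struct list_head *entry)
{
	entry->next->prev = entry->prev;
	entry->prev->next = entry->next;
}

/* Plain removal: the entry is left holding poison pointers. */
static void list_del(struct list_head *entry)
{
	unlink_entry(entry);
	entry->next = MODEL_POISON1;
	entry->prev = MODEL_POISON2;
}

/* Removal that leaves the entry self-pointing, so list_empty() is true. */
static void list_del_init(struct list_head *entry)
{
	unlink_entry(entry);
	init_list_head(entry);
}

enum first_removal { FIRST_NONE, FIRST_LIST_DEL, FIRST_LIST_DEL_INIT };
enum second_removal { SECOND_SKIPPED, SECOND_HITS_POISON, SECOND_UNLINKED };

/* One context optionally removes the entry; a second context then does
 * "if (!list_empty(&entry)) remove it" and we report what that guard did. */
static enum second_removal guarded_second_removal(enum first_removal first)
{
	struct list_head head, entry;

	init_list_head(&head);
	init_list_head(&entry);
	list_add(&entry, &head);

	if (first == FIRST_LIST_DEL)
		list_del(&entry);
	else if (first == FIRST_LIST_DEL_INIT)
		list_del_init(&entry);

	if (list_empty(&entry))
		return SECOND_SKIPPED;		/* guard saw the earlier removal */
	if (entry.next == MODEL_POISON1)
		return SECOND_HITS_POISON;	/* guard passed on a stale entry */
	unlink_entry(&entry);
	return SECOND_UNLINKED;			/* entry really was on the list */
}

int main(void)
{
	static const char *names[] = { "skipped", "hits poison", "unlinked" };

	printf("still linked:        %s\n", names[guarded_second_removal(FIRST_NONE)]);
	printf("after list_del:      %s\n", names[guarded_second_removal(FIRST_LIST_DEL)]);
	printf("after list_del_init: %s\n", names[guarded_second_removal(FIRST_LIST_DEL_INIT)]);
	return 0;
}
```

The model reports the poisoned case instead of dereferencing it; the kernel's list debugging code reports the same condition as the "list_del corruption" warning quoted in the ext4 message.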

* [PATCH 3.16 152/305] x86, build: copy ldlinux.c32 to image.iso
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (95 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 008/305] xfs: disallow rw remount on fs with unknown ro-compat features Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 168/305] usb: f_fs: off by one bug in _ffs_func_bind() Ben Hutchings
                   ` (208 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, H. Peter Anvin

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "H. Peter Anvin" <hpa@zytor.com>

commit 9c77679cadb118c0aa99e6f88533d91765a131ba upstream.

For newer versions of Syslinux, we need ldlinux.c32 in addition to
isolinux.bin to reside on the boot disk, so if the latter is found,
copy it, too, to the isoimage tree.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/boot/Makefile | 3 +++
 1 file changed, 3 insertions(+)

--- a/arch/x86/boot/Makefile
+++ b/arch/x86/boot/Makefile
@@ -156,6 +156,9 @@ isoimage: $(obj)/bzImage
 	for i in lib lib64 share end ; do \
 		if [ -f /usr/$$i/syslinux/isolinux.bin ] ; then \
 			cp /usr/$$i/syslinux/isolinux.bin $(obj)/isoimage ; \
+			if [ -f /usr/$$i/syslinux/ldlinux.c32 ]; then \
+				cp /usr/$$i/syslinux/ldlinux.c32 $(obj)/isoimage ; \
+			fi ; \
 			break ; \
 		fi ; \
 		if [ $$i = end ] ; then exit 1 ; fi ; \
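
Review bot: when isolinux.bin is found but ldlinux.c32 is not, the inner test is skipped silently and the loop still breaks, so with a Syslinux version that needs ldlinux.c32 the isoimage target succeeds without it. If that is intended for older Syslinux, a comment saying so would help. Minor style point: the added line uses "]; then" where the surrounding lines use "] ; then".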

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 171/305] HID: elo: kill not flush the work
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (51 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 172/305] usb: xhci-plat: properly handle probe deferral for devm_clk_get() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 263/305] net/mlx5: Add timeout handle to commands with callback Ben Hutchings
                   ` (252 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Oliver Neukum, Oliver Neukum, Jiri Kosina, Benjamin Tissoires

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit ed596a4a88bd161f868ccba078557ee7ede8a6ef upstream.

Flushing a work that reschedules itself is not a sensible operation. It needs
to be killed. Failure to do so leads to a kernel panic in the timer code.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/hid-elo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hid/hid-elo.c
+++ b/drivers/hid/hid-elo.c
@@ -259,7 +259,7 @@ static void elo_remove(struct hid_device
 	struct elo_priv *priv = hid_get_drvdata(hdev);
 
 	hid_hw_stop(hdev);
-	flush_workqueue(wq);
+	cancel_delayed_work_sync(&priv->work);
 	kfree(priv);
 }
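
Review bot: cancel_delayed_work_sync(&priv->work) runs after hid_hw_stop(hdev), so the self-rescheduling work can still fire once against hardware that has already been stopped. If the work handler talks to the device, cancelling before hid_hw_stop() would be the safer order; if the current order is deliberate, a short comment would help.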
 

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 122/305] crypto: ccp - Fix AES XTS error for request sizes above 4096
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (14 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 225/305] posix_acl: Add set_posix_acl Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 161/305] crypto: caam - fix caam_jr_alloc() ret code Ben Hutchings
                   ` (289 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tom Lendacky, Herbert Xu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas.lendacky@amd.com>

commit ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1 upstream.

The ccp-crypto module for AES XTS support has a bug that can allow requests
greater than 4096 bytes in size to be passed to the CCP hardware. The CCP
hardware does not support request sizes larger than 4096, resulting in
incorrect output. The request should actually be handled by the fallback
mechanism instantiated by the ccp-crypto module.

Add a check to ensure the request size is less than or equal to the maximum
supported size and use the fallback mechanism if it is not.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/ccp/ccp-crypto-aes-xts.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/drivers/crypto/ccp/ccp-crypto-aes-xts.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes-xts.c
@@ -123,6 +123,7 @@ static int ccp_aes_xts_crypt(struct ablk
 	struct ccp_ctx *ctx = crypto_tfm_ctx(req->base.tfm);
 	struct ccp_aes_req_ctx *rctx = ablkcipher_request_ctx(req);
 	unsigned int unit;
+	u32 unit_size;
 	int ret;
 
 	if (!ctx->u.aes.key_len)
@@ -134,11 +135,17 @@ static int ccp_aes_xts_crypt(struct ablk
 	if (!req->info)
 		return -EINVAL;
 
-	for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++)
-		if (!(req->nbytes & (unit_size_map[unit].size - 1)))
-			break;
+	unit_size = CCP_XTS_AES_UNIT_SIZE__LAST;
+	if (req->nbytes <= unit_size_map[0].size) {
+		for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++) {
+			if (!(req->nbytes & (unit_size_map[unit].size - 1))) {
+				unit_size = unit_size_map[unit].value;
+				break;
+			}
+		}
+	}
 
-	if ((unit_size_map[unit].value == CCP_XTS_AES_UNIT_SIZE__LAST) ||
+	if ((unit_size == CCP_XTS_AES_UNIT_SIZE__LAST) ||
 	    (ctx->u.aes.key_len != AES_KEYSIZE_128)) {
 		/* Use the fallback to process the request for any
 		 * unsupported unit sizes or key sizes
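
Review bot: the new guard req->nbytes <= unit_size_map[0].size relies on entry 0 of unit_size_map being the largest supported size, which nothing in this hunk states or enforces. A comment at the check, or a named maximum used in its place, would keep the 4096-byte limit from the commit message correct if the table is ever reordered or extended.
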
@@ -159,7 +166,7 @@ static int ccp_aes_xts_crypt(struct ablk
 	rctx->cmd.engine = CCP_ENGINE_XTS_AES_128;
 	rctx->cmd.u.xts.action = (encrypt) ? CCP_AES_ACTION_ENCRYPT
 					   : CCP_AES_ACTION_DECRYPT;
-	rctx->cmd.u.xts.unit_size = unit_size_map[unit].value;
+	rctx->cmd.u.xts.unit_size = unit_size;
 	rctx->cmd.u.xts.key = &ctx->u.aes.key_sg;
 	rctx->cmd.u.xts.key_len = ctx->u.aes.key_len;
 	rctx->cmd.u.xts.iv = &rctx->iv_sg;

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 213/305] xen/pciback: Fix conf_space read/write overlap check.
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (82 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 096/305] remove directory incorrectly tries to set delete on close on non-empty directories Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 200/305] isa: Call isa_bus_init before dependent ISA bus drivers register Ben Hutchings
                   ` (221 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Vrabel, Jan Beulich, Boris Ostrovsky, Andrey Grodzovsky

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andrey Grodzovsky <andrey2805@gmail.com>

commit 02ef871ecac290919ea0c783d05da7eedeffc10e upstream.

Current overlap check is evaluating to false a case where a filter
field is fully contained (proper subset) of a r/w request.  This
change applies classical overlap check instead to include all the
scenarios.

More specifically, for (Hilscher GmbH CIFX 50E-DP(M/S)) device driver
the logic is such that the entire confspace is read and written in 4
byte chunks. In this case as an example, CACHE_LINE_SIZE,
LATENCY_TIMER and PCI_BIST are arriving together in one call to
xen_pcibk_config_write() with offset == 0xc and size == 4.  With the
existing overlap check the LATENCY_TIMER field (offset == 0xd, length
== 1) is fully contained in the write request and hence is excluded
from write, which is incorrect.

Signed-off-by: Andrey Grodzovsky <andrey2805@gmail.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/xen-pciback/conf_space.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/xen/xen-pciback/conf_space.c
+++ b/drivers/xen/xen-pciback/conf_space.c
@@ -183,8 +183,7 @@ int xen_pcibk_config_read(struct pci_dev
 		field_start = OFFSET(cfg_entry);
 		field_end = OFFSET(cfg_entry) + field->size;
 
-		if ((req_start >= field_start && req_start < field_end)
-		    || (req_end > field_start && req_end <= field_end)) {
+		 if (req_end > field_start && field_end > req_start) {
 			err = conf_space_read(dev, cfg_entry, field_start,
 					      &tmp_val);
 			if (err)
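
Review bot: the replacement if line is indented with two tabs plus a stray space, unlike the lines around it; please drop the space. The same applies to the identical line added in xen_pcibk_config_write().
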
@@ -230,8 +229,7 @@ int xen_pcibk_config_write(struct pci_de
 		field_start = OFFSET(cfg_entry);
 		field_end = OFFSET(cfg_entry) + field->size;
 
-		if ((req_start >= field_start && req_start < field_end)
-		    || (req_end > field_start && req_end <= field_end)) {
+		 if (req_end > field_start && field_end > req_start) {
 			tmp_val = 0;
 
 			err = xen_pcibk_config_read(dev, field_start,
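Review bot: the overlap condition in xen_pcibk_config_write() is a second copy of the one in the read path, stray space after the tabs included; a small static inline helper taking req_start, req_end, field_start and field_end would keep the two from drifting apart again. Since a wide write now selects more fields, please also confirm that the read-modify-write beginning at `tmp_val = 0` merges only the request bytes that fall inside each field.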

^ permalink raw reply	[flat|nested] 321+ messages in thread
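The request from the changelog above (offset 0xc, size 4) run through the removed and the added overlap test, as an added example that is not part of the patch or of the xen-pciback driver. The field table and the names `overlap_old`, `overlap_new`, `matched_fields` and `unexplained_differences` are made up here; HEADER_TYPE at 0xe is filled in from the standard PCI header layout, and the exhaustive comparison goes beyond the single case the changelog describes.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed sample data: the four one-byte fields that share the dword
 * at offset 0x0c of a standard PCI configuration header. The changelog
 * names three of them; HEADER_TYPE is added from the PCI header layout.
 */
struct field {
	const char *name;
	unsigned int offset;
	unsigned int size;
};

static const struct field fields[] = {
	{ "CACHE_LINE_SIZE", 0x0c, 1 },
	{ "LATENCY_TIMER",   0x0d, 1 },
	{ "HEADER_TYPE",     0x0e, 1 },
	{ "BIST",            0x0f, 1 },
};
#define NFIELDS (sizeof(fields) / sizeof(fields[0]))

typedef bool (*overlap_fn)(unsigned int req_start, unsigned int req_end,
			   unsigned int field_start, unsigned int field_end);

/* The test removed by the patch. All ranges are half-open: [start, end). */
static bool overlap_old(unsigned int req_start, unsigned int req_end,
			unsigned int field_start, unsigned int field_end)
{
	return (req_start >= field_start && req_start < field_end) ||
	       (req_end > field_start && req_end <= field_end);
}

/* The test added by the patch. */
static bool overlap_new(unsigned int req_start, unsigned int req_end,
			unsigned int field_start, unsigned int field_end)
{
	return req_end > field_start && field_end > req_start;
}

/* Bit i of the result is set when fields[i] is selected for the request. */
static unsigned int matched_fields(overlap_fn check, unsigned int offset,
				   unsigned int size)
{
	unsigned int i, mask = 0;

	for (i = 0; i < NFIELDS; i++)
		if (check(offset, offset + size, fields[i].offset,
			  fields[i].offset + fields[i].size))
			mask |= 1u << i;
	return mask;
}

/*
 * Compare both tests for every request and field of size 1, 2 or 4 that
 * starts in a 64-byte header. Returns the number of cases where the two
 * tests differ for any reason other than "the field lies strictly inside
 * the request", which is the one situation the old test missed.
 */
static unsigned int unexplained_differences(void)
{
	static const unsigned int sizes[] = { 1, 2, 4 };
	unsigned int rs, fs, i, j, bad = 0;

	for (rs = 0; rs < 64; rs++)
		for (fs = 0; fs < 64; fs++)
			for (i = 0; i < 3; i++)
				for (j = 0; j < 3; j++) {
					unsigned int re = rs + sizes[i];
					unsigned int fe = fs + sizes[j];
					bool differ = overlap_old(rs, re, fs, fe) !=
						      overlap_new(rs, re, fs, fe);
					bool inside = rs < fs && fe < re;

					if (differ != inside)
						bad++;
				}
	return bad;
}

int main(void)
{
	unsigned int i;
	unsigned int old_mask = matched_fields(overlap_old, 0x0c, 4);
	unsigned int new_mask = matched_fields(overlap_new, 0x0c, 4);

	for (i = 0; i < NFIELDS; i++)
		printf("%-16s old=%d new=%d\n", fields[i].name,
		       !!(old_mask & (1u << i)), !!(new_mask & (1u << i)));
	printf("unexplained differences: %u\n", unexplained_differences());
	return 0;
}
```

The old test selects only the fields that share a boundary with the request (CACHE_LINE_SIZE and BIST) and skips the ones in the middle, which is why a dword write silently dropped LATENCY_TIMER.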

* [PATCH 3.16 196/305] kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (72 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 005/305] ath5k: Change led pin configuration for compaq c700 laptop Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 252/305] batman-adv: replace WARN with rate limited output on non-existing VLAN Ben Hutchings
                   ` (231 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Zhang Zhuoyu, Paolo Bonzini, Wei Tang, Xiubo Li

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Xiubo Li <lixiubo@cmss.chinamobile.com>

commit caf1ff26e1aa178133df68ac3d40815fed2187d9 upstream.

These days, we experienced one guest crash with 8 cores and 3 disks,
with qemu error logs as below:

qemu-system-x86_64: /build/qemu-2.0.0/kvm-all.c:984:
kvm_irqchip_commit_routes: Assertion `ret == 0' failed.

And then we found one patch (bdf026317d) in the qemu tree, which said it
could fix this bug.

Executing the following script will reproduce the BUG quickly:

irq_affinity.sh
========================================================================

vda_irq_num=25
vdb_irq_num=27
while [ 1 ]
do
    for irq in {1,2,4,8,10,20,40,80}
        do
            echo $irq > /proc/irq/$vda_irq_num/smp_affinity
            echo $irq > /proc/irq/$vdb_irq_num/smp_affinity
            dd if=/dev/vda of=/dev/zero bs=4K count=100 iflag=direct
            dd if=/dev/vdb of=/dev/zero bs=4K count=100 iflag=direct
        done
done
========================================================================

The following qemu log is added in the qemu code and is displayed when
this bug is reproduced:

kvm_irqchip_commit_routes: max gsi: 1008, nr_allocated_irq_routes: 1024,
irq_routes->nr: 1024, gsi_count: 1024.

That's to say when irq_routes->nr == 1024, there are 1024 routing entries,
but in the kernel code when routes->nr >= 1024, it will just return -EINVAL;

The nr is the number of the routing entries, which is in
[1 ~ KVM_MAX_IRQ_ROUTES], not the index in [0 ~ KVM_MAX_IRQ_ROUTES - 1].

This patch fixes the BUG above.

Signed-off-by: Xiubo Li <lixiubo@cmss.chinamobile.com>
Signed-off-by: Wei Tang <tangwei@cmss.chinamobile.com>
Signed-off-by: Zhang Zhuoyu <zhangzhuoyu@cmss.chinamobile.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 virt/kvm/kvm_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2461,7 +2461,7 @@ static long kvm_vm_ioctl(struct file *fi
 		if (copy_from_user(&routing, argp, sizeof(routing)))
 			goto out;
 		r = -EINVAL;
-		if (routing.nr >= KVM_MAX_IRQ_ROUTES)
+		if (routing.nr > KVM_MAX_IRQ_ROUTES)
 			goto out;
 		if (routing.flags)
 			goto out;
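Review bot: with the bound relaxed to `routing.nr > KVM_MAX_IRQ_ROUTES`, nr == KVM_MAX_IRQ_ROUTES is now accepted, so whatever follows this hunk to size and copy the entries from routing.nr has to cope with the full 1024-entry table; please confirm that path was exercised at the limit. A one-line comment that nr is a count of entries rather than an index would stop the >= form from creeping back.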


* [PATCH 3.16 267/305] qeth: delete napi struct when removing a qeth device
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (184 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 098/305] cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 148/305] IB/IPoIB: Fix race between ipoib_remove_one to sysfs functions Ben Hutchings
                   ` (119 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alexander Klein, David S. Miller, Ursula Braun

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ursula Braun <ubraun@linux.vnet.ibm.com>

commit 7831b4ff0d926e0deeaabef9db8800ed069a2757 upstream.

A qeth_card contains a napi_struct linked to the net_device during
device probing. This struct must be deleted when removing the qeth
device, otherwise Panic on oops can occur when qeth devices are
repeatedly removed and added.

Fixes: a1c3ed4c9ca ("qeth: NAPI support for l2 and l3 discipline")
Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
Tested-by: Alexander Klein <ALKL@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/s390/net/qeth_l2_main.c | 1 +
 drivers/s390/net/qeth_l3_main.c | 1 +
 2 files changed, 2 insertions(+)

--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -911,6 +911,7 @@ static void qeth_l2_remove_device(struct
 		qeth_l2_set_offline(cgdev);
 
 	if (card->dev) {
+		netif_napi_del(&card->napi);
 		unregister_netdev(card->dev);
 		card->dev = NULL;
 	}
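Review bot: `netif_napi_del(&card->napi)` runs before `unregister_netdev(card->dev)` in qeth_l2_remove_device(), so the NAPI context is removed while the net_device is still registered; please say in the changelog or a comment why that order is safe (presumably the device has been set offline by this point), or move the call after unregister_netdev().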
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -3337,6 +3337,7 @@ static void qeth_l3_remove_device(struct
 		qeth_l3_set_offline(cgdev);
 
 	if (card->dev) {
+		netif_napi_del(&card->napi);
 		unregister_netdev(card->dev);
 		card->dev = NULL;
 	}
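Review bot: the teardown inside `if (card->dev)` in qeth_l3_remove_device() is now line-for-line identical to the one in qeth_l2_remove_device(); since the napi_struct lives in the shared qeth_card, a common helper would keep the two disciplines from diverging the next time the removal sequence changes.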


* [PATCH 3.16 096/305] remove directory incorrectly tries to set delete on close on non-empty directories
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (81 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 249/305] powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0 Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 213/305] xen/pciback: Fix conf_space read/write overlap check Ben Hutchings
                   ` (222 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sachin Prabhu, Steve French, Steve French

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve French <smfrench@gmail.com>

commit 897fba1172d637d344f009d700f7eb8a1fa262f1 upstream.

Wrong return code was being returned on SMB3 rmdir of
non-empty directory.

For SMB3 (unlike for cifs), we attempt to delete a directory by
set of delete on close flag on the open. Windows clients set
this flag via a set info (SET_FILE_DISPOSITION to set this flag)
which properly checks if the directory is empty.

With this patch on smb3 mounts we correctly return
 "DIRECTORY NOT EMPTY"
on attempts to remove a non-empty directory.

Signed-off-by: Steve French <steve.french@primarydata.com>
Acked-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/cifs/smb2glob.h  |  1 +
 fs/cifs/smb2inode.c |  8 ++++++--
 fs/cifs/smb2pdu.c   | 16 ++++++++++++++++
 fs/cifs/smb2proto.h |  2 ++
 4 files changed, 25 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2glob.h
+++ b/fs/cifs/smb2glob.h
@@ -44,6 +44,7 @@
 #define SMB2_OP_DELETE 7
 #define SMB2_OP_HARDLINK 8
 #define SMB2_OP_SET_EOF 9
+#define SMB2_OP_RMDIR 10
 
 /* Used when constructing chained read requests. */
 #define CHAINED_REQUEST 1
--- a/fs/cifs/smb2inode.c
+++ b/fs/cifs/smb2inode.c
@@ -80,6 +80,10 @@ smb2_open_op_close(const unsigned int xi
 		 * SMB2_open() call.
 		 */
 		break;
+	case SMB2_OP_RMDIR:
+		tmprc = SMB2_rmdir(xid, tcon, fid.persistent_fid,
+				   fid.volatile_fid);
+		break;
 	case SMB2_OP_RENAME:
 		tmprc = SMB2_rename(xid, tcon, fid.persistent_fid,
 				    fid.volatile_fid, (__le16 *)data);
@@ -191,8 +195,8 @@ smb2_rmdir(const unsigned int xid, struc
 	   struct cifs_sb_info *cifs_sb)
 {
 	return smb2_open_op_close(xid, tcon, cifs_sb, name, DELETE, FILE_OPEN,
-				  CREATE_NOT_FILE | CREATE_DELETE_ON_CLOSE,
-				  NULL, SMB2_OP_DELETE);
+				  CREATE_NOT_FILE,
+				  NULL, SMB2_OP_RMDIR);
 }
 
 int
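Review bot: dropping `CREATE_DELETE_ON_CLOSE` from the create options in smb2_rmdir() is the behavioural core of this fix, but nothing at the call site says why rmdir no longer uses it; add a short comment that the delete is now requested through a set-info on the open handle so the server can refuse a non-empty directory. The desired access stays at DELETE, which the disposition request needs, so that part looks right.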
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2297,6 +2297,22 @@ SMB2_rename(const unsigned int xid, stru
 }
 
 int
+SMB2_rmdir(const unsigned int xid, struct cifs_tcon *tcon,
+		  u64 persistent_fid, u64 volatile_fid)
+{
+	__u8 delete_pending = 1;
+	void *data;
+	unsigned int size;
+
+	data = &delete_pending;
+	size = 1; /* sizeof __u8 */
+
+	return send_set_info(xid, tcon, persistent_fid, volatile_fid,
+			current->tgid, FILE_DISPOSITION_INFORMATION, 1, &data,
+			&size);
+}
+
+int
 SMB2_set_hardlink(const unsigned int xid, struct cifs_tcon *tcon,
 		  u64 persistent_fid, u64 volatile_fid, __le16 *target_file)
 {
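Review bot: in SMB2_rmdir(), `size = 1; /* sizeof __u8 */` hard-codes what the comment spells out; write `size = sizeof(delete_pending);` so the length follows the variable. The function also has no comment, and one line noting that it sets FILE_DISPOSITION_INFORMATION with delete pending would help readers arriving from the SMB2_OP_RMDIR case.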
--- a/fs/cifs/smb2proto.h
+++ b/fs/cifs/smb2proto.h
@@ -134,6 +134,8 @@ extern int SMB2_query_directory(const un
 extern int SMB2_rename(const unsigned int xid, struct cifs_tcon *tcon,
 		       u64 persistent_fid, u64 volatile_fid,
 		       __le16 *target_file);
+extern int SMB2_rmdir(const unsigned int xid, struct cifs_tcon *tcon,
+		      u64 persistent_fid, u64 volatile_fid);
 extern int SMB2_set_hardlink(const unsigned int xid, struct cifs_tcon *tcon,
 			     u64 persistent_fid, u64 volatile_fid,
 			     __le16 *target_file);


* [PATCH 3.16 304/305] netfilter: ensure number of counters is >0 in do_replace()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (283 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 256/305] batman-adv: Clean up untagged vlan when destroying via rtnl-link Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-14 15:06   ` Dave Jones
  2016-08-13 17:42 ` [PATCH 3.16 104/305] xfs: skip stale inodes in xfs_iflush_cluster Ben Hutchings
                   ` (20 subsequent siblings)
  305 siblings, 1 reply; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Dave Jones

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Jones <davej@codemonkey.org.uk>

commit 1086bbe97a074844188c6c988fa0b1a98c3ccbb9 upstream.

After improving setsockopt() coverage in trinity, I started triggering
vmalloc failures pretty reliably from this code path:

warn_alloc_failed+0xe9/0x140
__vmalloc_node_range+0x1be/0x270
vzalloc+0x4b/0x50
__do_replace+0x52/0x260 [ip_tables]
do_ipt_set_ctl+0x15d/0x1d0 [ip_tables]
nf_setsockopt+0x65/0x90
ip_setsockopt+0x61/0xa0
raw_setsockopt+0x16/0x60
sock_common_setsockopt+0x14/0x20
SyS_setsockopt+0x71/0xd0

It turns out we don't validate that the num_counters field in the
struct we pass in from userspace is initialized.

The same problem also exists in ebtables, arptables, ipv6, and the
compat variants.

Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bridge/netfilter/ebtables.c | 4 ++++
 net/ipv4/netfilter/arp_tables.c | 6 ++++++
 net/ipv4/netfilter/ip_tables.c  | 6 ++++++
 net/ipv6/netfilter/ip6_tables.c | 6 ++++++
 4 files changed, 22 insertions(+)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1105,6 +1105,8 @@ static int do_replace(struct net *net, c
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
 
 	tmp.name[sizeof(tmp.name) - 1] = 0;
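Review bot: the new `tmp.num_counters == 0` rejection in the ebtables do_replace() changes what userspace may pass, and the trace in the changelog comes from ip_tables only; has this been checked against the ebtables userspace tool, in case it passes zero when it does not want the old counters returned? If zero is a legitimate value here, the check belongs only in the paths that go on to allocate the counter array.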
 
@@ -2150,6 +2152,8 @@ static int compat_copy_ebt_replace_from_
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
 
 	memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
 
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1082,6 +1082,9 @@ static int do_replace(struct net *net, c
 	/* overflow check */
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
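Review bot: the added zero test in the arp_tables do_replace() sits directly under the existing `/* overflow check */` comment, so that comment now appears to describe both tests; give the new test its own comment. It also only rejects zero, while the changelog describes an uninitialised field, so any non-zero garbage below the INT_MAX bound still reaches the allocation.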
@@ -1392,6 +1395,9 @@ static int compat_do_replace(struct net
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1268,6 +1268,9 @@ do_replace(struct net *net, const void _
 	/* overflow check */
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
@@ -1669,6 +1672,9 @@ compat_do_replace(struct net *net, void
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1278,6 +1278,9 @@ do_replace(struct net *net, const void _
 	/* overflow check */
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
@@ -1672,6 +1675,9 @@ compat_do_replace(struct net *net, void
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
 		return -ENOMEM;
+	if (tmp.num_counters == 0)
+		return -EINVAL;
+
 	tmp.name[sizeof(tmp.name)-1] = 0;
 
 	newinfo = xt_alloc_table_info(tmp.size);
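Review bot: by this last compat_do_replace() hunk the same two-line test has been pasted into eight functions across four files; a shared helper, or folding it into the existing overflow test, would keep the copies in step. The two ebtables copies are already formatted differently from the rest, without the trailing blank line.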


* [PATCH 3.16 269/305] xenbus: don't bail early from xenbus_dev_request_and_reply()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (5 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 276/305] USB: usbfs: fix potential infoleak in devio Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 272/305] tmpfs: fix regression hang in fallocate undo Ben Hutchings
                   ` (298 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David Vrabel, Konrad Rzeszutek Wilk, Jan Beulich, Jan Beulich

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Beulich <JBeulich@suse.com>

commit 7469be95a487319514adce2304ad2af3553d2fc9 upstream.

xenbus_dev_request_and_reply() needs to track whether a transaction is
open.  For XS_TRANSACTION_START messages it calls transaction_start()
and for XS_TRANSACTION_END messages it calls transaction_end().

If sending an XS_TRANSACTION_START message fails or responds with
an error, the transaction is not open and transaction_end() must be
called.

If sending an XS_TRANSACTION_END message fails, the transaction is
still open, but if an error response is returned the transaction is
closed.

Commit 027bd7e89906 ("xen/xenbus: Avoid synchronous wait on XenBus
stalling shutdown/restart") introduced a regression where failed
XS_TRANSACTION_START messages were leaving the transaction open.  This
can cause problems with suspend (and migration) as all transactions
must be closed before suspending.

It appears that the problematic change was added accidentally, so just
remove it.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/xenbus/xenbus_xs.c | 3 ---
 1 file changed, 3 deletions(-)

--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -250,9 +250,6 @@ void *xenbus_dev_request_and_reply(struc
 
 	mutex_unlock(&xs_state.request_mutex);
 
-	if (IS_ERR(ret))
-		return ret;
-
 	if ((msg->type == XS_TRANSACTION_END) ||
 	    ((req_msg.type == XS_TRANSACTION_START) &&
 	     (msg->type == XS_ERROR)))
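Review bot: with the early return gone, the condition starting at `msg->type == XS_TRANSACTION_END` is evaluated even when ret is an error pointer. The changelog says a failed send of XS_TRANSACTION_END leaves the transaction open, so please confirm what msg->type holds on that path and that transaction_end() is not reached for it; a short comment above the condition covering the failed-send cases would help.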


* [PATCH 3.16 028/305] alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (32 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 155/305] cpufreq: intel_pstate: Fix ->set_policy() interface for no_turbo Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 179/305] iio: Fix error handling in iio_trigger_attach_poll_func Ben Hutchings
                   ` (271 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Ivan Kokshaysky, Bjorn Helgaas

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <bhelgaas@google.com>

commit c20e128030caf0537d5e906753eac1c28fefdb75 upstream.

The alpha pci_mmap_resource() is used for both IORESOURCE_MEM and
IORESOURCE_IO resources, but iomem_is_exclusive() is only applicable for
IORESOURCE_MEM.

Call iomem_is_exclusive() only for IORESOURCE_MEM resources, and do it
earlier to match the generic version of pci_mmap_resource().

Fixes: 10a0ef39fbd1 ("PCI/alpha: pci sysfs resources")
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/alpha/kernel/pci-sysfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/alpha/kernel/pci-sysfs.c
+++ b/arch/alpha/kernel/pci-sysfs.c
@@ -77,10 +77,10 @@ static int pci_mmap_resource(struct kobj
 	if (i >= PCI_ROM_RESOURCE)
 		return -ENODEV;
 
-	if (!__pci_mmap_fits(pdev, i, vma, sparse))
+	if (res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start))
 		return -EINVAL;
 
-	if (iomem_is_exclusive(res->start))
+	if (!__pci_mmap_fits(pdev, i, vma, sparse))
 		return -EINVAL;
 
 	pcibios_resource_to_bus(pdev->bus, &bar, res);
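Review bot: `res->flags & IORESOURCE_MEM && iomem_is_exclusive(res->start)` relies on & binding tighter than &&; that is correct, but please parenthesise it as `(res->flags & IORESOURCE_MEM) && ...` so nobody has to look up the precedence. The reordering means an exclusive memory region is now rejected before `__pci_mmap_fits()` is consulted; both failures return -EINVAL, so callers see no difference.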


* [PATCH 3.16 104/305] xfs: skip stale inodes in xfs_iflush_cluster
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (284 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 304/305] netfilter: ensure number of counters is >0 in do_replace() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 207/305] net/mlx4_en: Fix the return value of a failure in VLAN VID add/kill Ben Hutchings
                   ` (19 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christoph Hellwig, Dave Chinner, Dave Chinner, Brian Foster

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Chinner <dchinner@redhat.com>

commit 7d3aa7fe970791f1a674b14572a411accf2f4d4e upstream.

We don't write back stale inodes so we should skip them in
xfs_iflush_cluster, too.

Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/xfs/xfs_inode.c | 1 +
 1 file changed, 1 insertion(+)

--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -3031,6 +3031,7 @@ xfs_iflush_cluster(
 		 */
 		spin_lock(&iq->i_flags_lock);
 		if (!iq->i_ino ||
+		    __xfs_iflags_test(iq, XFS_ISTALE) ||
 		    (XFS_INO_TO_AGINO(mp, iq->i_ino) & mask) != first_index) {
 			spin_unlock(&iq->i_flags_lock);
 			continue;
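Review bot: the new `__xfs_iflags_test(iq, XFS_ISTALE)` test is correctly placed under `i_flags_lock`, but the block comment that closes just above the spin_lock() is outside this hunk; if it lists the reasons an inode is skipped, it should gain the stale case so the comment and the three-part condition stay in agreement.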


* [PATCH 3.16 176/305] USB: xhci: Add broken streams quirk for Frescologic device id 1009
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (129 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 243/305] net: bgmac: Start transmit queue in bgmac_open Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 011/305] Bluetooth: vhci: purge unhandled skbs Ben Hutchings
                   ` (174 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Hans de Goede

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit d95815ba6a0f287213118c136e64d8c56daeaeab upstream.

I got one of these cards for testing uas with, it seems that with streams
it dma-s all over the place, corrupting memory. On my first tests it
managed to dma over the BIOS of the motherboard somehow and completely
bricked it.

Tests on another motherboard show that it does work with streams disabled.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-pci.c | 5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -30,6 +30,7 @@
 /* Device for a quirk */
 #define PCI_VENDOR_ID_FRESCO_LOGIC	0x1b73
 #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK	0x1000
+#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009	0x1009
 #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400	0x1400
 
 #define PCI_VENDOR_ID_ETRON		0x1b6f
@@ -99,6 +100,10 @@ static void xhci_pci_quirks(struct devic
 		xhci->quirks |= XHCI_TRUST_TX_LENGTH;
 	}
 
+	if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC &&
+			pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1009)
+		xhci->quirks |= XHCI_BROKEN_STREAMS;
+
 	if (pdev->vendor == PCI_VENDOR_ID_NEC)
 		xhci->quirks |= XHCI_NEC_HOST;
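Review bot: the FL1009 check that sets `XHCI_BROKEN_STREAMS` carries no comment, and the reason given in the changelog (with streams enabled the controller DMAs to the wrong places and corrupts memory) is exactly what a later cleanup needs to see at the quirk site; add a one-line comment above the `if`.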
 


* [PATCH 3.16 063/305] gcov: disable tree-loop-im to reduce stack usage
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (165 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 049/305] arm64: Ensure pmd_present() returns false after pmd_mknotpresent() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 057/305] USB: serial: io_edgeport: fix memory leaks in probe error path Ben Hutchings
                   ` (138 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Arnd Bergmann, Peter Oberparleiter, Michal Marek

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Arnd Bergmann <arnd@arndb.de>

commit c87bf431448b404a6ef5fbabd74c0e3e42157a7f upstream.

Enabling CONFIG_GCOV_PROFILE_ALL produces a lot of warnings like

lib/lz4/lz4hc_compress.c: In function 'lz4_compresshcctx':
lib/lz4/lz4hc_compress.c:514:1: warning: the frame size of 1504 bytes is larger than 1024 bytes [-Wframe-larger-than=]

After some investigation, I found that this behavior started with gcc-4.9,
and opened https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69702.
A suggested workaround for it is to use the -fno-tree-loop-im
flag that turns off one of the optimization stages in gcc, so the
code runs a little slower but does not use excessive amounts
of stack.

We could make this conditional on the gcc version, but I could not
find an easy way to do this in Kbuild and the benefit would be
fairly small, given that most of the gcc versions in production are
affected now.

I'm marking this for 'stable' backports because it addresses a bug
with code generation in gcc that exists in all kernel versions
with the affected gcc releases.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Signed-off-by: Michal Marek <mmarek@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/Makefile
+++ b/Makefile
@@ -381,7 +381,7 @@ AFLAGS_MODULE   =
 LDFLAGS_MODULE  =
 CFLAGS_KERNEL	=
 AFLAGS_KERNEL	=
-CFLAGS_GCOV	= -fprofile-arcs -ftest-coverage
+CFLAGS_GCOV	= -fprofile-arcs -ftest-coverage -fno-tree-loop-im
 
 
 # Use USERINCLUDE when you must reference the UAPI directories only.
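Review bot: `-fno-tree-loop-im` is appended to CFLAGS_GCOV unconditionally, while the changelog describes it as a workaround for gcc 4.9 and later; if cc-option is usable at this point in the Makefile, `$(call cc-option, -fno-tree-loop-im)` would avoid a hard failure on any compiler that does not accept the flag, without needing a version test. A comment with the gcc bug URL next to the assignment would also tell readers when the flag can be dropped.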


* [PATCH 3.16 024/305] EDAC: Increment correct counter in edac_inc_ue_error()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (65 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 246/305] Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 156/305] fix d_walk()/non-delayed __d_free() race Ben Hutchings
                   ` (238 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, linux-edac, Mauro Carvalho Chehab, Borislav Petkov,
	Emmanouil Maroudas

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>

commit 993f88f1cc7f0879047ff353e824e5cc8f10adfc upstream.

Fix typo in edac_inc_ue_error() to increment ue_noinfo_count instead of
ce_noinfo_count.

Signed-off-by: Emmanouil Maroudas <emmanouil.maroudas@gmail.com>
Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Fixes: 4275be635597 ("edac: Change internal representation to work with layers")
Link: http://lkml.kernel.org/r/1461425580-5898-1-git-send-email-emmanouil.maroudas@gmail.com
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/edac/edac_mc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/edac/edac_mc.c
+++ b/drivers/edac/edac_mc.c
@@ -962,7 +962,7 @@ static void edac_inc_ue_error(struct mem
 	mci->ue_mc += count;
 
 	if (!enable_per_layer_report) {
-		mci->ce_noinfo_count += count;
+		mci->ue_noinfo_count += count;
 		return;
 	}
 


* [PATCH 3.16 042/305] mcb: Fixed bar number assignment for the gdd
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (34 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 179/305] iio: Fix error handling in iio_trigger_attach_poll_func Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 103/305] xfs: fix inode validity check in xfs_iflush_cluster Ben Hutchings
                   ` (269 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Johannes Thumshirn, Andreas Werner, Greg Kroah-Hartman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andreas Werner <andreas.werner@men.de>

commit f75564d343010b025301d9548f2304f48eb25f01 upstream.

The bar number is found in reg2 within the gdd. Therefore
we need to change the assignment from reg1 to reg2 which
is the correct location.

Signed-off-by: Andreas Werner <andreas.werner@men.de>
Fixes: '3764e82e5' drivers: Introduce MEN Chameleon Bus
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mcb/mcb-parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mcb/mcb-parse.c
+++ b/drivers/mcb/mcb-parse.c
@@ -57,7 +57,7 @@ static int chameleon_parse_gdd(struct mc
 	mdev->id = GDD_DEV(reg1);
 	mdev->rev = GDD_REV(reg1);
 	mdev->var = GDD_VAR(reg1);
-	mdev->bar = GDD_BAR(reg1);
+	mdev->bar = GDD_BAR(reg2);
 	mdev->group = GDD_GRP(reg2);
 	mdev->inst = GDD_INS(reg2);
 


* [PATCH 3.16 038/305] Fix OpenSSH pty regression on close
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (168 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 232/305] iio:ad7266: Fix broken regulator error handling Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 019/305] Revert "scsi: fix soft lockup in scsi_remove_target() on module removal" Ben Hutchings
                   ` (135 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Brian Bloniarz, Peter Hurley, Volth, Greg Kroah-Hartman,
	Marc Aurele La France

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Brian Bloniarz <brian.bloniarz@gmail.com>

commit 0f40fbbcc34e093255a2b2d70b6b0fb48c3f39aa upstream.

OpenSSH expects the (non-blocking) read() of pty master to return
EAGAIN only if it has received all of the slave-side output after
it has received SIGCHLD. This used to work on pre-3.12 kernels.

This fix effectively forces non-blocking read() and poll() to
block for parallel i/o to complete for all ttys. It also unwinds
these changes:

1) f8747d4a466ab2cafe56112c51b3379f9fdb7a12
   tty: Fix pty master read() after slave closes

2) 52bce7f8d4fc633c9a9d0646eef58ba6ae9a3b73
   pty, n_tty: Simplify input processing on final close

3) 1a48632ffed61352a7810ce089dc5a8bcd505a60
   pty: Fix input race when closing

Inspired by analysis and patch from Marc Aurele La France <tsi@tuyoix.net>

Reported-by: Volth <openssh@volth.com>
Reported-by: Marc Aurele La France <tsi@tuyoix.net>
BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=52
BugLink: https://bugzilla.mindrot.org/show_bug.cgi?id=2492
Signed-off-by: Brian Bloniarz <brian.bloniarz@gmail.com>
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
 - No need to unwind commits 2 and 3
 - Keep using tty_flush_to_ldisc() rather than adding tty_buffer_flush_work()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -2251,15 +2251,14 @@ static ssize_t n_tty_read(struct tty_str
 			ldata->minimum_to_wake = (minimum - (b - buf));
 
 		if (!input_available_p(tty, 0)) {
-			if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) {
-				up_read(&tty->termios_rwsem);
-				tty_flush_to_ldisc(tty);
-				down_read(&tty->termios_rwsem);
-				if (!input_available_p(tty, 0)) {
+			up_read(&tty->termios_rwsem);
+			tty_flush_to_ldisc(tty);
+			down_read(&tty->termios_rwsem);
+			if (!input_available_p(tty, 0)) {
+				if (test_bit(TTY_OTHER_CLOSED, &tty->flags)) {
 					retval = -EIO;
 					break;
 				}
-			} else {
 				if (tty_hung_up_p(file))
 					break;
 				if (!timeout)
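Review bot: with the `TTY_OTHER_CLOSED` test moved inside, every n_tty_read() that finds no input now drops `termios_rwsem`, calls `tty_flush_to_ldisc()` and retakes the lock, not only reads on a pty whose other end has closed; the changelog says this is intended, but a comment at the flush explaining that it waits for in-flight input would help, along with some indication of the cost for ordinary non-blocking readers. Please also double-check the brace balance after removing `} else {`: the tty_hung_up_p() and timeout checks now sit inside the second `if (!input_available_p(tty, 0))`.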
@@ -2467,6 +2466,11 @@ static unsigned int n_tty_poll(struct tt
 	poll_wait(file, &tty->write_wait, wait);
 	if (input_available_p(tty, 1))
 		mask |= POLLIN | POLLRDNORM;
+	else {
+		tty_flush_to_ldisc(tty);
+		if (input_available_p(tty, 1))
+			mask |= POLLIN | POLLRDNORM;
+	}
 	if (tty->packet && tty->link->ctrl_status)
 		mask |= POLLPRI | POLLIN | POLLRDNORM;
 	if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
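Review bot: the new `else {` in n_tty_poll() hangs off an unbraced `if (input_available_p(tty, 1))`; kernel coding style wants braces on both branches when either one needs them. More substantively, poll now calls `tty_flush_to_ldisc()`, which can wait for pending buffer work, so please confirm that is acceptable for callers that expect poll to return promptly.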


* [PATCH 3.16 243/305] net: bgmac: Start transmit queue in bgmac_open
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Florian Fainelli

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Fainelli <f.fainelli@gmail.com>

commit c3897f2a69e54dd113fc9abd2daf872e5b495798 upstream.

The driver does not start the transmit queue in bgmac_open(). If the
queue was stopped prior to closing then re-opening the interface, we
would never be able to wake-up again.

Fixes: dd4544f05469 ("bgmac: driver for GBit MAC core on BCMA bus")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/broadcom/bgmac.c
+++ b/drivers/net/ethernet/broadcom/bgmac.c
@@ -1200,6 +1200,8 @@ static int bgmac_open(struct net_device
 
 	netif_carrier_on(net_dev);
 
+	netif_start_queue(net_dev);
+
 err_out:
 	return err;
 }

* [PATCH 3.16 208/305] ubi: Make recover_peb power cut aware
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Richard Weinberger, Jörg Pfähler

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit 972228d87445dc46c0a01f5f3de673ac017626f7 upstream.

recover_peb() was never power cut aware:
if a power cut happened right after writing the VID header,
upon next attach UBI would blindly use the new partially written
PEB and all data from the old PEB is lost.

In order to make recover_peb() power cut aware, write the new
VID with a proper crc and copy_flag set such that the UBI attach
process will detect whether the new PEB is completely written
or not.
We cannot directly use ubi_eba_atomic_leb_change() since we'd
have to unlock the LEB which is facing a write error.

Reported-by: Jörg Pfähler <pfaehler@isse.de>
Reviewed-by: Jörg Pfähler <pfaehler@isse.de>
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16: no need to unlock ubi->fm_eba_sem on error]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -521,6 +521,7 @@ static int recover_peb(struct ubi_device
 	int err, idx = vol_id2idx(ubi, vol_id), new_pnum, data_size, tries = 0;
 	struct ubi_volume *vol = ubi->volumes[idx];
 	struct ubi_vid_hdr *vid_hdr;
+	uint32_t crc;
 
 	vid_hdr = ubi_zalloc_vid_hdr(ubi, GFP_NOFS);
 	if (!vid_hdr)
@@ -542,12 +543,8 @@ retry:
 		goto out_put;
 	}
 
-	vid_hdr->sqnum = cpu_to_be64(ubi_next_sqnum(ubi));
-	err = ubi_io_write_vid_hdr(ubi, new_pnum, vid_hdr);
-	if (err)
-		goto write_error;
+	ubi_assert(vid_hdr->vol_type == UBI_VID_DYNAMIC);
 
-	data_size = offset + len;
 	mutex_lock(&ubi->buf_mutex);
 	memset(ubi->peb_buf + offset, 0xFF, len);
 
@@ -560,6 +557,18 @@ retry:
 
 	memcpy(ubi->peb_buf + offset, buf, len);
 
+	data_size = offset + len;
+	crc = crc32(UBI_CRC32_INIT, ubi->peb_buf, data_size);
+	vid_hdr->sqnum = cpu_to_be64(ubi_next_sqnum(ubi));
+	vid_hdr->copy_flag = 1;
+	vid_hdr->data_size = cpu_to_be32(data_size);
+	vid_hdr->data_crc = cpu_to_be32(crc);
+	err = ubi_io_write_vid_hdr(ubi, new_pnum, vid_hdr);
+	if (err) {
+		mutex_unlock(&ubi->buf_mutex);
+		goto write_error;
+	}
+
 	err = ubi_io_write_data(ubi, ubi->peb_buf, new_pnum, 0, data_size);
 	if (err) {
 		mutex_unlock(&ubi->buf_mutex);
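
Review bot: the VID header is now written while ubi->buf_mutex is held, and its error path repeats the mutex_unlock() plus "goto write_error" pair used by the ubi_io_write_data() failure just below. A single unlock label ahead of write_error would keep the two paths from drifting apart. The block also needs a comment: copy_flag = 1 together with data_size and data_crc is what the commit message relies on for attach to tell a complete PEB from a partial one, and nothing in recover_peb() says so. Note too that the crc is taken over peb_buf up to offset + len, so it depends on the bytes below offset already being in the buffer at this point, which the elided lines above this hunk have to guarantee.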

* [PATCH 3.16 172/305] usb: xhci-plat: properly handle probe deferral for devm_clk_get()
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thomas Petazzoni, Mathias Nyman, Greg Kroah-Hartman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

commit de95c40d5beaa47f6dc8fe9ac4159b4672b51523 upstream.

On some platforms, the clocks might be registered by a platform
driver. When this is the case, the clock platform driver may very well
be probed after xhci-plat, in which case the first probe() invocation
of xhci-plat will receive -EPROBE_DEFER as the return value of
devm_clk_get().

The current code handles that as a normal error, and simply assumes
that this means that the system doesn't have a clock for the XHCI
controller, and continues probing without calling
clk_prepare_enable(). Unfortunately, this doesn't work on systems
where the XHCI controller does have a clock, but that clock is
provided by another platform driver. In order to fix this situation,
we handle the -EPROBE_DEFER error condition specially, and abort the
XHCI controller probe(). It will be retried later automatically, the
clock will be available, devm_clk_get() will succeed, and the probe()
will continue with the clock prepared and enabled as expected.

In practice, such an issue is seen on the ARM64 Marvell 7K/8K platform,
where the clocks are registered by a platform driver.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: correct error label here is unmap_registers]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/host/xhci-plat.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -154,6 +154,9 @@ static int xhci_plat_probe(struct platfo
 		ret = clk_prepare_enable(clk);
 		if (ret)
 			goto unmap_registers;
+	} else if (PTR_ERR(clk) == -EPROBE_DEFER) {
+		ret = -EPROBE_DEFER;
+		goto unmap_registers;
 	}
 
 	if (of_device_is_compatible(pdev->dev.of_node,
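
Review bot: only -EPROBE_DEFER is propagated by the new else-if; every other error from devm_clk_get() still falls through and the probe continues with no clock, which is the behaviour the commit message describes as the old handling. If that is intentional for platforms without a clock, say so in a comment on this branch, because as written a genuine lookup failure is indistinguishable from "no clock needed". Assigning ret = PTR_ERR(clk) instead of the literal -EPROBE_DEFER would also make the branch easier to extend.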

* [PATCH 3.16 167/305] usb: dwc3: exynos: Fix deferred probing storm.
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Vivek Gautam, Steinar H. Gunderson, Felipe Balbi,
	Krzysztof Kozlowski

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steinar H. Gunderson" <sesse@google.com>

commit 4879efb34f7d49235fac334d76d9c6a77a021413 upstream.

dwc3-exynos has two problems during init if the regulators are slow
to come up (for instance if the I2C bus driver is not on the initramfs)
and return probe deferral. First, every time this happens, the driver
leaks the USB phys created; they need to be deallocated on error.

Second, since the phy devices are created before the regulators fail,
this means that there's a new device to re-trigger deferred probing,
which causes it to essentially go into a busy loop of re-probing the
device until the regulators come up.

Move the phy creation to after the regulators have succeeded, and also
fix cleanup on failure. On my ODROID XU4 system (with Debian's initramfs
which doesn't contain the I2C driver), this reduces the number of probe
attempts (for each of the two controllers) from more than 2000 to eight.

Signed-off-by: Steinar H. Gunderson <sesse@google.com>
Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Reviewed-by: Vivek Gautam <gautam.vivek@samsung.com>
Fixes: d720f057fda4 ("usb: dwc3: exynos: add nop transceiver support")
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/dwc3/dwc3-exynos.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

--- a/drivers/usb/dwc3/dwc3-exynos.c
+++ b/drivers/usb/dwc3/dwc3-exynos.c
@@ -129,12 +129,6 @@ static int dwc3_exynos_probe(struct plat
 
 	platform_set_drvdata(pdev, exynos);
 
-	ret = dwc3_exynos_register_phys(exynos);
-	if (ret) {
-		dev_err(dev, "couldn't register PHYs\n");
-		return ret;
-	}
-
 	clk = devm_clk_get(dev, "usbdrd30");
 	if (IS_ERR(clk)) {
 		dev_err(dev, "couldn't get clock\n");
@@ -168,20 +162,29 @@ static int dwc3_exynos_probe(struct plat
 		goto err3;
 	}
 
+	ret = dwc3_exynos_register_phys(exynos);
+	if (ret) {
+		dev_err(dev, "couldn't register PHYs\n");
+		goto err4;
+	}
+
 	if (node) {
 		ret = of_platform_populate(node, NULL, NULL, dev);
 		if (ret) {
 			dev_err(dev, "failed to add dwc3 core\n");
-			goto err4;
+			goto err5;
 		}
 	} else {
 		dev_err(dev, "no device node, failed to add dwc3 core\n");
 		ret = -ENODEV;
-		goto err4;
+		goto err5;
 	}
 
 	return 0;
 
+err5:
+	platform_device_unregister(exynos->usb2_phy);
+	platform_device_unregister(exynos->usb3_phy);
 err4:
 	regulator_disable(exynos->vdd10);
 err3:
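
Review bot: a failure of dwc3_exynos_register_phys() jumps to err4, which disables the regulator but never unregisters a PHY, while the new err5 label unregisters both usb2_phy and usb3_phy. That is only correct if dwc3_exynos_register_phys() undoes its own partial work when the second registration fails. Its body is not in this diff, so either confirm that in the commit message or make the failure path safe for a half-registered pair. Adding err5 also meant retargeting the existing "goto err4" lines by hand; descriptive label names would make the next reordering less error-prone.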

* [PATCH 3.16 030/305] btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Josef Bacik, Luke Dashjr, Luke Dashjr, David Sterba

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Luke Dashjr <luke@dashjr.org>

commit 4c63c2454eff996c5e27991221106eb511f7db38 upstream.

32-bit ioctl uses these rather than the regular FS_IOC_* versions. They can
be handled in btrfs using the same code. Without this, 32-bit {ch,ls}attr
fail.

Signed-off-by: Luke Dashjr <luke-jr+git@utopios.org>
Reviewed-by: Josef Bacik <jbacik@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/btrfs/ctree.h |  1 +
 fs/btrfs/file.c  |  2 +-
 fs/btrfs/inode.c |  2 +-
 fs/btrfs/ioctl.c | 21 +++++++++++++++++++++
 4 files changed, 24 insertions(+), 2 deletions(-)

--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -3876,6 +3876,7 @@ extern const struct dentry_operations bt
 
 /* ioctl.c */
 long btrfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
+long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
 void btrfs_update_iflags(struct inode *inode);
 void btrfs_inherit_iflags(struct inode *inode, struct inode *dir);
 int btrfs_is_empty_uuid(u8 *uuid);
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -2739,7 +2739,7 @@ const struct file_operations btrfs_file_
 	.fallocate	= btrfs_fallocate,
 	.unlocked_ioctl	= btrfs_ioctl,
 #ifdef CONFIG_COMPAT
-	.compat_ioctl	= btrfs_ioctl,
+	.compat_ioctl	= btrfs_compat_ioctl,
 #endif
 };
 
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -9102,7 +9102,7 @@ static const struct file_operations btrf
 	.iterate	= btrfs_real_readdir,
 	.unlocked_ioctl	= btrfs_ioctl,
 #ifdef CONFIG_COMPAT
-	.compat_ioctl	= btrfs_ioctl,
+	.compat_ioctl	= btrfs_compat_ioctl,
 #endif
 	.release        = btrfs_release_file,
 	.fsync		= btrfs_sync_file,
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -5520,3 +5520,24 @@ long btrfs_ioctl(struct file *file, unsi
 
 	return -ENOTTY;
 }
+
+#ifdef CONFIG_COMPAT
+long btrfs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+	switch (cmd) {
+	case FS_IOC32_GETFLAGS:
+		cmd = FS_IOC_GETFLAGS;
+		break;
+	case FS_IOC32_SETFLAGS:
+		cmd = FS_IOC_SETFLAGS;
+		break;
+	case FS_IOC32_GETVERSION:
+		cmd = FS_IOC_GETVERSION;
+		break;
+	default:
+		return -ENOIOCTLCMD;
+	}
+
+	return btrfs_ioctl(file, cmd, (unsigned long) compat_ptr(arg));
+}
+#endif
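
Review bot: the default: case in btrfs_compat_ioctl() returns -ENOIOCTLCMD, so every command other than the three FS_IOC32_* values no longer reaches btrfs_ioctl() from the compat path. The file.c and inode.c hunks show that .compat_ioctl used to be btrfs_ioctl itself, which means 32-bit callers previously got all btrfs ioctls through this entry point; after this change they depend on whatever the generic compat code does with -ENOIOCTLCMD. Unless that loss is intended, let unlisted commands fall through to the final btrfs_ioctl() call instead of returning early, and say in the commit message which behaviour is meant.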

* [PATCH 3.16 223/305] HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Scott Bauer, Jiri Kosina

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Scott Bauer <sbauer@plzdonthack.me>

commit 93a2001bdfd5376c3dc2158653034c20392d15c5 upstream.

This patch validates the num_values parameter from userland during the
HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
leading to a heap overflow.

Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/hid/usbhid/hiddev.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -516,13 +516,13 @@ static noinline int hiddev_ioctl_usage(s
 					goto inval;
 			} else if (uref->usage_index >= field->report_count)
 				goto inval;
-
-			else if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
-				 (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
-				  uref->usage_index + uref_multi->num_values > field->report_count))
-				goto inval;
 		}
 
+		if ((cmd == HIDIOCGUSAGES || cmd == HIDIOCSUSAGES) &&
+		    (uref_multi->num_values > HID_MAX_MULTI_USAGES ||
+		     uref->usage_index + uref_multi->num_values > field->report_count))
+			goto inval;
+
 		switch (cmd) {
 		case HIDIOCGUSAGE:
 			uref->value = field->value[uref->usage_index];
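
Review bot: the relocated test "uref->usage_index + uref_multi->num_values > field->report_count" is written as a sum, and this hunk does not show usage_index being bounded against report_count on every path that now reaches it (the else-if above covers only one branch). num_values is capped by HID_MAX_MULTI_USAGES first, but unless usage_index is already known to be small the addition can wrap and pass the comparison. Reject usage_index >= field->report_count unconditionally before this test, then compare num_values against field->report_count - uref->usage_index, so the bound holds without relying on the sum not overflowing.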

* [PATCH 3.16 175/305] usb: quirks: Add no-lpm quirk for Acer C120 LED Projector
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Hans de Goede, Greg Kroah-Hartman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 32cb0b37098f4beeff5ad9e325f11b42a6ede56c upstream.

The Acer C120 LED Projector is a USB-3 connected pico projector which
takes both its power and video data from USB-3.

In combination with some hubs this device does not play well with
lpm, so disable lpm for it.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/quirks.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -193,6 +193,9 @@ static const struct usb_device_id usb_qu
 	{ USB_DEVICE(0x1a0a, 0x0200), .driver_info =
 			USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
 
+	/* Acer C120 LED Projector */
+	{ USB_DEVICE(0x1de1, 0xc102), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* Blackmagic Design Intensity Shuttle */
 	{ USB_DEVICE(0x1edb, 0xbd3b), .driver_info = USB_QUIRK_NO_LPM },
 

* [PATCH 3.16 055/305] MIPS: Adjust set_pte() SMP fix to handle R10000_LLSC_WAR
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linux/MIPS, David Daney, Joshua Kinard, Ralf Baechle

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Joshua Kinard <kumba@gentoo.org>

commit 128639395b2ceacc6a56a0141d0261012bfe04d3 upstream.

Update the recent changes to set_pte() that were added in 46011e6ea392
to handle R10000_LLSC_WAR, and format the assembly to match other areas
of the MIPS tree using the same WAR.

This also incorporates a patch recently sent in by Markos Chandras,
"Remove local LL/SC preprocessor variants", so that patch doesn't need
to be applied if this one is accepted.

Signed-off-by: Joshua Kinard <kumba@gentoo.org>
Fixes: 46011e6ea392 ("MIPS: Make set_pte() SMP safe.")
Cc: David Daney <david.daney@cavium.com>
Cc: Linux/MIPS <linux-mips@linux-mips.org>
Patchwork: https://patchwork.linux-mips.org/patch/11103/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
[bwh: Backported to 3.2:
 - Use {LL,SC}_INSN not __{LL,SC}
 - Use literal arch=r4000 instead of MIPS_ISA_ARCH_LEVEL since R6 is not
   supported]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/include/asm/pgtable.h | 45 +++++++++++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 13 deletions(-)

--- a/arch/mips/include/asm/pgtable.h
+++ b/arch/mips/include/asm/pgtable.h
@@ -167,20 +167,39 @@ static inline void set_pte(pte_t *ptep,
 		unsigned long page_global = _PAGE_GLOBAL;
 		unsigned long tmp;
 
-		__asm__ __volatile__ (
-			"	.set	push\n"
-			"	.set	noreorder\n"
-			"1:	" LL_INSN "	%[tmp], %[buddy]\n"
-			"	bnez	%[tmp], 2f\n"
-			"	 or	%[tmp], %[tmp], %[global]\n"
-			"	" SC_INSN "	%[tmp], %[buddy]\n"
-			"	beqz	%[tmp], 1b\n"
-			"	 nop\n"
-			"2:\n"
-			"	.set pop"
-			: [buddy] "+m" (buddy->pte),
-			  [tmp] "=&r" (tmp)
+		if (kernel_uses_llsc && R10000_LLSC_WAR) {
+			__asm__ __volatile__ (
+			"	.set	arch=r4000			\n"
+			"	.set	push				\n"
+			"	.set	noreorder			\n"
+			"1:"	LL_INSN	" %[tmp], %[buddy]		\n"
+			"	bnez	%[tmp], 2f			\n"
+			"	 or	%[tmp], %[tmp], %[global]	\n"
+				SC_INSN	" %[tmp], %[buddy]		\n"
+			"	beqzl	%[tmp], 1b			\n"
+			"	nop					\n"
+			"2:						\n"
+			"	.set	pop				\n"
+			"	.set	mips0				\n"
+			: [buddy] "+m" (buddy->pte), [tmp] "=&r" (tmp)
 			: [global] "r" (page_global));
+		} else if (kernel_uses_llsc) {
+			__asm__ __volatile__ (
+			"	.set	arch=r4000			\n"
+			"	.set	push				\n"
+			"	.set	noreorder			\n"
+			"1:"	LL_INSN	" %[tmp], %[buddy]		\n"
+			"	bnez	%[tmp], 2f			\n"
+			"	 or	%[tmp], %[tmp], %[global]	\n"
+				SC_INSN	" %[tmp], %[buddy]		\n"
+			"	beqz	%[tmp], 1b			\n"
+			"	nop					\n"
+			"2:						\n"
+			"	.set	pop				\n"
+			"	.set	mips0				\n"
+			: [buddy] "+m" (buddy->pte), [tmp] "=&r" (tmp)
+			: [global] "r" (page_global));
+		}
 #else /* !CONFIG_SMP */
 		if (pte_none(*buddy))
 			pte_val(*buddy) = pte_val(*buddy) | _PAGE_GLOBAL;
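
Review bot: under CONFIG_SMP the buddy update is now an if / else-if chain with no final else, so when kernel_uses_llsc is false nothing sets _PAGE_GLOBAL on the buddy entry, whereas the removed code ran the LL/SC loop unconditionally. If SMP without LL/SC cannot occur, state that with a comment or a build-time check; otherwise add a fallback. The two asm blocks also differ only in beqzl versus beqz, so the duplicated twelve lines could be one template with the branch mnemonic selected by R10000_LLSC_WAR. Finally, the nop after the branch has lost the one-space delay-slot indent that the "or" line keeps.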

* [PATCH 3.16 091/305] drm/fb_helper: Fix references to dev->mode_config.num_connector
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Lyude, Daniel Vetter

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lyude <cpaul@redhat.com>

commit 255f0e7c418ad95a4baeda017ae6182ba9b3c423 upstream.

During boot, MST hotplugs are generally expected (even if no physical
hotplugging occurs) and result in DRM's connector topology changing.
This means that using num_connector from the current mode configuration
can lead to the number of connectors changing under us. This can lead to
some nasty scenarios in fbcon:

- We allocate an array to the size of dev->mode_config.num_connectors.
- MST hotplug occurs, dev->mode_config.num_connectors gets incremented.
- We try to loop through each element in the array using the new value
  of dev->mode_config.num_connectors, and end up going out of bounds
  since dev->mode_config.num_connectors is now larger than the array we
  allocated.

fb_helper->connector_count however, will always remain consistent while
we do a modeset in fb_helper.

Note: This is just polish for 4.7, Dave Airlie's drm_connector
refcounting fixed these bugs for real. But it's good enough duct-tape
for stable kernel backporting, since backporting the refcounting
changes is way too invasive.

Signed-off-by: Lyude <cpaul@redhat.com>
[danvet: Clarify why we need this. Also remove the now unused "dev"
local variable to appease gcc.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1463065021-18280-3-git-send-email-cpaul@redhat.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/drm_fb_helper.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -1396,7 +1396,6 @@ static int drm_pick_crtcs(struct drm_fb_
 			  int n, int width, int height)
 {
 	int c, o;
-	struct drm_device *dev = fb_helper->dev;
 	struct drm_connector *connector;
 	struct drm_connector_helper_funcs *connector_funcs;
 	struct drm_encoder *encoder;
@@ -1415,7 +1414,7 @@ static int drm_pick_crtcs(struct drm_fb_
 	if (modes[n] == NULL)
 		return best_score;
 
-	crtcs = kzalloc(dev->mode_config.num_connector *
+	crtcs = kzalloc(fb_helper->connector_count *
 			sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL);
 	if (!crtcs)
 		return best_score;
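
Review bot: the allocation still multiplies fb_helper->connector_count by sizeof(struct drm_fb_helper_crtc *) by hand inside kzalloc(). Since this line is being touched anyway, kcalloc(fb_helper->connector_count, sizeof(struct drm_fb_helper_crtc *), GFP_KERNEL) gives the same zeroed array with the multiplication overflow-checked.
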
@@ -1461,7 +1460,7 @@ static int drm_pick_crtcs(struct drm_fb_
 		if (score > best_score) {
 			best_score = score;
 			memcpy(best_crtcs, crtcs,
-			       dev->mode_config.num_connector *
+			       fb_helper->connector_count *
 			       sizeof(struct drm_fb_helper_crtc *));
 		}
 	}
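
Review bot: the memcpy() into best_crtcs now copies fb_helper->connector_count pointers, but best_crtcs is not allocated anywhere in this diff. If its allocation is still sized from dev->mode_config.num_connector, source and destination can disagree in length in exactly the hotplug window the commit message describes. Confirm that the best_crtcs allocation uses connector_count as well, or include that change here.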

* [PATCH 3.16 021/305] Bluetooth: vhci: Fix race at creating hci device
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Marcel Holtmann, Takashi Iwai

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit c7c999cb18da88a881e10e07f0724ad0bfaff770 upstream.

hci_vhci driver creates a hci device object dynamically upon each
HCI_VENDOR_PKT write.  Although it checks the already created object
and returns an error, it's still racy and may build multiple hci_dev
objects concurrently when parallel writes are performed, as the device
tracks only a single hci_dev object.

This patch introduces a mutex to protect against the concurrent device
creations.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/bluetooth/hci_vhci.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -50,6 +50,7 @@ struct vhci_data {
 	wait_queue_head_t read_wait;
 	struct sk_buff_head readq;
 
+	struct mutex open_mutex;
 	struct delayed_work open_timeout;
 };
 
@@ -95,11 +96,14 @@ static int vhci_send_frame(struct hci_de
 	return 0;
 }
 
-static int vhci_create_device(struct vhci_data *data, __u8 dev_type)
+static int __vhci_create_device(struct vhci_data *data, __u8 dev_type)
 {
 	struct hci_dev *hdev;
 	struct sk_buff *skb;
 
+	if (data->hdev)
+		return -EBADFD;
+
 	skb = bt_skb_alloc(4, GFP_KERNEL);
 	if (!skb)
 		return -ENOMEM;
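
Review bot: __vhci_create_device() now carries the data->hdev check and so is only correct when called with data->open_mutex held, but nothing in the function says so. Add lockdep_assert_held(&data->open_mutex) at the top, or at least a comment, so a later caller that reaches for the double-underscore variant directly does not reintroduce the race.
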
@@ -140,6 +144,17 @@ static int vhci_create_device(struct vhc
 	return 0;
 }
 
+static int vhci_create_device(struct vhci_data *data, __u8 opcode)
+{
+	int err;
+
+	mutex_lock(&data->open_mutex);
+	err = __vhci_create_device(data, opcode);
+	mutex_unlock(&data->open_mutex);
+
+	return err;
+}
+
 static inline ssize_t vhci_get_user(struct vhci_data *data,
 				    const struct iovec *iov,
 				    unsigned long count)
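
Review bot: the wrapper names its second parameter opcode while __vhci_create_device() and the caller in vhci_get_user() call the same value dev_type; use dev_type here too. Also check that every other path that creates the device, such as the open_timeout work initialised in vhci_open(), goes through this locked wrapper rather than the unlocked helper.
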
@@ -185,11 +200,6 @@ static inline ssize_t vhci_get_user(stru
 	case HCI_VENDOR_PKT:
 		cancel_delayed_work_sync(&data->open_timeout);
 
-		if (data->hdev) {
-			kfree_skb(skb);
-			return -EBADFD;
-		}
-
 		dev_type = *((__u8 *) skb->data);
 		skb_pull(skb, 1);
 
@@ -318,6 +328,7 @@ static int vhci_open(struct inode *inode
 	skb_queue_head_init(&data->readq);
 	init_waitqueue_head(&data->read_wait);
 
+	mutex_init(&data->open_mutex);
 	INIT_DELAYED_WORK(&data->open_timeout, vhci_open_timeout);
 
 	file->private_data = data;

* [PATCH 3.16 010/305] Bluetooth: vhci: fix open_timeout vs. hdev race
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jiri Slaby, Marcel Holtmann, Dmitry Vyukov

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jslaby@suse.cz>

commit 373a32c848ae3a1c03618517cce85f9211a6facf upstream.

Both vhci_get_user and vhci_release race with open_timeout work. They
both contain cancel_delayed_work_sync, but do not test whether the
work actually created hdev or not. Since the work can be in progress
and _sync will wait for finishing it, we can have data->hdev allocated
when cancel_delayed_work_sync returns. But the call sites do 'if
(data->hdev)' *before* cancel_delayed_work_sync.

As a result:
* vhci_get_user allocates a second hdev and puts it into
  data->hdev. The former is leaked.
* vhci_release does not release data->hdev properly as it thinks there
  is none.

Fix both cases by moving the actual test *after* the call to
cancel_delayed_work_sync.

This can be hit by this program:
	#include <err.h>
	#include <fcntl.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <time.h>
	#include <unistd.h>

	#include <sys/stat.h>
	#include <sys/types.h>

	int main(int argc, char **argv)
	{
		int fd;

		srand(time(NULL));

		while (1) {
			const int delta = (rand() % 200 - 100) * 100;

			fd = open("/dev/vhci", O_RDWR);
			if (fd < 0)
				err(1, "open");

			usleep(1000000 + delta);

			close(fd);
		}

		return 0;
	}

And the result is:
BUG: KASAN: use-after-free in skb_queue_tail+0x13e/0x150 at addr ffff88006b0c1228
Read of size 8 by task kworker/u13:1/32068
=============================================================================
BUG kmalloc-192 (Tainted: G            E     ): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in vhci_open+0x50/0x330 [hci_vhci] age=260 cpu=3 pid=32040
...
	kmem_cache_alloc_trace+0x150/0x190
	vhci_open+0x50/0x330 [hci_vhci]
	misc_open+0x35b/0x4e0
	chrdev_open+0x23b/0x510
...
INFO: Freed in vhci_release+0xa4/0xd0 [hci_vhci] age=9 cpu=2 pid=32040
...
	__slab_free+0x204/0x310
	vhci_release+0xa4/0xd0 [hci_vhci]
...
INFO: Slab 0xffffea0001ac3000 objects=16 used=13 fp=0xffff88006b0c1e00 flags=0x5fffff80004080
INFO: Object 0xffff88006b0c1200 @offset=4608 fp=0xffff88006b0c0600
CPU: 3 PID: 32068 Comm: kworker/u13:1 Tainted: G    B       E      4.4.6-0-default #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
Workqueue: hci0 hci_cmd_work [bluetooth]
 00000000ffffffff ffffffff81926cfa ffff88006be37c68 ffff88006bc27180
 ffff88006b0c1200 ffff88006b0c1234 ffffffff81577993 ffffffff82489320
 ffff88006bc24240 0000000000000046 ffff88006a100000 000000026e51eb80
Call Trace:
...
 [<ffffffff81ec8ebe>] ? skb_queue_tail+0x13e/0x150
 [<ffffffffa06e027c>] ? vhci_send_frame+0xac/0x100 [hci_vhci]
 [<ffffffffa0c61268>] ? hci_send_frame+0x188/0x320 [bluetooth]
 [<ffffffffa0c61515>] ? hci_cmd_work+0x115/0x310 [bluetooth]
 [<ffffffff811a1375>] ? process_one_work+0x815/0x1340
 [<ffffffff811a1f85>] ? worker_thread+0xe5/0x11f0
 [<ffffffff811a1ea0>] ? process_one_work+0x1340/0x1340
 [<ffffffff811b3c68>] ? kthread+0x1c8/0x230
...
Memory state around the buggy address:
 ffff88006b0c1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88006b0c1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88006b0c1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff88006b0c1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88006b0c1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/bluetooth/hci_vhci.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -183,13 +183,13 @@ static inline ssize_t vhci_get_user(stru
 		break;
 
 	case HCI_VENDOR_PKT:
+		cancel_delayed_work_sync(&data->open_timeout);
+
 		if (data->hdev) {
 			kfree_skb(skb);
 			return -EBADFD;
 		}
 
-		cancel_delayed_work_sync(&data->open_timeout);
-
 		dev_type = *((__u8 *) skb->data);
 		skb_pull(skb, 1);
 
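
Review bot: In the HCI_VENDOR_PKT case the fix now depends on cancel_delayed_work_sync(&data->open_timeout) running before the data->hdev test, but nothing in the code says so. A one-line comment that the open_timeout work must be cancelled before hdev is examined would stop a later cleanup from moving the call back below the check. Please also confirm that no lock is held at this point that the work item itself takes, since the _sync variant waits for a running work item to finish.
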
@@ -331,10 +331,12 @@ static int vhci_open(struct inode *inode
 static int vhci_release(struct inode *inode, struct file *file)
 {
 	struct vhci_data *data = file->private_data;
-	struct hci_dev *hdev = data->hdev;
+	struct hci_dev *hdev;
 
 	cancel_delayed_work_sync(&data->open_timeout);
 
+	hdev = data->hdev;
+
 	if (hdev) {
 		hci_unregister_dev(hdev);
 		hci_free_dev(hdev);
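
Review bot: vhci_release() now loads data->hdev only after cancel_delayed_work_sync() returns, and that ordering needs a comment above the `hdev = data->hdev;` assignment. Without one, splitting the declaration from its initialiser looks like a style slip, and the next cleanup is likely to fold it back into `struct hci_dev *hdev = data->hdev;` and reintroduce the stale read.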

* [PATCH 3.16 070/305] powerpc/mm/hash64: Fix subpage protection with 4K HPTE config
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Aneesh Kumar K.V, Michael Ellerman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Ellerman <mpe@ellerman.id.au>

commit aac55d7573c5d46ed9a62818d5d3e69dd2060105 upstream.

With Linux page size of 64K and hardware only supporting 4K HPTE, if we
use subpage protection, we always fail for the subpage 0 as shown
below (using the selftest subpage_prot test):

  520175565:  (4520111850): Failed at 0x3fffad4b0000 (p=13,sp=0,w=0), want=fault, got=pass !
  4520890210: (4520826495): Failed at 0x3fffad5b0000 (p=29,sp=0,w=0), want=fault, got=pass !
  4521574251: (4521510536): Failed at 0x3fffad6b0000 (p=45,sp=0,w=0), want=fault, got=pass !
  4522258324: (4522194609): Failed at 0x3fffad7b0000 (p=61,sp=0,w=0), want=fault, got=pass !

This is because hash preload wrongly inserts the HPTE entry for subpage
0 without looking at the subpage protection information.

Fix it by teaching should_hash_preload() not to preload if we have
subpage protection configured for that range.

It appears this has been broken since it was introduced in 2008.

Fixes: fa28237cfcc5 ("[POWERPC] Provide a way to protect 4k subpages when using 64k pages")
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
[mpe: Rework into should_hash_preload() to avoid build fails w/SLICES=n]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/mm/hash_utils_64.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/arch/powerpc/mm/hash_utils_64.c
+++ b/arch/powerpc/mm/hash_utils_64.c
@@ -1199,8 +1199,16 @@ EXPORT_SYMBOL_GPL(hash_page);
 #ifdef CONFIG_PPC_MM_SLICES
 static bool should_hash_preload(struct mm_struct *mm, unsigned long ea)
 {
+	int psize = get_slice_psize(mm, ea);
+
 	/* We only prefault standard pages for now */
-	if (unlikely(get_slice_psize(mm, ea) != mm->context.user_psize))
+	if (unlikely(psize != mm->context.user_psize))
+		return false;
+
+	/*
+	 * Don't prefault if subpage protection is enabled for the EA.
+	 */
+	if (unlikely((psize == MMU_PAGE_4K) && subpage_protection(mm, ea)))
 		return false;
 
 	return true;
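
Review bot: The new comment in should_hash_preload() says only "Don't prefault if subpage protection is enabled for the EA", while the condition also requires psize == MMU_PAGE_4K; the comment should say why the test is limited to that page size (per the changelog, the case of a 64K Linux page backed by 4K HPTEs). This hunk sits under #ifdef CONFIG_PPC_MM_SLICES, so please also confirm that subpage_protection() has a definition in every configuration that builds this branch, given that the changelog mentions build failures with SLICES=n.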

* [PATCH 3.16 228/305] tmpfs: don't undo fallocate past its last page
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Vlastimil Babka, Anthony Romano,
	Hugh Dickins, Brandon Philips

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Anthony Romano <anthony.romano@coreos.com>

commit b9b4bb26af017dbe930cd4df7f9b2fc3a0497bfe upstream.

When fallocate is interrupted it will undo a range that extends one byte
past its range of allocated pages.  This can corrupt an in-use page by
zeroing out its first byte.  Instead, undo using the inclusive byte
range.

Fixes: 1635f6a74152f1d ("tmpfs: undo fallocation on failure")
Link: http://lkml.kernel.org/r/1462713387-16724-1-git-send-email-anthony.romano@coreos.com
Signed-off-by: Anthony Romano <anthony.romano@coreos.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Hugh Dickins <hughd@google.com>
Cc: Brandon Philips <brandon@ifup.co>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: use PAGE_CACHE_SHIFT instead of PAGE_SHIFT]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/shmem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1867,7 +1867,7 @@ static long shmem_fallocate(struct file
 			/* Remove the !PageUptodate pages we added */
 			shmem_undo_range(inode,
 				(loff_t)start << PAGE_CACHE_SHIFT,
-				(loff_t)index << PAGE_CACHE_SHIFT, true);
+				((loff_t)index << PAGE_CACHE_SHIFT) - 1, true);
 			goto undone;
 		}
 
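
Review bot: In the shmem_undo_range() call the new end, ((loff_t)index << PAGE_CACHE_SHIFT) - 1, is a valid inclusive end only when index > start. If the failure happens before the first page is added, index equals start and the end lies one byte below the start; with start == 0 it evaluates to -1. Please check how shmem_undo_range() interprets those values and consider guarding the call with `if (index > start)`.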

* [PATCH 3.16 079/305] RDMA/iw_cxgb4: Always wake up waiter in c4iw_peer_abort_intr()
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve Wise, Hariprasad S, Doug Ledford

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hariprasad S <hariprasad@chelsio.com>

commit 093108cb3640844cfdabb0f506fa6b592b64272d upstream.

Currently c4iw_peer_abort_intr() does not wake up the waiter if the
endpoint state indicates we're using MPAv2 and we're currently trying to
connect. This was introduced with commit 7c0a33d61187a ("RDMA/cxgb4:
Don't wakeup threads for MPAv2").

However, this original fix is flawed because it introduces a race that
can cause a deadlock of the iwarp stack.  Here is the race:

->local side sets up an active offload connection.

->local side sends MPA_START request.

->peer sends MPA_START response.

->local side ingress cpl thread begins processing the MPA_START response,
but before it changes the state from MPA_REQ_SENT to FPDU_MODE:

->peer sends a RST which results in an ABORT_REQ_RSS.  This triggers
peer_abort_intr() which sees the state in MPA_REQ_SENT and since mpa_rev
is 2, it will avoid waking up the endpoint with -ECONNRESET, assuming the
stack will re-attempt the connection using MPAv1.

->Meanwhile, the cpl thread moves the state to FPDU_MODE and calls
c4iw_modify_rc_qp() which calls rdma_init() which sends a RI_WR/INIT WR
to firmware.  But since HW sent an abort, FW correctly drops the RI_WR/INIT
WR.

->So the cpl thread is stuck waiting for a reply and cannot process the
ABORT_REQ_RSS cpl sitting in its input queue. Thus everything comes to a
halt because no more ingress cpls are processed by the stack...

The correct fix for the issue is to always do the wake up in
c4iw_abort_intr() but reinitialize the wait object in c4iw_reconnect().

Fixes: 7c0a33d61187a ("RDMA/cxgb4: Don't wakeup threads for MPAv2")
Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/cxgb4/cm.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -1904,6 +1904,7 @@ static int c4iw_reconnect(struct c4iw_ep
 
 	PDBG("%s qp %p cm_id %p\n", __func__, ep->com.qp, ep->com.cm_id);
 	init_timer(&ep->timer);
+	c4iw_init_wr_wait(&ep->com.wr_wait);
 
 	/*
 	 * Allocate an active TID to initiate a TCP connection.
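
Review bot: The added c4iw_init_wr_wait(&ep->com.wr_wait) in c4iw_reconnect() has no comment, and next to init_timer() it reads like routine setup rather than the other half of the peer_abort_intr() change. A short comment saying that the wait object may already have been completed with -ECONNRESET by the abort path and must be reset before the retry would make the dependency between the two hunks visible.
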
@@ -3875,16 +3876,7 @@ static int peer_abort_intr(struct c4iw_d
 	PDBG("%s ep %p tid %u state %u\n", __func__, ep, ep->hwtid,
 	     ep->com.state);
 
-	/*
-	 * Wake up any threads in rdma_init() or rdma_fini().
-	 * However, if we are on MPAv2 and want to retry with MPAv1
-	 * then, don't wake up yet.
-	 */
-	if (mpa_rev == 2 && !ep->tried_with_mpa_v1) {
-		if (ep->com.state != MPA_REQ_SENT)
-			c4iw_wake_up(&ep->com.wr_wait, -ECONNRESET);
-	} else
-		c4iw_wake_up(&ep->com.wr_wait, -ECONNRESET);
+	c4iw_wake_up(&ep->com.wr_wait, -ECONNRESET);
 	sched(dev, skb);
 	return 0;
 }
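
Review bot: peer_abort_intr() loses the whole comment block along with the MPAv2 special case, although its first sentence, "Wake up any threads in rdma_init() or rdma_fini()", still describes the remaining c4iw_wake_up() call; keep that sentence. Separately, the changelog calls the function c4iw_peer_abort_intr() in one place and c4iw_abort_intr() in another, while the hunk header shows peer_abort_intr(); the message should settle on one name.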

* [PATCH 3.16 153/305] tcp: record TLP and ER timer stats in v6 stats
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Yuchung Cheng, Neal Cardwell

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yuchung Cheng <ycheng@google.com>

commit ce3cf4ec0305919fc69a972f6c2b2efd35d36abc upstream.

The v6 tcp stats scan does not provide TLP and ER timer information
correctly like the v4 version. This patch fixes that.

Fixes: 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)")
Fixes: eed530b6c676 ("tcp: early retransmit")
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv6/tcp_ipv6.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1804,7 +1804,9 @@ static void get_tcp6_sock(struct seq_fil
 	destp = ntohs(inet->inet_dport);
 	srcp  = ntohs(inet->inet_sport);
 
-	if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
+	if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
+	    icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS ||
+	    icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) {
 		timer_active	= 1;
 		timer_expires	= icsk->icsk_timeout;
 	} else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
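
Review bot: The condition in get_tcp6_sock() now lists three icsk_pending values by hand, and the changelog says the v4 code already reports them, so the same test exists in two places. That duplication is how the v6 path fell behind; a small shared helper, or at least a comment pointing at the v4 counterpart, would keep the two in step the next time a retransmit-class timer is added.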

* [PATCH 3.16 239/305] ALSA: echoaudio: Fix memory allocation
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Christophe JAILLET

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 9c6795a9b3cbb56a9fbfaf43909c5c22999ba317 upstream.

'commpage_bak' is allocated with 'sizeof(struct echoaudio)' bytes.
We then copy 'sizeof(struct comm_page)' bytes in it.
On my system, smatch complains because one is 2960 and the other is 3072.

This would result in memory corruption or an oops.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/echoaudio/echoaudio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/pci/echoaudio/echoaudio.c
+++ b/sound/pci/echoaudio/echoaudio.c
@@ -2253,11 +2253,11 @@ static int snd_echo_resume(struct device
 
 	DE_INIT(("resume start\n"));
 	pci_restore_state(pci);
-	commpage_bak = kmalloc(sizeof(struct echoaudio), GFP_KERNEL);
+	commpage_bak = kmalloc(sizeof(*commpage), GFP_KERNEL);
 	if (commpage_bak == NULL)
 		return -ENOMEM;
 	commpage = chip->comm_page;
-	memcpy(commpage_bak, commpage, sizeof(struct comm_page));
+	memcpy(commpage_bak, commpage, sizeof(*commpage));
 
 	err = init_hw(chip, chip->pci->device, chip->pci->subsystem_device);
 	if (err < 0) {
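
Review bot: In snd_echo_resume() the kmalloc() takes sizeof(*commpage) two lines before commpage is assigned from chip->comm_page. That is correct, since sizeof does not evaluate its operand, but it reads like a use of an uninitialised pointer. Moving `commpage = chip->comm_page;` above the allocation, or replacing the kmalloc()/memcpy() pair with kmemdup(), would avoid the double take.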

* [PATCH 3.16 061/305] MIPS: KVM: Fix timer IRQ race when freezing timer
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Paolo Bonzini,
	Radim Krčmář,
	linux-mips, kvm, James Hogan, Ralf Baechle

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 4355c44f063d3de4f072d796604c7f4ba4085cc3 upstream.

There's a particularly narrow and subtle race condition when the
software emulated guest timer is frozen which can allow a guest timer
interrupt to be missed.

This happens due to the hrtimer expiry being inexact, so very
occasionally the freeze time will be after the moment when the emulated
CP0_Count transitions to the same value as CP0_Compare (so an IRQ should
be generated), but before the moment when the hrtimer is due to expire
(so no IRQ is generated). The IRQ won't be generated when the timer is
resumed either, since the resume CP0_Count will already match CP0_Compare.

With VZ guests in particular this is far more likely to happen, since
the soft timer may be frozen frequently in order to restore the timer
state to the hardware guest timer. This happens after 5-10 hours of
guest soak testing, resulting in an overflow in guest kernel timekeeping
calculations, hanging the guest. A more focussed test case to
intentionally hit the race (with the help of a new hypcall to cause the
timer state to be migrated between hardware & software) hits the condition
fairly reliably within around 30 seconds.

Instead of relying purely on the inexact hrtimer expiry to determine
whether an IRQ should be generated, read the guest CP0_Compare and
directly check whether the freeze time is before or after it. Only if
CP0_Count is on or after CP0_Compare do we check the hrtimer expiry to
determine whether the last IRQ has already been generated (which will
have pushed back the expiry by one timer period).

Fixes: e30492bbe95a ("MIPS: KVM: Rewrite count/compare timer emulation")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: kvm@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kvm/kvm_mips_emul.c | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

--- a/arch/mips/kvm/kvm_mips_emul.c
+++ b/arch/mips/kvm/kvm_mips_emul.c
@@ -310,12 +310,31 @@ static inline ktime_t kvm_mips_count_tim
  */
 static uint32_t kvm_mips_read_count_running(struct kvm_vcpu *vcpu, ktime_t now)
 {
-	ktime_t expires;
+	struct mips_coproc *cop0 = vcpu->arch.cop0;
+	ktime_t expires, threshold;
+	uint32_t count, compare;
 	int running;
 
-	/* Is the hrtimer pending? */
+	/* Calculate the biased and scaled guest CP0_Count */
+	count = vcpu->arch.count_bias + kvm_mips_ktime_to_count(vcpu, now);
+	compare = kvm_read_c0_guest_compare(cop0);
+
+	/*
+	 * Find whether CP0_Count has reached the closest timer interrupt. If
+	 * not, we shouldn't inject it.
+	 */
+	if ((int32_t)(count - compare) < 0)
+		return count;
+
+	/*
+	 * The CP0_Count we're going to return has already reached the closest
+	 * timer interrupt. Quickly check if it really is a new interrupt by
+	 * looking at whether the interval until the hrtimer expiry time is
+	 * less than 1/4 of the timer period.
+	 */
 	expires = hrtimer_get_expires(&vcpu->arch.comparecount_timer);
-	if (ktime_compare(now, expires) >= 0) {
+	threshold = ktime_add_ns(now, vcpu->arch.count_period / 4);
+	if (ktime_before(expires, threshold)) {
 		/*
 		 * Cancel it while we handle it so there's no chance of
 		 * interference with the timeout handler.
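
Review bot: In kvm_mips_read_count_running() the threshold `vcpu->arch.count_period / 4` is a tuning constant whose only justification is the phrase "less than 1/4 of the timer period" in the comment. Please say why a quarter period is a safe bound on the hrtimer expiry inaccuracy, and what happens if the hrtimer fires later than that. The signed test `(int32_t)(count - compare) < 0` also deserves a word in the comment that it is a wrap-safe comparison of two 32-bit counter values.
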
@@ -337,8 +356,7 @@ static uint32_t kvm_mips_read_count_runn
 		}
 	}
 
-	/* Return the biased and scaled guest CP0_Count */
-	return vcpu->arch.count_bias + kvm_mips_ktime_to_count(vcpu, now);
+	return count;
 }
 
 /**

* [PATCH 3.16 088/305] netlink: Fix dump skb leak/double free
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Herbert Xu, David S. Miller, Baozeng Ding, Cong Wang

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Herbert Xu <herbert@gondor.apana.org.au>

commit 92964c79b357efd980812c4de5c1fd2ec8bb5520 upstream.

When we free cb->skb after a dump, we do it after releasing the
lock.  This means that a new dump could have started in the time
being and we'll end up freeing their skb instead of ours.

This patch saves the skb and module before we unlock so we free
the right memory.

Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netlink/af_netlink.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2693,6 +2693,7 @@ static int netlink_dump(struct sock *sk)
 	struct netlink_callback *cb;
 	struct sk_buff *skb = NULL;
 	struct nlmsghdr *nlh;
+	struct module *module;
 	int len, err = -ENOBUFS;
 	int alloc_min_size;
 	int alloc_size;
@@ -2773,9 +2774,11 @@ static int netlink_dump(struct sock *sk)
 		cb->done(cb);
 
 	nlk->cb_running = false;
+	module = cb->module;
+	skb = cb->skb;
 	mutex_unlock(nlk->cb_mutex);
-	module_put(cb->module);
-	consume_skb(cb->skb);
+	module_put(module);
+	consume_skb(skb);
 	return 0;
 
 errout_skb:
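
Review bot: In netlink_dump() the local `skb` is reused to hold cb->skb, although it is declared at the top of the function as `struct sk_buff *skb = NULL` and the errout_skb label just below uses the same name. A separately named local for the saved callback skb would be clearer. A comment above the two assignments should also state that cb->module and cb->skb must be read before mutex_unlock(nlk->cb_mutex), because, as the changelog says, a new dump can start once the lock is dropped.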

* [PATCH 3.16 163/305] iio: proximity: as3935: correct IIO_CHAN_INFO_RAW output
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jonathan Cameron, Matt Ranostay

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Ranostay <mranostay@gmail.com>

commit 5138806f16c74c7cb8ac3e408a859c79eb7c9567 upstream.

IIO_CHAN_INFO_RAW was returning processed data which was incorrect.
This also adds the IIO_CHAN_INFO_SCALE value to convert to a processed value.

Signed-off-by: Matt Ranostay <mranostay@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/ABI/testing/sysfs-bus-iio-proximity-as3935 |  2 +-
 drivers/iio/proximity/as3935.c                           | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

--- a/Documentation/ABI/testing/sysfs-bus-iio-proximity-as3935
+++ b/Documentation/ABI/testing/sysfs-bus-iio-proximity-as3935
@@ -1,4 +1,4 @@
-What		/sys/bus/iio/devices/iio:deviceX/in_proximity_raw
+What		/sys/bus/iio/devices/iio:deviceX/in_proximity_input
 Date:		March 2014
 KernelVersion:	3.15
 Contact:	Matt Ranostay <mranostay@gmail.com>
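
Review bot: The ABI entry is renamed from in_proximity_raw to in_proximity_input, but the driver hunks in this patch keep BIT(IIO_CHAN_INFO_RAW) and add BIT(IIO_CHAN_INFO_SCALE), so the raw attribute still exists and a scale attribute appears, and after this change neither is documented. Add entries for the raw and scale attributes instead of only renaming the existing one.
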
--- a/drivers/iio/proximity/as3935.c
+++ b/drivers/iio/proximity/as3935.c
@@ -72,7 +72,8 @@ static const struct iio_chan_spec as3935
 		.type           = IIO_PROXIMITY,
 		.info_mask_separate =
 			BIT(IIO_CHAN_INFO_RAW) |
-			BIT(IIO_CHAN_INFO_PROCESSED),
+			BIT(IIO_CHAN_INFO_PROCESSED) |
+			BIT(IIO_CHAN_INFO_SCALE),
 		.scan_index     = 0,
 		.scan_type = {
 			.sign           = 'u',
@@ -181,7 +182,12 @@ static int as3935_read_raw(struct iio_de
 		/* storm out of range */
 		if (*val == AS3935_DATA_MASK)
 			return -EINVAL;
-		*val *= 1000;
+
+		if (m == IIO_CHAN_INFO_PROCESSED)
+			*val *= 1000;
+		break;
+	case IIO_CHAN_INFO_SCALE:
+		*val = 1000;
 		break;
 	default:
 		return -EINVAL;
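
Review bot: With `*val *= 1000` now applied only for IIO_CHAN_INFO_PROCESSED, the value read through the raw attribute changes by a factor of 1000 for existing users. For a stable backport that is a user-visible change, and the changelog should say so explicitly. In the new IIO_CHAN_INFO_SCALE case, please also confirm that the return value after the switch is the right one for a plain integer scale, since it lies outside the lines shown.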

* [PATCH 3.16 202/305] can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Thor Thayer, Marc Kleine-Budde, Richard Andrysek

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thor Thayer <tthayer@opensource.altera.com>

commit 427460c83cdf55069eee49799a0caef7dde8df69 upstream.

When testing CAN write floods on Altera's CycloneV, the first 2 bytes
are sometimes 0x00, 0x00 or corrupted instead of the values sent. Also
observed bytes 4 & 5 were corrupted in some cases.

The D_CAN Data registers are 32 bits and changing from 16 bit writes to
32 bit writes fixes the problem.

Testing performed on Altera CycloneV (D_CAN).  Requesting tests on other
C_CAN & D_CAN platforms.

Reported-by: Richard Andrysek <richard.andrysek@gomtec.de>
Signed-off-by: Thor Thayer <tthayer@opensource.altera.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/can/c_can/c_can.c | 38 +++++++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)

--- a/drivers/net/can/c_can/c_can.c
+++ b/drivers/net/can/c_can/c_can.c
@@ -331,9 +331,23 @@ static void c_can_setup_tx_object(struct
 
 	priv->write_reg(priv, C_CAN_IFACE(MSGCTRL_REG, iface), ctrl);
 
-	for (i = 0; i < frame->can_dlc; i += 2) {
-		priv->write_reg(priv, C_CAN_IFACE(DATA1_REG, iface) + i / 2,
-				frame->data[i] | (frame->data[i + 1] << 8));
+	if (priv->type == BOSCH_D_CAN) {
+		u32 data = 0, dreg = C_CAN_IFACE(DATA1_REG, iface);
+
+		for (i = 0; i < frame->can_dlc; i += 4, dreg += 2) {
+			data = (u32)frame->data[i];
+			data |= (u32)frame->data[i + 1] << 8;
+			data |= (u32)frame->data[i + 2] << 16;
+			data |= (u32)frame->data[i + 3] << 24;
+			priv->write_reg32(priv, dreg, data);
+		}
+	} else {
+		for (i = 0; i < frame->can_dlc; i += 2) {
+			priv->write_reg(priv,
+					C_CAN_IFACE(DATA1_REG, iface) + i / 2,
+					frame->data[i] |
+					(frame->data[i + 1] << 8));
+		}
 	}
 }
 
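
Review bot: In the BOSCH_D_CAN branch of c_can_setup_tx_object() the loop reads frame->data[i + 1] through frame->data[i + 3] for every i below can_dlc, so up to three bytes past can_dlc are loaded and written to the data registers. That stays inside the array only while can_dlc is at most 8 and data[] holds 8 bytes; note the assumption in a comment. The `data = 0` initialiser is dead, since data is assigned at the top of each iteration.
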
@@ -401,10 +415,20 @@ static int c_can_read_msg_object(struct
 	} else {
 		int i, dreg = C_CAN_IFACE(DATA1_REG, iface);
 
-		for (i = 0; i < frame->can_dlc; i += 2, dreg ++) {
-			data = priv->read_reg(priv, dreg);
-			frame->data[i] = data;
-			frame->data[i + 1] = data >> 8;
+		if (priv->type == BOSCH_D_CAN) {
+			for (i = 0; i < frame->can_dlc; i += 4, dreg += 2) {
+				data = priv->read_reg32(priv, dreg);
+				frame->data[i] = data;
+				frame->data[i + 1] = data >> 8;
+				frame->data[i + 2] = data >> 16;
+				frame->data[i + 3] = data >> 24;
+			}
+		} else {
+			for (i = 0; i < frame->can_dlc; i += 2, dreg++) {
+				data = priv->read_reg(priv, dreg);
+				frame->data[i] = data;
+				frame->data[i + 1] = data >> 8;
+			}
 		}
 	}
 
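
Review bot: The D_CAN read loop in c_can_read_msg_object() stores four bytes per iteration, so a frame with can_dlc of 1 to 3, or 5 to 7, has bytes beyond can_dlc written into frame->data. Please confirm that can_dlc has been clamped to 8 before this loop, and consider whether the bytes past can_dlc should be left untouched. A comment on why dreg advances by 2 in the 32-bit case, against dreg++ in the 16-bit case, would also help.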

* [PATCH 3.16 137/305] scsi: Add QEMU CD-ROM to VPD Inquiry Blacklist
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ewan D. Milne, Johannes Thumshirn, Martin K. Petersen, Jan Stancek

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Ewan D. Milne" <emilne@redhat.com>

commit fbd83006e3e536fcb103228d2422ea63129ccb03 upstream.

Linux fails to boot as a guest with a QEMU CD-ROM:

[    4.439488] ata2.00: ATAPI: QEMU CD-ROM, 0.8.2, max UDMA/100
[    4.443649] ata2.00: configured for MWDMA2
[    4.450267] scsi 1:0:0:0: CD-ROM            QEMU     QEMU CD-ROM      0.8. PQ: 0 ANSI: 5
[    4.464317] ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
[    4.464319] ata2.00: BMDMA stat 0x5
[    4.464339] ata2.00: cmd a0/01:00:00:00:01/00:00:00:00:00/a0 tag 0 dma 16640 in
[    4.464339]          Inquiry 12 01 00 00 ff 00res 48/20:02:00:24:00/00:00:00:00:00/a0 Emask 0x2 (HSM violation)
[    4.464341] ata2.00: status: { DRDY DRQ }
[    4.465864] ata2: soft resetting link
[    4.625971] ata2.00: configured for MWDMA2
[    4.628290] ata2: EH complete
[    4.646670] ata2.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
[    4.646671] ata2.00: BMDMA stat 0x5
[    4.646683] ata2.00: cmd a0/01:00:00:00:01/00:00:00:00:00/a0 tag 0 dma 16640 in
[    4.646683]          Inquiry 12 01 00 00 ff 00res 48/20:02:00:24:00/00:00:00:00:00/a0 Emask 0x2 (HSM violation)
[    4.646685] ata2.00: status: { DRDY DRQ }
[    4.648193] ata2: soft resetting link

...

Fix this by suppressing VPD inquiry for this device.

Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Reported-by: Jan Stancek <jstancek@redhat.com>
Tested-by: Jan Stancek <jstancek@redhat.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/scsi_devinfo.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/scsi_devinfo.c
+++ b/drivers/scsi/scsi_devinfo.c
@@ -227,6 +227,7 @@ static struct {
 	{"PIONEER", "CD-ROM DRM-624X", NULL, BLIST_FORCELUN | BLIST_SINGLELUN},
 	{"Promise", "VTrak E610f", NULL, BLIST_SPARSELUN | BLIST_NO_RSOC},
 	{"Promise", "", NULL, BLIST_SPARSELUN},
+	{"QEMU", "QEMU CD-ROM", NULL, BLIST_SKIP_VPD_PAGES},
 	{"QNAP", "iSCSI Storage", NULL, BLIST_MAX_1024},
 	{"QUANTUM", "XP34301", "1071", BLIST_NOTQ},
 	{"REGAL", "CDC-4X", NULL, BLIST_MAX5LUN | BLIST_SINGLELUN},
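
Review bot: The new entry {"QEMU", "QEMU CD-ROM", NULL, BLIST_SKIP_VPD_PAGES} passes NULL for the revision, so VPD inquiry is suppressed for every QEMU CD-ROM revision, while the log in the changelog shows the failure on revision 0.8.2 only. If other QEMU versions answer VPD inquiries correctly, say in the changelog why the match is not restricted to the affected revision, as the {"QUANTUM", "XP34301", "1071", ...} entry two lines below is.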

* [PATCH 3.16 076/305] MIPS: math-emu: Fix jalr emulation when rd == $0
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Ralf Baechle, James Hogan, Maciej W. Rozycki, Paul Burton,
	linux-mips

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul.burton@imgtec.com>

commit ab4a92e66741b35ca12f8497896bafbe579c28a1 upstream.

When emulating a jalr instruction with rd == $0, the code in
isBranchInstr was incorrectly writing to GPR $0 which should actually
always remain zeroed. This would lead to any further instructions
emulated which use $0 operating on a bogus value until the task is next
context switched, at which point the value of $0 in the task context
would be restored to the correct zero by a store in SAVE_SOME. Fix this
by not writing to rd if it is $0.

Fixes: 102cedc32a6e ("MIPS: microMIPS: Floating point support.")
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/13160/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/math-emu/cp1emu.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -443,9 +443,11 @@ static int isBranchInstr(struct pt_regs
 	case spec_op:
 		switch (insn.r_format.func) {
 		case jalr_op:
-			regs->regs[insn.r_format.rd] =
-				regs->cp0_epc + dec_insn.pc_inc +
-				dec_insn.next_pc_inc;
+			if (insn.r_format.rd != 0) {
+				regs->regs[insn.r_format.rd] =
+					regs->cp0_epc + dec_insn.pc_inc +
+					dec_insn.next_pc_inc;
+			}
 			/* Fall through */
 		case jr_op:
 			*contpc = regs->regs[insn.r_format.rs];
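Review bot: The new `if (insn.r_format.rd != 0)` guard in the `jalr_op` case carries no comment, and the reason (GPR $0 must always read as zero, so the link address is discarded when rd is $0) is only in the commit message. A one-line comment above the test would keep a later cleanup from folding the store back in. The fall through to `jr_op` still reads `regs->regs[insn.r_format.rs]` for the jump target, so the branch itself is unchanged when the write is skipped.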


* [PATCH 3.16 216/305] IB/mlx4: Fix error flow when sending mads under SRIOV
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (258 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 022/305] powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 099/305] batman-adv: fix skb deref after free Ben Hutchings
                   ` (45 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Jack Morgenstein, Doug Ledford, Yishai Hadas, Leon Romanovsky

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Yishai Hadas <yishaih@mellanox.com>

commit a6100603a4a87fc436199362bdb81cb849faaf6e upstream.

Fix mad send error flow to prevent double freeing address handles,
and leaking tx_ring entries when SRIOV is active.

If ib_mad_post_send fails, the address handle pointer in the tx_ring entry
must be set to NULL (or there will be a double-free) and tx_tail must be
incremented (or there will be a leak of tx_ring entries).
The tx_ring is handled the same way in the send-completion handler.

Fixes: 37bfc7c1e83f ("IB/mlx4: SR-IOV multiplex and demultiplex MADs")
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Reviewed-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/hw/mlx4/mad.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

--- a/drivers/infiniband/hw/mlx4/mad.c
+++ b/drivers/infiniband/hw/mlx4/mad.c
@@ -531,7 +531,7 @@ int mlx4_ib_send_to_slave(struct mlx4_ib
 		tun_tx_ix = (++tun_qp->tx_ix_head) & (MLX4_NUM_TUNNEL_BUFS - 1);
 	spin_unlock(&tun_qp->tx_lock);
 	if (ret)
-		goto out;
+		goto end;
 
 	tun_mad = (struct mlx4_rcv_tunnel_mad *) (tun_qp->tx_ring[tun_tx_ix].buf.addr);
 	if (tun_qp->tx_ring[tun_tx_ix].ah)
@@ -600,9 +600,15 @@ int mlx4_ib_send_to_slave(struct mlx4_ib
 	wr.send_flags = IB_SEND_SIGNALED;
 
 	ret = ib_post_send(src_qp, &wr, &bad_wr);
-out:
-	if (ret)
-		ib_destroy_ah(ah);
+	if (!ret)
+		return 0;
+ out:
+	spin_lock(&tun_qp->tx_lock);
+	tun_qp->tx_ix_tail++;
+	spin_unlock(&tun_qp->tx_lock);
+	tun_qp->tx_ring[tun_tx_ix].ah = NULL;
+end:
+	ib_destroy_ah(ah);
 	return ret;
 }
 
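Review bot: In the new error path after `ib_post_send()`, `tun_qp->tx_ring[tun_tx_ix].ah = NULL;` runs after `tx_lock` has been dropped and `tx_ix_tail` has already been advanced, so the slot is published as free before its `ah` pointer is cleared. Clearing the pointer before the `tx_ix_tail++`, or inside the locked region, would remove any dependence on ordering against concurrent senders. The two exit labels differ only in whether a ring slot was claimed, which the names `out` and `end` do not convey, and ` out:` is indented by one space while `end:` is not.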
@@ -1256,9 +1262,15 @@ int mlx4_ib_send_to_wire(struct mlx4_ib_
 
 
 	ret = ib_post_send(send_qp, &wr, &bad_wr);
+	if (!ret)
+		return 0;
+
+	spin_lock(&sqp->tx_lock);
+	sqp->tx_ix_tail++;
+	spin_unlock(&sqp->tx_lock);
+	sqp->tx_ring[wire_tx_ix].ah = NULL;
 out:
-	if (ret)
-		ib_destroy_ah(ah);
+	ib_destroy_ah(ah);
 	return ret;
 }
 
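Review bot: With `if (ret)` removed, `out:` in mlx4_ib_send_to_wire() now calls `ib_destroy_ah(ah)` unconditionally, so every `goto out` earlier in the function (not visible in this hunk) must arrive with a valid `ah` and a non-zero `ret`. That holds for the `ib_post_send()` failure path shown here, which falls through after bumping `sqp->tx_ix_tail`, but it should be confirmed for the other jumps, and a comment at the label saying it is an error-only exit would make the contract explicit. The `sqp->tx_ring[wire_tx_ix].ah = NULL;` store also sits outside `tx_lock`, as in mlx4_ib_send_to_slave().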


* [PATCH 3.16 047/305] ACPI / sysfs: fix error code in get_status()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (232 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 087/305] PCI: Disable all BAR sizing for devices with non-compliant BARs Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 101/305] batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq Ben Hutchings
                   ` (71 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Rafael J. Wysocki

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit f18ebc211e259d4f591e39e74b2aa2de226c9a1d upstream.

The problem with ornamental, do-nothing gotos is that they lead to
"forgot to set the error code" bugs.  We should be returning -EINVAL
here but we don't.  It leads to an uninitialized variable in
counter_show():

    drivers/acpi/sysfs.c:603 counter_show()
    error: uninitialized symbol 'status'.

Fixes: 1c8fce27e275 (ACPI: introduce drivers/acpi/sysfs.c)
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/acpi/sysfs.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/acpi/sysfs.c
+++ b/drivers/acpi/sysfs.c
@@ -492,23 +492,22 @@ static void acpi_global_event_handler(u3
 static int get_status(u32 index, acpi_event_status *status,
 		      acpi_handle *handle)
 {
-	int result = 0;
+	int result;
 
 	if (index >= num_gpes + ACPI_NUM_FIXED_EVENTS)
-		goto end;
+		return -EINVAL;
 
 	if (index < num_gpes) {
 		result = acpi_get_gpe_device(index, handle);
 		if (result) {
 			ACPI_EXCEPTION((AE_INFO, AE_NOT_FOUND,
 					"Invalid GPE 0x%x", index));
-			goto end;
+			return result;
 		}
 		result = acpi_get_gpe_status(*handle, index, status);
 	} else if (index < (num_gpes + ACPI_NUM_FIXED_EVENTS))
 		result = acpi_get_event_status(index - num_gpes, status);
 
-end:
 	return result;
 }
 
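Review bot: After the early `return -EINVAL`, the trailing `else if (index < (num_gpes + ACPI_NUM_FIXED_EVENTS))` is always true when it is reached, and `result` no longer has an initializer, so the function's correctness now rests on a condition that looks optional. Turning it into a plain `else` would make it obvious to readers and to the compiler that `result` is assigned on every path that reaches the final `return result;`.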


* [PATCH 3.16 057/305] USB: serial: io_edgeport: fix memory leaks in probe error path
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (166 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 063/305] gcov: disable tree-loop-im to reduce stack usage Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 232/305] iio:ad7266: Fix broken regulator error handling Ben Hutchings
                   ` (137 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Greg Kroah-Hartman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit c8d62957d450cc1a22ce3242908709fe367ddc8e upstream.

URBs and buffers allocated in attach for Epic devices would never be
deallocated in case of a later probe error (e.g. failure to allocate
minor numbers) as disconnect is then never called.

Fix by moving deallocation to release and making sure that the
URBs are first unlinked.

Fixes: f9c99bb8b3a1 ("USB: usb-serial: replace shutdown with disconnect,
release")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/io_edgeport.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2966,16 +2966,9 @@ static void edge_disconnect(struct usb_s
 {
 	struct edgeport_serial *edge_serial = usb_get_serial_data(serial);
 
-	/* stop reads and writes on all ports */
-	/* free up our endpoint stuff */
 	if (edge_serial->is_epic) {
 		usb_kill_urb(edge_serial->interrupt_read_urb);
-		usb_free_urb(edge_serial->interrupt_read_urb);
-		kfree(edge_serial->interrupt_in_buffer);
-
 		usb_kill_urb(edge_serial->read_urb);
-		usb_free_urb(edge_serial->read_urb);
-		kfree(edge_serial->bulk_in_buffer);
 	}
 }
 
@@ -2988,6 +2981,16 @@ static void edge_release(struct usb_seri
 {
 	struct edgeport_serial *edge_serial = usb_get_serial_data(serial);
 
+	if (edge_serial->is_epic) {
+		usb_kill_urb(edge_serial->interrupt_read_urb);
+		usb_free_urb(edge_serial->interrupt_read_urb);
+		kfree(edge_serial->interrupt_in_buffer);
+
+		usb_kill_urb(edge_serial->read_urb);
+		usb_free_urb(edge_serial->read_urb);
+		kfree(edge_serial->bulk_in_buffer);
+	}
+
 	kfree(edge_serial);
 }
 
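Review bot: edge_release() now repeats the `usb_kill_urb()` calls that edge_disconnect() still makes, and nothing at the call site says why. The commit message gives the reason (after a later probe error disconnect is never called), so a short comment above the `if (edge_serial->is_epic)` block saying so would stop the second pair of kills from being removed as redundant. Killing each URB before `usb_free_urb()` and before `kfree()` of its buffer is the right order.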


* [PATCH 3.16 158/305] net/mlx5: Fix the size of modify QP mailbox
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (116 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 031/305] arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 210/305] UBIFS: Implement ->migratepage() Ben Hutchings
                   ` (187 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Majd Dibbiny, David S. Miller, Saeed Mahameed

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Majd Dibbiny <majd@mellanox.com>

commit 418f8399a8bedf376ec13eb01088f04a76ebdd6f upstream.

Add 16 reserved bytes at the end of mlx5_modify_qp_mbox_in to
match the hardware spec definition.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Majd Dibbiny <majd@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/mlx5/qp.h | 1 +
 1 file changed, 1 insertion(+)

--- a/include/linux/mlx5/qp.h
+++ b/include/linux/mlx5/qp.h
@@ -445,6 +445,7 @@ struct mlx5_modify_qp_mbox_in {
 	__be32			optparam;
 	u8			rsvd0[4];
 	struct mlx5_qp_context	ctx;
+	u8			rsvd2[16];
 };
 
 struct mlx5_modify_qp_mbox_out {
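Review bot: The added `u8 rsvd2[16];` at the end of struct mlx5_modify_qp_mbox_in has no comment, and the commit message does not state the total size the hardware spec requires, so nothing guards the layout against drifting again. A comment giving the expected size, or a BUILD_BUG_ON on `sizeof(struct mlx5_modify_qp_mbox_in)` next to a user of the struct, would make the requirement checkable. It is also worth confirming that callers zero the whole structure so the new reserved bytes are not sent uninitialized.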


* [PATCH 3.16 229/305] fs/nilfs2: fix potential underflow in call to crc32_le
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (98 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 294/305] netfilter: x_tables: check standard target size too Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 183/305] crypto: ux500 - memmove the right size Ben Hutchings
                   ` (205 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Torsten Hilbrich, Ryusuke Konishi

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Torsten Hilbrich <torsten.hilbrich@secunet.com>

commit 63d2f95d63396059200c391ca87161897b99e74a upstream.

The value `bytes' comes from the filesystem which is about to be
mounted.  We cannot trust that the value is always in the range we
expect it to be.

Check its value before using it to calculate the length for the crc32_le
call.  Its value must be larger than (or equal to) sumoff + 4.

This fixes a kernel bug when accidentally mounting an image file which
had the nilfs2 magic value 0x3434 at the right offset 0x406 by chance.
The bytes 0x01 0x00 were stored at 0x408 and were interpreted as a
s_bytes value of 1.  This caused an underflow when subtracting sumoff +
4 (20) in the call to crc32_le.

  BUG: unable to handle kernel paging request at ffff88021e600000
  IP:  crc32_le+0x36/0x100
  ...
  Call Trace:
    nilfs_valid_sb.part.5+0x52/0x60 [nilfs2]
    nilfs_load_super_block+0x142/0x300 [nilfs2]
    init_nilfs+0x60/0x390 [nilfs2]
    nilfs_mount+0x302/0x520 [nilfs2]
    mount_fs+0x38/0x160
    vfs_kern_mount+0x67/0x110
    do_mount+0x269/0xe00
    SyS_mount+0x9f/0x100
    entry_SYSCALL_64_fastpath+0x16/0x71

Link: http://lkml.kernel.org/r/1466778587-5184-2-git-send-email-konishi.ryusuke@lab.ntt.co.jp
Signed-off-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
Tested-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nilfs2/the_nilfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nilfs2/the_nilfs.c
+++ b/fs/nilfs2/the_nilfs.c
@@ -441,7 +441,7 @@ static int nilfs_valid_sb(struct nilfs_s
 	if (!sbp || le16_to_cpu(sbp->s_magic) != NILFS_SUPER_MAGIC)
 		return 0;
 	bytes = le16_to_cpu(sbp->s_bytes);
-	if (bytes > BLOCK_SIZE)
+	if (bytes < sumoff + 4 || bytes > BLOCK_SIZE)
 		return 0;
 	crc = crc32_le(le32_to_cpu(sbp->s_crc_seed), (unsigned char *)sbp,
 		       sumoff);
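Review bot: The new lower bound `bytes < sumoff + 4` uses a bare `4`, which is explained only indirectly in the commit message as part of the length subtracted in the later crc32_le() call. Since `bytes` comes from the on-disk superblock via `le16_to_cpu(sbp->s_bytes)` and is untrusted, a short comment tying this check to that subtraction would make clear what it protects. Expressing the `4` through the size of the checksum field instead of a literal would keep the check and the subtraction from diverging.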


* [PATCH 3.16 095/305] fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (121 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 102/305] xfs: xfs_iflush_cluster fails to abort on error Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 214/305] IB/mlx5: Fix post send fence logic Ben Hutchings
                   ` (182 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, Stefan Metzmacher

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Metzmacher <metze@samba.org>

commit 1a967d6c9b39c226be1b45f13acd4d8a5ab3dc44 upstream.

Only servers which map unknown users to guest will allow
access using a non-null NTLMv2_Response.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16:adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -703,22 +703,26 @@ ssetup_ntlmssp_authenticate:
 		/* LM2 password would be here if we supported it */
 		pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
 
-		/* calculate nlmv2 response and session key */
-		rc = setup_ntlmv2_rsp(ses, nls_cp);
-		if (rc) {
-			cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n",
-				 rc);
-			goto ssetup_exit;
-		}
-		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
-				ses->auth_key.len - CIFS_SESS_KEY_SIZE);
-		bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
+		if (ses->user_name != NULL) {
+			/* calculate nlmv2 response and session key */
+			rc = setup_ntlmv2_rsp(ses, nls_cp);
+			if (rc) {
+				cifs_dbg(VFS, "Error %d during NTLMv2 authentication\n", rc);
+				goto ssetup_exit;
+			}
+
+			memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
+					ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+			bcc_ptr += ses->auth_key.len - CIFS_SESS_KEY_SIZE;
 
-		/* set case sensitive password length after tilen may get
-		 * assigned, tilen is 0 otherwise.
-		 */
-		pSMB->req_no_secext.CaseSensitivePasswordLength =
-			cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+			/* set case sensitive password length after tilen may get
+			 * assigned, tilen is 0 otherwise.
+			 */
+			pSMB->req_no_secext.CaseSensitivePasswordLength =
+				cpu_to_le16(ses->auth_key.len - CIFS_SESS_KEY_SIZE);
+		} else {
+			pSMB->req_no_secext.CaseSensitivePasswordLength = 0;
+		}
 
 		if (ses->capabilities & CAP_UNICODE) {
 			if (iov[0].iov_len % 2) {
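Review bot: The anonymous case is selected by `ses->user_name != NULL` alone, so a session whose user name is an empty string would still go through setup_ntlmv2_rsp() and send a non-null NTLMv2 response, which is the behaviour the commit message says only guest-mapping servers accept. If an empty name can reach this code, the test should cover it; if it cannot, a comment saying that NULL is the only representation of an anonymous user would settle the question. The moved comment still reads `nlmv2`, and the reindented `cifs_dbg(...)` line runs past 80 columns.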


* [PATCH 3.16 285/305] audit: fix a double fetch in audit_log_single_execve_arg()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (229 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 046/305] cpufreq: Fix GOV_LIMITS handling for the userspace governor Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 163/305] iio: proximity: as3935: correct IIO_CHAN_INFO_RAW output Ben Hutchings
                   ` (74 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Paul Moore, Pengfei Wang

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Moore <paul@paul-moore.com>

commit 43761473c254b45883a64441dd0bc85a42f3645c upstream.

There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) arguments for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1].  Of course this leaves a window of
opportunity for an unsavory application to munge with the data.

This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s).  In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).

As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:

 * https://github.com/linux-audit/audit-testsuite/issues/25

[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.

[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data.  I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation).  The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/auditsc.c | 332 +++++++++++++++++++++++++++----------------------------
 1 file changed, 164 insertions(+), 168 deletions(-)

--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -71,6 +71,7 @@
 #include <linux/fs_struct.h>
 #include <linux/compat.h>
 #include <linux/ctype.h>
+#include <linux/uaccess.h>
 
 #include "audit.h"
 
@@ -79,7 +80,8 @@
 #define AUDITSC_SUCCESS 1
 #define AUDITSC_FAILURE 2
 
-/* no execve audit message should be longer than this (userspace limits) */
+/* no execve audit message should be longer than this (userspace limits),
+ * see the note near the top of audit_log_execve_info() about this value */
 #define MAX_EXECVE_AUDIT_LEN 7500
 
 /* max length to print of cmdline/proctitle value during audit */
@@ -1015,185 +1017,178 @@ static int audit_log_pid_context(struct
 	return rc;
 }
 
-/*
- * to_send and len_sent accounting are very loose estimates.  We aren't
- * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being
- * within about 500 bytes (next page boundary)
- *
- * why snprintf?  an int is up to 12 digits long.  if we just assumed when
- * logging that a[%d]= was going to be 16 characters long we would be wasting
- * space in every audit message.  In one 7500 byte message we can log up to
- * about 1000 min size arguments.  That comes down to about 50% waste of space
- * if we didn't do the snprintf to find out how long arg_num_len was.
- */
-static int audit_log_single_execve_arg(struct audit_context *context,
-					struct audit_buffer **ab,
-					int arg_num,
-					size_t *len_sent,
-					const char __user *p,
-					char *buf)
-{
-	char arg_num_len_buf[12];
-	const char __user *tmp_p = p;
-	/* how many digits are in arg_num? 5 is the length of ' a=""' */
-	size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5;
-	size_t len, len_left, to_send;
-	size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN;
-	unsigned int i, has_cntl = 0, too_long = 0;
-	int ret;
-
-	/* strnlen_user includes the null we don't want to send */
-	len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1;
+static void audit_log_execve_info(struct audit_context *context,
+				  struct audit_buffer **ab)
+{
+	long len_max;
+	long len_rem;
+	long len_full;
+	long len_buf;
+	long len_abuf;
+	long len_tmp;
+	bool require_data;
+	bool encode;
+	unsigned int iter;
+	unsigned int arg;
+	char *buf_head;
+	char *buf;
+	const char __user *p = (const char __user *)current->mm->arg_start;
 
-	/*
-	 * We just created this mm, if we can't find the strings
-	 * we just copied into it something is _very_ wrong. Similar
-	 * for strings that are too long, we should not have created
-	 * any.
-	 */
-	if (unlikely((len == -1) || len > MAX_ARG_STRLEN - 1)) {
-		WARN_ON(1);
-		send_sig(SIGKILL, current, 0);
-		return -1;
+	/* NOTE: this buffer needs to be large enough to hold all the non-arg
+	 *       data we put in the audit record for this argument (see the
+	 *       code below) ... at this point in time 96 is plenty */
+	char abuf[96];
+
+	/* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the
+	 *       current value of 7500 is not as important as the fact that it
+	 *       is less than 8k, a setting of 7500 gives us plenty of wiggle
+	 *       room if we go over a little bit in the logging below */
+	WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500);
+	len_max = MAX_EXECVE_AUDIT_LEN;
+
+	/* scratch buffer to hold the userspace args */
+	buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
+	if (!buf_head) {
+		audit_panic("out of memory for argv string");
+		return;
 	}
+	buf = buf_head;
+
+	audit_log_format(*ab, "argc=%d", context->execve.argc);
 
-	/* walk the whole argument looking for non-ascii chars */
+	len_rem = len_max;
+	len_buf = 0;
+	len_full = 0;
+	require_data = true;
+	encode = false;
+	iter = 0;
+	arg = 0;
 	do {
-		if (len_left > MAX_EXECVE_AUDIT_LEN)
-			to_send = MAX_EXECVE_AUDIT_LEN;
-		else
-			to_send = len_left;
-		ret = copy_from_user(buf, tmp_p, to_send);
-		/*
-		 * There is no reason for this copy to be short. We just
-		 * copied them here, and the mm hasn't been exposed to user-
-		 * space yet.
-		 */
-		if (ret) {
-			WARN_ON(1);
-			send_sig(SIGKILL, current, 0);
-			return -1;
-		}
-		buf[to_send] = '\0';
-		has_cntl = audit_string_contains_control(buf, to_send);
-		if (has_cntl) {
-			/*
-			 * hex messages get logged as 2 bytes, so we can only
-			 * send half as much in each message
-			 */
-			max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2;
-			break;
-		}
-		len_left -= to_send;
-		tmp_p += to_send;
-	} while (len_left > 0);
-
-	len_left = len;
-
-	if (len > max_execve_audit_len)
-		too_long = 1;
-
-	/* rewalk the argument actually logging the message */
-	for (i = 0; len_left > 0; i++) {
-		int room_left;
-
-		if (len_left > max_execve_audit_len)
-			to_send = max_execve_audit_len;
-		else
-			to_send = len_left;
-
-		/* do we have space left to send this argument in this ab? */
-		room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent;
-		if (has_cntl)
-			room_left -= (to_send * 2);
-		else
-			room_left -= to_send;
-		if (room_left < 0) {
-			*len_sent = 0;
-			audit_log_end(*ab);
-			*ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE);
-			if (!*ab)
-				return 0;
-		}
+		/* NOTE: we don't ever want to trust this value for anything
+		 *       serious, but the audit record format insists we
+		 *       provide an argument length for really long arguments,
+		 *       e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but
+		 *       to use strncpy_from_user() to obtain this value for
+		 *       recording in the log, although we don't use it
+		 *       anywhere here to avoid a double-fetch problem */
+		if (len_full == 0)
+			len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;
+
+		/* read more data from userspace */
+		if (require_data) {
+			/* can we make more room in the buffer? */
+			if (buf != buf_head) {
+				memmove(buf_head, buf, len_buf);
+				buf = buf_head;
+			}
 
-		/*
-		 * first record needs to say how long the original string was
-		 * so we can be sure nothing was lost.
-		 */
-		if ((i == 0) && (too_long))
-			audit_log_format(*ab, " a%d_len=%zu", arg_num,
-					 has_cntl ? 2*len : len);
-
-		/*
-		 * normally arguments are small enough to fit and we already
-		 * filled buf above when we checked for control characters
-		 * so don't bother with another copy_from_user
-		 */
-		if (len >= max_execve_audit_len)
-			ret = copy_from_user(buf, p, to_send);
-		else
-			ret = 0;
-		if (ret) {
-			WARN_ON(1);
-			send_sig(SIGKILL, current, 0);
-			return -1;
-		}
-		buf[to_send] = '\0';
+			/* fetch as much as we can of the argument */
+			len_tmp = strncpy_from_user(&buf_head[len_buf], p,
+						    len_max - len_buf);
+			if (len_tmp == -EFAULT) {
+				/* unable to copy from userspace */
+				send_sig(SIGKILL, current, 0);
+				goto out;
+			} else if (len_tmp == (len_max - len_buf)) {
+				/* buffer is not large enough */
+				require_data = true;
+				/* NOTE: if we are going to span multiple
+				 *       buffers force the encoding so we stand
+				 *       a chance at a sane len_full value and
+				 *       consistent record encoding */
+				encode = true;
+				len_full = len_full * 2;
+				p += len_tmp;
+			} else {
+				require_data = false;
+				if (!encode)
+					encode = audit_string_contains_control(
+								buf, len_tmp);
+				/* try to use a trusted value for len_full */
+				if (len_full < len_max)
+					len_full = (encode ?
+						    len_tmp * 2 : len_tmp);
+				p += len_tmp + 1;
+			}
+			len_buf += len_tmp;
+			buf_head[len_buf] = '\0';
 
-		/* actually log it */
-		audit_log_format(*ab, " a%d", arg_num);
-		if (too_long)
-			audit_log_format(*ab, "[%d]", i);
-		audit_log_format(*ab, "=");
-		if (has_cntl)
-			audit_log_n_hex(*ab, buf, to_send);
-		else
-			audit_log_string(*ab, buf);
-
-		p += to_send;
-		len_left -= to_send;
-		*len_sent += arg_num_len;
-		if (has_cntl)
-			*len_sent += to_send * 2;
-		else
-			*len_sent += to_send;
-	}
-	/* include the null we didn't log */
-	return len + 1;
-}
+			/* length of the buffer in the audit record? */
+			len_abuf = (encode ? len_buf * 2 : len_buf + 2);
+		}
 
-static void audit_log_execve_info(struct audit_context *context,
-				  struct audit_buffer **ab)
-{
-	int i, len;
-	size_t len_sent = 0;
-	const char __user *p;
-	char *buf;
+		/* write as much as we can to the audit log */
+		if (len_buf > 0) {
+			/* NOTE: some magic numbers here - basically if we
+			 *       can't fit a reasonable amount of data into the
+			 *       existing audit buffer, flush it and start with
+			 *       a new buffer */
+			if ((sizeof(abuf) + 8) > len_rem) {
+				len_rem = len_max;
+				audit_log_end(*ab);
+				*ab = audit_log_start(context,
+						      GFP_KERNEL, AUDIT_EXECVE);
+				if (!*ab)
+					goto out;
+			}
 
-	p = (const char __user *)current->mm->arg_start;
+			/* create the non-arg portion of the arg record */
+			len_tmp = 0;
+			if (require_data || (iter > 0) ||
+			    ((len_abuf + sizeof(abuf)) > len_rem)) {
+				if (iter == 0) {
+					len_tmp += snprintf(&abuf[len_tmp],
+							sizeof(abuf) - len_tmp,
+							" a%d_len=%lu",
+							arg, len_full);
+				}
+				len_tmp += snprintf(&abuf[len_tmp],
+						    sizeof(abuf) - len_tmp,
+						    " a%d[%d]=", arg, iter++);
+			} else
+				len_tmp += snprintf(&abuf[len_tmp],
+						    sizeof(abuf) - len_tmp,
+						    " a%d=", arg);
+			WARN_ON(len_tmp >= sizeof(abuf));
+			abuf[sizeof(abuf) - 1] = '\0';
+
+			/* log the arg in the audit record */
+			audit_log_format(*ab, "%s", abuf);
+			len_rem -= len_tmp;
+			len_tmp = len_buf;
+			if (encode) {
+				if (len_abuf > len_rem)
+					len_tmp = len_rem / 2; /* encoding */
+				audit_log_n_hex(*ab, buf, len_tmp);
+				len_rem -= len_tmp * 2;
+				len_abuf -= len_tmp * 2;
+			} else {
+				if (len_abuf > len_rem)
+					len_tmp = len_rem - 2; /* quotes */
+				audit_log_n_string(*ab, buf, len_tmp);
+				len_rem -= len_tmp + 2;
+				/* don't subtract the "2" because we still need
+				 * to add quotes to the remaining string */
+				len_abuf -= len_tmp;
+			}
+			len_buf -= len_tmp;
+			buf += len_tmp;
+		}
 
-	audit_log_format(*ab, "argc=%d", context->execve.argc);
+		/* ready to move to the next argument? */
+		if ((len_buf == 0) && !require_data) {
+			arg++;
+			iter = 0;
+			len_full = 0;
+			require_data = true;
+			encode = false;
+		}
+	} while (arg < context->execve.argc);
 
-	/*
-	 * we need some kernel buffer to hold the userspace args.  Just
-	 * allocate one big one rather than allocating one of the right size
-	 * for every single argument inside audit_log_single_execve_arg()
-	 * should be <8k allocation so should be pretty safe.
-	 */
-	buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL);
-	if (!buf) {
-		audit_panic("out of memory for argv string");
-		return;
-	}
+	/* NOTE: the caller handles the final audit_log_end() call */
 
-	for (i = 0; i < context->execve.argc; i++) {
-		len = audit_log_single_execve_arg(context, ab, i,
-						  &len_sent, p, buf);
-		if (len <= 0)
-			break;
-		p += len;
-	}
-	kfree(buf);
+out:
+	kfree(buf_head);
 }
 
 static void show_special(struct audit_context *context, int *call_panic)
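Review bot: The NOTE above the `len_full` computation says there is no choice but to use strncpy_from_user() to obtain the length, while the statement it documents is `len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1;`, so the comment names the wrong function for the one remaining untrusted read. Further down, `" a%d_len=%lu"` and `" a%d[%d]="` print `len_full` (declared `long`) with `%lu` and the `unsigned int` counters `arg` and `iter` with `%d`; `%ld` and `%u` would match the declarations. `WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500)` tests a compile-time constant and could be a BUILD_BUG_ON, the `require_data = true;` in the buffer-full branch is redundant because that branch is only entered with it already set, and `(sizeof(abuf) + 8) > len_rem` compares an unsigned size with a signed `long`.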


* [PATCH 3.16 036/305] MIPS: ath79: make bootconsole wait for both THRE and TEMT
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (180 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 134/305] mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 221/305] cifs: use CIFS_MAX_DOMAINNAME_LEN when converting the domain name Ben Hutchings
                   ` (123 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Matthias Schiffer

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matthias Schiffer <mschiffer@universe-factory.net>

commit f5b556c94c8490d42fea79d7b4ae0ecbc291e69d upstream.

This makes the ath79 bootconsole behave the same way as the generic 8250
bootconsole.

Also waiting for TEMT (transmit buffer is empty) instead of just THRE
(transmit buffer is not full) ensures that all characters have been
transmitted before the real serial driver starts reconfiguring the serial
controller (which would sometimes result in garbage being transmitted.)
This change does not cause a visible performance loss.

In addition, this seems to fix a hang observed in certain configurations on
many AR7xxx/AR9xxx SoCs during autoconfig of the real serial driver.

A more complete follow-up patch will disable 8250 autoconfig for ath79
altogether (the serial controller is detected as a 16550A, which is not
fully compatible with the ath79 serial, and the autoconfig may lead to
undefined behavior on ath79.)

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/ath79/early_printk.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/mips/ath79/early_printk.c
+++ b/arch/mips/ath79/early_printk.c
@@ -31,13 +31,15 @@ static inline void prom_putchar_wait(voi
 	} while (1);
 }
 
+#define BOTH_EMPTY (UART_LSR_TEMT | UART_LSR_THRE)
+
 static void prom_putchar_ar71xx(unsigned char ch)
 {
 	void __iomem *base = (void __iomem *)(KSEG1ADDR(AR71XX_UART_BASE));
 
-	prom_putchar_wait(base + UART_LSR * 4, UART_LSR_THRE, UART_LSR_THRE);
+	prom_putchar_wait(base + UART_LSR * 4, BOTH_EMPTY, BOTH_EMPTY);
 	__raw_writel(ch, base + UART_TX * 4);
-	prom_putchar_wait(base + UART_LSR * 4, UART_LSR_THRE, UART_LSR_THRE);
+	prom_putchar_wait(base + UART_LSR * 4, BOTH_EMPTY, BOTH_EMPTY);
 }
 
 static void prom_putchar_ar933x(unsigned char ch)
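
Review bot: both `prom_putchar_wait()` calls in `prom_putchar_ar71xx()` now require TEMT as well as THRE, and the wait loop visible at the top of the hunk ends in `while (1)` with no timeout, so the added condition lengthens a busy-wait that has no bound. The drain guarantee described in the commit message only needs the wait after `__raw_writel()`; if the wait before the write is kept at `BOTH_EMPTY` to match the generic 8250 bootconsole, say so in a comment above the new define. `prom_putchar_ar933x()` is left unchanged, which is worth a sentence in the log since the subject reads as covering all of ath79.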


* [PATCH 3.16 094/305] fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (54 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 274/305] fs: limit filesystem stacking depth Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 012/305] cpuidle: Indicate when a device has been unregistered Ben Hutchings
                   ` (249 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Steve French, Stefan Metzmacher

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Metzmacher <metze@samba.org>

commit 777f69b8d26bf35ade4a76b08f203c11e048365d upstream.

Only servers which map unknown users to guest will allow
access using a non-null NTChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -662,26 +662,31 @@ ssetup_ntlmssp_authenticate:
 #endif
 	} else if (type == NTLM) {
 		pSMB->req_no_secext.Capabilities = cpu_to_le32(capabilities);
-		pSMB->req_no_secext.CaseInsensitivePasswordLength =
-			cpu_to_le16(CIFS_AUTH_RESP_SIZE);
-		pSMB->req_no_secext.CaseSensitivePasswordLength =
-			cpu_to_le16(CIFS_AUTH_RESP_SIZE);
+		if (ses->user_name != NULL) {
+			pSMB->req_no_secext.CaseInsensitivePasswordLength =
+					cpu_to_le16(CIFS_AUTH_RESP_SIZE);
+			pSMB->req_no_secext.CaseSensitivePasswordLength =
+					cpu_to_le16(CIFS_AUTH_RESP_SIZE);
 
-		/* calculate ntlm response and session key */
-		rc = setup_ntlm_response(ses, nls_cp);
-		if (rc) {
-			cifs_dbg(VFS, "Error %d during NTLM authentication\n",
-				 rc);
-			goto ssetup_exit;
-		}
+			/* calculate ntlm response and session key */
+			rc = setup_ntlm_response(ses, nls_cp);
+			if (rc) {
+				cifs_dbg(VFS, "Error %d during NTLM authentication\n",
+						 rc);
+				goto ssetup_exit;
+			}
 
-		/* copy ntlm response */
-		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
-				CIFS_AUTH_RESP_SIZE);
-		bcc_ptr += CIFS_AUTH_RESP_SIZE;
-		memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
-				CIFS_AUTH_RESP_SIZE);
-		bcc_ptr += CIFS_AUTH_RESP_SIZE;
+			/* copy ntlm response */
+			memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
+					CIFS_AUTH_RESP_SIZE);
+			bcc_ptr += CIFS_AUTH_RESP_SIZE;
+			memcpy(bcc_ptr, ses->auth_key.response + CIFS_SESS_KEY_SIZE,
+					CIFS_AUTH_RESP_SIZE);
+			bcc_ptr += CIFS_AUTH_RESP_SIZE;
+		} else {
+			pSMB->req_no_secext.CaseInsensitivePasswordLength = 0;
+			pSMB->req_no_secext.CaseSensitivePasswordLength = 0;
+		}
 
 		if (ses->capabilities & CAP_UNICODE) {
 			/* unicode strings must be word aligned */
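
Review bot: the new `else` branch is the anonymous case but nothing in the code says so, and `ses->user_name != NULL` is silently serving as the "has credentials" test. Add a one-line comment on the `else` stating that a null session sends zero-length CaseInsensitive and CaseSensitive responses, and write the two zero lengths as `cpu_to_le16(0)` so they match the `cpu_to_le16(CIFS_AUTH_RESP_SIZE)` assignments in the other branch. The re-indented `cifs_dbg(VFS, ...)` line also now runs past 80 columns.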


* [PATCH 3.16 130/305] hpfs: implement the show_options method
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (87 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 026/305] crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 259/305] x86/power/64: Fix kernel text mapping corruption during image restoration Ben Hutchings
                   ` (216 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mikulas Patocka, Linus Torvalds, Mikulas Patocka

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <mikulas@twibright.com>

commit 037369b872940cd923835a0a589763180c4a36bc upstream.

The HPFS filesystem used generic_show_options to produce the string that is
displayed in /proc/mounts.  However, there is a problem that the options
may disappear after remount.  If we mount the filesystem with option1
and then remount it with option2, /proc/mounts should show both option1
and option2, however it only shows option2 because the whole option
string is replaced with replace_mount_options in hpfs_remount_fs.

To fix this bug, implement the hpfs_show_options function that prints
options that are currently selected.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/hpfs/super.c | 43 ++++++++++++++++++++++++++++++++-----------
 1 file changed, 32 insertions(+), 11 deletions(-)

--- a/fs/hpfs/super.c
+++ b/fs/hpfs/super.c
@@ -15,6 +15,7 @@
 #include <linux/sched.h>
 #include <linux/bitmap.h>
 #include <linux/slab.h>
+#include <linux/seq_file.h>
 
 /* Mark the filesystem dirty, so that chkdsk checks it when os/2 booted */
 
@@ -426,10 +427,6 @@ static int hpfs_remount_fs(struct super_
 	int lowercase, eas, chk, errs, chkdsk, timeshift;
 	int o;
 	struct hpfs_sb_info *sbi = hpfs_sb(s);
-	char *new_opts = kstrdup(data, GFP_KERNEL);
-
-	if (data && !new_opts)
-		return -ENOMEM;
 
 	sync_filesystem(s);
 
@@ -466,18 +463,44 @@ static int hpfs_remount_fs(struct super_
 
 	if (!(*flags & MS_RDONLY)) mark_dirty(s, 1);
 
-	if (new_opts)
-		replace_mount_options(s, new_opts);
-
 	hpfs_unlock(s);
 	return 0;
 
 out_err:
 	hpfs_unlock(s);
-	kfree(new_opts);
 	return -EINVAL;
 }
 
+static int hpfs_show_options(struct seq_file *seq, struct dentry *root)
+{
+	struct hpfs_sb_info *sbi = hpfs_sb(root->d_sb);
+
+	seq_printf(seq, ",uid=%u", from_kuid_munged(&init_user_ns, sbi->sb_uid));
+	seq_printf(seq, ",gid=%u", from_kgid_munged(&init_user_ns, sbi->sb_gid));
+	seq_printf(seq, ",umask=%03o", (~sbi->sb_mode & 0777));
+	if (sbi->sb_lowercase)
+		seq_printf(seq, ",case=lower");
+	if (!sbi->sb_chk)
+		seq_printf(seq, ",check=none");
+	if (sbi->sb_chk == 2)
+		seq_printf(seq, ",check=strict");
+	if (!sbi->sb_err)
+		seq_printf(seq, ",errors=continue");
+	if (sbi->sb_err == 2)
+		seq_printf(seq, ",errors=panic");
+	if (!sbi->sb_chkdsk)
+		seq_printf(seq, ",chkdsk=no");
+	if (sbi->sb_chkdsk == 2)
+		seq_printf(seq, ",chkdsk=always");
+	if (!sbi->sb_eas)
+		seq_printf(seq, ",eas=no");
+	if (sbi->sb_eas == 1)
+		seq_printf(seq, ",eas=ro");
+	if (sbi->sb_timeshift)
+		seq_printf(seq, ",timeshift=%d", sbi->sb_timeshift);
+	return 0;
+}
+
 /* Super operations */
 
 static const struct super_operations hpfs_sops =
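
Review bot: `hpfs_show_options()` compares `sb_chk`, `sb_err`, `sb_chkdsk` and `sb_eas` against bare 0, 1 and 2, and the value that prints nothing for each field (1 for the first three, 2 for `sb_eas`) is presumably the default without that being stated anywhere. A short comment listing the default per field, or named constants shared with the option parser, would keep this function and the parser from drifting apart, which is the same kind of /proc/mounts mismatch this patch is fixing. The calls that print a constant string, such as `seq_printf(seq, ",case=lower")`, can be `seq_puts()`.
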
@@ -488,7 +511,7 @@ static const struct super_operations hpf
 	.put_super	= hpfs_put_super,
 	.statfs		= hpfs_statfs,
 	.remount_fs	= hpfs_remount_fs,
-	.show_options	= generic_show_options,
+	.show_options	= hpfs_show_options,
 };
 
 static int hpfs_fill_super(struct super_block *s, void *options, int silent)
@@ -511,8 +534,6 @@ static int hpfs_fill_super(struct super_
 
 	int o;
 
-	save_mount_options(s, options);
-
 	sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
 	if (!sbi) {
 		return -ENOMEM;


* [PATCH 3.16 148/305] IB/IPoIB: Fix race between ipoib_remove_one to sysfs functions
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (185 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 267/305] qeth: delete napi struct when removing a qeth device Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 228/305] tmpfs: don't undo fallocate past its last page Ben Hutchings
                   ` (118 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Leon Romanovsky, Erez Shitrit, Doug Ledford

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Erez Shitrit <erezsh@mellanox.com>

commit 198b12f77084244d310888dd5d643083cb5c2aa1 upstream.

In ipoib_remove_one the driver holds the rtnl_lock and tries to do some
operation like dev_change_flags or unregister_netdev, while sysfs
callback like ipoib_vlan_delete holds sysfs mutex and tries to hold the
rtnl_lock via rtnl_trylock() and restart_syscall() if the lock is not
free, meanwhile ipoib_remove_one tries to get the sysfs lock in order to
free its sysfs directory, and we will get an a->b, b->a deadlock.

    Trace like the following:

        schedule+0x37/0x80
        schedule_preempt_disabled+0xe/0x10
        __mutex_lock_slowpath+0xb5/0x120
        mutex_lock+0x23/0x40
        rtnl_lock+0x15/0x20
        netdev_run_todo+0x17c/0x320
        rtnl_unlock+0xe/0x10
        ipoib_vlan_delete+0x11b/0x1b0 [ib_ipoib]
        delete_child+0x54/0x80 [ib_ipoib]
        dev_attr_store+0x18/0x30
        sysfs_kf_write+0x37/0x40
        mutex_lock+0x16/0x40
        SyS_write+0x55/0xc0
        entry_SYSCALL_64_fastpath+0x16/0x75
    And
        schedule+0x37/0x80
        __kernfs_remove+0x1a8/0x260
        ? wake_atomic_t_function+0x60/0x60
        kernfs_remove+0x25/0x40
        sysfs_remove_dir+0x50/0x80
        kobject_del+0x18/0x50
        device_del+0x19f/0x260
        netdev_unregister_kobject+0x6a/0x80
        rollback_registered_many+0x1fd/0x340
        rollback_registered+0x3c/0x70
        unregister_netdevice_queue+0x55/0xc0
        unregister_netdev+0x20/0x30
        ipoib_remove_one+0x114/0x1b0 [ib_ipoib]
        ib_unregister_client+0x4a/0x170 [ib_core]
        ? find_module_all+0x71/0xa0
        ipoib_cleanup_module+0x10/0x94 [ib_ipoib]
        SyS_delete_module+0x1b5/0x210
        entry_SYSCALL_64_fastpath+0x16/0x75

The fix is by checking the flag IPOIB_FLAG_INTF_ON_DESTROY in order to
get out from the sysfs function.

Fixes: 862096a8bbf8 ("IB/ipoib: Add more rtnl_link_ops callbacks")
Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support")
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/ulp/ipoib/ipoib.h      | 1 +
 drivers/infiniband/ulp/ipoib/ipoib_cm.c   | 4 ++++
 drivers/infiniband/ulp/ipoib/ipoib_main.c | 3 +++
 drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 6 ++++++
 4 files changed, 14 insertions(+)

--- a/drivers/infiniband/ulp/ipoib/ipoib.h
+++ b/drivers/infiniband/ulp/ipoib/ipoib.h
@@ -94,6 +94,7 @@ enum {
 	IPOIB_FLAG_UMCAST	  = 10,
 	IPOIB_STOP_NEIGH_GC	  = 11,
 	IPOIB_NEIGH_TBL_FLUSH	  = 12,
+	IPOIB_FLAG_GOING_DOWN	  = 15,
 
 	IPOIB_MAX_BACKOFF_SECONDS = 16,
 
--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
@@ -1472,6 +1472,10 @@ static ssize_t set_mode(struct device *d
 {
 	struct net_device *dev = to_net_dev(d);
 	int ret;
+	struct ipoib_dev_priv *priv = netdev_priv(dev);
+
+	if (test_bit(IPOIB_FLAG_GOING_DOWN, &priv->flags))
+		return -EPERM;
 
 	if (!rtnl_trylock())
 		return restart_syscall();
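
Review bot: `set_mode()` returns -EPERM when `IPOIB_FLAG_GOING_DOWN` is set, which tells the writer of the sysfs attribute that it lacks permission rather than that the device is being removed. -ENODEV or -EBUSY would describe the condition; if -EPERM is kept for consistency with the `ipoib_vlan_add()` and `ipoib_vlan_delete()` checks added in this patch, a comment at one of the three sites should say why.
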
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -1701,6 +1701,9 @@ static void ipoib_remove_one(struct ib_d
 	list_for_each_entry_safe(priv, tmp, dev_list, list) {
 		ib_unregister_event_handler(&priv->event_handler);
 
+		/* mark interface in the middle of destruction */
+		set_bit(IPOIB_FLAG_GOING_DOWN, &priv->flags);
+
 		rtnl_lock();
 		dev_change_flags(priv->dev, priv->dev->flags & ~IFF_UP);
 		rtnl_unlock();
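
Review bot: the flag set here is `IPOIB_FLAG_GOING_DOWN`, but the commit message says the fix checks `IPOIB_FLAG_INTF_ON_DESTROY`, a name that appears nowhere in the diff. One of the two should change so that a search for the flag named in the log finds the code. The comment "mark interface in the middle of destruction" should also state that the sysfs handlers test this bit before calling `rtnl_trylock()`, since the `set_bit()` has to stay ahead of the first `rtnl_lock()` in this loop for the check to help.
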
--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
@@ -131,6 +131,9 @@ int ipoib_vlan_add(struct net_device *pd
 
 	ppriv = netdev_priv(pdev);
 
+	if (test_bit(IPOIB_FLAG_GOING_DOWN, &ppriv->flags))
+		return -EPERM;
+
 	snprintf(intf_name, sizeof intf_name, "%s.%04x",
 		 ppriv->dev->name, pkey);
 	priv = ipoib_intf_alloc(intf_name);
@@ -183,6 +186,9 @@ int ipoib_vlan_delete(struct net_device
 
 	ppriv = netdev_priv(pdev);
 
+	if (test_bit(IPOIB_FLAG_GOING_DOWN, &ppriv->flags))
+		return -EPERM;
+
 	if (!rtnl_trylock())
 		return restart_syscall();
 


* [PATCH 3.16 160/305] uvc: Forward compat ioctls to their handlers directly
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (190 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 067/305] arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 114/305] sunrpc: fix stripping of padded MIC tokens Ben Hutchings
                   ` (113 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Andy Lutomirski

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@kernel.org>

commit a44323e2a8f342848bb77e8e04fcd85fcb91b3b4 upstream.

The current code goes through a lot of indirection just to call a
known handler.  Simplify it: just call the handlers directly.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
[bwh: Backported to 3.16: old code forwarded to uvc_v4l2_ioctl()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/usb/uvc/uvc_v4l2.c | 39 ++++++++++++++++++---------------------
 1 file changed, 18 insertions(+), 21 deletions(-)

--- a/drivers/media/usb/uvc/uvc_v4l2.c
+++ b/drivers/media/usb/uvc/uvc_v4l2.c
@@ -1279,47 +1279,44 @@ static int uvc_v4l2_put_xu_query(const s
 static long uvc_v4l2_compat_ioctl32(struct file *file,
 		     unsigned int cmd, unsigned long arg)
 {
+	struct uvc_fh *handle = file->private_data;
 	union {
 		struct uvc_xu_control_mapping xmap;
 		struct uvc_xu_control_query xqry;
 	} karg;
 	void __user *up = compat_ptr(arg);
-	mm_segment_t old_fs;
 	long ret;
 
 	switch (cmd) {
 	case UVCIOC_CTRL_MAP32:
-		cmd = UVCIOC_CTRL_MAP;
 		ret = uvc_v4l2_get_xu_mapping(&karg.xmap, up);
+		if (ret)
+			return ret;
+		ret = uvc_ioctl_ctrl_map(handle->chain, &karg.xmap);
+		if (ret)
+			return ret;
+		ret = uvc_v4l2_put_xu_mapping(&karg.xmap, up);
+		if (ret)
+			return ret;
+
 		break;
 
 	case UVCIOC_CTRL_QUERY32:
-		cmd = UVCIOC_CTRL_QUERY;
 		ret = uvc_v4l2_get_xu_query(&karg.xqry, up);
+		if (ret)
+			return ret;
+		ret = uvc_xu_ctrl_query(handle->chain, &karg.xqry);
+		if (ret)
+			return ret;
+		ret = uvc_v4l2_put_xu_query(&karg.xqry, up);
+		if (ret)
+			return ret;
 		break;
 
 	default:
 		return -ENOIOCTLCMD;
 	}
 
-	old_fs = get_fs();
-	set_fs(KERNEL_DS);
-	ret = uvc_v4l2_ioctl(file, cmd, (unsigned long)&karg);
-	set_fs(old_fs);
-
-	if (ret < 0)
-		return ret;
-
-	switch (cmd) {
-	case UVCIOC_CTRL_MAP:
-		ret = uvc_v4l2_put_xu_mapping(&karg.xmap, up);
-		break;
-
-	case UVCIOC_CTRL_QUERY:
-		ret = uvc_v4l2_put_xu_query(&karg.xqry, up);
-		break;
-	}
-
 	return ret;
 }
 #endif
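
Review bot: the removed path called `uvc_v4l2_ioctl(file, cmd, ...)` under `set_fs(KERNEL_DS)`, while the new code calls `uvc_ioctl_ctrl_map()` and `uvc_xu_ctrl_query()` on `handle->chain` directly, so anything `uvc_v4l2_ioctl()` did before reaching those handlers is now skipped for compat callers. That function is outside this hunk; the log should state that nothing but the dispatch is lost. It should also mention that the `set_fs(KERNEL_DS)` address-limit override is gone, which matters more than the reduced indirection. Minor: every error now returns early, so the final `return ret;` can only return 0, and there is a stray blank line before `break;` in the `UVCIOC_CTRL_MAP32` case.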


* [PATCH 3.16 197/305] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (175 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 295/305] netfilter: x_tables: check for bogus target offset Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-16  7:34   ` SebastienOcquidant
  2016-08-13 17:42 ` [PATCH 3.16 167/305] usb: dwc3: exynos: Fix deferred probing storm Ben Hutchings
                   ` (128 subsequent siblings)
  305 siblings, 1 reply; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Roger Quadros, Ocquidant, Sebastien

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Ocquidant, Sebastien" <sebastienocquidant@eaton.com>

commit 8f50b8e57442d28e41bb736c173d8a2490549a82 upstream.

In the omap gpmc driver it can be noticed that GPMC_CONFIG4_OEEXTRADELAY
is overwritten by the WEEXTRADELAY value from the device tree and
GPMC_CONFIG4_WEEXTRADELAY is not updated by the value from the device
tree.

As a consequence, the memory accesses cannot be configured properly when
extra delays are needed for OE and WE.

Fix the update of GPMC_CONFIG4_WEEXTRADELAY with the value from the
device tree file and prevent GPMC_CONFIG4_OEEXTRADELAY
being overwritten by the WEEXTRADELAY value from the device tree.

Signed-off-by: Ocquidant, Sebastien <sebastienocquidant@eaton.com>
Signed-off-by: Roger Quadros <rogerq@ti.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-omap2/gpmc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/mach-omap2/gpmc.c
+++ b/arch/arm/mach-omap2/gpmc.c
@@ -274,7 +274,7 @@ static void gpmc_cs_bool_timings(int cs,
 	gpmc_cs_modify_reg(cs, GPMC_CS_CONFIG4,
 			   GPMC_CONFIG4_OEEXTRADELAY, p->oe_extra_delay);
 	gpmc_cs_modify_reg(cs, GPMC_CS_CONFIG4,
-			   GPMC_CONFIG4_OEEXTRADELAY, p->we_extra_delay);
+			   GPMC_CONFIG4_WEEXTRADELAY, p->we_extra_delay);
 	gpmc_cs_modify_reg(cs, GPMC_CS_CONFIG6,
 			   GPMC_CONFIG6_CYCLE2CYCLESAMECSEN,
 			   p->cycle2cyclesamecsen);
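
Review bot: for a stable backport, the corrected mask in the second `gpmc_cs_modify_reg()` call changes the CONFIG4 value on any board whose device tree sets the WE extra delay: the OE bit is no longer overwritten by `p->we_extra_delay`, and the WE bit is programmed for the first time. That is the intended fix, but it is worth confirming that no board had its timings tuned around the old behaviour before this goes into 3.16.y. No code change requested.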


* [PATCH 3.16 080/305] IB/IWPM: Fix a potential skb leak
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (157 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 040/305] driver-core: use 'dev' argument in dev_dbg_ratelimited stub Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 115/305] wait/ptrace: assume __WALL if the child is traced Ben Hutchings
                   ` (146 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Leon Romanovsky, Leon Romanovsky, Mark Bloch, Steve Wise,
	Doug Ledford

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Bloch <markb@mellanox.com>

commit 5ed935e861a4cbf2158ad3386d6d26edd60d2658 upstream.

In case ibnl_put_msg fails in send_nlmsg_done,
the function returns with -ENOMEM without freeing.

This patch fixes this behavior.

Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service")
Signed-off-by: Mark Bloch <markb@mellanox.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/infiniband/core/iwpm_util.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/infiniband/core/iwpm_util.c
+++ b/drivers/infiniband/core/iwpm_util.c
@@ -484,6 +484,7 @@ static int send_nlmsg_done(struct sk_buf
 	if (!(ibnl_put_msg(skb, &nlh, 0, 0, nl_client,
 			   RDMA_NL_IWPM_MAPINFO, NLM_F_MULTI))) {
 		pr_warn("%s Unable to put NLMSG_DONE\n", __func__);
+		dev_kfree_skb(skb);
 		return -ENOMEM;
 	}
 	nlh->nlmsg_type = NLMSG_DONE;
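
Review bot: the added `dev_kfree_skb(skb)` makes `send_nlmsg_done()` the owner of `skb` on this error path, so any caller that also frees the skb when it sees -ENOMEM would now free it twice. The callers are not part of this hunk; please confirm none of them release `skb` after a failed call, and add a line to the function's comment saying that it consumes the skb on failure.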


* [PATCH 3.16 020/305] serial: doc: Re-add paragraph documenting uart_console_write()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (2 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 241/305] arc: unwind: warn only once if DW2_UNWIND is disabled Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 230/305] staging: iio: accel: fix error check Ben Hutchings
                   ` (301 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Geert Uytterhoeven, Jonathan Corbet

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit d124fd3bb36ceb40438f10c897ce642386b74b72 upstream.

Commit 834392a7d92677ff ("serial: doc: Un-document non-existing
uart_write_console()") removed a paragraph about a helper function that
seemed to never exist.

Peter Hurley pointed out that the function does exist, but is called
differently. Re-add the paragraph, with the function name corrected.

Fixes: 834392a7d92677ff ("serial: doc: Un-document non-existing uart_write_console()")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/serial/driver | 5 +++++
 1 file changed, 5 insertions(+)

--- a/Documentation/serial/driver
+++ b/Documentation/serial/driver
@@ -28,6 +28,11 @@ The serial core provides a few helper fu
 the correct port structure (via uart_get_console) and decoding command line
 arguments (uart_parse_options).
 
+There is also a helper function (uart_console_write) which performs a
+character by character write, translating newlines to CRLF sequences.
+Driver writers are recommended to use this function rather than implementing
+their own version.
+
 
 Locking
 -------


* [PATCH 3.16 192/305] netem: fix a use after free
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (67 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 156/305] fix d_walk()/non-delayed __d_free() race Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 296/305] netfilter: x_tables: validate all offsets and sizes in a rule Ben Hutchings
                   ` (236 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Eric Dumazet, Stephen Hemminger, Jamal Hadi Salim,
	David S. Miller, WANG Cong

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 21de12ee5568fd1aec47890c72967abf791ac80a upstream.

If the packet was dropped by lower qdisc, then we must not
access it later.

Save qdisc_pkt_len(skb) in a temp variable.

Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: WANG Cong <xiyou.wangcong@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: not using qdisc_qstats_drop()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_netem.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -606,14 +606,14 @@ deliver:
 #endif
 
 			if (q->qdisc) {
+				unsigned int pkt_len = qdisc_pkt_len(skb);
 				int err = qdisc_enqueue(skb, q->qdisc);
 
-				if (unlikely(err != NET_XMIT_SUCCESS)) {
-					if (net_xmit_drop_count(err)) {
-						sch->qstats.drops++;
-						qdisc_tree_reduce_backlog(sch, 1,
-									  qdisc_pkt_len(skb));
-					}
+				if (err != NET_XMIT_SUCCESS &&
+				    net_xmit_drop_count(err)) {
+					sch->qstats.drops++;
+					qdisc_tree_reduce_backlog(sch, 1,
+								  pkt_len);
 				}
 				goto tfifo_dequeue;
 			}
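
Review bot: the rewritten test `if (err != NET_XMIT_SUCCESS && net_xmit_drop_count(err))` drops the `unlikely()` annotation that the old outer `if` carried; if that was not deliberate, keep it on the combined condition. A one-line comment above `pkt_len` saying that the child qdisc may free `skb` when it drops the packet would stop a later cleanup from moving the `qdisc_pkt_len(skb)` read back after `qdisc_enqueue()`.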


* [PATCH 3.16 004/305] serial: doc: Un-document non-existing uart_write_console()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (114 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 071/305] perf tools: Fix perf regs mask generation Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 031/305] arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables Ben Hutchings
                   ` (189 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jonathan Corbet, Geert Uytterhoeven

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit 834392a7d92677ff2bdc1c709b1171ee585b55c9 upstream.

uart_write_console() never existed, not even when the "new
uart_write_console function" was documented.

Fixes: 67ab7f596b6adbae ("[SERIAL] Update serial driver documentation")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 Documentation/serial/driver | 5 -----
 1 file changed, 5 deletions(-)

--- a/Documentation/serial/driver
+++ b/Documentation/serial/driver
@@ -28,11 +28,6 @@ The serial core provides a few helper fu
 the correct port structure (via uart_get_console) and decoding command line
 arguments (uart_parse_options).
 
-There is also a helper function (uart_write_console) which performs a
-character by character write, translating newlines to CRLF sequences.
-Driver writers are recommended to use this function rather than implementing
-their own version.
-
 
 Locking
 -------


* [PATCH 3.16 242/305] s390: fix test_fp_ctl inline assembly contraints
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (193 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 014/305] mfd: lp8788-irq: Uninitialized variable in irq handler Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 292/305] netfilter: x_tables: assert minimum target size Ben Hutchings
                   ` (110 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Heiko Carstens, Martin Schwidefsky

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky <schwidefsky@de.ibm.com>

commit bcf4dd5f9ee096bd1510f838dd4750c35df4e38b upstream.

The test_fp_ctl function is used to test if a given value is a valid
floating-point control. The inline assembly in test_fp_ctl uses an
incorrect constraint for the 'orig_fpc' variable. If the compiler
chooses the same register for 'fpc' and 'orig_fpc' the test_fp_ctl()
function always returns true. This allows user space to trigger
kernel oopses with invalid floating-point control values on the
signal stack.

This problem has been introduced with git commit 4725c86055f5bbdcdf
"s390: fix save and restore of the floating-point-control register"

Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/s390/include/asm/switch_to.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/include/asm/switch_to.h
+++ b/arch/s390/include/asm/switch_to.h
@@ -28,7 +28,7 @@ static inline int test_fp_ctl(u32 fpc)
 		"	la	%0,0\n"
 		"1:\n"
 		EX_TABLE(0b,1b)
-		: "=d" (rc), "=d" (orig_fpc)
+		: "=d" (rc), "=&d" (orig_fpc)
 		: "d" (fpc), "0" (-EINVAL));
 	return rc;
 }
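
Review bot: the early-clobber modifier on `orig_fpc` (`"=&d"`) is the entire fix and nothing in the source records why it is needed. Add a comment above the output constraints saying that `orig_fpc` must not share a register with the `fpc` input, because with a shared register the function accepts any value, as the commit message describes; without that comment the `&` looks removable.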


* [PATCH 3.16 268/305] xenbus: don't BUG() on user mode induced condition
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (11 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 123/305] sfc: on MC reset, clear PIO buffer linkage in TXQs Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 188/305] kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while processing sysrq-w Ben Hutchings
                   ` (292 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jan Beulich, David Vrabel, Jan Beulich

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Beulich <JBeulich@suse.com>

commit 0beef634b86a1350c31da5fcc2992f0d7c8a622b upstream.

Inability to locate a user mode specified transaction ID should not
lead to a kernel crash. For other than XS_TRANSACTION_START also
don't issue anything to xenbus if the specified ID doesn't match that
of any active transaction.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/xen/xenbus/xenbus_dev_frontend.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
 			rc = -ENOMEM;
 			goto out;
 		}
+	} else {
+		list_for_each_entry(trans, &u->transactions, list)
+			if (trans->handle.id == u->u.msg.tx_id)
+				break;
+		if (&trans->list == &u->transactions)
+			return -ESRCH;
 	}
 
 	reply = xenbus_dev_request_and_reply(&u->u.msg);
 	if (IS_ERR(reply)) {
-		kfree(trans);
+		if (msg_type == XS_TRANSACTION_START)
+			kfree(trans);
 		rc = PTR_ERR(reply);
 		goto out;
 	}
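Review bot: the lookup in the new else branch runs for every message type other than XS_TRANSACTION_START, so any request whose u->u.msg.tx_id matches no entry in u->transactions now fails with -ESRCH before it reaches xenbus. If user space can legitimately send a request outside a transaction started through this file, that case needs an explicit exemption ahead of the list walk. The bare `return -ESRCH;` also departs from the `rc = -ENOMEM; goto out;` pattern in the context just above; setting rc and jumping to out would keep a single exit path.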
@@ -330,12 +337,7 @@ static int xenbus_write_transaction(unsi
 
 		list_add(&trans->list, &u->transactions);
 	} else if (msg_type == XS_TRANSACTION_END) {
-		list_for_each_entry(trans, &u->transactions, list)
-			if (trans->handle.id == u->u.msg.tx_id)
-				break;
-		BUG_ON(&trans->list == &u->transactions);
 		list_del(&trans->list);
-
 		kfree(trans);
 	}
 
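Review bot: in the XS_TRANSACTION_END branch, list_del(&trans->list) now depends on trans having been set by the lookup that moved ahead of xenbus_dev_request_and_reply(), which is no longer visible at the point of use. A short comment here saying that trans was validated before the request was sent would make that dependency explicit for whoever next touches either block.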

* [PATCH 3.16 300/305] netfilter: ip6_tables: simplify translate_compat_table args
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Westphal, Pablo Neira Ayuso

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 329a0807124f12fe1c8032f95d8a8eb47047fb0e upstream.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1457,7 +1457,6 @@ compat_copy_entry_to_user(struct ip6t_en
 
 static int
 compat_find_calc_match(struct xt_entry_match *m,
-		       const char *name,
 		       const struct ip6t_ip6 *ipv6,
 		       unsigned int hookmask,
 		       int *size)
@@ -1495,8 +1494,7 @@ check_compat_entry_size_and_hooks(struct
 				  const unsigned char *base,
 				  const unsigned char *limit,
 				  const unsigned int *hook_entries,
-				  const unsigned int *underflows,
-				  const char *name)
+				  const unsigned int *underflows)
 {
 	struct xt_entry_match *ematch;
 	struct xt_entry_target *t;
@@ -1532,8 +1530,8 @@ check_compat_entry_size_and_hooks(struct
 	entry_offset = (void *)e - (void *)base;
 	j = 0;
 	xt_ematch_foreach(ematch, e) {
-		ret = compat_find_calc_match(ematch, name,
-					     &e->ipv6, e->comefrom, &off);
+		ret = compat_find_calc_match(ematch, &e->ipv6, e->comefrom,
+					     &off);
 		if (ret != 0)
 			goto release_matches;
 		++j;
@@ -1582,7 +1580,7 @@ release_matches:
 
 static int
 compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
-			    unsigned int *size, const char *name,
+			    unsigned int *size,
 			    struct xt_table_info *newinfo, unsigned char *base)
 {
 	struct xt_entry_target *t;
@@ -1656,14 +1654,9 @@ static int compat_check_entry(struct ip6
 
 static int
 translate_compat_table(struct net *net,
-		       const char *name,
-		       unsigned int valid_hooks,
 		       struct xt_table_info **pinfo,
 		       void **pentry0,
-		       unsigned int total_size,
-		       unsigned int number,
-		       unsigned int *hook_entries,
-		       unsigned int *underflows)
+		       const struct compat_ip6t_replace *compatr)
 {
 	unsigned int i, j;
 	struct xt_table_info *newinfo, *info;
@@ -1675,8 +1668,8 @@ translate_compat_table(struct net *net,
 
 	info = *pinfo;
 	entry0 = *pentry0;
-	size = total_size;
-	info->number = number;
+	size = compatr->size;
+	info->number = compatr->num_entries;
 
 	/* Init all hooks to impossible value. */
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
@@ -1687,40 +1680,39 @@ translate_compat_table(struct net *net,
 	duprintf("translate_compat_table: size %u\n", info->size);
 	j = 0;
 	xt_compat_lock(AF_INET6);
-	xt_compat_init_offsets(AF_INET6, number);
+	xt_compat_init_offsets(AF_INET6, compatr->num_entries);
 	/* Walk through entries, checking offsets. */
-	xt_entry_foreach(iter0, entry0, total_size) {
+	xt_entry_foreach(iter0, entry0, compatr->size) {
 		ret = check_compat_entry_size_and_hooks(iter0, info, &size,
 							entry0,
-							entry0 + total_size,
-							hook_entries,
-							underflows,
-							name);
+							entry0 + compatr->size,
+							compatr->hook_entry,
+							compatr->underflow);
 		if (ret != 0)
 			goto out_unlock;
 		++j;
 	}
 
 	ret = -EINVAL;
-	if (j != number) {
+	if (j != compatr->num_entries) {
 		duprintf("translate_compat_table: %u not %u entries\n",
-			 j, number);
+			 j, compatr->num_entries);
 		goto out_unlock;
 	}
 
 	/* Check hooks all assigned */
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
 		/* Only hooks which are valid */
-		if (!(valid_hooks & (1 << i)))
+		if (!(compatr->valid_hooks & (1 << i)))
 			continue;
 		if (info->hook_entry[i] == 0xFFFFFFFF) {
 			duprintf("Invalid hook entry %u %u\n",
-				 i, hook_entries[i]);
+				 i, info->hook_entry[i]);
 			goto out_unlock;
 		}
 		if (info->underflow[i] == 0xFFFFFFFF) {
 			duprintf("Invalid underflow %u %u\n",
-				 i, underflows[i]);
+				 i, info->underflow[i]);
 			goto out_unlock;
 		}
 	}
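Review bot: in the "Check hooks all assigned" loop, the two duprintf() calls now print info->hook_entry[i] and info->underflow[i] inside branches that are only taken when those fields equal 0xFFFFFFFF, so the second value in each message is a constant. The old arguments printed the offsets supplied by the caller; compatr->hook_entry[i] and compatr->underflow[i] would preserve that diagnostic.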
@@ -1730,17 +1722,17 @@ translate_compat_table(struct net *net,
 	if (!newinfo)
 		goto out_unlock;
 
-	newinfo->number = number;
+	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
 		newinfo->hook_entry[i] = info->hook_entry[i];
 		newinfo->underflow[i] = info->underflow[i];
 	}
 	entry1 = newinfo->entries[raw_smp_processor_id()];
 	pos = entry1;
-	size = total_size;
-	xt_entry_foreach(iter0, entry0, total_size) {
+	size = compatr->size;
+	xt_entry_foreach(iter0, entry0, compatr->size) {
 		ret = compat_copy_entry_from_user(iter0, &pos, &size,
-						  name, newinfo, entry1);
+						  newinfo, entry1);
 		if (ret != 0)
 			break;
 	}
@@ -1750,12 +1742,12 @@ translate_compat_table(struct net *net,
 		goto free_newinfo;
 
 	ret = -ELOOP;
-	if (!mark_source_chains(newinfo, valid_hooks, entry1))
+	if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
 		goto free_newinfo;
 
 	i = 0;
 	xt_entry_foreach(iter1, entry1, newinfo->size) {
-		ret = compat_check_entry(iter1, net, name);
+		ret = compat_check_entry(iter1, net, compatr->name);
 		if (ret != 0)
 			break;
 		++i;
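Review bot: compat_check_entry() now takes compatr->name straight from the replace structure, and the visible lines do not show where that field is NUL-terminated. It is worth confirming that the caller terminates name in its kernel copy before translate_compat_table() runs, and saying so in a comment on the new compatr parameter.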
@@ -1800,7 +1792,7 @@ translate_compat_table(struct net *net,
 free_newinfo:
 	xt_free_table_info(newinfo);
 out:
-	xt_entry_foreach(iter0, entry0, total_size) {
+	xt_entry_foreach(iter0, entry0, compatr->size) {
 		if (j-- == 0)
 			break;
 		compat_release_entry(iter0);
@@ -1843,10 +1835,7 @@ compat_do_replace(struct net *net, void
 		goto free_newinfo;
 	}
 
-	ret = translate_compat_table(net, tmp.name, tmp.valid_hooks,
-				     &newinfo, &loc_cpu_entry, tmp.size,
-				     tmp.num_entries, tmp.hook_entry,
-				     tmp.underflow);
+	ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
 	if (ret != 0)
 		goto free_newinfo;
 

* [PATCH 3.16 280/305] tipc: fix an infoleak in tipc_nl_compat_link_dump
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kangjie Lu, David S. Miller, Kangjie Lu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kangjie Lu <kangjielu@gmail.com>

commit 5d2be1422e02ccd697ccfcd45c85b4a26e6178e2 upstream.

link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
[carnil: Backported to 3.16 (same as bwh did for 3.2): the unpadded strcpy() is
in tipc_node_get_links() and no nlattr is involved, so use strncpy()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -417,7 +417,8 @@ struct sk_buff *tipc_node_get_links(cons
 				continue;
 			link_info.dest = htonl(n_ptr->addr);
 			link_info.up = htonl(tipc_link_is_up(n_ptr->links[i]));
-			strcpy(link_info.str, n_ptr->links[i]->name);
+			strncpy(link_info.str, n_ptr->links[i]->name,
+				sizeof(link_info.str));
 			tipc_cfg_append_tlv(buf, TIPC_TLV_LINK_INFO,
 					    &link_info, sizeof(link_info));
 		}
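Review bot: strncpy() on the added lines does two jobs, and only one is safe by construction. It zero-fills the tail of link_info.str, which closes the leak, but it writes no terminator when n_ptr->links[i]->name is sizeof(link_info.str) bytes or longer. Either state in a comment that the link name is always shorter than the buffer, or set the last byte of link_info.str to '\0' after the copy. If link_info has any padding between dest, up and str, clearing the whole struct once before the loop would cover that as well, since sizeof(link_info) bytes are appended.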

* [PATCH 3.16 232/305] iio:ad7266: Fix broken regulator error handling
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Jonathan Cameron

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@kernel.org>

commit 6b7f4e25f3309f106a5c7ff42c8231494cf285d3 upstream.

All regulator_get() variants return either a pointer to a regulator or an
ERR_PTR() so testing for NULL makes no sense and may lead to bugs if we
use NULL as a valid regulator. Fix this by using IS_ERR() as expected.

Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/adc/ad7266.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/ad7266.c
+++ b/drivers/iio/adc/ad7266.c
@@ -397,7 +397,7 @@ static int ad7266_probe(struct spi_devic
 	st = iio_priv(indio_dev);
 
 	st->reg = devm_regulator_get(&spi->dev, "vref");
-	if (!IS_ERR_OR_NULL(st->reg)) {
+	if (!IS_ERR(st->reg)) {
 		ret = regulator_enable(st->reg);
 		if (ret)
 			return ret;
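Review bot: st->reg holds whatever devm_regulator_get() returned, so on failure it stays an ERR_PTR() for the life of the device, and every later test of st->reg in this driver has to use IS_ERR() too. The hunk shows only the probe check; any remaining `if (st->reg)` or NULL comparison elsewhere would treat an error pointer as a usable regulator.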

* [PATCH 3.16 132/305] powerpc: Fix definition of SIAR and SDAR registers
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Thomas Huth, Michael Ellerman, Paul Mackerras

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Huth <thuth@redhat.com>

commit d23fac2b27d94aeb7b65536a50d32bfdc21fe01e upstream.

The SIAR and SDAR registers are available twice, one time as SPRs
780 / 781 (unprivileged, but read-only), and one time as the SPRs
796 / 797 (privileged, but read and write). The Linux kernel code
currently uses the unprivileged SPRs - while this is OK for reading,
writing to that register of course does not work.
Since the KVM code tries to write to this register, too (see the mtspr
in book3s_hv_rmhandlers.S), the contents of this register sometimes get
lost for the guests, e.g. during migration of a VM.
To fix this issue, simply switch to the privileged SPR numbers instead.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Acked-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/include/asm/reg.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/include/asm/reg.h
+++ b/arch/powerpc/include/asm/reg.h
@@ -740,13 +740,13 @@
 #define SPRN_PMC6	792
 #define SPRN_PMC7	793
 #define SPRN_PMC8	794
-#define SPRN_SIAR	780
-#define SPRN_SDAR	781
 #define SPRN_SIER	784
 #define   SIER_SIPR		0x2000000	/* Sampled MSR_PR */
 #define   SIER_SIHV		0x1000000	/* Sampled MSR_HV */
 #define   SIER_SIAR_VALID	0x0400000	/* SIAR contents valid */
 #define   SIER_SDAR_VALID	0x0200000	/* SDAR contents valid */
+#define SPRN_SIAR	796
+#define SPRN_SDAR	797
 #define SPRN_TACR	888
 #define SPRN_TCSCR	889
 #define SPRN_CSIGR	890
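Review bot: the SPRN_SIAR and SPRN_SDAR defines now carry the privileged numbers 796 and 797 with no comment, and the unprivileged read-only numbers 780 and 781 disappear from the header entirely. A comment on the two added lines noting that these are the privileged read/write SPRs, and that 780/781 are the read-only aliases, would stop someone from "correcting" the values against a register table later.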

* [PATCH 3.16 102/305] xfs: xfs_iflush_cluster fails to abort on error
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Christoph Hellwig, Dave Chinner, Shyam Kaushik, Dave Chinner

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Chinner <dchinner@redhat.com>

commit b1438f477934f5a4d5a44df26f3079a7575d5946 upstream.

When a failure due to an inode buffer occurs, the error handling
fails to abort the inode writeback correctly. This can result in the
inode being reclaimed whilst still in the AIL, leading to
use-after-free situations as well as filesystems that cannot be
unmounted as the inode log items left in the AIL never get removed.

Fix this by ensuring fatal errors from xfs_imap_to_bp() result in
the inode flush being aborted correctly.

Reported-by: Shyam Kaushik <shyam@zadarastorage.com>
Diagnosed-by: Shyam Kaushik <shyam@zadarastorage.com>
Tested-by: Shyam Kaushik <shyam@zadarastorage.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/xfs/xfs_inode.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -3151,7 +3151,7 @@ xfs_iflush(
 	struct xfs_buf		**bpp)
 {
 	struct xfs_mount	*mp = ip->i_mount;
-	struct xfs_buf		*bp;
+	struct xfs_buf		*bp = NULL;
 	struct xfs_dinode	*dip;
 	int			error;
 
@@ -3193,14 +3193,22 @@ xfs_iflush(
 	}
 
 	/*
-	 * Get the buffer containing the on-disk inode.
+	 * Get the buffer containing the on-disk inode. We are doing a try-lock
+	 * operation here, so we may get  an EAGAIN error. In that case, we
+	 * simply want to return with the inode still dirty.
+	 *
+	 * If we get any other error, we effectively have a corruption situation
+	 * and we cannot flush the inode, so we treat it the same as failing
+	 * xfs_iflush_int().
 	 */
 	error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK,
 			       0);
-	if (error || !bp) {
+	if (error == -EAGAIN) {
 		xfs_ifunlock(ip);
 		return error;
 	}
+	if (error)
+		goto corrupt_out;
 
 	/*
 	 * First flush out the inode that xfs_iflush was called with.
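Review bot: the new test `if (error == -EAGAIN)` assumes negative errnos, but the corrupt_out path of this same function assigns `error = XFS_ERROR(EFSCORRUPTED);` with a positive constant. If xfs_imap_to_bp() in this tree returns a positive EAGAIN, the comparison never matches, and a failed trylock falls through to `goto corrupt_out` and forces a filesystem shutdown instead of returning with the inode still dirty. Please check the sign convention in the 3.16 sources before this is applied. Separately, the old `|| !bp` guard is gone, so a return of 0 with bp still NULL would now reach the flush code.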
@@ -3228,7 +3236,8 @@ xfs_iflush(
 	return 0;
 
 corrupt_out:
-	xfs_buf_relse(bp);
+	if (bp)
+		xfs_buf_relse(bp);
 	xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
 cluster_corrupt_out:
 	error = XFS_ERROR(EFSCORRUPTED);

* [PATCH 3.16 164/305] iio: proximity: as3935: remove triggered buffer processing
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Matt Ranostay, Jonathan Cameron, george.mccollister

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Matt Ranostay <mranostay@gmail.com>

commit 7d0643634ea567969bf3f3ed6193a9d6fc75653b upstream.

Triggered buffers shouldn't return processed data, and the respective
conversion was overflowing the defined .realbits for the channel.

Cc: george.mccollister@gmail.com
Signed-off-by: Matt Ranostay <mranostay@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/proximity/as3935.c | 1 -
 1 file changed, 1 deletion(-)

--- a/drivers/iio/proximity/as3935.c
+++ b/drivers/iio/proximity/as3935.c
@@ -213,7 +213,6 @@ static irqreturn_t as3935_trigger_handle
 	if (ret)
 		goto err_read;
 	val &= AS3935_DATA_MASK;
-	val *= 1000;
 
 	iio_push_to_buffers_with_timestamp(indio_dev, &val, pf->timestamp);
 err_read:

* [PATCH 3.16 146/305] powerpc/pseries: Fix PCI config address for DDW
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Guilherme G. Piccoli, Gavin Shan, Michael Ellerman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Gavin Shan <gwshan@linux.vnet.ibm.com>

commit 8a934efe94347eee843aeea65bdec8077a79e259 upstream.

In commit 8445a87f7092 "powerpc/iommu: Remove the dependency on EEH
struct in DDW mechanism", the PE address was replaced with the PCI
config address in order to remove dependency on EEH. According to PAPR
spec, firmware (pHyp or QEMU) should accept "xxBBSSxx" format PCI config
address, not "xxxxBBSS" provided by the patch. Note that "BB" is PCI bus
number and "SS" is the combination of slot and function number.

This fixes the PCI address passed to DDW RTAS calls.

Fixes: 8445a87f7092 ("powerpc/iommu: Remove the dependency on EEH struct in DDW mechanism")
Reported-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Tested-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/platforms/pseries/iommu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/platforms/pseries/iommu.c
+++ b/arch/powerpc/platforms/pseries/iommu.c
@@ -841,7 +841,7 @@ static int query_ddw(struct pci_dev *dev
 	dn = pci_device_to_OF_node(dev);
 	pdn = PCI_DN(dn);
 	buid = pdn->phb->buid;
-	cfg_addr = (pdn->busno << 8) | pdn->devfn;
+	cfg_addr = ((pdn->busno << 16) | (pdn->devfn << 8));
 
 	ret = rtas_call(ddw_avail[0], 3, 5, (u32 *)query,
 		  cfg_addr, BUID_HI(buid), BUID_LO(buid));
@@ -870,7 +870,7 @@ static int create_ddw(struct pci_dev *de
 	dn = pci_device_to_OF_node(dev);
 	pdn = PCI_DN(dn);
 	buid = pdn->phb->buid;
-	cfg_addr = (pdn->busno << 8) | pdn->devfn;
+	cfg_addr = ((pdn->busno << 16) | (pdn->devfn << 8));
 
 	do {
 		/* extra outputs are LIOBN and dma-addr (hi, lo) */
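Review bot: the expression `((pdn->busno << 16) | (pdn->devfn << 8))` is open-coded in both query_ddw() and create_ddw(), and both copies had to be corrected in this patch. A small helper or macro, with a comment naming the "xxBBSSxx" layout from the commit message, would give the format a single definition.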

* [PATCH 3.16 127/305] Input: pwm-beeper - fix - scheduling while atomic
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Manfred Schlaegl, Dmitry Torokhov

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Manfred Schlaegl <manfred.schlaegl@gmx.at>

commit f49cf3b8b4c841457244c461c66186a719e13bcc upstream.

Pwm config may sleep so defer it using a worker.

On a Freescale i.MX53 based board we ran into "BUG: scheduling while
atomic" because input_inject_event locks interrupts, but
imx_pwm_config_v2 sleeps.

Tested on Freescale i.MX53 SoC with 4.6.0.

Signed-off-by: Manfred Schlaegl <manfred.schlaegl@gmx.at>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/misc/pwm-beeper.c | 69 ++++++++++++++++++++++++++++-------------
 1 file changed, 48 insertions(+), 21 deletions(-)

--- a/drivers/input/misc/pwm-beeper.c
+++ b/drivers/input/misc/pwm-beeper.c
@@ -20,21 +20,40 @@
 #include <linux/platform_device.h>
 #include <linux/pwm.h>
 #include <linux/slab.h>
+#include <linux/workqueue.h>
 
 struct pwm_beeper {
 	struct input_dev *input;
 	struct pwm_device *pwm;
+	struct work_struct work;
 	unsigned long period;
 };
 
 #define HZ_TO_NANOSECONDS(x) (1000000000UL/(x))
 
+static void __pwm_beeper_set(struct pwm_beeper *beeper)
+{
+	unsigned long period = beeper->period;
+
+	if (period) {
+		pwm_config(beeper->pwm, period / 2, period);
+		pwm_enable(beeper->pwm);
+	} else
+		pwm_disable(beeper->pwm);
+}
+
+static void pwm_beeper_work(struct work_struct *work)
+{
+	struct pwm_beeper *beeper =
+		container_of(work, struct pwm_beeper, work);
+
+	__pwm_beeper_set(beeper);
+}
+
 static int pwm_beeper_event(struct input_dev *input,
 			    unsigned int type, unsigned int code, int value)
 {
-	int ret = 0;
 	struct pwm_beeper *beeper = input_get_drvdata(input);
-	unsigned long period;
 
 	if (type != EV_SND || value < 0)
 		return -EINVAL;
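Review bot: __pwm_beeper_set() discards the return values of pwm_config() and pwm_enable(), which the old pwm_beeper_event() checked and propagated. Since the worker cannot return an error to the caller, it should at least skip pwm_enable() when pwm_config() fails and log the failure.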
@@ -49,22 +68,31 @@ static int pwm_beeper_event(struct input
 		return -EINVAL;
 	}
 
-	if (value == 0) {
-		pwm_disable(beeper->pwm);
-	} else {
-		period = HZ_TO_NANOSECONDS(value);
-		ret = pwm_config(beeper->pwm, period / 2, period);
-		if (ret)
-			return ret;
-		ret = pwm_enable(beeper->pwm);
-		if (ret)
-			return ret;
-		beeper->period = period;
-	}
+	if (value == 0)
+		beeper->period = 0;
+	else
+		beeper->period = HZ_TO_NANOSECONDS(value);
+
+	schedule_work(&beeper->work);
 
 	return 0;
 }
 
+static void pwm_beeper_stop(struct pwm_beeper *beeper)
+{
+	cancel_work_sync(&beeper->work);
+
+	if (beeper->period)
+		pwm_disable(beeper->pwm);
+}
+
+static void pwm_beeper_close(struct input_dev *input)
+{
+	struct pwm_beeper *beeper = input_get_drvdata(input);
+
+	pwm_beeper_stop(beeper);
+}
+
 static int pwm_beeper_probe(struct platform_device *pdev)
 {
 	unsigned long pwm_id = (unsigned long)dev_get_platdata(&pdev->dev);
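Review bot: pwm_beeper_stop() decides whether to call pwm_disable() from beeper->period, but that field is written in pwm_beeper_event() before the work has run. If cancel_work_sync() cancels a pending item, period can be non-zero while the PWM was never enabled, or zero while it is still running from an earlier tone, so the disable is keyed to the last request rather than to the hardware state. Tracking the applied state in the worker, or disabling unconditionally after the cancel, avoids that. period is also shared between the event handler and the worker with no synchronisation in the visible lines.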
@@ -87,6 +115,8 @@ static int pwm_beeper_probe(struct platf
 		goto err_free;
 	}
 
+	INIT_WORK(&beeper->work, pwm_beeper_work);
+
 	beeper->input = input_allocate_device();
 	if (!beeper->input) {
 		dev_err(&pdev->dev, "Failed to allocate input device\n");
@@ -106,6 +136,7 @@ static int pwm_beeper_probe(struct platf
 	beeper->input->sndbit[0] = BIT(SND_TONE) | BIT(SND_BELL);
 
 	beeper->input->event = pwm_beeper_event;
+	beeper->input->close = pwm_beeper_close;
 
 	input_set_drvdata(beeper->input, beeper);
 
@@ -135,7 +166,6 @@ static int pwm_beeper_remove(struct plat
 
 	input_unregister_device(beeper->input);
 
-	pwm_disable(beeper->pwm);
 	pwm_free(beeper->pwm);
 
 	kfree(beeper);
@@ -148,8 +178,7 @@ static int pwm_beeper_suspend(struct dev
 {
 	struct pwm_beeper *beeper = dev_get_drvdata(dev);
 
-	if (beeper->period)
-		pwm_disable(beeper->pwm);
+	pwm_beeper_stop(beeper);
 
 	return 0;
 }
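Review bot: pwm_beeper_suspend() cancels the work, but nothing in the visible lines stops pwm_beeper_event() from calling schedule_work() again afterwards, so the worker can still reconfigure the PWM while the device is suspended. A suspended flag, set before pwm_beeper_stop() and checked in the event handler, would close that window.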
@@ -158,10 +187,8 @@ static int pwm_beeper_resume(struct devi
 {
 	struct pwm_beeper *beeper = dev_get_drvdata(dev);
 
-	if (beeper->period) {
-		pwm_config(beeper->pwm, beeper->period / 2, beeper->period);
-		pwm_enable(beeper->pwm);
-	}
+	if (beeper->period)
+		__pwm_beeper_set(beeper);
 
 	return 0;
 }

* [PATCH 3.16 247/305] NFS: Fix another OPEN_DOWNGRADE bug
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Trond Myklebust, Anna Schumaker, Olga Kornievskaia

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit e547f2628327fec6afd2e03b46f113f614cca05b upstream.

Olga Kornievskaia reports that the following test fails to trigger
an OPEN_DOWNGRADE on the wire, and only triggers the final CLOSE.

	fd0 = open(foo, RDRW)   -- should be open on the wire for "both"
	fd1 = open(foo, RDONLY)  -- should be open on the wire for "read"
	close(fd0) -- should trigger an open_downgrade
	read(fd1)
	close(fd1)

The issue is that we're missing a check for whether or not the current
state transitioned from an O_RDWR state as opposed to having transitioned
from a combination of O_RDONLY and O_WRONLY.

Reported-by: Olga Kornievskaia <aglo@umich.edu>
Fixes: cd9288ffaea4 ("NFSv4: Fix another bug in the close/open_downgrade code")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/nfs/nfs4proc.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -2620,12 +2620,11 @@ static void nfs4_close_prepare(struct rp
 			call_close |= is_wronly;
 		else if (is_wronly)
 			calldata->arg.fmode |= FMODE_WRITE;
+		if (calldata->arg.fmode != (FMODE_READ|FMODE_WRITE))
+			call_close |= is_rdwr;
 	} else if (is_rdwr)
 		calldata->arg.fmode |= FMODE_READ|FMODE_WRITE;
 
-	if (calldata->arg.fmode == 0)
-		call_close |= is_rdwr;
-
 	if (!nfs4_valid_open_stateid(state))
 		call_close = 0;
 	spin_unlock(&state->owner->so_lock);
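Review bot: the relocated is_rdwr test now compares calldata->arg.fmode against (FMODE_READ|FMODE_WRITE) instead of 0, and the reason for that is only in the commit message. A comment above the two added lines explaining why is_rdwr forces the call whenever the remaining mode is not read+write would make this branch reviewable without the changelog.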

* [PATCH 3.16 262/305] net/mlx5: Fix potential deadlock in command mode change
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, David S. Miller, Saeed Mahameed, Mohamad Haj Yahia

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mohamad Haj Yahia <mohamad@mellanox.com>

commit 9cba4ebcf374c3772f6eb61f2d065294b2451b49 upstream.

Call command completion handler in case of timeout when working in
interrupts mode.
Avoid flushing the commands workqueue after acquiring the semaphores to
prevent a potential deadlock.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Mohamad Haj Yahia <mohamad@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: the calculation of ds is more complex]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 79 +++++++++++----------------
 1 file changed, 33 insertions(+), 46 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -608,13 +608,13 @@ static int wait_func(struct mlx5_core_de
 
 	if (cmd->mode == CMD_MODE_POLLING) {
 		wait_for_completion(&ent->done);
-		err = ent->ret;
-	} else {
-		if (!wait_for_completion_timeout(&ent->done, timeout))
-			err = -ETIMEDOUT;
-		else
-			err = 0;
+	} else if (!wait_for_completion_timeout(&ent->done, timeout)) {
+		ent->ret = -ETIMEDOUT;
+		mlx5_cmd_comp_handler(dev, 1UL << ent->idx);
 	}
+
+	err = ent->ret;
+
 	if (err == -ETIMEDOUT) {
 		mlx5_core_warn(dev, "%s(0x%x) timeout. Will cause a leak of a command resource\n",
 			       mlx5_command_str(msg_to_opcode(ent->in)),
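Review bot: the context line right below the new code still warns "Will cause a leak of a command resource" on -ETIMEDOUT, yet the timeout path now runs mlx5_cmd_comp_handler() for the entry. If the handler releases the slot, the message is stale and should be reworded; if it does not, the handler call needs a comment saying what it is there for.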
@@ -663,31 +663,29 @@ static int mlx5_cmd_invoke(struct mlx5_c
 		goto out_free;
 	}
 
-	if (!callback) {
-		err = wait_func(dev, ent);
-		if (err == -ETIMEDOUT)
-			goto out;
-
-		t1 = timespec_to_ktime(ent->ts1);
-		t2 = timespec_to_ktime(ent->ts2);
-		delta = ktime_sub(t2, t1);
-		ds = ktime_to_ns(delta);
-		op = be16_to_cpu(((struct mlx5_inbox_hdr *)in->first.data)->opcode);
-		if (op < ARRAY_SIZE(cmd->stats)) {
-			stats = &cmd->stats[op];
-			spin_lock_irq(&stats->lock);
-			stats->sum += ds;
-			++stats->n;
-			spin_unlock_irq(&stats->lock);
-		}
-		mlx5_core_dbg_mask(dev, 1 << MLX5_CMD_TIME,
-				   "fw exec time for %s is %lld nsec\n",
-				   mlx5_command_str(op), ds);
-		*status = ent->status;
-		free_cmd(ent);
-	}
+	if (callback)
+		goto out;
 
-	return err;
+	err = wait_func(dev, ent);
+	if (err == -ETIMEDOUT)
+		goto out_free;
+
+	t1 = timespec_to_ktime(ent->ts1);
+	t2 = timespec_to_ktime(ent->ts2);
+	delta = ktime_sub(t2, t1);
+	ds = ktime_to_ns(delta);
+	op = be16_to_cpu(((struct mlx5_inbox_hdr *)in->first.data)->opcode);
+	if (op < ARRAY_SIZE(cmd->stats)) {
+		stats = &cmd->stats[op];
+		spin_lock_irq(&stats->lock);
+		stats->sum += ds;
+		++stats->n;
+		spin_unlock_irq(&stats->lock);
+	}
+	mlx5_core_dbg_mask(dev, 1 << MLX5_CMD_TIME,
+			   "fw exec time for %s is %lld nsec\n",
+			   mlx5_command_str(op), ds);
+	*status = ent->status;
 
 out_free:
 	free_cmd(ent);
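Review bot: a timed-out command now jumps to out_free instead of out, so free_cmd(ent) runs even though the device may still complete that index later. Together with the timeout path in wait_func() calling mlx5_cmd_comp_handler() itself, a late completion for the same ent->idx could reach an entry that has already been freed. The timeout path needs a way to mark the slot so that a late completion is ignored, or the entry has to stay allocated until the device is known to be done with it.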
@@ -1077,41 +1075,30 @@ err_dbg:
 	return err;
 }
 
-void mlx5_cmd_use_events(struct mlx5_core_dev *dev)
+static void mlx5_cmd_change_mod(struct mlx5_core_dev *dev, int mode)
 {
 	struct mlx5_cmd *cmd = &dev->cmd;
 	int i;
 
 	for (i = 0; i < cmd->max_reg_cmds; i++)
 		down(&cmd->sem);
-
 	down(&cmd->pages_sem);
 
-	flush_workqueue(cmd->wq);
-
-	cmd->mode = CMD_MODE_EVENTS;
+	cmd->mode = mode;
 
 	up(&cmd->pages_sem);
 	for (i = 0; i < cmd->max_reg_cmds; i++)
 		up(&cmd->sem);
 }
 
-void mlx5_cmd_use_polling(struct mlx5_core_dev *dev)
+void mlx5_cmd_use_events(struct mlx5_core_dev *dev)
 {
-	struct mlx5_cmd *cmd = &dev->cmd;
-	int i;
-
-	for (i = 0; i < cmd->max_reg_cmds; i++)
-		down(&cmd->sem);
-
-	down(&cmd->pages_sem);
-
-	flush_workqueue(cmd->wq);
-	cmd->mode = CMD_MODE_POLLING;
+	mlx5_cmd_change_mod(dev, CMD_MODE_EVENTS);
+}
 
-	up(&cmd->pages_sem);
-	for (i = 0; i < cmd->max_reg_cmds; i++)
-		up(&cmd->sem);
+void mlx5_cmd_use_polling(struct mlx5_core_dev *dev)
+{
+	mlx5_cmd_change_mod(dev, CMD_MODE_POLLING);
 }
 
 static void free_msg(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *msg)
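
Review bot: both removed function bodies called flush_workqueue(cmd->wq)
before switching cmd->mode, and the new mlx5_cmd_change_mod() does not,
so a behaviour change is riding along with the refactor. If the flush is
unnecessary once every cmd->sem slot and pages_sem are held, say so in a
comment above "cmd->mode = mode;"; otherwise keep the call in the helper.
Minor: the helper is spelled change_mod while its parameter is mode.
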


* [PATCH 3.16 141/305] KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (303 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 186/305] spi: sunxi: fix transfer timeout Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 20:43 ` [PATCH 3.16 000/305] 3.16.37-rc1 review Guenter Roeck
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dmitry Vyukov, Paolo Bonzini, Radim Krčmář

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit c622a3c21ede892e370b56e1ceb9eb28f8bbda6b upstream.

Found by syzkaller:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000120
    IP: [<ffffffffa0797202>] kvm_irq_map_gsi+0x12/0x90 [kvm]
    PGD 6f80b067 PUD b6535067 PMD 0
    Oops: 0000 [#1] SMP
    CPU: 3 PID: 4988 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1
    [...]
    Call Trace:
     [<ffffffffa0795f62>] irqfd_update+0x32/0xc0 [kvm]
     [<ffffffffa0796c7c>] kvm_irqfd+0x3dc/0x5b0 [kvm]
     [<ffffffffa07943f4>] kvm_vm_ioctl+0x164/0x6f0 [kvm]
     [<ffffffff81241648>] do_vfs_ioctl+0x298/0x480
     [<ffffffff812418a9>] SyS_ioctl+0x79/0x90
     [<ffffffff817a1062>] tracesys_phase2+0x84/0x89
    Code: b5 71 a7 e0 5b 41 5c 41 5d 5d f3 c3 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 8f 10 2e 00 00 31 c0 48 89 e5 <39> 91 20 01 00 00 76 6a 48 63 d2 48 8b 94 d1 28 01 00 00 48 85
    RIP  [<ffffffffa0797202>] kvm_irq_map_gsi+0x12/0x90 [kvm]
     RSP <ffff8800926cbca8>
    CR2: 0000000000000120

Testcase:

    #include <unistd.h>
    #include <sys/syscall.h>
    #include <string.h>
    #include <stdint.h>
    #include <linux/kvm.h>
    #include <fcntl.h>
    #include <sys/ioctl.h>

    long r[26];

    int main()
    {
        memset(r, -1, sizeof(r));
        r[2] = open("/dev/kvm", 0);
        r[3] = ioctl(r[2], KVM_CREATE_VM, 0);

        struct kvm_irqfd ifd;
        ifd.fd = syscall(SYS_eventfd2, 5, 0);
        ifd.gsi = 3;
        ifd.flags = 2;
        ifd.resamplefd = ifd.fd;
        r[25] = ioctl(r[3], KVM_IRQFD, &ifd);
        return 0;
    }

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 virt/kvm/irqchip.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/virt/kvm/irqchip.c
+++ b/virt/kvm/irqchip.c
@@ -127,7 +127,7 @@ int kvm_set_irq(struct kvm *kvm, int irq
 	 */
 	idx = srcu_read_lock(&kvm->irq_srcu);
 	irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
-	if (irq < irq_rt->nr_rt_entries)
+	if (irq_rt && irq < irq_rt->nr_rt_entries)
 		hlist_for_each_entry(e, &irq_rt->map[irq], link)
 			irq_set[i++] = *e;
 	srcu_read_unlock(&kvm->irq_srcu, idx);
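
Review bot: the new "irq_rt &&" test carries no comment saying when
kvm->irq_routing is legitimately NULL, and the testcase in the commit
message reaches it with nothing more than KVM_CREATE_VM followed by
KVM_IRQFD. A one-line comment above the check stating that routing may
not be set up yet would keep a later cleanup from removing it. It is
also worth confirming that every other reader of
srcu_dereference(kvm->irq_routing, ...) in this file tolerates NULL in
the same way.
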


* [PATCH 3.16 246/305] Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (64 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 281/305] rds: fix an infoleak in rds_inc_info_copy Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 024/305] EDAC: Increment correct counter in edac_inc_ue_error() Ben Hutchings
                   ` (239 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, daniel, Linus Lüssing, David S. Miller

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: daniel <daniel@dd-wrt.com>

commit 0888d5f3c0f183ea6177355752ada433d370ac89 upstream.

The bridge is falsely dropping ipv6 multicast packets if there is:
 1. No ipv6 address assigned on the bridge.
 2. No external mld querier present.
 3. The internal querier enabled.

When the bridge fails to build mld queries, because it has no
ipv6 address, it silently returns, but keeps the local querier enabled.
This specific case causes confusing packet loss.

Ipv6 multicast snooping can only work if:
 a) An external querier is present
 OR
 b) The bridge has an ipv6 address and is capable of sending own queries

Otherwise it has to forward/flood the ipv6 multicast traffic,
because snooping cannot work.

This patch fixes the issue by adding a flag to the bridge struct that
indicates that there is currently no ipv6 address assigned to the bridge
and returns a false state for the local querier in
__br_multicast_querier_exists().

Special thanks to Linus Lüssing.

Fixes: d1d81d4c3dd8 ("bridge: check return value of ipv6_dev_get_saddr()")
Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
Acked-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bridge/br_multicast.c |  4 ++++
 net/bridge/br_private.h   | 23 +++++++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)

--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -452,8 +452,11 @@ static struct sk_buff *br_ip6_multicast_
 	if (ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0,
 			       &ip6h->saddr)) {
 		kfree_skb(skb);
+		br->has_ipv6_addr = 0;
 		return NULL;
 	}
+
+	br->has_ipv6_addr = 1;
 	ipv6_eth_mc_map(&ip6h->daddr, eth->h_dest);
 
 	hopopt = (u8 *)(ip6h + 1);
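
Review bot: br->has_ipv6_addr is written only here, as a side effect of
building a query, so it records the result of the last
ipv6_dev_get_saddr() call and not the bridge's current addresses. After
an address is added or removed the flag stays stale until the next query
is built, and __br_multicast_querier_exists() chooses between snooping
and flooding on that stale value in the meantime. Either document that
lag next to the two assignments or also refresh the flag when the
bridge's addresses change.
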
@@ -1869,6 +1872,7 @@ void br_multicast_init(struct net_bridge
 	br->ip6_other_query.delay_time = 0;
 	br->ip6_querier.port = NULL;
 #endif
+	br->has_ipv6_addr = 1;
 
 	spin_lock_init(&br->multicast_lock);
 	setup_timer(&br->multicast_router_timer,
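
Review bot: "br->has_ipv6_addr = 1;" is placed after the #endif, outside
the conditional block holding the ip6_* initialisers, and it starts out
true before any address lookup has run. That optimistic default is what
preserves the pre-patch behaviour until the first query is built; a
short comment saying so would stop it being read as an oversight.
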
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -261,6 +261,7 @@ struct net_bridge
 	u8				multicast_disabled:1;
 	u8				multicast_querier:1;
 	u8				multicast_query_use_ifaddr:1;
+	u8				has_ipv6_addr:1;
 
 	u32				hash_elasticity;
 	u32				hash_max;
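
Review bot: has_ipv6_addr is added as a one-bit u8 field next to
multicast_disabled, multicast_querier and multicast_query_use_ifaddr,
and a store to one such bit is a read-modify-write of the storage they
share. The new writers in the br_multicast.c query-building function run
on the query path, so please confirm they hold the same lock as every
writer of the neighbouring bits, or give the flag its own storage.
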
@@ -497,10 +498,22 @@ static inline bool br_multicast_is_route
 
 static inline bool
 __br_multicast_querier_exists(struct net_bridge *br,
-			      struct bridge_mcast_other_query *querier)
+				struct bridge_mcast_other_query *querier,
+				const bool is_ipv6)
 {
+	bool own_querier_enabled;
+
+	if (br->multicast_querier) {
+		if (is_ipv6 && !br->has_ipv6_addr)
+			own_querier_enabled = false;
+		else
+			own_querier_enabled = true;
+	} else {
+		own_querier_enabled = false;
+	}
+
 	return time_is_before_jiffies(querier->delay_time) &&
-	       (br->multicast_querier || timer_pending(&querier->timer));
+	       (own_querier_enabled || timer_pending(&querier->timer));
 }
 
 static inline bool br_multicast_querier_exists(struct net_bridge *br,
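
Review bot: the if/else ladder that computes own_querier_enabled spends
four branches on one boolean;
"own_querier_enabled = br->multicast_querier && (!is_ipv6 || br->has_ipv6_addr);"
expresses the same condition in a single statement. The re-indented
parameter lines also lose the alignment under the opening parenthesis
that the removed line had.
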
@@ -508,10 +521,12 @@ static inline bool br_multicast_querier_
 {
 	switch (eth->h_proto) {
 	case (htons(ETH_P_IP)):
-		return __br_multicast_querier_exists(br, &br->ip4_other_query);
+		return __br_multicast_querier_exists(br,
+			&br->ip4_other_query, false);
 #if IS_ENABLED(CONFIG_IPV6)
 	case (htons(ETH_P_IPV6)):
-		return __br_multicast_querier_exists(br, &br->ip6_other_query);
+		return __br_multicast_querier_exists(br,
+			&br->ip6_other_query, true);
 #endif
 	default:
 		return false;


* [PATCH 3.16 162/305] mfd: omap-usb-tll: Fix scheduling while atomic BUG
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (294 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 185/305] spi: sun4i: fix FIFO limit Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 277/305] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS Ben Hutchings
                   ` (9 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Lee Jones, H. Nikolaus Schaller, Roger Quadros

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Roger Quadros <rogerq@ti.com>

commit b49b927f16acee626c56a1af4ab4cb062f75b5df upstream.

We shouldn't be calling clk_prepare_enable()/clk_prepare_disable()
in an atomic context.

Fixes the following issue:

[    5.830970] ehci-omap: OMAP-EHCI Host Controller driver
[    5.830974] driver_register 'ehci-omap'
[    5.895849] driver_register 'wl1271_sdio'
[    5.896870] BUG: scheduling while atomic: udevd/994/0x00000002
[    5.896876] 4 locks held by udevd/994:
[    5.896904]  #0:  (&dev->mutex){......}, at: [<c049597c>] __driver_attach+0x60/0xac
[    5.896923]  #1:  (&dev->mutex){......}, at: [<c049598c>] __driver_attach+0x70/0xac
[    5.896946]  #2:  (tll_lock){+.+...}, at: [<c04c2630>] omap_tll_enable+0x2c/0xd0
[    5.896966]  #3:  (prepare_lock){+.+...}, at: [<c05ce9c8>] clk_prepare_lock+0x48/0xe0
[    5.897042] Modules linked in: wlcore_sdio(+) ehci_omap(+) dwc3_omap snd_soc_ts3a225e leds_is31fl319x bq27xxx_battery_i2c tsc2007 bq27xxx_battery bq2429x_charger ina2xx tca8418_keypad as5013 leds_tca6507 twl6040_vibra gpio_twl6040 bmp085_i2c(+) palmas_gpadc usb3503 palmas_pwrbutton bmg160_i2c(+) bmp085 bma150(+) bmg160_core bmp280 input_polldev snd_soc_omap_mcbsp snd_soc_omap_mcpdm snd_soc_omap snd_pcm_dmaengine
[    5.897048] Preemption disabled at:[<  (null)>]   (null)
[    5.897051]
[    5.897059] CPU: 0 PID: 994 Comm: udevd Not tainted 4.6.0-rc5-letux+ #233
[    5.897062] Hardware name: Generic OMAP5 (Flattened Device Tree)
[    5.897076] [<c010e714>] (unwind_backtrace) from [<c010af34>] (show_stack+0x10/0x14)
[    5.897087] [<c010af34>] (show_stack) from [<c040aa7c>] (dump_stack+0x88/0xc0)
[    5.897099] [<c040aa7c>] (dump_stack) from [<c020c558>] (__schedule_bug+0xac/0xd0)
[    5.897111] [<c020c558>] (__schedule_bug) from [<c06f3d44>] (__schedule+0x88/0x7e4)
[    5.897120] [<c06f3d44>] (__schedule) from [<c06f46d8>] (schedule+0x9c/0xc0)
[    5.897129] [<c06f46d8>] (schedule) from [<c06f4904>] (schedule_preempt_disabled+0x14/0x20)
[    5.897140] [<c06f4904>] (schedule_preempt_disabled) from [<c06f64e4>] (mutex_lock_nested+0x258/0x43c)
[    5.897150] [<c06f64e4>] (mutex_lock_nested) from [<c05ce9c8>] (clk_prepare_lock+0x48/0xe0)
[    5.897160] [<c05ce9c8>] (clk_prepare_lock) from [<c05d0e7c>] (clk_prepare+0x10/0x28)
[    5.897169] [<c05d0e7c>] (clk_prepare) from [<c04c2668>] (omap_tll_enable+0x64/0xd0)
[    5.897180] [<c04c2668>] (omap_tll_enable) from [<c04c1728>] (usbhs_runtime_resume+0x18/0x17c)
[    5.897192] [<c04c1728>] (usbhs_runtime_resume) from [<c049d404>] (pm_generic_runtime_resume+0x2c/0x40)
[    5.897202] [<c049d404>] (pm_generic_runtime_resume) from [<c049f180>] (__rpm_callback+0x38/0x68)
[    5.897210] [<c049f180>] (__rpm_callback) from [<c049f220>] (rpm_callback+0x70/0x88)
[    5.897218] [<c049f220>] (rpm_callback) from [<c04a0a00>] (rpm_resume+0x4ec/0x7ec)
[    5.897227] [<c04a0a00>] (rpm_resume) from [<c04a0f48>] (__pm_runtime_resume+0x4c/0x64)
[    5.897236] [<c04a0f48>] (__pm_runtime_resume) from [<c04958dc>] (driver_probe_device+0x30/0x70)
[    5.897246] [<c04958dc>] (driver_probe_device) from [<c04959a4>] (__driver_attach+0x88/0xac)
[    5.897256] [<c04959a4>] (__driver_attach) from [<c04940f8>] (bus_for_each_dev+0x50/0x84)
[    5.897267] [<c04940f8>] (bus_for_each_dev) from [<c0494e40>] (bus_add_driver+0xcc/0x1e4)
[    5.897276] [<c0494e40>] (bus_add_driver) from [<c0496914>] (driver_register+0xac/0xf4)
[    5.897286] [<c0496914>] (driver_register) from [<c01018e0>] (do_one_initcall+0x100/0x1b8)
[    5.897296] [<c01018e0>] (do_one_initcall) from [<c01c7a54>] (do_init_module+0x58/0x1c0)
[    5.897304] [<c01c7a54>] (do_init_module) from [<c01c8a3c>] (SyS_finit_module+0x88/0x90)
[    5.897313] [<c01c8a3c>] (SyS_finit_module) from [<c0107120>] (ret_fast_syscall+0x0/0x1c)
[    5.912697] ------------[ cut here ]------------
[    5.912711] WARNING: CPU: 0 PID: 994 at kernel/sched/core.c:2996 _raw_spin_unlock+0x28/0x58
[    5.912717] DEBUG_LOCKS_WARN_ON(val > preempt_count())

Reported-by: H. Nikolaus Schaller <hns@goldelico.com>
Tested-by: H. Nikolaus Schaller <hns@goldelico.com>
Signed-off-by: Roger Quadros <rogerq@ti.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/mfd/omap-usb-tll.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/mfd/omap-usb-tll.c
+++ b/drivers/mfd/omap-usb-tll.c
@@ -269,6 +269,8 @@ static int usbtll_omap_probe(struct plat
 
 		if (IS_ERR(tll->ch_clk[i]))
 			dev_dbg(dev, "can't get clock : %s\n", clkname);
+		else
+			clk_prepare(tll->ch_clk[i]);
 	}
 
 	pm_runtime_put_sync(dev);
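
Review bot: the return value of the new clk_prepare(tll->ch_clk[i]) call
in the else branch is dropped. If prepare fails, omap_tll_enable() will
later call clk_enable() on a clock that was never prepared, and
usbtll_omap_remove() will clk_unprepare() it regardless. Check the
result and either fail probe or mark that channel clock unusable so the
later paths skip it.
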
@@ -301,9 +303,12 @@ static int usbtll_omap_remove(struct pla
 	tll_dev = NULL;
 	spin_unlock(&tll_lock);
 
-	for (i = 0; i < tll->nch; i++)
-		if (!IS_ERR(tll->ch_clk[i]))
+	for (i = 0; i < tll->nch; i++) {
+		if (!IS_ERR(tll->ch_clk[i])) {
+			clk_unprepare(tll->ch_clk[i]);
 			clk_put(tll->ch_clk[i]);
+		}
+	}
 
 	pm_runtime_disable(&pdev->dev);
 	return 0;
@@ -421,7 +426,7 @@ int omap_tll_enable(struct usbhs_omap_pl
 			if (IS_ERR(tll->ch_clk[i]))
 				continue;
 
-			r = clk_prepare_enable(tll->ch_clk[i]);
+			r = clk_enable(tll->ch_clk[i]);
 			if (r) {
 				dev_err(tll_dev,
 				 "Error enabling ch %d clock: %d\n", i, r);
@@ -449,7 +454,7 @@ int omap_tll_disable(struct usbhs_omap_p
 	for (i = 0; i < tll->nch; i++) {
 		if (omap_usb_mode_needs_tll(pdata->port_mode[i])) {
 			if (!IS_ERR(tll->ch_clk[i]))
-				clk_disable_unprepare(tll->ch_clk[i]);
+				clk_disable(tll->ch_clk[i]);
 		}
 	}
 


* [PATCH 3.16 190/305] net_sched: introduce qdisc_replace() helper
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (251 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 107/305] cifs: Create dedicated keyring for spnego operations Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 218/305] IB/mlx4: Fix memory leak if QP creation failed Ben Hutchings
                   ` (52 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, WANG Cong, David S. Miller, Jamal Hadi Salim

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

commit 86a7996cc8a078793670d82ed97d5a99bb4e8496 upstream.

Remove nearly duplicated code and prepare for the following patch.

Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/sch_generic.h | 17 +++++++++++++++++
 net/sched/sch_cbq.c       |  7 +------
 net/sched/sch_drr.c       |  6 +-----
 net/sched/sch_dsmark.c    |  8 +-------
 net/sched/sch_hfsc.c      |  6 +-----
 net/sched/sch_htb.c       |  9 +--------
 net/sched/sch_multiq.c    |  8 +-------
 net/sched/sch_netem.c     | 10 +---------
 net/sched/sch_prio.c      |  8 +-------
 net/sched/sch_qfq.c       |  6 +-----
 net/sched/sch_red.c       |  7 +------
 net/sched/sch_sfb.c       |  7 +------
 net/sched/sch_tbf.c       |  8 +-------
 13 files changed, 29 insertions(+), 78 deletions(-)

--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -608,6 +608,23 @@ static inline void qdisc_reset_queue(str
 	sch->qstats.backlog = 0;
 }
 
+static inline struct Qdisc *qdisc_replace(struct Qdisc *sch, struct Qdisc *new,
+					  struct Qdisc **pold)
+{
+	struct Qdisc *old;
+
+	sch_tree_lock(sch);
+	old = *pold;
+	*pold = new;
+	if (old != NULL) {
+		qdisc_tree_decrease_qlen(old, old->q.qlen);
+		qdisc_reset(old);
+	}
+	sch_tree_unlock(sch);
+
+	return old;
+}
+
 static inline unsigned int __qdisc_queue_drop(struct Qdisc *sch,
 					      struct sk_buff_head *list)
 {
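
Review bot: qdisc_replace() has no comment, and its reset sequence
(qdisc_tree_decrease_qlen() then qdisc_reset() on old, under
sch_tree_lock) now stands in for drr_purge_queue(), hfsc_purge_queue()
and qfq_purge_queue() in the callers converted further down. The commit
message only says "nearly duplicated"; please add a short kernel-doc
block stating that the helper empties and returns the old child, which
may be NULL, and confirm that the three purge helpers did nothing beyond
that.
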
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -1643,13 +1643,8 @@ static int cbq_graft(struct Qdisc *sch,
 			new->reshape_fail = cbq_reshape_fail;
 #endif
 	}
-	sch_tree_lock(sch);
-	*old = cl->q;
-	cl->q = new;
-	qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
-	qdisc_reset(*old);
-	sch_tree_unlock(sch);
 
+	*old = qdisc_replace(sch, new, &cl->q);
 	return 0;
 }
 
--- a/net/sched/sch_drr.c
+++ b/net/sched/sch_drr.c
@@ -224,11 +224,7 @@ static int drr_graft_class(struct Qdisc
 			new = &noop_qdisc;
 	}
 
-	sch_tree_lock(sch);
-	drr_purge_queue(cl);
-	*old = cl->qdisc;
-	cl->qdisc = new;
-	sch_tree_unlock(sch);
+	*old = qdisc_replace(sch, new, &cl->qdisc);
 	return 0;
 }
 
--- a/net/sched/sch_dsmark.c
+++ b/net/sched/sch_dsmark.c
@@ -67,13 +67,7 @@ static int dsmark_graft(struct Qdisc *sc
 			new = &noop_qdisc;
 	}
 
-	sch_tree_lock(sch);
-	*old = p->q;
-	p->q = new;
-	qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
-	qdisc_reset(*old);
-	sch_tree_unlock(sch);
-
+	*old = qdisc_replace(sch, new, &p->q);
 	return 0;
 }
 
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1212,11 +1212,7 @@ hfsc_graft_class(struct Qdisc *sch, unsi
 			new = &noop_qdisc;
 	}
 
-	sch_tree_lock(sch);
-	hfsc_purge_queue(sch, cl);
-	*old = cl->qdisc;
-	cl->qdisc = new;
-	sch_tree_unlock(sch);
+	*old = qdisc_replace(sch, new, &cl->qdisc);
 	return 0;
 }
 
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -1164,14 +1164,7 @@ static int htb_graft(struct Qdisc *sch,
 				     cl->common.classid)) == NULL)
 		return -ENOBUFS;
 
-	sch_tree_lock(sch);
-	*old = cl->un.leaf.q;
-	cl->un.leaf.q = new;
-	if (*old != NULL) {
-		qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
-		qdisc_reset(*old);
-	}
-	sch_tree_unlock(sch);
+	*old = qdisc_replace(sch, new, &cl->un.leaf.q);
 	return 0;
 }
 
--- a/net/sched/sch_multiq.c
+++ b/net/sched/sch_multiq.c
@@ -302,13 +302,7 @@ static int multiq_graft(struct Qdisc *sc
 	if (new == NULL)
 		new = &noop_qdisc;
 
-	sch_tree_lock(sch);
-	*old = q->queues[band];
-	q->queues[band] = new;
-	qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
-	qdisc_reset(*old);
-	sch_tree_unlock(sch);
-
+	*old = qdisc_replace(sch, new, &q->queues[band]);
 	return 0;
 }
 
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -1050,15 +1050,7 @@ static int netem_graft(struct Qdisc *sch
 {
 	struct netem_sched_data *q = qdisc_priv(sch);
 
-	sch_tree_lock(sch);
-	*old = q->qdisc;
-	q->qdisc = new;
-	if (*old) {
-		qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
-		qdisc_reset(*old);
-	}
-	sch_tree_unlock(sch);
-
+	*old = qdisc_replace(sch, new, &q->qdisc);
 	return 0;
 }
 
--- a/net/sched/sch_prio.c
+++ b/net/sched/sch_prio.c
@@ -266,13 +266,7 @@ static int prio_graft(struct Qdisc *sch,
 	if (new == NULL)
 		new = &noop_qdisc;
 
-	sch_tree_lock(sch);
-	*old = q->queues[band];
-	q->queues[band] = new;
-	qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
-	qdisc_reset(*old);
-	sch_tree_unlock(sch);
-
+	*old = qdisc_replace(sch, new, &q->queues[band]);
 	return 0;
 }
 
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -616,11 +616,7 @@ static int qfq_graft_class(struct Qdisc
 			new = &noop_qdisc;
 	}
 
-	sch_tree_lock(sch);
-	qfq_purge_queue(cl);
-	*old = cl->qdisc;
-	cl->qdisc = new;
-	sch_tree_unlock(sch);
+	*old = qdisc_replace(sch, new, &cl->qdisc);
 	return 0;
 }
 
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -313,12 +313,7 @@ static int red_graft(struct Qdisc *sch,
 	if (new == NULL)
 		new = &noop_qdisc;
 
-	sch_tree_lock(sch);
-	*old = q->qdisc;
-	q->qdisc = new;
-	qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
-	qdisc_reset(*old);
-	sch_tree_unlock(sch);
+	*old = qdisc_replace(sch, new, &q->qdisc);
 	return 0;
 }
 
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -612,12 +612,7 @@ static int sfb_graft(struct Qdisc *sch,
 	if (new == NULL)
 		new = &noop_qdisc;
 
-	sch_tree_lock(sch);
-	*old = q->qdisc;
-	q->qdisc = new;
-	qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
-	qdisc_reset(*old);
-	sch_tree_unlock(sch);
+	*old = qdisc_replace(sch, new, &q->qdisc);
 	return 0;
 }
 
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -501,13 +501,7 @@ static int tbf_graft(struct Qdisc *sch,
 	if (new == NULL)
 		new = &noop_qdisc;
 
-	sch_tree_lock(sch);
-	*old = q->qdisc;
-	q->qdisc = new;
-	qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
-	qdisc_reset(*old);
-	sch_tree_unlock(sch);
-
+	*old = qdisc_replace(sch, new, &q->qdisc);
 	return 0;
 }
 


* [PATCH 3.16 274/305] fs: limit filesystem stacking depth
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (53 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 263/305] net/mlx5: Add timeout handle to commands with callback Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 094/305] fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication Ben Hutchings
                   ` (250 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Miklos Szeredi

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <mszeredi@suse.cz>

commit 69c433ed2ecd2d3264efd7afec4439524b319121 upstream.

Add a simple read-only counter to super_block that indicates how deep this
is in the stack of filesystems.  Previously ecryptfs was the only stackable
filesystem and it explicitly disallowed multiple layers of itself.

Overlayfs, however, can be stacked recursively and also may be stacked
on top of ecryptfs or vice versa.

To limit the kernel stack usage we must limit the depth of the
filesystem stack.  Initially the limit is set to 2.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
[bwh: Backported to 3.16: drop changes to overlayfs]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ecryptfs/main.c   |  7 +++++++
 include/linux/fs.h   | 11 +++++++++++
 3 files changed, 27 insertions(+)

--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -576,6 +576,13 @@ static struct dentry *ecryptfs_mount(str
 	s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
 	s->s_blocksize = path.dentry->d_sb->s_blocksize;
 	s->s_magic = ECRYPTFS_SUPER_MAGIC;
+	s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
+
+	rc = -EINVAL;
+	if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
+		pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
+		goto out_free;
+	}
 
 	inode = ecryptfs_get_inode(path.dentry->d_inode, s);
 	rc = PTR_ERR(inode);
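
Review bot: the new "goto out_free" is taken after path.dentry has been
read, so the lower path is still held at that point, and the out_free
label lies outside this hunk. Please confirm that label releases the
path reference and the new superblock in the same way as the existing
error exits, since this check adds a failure that any mount stacked too
deep will reach.
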
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -256,6 +256,12 @@ struct iattr {
  */
 #include <linux/quota.h>
 
+/*
+ * Maximum number of layers of fs stack.  Needs to be limited to
+ * prevent kernel stack overflow
+ */
+#define FILESYSTEM_MAX_STACK_DEPTH 2
+
 /** 
  * enum positive_aop_returns - aop return codes with specific semantics
  *
@@ -1258,6 +1264,11 @@ struct super_block {
 	struct list_lru		s_dentry_lru ____cacheline_aligned_in_smp;
 	struct list_lru		s_inode_lru ____cacheline_aligned_in_smp;
 	struct rcu_head		rcu;
+
+	/*
+	 * Indicates how deep in a filesystem stack this SB is
+	 */
+	int s_stack_depth;
 };
 
 extern struct timespec current_fs_time(struct super_block *sb);
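
Review bot: the comment on s_stack_depth does not state the base value.
From the ecryptfs hunk a stacked filesystem stores the lower depth + 1
and is rejected above FILESYSTEM_MAX_STACK_DEPTH, which implies a
non-stacked filesystem is 0. Saying that here, and that the field is set
once at mount time, would make the limit of 2 unambiguous.
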


* [PATCH 3.16 029/305] crypto: s5p-sss - fix incorrect usage of scatterlists api
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (248 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 189/305] ipv6: fix endianness error in icmpv6_err Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 051/305] MIPS: Fix siginfo.h to use strict posix types Ben Hutchings
                   ` (55 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Vladimir Zapolskiy, Herbert Xu, Krzysztof Kozlowski,
	Marek Szyprowski

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit d1497977fecb9acce05988d6322ad415ef93bb39 upstream.

sg_dma_len() macro can be used only on scatterlists which are mapped, so
all calls to it before dma_map_sg() are invalid. Replace them by proper
check for direct sg segment length read.

Fixes: a49e490c7a8a ("crypto: s5p-sss - add S5PV210 advanced crypto engine support")
Fixes: 9e4a1100a445 ("crypto: s5p-sss - Handle unaligned buffers")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Acked-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[bwh: Backported to 3.16: unaligned DMA is unsupported so there is a different
 set of calls to replace]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/crypto/s5p-sss.c
+++ b/drivers/crypto/s5p-sss.c
@@ -265,11 +265,11 @@ static int s5p_set_outdata(struct s5p_ae
 {
 	int err;
 
-	if (!IS_ALIGNED(sg_dma_len(sg), AES_BLOCK_SIZE)) {
+	if (!IS_ALIGNED(sg->length, AES_BLOCK_SIZE)) {
 		err = -EINVAL;
 		goto exit;
 	}
-	if (!sg_dma_len(sg)) {
+	if (!sg->length) {
 		err = -EINVAL;
 		goto exit;
 	}
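
Review bot: the two tests on sg->length both return -EINVAL and could be
one condition,
"if (!sg->length || !IS_ALIGNED(sg->length, AES_BLOCK_SIZE))", which
also makes it obvious that a zero length (trivially aligned) is
rejected. The identical pair appears again in s5p_set_indata() in the
next hunk, so a small helper taking the scatterlist would keep the two
copies from drifting apart.
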
@@ -291,11 +291,11 @@ static int s5p_set_indata(struct s5p_aes
 {
 	int err;
 
-	if (!IS_ALIGNED(sg_dma_len(sg), AES_BLOCK_SIZE)) {
+	if (!IS_ALIGNED(sg->length, AES_BLOCK_SIZE)) {
 		err = -EINVAL;
 		goto exit;
 	}
-	if (!sg_dma_len(sg)) {
+	if (!sg->length) {
 		err = -EINVAL;
 		goto exit;
 	}


* [PATCH 3.16 134/305] mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (179 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 117/305] UBI: do propagate positive error codes up Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 036/305] MIPS: ath79: make bootconsole wait for both THRE and TEMT Ben Hutchings
                   ` (124 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Martin Willi, Johannes Berg

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Willi <martin@strongswan.org>

commit 62397da50bb20a6b812c949ef465d7e69fe54bb6 upstream.

A wmediumd that does not send this attribute causes a NULL pointer
dereference, as the attribute is accessed even if it does not exist.

The attribute was required but never checked ever since userspace frame
forwarding has been introduced. The issue gets more problematic once we
allow wmediumd registration from user namespaces.

Fixes: 7882513bacb1 ("mac80211_hwsim driver support userspace frame tx/rx")
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/mac80211_hwsim.c | 1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -2275,6 +2275,7 @@ static int hwsim_tx_info_frame_received_
 	if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] ||
 	    !info->attrs[HWSIM_ATTR_FLAGS] ||
 	    !info->attrs[HWSIM_ATTR_COOKIE] ||
+	    !info->attrs[HWSIM_ATTR_SIGNAL] ||
 	    !info->attrs[HWSIM_ATTR_TX_INFO])
 		goto out;
 
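
Review bot: the added "!info->attrs[HWSIM_ATTR_SIGNAL]" test only
establishes that the attribute is present. Since the commit message
anticipates wmediumd registration from user namespaces, please confirm
that the attribute policy for this family also fixes the type and length
of HWSIM_ATTR_SIGNAL, and of the other four attributes tested here,
before their payloads are read.
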


* [PATCH 3.16 181/305] ARM: 8578/1: mm: ensure pmd_present only checks the valid bit
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (70 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 138/305] ACPI / processor: Avoid reserving IO regions too early Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 005/305] ath5k: Change led pin configuration for compaq c700 laptop Ben Hutchings
                   ` (233 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Russell King, Catalin Marinas, Steve Capper, Russell King,
	Will Deacon

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Will Deacon <will.deacon@arm.com>

commit 624531886987f0f1b5d01fb598034d039198e090 upstream.

In a subsequent patch, pmd_mknotpresent will clear the valid bit of the
pmd entry, resulting in a not-present entry from the hardware's
perspective. Unfortunately, pmd_present simply checks for a non-zero pmd
value and will therefore continue to return true even after a
pmd_mknotpresent operation. Since pmd_mknotpresent is only used for
managing huge entries, this is only an issue for the 3-level case.

This patch fixes the 3-level pmd_present implementation to take into
account the valid bit. For bisectability, the change is made before the
fix to pmd_mknotpresent.

[catalin.marinas@arm.com: comment update regarding pmd_mknotpresent patch]

Fixes: 8d9625070073 ("ARM: mm: Transparent huge page support for LPAE systems.")
Cc: Russell King <linux@armlinux.org.uk>
Cc: Steve Capper <Steve.Capper@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/include/asm/pgtable-2level.h | 1 +
 arch/arm/include/asm/pgtable-3level.h | 1 +
 arch/arm/include/asm/pgtable.h        | 1 -
 3 files changed, 2 insertions(+), 1 deletion(-)

--- a/arch/arm/include/asm/pgtable-2level.h
+++ b/arch/arm/include/asm/pgtable-2level.h
@@ -163,6 +163,7 @@ static inline pmd_t *pmd_offset(pud_t *p
 
 #define pmd_large(pmd)		(pmd_val(pmd) & 2)
 #define pmd_bad(pmd)		(pmd_val(pmd) & 2)
+#define pmd_present(pmd)	(pmd_val(pmd))
 
 #define copy_pmd(pmdpd,pmdps)		\
 	do {				\
--- a/arch/arm/include/asm/pgtable-3level.h
+++ b/arch/arm/include/asm/pgtable-3level.h
@@ -212,6 +212,7 @@ static inline pmd_t *pmd_offset(pud_t *p
 						: !!(pmd_val(pmd) & (val)))
 #define pmd_isclear(pmd, val)	(!(pmd_val(pmd) & (val)))
 
+#define pmd_present(pmd)	(pmd_isset((pmd), L_PMD_SECT_VALID))
 #define pmd_young(pmd)		(pmd_isset((pmd), PMD_SECT_AF))
 
 #define __HAVE_ARCH_PMD_WRITE
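
Review bot: with pmd_present() now testing only L_PMD_SECT_VALID while
pmd_none() in pgtable.h stays "!pmd_val(pmd)", a non-zero entry with the
valid bit clear is neither none nor present. The commit message says
that is the intended state after pmd_mknotpresent(), but nothing at the
definition says so. A comment above the new pmd_present() define would
help readers who expect the two predicates to be complements.
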
--- a/arch/arm/include/asm/pgtable.h
+++ b/arch/arm/include/asm/pgtable.h
@@ -182,7 +182,6 @@ extern pgd_t swapper_pg_dir[PTRS_PER_PGD
 #define pgd_offset_k(addr)	pgd_offset(&init_mm, addr)
 
 #define pmd_none(pmd)		(!pmd_val(pmd))
-#define pmd_present(pmd)	(pmd_val(pmd))
 
 static inline pte_t *pmd_page_vaddr(pmd_t pmd)
 {


* [PATCH 3.16 297/305] netfilter: x_tables: don't reject valid target size on some architectures
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (58 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 283/305] KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 058/305] USB: serial: keyspan: fix use-after-free in probe error path Ben Hutchings
                   ` (245 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, John Stultz, Florian Westphal, Pablo Neira Ayuso

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 7b7eba0f3515fca3296b8881d583f7c1042f5226 upstream.

Quoting John Stultz:
  In updating a 32bit arm device from 4.6 to Linus' current HEAD, I
  noticed I was having some trouble with networking, and realized that
  /proc/net/ip_tables_names was suddenly empty.
  Digging through the registration process, it seems we're catching on the:

   if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
       target_offset + sizeof(struct xt_standard_target) != next_offset)
         return -EINVAL;

  Where next_offset seems to be 4 bytes larger than the
  offset + standard_target struct size.

next_offset needs to be aligned via XT_ALIGN (so we can access all members
of ip(6)t_entry struct).

This problem didn't show up on i686 as it only needs 4-byte alignment for
u64, but iptables userspace on other 32bit arches does insert extra padding.

Reported-by: John Stultz <john.stultz@linaro.org>
Tested-by: John Stultz <john.stultz@linaro.org>
Fixes: 7ed2abddd20cf ("netfilter: x_tables: check standard target size too")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/x_tables.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -628,7 +628,7 @@ int xt_compat_check_entry_offsets(const
 		return -EINVAL;
 
 	if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
-	    target_offset + sizeof(struct compat_xt_standard_target) != next_offset)
+	    COMPAT_XT_ALIGN(target_offset + sizeof(struct compat_xt_standard_target)) != next_offset)
 		return -EINVAL;
 
 	/* compat_xt_entry match has less strict aligment requirements,
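Review bot: the new condition line in xt_compat_check_entry_offsets() runs well past 80 columns. Computing the aligned end of the standard target into a local before the if would keep the comparison readable and make it obvious that both sides are offsets from the start of the entry.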
@@ -710,7 +710,7 @@ int xt_check_entry_offsets(const void *b
 		return -EINVAL;
 
 	if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
-	    target_offset + sizeof(struct xt_standard_target) != next_offset)
+	    XT_ALIGN(target_offset + sizeof(struct xt_standard_target)) != next_offset)
 		return -EINVAL;
 
 	return xt_check_entry_match(elems, base + target_offset,
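Review bot: the XT_ALIGN() in xt_check_entry_offsets() has no comment explaining why the padded size is the one compared, so the check looks like an off-by-padding mistake to the next reader. A one-line comment that userspace pads the rule so the following entry is aligned, and that next_offset therefore equals the aligned end of the target, would prevent someone tightening it back to the exact size.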

^ permalink raw reply	[flat|nested] 321+ messages in thread
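The size check discussed in the message above, as an added example that is not part of the patch or of the kernel source. It models the rounding with the alignment passed in as a parameter so the i686 case (4-byte alignment for u64) can be compared with another 32-bit architecture (8-byte alignment); the struct, the function names and the sizes 112 and 36 are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Round x up to a multiple of align (a power of two). This models what
 * XT_ALIGN does with the alignment the architecture requires. */
static size_t align_up(size_t x, size_t align)
{
	return (x + align - 1) & ~(align - 1);
}

/* Constructed layout of one rule that ends in a standard target. */
struct rule_layout {
	size_t target_offset;   /* where the target starts inside the rule */
	size_t std_target_size; /* stands in for sizeof(struct xt_standard_target) */
	size_t entry_align;     /* alignment the architecture gives a u64 */
};

/* Assumed 32-bit sizes, illustrative only. */
static const struct rule_layout layout_i686  = { 112, 36, 4 };
static const struct rule_layout layout_arm32 = { 112, 36, 8 };

/* next_offset as userspace writes it: the rule is padded so that the
 * following entry starts on an aligned boundary. */
static size_t userspace_next_offset(const struct rule_layout *l)
{
	return align_up(l->target_offset + l->std_target_size, l->entry_align);
}

/* Check as it stood before the patch: exact, unpadded size. */
static int check_before(const struct rule_layout *l, size_t next_offset)
{
	if (l->target_offset + l->std_target_size != next_offset)
		return -EINVAL;
	return 0;
}

/* Check after the patch: the aligned end of the target must match. */
static int check_after(const struct rule_layout *l, size_t next_offset)
{
	if (align_up(l->target_offset + l->std_target_size,
		     l->entry_align) != next_offset)
		return -EINVAL;
	return 0;
}

int main(void)
{
	const struct rule_layout *cases[] = { &layout_i686, &layout_arm32 };
	const char *names[] = { "4-byte u64 alignment", "8-byte u64 alignment" };

	for (size_t i = 0; i < 2; i++) {
		size_t next = userspace_next_offset(cases[i]);

		printf("%s: next_offset=%zu before=%d after=%d\n",
		       names[i], next,
		       check_before(cases[i], next),
		       check_after(cases[i], next));
	}
	return 0;
}
```

With 4-byte alignment the padded and unpadded sizes coincide, which is why the old check passed there; with 8-byte alignment they differ by the 4 bytes quoted in the report.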

* [PATCH 3.16 260/305] x86/amd_nb: Fix boot crash on non-AMD systems
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (206 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 085/305] net/mlx4_core: Fix access to uninitialized index Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 205/305] arm64: mm: remove page_mapping check in __sync_icache_dcache Ben Hutchings
                   ` (97 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Linus Torvalds, Ingo Molnar, Borislav Petkov,
	Thomas Gleixner, Peter Zijlstra

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <bp@suse.de>

commit 1ead852dd88779eda12cb09cc894a03d9abfe1ec upstream.

Fix boot crash that triggers if this driver is built into a kernel and
run on non-AMD systems.

AMD northbridges users call amd_cache_northbridges() and it returns
a negative value to signal that we weren't able to cache/detect any
northbridges on the system.

At least, it should do so as all its callers expect it to do so. But it
does return a negative value only when kmalloc() fails.

Fix it to return -ENODEV if there are no NBs cached as otherwise, amd_nb
users like amd64_edac, for example, which relies on it to know whether
it should load or not, gets loaded on systems like Intel Xeons where it
shouldn't.

Reported-and-tested-by: Tony Battersby <tonyb@cybernetics.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1466097230-5333-2-git-send-email-bp@alien8.de
Link: https://lkml.kernel.org/r/5761BEB0.9000807@cybernetics.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/amd_nb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/amd_nb.c
+++ b/arch/x86/kernel/amd_nb.c
@@ -69,8 +69,8 @@ int amd_cache_northbridges(void)
 	while ((misc = next_northbridge(misc, amd_nb_misc_ids)) != NULL)
 		i++;
 
-	if (i == 0)
-		return 0;
+	if (!i)
+		return -ENODEV;
 
 	nb = kzalloc(i * sizeof(struct amd_northbridge), GFP_KERNEL);
 	if (!nb)
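Review bot: the switch to `return -ENODEV` when `i` is zero changes the return contract for every caller, yet amd_cache_northbridges() carries no comment stating that contract. Add a short comment above the function saying it returns -ENODEV when no northbridge is found and a negative value when the allocation fails, so callers that only test for non-zero versus negative can be audited against it.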

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 289/305] netfilter: x_tables: validate targets of jumps
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (17 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 112/305] drm/i915: Don't leave old junk in ilk active watermarks on readout Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 18:30   ` Florian Westphal
  2016-08-13 17:42 ` [PATCH 3.16 270/305] xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7 Ben Hutchings
                   ` (286 subsequent siblings)
  305 siblings, 1 reply; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Florian Westphal, Pablo Neira Ayuso, Greg Kroah-Hartman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 36472341017529e2b12573093cc0f68719300997 upstream.

When we see a jump also check that the offset gets us to beginning of
a rule (an ipt_entry).

The extra overhead is negligible, even with absurd cases.

300k custom rules, 300k jumps to 'next' user chain:
[ plus one jump from INPUT to first userchain ]:

Before:
real    0m24.874s
user    0m7.532s
sys     0m16.076s

After:
real    0m27.464s
user    0m7.436s
sys     0m18.840s

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/ipv4/netfilter/arp_tables.c | 16 ++++++++++++++++
 net/ipv4/netfilter/ip_tables.c  | 16 ++++++++++++++++
 net/ipv6/netfilter/ip6_tables.c | 16 ++++++++++++++++
 3 files changed, 48 insertions(+)

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -363,6 +363,19 @@ static inline bool unconditional(const s
 	       memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
 }
 
+static bool find_jump_target(const struct xt_table_info *t,
+			     const void *entry0,
+			     const struct arpt_entry *target)
+{
+	struct arpt_entry *iter;
+
+	xt_entry_foreach(iter, entry0, t->size) {
+		 if (iter == target)
+			return true;
+	}
+	return false;
+}
+
 /* Figures out from what hook each rule can be called: returns 0 if
  * there are loops.  Puts hook bitmask in comefrom.
  */
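Review bot: the `if (iter == target)` line inside xt_entry_foreach() is indented with two tabs followed by a space, which checkpatch flags. Drop the stray space so the body lines up with the `return true;` below it.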
@@ -456,6 +469,10 @@ static int mark_source_chains(const stru
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
+					e = (struct arpt_entry *)
+						(entry0 + newpos);
+					if (!find_jump_target(newinfo, entry0, e))
+						return 0;
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
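Review bot: the new `return 0` for a jump that does not land on an entry is indistinguishable from the loop case, and the comment above mark_source_chains() still reads "returns 0 if there are loops". Extend that comment to say that 0 is also returned for a jump whose target is not the start of a rule, so the caller's error handling is read with both cases in mind.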
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -439,6 +439,19 @@ ipt_do_table(struct sk_buff *skb,
 #endif
 }
 
+static bool find_jump_target(const struct xt_table_info *t,
+			     const void *entry0,
+			     const struct ipt_entry *target)
+{
+	struct ipt_entry *iter;
+
+	xt_entry_foreach(iter, entry0, t->size) {
+		 if (iter == target)
+			return true;
+	}
+	return false;
+}
+
 /* Figures out from what hook each rule can be called: returns 0 if
    there are loops.  Puts hook bitmask in comefrom. */
 static int
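Review bot: this find_jump_target() is the arp_tables helper with only the entry type changed, and ip6_tables.c receives a third copy. Since the comparison only needs the target's position within the blob, consider one helper in x_tables.c that takes the offset rather than a typed entry pointer, so a later fix does not have to be applied three times.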
@@ -536,6 +549,10 @@ mark_source_chains(const struct xt_table
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
+					e = (struct ipt_entry *)
+						(entry0 + newpos);
+					if (!find_jump_target(newinfo, entry0, e))
+						return 0;
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
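Review bot: find_jump_target() walks the table from entry0 for every jump chased at this point, so validation cost grows with jumps times rules; the commit message's 300k-rule run shows sys time going from 16.076s to 18.840s. That is acceptable as stated, but a note here that the lookup is linear would help, and an array of entry offsets built once per table would allow a binary search if the cost ever matters.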
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -449,6 +449,19 @@ ip6t_do_table(struct sk_buff *skb,
 #endif
 }
 
+static bool find_jump_target(const struct xt_table_info *t,
+			     const void *entry0,
+			     const struct ip6t_entry *target)
+{
+	struct ip6t_entry *iter;
+
+	xt_entry_foreach(iter, entry0, t->size) {
+		 if (iter == target)
+			return true;
+	}
+	return false;
+}
+
 /* Figures out from what hook each rule can be called: returns 0 if
    there are loops.  Puts hook bitmask in comefrom. */
 static int
@@ -546,6 +559,10 @@ mark_source_chains(const struct xt_table
 					/* This a jump; chase it. */
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
+					e = (struct ip6t_entry *)
+						(entry0 + newpos);
+					if (!find_jump_target(newinfo, entry0, e))
+						return 0;
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 161/305] crypto: caam - fix caam_jr_alloc() ret code
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (15 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 122/305] crypto: ccp - Fix AES XTS error for request sizes above 4096 Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 112/305] drm/i915: Don't leave old junk in ilk active watermarks on readout Ben Hutchings
                   ` (288 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Herbert Xu, Catalin Vasile

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Catalin Vasile <cata.vasile@nxp.com>

commit e930c765ca5c6b039cd22ebfb4504ea7b5dab43d upstream.

caam_jr_alloc() used to return NULL if a JR device could not be
allocated for a session. In turn, every user of this function used
IS_ERR() function to verify if anything went wrong, which does NOT look
for NULL values. This made the kernel crash if the sanity check failed,
because the driver continued to think it had allocated a valid JR dev
instance to the session and at some point it tries to do a caam_jr_free()
on a NULL JR dev pointer.
This patch is a fix for this issue.

Signed-off-by: Catalin Vasile <cata.vasile@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/crypto/caam/jr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/caam/jr.c
+++ b/drivers/crypto/caam/jr.c
@@ -244,7 +244,7 @@ static void caam_jr_dequeue(unsigned lon
 struct device *caam_jr_alloc(void)
 {
 	struct caam_drv_private_jr *jrpriv, *min_jrpriv = NULL;
-	struct device *dev = NULL;
+	struct device *dev = ERR_PTR(-ENODEV);
 	int min_tfm_cnt	= INT_MAX;
 	int tfm_cnt;
 
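Review bot: initialising `dev` to ERR_PTR(-ENODEV) means caam_jr_alloc() no longer returns NULL on failure, but nothing at the function says so. Add a comment above caam_jr_alloc() stating that the result must be tested with IS_ERR() and is never NULL, so that a future caller does not add a NULL check that silently passes an error pointer through.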

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 273/305] ALSA: compress: fix an integer overflow check
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (111 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 191/305] net_sched: update hierarchical backlog too Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 187/305] kprobes/x86: Clear TF bit in fault on single-stepping Ben Hutchings
                   ` (192 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Takashi Iwai

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 6217e5ede23285ddfee10d2e4ba0cc2d4c046205 upstream.

I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/compress_offload.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -500,7 +500,7 @@ static int snd_compress_check_input(stru
 {
 	/* first let's check the buffer parameter's */
 	if (params->buffer.fragment_size == 0 ||
-			params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
+	    params->buffer.fragments > INT_MAX / params->buffer.fragment_size)
 		return -EINVAL;
 
 	/* now codec parameters */
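Review bot: the INT_MAX bound on the changed line only makes sense given that the product is later stored in an unsigned int in snd_compr_allocate_buffer(), as the commit message explains, and nothing at the check records that dependency. Extend the comment above the if to say that fragments * fragment_size must fit the type used for the buffer size, so the bound is not "corrected" back to SIZE_MAX later.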

^ permalink raw reply	[flat|nested] 321+ messages in thread
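The truncation described in the message above, as an added example that is not part of the patch or of the kernel source. It models a 64-bit build with fixed-width types; `struct buf_params`, the function names, the 32-bit field widths and the sample values are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for params->buffer; 32-bit fields are assumed. */
struct buf_params {
	uint32_t fragment_size;
	uint32_t fragments;
};

/* Model of a 64-bit build: size_t arithmetic is 64 bits wide. */
#define MODEL_SIZE_MAX UINT64_MAX

/* Bound used before the patch. With 32-bit inputs the quotient is always
 * far larger than any possible fragment count, so this never rejects. */
static bool input_ok_before(const struct buf_params *p)
{
	return !(p->fragment_size == 0 ||
		 p->fragments > MODEL_SIZE_MAX / p->fragment_size);
}

/* Bound used after the patch: the product must fit in an int. */
static bool input_ok_after(const struct buf_params *p)
{
	return !(p->fragment_size == 0 ||
		 p->fragments > INT_MAX / p->fragment_size);
}

/* Size the caller asked for, computed without loss. */
static uint64_t requested_bytes(const struct buf_params *p)
{
	return (uint64_t)p->fragments * p->fragment_size;
}

/* Size that survives being saved in a 32-bit unsigned variable. */
static uint32_t stored_buffer_size(const struct buf_params *p)
{
	return (uint32_t)requested_bytes(p);
}

/* Constructed inputs: one ordinary request, one whose product needs 33 bits. */
static const struct buf_params sane_request     = { 4096, 4 };
static const struct buf_params wrapping_request = { 0x10001, 0x10000 };

int main(void)
{
	const struct buf_params *cases[] = { &sane_request, &wrapping_request };

	for (int i = 0; i < 2; i++) {
		const struct buf_params *p = cases[i];

		printf("size=%u count=%u requested=%llu stored=%u "
		       "old_check=%d new_check=%d\n",
		       p->fragment_size, p->fragments,
		       (unsigned long long)requested_bytes(p),
		       stored_buffer_size(p),
		       input_ok_before(p), input_ok_after(p));
	}
	return 0;
}
```

The second request passes the old bound, yet only 65536 of the 4295032832 bytes it describes survive the narrowing store; the INT_MAX bound rejects it before any allocation happens.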

* [PATCH 3.16 112/305] drm/i915: Don't leave old junk in ilk active watermarks on readout
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (16 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 161/305] crypto: caam - fix caam_jr_alloc() ret code Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 289/305] netfilter: x_tables: validate targets of jumps Ben Hutchings
                   ` (287 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Matt Roper, Jani Nikula, Ville Syrjälä

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 7045c3689f148a0c95f42bae8ef3eb2829ac7de9 upstream.

When we read out the watermark state from the hardware we're supposed to
transfer that into the active watermarks, but currently we fail to any
part of the active watermarks that isn't explicitly written. Let's clear
it all upfront.

Looks like this has been like this since the beginning, when I added the
readout. No idea why I didn't clear it up.

Cc: Matt Roper <matthew.d.roper@intel.com>
Fixes: 243e6a44b9ca ("drm/i915: Init HSW watermark tracking in intel_modeset_setup_hw_state()")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1463151318-14719-2-git-send-email-ville.syrjala@linux.intel.com
(cherry picked from commit 15606534bf0a65d8a74a90fd57b8712d147dbca6)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/intel_pm.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/gpu/drm/i915/intel_pm.c
+++ b/drivers/gpu/drm/i915/intel_pm.c
@@ -2751,6 +2751,8 @@ static void ilk_pipe_wm_get_hw_state(str
 	if (IS_HASWELL(dev) || IS_BROADWELL(dev))
 		hw->wm_linetime[pipe] = I915_READ(PIPE_WM_LINETIME(pipe));
 
+	memset(active, 0, sizeof(*active));
+
 	active->pipe_enabled = intel_crtc_active(crtc);
 
 	if (active->pipe_enabled) {

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 090/305] drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config()
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (147 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 145/305] parisc: Fix pagefault crash in unaligned __get_user() call Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 219/305] Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 Ben Hutchings
                   ` (156 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Lyude, Daniel Vetter

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Lyude <cpaul@redhat.com>

commit 14a3842a1d5945067d1dd0788f314e14d5b18e5b upstream.

During boot time, MST devices usually send a ton of hotplug events
irregardless of whether or not any physical hotplugs actually occurred.
Hotplugs mean connectors being created/destroyed, and the number of DRM
connectors changing under us. This isn't a problem if we use
fb_helper->connector_count since we only set it once in the code,
however if we use num_connector from struct drm_mode_config we risk its
value changing under us. On top of that, there's even a chance that
dev->mode_config.num_connector != fb_helper->connector_count. If the
number of connectors happens to increase under us, we'll end up using
the wrong array size for memcpy and start writing beyond the actual
length of the array, occasionally resulting in kernel panics.

Note: This is just polish for 4.7, Dave Airlie's drm_connector
refcounting fixed these bugs for real. But it's good enough duct-tape
for stable kernel backporting, since backporting the refcounting
changes is way too invasive.

Signed-off-by: Lyude <cpaul@redhat.com>
[danvet: Clarify why we need this.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1463065021-18280-2-git-send-email-cpaul@redhat.com
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/intel_fbdev.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/i915/intel_fbdev.c
+++ b/drivers/gpu/drm/i915/intel_fbdev.c
@@ -323,12 +323,12 @@ static bool intel_fb_initial_config(stru
 			return false;
 	}
 
-	save_enabled = kcalloc(dev->mode_config.num_connector, sizeof(bool),
+	save_enabled = kcalloc(fb_helper->connector_count, sizeof(bool),
 			       GFP_KERNEL);
 	if (!save_enabled)
 		return false;
 
-	memcpy(save_enabled, enabled, dev->mode_config.num_connector);
+	memcpy(save_enabled, enabled, fb_helper->connector_count);
 
 	for (i = 0; i < fb_helper->connector_count; i++) {
 		struct drm_fb_helper_connector *fb_conn;
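Review bot: the memcpy into save_enabled copies fb_helper->connector_count bytes while the kcalloc above it allocates connector_count * sizeof(bool), so the two agree only if sizeof(bool) is 1. Use `fb_helper->connector_count * sizeof(*save_enabled)` as the length here and in the restoring memcpy under `out:` so the copy size is tied to the element type rather than assumed.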
@@ -443,7 +443,7 @@ static bool intel_fb_initial_config(stru
 out:
 	if (fallback) {
 		DRM_DEBUG_KMS("Not using firmware configuration\n");
-		memcpy(enabled, save_enabled, dev->mode_config.num_connector);
+		memcpy(enabled, save_enabled, fb_helper->connector_count);
 		kfree(save_enabled);
 		return false;
 	}

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 303/305] netfilter: x_tables: introduce and use xt_copy_counters_from_user
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (119 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 083/305] mmc: mmc: Fix partition switch timeout for some eMMCs Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 102/305] xfs: xfs_iflush_cluster fails to abort on error Ben Hutchings
                   ` (184 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Westphal, Pablo Neira Ayuso

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit d7591f0c41ce3e67600a982bab6989ef0f07b3ce upstream.

The three variants use same copy&pasted code, condense this into a
helper and use that.

Make sure info.name is 0-terminated.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/netfilter/x_tables.h |  3 ++
 net/ipv4/netfilter/arp_tables.c    | 48 +++----------------------
 net/ipv4/netfilter/ip_tables.c     | 48 +++----------------------
 net/ipv6/netfilter/ip6_tables.c    | 49 +++----------------------
 net/netfilter/x_tables.c           | 74 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 92 insertions(+), 130 deletions(-)

--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -248,6 +248,9 @@ int xt_check_match(struct xt_mtchk_param
 int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
 		    bool inv_proto);
 
+void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
+				 struct xt_counters_info *info, bool compat);
+
 struct xt_table *xt_register_table(struct net *net,
 				   const struct xt_table *table,
 				   struct xt_table_info *bootstrap,
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1122,56 +1122,18 @@ static int do_add_counters(struct net *n
 	unsigned int i, curcpu;
 	struct xt_counters_info tmp;
 	struct xt_counters *paddc;
-	unsigned int num_counters;
-	const char *name;
-	int size;
-	void *ptmp;
 	struct xt_table *t;
 	const struct xt_table_info *private;
 	int ret = 0;
 	void *loc_cpu_entry;
 	struct arpt_entry *iter;
 	unsigned int addend;
-#ifdef CONFIG_COMPAT
-	struct compat_xt_counters_info compat_tmp;
 
-	if (compat) {
-		ptmp = &compat_tmp;
-		size = sizeof(struct compat_xt_counters_info);
-	} else
-#endif
-	{
-		ptmp = &tmp;
-		size = sizeof(struct xt_counters_info);
-	}
-
-	if (copy_from_user(ptmp, user, size) != 0)
-		return -EFAULT;
-
-#ifdef CONFIG_COMPAT
-	if (compat) {
-		num_counters = compat_tmp.num_counters;
-		name = compat_tmp.name;
-	} else
-#endif
-	{
-		num_counters = tmp.num_counters;
-		name = tmp.name;
-	}
-
-	if (len != size + num_counters * sizeof(struct xt_counters))
-		return -EINVAL;
-
-	paddc = vmalloc(len - size);
-	if (!paddc)
-		return -ENOMEM;
-
-	if (copy_from_user(paddc, user + size, len - size) != 0) {
-		ret = -EFAULT;
-		goto free;
-	}
+	paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
+	if (IS_ERR(paddc))
+		return PTR_ERR(paddc);
 
-	t = xt_find_table_lock(net, NFPROTO_ARP, name);
+	t = xt_find_table_lock(net, NFPROTO_ARP, tmp.name);
 	if (IS_ERR_OR_NULL(t)) {
 		ret = t ? PTR_ERR(t) : -ENOENT;
 		goto free;
@@ -1179,7 +1141,7 @@ static int do_add_counters(struct net *n
 
 	local_bh_disable();
 	private = t->private;
-	if (private->number != num_counters) {
+	if (private->number != tmp.num_counters) {
 		ret = -EINVAL;
 		goto unlock_up_free;
 	}
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1309,56 +1309,18 @@ do_add_counters(struct net *net, const v
 	unsigned int i, curcpu;
 	struct xt_counters_info tmp;
 	struct xt_counters *paddc;
-	unsigned int num_counters;
-	const char *name;
-	int size;
-	void *ptmp;
 	struct xt_table *t;
 	const struct xt_table_info *private;
 	int ret = 0;
 	void *loc_cpu_entry;
 	struct ipt_entry *iter;
 	unsigned int addend;
-#ifdef CONFIG_COMPAT
-	struct compat_xt_counters_info compat_tmp;
 
-	if (compat) {
-		ptmp = &compat_tmp;
-		size = sizeof(struct compat_xt_counters_info);
-	} else
-#endif
-	{
-		ptmp = &tmp;
-		size = sizeof(struct xt_counters_info);
-	}
-
-	if (copy_from_user(ptmp, user, size) != 0)
-		return -EFAULT;
-
-#ifdef CONFIG_COMPAT
-	if (compat) {
-		num_counters = compat_tmp.num_counters;
-		name = compat_tmp.name;
-	} else
-#endif
-	{
-		num_counters = tmp.num_counters;
-		name = tmp.name;
-	}
-
-	if (len != size + num_counters * sizeof(struct xt_counters))
-		return -EINVAL;
-
-	paddc = vmalloc(len - size);
-	if (!paddc)
-		return -ENOMEM;
-
-	if (copy_from_user(paddc, user + size, len - size) != 0) {
-		ret = -EFAULT;
-		goto free;
-	}
+	paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
+	if (IS_ERR(paddc))
+		return PTR_ERR(paddc);
 
-	t = xt_find_table_lock(net, AF_INET, name);
+	t = xt_find_table_lock(net, AF_INET, tmp.name);
 	if (IS_ERR_OR_NULL(t)) {
 		ret = t ? PTR_ERR(t) : -ENOENT;
 		goto free;
@@ -1366,7 +1328,7 @@ do_add_counters(struct net *net, const v
 
 	local_bh_disable();
 	private = t->private;
-	if (private->number != num_counters) {
+	if (private->number != tmp.num_counters) {
 		ret = -EINVAL;
 		goto unlock_up_free;
 	}
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1319,56 +1319,17 @@ do_add_counters(struct net *net, const v
 	unsigned int i, curcpu;
 	struct xt_counters_info tmp;
 	struct xt_counters *paddc;
-	unsigned int num_counters;
-	char *name;
-	int size;
-	void *ptmp;
 	struct xt_table *t;
 	const struct xt_table_info *private;
 	int ret = 0;
 	const void *loc_cpu_entry;
 	struct ip6t_entry *iter;
 	unsigned int addend;
-#ifdef CONFIG_COMPAT
-	struct compat_xt_counters_info compat_tmp;
 
-	if (compat) {
-		ptmp = &compat_tmp;
-		size = sizeof(struct compat_xt_counters_info);
-	} else
-#endif
-	{
-		ptmp = &tmp;
-		size = sizeof(struct xt_counters_info);
-	}
-
-	if (copy_from_user(ptmp, user, size) != 0)
-		return -EFAULT;
-
-#ifdef CONFIG_COMPAT
-	if (compat) {
-		num_counters = compat_tmp.num_counters;
-		name = compat_tmp.name;
-	} else
-#endif
-	{
-		num_counters = tmp.num_counters;
-		name = tmp.name;
-	}
-
-	if (len != size + num_counters * sizeof(struct xt_counters))
-		return -EINVAL;
-
-	paddc = vmalloc(len - size);
-	if (!paddc)
-		return -ENOMEM;
-
-	if (copy_from_user(paddc, user + size, len - size) != 0) {
-		ret = -EFAULT;
-		goto free;
-	}
-
-	t = xt_find_table_lock(net, AF_INET6, name);
+	paddc = xt_copy_counters_from_user(user, len, &tmp, compat);
+	if (IS_ERR(paddc))
+		return PTR_ERR(paddc);
+	t = xt_find_table_lock(net, AF_INET6, tmp.name);
 	if (IS_ERR_OR_NULL(t)) {
 		ret = t ? PTR_ERR(t) : -ENOENT;
 		goto free;
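Review bot: in this ip6_tables variant the blank line between `return PTR_ERR(paddc);` and the `t = xt_find_table_lock(...)` call was dropped, unlike the arp_tables and ip_tables hunks, which keep it. Restore the blank line so the three do_add_counters() bodies stay textually aligned and future diffs across them remain easy to compare.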
@@ -1377,7 +1338,7 @@ do_add_counters(struct net *net, const v
 
 	local_bh_disable();
 	private = t->private;
-	if (private->number != num_counters) {
+	if (private->number != tmp.num_counters) {
 		ret = -EINVAL;
 		goto unlock_up_free;
 	}
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -771,6 +771,80 @@ int xt_check_target(struct xt_tgchk_para
 }
 EXPORT_SYMBOL_GPL(xt_check_target);
 
+/**
+ * xt_copy_counters_from_user - copy counters and metadata from userspace
+ *
+ * @user: src pointer to userspace memory
+ * @len: alleged size of userspace memory
+ * @info: where to store the xt_counters_info metadata
+ * @compat: true if we setsockopt call is done by 32bit task on 64bit kernel
+ *
+ * Copies counter meta data from @user and stores it in @info.
+ *
+ * vmallocs memory to hold the counters, then copies the counter data
+ * from @user to the new memory and returns a pointer to it.
+ *
+ * If @compat is true, @info gets converted automatically to the 64bit
+ * representation.
+ *
+ * The metadata associated with the counters is stored in @info.
+ *
+ * Return: returns pointer that caller has to test via IS_ERR().
+ * If IS_ERR is false, caller has to vfree the pointer.
+ */
+void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
+				 struct xt_counters_info *info, bool compat)
+{
+	void *mem;
+	u64 size;
+
+#ifdef CONFIG_COMPAT
+	if (compat) {
+		/* structures only differ in size due to alignment */
+		struct compat_xt_counters_info compat_tmp;
+
+		if (len <= sizeof(compat_tmp))
+			return ERR_PTR(-EINVAL);
+
+		len -= sizeof(compat_tmp);
+		if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
+			return ERR_PTR(-EFAULT);
+
+		strlcpy(info->name, compat_tmp.name, sizeof(info->name));
+		info->num_counters = compat_tmp.num_counters;
+		user += sizeof(compat_tmp);
+	} else
+#endif
+	{
+		if (len <= sizeof(*info))
+			return ERR_PTR(-EINVAL);
+
+		len -= sizeof(*info);
+		if (copy_from_user(info, user, sizeof(*info)) != 0)
+			return ERR_PTR(-EFAULT);
+
+		info->name[sizeof(info->name) - 1] = '\0';
+		user += sizeof(*info);
+	}
+
+	size = sizeof(struct xt_counters);
+	size *= info->num_counters;
+
+	if (size != (u64)len)
+		return ERR_PTR(-EINVAL);
+
+	mem = vmalloc(len);
+	if (!mem)
+		return ERR_PTR(-ENOMEM);
+
+	if (copy_from_user(mem, user, len) == 0)
+		return mem;
+
+	vfree(mem);
+	return ERR_PTR(-EFAULT);
+}
+EXPORT_SYMBOL_GPL(xt_copy_counters_from_user);
+
 #ifdef CONFIG_COMPAT
 int xt_compat_target_offset(const struct xt_target *target)
 {
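Review bot: the `len <= sizeof(*info)` and `len <= sizeof(compat_tmp)` tests in xt_copy_counters_from_user() reject a request that carries a header and zero counters with -EINVAL before num_counters is read, whereas the removed per-family code first compared len against size + num_counters * sizeof(struct xt_counters). If that is intended, say so in the kernel-doc Return: section; while there, the @compat line reads "true if we setsockopt call is done" and should drop the stray "we".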

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 008/305] xfs: disallow rw remount on fs with unknown ro-compat features
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (94 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 180/305] scsi: fix race between simultaneous decrements of ->host_failed Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 152/305] x86, build: copy ldlinux.c32 to image.iso Ben Hutchings
                   ` (209 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Dave Chinner, Bill O'Donnell, Dave Chinner, Eric Sandeen

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Sandeen <sandeen@redhat.com>

commit d0a58e833931234c44e515b5b8bede32bd4e6eed upstream.

Today, a kernel which refuses to mount a filesystem read-write
due to unknown ro-compat features can still transition to read-write
via the remount path.  The old kernel is most likely none the wiser,
because it's unaware of the new feature, and isn't using it.  However,
writing to the filesystem may well corrupt metadata related to that
new feature, and moving to a newer kernel which understands the feature
will have problems.

Right now the only ro-compat feature we have is the free inode btree,
which showed up in v3.16.  It would be good to push this back to
all the active stable kernels, I think, so that if anyone is using
newer mkfs (which enables the finobt feature) with older kernel
releases, they'll be protected.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Bill O'Donnell <billodo@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/xfs/xfs_super.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/fs/xfs/xfs_super.c
+++ b/fs/xfs/xfs_super.c
@@ -1250,6 +1250,16 @@ xfs_fs_remount(
 
 	/* ro -> rw */
 	if ((mp->m_flags & XFS_MOUNT_RDONLY) && !(*flags & MS_RDONLY)) {
+		if (XFS_SB_VERSION_NUM(sbp) == XFS_SB_VERSION_5 &&
+		    xfs_sb_has_ro_compat_feature(sbp,
+					XFS_SB_FEAT_RO_COMPAT_UNKNOWN)) {
+			xfs_warn(mp,
+"ro->rw transition prohibited on unknown (0x%x) ro-compat filesystem",
+				(sbp->sb_features_ro_compat &
+					XFS_SB_FEAT_RO_COMPAT_UNKNOWN));
+			return -EINVAL;
+		}
+
 		mp->m_flags &= ~XFS_MOUNT_RDONLY;
 
 		/*

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 254/305] batman-adv: Fix double-put of vlan object
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (28 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 231/305] iio: accel: kxsd9: fix the usage of spi_w8r8() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 056/305] USB: serial: io_edgeport: fix memory leaks in attach error path Ben Hutchings
                   ` (275 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Sven Eckelmann, David S. Miller, Marek Lindner

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Hutchings <ben@decadent.org.uk>

commit baceced93274ff2f846eae991664f9094425ffa8 upstream.

Each batadv_tt_local_entry holds a single reference to a
batadv_softif_vlan.  In case a new entry cannot be added to the hash
table, the error path puts the reference, but the reference will also
now be dropped by batadv_tt_local_entry_release().

Fixes: a33d970d0b54 ("batman-adv: Fix reference counting of vlan object for tt_local_entry")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: s/_put/_free_ref/]
---
 net/batman-adv/translation-table.c | 1 -
 1 file changed, 1 deletion(-)

--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -618,7 +618,6 @@ bool batadv_tt_local_add(struct net_devi
 	if (unlikely(hash_added != 0)) {
 		/* remove the reference for the hash */
 		batadv_tt_local_entry_free_ref(tt_local);
-		batadv_softif_vlan_free_ref(vlan);
 		goto out;
 	}
 
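
Review bot: Dropping `batadv_softif_vlan_free_ref(vlan)` from the hash_added error path is only correct if batadv_tt_local_entry_release() already puts the vlan reference in this tree, that is, if a33d970d0b54 (named in Fixes:) is part of 3.16.y; without it this change turns a double put into a leak. The remaining comment "remove the reference for the hash" could also say that the release function drops the vlan reference, so that nobody re-adds the put here.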


* [PATCH 3.16 050/305] ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (224 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 070/305] powerpc/mm/hash64: Fix subpage protection with 4K HPTE config Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 288/305] netfilter: x_tables: don't move to non-existent next rule Ben Hutchings
                   ` (79 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Krzysztof Kozlowski, Marek Szyprowski

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Marek Szyprowski <m.szyprowski@samsung.com>

commit 330d12764e15f6e3e94ff34cda29db96d2589c24 upstream.

MAX8997 PMIC requires interrupt and fails probing without it.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Fixes: d105f0b1215d ("ARM: dts: Add basic dts file for Samsung Trats board")
[k.kozlowski: Write commit message, add CC-stable]
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
[bwh: Backported to 3.16: adjust indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/exynos4210-trats.dts | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm/boot/dts/exynos4210-trats.dts
+++ b/arch/arm/boot/dts/exynos4210-trats.dts
@@ -188,6 +188,8 @@
 			compatible = "maxim,max8997-pmic";
 
 			reg = <0x66>;
+			interrupt-parent = <&gpx0>;
+			interrupts = <7 0>;
 
 			max8997,pmic-buck1-uses-gpio-dvs;
 			max8997,pmic-buck2-uses-gpio-dvs;
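
Review bot: `interrupts = <7 0>` leaves the second cell as a bare 0 with no indication of the intended trigger type, and nothing in the node says which board signal gpx0 line 7 carries. A short comment naming the PMIC IRQ pin and the trigger type would make the wiring checkable against the schematic, which matters here because the commit message says the PMIC fails to probe without a working interrupt.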


* [PATCH 3.16 182/305] ARM: 8579/1: mm: Fix definition of pmd_mknotpresent
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (221 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 108/305] Input: uinput - handle compat ioctl for UI_SET_PHYS Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 113/305] mmc: longer timeout for long read time quirk Ben Hutchings
                   ` (82 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Will Deacon, Russell King, Steve Capper,
	Kirill A. Shutemov, Russell King, Catalin Marinas

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Steve Capper <steve.capper@arm.com>

commit 56530f5d2ddc9b9fade7ef8db9cb886e9dc689b5 upstream.

Currently pmd_mknotpresent will use a zero entry to represent an
invalidated pmd.

Unfortunately this definition clashes with pmd_none, thus it is
possible for a race condition to occur if zap_pmd_range sees pmd_none
whilst __split_huge_pmd_locked is running too with pmdp_invalidate
just called.

This patch fixes the race condition by modifying pmd_mknotpresent to
create non-zero faulting entries (as is done in other architectures),
removing the ambiguity with pmd_none.

[catalin.marinas@arm.com: using L_PMD_SECT_VALID instead of PMD_TYPE_SECT]

Fixes: 8d9625070073 ("ARM: mm: Transparent huge page support for LPAE systems.")
Reported-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Signed-off-by: Steve Capper <steve.capper@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[bwh: Backported to 3.16: also convert from a macro to a function, as done
 earlier upstream]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/arm/include/asm/pgtable-3level.h
+++ b/arch/arm/include/asm/pgtable-3level.h
@@ -243,8 +243,11 @@ PMD_BIT_FUNC(mkyoung,   |= PMD_SECT_AF);
 #define pfn_pmd(pfn,prot)	(__pmd(((phys_addr_t)(pfn) << PAGE_SHIFT) | pgprot_val(prot)))
 #define mk_pmd(page,prot)	pfn_pmd(page_to_pfn(page),prot)
 
-/* represent a notpresent pmd by zero, this is used by pmdp_invalidate */
-#define pmd_mknotpresent(pmd)	(__pmd(0))
+/* represent a notpresent pmd by faulting entry, this is used by pmdp_invalidate */
+static inline pmd_t pmd_mknotpresent(pmd_t pmd)
+{
+	return __pmd(pmd_val(pmd) & ~L_PMD_SECT_VALID);
+}
 
 static inline pmd_t pmd_modify(pmd_t pmd, pgprot_t newprot)
 {
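
Review bot: The new comment on pmd_mknotpresent() says "faulting entry" but not why the entry must be non-zero: clearing only L_PMD_SECT_VALID keeps the result distinguishable from pmd_none() while pmdp_invalidate is in flight. Stating that in the comment would stop a later cleanup from reverting to `__pmd(0)`. Converting the macro to a typed inline is a welcome side effect, since the argument is now actually used and type-checked.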


* [PATCH 3.16 279/305] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (36 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 103/305] xfs: fix inode validity check in xfs_iflush_cluster Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 060/305] USB: serial: quatech2: fix use-after-free in probe error path Ben Hutchings
                   ` (267 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Kangjie Lu, Takashi Iwai, Kangjie Lu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kangjie Lu <kangjielu@gmail.com>

commit e4ec8cc8039a7063e24204299b462bd1383184a5 upstream.

The stack object “r1” has a total size of 32 bytes. Its fields
“event” and “val” both contain 4 bytes of padding. These 8
padding bytes are sent to user without being initialized.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/core/timer.c | 1 +
 1 file changed, 1 insertion(+)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1286,6 +1286,7 @@ static void snd_timer_user_tinterrupt(st
 	}
 	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
 	    tu->last_resolution != resolution) {
+		memset(&r1, 0, sizeof(r1));
 		r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
 		r1.tstamp = tstamp;
 		r1.val = resolution;
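
Review bot: The memset is added only inside the SNDRV_TIMER_EVENT_RESOLUTION branch, so it protects r1 only when this branch fills it. If snd_timer_user_tinterrupt() populates and queues r1 anywhere outside the lines shown, those paths copy the same padding to user space; zeroing r1 once at its declaration or at function entry would cover all of them and could not be bypassed by a later edit that adds another branch.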


* [PATCH 3.16 121/305] ALSA: hda - Fix headset mic detection problem for one Dell machine
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (278 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 003/305] ARM: dts: kirkwood: add kirkwood-nsa320.dtb to Makefile Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 298/305] netfilter: arp_tables: simplify translate_compat_table args Ben Hutchings
                   ` (25 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Hui Wang

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Hui Wang <hui.wang@canonical.com>

commit 86c72d1ce91d804e4fa8d90b316a89597dd220f1 upstream.

Add the pin configuration value of this machine into the pin_quirk
table to make DELL1_MIC_NO_PRESENCE apply to this machine.

Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 sound/pci/hda/patch_realtek.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5103,6 +5103,9 @@ static const struct hda_model_fixup alc2
 
 static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
 	SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+		{0x14, 0x90170130},
+		{0x21, 0x02211040}),
+	SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
 		{0x12, 0x90a60140},
 		{0x14, 0x90170110},
 		{0x17, 0x40000000},
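
Review bot: The new SND_HDA_PIN_QUIRK entry matches on only two pins (0x14 and 0x21) and carries the same generic "Dell" label as the entry below it, so nothing in the table ties it to the machine the commit message refers to. A comment with the model or subsystem ID would help when someone later has to decide whether an overlapping entry can be merged or removed.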


* [PATCH 3.16 198/305] KEYS: potential uninitialized variable
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (292 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 255/305] batman-adv: Fix ICMP RR ethernet access after skb_linearize Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 185/305] spi: sun4i: fix FIFO limit Ben Hutchings
                   ` (11 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, David Howells, Linus Torvalds

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 38327424b40bcebe2de92d07312c89360ac9229a upstream.

If __key_link_begin() failed then "edit" would be uninitialized.  I've
added a check to fix that.

This allows a random user to crash the kernel, though it's quite
difficult to achieve.  There are three ways it can be done as the user
would have to cause an error to occur in __key_link():

 (1) Cause the kernel to run out of memory.  In practice, this is difficult
     to achieve without ENOMEM cropping up elsewhere and aborting the
     attempt.

 (2) Revoke the destination keyring between the keyring ID being looked up
     and it being tested for revocation.  In practice, this is difficult to
     time correctly because the KEYCTL_REJECT function can only be used
     from the request-key upcall process.  Further, users can only make use
     of what's in /sbin/request-key.conf, though this does include a
     rejection debugging test - which means that the destination keyring
     has to be the caller's session keyring in practice.

 (3) Have just enough key quota available to create a key, a new session
     keyring for the upcall and a link in the session keyring, but not then
     sufficient quota to create a link in the nominated destination keyring
     so that it fails with EDQUOT.

The bug can be triggered using option (3) above using something like the
following:

	echo 80 >/proc/sys/kernel/keys/root_maxbytes
	keyctl request2 user debug:fred negate @t

The above sets the quota to something much lower (80) to make the bug
easier to trigger, but this is dependent on the system.  Note also that
the name of the keyring created contains a random number that may be
between 1 and 10 characters in size, so may throw the test off by
changing the amount of quota used.

Assuming the failure occurs, something like the following will be seen:

	kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
	------------[ cut here ]------------
	kernel BUG at ../mm/slab.c:2821!
	...
	RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
	RSP: 0018:ffff8804014a7de8  EFLAGS: 00010092
	RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
	RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
	RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
	R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
	R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
	...
	Call Trace:
	  kfree+0xde/0x1bc
	  assoc_array_cancel_edit+0x1f/0x36
	  __key_link_end+0x55/0x63
	  key_reject_and_link+0x124/0x155
	  keyctl_reject_key+0xb6/0xe0
	  keyctl_negate_key+0x10/0x12
	  SyS_keyctl+0x9f/0xe7
	  do_syscall_64+0x63/0x13a
	  entry_SYSCALL64_slow_path+0x25/0x25

Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 security/keys/key.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -575,7 +575,7 @@ int key_reject_and_link(struct key *key,
 
 	mutex_unlock(&key_construction_mutex);
 
-	if (keyring)
+	if (keyring && link_ret == 0)
 		__key_link_end(keyring, &key->index_key, edit);
 
 	/* wake up anyone waiting for a key to be constructed */
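
Review bot: The new condition `keyring && link_ret == 0` assumes link_ret is assigned on every path where keyring is non-NULL; that assignment is outside this hunk, so confirm it against the 3.16 body of key_reject_and_link(). Since the crash in the commit message comes from passing an uninitialized `edit` to __key_link_end(), a short comment here explaining that `edit` is only valid after a successful __key_link_begin() would document why the call is conditional.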


* [PATCH 3.16 087/305] PCI: Disable all BAR sizing for devices with non-compliant BARs
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (231 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 163/305] iio: proximity: as3935: correct IIO_CHAN_INFO_RAW output Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 047/305] ACPI / sysfs: fix error code in get_status() Ben Hutchings
                   ` (72 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Prarit Bhargava, Ingo Molnar, H. Peter Anvin,
	Bjorn Helgaas, Andi Kleen, Thomas Gleixner

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Prarit Bhargava <prarit@redhat.com>

commit ad67b437f187ea818b2860524d10f878fadfdd99 upstream.

b84106b4e229 ("PCI: Disable IO/MEM decoding for devices with non-compliant
BARs") disabled BAR sizing for BARs 0-5 of devices that don't comply with
the PCI spec.  But it didn't do anything for expansion ROM BARs, so we
still try to size them, resulting in warnings like this on Broadwell-EP:

  pci 0000:ff:12.0: BAR 6: failed to assign [mem size 0x00000001 pref]

Move the non-compliant BAR check from __pci_read_base() up to
pci_read_bases() so it applies to the expansion ROM BAR as well as
to BARs 0-5.

Note that direct callers of __pci_read_base(), like sriov_init(), will now
bypass this check.  We haven't had reports of devices with broken SR-IOV
BARs yet.

[bhelgaas: changelog]
Fixes: b84106b4e229 ("PCI: Disable IO/MEM decoding for devices with non-compliant BARs")
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Thomas Gleixner <tglx@linutronix.de>
CC: Ingo Molnar <mingo@redhat.com>
CC: "H. Peter Anvin" <hpa@zytor.com>
CC: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/pci/probe.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -176,9 +176,6 @@ int __pci_read_base(struct pci_dev *dev,
 	struct pci_bus_region region, inverted_region;
 	bool bar_too_big = false, bar_too_high = false, bar_invalid = false;
 
-	if (dev->non_compliant_bars)
-		return 0;
-
 	mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
 
 	/* No printks while decoding is disabled! */
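
Review bot: Removing the `dev->non_compliant_bars` test from __pci_read_base() means every direct caller now sizes BARs on flagged devices; the commit message names sriov_init() as one such caller. A comment at the top of __pci_read_base() stating that callers are responsible for the non_compliant_bars check would make that contract visible in the code and not only in the changelog.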
@@ -330,6 +327,9 @@ static void pci_read_bases(struct pci_de
 {
 	unsigned int pos, reg;
 
+	if (dev->non_compliant_bars)
+		return;
+
 	for (pos = 0; pos < howmany; pos++) {
 		struct resource *res = &dev->resource[pos];
 		reg = PCI_BASE_ADDRESS_0 + (pos << 2);
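
Review bot: The early `return` in pci_read_bases() skips the whole function for flagged devices, which is what extends the check to the expansion ROM BAR, but the code does not say so. A one-line comment above the test, noting that it covers BARs 0-5 and the ROM BAR, would explain why the check lives here and not in the per-BAR helper.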


* [PATCH 3.16 179/305] iio: Fix error handling in iio_trigger_attach_poll_func
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (33 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 028/305] alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 042/305] mcb: Fixed bar number assignment for the gdd Ben Hutchings
                   ` (270 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Crestez Dan Leonard, Jonathan Cameron

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Crestez Dan Leonard <leonard.crestez@intel.com>

commit 99543823357966ac938d9a310947e731b67338e6 upstream.

When attaching a pollfunc iio_trigger_attach_poll_func will allocate a
virtual irq and call the driver's set_trigger_state function. Fix error
handling to undo previous steps if any fails.

In particular this fixes handling errors from a driver's
set_trigger_state function. When using triggered buffers a failure to
enable the trigger used to make the buffer unusable.

Signed-off-by: Crestez Dan Leonard <leonard.crestez@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/industrialio-trigger.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

--- a/drivers/iio/industrialio-trigger.c
+++ b/drivers/iio/industrialio-trigger.c
@@ -203,22 +203,35 @@ static int iio_trigger_attach_poll_func(
 
 	/* Prevent the module from being removed whilst attached to a trigger */
 	__module_get(pf->indio_dev->info->driver_module);
+
+	/* Get irq number */
 	pf->irq = iio_trigger_get_irq(trig);
+	if (pf->irq < 0)
+		goto out_put_module;
+
+	/* Request irq */
 	ret = request_threaded_irq(pf->irq, pf->h, pf->thread,
 				   pf->type, pf->name,
 				   pf);
-	if (ret < 0) {
-		module_put(pf->indio_dev->info->driver_module);
-		return ret;
-	}
+	if (ret < 0)
+		goto out_put_irq;
 
+	/* Enable trigger in driver */
 	if (trig->ops && trig->ops->set_trigger_state && notinuse) {
 		ret = trig->ops->set_trigger_state(trig, true);
 		if (ret < 0)
-			module_put(pf->indio_dev->info->driver_module);
+			goto out_free_irq;
 	}
 
 	return ret;
+
+out_free_irq:
+	free_irq(pf->irq, pf);
+out_put_irq:
+	iio_trigger_put_irq(trig, pf->irq);
+out_put_module:
+	module_put(pf->indio_dev->info->driver_module);
+	return ret;
 }
 
 static int iio_trigger_detach_poll_func(struct iio_trigger *trig,
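
Review bot: On the new `if (pf->irq < 0) goto out_put_module;` path, ret is never set from pf->irq, so the function returns whatever ret held before this hunk, which may be 0 and would then report success after the module reference has been dropped. Assign it before the jump, for example `ret = pf->irq;`. The unwind labels themselves are in the correct reverse order (free_irq, iio_trigger_put_irq, module_put).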


* [PATCH 3.16 220/305] Input: elantech - add more IC body types to the list
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (127 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 280/305] tipc: fix an infoleak in tipc_nl_compat_link_dump Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 243/305] net: bgmac: Start transmit queue in bgmac_open Ben Hutchings
                   ` (176 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Patrick Lessard, Dmitry Torokhov

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

commit 226ba707744a51acb4244724e09caacb1d96aed9 upstream.

The touchpad in HP Pavilion 14-ab057ca reports its version as 12 and
according to Elan both 11 and 12 are valid IC types and should be
identified as hw_version 4.

Reported-by: Patrick Lessard <Patrick.Lessard@cogeco.com>
Tested-by: Patrick Lessard <Patrick.Lessard@cogeco.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/input/mouse/elantech.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1450,13 +1450,7 @@ static int elantech_set_properties(struc
 		case 5:
 			etd->hw_version = 3;
 			break;
-		case 6:
-		case 7:
-		case 8:
-		case 9:
-		case 10:
-		case 13:
-		case 14:
+		case 6 ... 14:
 			etd->hw_version = 4;
 			break;
 		default:
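
Review bot: `case 6 ... 14:` now also accepts 11 and 12, which matches the commit message, but the range form hides that this was a deliberate widening based on Elan's statement. A comment on the case noting that IC body types 6 through 14 are all treated as hw_version 4 per the vendor would keep a future reader from narrowing it again. The case-range syntax is a GNU C extension, which is acceptable in kernel code.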


* [PATCH 3.16 207/305] net/mlx4_en: Fix the return value of a failure in VLAN VID add/kill
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (285 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 104/305] xfs: skip stale inodes in xfs_iflush_cluster Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 124/305] dma-debug: avoid spinlock recursion when disabling dma-debug Ben Hutchings
                   ` (18 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Tariq Toukan, Kamal Heib, David S. Miller

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kamal Heib <kamalh@mellanox.com>

commit 93c098af09455ea7bdc6f0f6b08f6ac14fa06cf4 upstream.

Modify mlx4_en_vlan_rx_[add/kill]_vid to return error value in case of
failure.

Fixes: 8e586137e6b6 ('net: make vlan ndo_vlan_rx_[add/kill]_vid return error value')
Signed-off-by: Kamal Heib <kamalh@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -424,14 +424,18 @@ static int mlx4_en_vlan_rx_add_vid(struc
 	mutex_lock(&mdev->state_lock);
 	if (mdev->device_up && priv->port_up) {
 		err = mlx4_SET_VLAN_FLTR(mdev->dev, priv);
-		if (err)
+		if (err) {
 			en_err(priv, "Failed configuring VLAN filter\n");
+			goto out;
+		}
 	}
-	if (mlx4_register_vlan(mdev->dev, priv->port, vid, &idx))
-		en_dbg(HW, priv, "failed adding vlan %d\n", vid);
-	mutex_unlock(&mdev->state_lock);
+	err = mlx4_register_vlan(mdev->dev, priv->port, vid, &idx);
+	if (err)
+		en_dbg(HW, priv, "Failed adding vlan %d\n", vid);
 
-	return 0;
+out:
+	mutex_unlock(&mdev->state_lock);
+	return err;
 }
 
 static int mlx4_en_vlan_rx_kill_vid(struct net_device *dev,
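
Review bot: In mlx4_en_vlan_rx_add_vid() a mlx4_register_vlan() failure is now returned to the caller but is still logged with en_dbg(), while the mlx4_SET_VLAN_FLTR() failure just above uses en_err(). Both now fail the operation, so log both at error level to make the failure visible without debug output enabled. Also, when registration fails after the filter was set, the filter change is not undone before `goto`-less fallthrough to `out:`; if that is intentional, say so in a comment.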
@@ -439,7 +443,7 @@ static int mlx4_en_vlan_rx_kill_vid(stru
 {
 	struct mlx4_en_priv *priv = netdev_priv(dev);
 	struct mlx4_en_dev *mdev = priv->mdev;
-	int err;
+	int err = 0;
 
 	en_dbg(HW, priv, "Killing VID:%d\n", vid);
 
@@ -456,7 +460,7 @@ static int mlx4_en_vlan_rx_kill_vid(stru
 	}
 	mutex_unlock(&mdev->state_lock);
 
-	return 0;
+	return err;
 }
 
 static void mlx4_en_u64_to_mac(unsigned char dst_mac[ETH_ALEN + 2], u64 src_mac)
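
Review bot: `return err` in mlx4_en_vlan_rx_kill_vid() is only well defined on paths that never assign err because the previous hunk changes the declaration to `int err = 0`; the two changes have to travel together in any further backport. It is worth checking in the full function that every assignment to err before this point represents a failure the VLAN core should actually see.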


* [PATCH 3.16 007/305] iommu/vt-d: Improve fault handler error messages
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (43 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 082/305] i40e: fix an uninitialized variable bug Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 275/305] proc: prevent stacking filesystems on top Ben Hutchings
                   ` (260 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Alex Williamson, Joerg Roedel, Joe Perches

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Williamson <alex.williamson@redhat.com>

commit a0fe14d7dcf5db2f101b4fe8689ecabb255ab7d3 upstream.

Remove new line in error logs, avoid duplicate and explicit pr_fmt.

Suggested-by: Joe Perches <joe@perches.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Fixes: 0ac2491f57af ('x86, dmar: move page fault handling code to dmar.c')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iommu/dmar.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

--- a/drivers/iommu/dmar.c
+++ b/drivers/iommu/dmar.c
@@ -1459,18 +1459,14 @@ static int dmar_fault_do_one(struct inte
 	reason = dmar_get_fault_reason(fault_reason, &fault_type);
 
 	if (fault_type == INTR_REMAP)
-		pr_err("INTR-REMAP: Request device [[%02x:%02x.%d] "
-		       "fault index %llx\n"
-			"INTR-REMAP:[fault reason %02d] %s\n",
-			(source_id >> 8), PCI_SLOT(source_id & 0xFF),
+		pr_err("[INTR-REMAP] Request device [%02x:%02x.%d] fault index %llx [fault reason %02d] %s\n",
+			source_id >> 8, PCI_SLOT(source_id & 0xFF),
 			PCI_FUNC(source_id & 0xFF), addr >> 48,
 			fault_reason, reason);
 	else
-		pr_err("DMAR:[%s] Request device [%02x:%02x.%d] "
-		       "fault addr %llx \n"
-		       "DMAR:[fault reason %02d] %s\n",
-		       (type ? "DMA Read" : "DMA Write"),
-		       (source_id >> 8), PCI_SLOT(source_id & 0xFF),
+		pr_err("[%s] Request device [%02x:%02x.%d] fault addr %llx [fault reason %02d] %s\n",
+		       type ? "DMA Read" : "DMA Write",
+		       source_id >> 8, PCI_SLOT(source_id & 0xFF),
 		       PCI_FUNC(source_id & 0xFF), addr, fault_reason, reason);
 	return 0;
 }
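
Review bot: Both pr_err() calls lose their literal prefix (`INTR-REMAP:` becomes `[INTR-REMAP]`, and the `DMAR:` tag disappears from the format string) and collapse two log lines into one. The DMAR prefix now depends on a pr_fmt definition that is not visible in this hunk, so confirm that dmar.c in 3.16 defines one. Because this is a stable update, the format change should also be called out for anyone whose log monitoring matches the old `DMAR:[fault reason` or `INTR-REMAP:` strings.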


* [PATCH 3.16 238/305] USB: don't free bandwidth_mutex too early
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (219 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 053/305] MIPS: Don't unwind to user mode with EVA Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 108/305] Input: uinput - handle compat ioctl for UI_SET_PHYS Ben Hutchings
                   ` (84 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Chung-Geol Kim, Greg Kroah-Hartman, Alan Stern

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Alan Stern <stern@rowland.harvard.edu>

commit ab2a4bf83902c170d29ba130a8abb5f9d90559e1 upstream.

The USB core contains a bug that can show up when a USB-3 host
controller is removed.  If the primary (USB-2) hcd structure is
released before the shared (USB-3) hcd, the core will try to do a
double-free of the common bandwidth_mutex.

The problem was described in graphical form by Chung-Geol Kim, who
first reported it:

=================================================
     At *remove USB(3.0) Storage
     sequence <1> --> <5> ((Problem Case))
=================================================
                                  VOLD
------------------------------------|------------
                                 (uevent)
                            ________|_________
                           |<1>               |
                           |dwc3_otg_sm_work  |
                           |usb_put_hcd       |
                           |peer_hcd(kref=2)|
                           |__________________|
                            ________|_________
                           |<2>               |
                           |New USB BUS #2    |
                           |                  |
                           |peer_hcd(kref=1)  |
                           |                  |
                         --(Link)-bandXX_mutex|
                         | |__________________|
                         |
    ___________________  |
   |<3>                | |
   |dwc3_otg_sm_work   | |
   |usb_put_hcd        | |
   |primary_hcd(kref=1)| |
   |___________________| |
    _________|_________  |
   |<4>                | |
   |New USB BUS #1     | |
   |hcd_release        | |
   |primary_hcd(kref=0)| |
   |                   | |
   |bandXX_mutex(free) |<-
   |___________________|
                               (( VOLD ))
                            ______|___________
                           |<5>               |
                           |      SCSI        |
                           |usb_put_hcd       |
                           |peer_hcd(kref=0)  |
                           |*hcd_release      |
                           |bandXX_mutex(free*)|<- double free
                           |__________________|

=================================================

This happens because hcd_release() frees the bandwidth_mutex whenever
it sees a primary hcd being released (which is not a very good idea
in any case), but in the course of releasing the primary hcd, it
changes the pointers in the shared hcd in such a way that the shared
hcd will appear to be primary when it gets released.

This patch fixes the problem by changing hcd_release() so that it
deallocates the bandwidth_mutex only when the _last_ hcd structure
referencing it is released.  The patch also removes an unnecessary
test, so that when an hcd is released, both the shared_hcd and
primary_hcd pointers in the hcd's peer will be cleared.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Chung-Geol Kim <chunggeol.kim@samsung.com>
Tested-by: Chung-Geol Kim <chunggeol.kim@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: free only usb_hcd::bandwidth_mutex, not
 usb_hcd::address0_mutex too]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -2518,24 +2518,22 @@ EXPORT_SYMBOL_GPL(usb_create_hcd);
  * Don't deallocate the bandwidth_mutex until the last shared usb_hcd is
  * deallocated.
  *
- * Make sure to only deallocate the bandwidth_mutex when the primary HCD is
- * freed.  When hcd_release() is called for either hcd in a peer set
- * invalidate the peer's ->shared_hcd and ->primary_hcd pointers to
- * block new peering attempts
+ * Make sure to deallocate the bandwidth_mutex only when the last HCD is
+ * freed.  When hcd_release() is called for either hcd in a peer set,
+ * invalidate the peer's ->shared_hcd and ->primary_hcd pointers.
  */
 static void hcd_release(struct kref *kref)
 {
 	struct usb_hcd *hcd = container_of (kref, struct usb_hcd, kref);
 
 	mutex_lock(&usb_port_peer_mutex);
-	if (usb_hcd_is_primary_hcd(hcd))
-		kfree(hcd->bandwidth_mutex);
 	if (hcd->shared_hcd) {
 		struct usb_hcd *peer = hcd->shared_hcd;
 
 		peer->shared_hcd = NULL;
-		if (peer->primary_hcd == hcd)
-			peer->primary_hcd = NULL;
+		peer->primary_hcd = NULL;
+	} else {
+		kfree(hcd->bandwidth_mutex);
 	}
 	mutex_unlock(&usb_port_peer_mutex);
 	kfree(hcd);
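
Review bot: After this change the only signal that an hcd is the last holder of bandwidth_mutex is `hcd->shared_hcd == NULL` at release time, which relies on the first-released peer clearing the other's shared_hcd under usb_port_peer_mutex. The comment block should state that invariant directly; as written it mentions the "last" hcd twice (the untouched first sentence and the rewritten second one) without saying how "last" is detected. It would also help to note that any code setting shared_hcd must hold the same mutex, since the kfree() decision depends on it.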


* [PATCH 3.16 295/305] netfilter: x_tables: check for bogus target offset
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (174 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 088/305] netlink: Fix dump skb leak/double free Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 197/305] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing Ben Hutchings
                   ` (129 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Westphal, Pablo Neira Ayuso

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit ce683e5f9d045e5d67d1312a42b359cb2ab2a13c upstream.

We're currently asserting that targetoff + targetsize <= nextoff.

Extend it to also check that targetoff is >= sizeof(xt_entry).
Since this is generic code, add an argument pointing to the start of the
match/target, we can then derive the base structure size from the delta.

We also need the e->elems pointer in a followup change to validate matches.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/linux/netfilter/x_tables.h |  4 ++--
 net/ipv4/netfilter/arp_tables.c    |  5 +++--
 net/ipv4/netfilter/ip_tables.c     |  5 +++--
 net/ipv6/netfilter/ip6_tables.c    |  5 +++--
 net/netfilter/x_tables.c           | 17 +++++++++++++++--
 5 files changed, 26 insertions(+), 10 deletions(-)

--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -239,7 +239,7 @@ void xt_unregister_match(struct xt_match
 int xt_register_matches(struct xt_match *match, unsigned int n);
 void xt_unregister_matches(struct xt_match *match, unsigned int n);
 
-int xt_check_entry_offsets(const void *base,
+int xt_check_entry_offsets(const void *base, const char *elems,
 			   unsigned int target_offset,
 			   unsigned int next_offset);
 
@@ -435,7 +435,7 @@ void xt_compat_target_from_user(struct x
 				unsigned int *size);
 int xt_compat_target_to_user(const struct xt_entry_target *t,
 			     void __user **dstptr, unsigned int *size);
-int xt_compat_check_entry_offsets(const void *base,
+int xt_compat_check_entry_offsets(const void *base, const char *elems,
 				  unsigned int target_offset,
 				  unsigned int next_offset);
 
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -583,7 +583,8 @@ static inline int check_entry_size_and_h
 	if (!arp_checkentry(&e->arp))
 		return -EINVAL;
 
-	err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
+	err = xt_check_entry_offsets(e, e->elems, e->target_offset,
+				     e->next_offset);
 	if (err)
 		return err;
 
@@ -1245,7 +1246,7 @@ check_compat_entry_size_and_hooks(struct
 	if (!arp_checkentry(&e->arp))
 		return -EINVAL;
 
-	ret = xt_compat_check_entry_offsets(e, e->target_offset,
+	ret = xt_compat_check_entry_offsets(e, e->elems, e->target_offset,
 					    e->next_offset);
 	if (ret)
 		return ret;
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -743,7 +743,8 @@ check_entry_size_and_hooks(struct ipt_en
 	if (!ip_checkentry(&e->ip))
 		return -EINVAL;
 
-	err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
+	err = xt_check_entry_offsets(e, e->elems, e->target_offset,
+				     e->next_offset);
 	if (err)
 		return err;
 
@@ -1510,7 +1511,7 @@ check_compat_entry_size_and_hooks(struct
 	if (!ip_checkentry(&e->ip))
 		return -EINVAL;
 
-	ret = xt_compat_check_entry_offsets(e,
+	ret = xt_compat_check_entry_offsets(e, e->elems,
 					    e->target_offset, e->next_offset);
 	if (ret)
 		return ret;
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -754,7 +754,8 @@ check_entry_size_and_hooks(struct ip6t_e
 	if (!ip6_checkentry(&e->ipv6))
 		return -EINVAL;
 
-	err = xt_check_entry_offsets(e, e->target_offset, e->next_offset);
+	err = xt_check_entry_offsets(e, e->elems, e->target_offset,
+				     e->next_offset);
 	if (err)
 		return err;
 
@@ -1522,7 +1523,7 @@ check_compat_entry_size_and_hooks(struct
 	if (!ip6_checkentry(&e->ipv6))
 		return -EINVAL;
 
-	ret = xt_compat_check_entry_offsets(e,
+	ret = xt_compat_check_entry_offsets(e, e->elems,
 					    e->target_offset, e->next_offset);
 	if (ret)
 		return ret;
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -565,14 +565,17 @@ struct compat_xt_standard_target {
 	compat_uint_t verdict;
 };
 
-/* see xt_check_entry_offsets */
-int xt_compat_check_entry_offsets(const void *base,
+int xt_compat_check_entry_offsets(const void *base, const char *elems,
 				  unsigned int target_offset,
 				  unsigned int next_offset)
 {
+	long size_of_base_struct = elems - (const char *)base;
 	const struct compat_xt_entry_target *t;
 	const char *e = base;
 
+	if (target_offset < size_of_base_struct)
+		return -EINVAL;
+
 	if (target_offset + sizeof(*t) > next_offset)
 		return -EINVAL;
 
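Review bot: In xt_compat_check_entry_offsets() the new "target_offset < size_of_base_struct" test carries no comment, and the removed "see xt_check_entry_offsets" line was the only documentation this function had. Suggest keeping that cross-reference and repeating the one-line comment used in the non-compat version ("target start is within the ip/ip6/arpt_entry struct") so the two functions stay visibly in step.
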
@@ -596,12 +599,16 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs
  * xt_check_entry_offsets - validate arp/ip/ip6t_entry
  *
  * @base: pointer to arp/ip/ip6t_entry
+ * @elems: pointer to first xt_entry_match, i.e. ip(6)t_entry->elems
  * @target_offset: the arp/ip/ip6_t->target_offset
  * @next_offset: the arp/ip/ip6_t->next_offset
  *
  * validates that target_offset and next_offset are sane.
  * Also see xt_compat_check_entry_offsets for CONFIG_COMPAT version.
  *
+ * This function does not validate the targets or matches themselves, it
+ * only tests that all the offsets and sizes are correct.
+ *
  * The arp/ip/ip6t_entry structure @base must have passed following tests:
  * - it must point to a valid memory location
  * - base to base + next_offset must be accessible, i.e. not exceed allocated
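
Review bot: The new @elems line says "i.e. ip(6)t_entry->elems", but @base on the line above is documented as arp/ip/ip6t_entry and arp_tables.c passes e->elems too in this patch. Suggest wording it as "arp/ip/ip6t_entry->elems" so the kernel-doc matches all three callers. It would also be worth saying that @elems must point into the same entry as @base, since the function derives the header size from the difference of the two pointers without checking it.
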
@@ -610,12 +617,18 @@ EXPORT_SYMBOL(xt_compat_check_entry_offs
  * Return: 0 on success, negative errno on failure.
  */
 int xt_check_entry_offsets(const void *base,
+			   const char *elems,
 			   unsigned int target_offset,
 			   unsigned int next_offset)
 {
+	long size_of_base_struct = elems - (const char *)base;
 	const struct xt_entry_target *t;
 	const char *e = base;
 
+	/* target start is within the ip/ip6/arpt_entry struct */
+	if (target_offset < size_of_base_struct)
+		return -EINVAL;
+
 	if (target_offset + sizeof(*t) > next_offset)
 		return -EINVAL;
 
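Review bot: size_of_base_struct is declared long but is compared with target_offset, an unsigned int, in the new test, so what happens when elems lies below base depends on the width of long: the comparison is done in unsigned arithmetic on a 32-bit build and in signed arithmetic on a 64-bit one. Every caller in this patch passes e and e->elems, which keeps the delta positive, but since this is exported generic code it would be cleaner to make the variable unsigned or to reject a negative delta explicitly rather than leave the invariant implicit.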

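As an added illustration (not code from the patch or from the kernel tree), the stand-alone C program below shows what the extra lower-bound check rejects. The demo_* names, the struct layouts and the sample offsets are constructed for this example, and the two target_size checks go beyond what the hunks above show.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for ipt_entry and xt_entry_target. These are not
 * the kernel's layouts, only the same shape: a fixed header holding two
 * offsets, then variable-length data that ends in a target record. */
struct demo_entry {
	uint32_t selector[4];    /* plays the role of struct ipt_ip */
	uint16_t target_offset;  /* entry start -> target record */
	uint16_t next_offset;    /* entry start -> next entry */
	unsigned char elems[];   /* matches, then the target */
};

struct demo_target {
	uint16_t target_size;    /* whole target record, header included */
	char name[30];
};

#define DEMO_HDR offsetof(struct demo_entry, elems)

/* Checks on the target record. The first mirrors the test that predates
 * the patch; the two target_size checks are additions for this example. */
static int demo_check_target(const char *e, unsigned int target_offset,
			     unsigned int next_offset)
{
	struct demo_target t;

	if (target_offset + sizeof(t) > next_offset)
		return -EINVAL;
	memcpy(&t, e + target_offset, sizeof(t)); /* no alignment assumption */
	if (t.target_size < sizeof(t))
		return -EINVAL;
	if (target_offset + t.target_size > next_offset)
		return -EINVAL;
	return 0;
}

/* Before: only the upper bound of the target is tested. */
int demo_check_old(const void *base, unsigned int target_offset,
		   unsigned int next_offset)
{
	return demo_check_target(base, target_offset, next_offset);
}

/* After: the target must also start at or beyond the fixed header, whose
 * size is derived from the elems pointer as in the patch. */
int demo_check_new(const void *base, const char *elems,
		   unsigned int target_offset, unsigned int next_offset)
{
	long size_of_base_struct = elems - (const char *)base;

	if (size_of_base_struct < 0 ||
	    target_offset < (unsigned long)size_of_base_struct)
		return -EINVAL;
	return demo_check_target(base, target_offset, next_offset);
}

/* Build one constructed entry and return the verdict of the chosen check.
 * The precondition that base..base+next_offset is accessible is enforced
 * here against the local buffer. */
int demo_run(int use_new, uint16_t target_offset, uint16_t next_offset,
	     uint16_t target_size)
{
	unsigned char buf[128];
	struct demo_target t;

	if (next_offset > sizeof(buf) ||
	    target_offset + sizeof(t) > sizeof(buf))
		return -ERANGE;
	memset(buf, 0, sizeof(buf));
	memset(&t, 0, sizeof(t));
	t.target_size = target_size;
	strcpy(t.name, "DEMO");
	memcpy(buf + target_offset, &t, sizeof(t));
	/* header fields are written last: the header is what gets parsed */
	memcpy(buf + offsetof(struct demo_entry, target_offset),
	       &target_offset, sizeof(target_offset));
	memcpy(buf + offsetof(struct demo_entry, next_offset),
	       &next_offset, sizeof(next_offset));

	if (use_new)
		return demo_check_new(buf, (const char *)buf + DEMO_HDR,
				      target_offset, next_offset);
	return demo_check_old(buf, target_offset, next_offset);
}

int main(void)
{
	/* target_offset 4 places the target on top of the entry header */
	printf("target inside header: old=%d new=%d\n",
	       demo_run(0, 4, 52, 32), demo_run(1, 4, 52, 32));
	return 0;
}
```
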
* [PATCH 3.16 233/305] iio:ad7266: Fix support for optional regulators
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Mark Brown, Jonathan Cameron

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mark Brown <broonie@kernel.org>

commit e5511c816e5ac4909bdd38e85ac344e2b9b8e984 upstream.

The ad7266 driver attempts to support deciding between the use of internal
and external power supplies by checking to see if an error is returned when
requesting the regulator. This doesn't work with the current code since the
driver uses a normal regulator_get() which is for non-optional supplies
and so assumes that if a regulator is not provided by the platform then
this is a bug in the platform integration and so substitutes a dummy
regulator. Use regulator_get_optional() instead which indicates to the
framework that the regulator may be absent and provides a dummy regulator
instead.

Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/iio/adc/ad7266.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/ad7266.c
+++ b/drivers/iio/adc/ad7266.c
@@ -396,7 +396,7 @@ static int ad7266_probe(struct spi_devic
 
 	st = iio_priv(indio_dev);
 
-	st->reg = devm_regulator_get(&spi->dev, "vref");
+	st->reg = devm_regulator_get_optional(&spi->dev, "vref");
 	if (!IS_ERR(st->reg)) {
 		ret = regulator_enable(st->reg);
 		if (ret)
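
Review bot: With devm_regulator_get_optional() the "if (!IS_ERR(st->reg))" test now sees real error pointers, and as written every error is treated as "no external reference". Only the regulator-present branch is visible in this hunk, so please confirm that the other branch distinguishes the supply simply being absent from errors such as probe deferral, and returns the latter instead of silently falling back to the internal reference.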

* [PATCH 3.16 071/305] perf tools: Fix perf regs mask generation
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Michael Ellerman, Naveen N. Rao, Arnaldo Carvalho de Melo

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>

commit f47822078dece7189cad0a5f472f148e5e916736 upstream.

On some architectures (powerpc in particular), the number of registers
exceeds what can be represented in an integer bitmask. Ensure we
generate the proper bitmask on such platforms.

Fixes: 71ad0f5e4 ("perf tools: Support for DWARF CFI unwinding on post processing")
Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 tools/perf/util/perf_regs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/tools/perf/util/perf_regs.c
+++ b/tools/perf/util/perf_regs.c
@@ -7,18 +7,18 @@ int perf_reg_value(u64 *valp, struct reg
 	int i, idx = 0;
 	u64 mask = regs->mask;
 
-	if (regs->cache_mask & (1 << id))
+	if (regs->cache_mask & (1ULL << id))
 		goto out;
 
-	if (!(mask & (1 << id)))
+	if (!(mask & (1ULL << id)))
 		return -EINVAL;
 
 	for (i = 0; i < id; i++) {
-		if (mask & (1 << i))
+		if (mask & (1ULL << i))
 			idx++;
 	}
 
-	regs->cache_mask |= (1 << id);
+	regs->cache_mask |= (1ULL << id);
 	regs->cache_regs[id] = regs->regs[idx];
 
 out:
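
Review bot: Widening the constant to 1ULL fixes ids 32 to 63, but nothing in this hunk bounds id before it is used as a shift count and as the index in regs->cache_regs[id]. A shift by 64 or more is still undefined, so a range check on id at the top of the function (returning -EINVAL, as the mask test already does) would make the helper safe for any register number a caller passes in.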

* [PATCH 3.16 114/305] sunrpc: fix stripping of padded MIC tokens
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Tomáš Trnka, J. Bruce Fields, Jeff Layton

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Tomáš Trnka <ttrnka@mail.muni.cz>

commit c0cb8bf3a8e4bd82e640862cdd8891400405cb89 upstream.

The length of the GSS MIC token need not be a multiple of four bytes.
It is then padded by XDR to a multiple of 4 B, but unwrap_integ_data()
would previously only trim mic.len + 4 B. The remaining up to three
bytes would then trigger a check in nfs4svc_decode_compoundargs(),
leading to a "garbage args" error and mount failure:

nfs4svc_decode_compoundargs: compound not properly padded!
nfsd: failed to decode arguments!

This would prevent older clients using the pre-RFC 4121 MIC format
(37-byte MIC including a 9-byte OID) from mounting exports from v3.9+
servers using krb5i.

The trimming was introduced by commit 4c190e2f913f ("sunrpc: trim off
trailing checksum before returning decrypted or integrity authenticated
buffer").

Fixes: 4c190e2f913f "sunrpc: trim off trailing checksum..."
Signed-off-by: Tomáš Trnka <ttrnka@mail.muni.cz>
Acked-by: Jeff Layton <jlayton@poochiereds.net>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sunrpc/auth_gss/svcauth_gss.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -855,8 +855,8 @@ unwrap_integ_data(struct svc_rqst *rqstp
 		goto out;
 	if (svc_getnl(&buf->head[0]) != seq)
 		goto out;
-	/* trim off the mic at the end before returning */
-	xdr_buf_trim(buf, mic.len + 4);
+	/* trim off the mic and padding at the end before returning */
+	xdr_buf_trim(buf, round_up_to_quad(mic.len) + 4);
 	stat = 0;
 out:
 	kfree(mic.data);
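
Review bot: The updated comment on the xdr_buf_trim() line explains the padding but not the remaining "+ 4". Going by the commit message the 4 is presumably the length word in front of the MIC; saying so in the comment would save the next reader from re-deriving it. Since mic.len is taken from the request, the amount trimmed is peer-controlled, so it is also worth confirming that it has been bounded against the buffer length before this point.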

* [PATCH 3.16 193/305] net_sched: fix pfifo_head_drop behavior vs backlog
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, WANG Cong, David S. Miller, Jamal Hadi Salim, Eric Dumazet

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>

commit 6c0d54f1897d229748d4f41ef919078db6db2123 upstream.

When the qdisc is full, we drop a packet at the head of the queue,
queue the current skb and return NET_XMIT_CN.

Now we track backlog on upper qdiscs, we need to call
qdisc_tree_reduce_backlog(), even if the qlen did not change.

Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: WANG Cong <xiyou.wangcong@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/sched/sch_fifo.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/sched/sch_fifo.c
+++ b/net/sched/sch_fifo.c
@@ -37,14 +37,18 @@ static int pfifo_enqueue(struct sk_buff
 
 static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
+	unsigned int prev_backlog;
+
 	if (likely(skb_queue_len(&sch->q) < sch->limit))
 		return qdisc_enqueue_tail(skb, sch);
 
+	prev_backlog = sch->qstats.backlog;
 	/* queue full, remove one skb to fulfill the limit */
 	__qdisc_queue_drop_head(sch, &sch->q);
 	sch->qstats.drops++;
 	qdisc_enqueue_tail(skb, sch);
 
+	qdisc_tree_reduce_backlog(sch, 0, prev_backlog - sch->qstats.backlog);
 	return NET_XMIT_CN;
 }
 
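Review bot: The third argument to qdisc_tree_reduce_backlog(), prev_backlog - sch->qstats.backlog, is computed from an unsigned int, and the skb just queued can be larger than the one dropped from the head, in which case the backlog grew and the difference wraps. If the callee relies on modular arithmetic that is fine, but it is not obvious at this call site; a short comment that the delta may be "negative" by design would help. The 0 passed as the packet-count delta could be explained in the same comment, since one packet was dropped and one queued.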

* [PATCH 3.16 025/305] ext4: fix data exposure after a crash
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Theodore Ts'o, HUANG Weller (CM/ESW12-CN), Jan Kara

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 06bd3c36a733ac27962fea7d6f47168841376824 upstream.

Huang has reported that in his powerfail testing he is seeing stale
block contents in some of recently allocated blocks although he mounts
ext4 in data=ordered mode. After some investigation I have found out
that indeed when delayed allocation is used, we don't add inode to
transaction's list of inodes needing flushing before commit. Originally
we were doing that but commit f3b59291a69d removed the logic with a
flawed argument that it is not needed.

The problem is that although for delayed allocated blocks we write their
contents immediately after allocating them, there is no guarantee that
the IO scheduler or device doesn't reorder things and thus transaction
allocating blocks and attaching them to inode can reach stable storage
before actual block contents. Actually whenever we attach freshly
allocated blocks to inode using a written extent, we should add inode to
transaction's ordered inode list to make sure we properly wait for block
contents to be written before committing the transaction. So that is
what we do in this patch. This also handles other cases where stale data
exposure was possible - like filling hole via mmap in
data=ordered,nodelalloc mode.

The only exception to the above rule are extending direct IO writes where
blkdev_direct_IO() waits for IO to complete before increasing i_size and
thus stale data exposure is not possible. For now we don't complicate
the code with optimizing this special case since the overhead is pretty
low. In case this is observed to be a performance problem we can always
handle it using a special flag to ext4_map_blocks().

Fixes: f3b59291a69d0b734be1fc8be489fef2dd846d3d
Reported-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Tested-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16:
 - Drop check for EXT4_GET_BLOCKS_ZERO flag
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -708,6 +708,20 @@ has_zeroout:
 		ret = check_block_validity(inode, map);
 		if (ret != 0)
 			return ret;
+
+		/*
+		 * Inodes with freshly allocated blocks where contents will be
+		 * visible after transaction commit must be on transaction's
+		 * ordered data list.
+		 */
+		if (map->m_flags & EXT4_MAP_NEW &&
+		    !(map->m_flags & EXT4_MAP_UNWRITTEN) &&
+		    !IS_NOQUOTA(inode) &&
+		    ext4_should_order_data(inode)) {
+			ret = ext4_jbd2_file_inode(handle, inode);
+			if (ret)
+				return ret;
+		}
 	}
 	return retval;
 }
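
Review bot: The new condition opens with "map->m_flags & EXT4_MAP_NEW &&", which is correct only because & binds tighter than &&; the second flag test is parenthesised and the first is not, so please parenthesise both. The comment explains why freshly allocated written blocks need the inode on the ordered list but not why IS_NOQUOTA() inodes are skipped; a clause on that would make the condition reviewable on its own.
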
@@ -1101,15 +1115,6 @@ static int ext4_write_end(struct file *f
 	int i_size_changed = 0;
 
 	trace_ext4_write_end(inode, pos, len, copied);
-	if (ext4_test_inode_state(inode, EXT4_STATE_ORDERED_MODE)) {
-		ret = ext4_jbd2_file_inode(handle, inode);
-		if (ret) {
-			unlock_page(page);
-			page_cache_release(page);
-			goto errout;
-		}
-	}
-
 	if (ext4_has_inline_data(inode)) {
 		ret = ext4_write_inline_data_end(inode, pos, len,
 						 copied, page);
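
Review bot: The block removed from ext4_write_end() was conditional on ext4_test_inode_state(inode, EXT4_STATE_ORDERED_MODE), while the replacement added in the first hunk tests ext4_should_order_data(inode). The commit message does not say whether the two predicates are equivalent for the buffered write path; a sentence on that, or on why the difference does not matter, would make the move easier to verify.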

* [PATCH 3.16 263/305] net/mlx5: Add timeout handle to commands with callback
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mohamad Haj Yahia, Saeed Mahameed, David S. Miller

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mohamad Haj Yahia <mohamad@mellanox.com>

commit 65ee67084589c1783a74b4a4a5db38d7264ec8b5 upstream.

The current implementation does not handle timeout in case of command
with callback request, and this can lead to deadlock if the command
doesn't get fw response.
Add delayed callback timeout work before posting the command to fw.
In case of real fw command completion we will cancel the delayed work.
In case of fw command timeout the callback timeout handler will be
called and it will simulate fw completion with timeout error.

Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Mohamad Haj Yahia <mohamad@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 38 ++++++++++++++++++++++-----
 include/linux/mlx5/driver.h                   |  1 +
 2 files changed, 32 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
@@ -509,11 +509,36 @@ static void dump_command(struct mlx5_cor
 		pr_debug("\n");
 }
 
+static u16 msg_to_opcode(struct mlx5_cmd_msg *in)
+{
+	struct mlx5_inbox_hdr *hdr = (struct mlx5_inbox_hdr *)(in->first.data);
+
+	return be16_to_cpu(hdr->opcode);
+}
+
+static void cb_timeout_handler(struct work_struct *work)
+{
+	struct delayed_work *dwork = container_of(work, struct delayed_work,
+						  work);
+	struct mlx5_cmd_work_ent *ent = container_of(dwork,
+						     struct mlx5_cmd_work_ent,
+						     cb_timeout_work);
+	struct mlx5_core_dev *dev = container_of(ent->cmd, struct mlx5_core_dev,
+						 cmd);
+
+	ent->ret = -ETIMEDOUT;
+	mlx5_core_warn(dev, "%s(0x%x) timeout. Will cause a leak of a command resource\n",
+		       mlx5_command_str(msg_to_opcode(ent->in)),
+		       msg_to_opcode(ent->in));
+	mlx5_cmd_comp_handler(dev, 1UL << ent->idx);
+}
+
 static void cmd_work_handler(struct work_struct *work)
 {
 	struct mlx5_cmd_work_ent *ent = container_of(work, struct mlx5_cmd_work_ent, work);
 	struct mlx5_cmd *cmd = ent->cmd;
 	struct mlx5_core_dev *dev = container_of(cmd, struct mlx5_core_dev, cmd);
+	unsigned long cb_timeout = msecs_to_jiffies(MLX5_CMD_TIMEOUT_MSEC);
 	struct mlx5_cmd_layout *lay;
 	struct semaphore *sem;
 
@@ -550,6 +575,9 @@ static void cmd_work_handler(struct work
 	dump_command(dev, ent, 1);
 	ktime_get_ts(&ent->ts1);
 
+	if (ent->callback)
+		schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
+
 	/* ring doorbell after the descriptor is valid */
 	wmb();
 	iowrite32be(1 << ent->idx, &dev->iseg->cmd_dbell);
@@ -593,13 +621,6 @@ static const char *deliv_status_to_str(u
 	}
 }
 
-static u16 msg_to_opcode(struct mlx5_cmd_msg *in)
-{
-	struct mlx5_inbox_hdr *hdr = (struct mlx5_inbox_hdr *)(in->first.data);
-
-	return be16_to_cpu(hdr->opcode);
-}
-
 static int wait_func(struct mlx5_core_dev *dev, struct mlx5_cmd_work_ent *ent)
 {
 	unsigned long timeout = msecs_to_jiffies(MLX5_CMD_TIMEOUT_MSEC);
@@ -654,6 +675,7 @@ static int mlx5_cmd_invoke(struct mlx5_c
 	if (!callback)
 		init_completion(&ent->done);
 
+	INIT_DELAYED_WORK(&ent->cb_timeout_work, cb_timeout_handler);
 	INIT_WORK(&ent->work, cmd_work_handler);
 	if (page_queue) {
 		cmd_work_handler(&ent->work);
@@ -1132,6 +1154,8 @@ void mlx5_cmd_comp_handler(struct mlx5_c
 			struct semaphore *sem;
 
 			ent = cmd->ent_arr[i];
+			if (ent->callback)
+				cancel_delayed_work(&ent->cb_timeout_work);
 			if (ent->page_queue)
 				sem = &cmd->pages_sem;
 			else
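
Review bot: cancel_delayed_work() in mlx5_cmd_comp_handler() does not wait for a cb_timeout_handler() that is already running, and the timeout handler itself calls mlx5_cmd_comp_handler() for the same ent->idx. If a firmware completion arrives while the timeout work is executing, both paths can process the same entry. Please either document why that cannot happen or make the two completion paths mutually exclusive for a callback entry.
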
--- a/include/linux/mlx5/driver.h
+++ b/include/linux/mlx5/driver.h
@@ -594,6 +594,7 @@ struct mlx5_cmd_work_ent {
 	void		       *uout;
 	int			uout_size;
 	mlx5_cmd_cbk_t		callback;
+	struct delayed_work	cb_timeout_work;
 	void		       *context;
 	int			idx;
 	struct completion	done;

* [PATCH 3.16 140/305] ARM: fix PTRACE_SETVFPREGS on SMP systems
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Will Deacon, Simon Marchi, Russell King

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@armlinux.org.uk>

commit e2dfb4b880146bfd4b6aa8e138c0205407cebbaf upstream.

PTRACE_SETVFPREGS fails to properly mark the VFP register set to be
reloaded, because it undoes one of the effects of vfp_flush_hwstate().

Specifically vfp_flush_hwstate() sets thread->vfpstate.hard.cpu to
an invalid CPU number, but vfp_set() overwrites this with the original
CPU number, thereby rendering the hardware state as apparently "valid",
even though the software state is more recent.

Fix this by reverting the previous change.

Fixes: 8130b9d7b9d8 ("ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers")
Acked-by: Will Deacon <will.deacon@arm.com>
Tested-by: Simon Marchi <simon.marchi@ericsson.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kernel/ptrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -733,8 +733,8 @@ static int vfp_set(struct task_struct *t
 	if (ret)
 		return ret;
 
-	vfp_flush_hwstate(thread);
 	thread->vfpstate.hard = new_vfp;
+	vfp_flush_hwstate(thread);
 
 	return 0;
 }
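
Review bot: The fix is purely the order of the two statements in vfp_set(), and nothing in the code records why vfp_flush_hwstate(thread) has to come after the assignment to thread->vfpstate.hard. A comment saying that the struct copy overwrites the cpu field which vfp_flush_hwstate() invalidates would keep a later cleanup from swapping them back.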

* [PATCH 3.16 271/305] ecryptfs: don't allow mmap when the lower fs doesn't support it
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jeff Mahoney, Tyler Hicks

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jeff Mahoney <jeffm@suse.com>

commit f0fe970df3838c202ef6c07a4c2b36838ef0a88b upstream.

There are legitimate reasons to disallow mmap on certain files, notably
in sysfs or procfs.  We shouldn't emulate mmap support on file systems
that don't offer support natively.

CVE-2016-1583

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ecryptfs/file.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

--- a/fs/ecryptfs/file.c
+++ b/fs/ecryptfs/file.c
@@ -177,6 +177,19 @@ out:
 	return rc;
 }
 
+static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma)
+{
+	struct file *lower_file = ecryptfs_file_to_lower(file);
+	/*
+	 * Don't allow mmap on top of file systems that don't support it
+	 * natively.  If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs
+	 * allows recursive mounting, this will need to be extended.
+	 */
+	if (!lower_file->f_op->mmap)
+		return -ENODEV;
+	return generic_file_mmap(file, vma);
+}
+
 /**
  * ecryptfs_open
  * @inode: inode speciying file to open
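
Review bot: In ecryptfs_mmap() the comment records that the f_op->mmap test is sufficient only while FILESYSTEM_MAX_STACK_DEPTH is at most 2 and eCryptfs cannot be mounted recursively, but nothing enforces that. A build-time check tied to that constant next to this function would turn the assumption into something that fails loudly when the limit is raised. As a style point, the declaration of lower_file runs straight into the block comment; a blank line after it matches usual kernel style.
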
@@ -374,7 +387,7 @@ const struct file_operations ecryptfs_ma
 #ifdef CONFIG_COMPAT
 	.compat_ioctl = ecryptfs_compat_ioctl,
 #endif
-	.mmap = generic_file_mmap,
+	.mmap = ecryptfs_mmap,
 	.open = ecryptfs_open,
 	.flush = ecryptfs_flush,
 	.release = ecryptfs_release,

* [PATCH 3.16 255/305] batman-adv: Fix ICMP RR ethernet access after skb_linearize
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, David S. Miller, Sven Eckelmann, Marek Lindner

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@narfation.org>

commit 3b55e4422087f9f7b241031d758a0c65584e4297 upstream.

The skb_linearize may reallocate the skb. This makes the calculated pointer
for ethhdr invalid. But the pointer is used later to fill in the RR
field of the batadv_icmp_packet_rr packet.

Instead re-evaluate eth_hdr after the skb_linearize+skb_cow to fix the
pointer and avoid the invalid read.

Fixes: da6b8c20a5b8 ("batman-adv: generalize batman-adv icmp packet handling")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/routing.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -344,6 +344,7 @@ int batadv_recv_icmp_packet(struct sk_bu
 		if (skb_cow(skb, ETH_HLEN) < 0)
 			goto out;
 
+		ethhdr = eth_hdr(skb);
 		icmph = (struct batadv_icmp_header *)skb->data;
 		icmp_packet_rr = (struct batadv_icmp_packet_rr *)icmph;
 		if (icmp_packet_rr->rr_cur >= BATADV_RR_LEN)
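
Review bot: ethhdr is refreshed after skb_cow() and icmph is re-derived from skb->data on the next line, but there is no comment saying that the preceding calls can reallocate the skb head. A one-line comment above the new assignment, plus a check that no other pointer computed before this block is used after it, would make the invariant explicit for the next change in this function.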

* [PATCH 3.16 093/305] fs/cifs: correctly to anonymous authentication for the LANMAN authentication
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Stefan Metzmacher, Steve French

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Metzmacher <metze@samba.org>

commit fa8f3a354bb775ec586e4475bcb07f7dece97e0c upstream.

Only servers which map unknown users to guest will allow
access using a non-null LMChallengeResponse.

For Samba it's the "map to guest = bad user" option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11913

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -632,22 +632,24 @@ ssetup_ntlmssp_authenticate:
 
 		pSMB->req.hdr.Flags2 &= ~SMBFLG2_UNICODE;
 
-		/* no capabilities flags in old lanman negotiation */
-
-		pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
-
-		/* Calculate hash with password and copy into bcc_ptr.
-		 * Encryption Key (stored as in cryptkey) gets used if the
-		 * security mode bit in Negottiate Protocol response states
-		 * to use challenge/response method (i.e. Password bit is 1).
-		 */
-
-		rc = calc_lanman_hash(ses->password, ses->server->cryptkey,
-				 ses->server->sec_mode & SECMODE_PW_ENCRYPT ?
-					true : false, lnm_session_key);
-
-		memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
-		bcc_ptr += CIFS_AUTH_RESP_SIZE;
+		if (ses->user_name != NULL) {
+			/* no capabilities flags in old lanman negotiation */
+			pSMB->old_req.PasswordLength = cpu_to_le16(CIFS_AUTH_RESP_SIZE);
+
+			/* Calculate hash with password and copy into bcc_ptr.
+			 * Encryption Key (stored as in cryptkey) gets used if the
+			 * security mode bit in Negottiate Protocol response states
+			 * to use challenge/response method (i.e. Password bit is 1).
+			 */
+			rc = calc_lanman_hash(ses->password, ses->server->cryptkey,
+					      ses->server->sec_mode & SECMODE_PW_ENCRYPT ?
+					      true : false, lnm_session_key);
+
+			memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE);
+			bcc_ptr += CIFS_AUTH_RESP_SIZE;
+		} else {
+			pSMB->old_req.PasswordLength = 0;
+		}
 
 		/* can not sign if LANMAN negotiated so no need
 		to calculate signing key? but what if server
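Review bot: inside the new `if (ses->user_name != NULL)` branch, `rc` from calc_lanman_hash() is still not tested before `memcpy(bcc_ptr, (char *)lnm_session_key, CIFS_AUTH_RESP_SIZE)`, so in the lines shown a failed hash calculation would still copy whatever lnm_session_key holds into the request. Since the block is being reindented anyway, a check of `rc` that bails out through the function's error path belongs between the two statements. The else branch would also benefit from a short comment saying that a zero PasswordLength is what makes this an anonymous session setup.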

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 072/305] rtlwifi: Fix logic error in enter/exit power-save mode
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (151 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 100/305] batman-adv: Fix unexpected free of bcast_own on add_if error Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 239/305] ALSA: echoaudio: Fix memory allocation Ben Hutchings
                   ` (152 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, wang yanqing, Kalle Valo, Larry Finger

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: wang yanqing <udknight@gmail.com>

commit 873ffe154ae074c46ed2d72dbd9a2a99f06f55b4 upstream.

In commit a269913c52ad ("rtlwifi: Rework rtl_lps_leave() and
rtl_lps_enter() to use work queue"), the tests for enter/exit
power-save mode were inverted. With this change applied, the
wifi connection becomes much more stable.

Fixes: a269913c52ad ("rtlwifi: Rework rtl_lps_leave() and rtl_lps_enter() to use work queue")
Signed-off-by: Wang YanQing <udknight@gmail.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16:
 - We only set a flag here to be used later, but it was also set the wrong way
 - Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/net/wireless/rtlwifi/base.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/rtlwifi/base.c
+++ b/drivers/net/wireless/rtlwifi/base.c
@@ -1401,9 +1401,9 @@ void rtl_watchdog_wq_callback(void *data
 		if (((rtlpriv->link_info.num_rx_inperiod +
 		      rtlpriv->link_info.num_tx_inperiod) > 8) ||
 		    (rtlpriv->link_info.num_rx_inperiod > 2))
-			rtlpriv->enter_ps = true;
-		else
 			rtlpriv->enter_ps = false;
+		else
+			rtlpriv->enter_ps = true;
 
 		/* LeisurePS only work in infra mode. */
 		schedule_work(&rtlpriv->works.lps_change_work);
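Review bot: the two assignments to `rtlpriv->enter_ps` have already been inverted once, and nothing in the hunk states which polarity is intended. A comment on the condition (traffic above the thresholds means the link is busy, so power save must not be entered) would help, or the branch could collapse into a single assignment from a named boolean such as `busy`, so that the polarity is written down in one place.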

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 294/305] netfilter: x_tables: check standard target size too
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (97 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 168/305] usb: f_fs: off by one bug in _ffs_func_bind() Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 229/305] fs/nilfs2: fix potential underflow in call to crc32_le Ben Hutchings
                   ` (206 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Florian Westphal, Pablo Neira Ayuso

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44 upstream.

We have targets and standard targets -- the latter carries a verdict.

The ip/ip6tables validation functions will access t->verdict for the
standard targets to fetch the jump offset or verdict for chainloop
detection, but this happens before the targets get checked/validated.

Thus we also need to check for verdict presence here, else t->verdict
can point right after a blob.

Spotted with UBSAN while testing malformed blobs.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/netfilter/x_tables.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -559,6 +559,13 @@ int xt_compat_match_to_user(const struct
 }
 EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
 
+/* non-compat version may have padding after verdict */
+struct compat_xt_standard_target {
+	struct compat_xt_entry_target t;
+	compat_uint_t verdict;
+};
+
+/* see xt_check_entry_offsets */
 int xt_compat_check_entry_offsets(const void *base,
 				  unsigned int target_offset,
 				  unsigned int next_offset)
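Review bot: the comment on `struct compat_xt_standard_target` only says that the non-compat version may have padding after the verdict; it should also say that the struct exists so the compat check can compare against the exact compat size. The `/* see xt_check_entry_offsets */` pointer refers to a function that has no description anywhere in this patch, so documenting the offset rules once at xt_check_entry_offsets() would make that reference useful.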
@@ -576,6 +583,10 @@ int xt_compat_check_entry_offsets(const
 	if (target_offset + t->u.target_size > next_offset)
 		return -EINVAL;
 
+	if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
+	    target_offset + sizeof(struct compat_xt_standard_target) != next_offset)
+		return -EINVAL;
+
 	return 0;
 }
 EXPORT_SYMBOL(xt_compat_check_entry_offsets);
@@ -615,6 +626,10 @@ int xt_check_entry_offsets(const void *b
 	if (target_offset + t->u.target_size > next_offset)
 		return -EINVAL;
 
+	if (strcmp(t->u.user.name, XT_STANDARD_TARGET) == 0 &&
+	    target_offset + sizeof(struct xt_standard_target) != next_offset)
+		return -EINVAL;
+
 	return 0;
 }
 EXPORT_SYMBOL(xt_check_entry_offsets);
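Review bot: the new test in xt_check_entry_offsets() uses `!=` where the check directly above it uses `>`, so a standard target must now end exactly at `next_offset`, padding included. That is stricter than a bounds check and deserves a comment stating why an exact match is required, since the commit message only talks about t->verdict pointing past the blob.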

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 064/305] ata: sata_dwc_460ex: remove incorrect locking
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (300 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 236/305] KVM: arm/arm64: Stop leaking vcpu pid references Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 127/305] Input: pwm-beeper - fix - scheduling while atomic Ben Hutchings
                   ` (3 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Christian Lamparter, Mans Rullgard, Tejun Heo

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mans Rullgard <mans@mansr.com>

commit 55e610cdd28c0ad3dce0652030c0296d549673f3 upstream.

This lock is already taken in ata_scsi_queuecmd() a few levels up the
call stack so attempting to take it here is an error.  Moreover, it is
pointless in the first place since it only protects a single, atomic
assignment.

Enabling lock debugging gives the following output:

=============================================
[ INFO: possible recursive locking detected ]
4.4.0-rc5+ #189 Not tainted
---------------------------------------------
kworker/u2:3/37 is trying to acquire lock:
 (&(&host->lock)->rlock){-.-...}, at: [<90283294>] sata_dwc_exec_command_by_tag.constprop.14+0x44/0x8c

but task is already holding lock:
 (&(&host->lock)->rlock){-.-...}, at: [<902761ac>] ata_scsi_queuecmd+0x2c/0x330

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&host->lock)->rlock);
  lock(&(&host->lock)->rlock);

 *** DEADLOCK ***
 May be due to missing lock nesting notation

4 locks held by kworker/u2:3/37:
 #0:  ("events_unbound"){.+.+.+}, at: [<9003a0a4>] process_one_work+0x12c/0x430
 #1:  ((&entry->work)){+.+.+.}, at: [<9003a0a4>] process_one_work+0x12c/0x430
 #2:  (&bdev->bd_mutex){+.+.+.}, at: [<9011fd54>] __blkdev_get+0x50/0x380
 #3:  (&(&host->lock)->rlock){-.-...}, at: [<902761ac>] ata_scsi_queuecmd+0x2c/0x330

stack backtrace:
CPU: 0 PID: 37 Comm: kworker/u2:3 Not tainted 4.4.0-rc5+ #189
Workqueue: events_unbound async_run_entry_fn
Stack : 90b38e30 00000021 00000003 9b2a6040 00000000 9005f3f0 904fc8dc 00000025
        906b96e4 00000000 90528648 9b3336c4 904fc8dc 9009bf18 00000002 00000004
        00000000 00000000 9b3336c4 9b3336e4 904fc8dc 9003d074 00000000 90500000
        9005e738 00000000 00000000 00000000 00000000 00000000 00000000 00000000
        6e657665 755f7374 756f626e 0000646e 00000000 00000000 9b00ca00 9b025000
          ...
Call Trace:
[<90009d6c>] show_stack+0x88/0xa4
[<90057744>] __lock_acquire+0x1ce8/0x2154
[<900583e4>] lock_acquire+0x64/0x8c
[<9045ff10>] _raw_spin_lock_irqsave+0x54/0x78
[<90283294>] sata_dwc_exec_command_by_tag.constprop.14+0x44/0x8c
[<90283484>] sata_dwc_qc_issue+0x1a8/0x24c
[<9026b39c>] ata_qc_issue+0x1f0/0x410
[<90273c6c>] ata_scsi_translate+0xb4/0x200
[<90276234>] ata_scsi_queuecmd+0xb4/0x330
[<9025800c>] scsi_dispatch_cmd+0xd0/0x128
[<90259934>] scsi_request_fn+0x58c/0x638
[<901a3e50>] __blk_run_queue+0x40/0x5c
[<901a83d4>] blk_queue_bio+0x27c/0x28c
[<901a5914>] generic_make_request+0xf0/0x188
[<901a5a54>] submit_bio+0xa8/0x194
[<9011adcc>] submit_bh_wbc.isra.23+0x15c/0x17c
[<9011c908>] block_read_full_page+0x3e4/0x428
[<9009e2e0>] do_read_cache_page+0xac/0x210
[<9009fd90>] read_cache_page+0x18/0x24
[<901bbd18>] read_dev_sector+0x38/0xb0
[<901bd174>] msdos_partition+0xb4/0x5c0
[<901bcb8c>] check_partition+0x140/0x274
[<901bba60>] rescan_partitions+0xa0/0x2b0
[<9011ff68>] __blkdev_get+0x264/0x380
[<901201ac>] blkdev_get+0x128/0x36c
[<901b9378>] add_disk+0x3c0/0x4bc
[<90268268>] sd_probe_async+0x100/0x224
[<90043a44>] async_run_entry_fn+0x50/0x124
[<9003a11c>] process_one_work+0x1a4/0x430
[<9003a4f4>] worker_thread+0x14c/0x4fc
[<900408f4>] kthread+0xd0/0xe8
[<90004338>] ret_from_kernel_thread+0x14/0x1c

Fixes: 62936009f35a ("[libata] Add 460EX on-chip SATA driver, sata_dwc_460ex")
Tested-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: Mans Rullgard <mans@mansr.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/ata/sata_dwc_460ex.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/ata/sata_dwc_460ex.c
+++ b/drivers/ata/sata_dwc_460ex.c
@@ -1392,15 +1392,13 @@ static void sata_dwc_exec_command_by_tag
 					 struct ata_taskfile *tf,
 					 u8 tag, u32 cmd_issued)
 {
-	unsigned long flags;
 	struct sata_dwc_device_port *hsdevp = HSDEVP_FROM_AP(ap);
 
 	dev_dbg(ap->dev, "%s cmd(0x%02x): %s tag=%d\n", __func__, tf->command,
 		ata_get_cmd_descript(tf->command), tag);
 
-	spin_lock_irqsave(&ap->host->lock, flags);
 	hsdevp->cmd_issued[tag] = cmd_issued;
-	spin_unlock_irqrestore(&ap->host->lock, flags);
+
 	/*
 	 * Clear SError before executing a new command.
 	 * sata_dwc_scr_write and read can not be used here. Clearing the PM
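Review bot: with the spin_lock_irqsave()/spin_unlock_irqrestore() pair removed, nothing in sata_dwc_exec_command_by_tag() records that it runs with `ap->host->lock` already held, which is the basis of the change. If every caller does hold it, a `lockdep_assert_held(&ap->host->lock);` at the top of the function, or at least a comment, would document that and catch a future caller that does not.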

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 245/305] mac80211: Fix mesh estab_plinks counting in STA removal case
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (102 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 177/305] usb: musb: Ensure rx reinit occurs for shared_fifo endpoints Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 097/305] sunrpc: Update RPCBIND_MAXNETIDLEN Ben Hutchings
                   ` (201 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Jouni Malinen, Johannes Berg

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jouni Malinen <j@w1.fi>

commit 126e7557328a1cd576be4fca95b133a2695283ff upstream.

If a user space program (e.g., wpa_supplicant) deletes a STA entry that
is currently in NL80211_PLINK_ESTAB state, the number of established
plinks counter was not decremented and this could result in rejecting
new plink establishment before really hitting the real maximum plink
limit. For !user_mpm case, this decrementation is handled by
mesh_plink_deactivate().

Fix this by decrementing estab_plinks on STA deletion
(mesh_sta_cleanup() gets called from there) so that the counter has a
correct value and the Beacon frame advertisement in Mesh Configuration
element shows the proper value for capability to accept additional
peers.

Signed-off-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
[bwh: Backported to 3.16: plink_state field is in struct sta_info]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/mac80211/mesh.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -148,14 +148,17 @@ u32 mesh_accept_plinks_update(struct iee
 void mesh_sta_cleanup(struct sta_info *sta)
 {
 	struct ieee80211_sub_if_data *sdata = sta->sdata;
-	u32 changed;
+	u32 changed = 0;
 
 	/*
 	 * maybe userspace handles peer allocation and peering, but in either
 	 * case the beacon is still generated by the kernel and we might need
 	 * an update.
 	 */
-	changed = mesh_accept_plinks_update(sdata);
+	if (sdata->u.mesh.user_mpm &&
+	    sta->plink_state == NL80211_PLINK_ESTAB)
+		changed |= mesh_plink_dec_estab_count(sdata);
+	changed |= mesh_accept_plinks_update(sdata);
 	if (!sdata->u.mesh.user_mpm) {
 		changed |= mesh_plink_deactivate(sta);
 		del_timer_sync(&sta->plink_timer);
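Review bot: the existing comment above the new `if (sdata->u.mesh.user_mpm && sta->plink_state == NL80211_PLINK_ESTAB)` only explains the beacon update, not why the established-plink count is decremented here for the user_mpm case, and the code now depends on the decrement happening before mesh_accept_plinks_update(). A sentence covering both points would help, and would also explain why user_mpm is tested twice in a row instead of in an if/else.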

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 191/305] net_sched: update hierarchical backlog too
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (110 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 169/305] usb: gadget: fix spinlock dead lock in gadgetfs Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 273/305] ALSA: compress: fix an integer overflow check Ben Hutchings
                   ` (193 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, WANG Cong, David S. Miller, Jamal Hadi Salim

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: WANG Cong <xiyou.wangcong@gmail.com>

commit 2ccccf5fb43ff62b2b96cc58d95fc0b3596516e4 upstream.

When the bottom qdisc decides to, for example, drop some packet,
it calls qdisc_tree_decrease_qlen() to update the queue length
for all its ancestors. We need to update the backlog too to
keep the stats on root qdisc accurate.

Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 include/net/codel.h       |  4 ++++
 include/net/sch_generic.h |  5 +++--
 net/sched/sch_api.c       |  8 +++++---
 net/sched/sch_cbq.c       |  5 +++--
 net/sched/sch_choke.c     |  6 ++++--
 net/sched/sch_codel.c     | 10 ++++++----
 net/sched/sch_drr.c       |  3 ++-
 net/sched/sch_fq.c        |  4 +++-
 net/sched/sch_fq_codel.c  | 17 ++++++++++++-----
 net/sched/sch_hfsc.c      |  3 ++-
 net/sched/sch_hhf.c       | 10 +++++++---
 net/sched/sch_htb.c       | 10 ++++++----
 net/sched/sch_multiq.c    |  8 +++++---
 net/sched/sch_netem.c     |  3 ++-
 net/sched/sch_pie.c       |  5 +++--
 net/sched/sch_prio.c      |  7 ++++---
 net/sched/sch_qfq.c       |  3 ++-
 net/sched/sch_red.c       |  3 ++-
 net/sched/sch_sfb.c       |  3 ++-
 net/sched/sch_sfq.c       | 16 +++++++++-------
 net/sched/sch_tbf.c       |  7 +++++--
 21 files changed, 91 insertions(+), 49 deletions(-)

--- a/include/net/codel.h
+++ b/include/net/codel.h
@@ -158,11 +158,13 @@ struct codel_vars {
  * struct codel_stats - contains codel shared variables and stats
  * @maxpacket:	largest packet we've seen so far
  * @drop_count:	temp count of dropped packets in dequeue()
+ * @drop_len:	bytes of dropped packets in dequeue()
  * ecn_mark:	number of packets we ECN marked instead of dropping
  */
 struct codel_stats {
 	u32		maxpacket;
 	u32		drop_count;
+	u32		drop_len;
 	u32		ecn_mark;
 };
 
@@ -297,6 +299,7 @@ static struct sk_buff *codel_dequeue(str
 								  vars->rec_inv_sqrt);
 					goto end;
 				}
+				stats->drop_len += qdisc_pkt_len(skb);
 				qdisc_drop(skb, sch);
 				stats->drop_count++;
 				skb = dequeue_func(vars, sch);
@@ -319,6 +322,7 @@ static struct sk_buff *codel_dequeue(str
 		if (params->ecn && INET_ECN_set_ce(skb)) {
 			stats->ecn_mark++;
 		} else {
+			stats->drop_len += qdisc_pkt_len(skb);
 			qdisc_drop(skb, sch);
 			stats->drop_count++;
 
--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -368,7 +368,8 @@ struct Qdisc *dev_graft_qdisc(struct net
 			      struct Qdisc *qdisc);
 void qdisc_reset(struct Qdisc *qdisc);
 void qdisc_destroy(struct Qdisc *qdisc);
-void qdisc_tree_decrease_qlen(struct Qdisc *qdisc, unsigned int n);
+void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, unsigned int n,
+			       unsigned int len);
 struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
 			  const struct Qdisc_ops *ops);
 struct Qdisc *qdisc_create_dflt(struct netdev_queue *dev_queue,
@@ -617,7 +618,7 @@ static inline struct Qdisc *qdisc_replac
 	old = *pold;
 	*pold = new;
 	if (old != NULL) {
-		qdisc_tree_decrease_qlen(old, old->q.qlen);
+		qdisc_tree_reduce_backlog(old, old->q.qlen, old->qstats.backlog);
 		qdisc_reset(old);
 	}
 	sch_tree_unlock(sch);
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -737,14 +737,15 @@ static u32 qdisc_alloc_handle(struct net
 	return 0;
 }
 
-void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n)
+void qdisc_tree_reduce_backlog(struct Qdisc *sch, unsigned int n,
+			       unsigned int len)
 {
 	const struct Qdisc_class_ops *cops;
 	unsigned long cl;
 	u32 parentid;
 	int drops;
 
-	if (n == 0)
+	if (n == 0 && len == 0)
 		return;
 	drops = max_t(int, n, 0);
 	while ((parentid = sch->parent)) {
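Review bot: qdisc_tree_reduce_backlog() gains a `len` parameter with no comment on its unit or sign. `drops = max_t(int, n, 0)` shows that `n` may arrive as a wrapped negative value, and callers in this patch pass `prev_backlog - sch->qstats.backlog` as `len`, which wraps the same way if the backlog grew. A short kerneldoc block stating that `len` is in bytes and that both deltas are applied with unsigned wraparound would make the new `n == 0 && len == 0` early return easier to reason about.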
@@ -763,10 +764,11 @@ void qdisc_tree_decrease_qlen(struct Qdi
 			cops->put(sch, cl);
 		}
 		sch->q.qlen -= n;
+		sch->qstats.backlog -= len;
 		sch->qstats.drops += drops;
 	}
 }
-EXPORT_SYMBOL(qdisc_tree_decrease_qlen);
+EXPORT_SYMBOL(qdisc_tree_reduce_backlog);
 
 static void notify_and_destroy(struct net *net, struct sk_buff *skb,
 			       struct nlmsghdr *n, u32 clid,
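Review bot: `EXPORT_SYMBOL(qdisc_tree_decrease_qlen)` is replaced outright, so on a stable branch any out-of-tree qdisc module built against the old name stops linking. If that matters for 3.16.y, keep a thin qdisc_tree_decrease_qlen() wrapper that calls the new function with a `len` of 0; otherwise mention the rename in the backport note.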
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -1927,7 +1927,7 @@ static int cbq_delete(struct Qdisc *sch,
 {
 	struct cbq_sched_data *q = qdisc_priv(sch);
 	struct cbq_class *cl = (struct cbq_class *)arg;
-	unsigned int qlen;
+	unsigned int qlen, backlog;
 
 	if (cl->filters || cl->children || cl == &q->link)
 		return -EBUSY;
@@ -1935,8 +1935,9 @@ static int cbq_delete(struct Qdisc *sch,
 	sch_tree_lock(sch);
 
 	qlen = cl->q->q.qlen;
+	backlog = cl->q->qstats.backlog;
 	qdisc_reset(cl->q);
-	qdisc_tree_decrease_qlen(cl->q, qlen);
+	qdisc_tree_reduce_backlog(cl->q, qlen, backlog);
 
 	if (cl->next_alive)
 		cbq_deactivate_class(cl);
--- a/net/sched/sch_choke.c
+++ b/net/sched/sch_choke.c
@@ -128,8 +128,8 @@ static void choke_drop_by_idx(struct Qdi
 		choke_zap_tail_holes(q);
 
 	sch->qstats.backlog -= qdisc_pkt_len(skb);
+	qdisc_tree_reduce_backlog(sch, 1, qdisc_pkt_len(skb));
 	qdisc_drop(skb, sch);
-	qdisc_tree_decrease_qlen(sch, 1);
 	--sch->q.qlen;
 }
 
@@ -437,6 +437,7 @@ static int choke_change(struct Qdisc *sc
 		old = q->tab;
 		if (old) {
 			unsigned int oqlen = sch->q.qlen, tail = 0;
+			unsigned dropped = 0;
 
 			while (q->head != q->tail) {
 				struct sk_buff *skb = q->tab[q->head];
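Review bot: `unsigned dropped = 0;` uses bare `unsigned` where the declaration on the line above it uses `unsigned int`; the same applies to `unsigned drop_len = 0;` in the sch_fq.c hunk. Please use `unsigned int` in both for consistency with the rest of the patch.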
@@ -448,11 +449,12 @@ static int choke_change(struct Qdisc *sc
 					ntab[tail++] = skb;
 					continue;
 				}
+				dropped += qdisc_pkt_len(skb);
 				sch->qstats.backlog -= qdisc_pkt_len(skb);
 				--sch->q.qlen;
 				qdisc_drop(skb, sch);
 			}
-			qdisc_tree_decrease_qlen(sch, oqlen - sch->q.qlen);
+			qdisc_tree_reduce_backlog(sch, oqlen - sch->q.qlen, dropped);
 			q->head = 0;
 			q->tail = tail;
 		}
--- a/net/sched/sch_codel.c
+++ b/net/sched/sch_codel.c
@@ -79,12 +79,13 @@ static struct sk_buff *codel_qdisc_deque
 
 	skb = codel_dequeue(sch, &q->params, &q->vars, &q->stats, dequeue);
 
-	/* We cant call qdisc_tree_decrease_qlen() if our qlen is 0,
+	/* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
 	 * or HTB crashes. Defer it for next round.
 	 */
 	if (q->stats.drop_count && sch->q.qlen) {
-		qdisc_tree_decrease_qlen(sch, q->stats.drop_count);
+		qdisc_tree_reduce_backlog(sch, q->stats.drop_count, q->stats.drop_len);
 		q->stats.drop_count = 0;
+		q->stats.drop_len = 0;
 	}
 	if (skb)
 		qdisc_bstats_update(sch, skb);
@@ -115,7 +116,7 @@ static int codel_change(struct Qdisc *sc
 {
 	struct codel_sched_data *q = qdisc_priv(sch);
 	struct nlattr *tb[TCA_CODEL_MAX + 1];
-	unsigned int qlen;
+	unsigned int qlen, dropped = 0;
 	int err;
 
 	if (!opt)
@@ -149,10 +150,11 @@ static int codel_change(struct Qdisc *sc
 	while (sch->q.qlen > sch->limit) {
 		struct sk_buff *skb = __skb_dequeue(&sch->q);
 
+		dropped += qdisc_pkt_len(skb);
 		sch->qstats.backlog -= qdisc_pkt_len(skb);
 		qdisc_drop(skb, sch);
 	}
-	qdisc_tree_decrease_qlen(sch, qlen - sch->q.qlen);
+	qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, dropped);
 
 	sch_tree_unlock(sch);
 	return 0;
--- a/net/sched/sch_drr.c
+++ b/net/sched/sch_drr.c
@@ -53,9 +53,10 @@ static struct drr_class *drr_find_class(
 static void drr_purge_queue(struct drr_class *cl)
 {
 	unsigned int len = cl->qdisc->q.qlen;
+	unsigned int backlog = cl->qdisc->qstats.backlog;
 
 	qdisc_reset(cl->qdisc);
-	qdisc_tree_decrease_qlen(cl->qdisc, len);
+	qdisc_tree_reduce_backlog(cl->qdisc, len, backlog);
 }
 
 static const struct nla_policy drr_policy[TCA_DRR_MAX + 1] = {
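Review bot: drr_purge_queue() now saves `q.qlen` and `qstats.backlog`, calls qdisc_reset() and then qdisc_tree_reduce_backlog(), and the sch_hfsc.c and sch_qfq.c hunks add the identical sequence. A small shared helper would remove the duplication and make it impossible to read the backlog after the reset by mistake.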
--- a/net/sched/sch_fq.c
+++ b/net/sched/sch_fq.c
@@ -646,6 +646,7 @@ static int fq_change(struct Qdisc *sch,
 	struct fq_sched_data *q = qdisc_priv(sch);
 	struct nlattr *tb[TCA_FQ_MAX + 1];
 	int err, drop_count = 0;
+	unsigned drop_len = 0;
 	u32 fq_log;
 
 	if (!opt)
@@ -711,10 +712,11 @@ static int fq_change(struct Qdisc *sch,
 
 		if (!skb)
 			break;
+		drop_len += qdisc_pkt_len(skb);
 		kfree_skb(skb);
 		drop_count++;
 	}
-	qdisc_tree_decrease_qlen(sch, drop_count);
+	qdisc_tree_reduce_backlog(sch, drop_count, drop_len);
 
 	sch_tree_unlock(sch);
 	return err;
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -170,7 +170,7 @@ static unsigned int fq_codel_drop(struct
 static int fq_codel_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
 	struct fq_codel_sched_data *q = qdisc_priv(sch);
-	unsigned int idx;
+	unsigned int idx, prev_backlog;
 	struct fq_codel_flow *flow;
 	int uninitialized_var(ret);
 
@@ -198,6 +198,7 @@ static int fq_codel_enqueue(struct sk_bu
 	if (++sch->q.qlen <= sch->limit)
 		return NET_XMIT_SUCCESS;
 
+	prev_backlog = sch->qstats.backlog;
 	q->drop_overlimit++;
 	/* Return Congestion Notification only if we dropped a packet
 	 * from this flow.
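Review bot: `prev_backlog = sch->qstats.backlog;` is taken here and the dropped byte count is later derived as `prev_backlog - sch->qstats.backlog`, but the call that actually drops the packet is not part of either hunk, so a reader cannot see that it is the only thing changing the backlog in between. A comment at the snapshot saying what it brackets would help; sch_hhf.c uses the same idiom and could share the wording.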
@@ -206,7 +207,7 @@ static int fq_codel_enqueue(struct sk_bu
 		return NET_XMIT_CN;
 
 	/* As we dropped a packet, better let upper stack know this */
-	qdisc_tree_decrease_qlen(sch, 1);
+	qdisc_tree_reduce_backlog(sch, 1, prev_backlog - sch->qstats.backlog);
 	return NET_XMIT_SUCCESS;
 }
 
@@ -236,6 +237,7 @@ static struct sk_buff *fq_codel_dequeue(
 	struct fq_codel_flow *flow;
 	struct list_head *head;
 	u32 prev_drop_count, prev_ecn_mark;
+	unsigned int prev_backlog;
 
 begin:
 	head = &q->new_flows;
@@ -254,6 +256,7 @@ begin:
 
 	prev_drop_count = q->cstats.drop_count;
 	prev_ecn_mark = q->cstats.ecn_mark;
+	prev_backlog = sch->qstats.backlog;
 
 	skb = codel_dequeue(sch, &q->cparams, &flow->cvars, &q->cstats,
 			    dequeue);
@@ -271,12 +274,14 @@ begin:
 	}
 	qdisc_bstats_update(sch, skb);
 	flow->deficit -= qdisc_pkt_len(skb);
-	/* We cant call qdisc_tree_decrease_qlen() if our qlen is 0,
+	/* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
 	 * or HTB crashes. Defer it for next round.
 	 */
 	if (q->cstats.drop_count && sch->q.qlen) {
-		qdisc_tree_decrease_qlen(sch, q->cstats.drop_count);
+		qdisc_tree_reduce_backlog(sch, q->cstats.drop_count,
+					  q->cstats.drop_len);
 		q->cstats.drop_count = 0;
+		q->cstats.drop_len = 0;
 	}
 	return skb;
 }
@@ -344,11 +349,13 @@ static int fq_codel_change(struct Qdisc
 	while (sch->q.qlen > sch->limit) {
 		struct sk_buff *skb = fq_codel_dequeue(sch);
 
+		q->cstats.drop_len += qdisc_pkt_len(skb);
 		kfree_skb(skb);
 		q->cstats.drop_count++;
 	}
-	qdisc_tree_decrease_qlen(sch, q->cstats.drop_count);
+	qdisc_tree_reduce_backlog(sch, q->cstats.drop_count, q->cstats.drop_len);
 	q->cstats.drop_count = 0;
+	q->cstats.drop_len = 0;
 
 	sch_tree_unlock(sch);
 	return 0;
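Review bot: in fq_codel_change() the new `q->cstats.drop_len += qdisc_pkt_len(skb);` dereferences the result of fq_codel_dequeue() unconditionally. Before the patch the only consumer was kfree_skb(), which accepts NULL, and the fq_change() hunk in sch_fq.c does `if (!skb) break;` before reading the length. If a NULL return is impossible while `sch->q.qlen > sch->limit`, a comment should say so; otherwise add the same check.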
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -895,9 +895,10 @@ static void
 hfsc_purge_queue(struct Qdisc *sch, struct hfsc_class *cl)
 {
 	unsigned int len = cl->qdisc->q.qlen;
+	unsigned int backlog = cl->qdisc->qstats.backlog;
 
 	qdisc_reset(cl->qdisc);
-	qdisc_tree_decrease_qlen(cl->qdisc, len);
+	qdisc_tree_reduce_backlog(cl->qdisc, len, backlog);
 }
 
 static void
--- a/net/sched/sch_hhf.c
+++ b/net/sched/sch_hhf.c
@@ -390,6 +390,7 @@ static int hhf_enqueue(struct sk_buff *s
 	struct hhf_sched_data *q = qdisc_priv(sch);
 	enum wdrr_bucket_idx idx;
 	struct wdrr_bucket *bucket;
+	unsigned int prev_backlog;
 
 	idx = hhf_classify(skb, sch);
 
@@ -417,6 +418,7 @@ static int hhf_enqueue(struct sk_buff *s
 	if (++sch->q.qlen <= sch->limit)
 		return NET_XMIT_SUCCESS;
 
+	prev_backlog = sch->qstats.backlog;
 	q->drop_overlimit++;
 	/* Return Congestion Notification only if we dropped a packet from this
 	 * bucket.
@@ -425,7 +427,7 @@ static int hhf_enqueue(struct sk_buff *s
 		return NET_XMIT_CN;
 
 	/* As we dropped a packet, better let upper stack know this. */
-	qdisc_tree_decrease_qlen(sch, 1);
+	qdisc_tree_reduce_backlog(sch, 1, prev_backlog - sch->qstats.backlog);
 	return NET_XMIT_SUCCESS;
 }
 
@@ -535,7 +537,7 @@ static int hhf_change(struct Qdisc *sch,
 {
 	struct hhf_sched_data *q = qdisc_priv(sch);
 	struct nlattr *tb[TCA_HHF_MAX + 1];
-	unsigned int qlen;
+	unsigned int qlen, prev_backlog;
 	int err;
 	u64 non_hh_quantum;
 	u32 new_quantum = q->quantum;
@@ -585,12 +587,14 @@ static int hhf_change(struct Qdisc *sch,
 	}
 
 	qlen = sch->q.qlen;
+	prev_backlog = sch->qstats.backlog;
 	while (sch->q.qlen > sch->limit) {
 		struct sk_buff *skb = hhf_dequeue(sch);
 
 		kfree_skb(skb);
 	}
-	qdisc_tree_decrease_qlen(sch, qlen - sch->q.qlen);
+	qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen,
+				  prev_backlog - sch->qstats.backlog);
 
 	sch_tree_unlock(sch);
 	return 0;
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -1266,7 +1266,6 @@ static int htb_delete(struct Qdisc *sch,
 {
 	struct htb_sched *q = qdisc_priv(sch);
 	struct htb_class *cl = (struct htb_class *)arg;
-	unsigned int qlen;
 	struct Qdisc *new_q = NULL;
 	int last_child = 0;
 
@@ -1286,9 +1285,11 @@ static int htb_delete(struct Qdisc *sch,
 	sch_tree_lock(sch);
 
 	if (!cl->level) {
-		qlen = cl->un.leaf.q->q.qlen;
+		unsigned int qlen = cl->un.leaf.q->q.qlen;
+		unsigned int backlog = cl->un.leaf.q->qstats.backlog;
+
 		qdisc_reset(cl->un.leaf.q);
-		qdisc_tree_decrease_qlen(cl->un.leaf.q, qlen);
+		qdisc_tree_reduce_backlog(cl->un.leaf.q, qlen, backlog);
 	}
 
 	/* delete from hash and active; remainder in destroy_class */
@@ -1421,10 +1422,11 @@ static int htb_change_class(struct Qdisc
 		sch_tree_lock(sch);
 		if (parent && !parent->level) {
 			unsigned int qlen = parent->un.leaf.q->q.qlen;
+			unsigned int backlog = parent->un.leaf.q->qstats.backlog;
 
 			/* turn parent into inner node */
 			qdisc_reset(parent->un.leaf.q);
-			qdisc_tree_decrease_qlen(parent->un.leaf.q, qlen);
+			qdisc_tree_reduce_backlog(parent->un.leaf.q, qlen, backlog);
 			qdisc_destroy(parent->un.leaf.q);
 			if (parent->prio_activity)
 				htb_deactivate(q, parent);
--- a/net/sched/sch_multiq.c
+++ b/net/sched/sch_multiq.c
@@ -217,7 +217,8 @@ static int multiq_tune(struct Qdisc *sch
 		if (q->queues[i] != &noop_qdisc) {
 			struct Qdisc *child = q->queues[i];
 			q->queues[i] = &noop_qdisc;
-			qdisc_tree_decrease_qlen(child, child->q.qlen);
+			qdisc_tree_reduce_backlog(child, child->q.qlen,
+						  child->qstats.backlog);
 			qdisc_destroy(child);
 		}
 	}
@@ -237,8 +238,9 @@ static int multiq_tune(struct Qdisc *sch
 				q->queues[i] = child;
 
 				if (old != &noop_qdisc) {
-					qdisc_tree_decrease_qlen(old,
-								 old->q.qlen);
+					qdisc_tree_reduce_backlog(old,
+								  old->q.qlen,
+								  old->qstats.backlog);
 					qdisc_destroy(old);
 				}
 				sch_tree_unlock(sch);
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -611,7 +611,8 @@ deliver:
 				if (unlikely(err != NET_XMIT_SUCCESS)) {
 					if (net_xmit_drop_count(err)) {
 						sch->qstats.drops++;
-						qdisc_tree_decrease_qlen(sch, 1);
+						qdisc_tree_reduce_backlog(sch, 1,
+									  qdisc_pkt_len(skb));
 					}
 				}
 				goto tfifo_dequeue;
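Review bot: `qdisc_pkt_len(skb)` is evaluated inside the `err != NET_XMIT_SUCCESS` path, that is, after whatever call produced `err` has had the skb. If that callee frees the skb when it drops it, this reads freed memory. Saving the length in a local before the call and passing that local here avoids the question.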
--- a/net/sched/sch_pie.c
+++ b/net/sched/sch_pie.c
@@ -183,7 +183,7 @@ static int pie_change(struct Qdisc *sch,
 {
 	struct pie_sched_data *q = qdisc_priv(sch);
 	struct nlattr *tb[TCA_PIE_MAX + 1];
-	unsigned int qlen;
+	unsigned int qlen, dropped = 0;
 	int err;
 
 	if (!opt)
@@ -232,10 +232,11 @@ static int pie_change(struct Qdisc *sch,
 	while (sch->q.qlen > sch->limit) {
 		struct sk_buff *skb = __skb_dequeue(&sch->q);
 
+		dropped += qdisc_pkt_len(skb);
 		sch->qstats.backlog -= qdisc_pkt_len(skb);
 		qdisc_drop(skb, sch);
 	}
-	qdisc_tree_decrease_qlen(sch, qlen - sch->q.qlen);
+	qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, dropped);
 
 	sch_tree_unlock(sch);
 	return 0;
--- a/net/sched/sch_prio.c
+++ b/net/sched/sch_prio.c
@@ -189,7 +189,7 @@ static int prio_tune(struct Qdisc *sch,
 		struct Qdisc *child = q->queues[i];
 		q->queues[i] = &noop_qdisc;
 		if (child != &noop_qdisc) {
-			qdisc_tree_decrease_qlen(child, child->q.qlen);
+			qdisc_tree_reduce_backlog(child, child->q.qlen, child->qstats.backlog);
 			qdisc_destroy(child);
 		}
 	}
@@ -208,8 +208,9 @@ static int prio_tune(struct Qdisc *sch,
 				q->queues[i] = child;
 
 				if (old != &noop_qdisc) {
-					qdisc_tree_decrease_qlen(old,
-								 old->q.qlen);
+					qdisc_tree_reduce_backlog(old,
+								  old->q.qlen,
+								  old->qstats.backlog);
 					qdisc_destroy(old);
 				}
 				sch_tree_unlock(sch);
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -221,9 +221,10 @@ static struct qfq_class *qfq_find_class(
 static void qfq_purge_queue(struct qfq_class *cl)
 {
 	unsigned int len = cl->qdisc->q.qlen;
+	unsigned int backlog = cl->qdisc->qstats.backlog;
 
 	qdisc_reset(cl->qdisc);
-	qdisc_tree_decrease_qlen(cl->qdisc, len);
+	qdisc_tree_reduce_backlog(cl->qdisc, len, backlog);
 }
 
 static const struct nla_policy qfq_policy[TCA_QFQ_MAX + 1] = {
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -210,7 +210,8 @@ static int red_change(struct Qdisc *sch,
 	q->flags = ctl->flags;
 	q->limit = ctl->limit;
 	if (child) {
-		qdisc_tree_decrease_qlen(q->qdisc, q->qdisc->q.qlen);
+		qdisc_tree_reduce_backlog(q->qdisc, q->qdisc->q.qlen,
+					  q->qdisc->qstats.backlog);
 		qdisc_destroy(q->qdisc);
 		q->qdisc = child;
 	}
--- a/net/sched/sch_sfb.c
+++ b/net/sched/sch_sfb.c
@@ -516,7 +516,8 @@ static int sfb_change(struct Qdisc *sch,
 
 	sch_tree_lock(sch);
 
-	qdisc_tree_decrease_qlen(q->qdisc, q->qdisc->q.qlen);
+	qdisc_tree_reduce_backlog(q->qdisc, q->qdisc->q.qlen,
+				  q->qdisc->qstats.backlog);
 	qdisc_destroy(q->qdisc);
 	q->qdisc = child;
 
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -372,7 +372,7 @@ static int
 sfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
 	struct sfq_sched_data *q = qdisc_priv(sch);
-	unsigned int hash;
+	unsigned int hash, dropped;
 	sfq_index x, qlen;
 	struct sfq_slot *slot;
 	int uninitialized_var(ret);
@@ -487,7 +487,7 @@ enqueue:
 		return NET_XMIT_SUCCESS;
 
 	qlen = slot->qlen;
-	sfq_drop(sch);
+	dropped = sfq_drop(sch);
 	/* Return Congestion Notification only if we dropped a packet
 	 * from this flow.
 	 */
@@ -495,7 +495,7 @@ enqueue:
 		return NET_XMIT_CN;
 
 	/* As we dropped a packet, better let upper stack know this */
-	qdisc_tree_decrease_qlen(sch, 1);
+	qdisc_tree_reduce_backlog(sch, 1, dropped);
 	return NET_XMIT_SUCCESS;
 }
 
@@ -563,6 +563,7 @@ static void sfq_rehash(struct Qdisc *sch
 	struct sfq_slot *slot;
 	struct sk_buff_head list;
 	int dropped = 0;
+	unsigned int drop_len = 0;
 
 	__skb_queue_head_init(&list);
 
@@ -590,6 +591,7 @@ static void sfq_rehash(struct Qdisc *sch
 			x = q->dep[0].next; /* get a free slot */
 			if (x >= SFQ_MAX_FLOWS) {
 drop:				sch->qstats.backlog -= qdisc_pkt_len(skb);
+				drop_len += qdisc_pkt_len(skb);
 				kfree_skb(skb);
 				dropped++;
 				continue;
@@ -619,7 +621,7 @@ drop:				sch->qstats.backlog -= qdisc_pk
 		}
 	}
 	sch->q.qlen -= dropped;
-	qdisc_tree_decrease_qlen(sch, dropped);
+	qdisc_tree_reduce_backlog(sch, dropped, drop_len);
 }
 
 static void sfq_perturbation(unsigned long arg)
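
Review bot: in sfq_rehash() "dropped" stays a packet count and the new "drop_len" carries bytes, but in sfq_enqueue() and sfq_change() the newly added "dropped" carries bytes. One name for the byte total across the file (drop_len everywhere, for instance) would make it harder to swap the second and third arguments of qdisc_tree_reduce_backlog() in a later edit.
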
@@ -643,7 +645,7 @@ static int sfq_change(struct Qdisc *sch,
 	struct sfq_sched_data *q = qdisc_priv(sch);
 	struct tc_sfq_qopt *ctl = nla_data(opt);
 	struct tc_sfq_qopt_v1 *ctl_v1 = NULL;
-	unsigned int qlen;
+	unsigned int qlen, dropped = 0;
 	struct red_parms *p = NULL;
 
 	if (opt->nla_len < nla_attr_size(sizeof(*ctl)))
@@ -692,8 +694,8 @@ static int sfq_change(struct Qdisc *sch,
 
 	qlen = sch->q.qlen;
 	while (sch->q.qlen > q->limit)
-		sfq_drop(sch);
-	qdisc_tree_decrease_qlen(sch, qlen - sch->q.qlen);
+		dropped += sfq_drop(sch);
+	qdisc_tree_reduce_backlog(sch, qlen - sch->q.qlen, dropped);
 
 	del_timer(&q->perturb_timer);
 	if (q->perturb_period) {
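
Review bot: "dropped += sfq_drop(sch)" in sfq_change() assumes sfq_drop() returns the byte length of the packet it removed, and the old call sites in this file ignored its return value. The definition is not in the patch context, so please confirm against the 3.16 sfq_drop() that every drop path returns the length; otherwise the byte total passed to qdisc_tree_reduce_backlog() will not correspond to the packet delta qlen - sch->q.qlen.
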
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -160,6 +160,7 @@ static int tbf_segment(struct sk_buff *s
 	struct tbf_sched_data *q = qdisc_priv(sch);
 	struct sk_buff *segs, *nskb;
 	netdev_features_t features = netif_skb_features(skb);
+	unsigned int len = 0, prev_len = qdisc_pkt_len(skb);
 	int ret, nb;
 
 	segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
@@ -172,6 +173,7 @@ static int tbf_segment(struct sk_buff *s
 		nskb = segs->next;
 		segs->next = NULL;
 		qdisc_skb_cb(segs)->pkt_len = segs->len;
+		len += segs->len;
 		ret = qdisc_enqueue(segs, q->qdisc);
 		if (ret != NET_XMIT_SUCCESS) {
 			if (net_xmit_drop_count(ret))
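
Review bot: "len += segs->len" in tbf_segment() sits before the qdisc_enqueue() result is checked, so a segment the child qdisc rejects is still added to len. If nb counts only the segments that were enqueued successfully, the byte delta prev_len - len and the packet delta 1 - nb passed to qdisc_tree_reduce_backlog() in the next hunk are computed over different sets of segments. Either accumulate len on NET_XMIT_SUCCESS only, or add a comment saying why rejected segments are meant to be included.
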
@@ -183,7 +185,7 @@ static int tbf_segment(struct sk_buff *s
 	}
 	sch->q.qlen += nb;
 	if (nb > 1)
-		qdisc_tree_decrease_qlen(sch, 1 - nb);
+		qdisc_tree_reduce_backlog(sch, 1 - nb, prev_len - len);
 	consume_skb(skb);
 	return nb > 0 ? NET_XMIT_SUCCESS : NET_XMIT_DROP;
 }
@@ -398,7 +400,8 @@ static int tbf_change(struct Qdisc *sch,
 
 	sch_tree_lock(sch);
 	if (child) {
-		qdisc_tree_decrease_qlen(q->qdisc, q->qdisc->q.qlen);
+		qdisc_tree_reduce_backlog(q->qdisc, q->qdisc->q.qlen,
+					  q->qdisc->qstats.backlog);
 		qdisc_destroy(q->qdisc);
 		q->qdisc = child;
 	}


* [PATCH 3.16 002/305] ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Heinrich Schuchardt, Gregory CLEMENT

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Heinrich Schuchardt <xypron.glpk@gmx.de>

commit fc5c796e12511a7c027b5a4438719dde2f796208 upstream.

Commit 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology
NAS devices") created the new file kirkwood-ds112.dts but did not
add it to the Makefile.

Fixes: 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/boot/dts/Makefile | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/Makefile
+++ b/arch/arm/boot/dts/Makefile
@@ -102,6 +102,7 @@ kirkwood := \
 	kirkwood-ds109.dtb \
 	kirkwood-ds110jv10.dtb \
 	kirkwood-ds111.dtb \
+	kirkwood-ds112.dtb \
 	kirkwood-ds209.dtb \
 	kirkwood-ds210.dtb \
 	kirkwood-ds212.dtb \


* [PATCH 3.16 187/305] kprobes/x86: Clear TF bit in fault on single-stepping
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Peter Zijlstra, H. Peter Anvin, Steven Rostedt,
	Stephane Eranian, Thomas Gleixner, Brian Gerst, Borislav Petkov,
	Arnaldo Carvalho de Melo, Ingo Molnar, Masami Hiramatsu,
	Alexander Shishkin, systemtap, Jiri Olsa, Vince Weaver,
	Linus Torvalds, Andy Lutomirski, Denys Vlasenko,
	Ananth N Mavinakayanahalli

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Masami Hiramatsu <mhiramat@kernel.org>

commit dcfc47248d3f7d28df6f531e6426b933de94370d upstream.

Fix kprobe_fault_handler() to clear the TF (trap flag) bit of
the flags register in the case of a fault fixup on single-stepping.

If we put a kprobe on the instruction which caused a
page fault (e.g. actual mov instructions in copy_user_*),
that fault happens on the single-stepping buffer. In this
case, kprobes resets running instance so that the CPU can
retry execution on the original ip address.

However, current code forgets to reset the TF bit. Since this
fault happens with TF bit set for enabling single-stepping,
when it retries, it causes a debug exception and kprobes
can not handle it because it already reset itself.

On most x86-64 platforms, it can be easily reproduced
by using the kprobe tracer. E.g.

  # cd /sys/kernel/debug/tracing
  # echo p copy_user_enhanced_fast_string+5 > kprobe_events
  # echo 1 > events/kprobes/enable

And you'll see a kernel panic on do_debug(), since the debug
trap is not handled by kprobes.

To fix this problem, we just need to clear the TF bit when
resetting running kprobe.

Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: systemtap@sourceware.org
Link: http://lkml.kernel.org/r/20160611140648.25885.37482.stgit@devbox
[ Updated the comments. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/x86/kernel/kprobes/core.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -931,7 +931,19 @@ int kprobe_fault_handler(struct pt_regs
 		 * normal page fault.
 		 */
 		regs->ip = (unsigned long)cur->addr;
+		/*
+		 * Trap flag (TF) has been set here because this fault
+		 * happened where the single stepping will be done.
+		 * So clear it by resetting the current kprobe:
+		 */
+		regs->flags &= ~X86_EFLAGS_TF;
+
+		/*
+		 * If the TF flag was set before the kprobe hit,
+		 * don't touch it:
+		 */
 		regs->flags |= kcb->kprobe_old_flags;
+
 		if (kcb->kprobe_status == KPROBE_REENTER)
 			restore_previous_kprobe(kcb);
 		else
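
Review bot: the first added comment in kprobe_fault_handler() says TF is cleared "by resetting the current kprobe", but the code clears it directly with regs->flags &= ~X86_EFLAGS_TF as part of the reset; something like "clear it while resetting the current kprobe" would match what the code does. It would also help to say in the second comment that the clear has to come before regs->flags |= kcb->kprobe_old_flags, since that ordering is what keeps a TF that was already set before the probe hit.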


* [PATCH 3.16 305/305] Revert "netfilter: ensure number of counters is >0 in do_replace()"
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Pablo Neira Ayuso, Bernhard Thaler

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bernhard Thaler <bernhard.thaler@wvnet.at>

commit d26e2c9ffa385dd1b646f43c1397ba12af9ed431 upstream.

This partially reverts commit 1086bbe97a07 ("netfilter: ensure number of
counters is >0 in do_replace()") in net/bridge/netfilter/ebtables.c.

Setting rules with ebtables does not work any more with 1086bbe97a07 in place.

There is an error message and no rules set in the end.

e.g.

~# ebtables -t nat -A POSTROUTING --src 12:34:56:78:9a:bc -j DROP
Unable to update the kernel. Two possible causes:
1. Multiple ebtables programs were executing simultaneously. The ebtables
   userspace tool doesn't by default support multiple ebtables programs
running

Reverting the ebtables part of 1086bbe97a07 makes this work again.

Signed-off-by: Bernhard Thaler <bernhard.thaler@wvnet.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/bridge/netfilter/ebtables.c | 4 ----
 1 file changed, 4 deletions(-)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1105,8 +1105,6 @@ static int do_replace(struct net *net, c
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
-	if (tmp.num_counters == 0)
-		return -EINVAL;
 
 	tmp.name[sizeof(tmp.name) - 1] = 0;
 
@@ -2152,8 +2150,6 @@ static int compat_copy_ebt_replace_from_
 		return -ENOMEM;
 	if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
 		return -ENOMEM;
-	if (tmp.num_counters == 0)
-		return -EINVAL;
 
 	memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
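
Review bot: with the "tmp.num_counters == 0" check removed from do_replace() and from the compat path, a zero count passes the remaining INT_MAX / sizeof(struct ebt_counter) bound and continues into the code below both hunks. The commit message shows the userspace failure but does not say why zero is a valid value for ebtables or how the later counter handling behaves for it. A sentence on that in the changelog, or a short comment at each spot, would show that whatever 1086bbe97a07 was guarding against does not apply here.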
 


* [PATCH 3.16 058/305] USB: serial: keyspan: fix use-after-free in probe error path
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Johan Hovold, Greg Kroah-Hartman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hovold <johan@kernel.org>

commit 35be1a71d70775e7bd7e45fa6d2897342ff4c9d2 upstream.

The interface instat and indat URBs were submitted in attach, but never
unlinked in release before deallocating the corresponding transfer
buffers.

In the case of a late probe error (e.g. due to failed minor allocation),
disconnect would not have been called before release, causing the
buffers to be freed while the URBs are still in use. We'd also end up
with active URBs for an unbound interface.

Fixes: f9c99bb8b3a1 ("USB: usb-serial: replace shutdown with disconnect,
release")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/serial/keyspan.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -2376,6 +2376,10 @@ static void keyspan_release(struct usb_s
 
 	s_priv = usb_get_serial_data(serial);
 
+	/* Make sure to unlink the URBs submitted in attach. */
+	usb_kill_urb(s_priv->instat_urb);
+	usb_kill_urb(s_priv->indat_urb);
+
 	usb_free_urb(s_priv->instat_urb);
 	usb_free_urb(s_priv->indat_urb);
 	usb_free_urb(s_priv->glocont_urb);
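
Review bot: only instat_urb and indat_urb get a usb_kill_urb() in keyspan_release(), while glocont_urb is freed in the same block without one. The commit message explains that the first two are the URBs submitted in attach; extending the new comment to say that glocont_urb is not submitted there (if that is the case) would keep the asymmetry from looking like an omission.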


* [PATCH 3.16 009/305] drm/gma500: Fix possible out of bounds read
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Itai Handler, Patrik Jakobsson

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Itai Handler <itai_handler@hotmail.com>

commit 7ccca1d5bf69fdd1d3c5fcf84faf1659a6e0ad11 upstream.

Fix possible out of bounds read, by adding missing comma.
The code may read past the end of the dsi_errors array
when the most significant bit (bit #31) in the intr_stat register
is set.
This bug has been detected using CppCheck (static analysis tool).

Signed-off-by: Itai Handler <itai_handler@hotmail.com>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c
+++ b/drivers/gpu/drm/gma500/mdfld_dsi_pkg_sender.c
@@ -85,7 +85,7 @@ static const char *const dsi_errors[] =
 	"RX Prot Violation",
 	"HS Generic Write FIFO Full",
 	"LP Generic Write FIFO Full",
-	"Generic Read Data Avail"
+	"Generic Read Data Avail",
 	"Special Packet Sent",
 	"Tearing Effect",
 };
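
Review bot: nothing ties the length of dsi_errors[] to the number of intr_stat bits it is indexed by, which is why the missing comma after "Generic Read Data Avail" (two adjacent string literals merging into one entry) went unnoticed until a static analyser flagged it. Since the commit message says the overread happens when bit #31 is set, consider a compile-time check on ARRAY_SIZE(dsi_errors) next to the code that indexes the table, or bounding the index there, so a future edit to the list cannot shorten it silently.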


* [PATCH 3.16 204/305] tracing: Handle NULL formats in hold_module_trace_bprintk_format()
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Namhyung Kim, Steven Rostedt (Red Hat), xingzhen

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

commit 70c8217acd4383e069fe1898bbad36ea4fcdbdcc upstream.

If a task uses a non constant string for the format parameter in
trace_printk(), then the trace_printk_fmt variable is set to NULL. This
variable is then saved in the __trace_printk_fmt section.

The function hold_module_trace_bprintk_format() checks to see if duplicate
formats are used by modules, and reuses them if so (saves them to the list
if it is new). But this function calls lookup_format() that does a strcmp()
to the value (which is now NULL) and can cause a kernel oops.

This wasn't an issue till 3debb0a9ddb ("tracing: Fix trace_printk() to print
when not using bprintk()") which added "__used" to the trace_printk_fmt
variable, and before that, the kernel simply optimized it out (no NULL value
was saved).

The fix is simply to handle the NULL pointer in lookup_format() and have the
caller ignore the value if it was NULL.

Link: http://lkml.kernel.org/r/1464769870-18344-1-git-send-email-zhengjun.xing@intel.com

Reported-by: xingzhen <zhengjun.xing@intel.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Fixes: 3debb0a9ddb ("tracing: Fix trace_printk() to print when not using bprintk()")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 kernel/trace/trace_printk.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_printk.c
+++ b/kernel/trace/trace_printk.c
@@ -38,6 +38,10 @@ struct trace_bprintk_fmt {
 static inline struct trace_bprintk_fmt *lookup_format(const char *fmt)
 {
 	struct trace_bprintk_fmt *pos;
+
+	if (!fmt)
+		return ERR_PTR(-EINVAL);
+
 	list_for_each_entry(pos, &trace_bprintk_fmt_list, list) {
 		if (!strcmp(pos->fmt, fmt))
 			return pos;
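
Review bot: lookup_format() now has three outcomes (a match, NULL for not found, ERR_PTR(-EINVAL) for a NULL fmt) and no comment above it says so. hold_module_trace_bprintk_format() is updated in the next hunk, but any other caller that only tests the result against NULL would treat the ERR_PTR as a match and dereference it. Please check the remaining call sites and document the return contract on the function.
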
@@ -59,7 +63,8 @@ void hold_module_trace_bprintk_format(co
 	for (iter = start; iter < end; iter++) {
 		struct trace_bprintk_fmt *tb_fmt = lookup_format(*iter);
 		if (tb_fmt) {
-			*iter = tb_fmt->fmt;
+			if (!IS_ERR(tb_fmt))
+				*iter = tb_fmt->fmt;
 			continue;
 		}
 


* [PATCH 3.16 054/305] MIPS: Avoid using unwind_stack() with usermode
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, linux-mips, Leonid Yegoshin, James Hogan, Ralf Baechle

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Hogan <james.hogan@imgtec.com>

commit 81a76d7119f63c359750e4adeff922a31ad1135f upstream.

When showing backtraces in response to traps, for example crashes and
address errors (usually unaligned accesses) when they are set in debugfs
to be reported, unwind_stack will be used if the PC was in the kernel
text address range. However since EVA it is possible for user and kernel
address ranges to overlap, and even without EVA userland can still
trigger an address error by jumping to a KSeg0 address.

Adjust the check to also ensure that it was running in kernel mode. I
don't believe any harm can come of this problem, since unwind_stack() is
sufficiently defensive, however it is only meant for unwinding kernel
code, so to be correct it should use the raw backtracing instead.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Leonid Yegoshin <Leonid.Yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/11701/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
(cherry picked from commit d2941a975ac745c607dfb590e92bb30bc352dad9)
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/mips/kernel/traps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -140,7 +140,7 @@ static void show_backtrace(struct task_s
 	if (!task)
 		task = current;
 
-	if (raw_show_trace || !__kernel_text_address(pc)) {
+	if (raw_show_trace || user_mode(regs) || !__kernel_text_address(pc)) {
 		show_raw_backtrace(sp);
 		return;
 	}
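
Review bot: the added user_mode(regs) test in show_backtrace() carries no comment, and the reason for it (user and kernel address ranges can overlap with EVA, and userland can jump to a KSeg0 address) lives only in the commit message. A one-line comment above the condition would keep it from being removed later as redundant with !__kernel_text_address(pc).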


* [PATCH 3.16 099/305] batman-adv: fix skb deref after free
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Florian Westphal, Antonio Quartulli, Marek Lindner, Sven Eckelmann

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal <fw@strlen.de>

commit 63d443efe8be2c1d02b30d7e4edeb9aa085352b3 upstream.

batadv_send_skb_to_orig() calls dev_queue_xmit() so we can't use skb->len.

Fixes: 953324776d6d ("batman-adv: network coding - buffer unicast packets before forward")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/batman-adv/routing.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -568,6 +568,7 @@ static int batadv_route_unicast_packet(s
 	struct batadv_unicast_packet *unicast_packet;
 	struct ethhdr *ethhdr = eth_hdr(skb);
 	int res, hdr_len, ret = NET_RX_DROP;
+	unsigned int len;
 
 	unicast_packet = (struct batadv_unicast_packet *)skb->data;
 
@@ -608,6 +609,7 @@ static int batadv_route_unicast_packet(s
 	if (hdr_len > 0)
 		batadv_skb_set_priority(skb, hdr_len);
 
+	len = skb->len;
 	res = batadv_send_skb_to_orig(skb, orig_node, recv_if);
 
 	/* translate transmit result into receive result */
@@ -615,7 +617,7 @@ static int batadv_route_unicast_packet(s
 		/* skb was transmitted and consumed */
 		batadv_inc_counter(bat_priv, BATADV_CNT_FORWARD);
 		batadv_add_counter(bat_priv, BATADV_CNT_FORWARD_BYTES,
-				   skb->len + ETH_HLEN);
+				   len + ETH_HLEN);
 
 		ret = NET_RX_SUCCESS;
 	} else if (res == NET_XMIT_POLICED) {
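
Review bot: only the NET_XMIT_SUCCESS branch of batadv_route_unicast_packet() is switched to the saved len; the "else if (res == NET_XMIT_POLICED)" branch and the function's exit path lie outside this hunk. Given the commit message's point that skb cannot be used once batadv_send_skb_to_orig() has run, please confirm nothing on those paths reads skb either.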


* [PATCH 3.16 276/305] USB: usbfs: fix potential infoleak in devio
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Kangjie Lu, Kangjie Lu

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kangjie Lu <kangjielu@gmail.com>

commit 681fef8380eb818c0b845fca5d2ab1dcbab114ee upstream.

The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
are padding bytes which are not initialized and leaked to userland
via “copy_to_user”.

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/usb/core/devio.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1202,10 +1202,11 @@ static int proc_getdriver(struct usb_dev
 
 static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
 {
-	struct usbdevfs_connectinfo ci = {
-		.devnum = ps->dev->devnum,
-		.slow = ps->dev->speed == USB_SPEED_LOW
-	};
+	struct usbdevfs_connectinfo ci;
+
+	memset(&ci, 0, sizeof(ci));
+	ci.devnum = ps->dev->devnum;
+	ci.slow = ps->dev->speed == USB_SPEED_LOW;
 
 	if (copy_to_user(arg, &ci, sizeof(ci)))
 		return -EFAULT;
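
Review bot: the memset() added to proc_connectinfo() has no comment, so a later cleanup could fold it back into the designated initializer that, per the commit message, left the padding bytes of ci uninitialized ahead of copy_to_user(arg, &ci, sizeof(ci)). A short comment above the memset, for example "zero the padding before copying to userspace", would record why the explicit form is required.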


* [PATCH 3.16 015/305] [media] cx23885: uninitialized variable in cx23885_av_work_handler()
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Mauro Carvalho Chehab, Hans Verkuil, Dan Carpenter

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 60587bd0680507f48ae3a7360983228fd207de8a upstream.

The "handled" variable could be uninitialized if the
interrupt_service_routine() call back hasn't been implemented or if it
has been implemented but doesn't initialize "handled" to zero at the
start.  For example, adv76xx_isr() only sets "handled" to true.

Fixes: 44b153ca639f ('[media] m5mols: Add ISO sensitivity controls')

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/media/pci/cx23885/cx23885-av.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/pci/cx23885/cx23885-av.c
+++ b/drivers/media/pci/cx23885/cx23885-av.c
@@ -29,7 +29,7 @@ void cx23885_av_work_handler(struct work
 {
 	struct cx23885_dev *dev =
 			   container_of(work, struct cx23885_dev, cx25840_work);
-	bool handled;
+	bool handled = false;
 
 	v4l2_subdev_call(dev->sd_cx25840, core, interrupt_service_routine,
 			 PCI_MSK_AV_CORE, &handled);


* [PATCH 3.16 084/305] blk-mq: fix undefined behaviour in order_to_size()
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Meelis Roos, Jens Axboe, Bartlomiej Zolnierkiewicz

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>

commit b3a834b1596ac668df206aa2bb1f191c31f5f5e4 upstream.

When this_order variable in blk_mq_init_rq_map() becomes zero
the code incorrectly decrements the variable and passes the result
to order_to_size() helper causing undefined behaviour:

 UBSAN: Undefined behaviour in block/blk-mq.c:1459:27
 shift exponent 4294967295 is too large for 32-bit type 'unsigned int'
 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0-rc6-00072-g33656a1 #22

Fix the code by checking this_order variable for not having the zero
value first.

Reported-by: Meelis Roos <mroos@linux.ee>
Fixes: 320ae51feed5 ("blk-mq: new multi-queue block IO queueing mechanism")
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 block/blk-mq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1385,7 +1385,7 @@ static struct blk_mq_tags *blk_mq_init_r
 		int to_do;
 		void *p;
 
-		while (left < order_to_size(this_order - 1) && this_order)
+		while (this_order && left < order_to_size(this_order - 1))
 			this_order--;
 
 		do {


* [PATCH 3.16 236/305] KVM: arm/arm64: Stop leaking vcpu pid references
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, James Morse, Christoffer Dall, Marc Zyngier

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Morse <james.morse@arm.com>

commit 591d215afcc2f94e8e2c69a63c924c044677eb31 upstream.

kvm provides kvm_vcpu_uninit(), which amongst other things, releases the
last reference to the struct pid of the task that was last running the vcpu.

On arm64 built with CONFIG_DEBUG_KMEMLEAK, starting a guest with kvmtool,
then killing it with SIGKILL results (after some considerable time) in:
> cat /sys/kernel/debug/kmemleak
> unreferenced object 0xffff80007d5ea080 (size 128):
>  comm "lkvm", pid 2025, jiffies 4294942645 (age 1107.776s)
>  hex dump (first 32 bytes):
>    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  backtrace:
>    [<ffff8000001b30ec>] create_object+0xfc/0x278
>    [<ffff80000071da34>] kmemleak_alloc+0x34/0x70
>    [<ffff80000019fa2c>] kmem_cache_alloc+0x16c/0x1d8
>    [<ffff8000000d0474>] alloc_pid+0x34/0x4d0
>    [<ffff8000000b5674>] copy_process.isra.6+0x79c/0x1338
>    [<ffff8000000b633c>] _do_fork+0x74/0x320
>    [<ffff8000000b66b0>] SyS_clone+0x18/0x20
>    [<ffff800000085cb0>] el0_svc_naked+0x24/0x28
>    [<ffffffffffffffff>] 0xffffffffffffffff

On x86 kvm_vcpu_uninit() is called on the path from kvm_arch_destroy_vm(),
on arm no equivalent call is made. Add the call to kvm_arch_vcpu_free().

Signed-off-by: James Morse <james.morse@arm.com>
Fixes: 749cf76c5a36 ("KVM: ARM: Initial skeleton to compile KVM support")
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/kvm/arm.c | 1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -258,6 +258,7 @@ void kvm_arch_vcpu_free(struct kvm_vcpu
 {
 	kvm_mmu_free_memory_caches(vcpu);
 	kvm_timer_vcpu_terminate(vcpu);
+	kvm_vcpu_uninit(vcpu);
 	kmem_cache_free(kvm_vcpu_cache, vcpu);
 }
 
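
Review bot: kvm_vcpu_uninit(vcpu) is added only to kvm_arch_vcpu_free(), so the struct pid reference is dropped only on paths that reach this function. The commit message names the x86 path from kvm_arch_destroy_vm(), but the hunk does not show that the arm VM-destroy path and the vcpu-creation error paths all end up here; worth confirming in the 3.16 tree. Also check that no existing caller already runs kvm_vcpu_uninit() before kvm_arch_vcpu_free(), which would now drop the reference twice. The placement, after the MMU cache and timer teardown and before kmem_cache_free(), looks right since the uninit has to run while vcpu is still allocated.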

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 017/305] drm/i915: Prevent machine death on Ivybridge context switching
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (201 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 143/305] ALSA: hda - Fix headset mic detection problem for Dell machine Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 286/305] tcp: make challenge acks less predictable Ben Hutchings
                   ` (102 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Daniel Vetter, Chris Wilson, Ville Syrjälä

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Wilson <chris@chris-wilson.co.uk>

commit e9135c4f08d9acb0f3da3ad2643b669dee3217c2 upstream.

Two concurrent writes into the same register cacheline have the chance of
killing the machine on Ivybridge and other gen7. This includes LRI
emitted from the command parser.  The MI_SET_CONTEXT itself serves as
serialising barrier and prevents the pair of register writes in the first
packet from triggering the fault.  However, if a second switch-context
immediately occurs then we may have two adjacent blocks of LRI to the
same registers which may then trigger the hang. To counteract this we
need to insert a delay after the second register write using SRM.

This is easiest to reproduce with something like
igt/gem_ctx_switch/interruptible that triggers back-to-back context
switches (with no operations in between them in the command stream,
which requires the execbuf operation to be interrupted after the
MI_SET_CONTEXT) but can be observed sporadically elsewhere when running
interruptible igt. No reports from the wild though, so it must be of low
enough frequency that no one has correlated the random machine freezes
with i915.ko.

The issue was introduced with
commit 2c550183476dfa25641309ae9a28d30feed14379 [v3.19]
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Tue Dec 16 10:02:27 2014 +0000

    drm/i915: Disable PSMI sleep messages on all rings around context switches

Testcase: igt/gem_ctx_switch/render-interruptible #ivb
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Daniel Vetter <daniel@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1460565315-7748-11-git-send-email-chris@chris-wilson.co.uk
[bwh: Backported to 3.16:
 - Pass ring, not engine, to intel_ring_emit()
 - Register type is u32 not i915_reg_t
 - MI_STORE_REGISTER_MEM is a function-macro]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/gpu/drm/i915/i915_gem_context.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/i915/i915_gem_context.c
+++ b/drivers/gpu/drm/i915/i915_gem_context.c
@@ -566,7 +566,7 @@ mi_set_context(struct intel_engine_cs *r
 
 	len = 4;
 	if (INTEL_INFO(ring->dev)->gen >= 7)
-		len += 2 + (num_rings ? 4*num_rings + 2 : 0);
+		len += 2 + (num_rings ? 4*num_rings + 6 : 0);
 
 	ret = intel_ring_begin(ring, len);
 	if (ret)
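
Review bot: the reservation in `len += 2 + (num_rings ? 4*num_rings + 6 : 0)` has to match the number of emitted dwords exactly, and the 2 -> 6 change is a bare literal. The four extra dwords correspond to the four intel_ring_emit() calls added in the next hunk (SRM command, register, scratch address, MI_NOOP); a short comment next to the arithmetic saying so would keep the two from drifting apart in later backports.
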
@@ -605,15 +605,25 @@ mi_set_context(struct intel_engine_cs *r
 	if (INTEL_INFO(ring->dev)->gen >= 7) {
 		if (num_rings) {
 			struct intel_engine_cs *signaller;
+			u32 last_reg = 0; /* keep gcc quiet */
 
 			intel_ring_emit(ring, MI_LOAD_REGISTER_IMM(num_rings));
 			for_each_ring(signaller, to_i915(ring->dev), i) {
 				if (signaller == ring)
 					continue;
 
-				intel_ring_emit(ring, RING_PSMI_CTL(signaller->mmio_base));
+				last_reg = RING_PSMI_CTL(signaller->mmio_base);
+				intel_ring_emit(ring, last_reg);
 				intel_ring_emit(ring, _MASKED_BIT_DISABLE(GEN6_PSMI_SLEEP_MSG_DISABLE));
 			}
+
+			/* Insert a delay before the next switch! */
+			intel_ring_emit(ring,
+					MI_STORE_REGISTER_MEM(1) |
+					MI_SRM_LRM_GLOBAL_GTT);
+			intel_ring_emit(ring, last_reg);
+			intel_ring_emit(ring, ring->scratch.gtt_offset);
+			intel_ring_emit(ring, MI_NOOP);
 		}
 		intel_ring_emit(ring, MI_ARB_ON_OFF | MI_ARB_ENABLE);
 	}
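
Review bot: last_reg is initialised to 0 only to silence the compiler, and the SRM after the loop uses it unconditionally. That is correct as long as num_rings != 0 guarantees at least one loop iteration that does not hit `continue`; if the loop ever skips every signaller, the SRM reads register offset 0 instead of a PSMI_CTL register. A WARN_ON(!last_reg), or a comment stating the invariant, would make that explicit. The comment "Insert a delay before the next switch!" could also say that the value stored to ring->scratch.gtt_offset is never used and the SRM exists only as the delay after the second register write, as the commit message explains.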

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 235/305] powerpc/tm: Always reclaim in start_thread() for exec() class syscalls
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (239 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 111/305] scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 037/305] Revert "tty: Fix pty master poll() after slave closes v2" Ben Hutchings
                   ` (64 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Cyril Bur, Michael Ellerman

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Cyril Bur <cyrilbur@gmail.com>

commit 8e96a87c5431c256feb65bcfc5aec92d9f7839b6 upstream.

Userspace can quite legitimately perform an exec() syscall with a
suspended transaction. exec() does not return to the old process, rather
it loads a new one and starts that, the expectation therefore is that the
new process starts not in a transaction. Currently exec() is not treated
any differently to any other syscall which creates problems.

Firstly it could allow a new process to start with a suspended
transaction for a binary that no longer exists. This means that the
checkpointed state won't be valid and if the suspended transaction were
ever to be resumed and subsequently aborted (a possibility which is
exceedingly likely as exec()ing will likely doom the transaction) the
new process will jump to invalid state.

Secondly the incorrect attempt to keep the transactional state while
still zeroing state for the new process creates at least two TM Bad
Things. The first triggers on the rfid to return to userspace as
start_thread() has given the new process a 'clean' MSR but the suspend
will still be set in the hardware MSR. The second TM Bad Thing triggers
in __switch_to() as the processor is still transactionally suspended but
__switch_to() wants to zero the TM sprs for the new process.

This is an example of the outcome of calling exec() with a suspended
transaction. Note the first 700 is likely the first TM bad thing
described earlier, only the kernel can't report it as we've loaded
userspace registers. c000000000009980 is the rfid in
fast_exception_return().

  Bad kernel stack pointer 3fffcfa1a370 at c000000000009980
  Oops: Bad kernel stack pointer, sig: 6 [#1]
  CPU: 0 PID: 2006 Comm: tm-execed Not tainted
  NIP: c000000000009980 LR: 0000000000000000 CTR: 0000000000000000
  REGS: c00000003ffefd40 TRAP: 0700   Not tainted
  MSR: 8000000300201031 <SF,ME,IR,DR,LE,TM[SE]>  CR: 00000000  XER: 00000000
  CFAR: c0000000000098b4 SOFTE: 0
  PACATMSCRATCH: b00000010000d033
  GPR00: 0000000000000000 00003fffcfa1a370 0000000000000000 0000000000000000
  GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  GPR12: 00003fff966611c0 0000000000000000 0000000000000000 0000000000000000
  NIP [c000000000009980] fast_exception_return+0xb0/0xb8
  LR [0000000000000000]           (null)
  Call Trace:
  Instruction dump:
  f84d0278 e9a100d8 7c7b03a6 e84101a0 7c4ff120 e8410170 7c5a03a6 e8010070
  e8410080 e8610088 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed023b

  Kernel BUG at c000000000043e80 [verbose debug info unavailable]
  Unexpected TM Bad Thing exception at c000000000043e80 (msr 0x201033)
  Oops: Unrecoverable exception, sig: 6 [#2]
  CPU: 0 PID: 2006 Comm: tm-execed Tainted: G      D
  task: c0000000fbea6d80 ti: c00000003ffec000 task.ti: c0000000fb7ec000
  NIP: c000000000043e80 LR: c000000000015a24 CTR: 0000000000000000
  REGS: c00000003ffef7e0 TRAP: 0700   Tainted: G      D
  MSR: 8000000300201033 <SF,ME,IR,DR,RI,LE,TM[SE]>  CR: 28002828  XER: 00000000
  CFAR: c000000000015a20 SOFTE: 0
  PACATMSCRATCH: b00000010000d033
  GPR00: 0000000000000000 c00000003ffefa60 c000000000db5500 c0000000fbead000
  GPR04: 8000000300001033 2222222222222222 2222222222222222 00000000ff160000
  GPR08: 0000000000000000 800000010000d033 c0000000fb7e3ea0 c00000000fe00004
  GPR12: 0000000000002200 c00000000fe00000 0000000000000000 0000000000000000
  GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  GPR20: 0000000000000000 0000000000000000 c0000000fbea7410 00000000ff160000
  GPR24: c0000000ffe1f600 c0000000fbea8700 c0000000fbea8700 c0000000fbead000
  GPR28: c000000000e20198 c0000000fbea6d80 c0000000fbeab680 c0000000fbea6d80
  NIP [c000000000043e80] tm_restore_sprs+0xc/0x1c
  LR [c000000000015a24] __switch_to+0x1f4/0x420
  Call Trace:
  Instruction dump:
  7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8
  4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020

This fixes CVE-2016-5828.

Fixes: bc2a9408fa65 ("powerpc: Hook in new transactional memory code")
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/process.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1237,6 +1237,16 @@ void start_thread(struct pt_regs *regs,
 		current->thread.regs = regs - 1;
 	}
 
+#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+	/*
+	 * Clear any transactional state, we're exec()ing. The cause is
+	 * not important as there will never be a recheckpoint so it's not
+	 * user visible.
+	 */
+	if (MSR_TM_SUSPENDED(mfmsr()))
+		tm_reclaim_current(0);
+#endif
+
 	memset(regs->gpr, 0, sizeof(regs->gpr));
 	regs->ctr = 0;
 	regs->link = 0;
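
Review bot: the comment says "Clear any transactional state", but the test is MSR_TM_SUSPENDED(mfmsr()), so only the suspended case is reclaimed. If exec() can never reach start_thread() with an active (non-suspended) transaction, the comment should say so; otherwise the condition needs to cover that state as well. The placement before the memset() of regs->gpr matches the commit message, since the reclaim has to happen before the new process state is zeroed.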

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 111/305] scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (238 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 262/305] net/mlx5: Fix potential deadlock in command mode change Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 235/305] powerpc/tm: Always reclaim in start_thread() for exec() class syscalls Ben Hutchings
                   ` (65 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Martin K. Petersen, James E.J. Bottomley,
	Sebastian Parschauer, James Bottomley, Jack Wang

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: James Bottomley <James.Bottomley@HansenPartnership.com>

commit a621bac3044ed6f7ec5fa0326491b2d4838bfa93 upstream.

When SCSI was written, all commands coming from the filesystem
(REQ_TYPE_FS commands) had data.  This meant that our signal for needing
to complete the command was the number of bytes completed being equal to
the number of bytes in the request.  Unfortunately, with the advent of
flush barriers, we can now get zero length REQ_TYPE_FS commands, which
confuse this logic because they satisfy the condition every time.  This
means they never get retried even for retryable conditions, like UNIT
ATTENTION because we complete them early assuming they're done.  Fix
this by special casing the early completion condition to recognise zero
length commands with errors and let them drop through to the retry code.

Reported-by: Sebastian Parschauer <s.parschauer@gmx.de>
Signed-off-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
Tested-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/scsi_lib.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -775,9 +775,12 @@ void scsi_io_completion(struct scsi_cmnd
 	}
 
 	/*
-	 * If we finished all bytes in the request we are done now.
+	 * special case: failed zero length commands always need to
+	 * drop down into the retry code. Otherwise, if we finished
+	 * all bytes in the request we are done now.
 	 */
-	if (!blk_end_request(req, error, good_bytes))
+	if (!(blk_rq_bytes(req) == 0 && error) &&
+	    !blk_end_request(req, error, good_bytes))
 		goto next_command;
 
 	/*
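
Review bot: the new condition `!(blk_rq_bytes(req) == 0 && error) && !blk_end_request(...)` relies on short-circuit evaluation to skip blk_end_request() for a failed zero-length request, so the side effect of completing the request is hidden in the second operand of an &&. That is easy to misread; computing a local flag for "failed zero-length command" and testing it in its own if before calling blk_end_request() would make the control flow obvious. It also means every branch of the retry code below must eventually complete or requeue such a request, since nothing has ended it here; worth checking against the 3.16 version of the function because the backport only adjusted context.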

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 249/305] powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (80 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 039/305] char: Drop bogus dependency of DEVPORT on !M68K Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 096/305] remove directory incorrectly tries to set delete on close on non-empty directories Ben Hutchings
                   ` (223 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: akpm, Michael Neuling, Michael Ellerman, Cyril Bur

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michael Neuling <mikey@neuling.org>

commit 190ce8693c23eae09ba5f303a83bf2fbeb6478b1 upstream.

Currently we have 2 segments that are bolted for the kernel linear
mapping (ie 0xc000... addresses). This is 0 to 1TB and also the kernel
stacks. Anything accessed outside of these regions may need to be
faulted in. (In practice machines with TM always have 1T segments)

If a machine has < 2TB of memory we never fault on the kernel linear
mapping as these two segments cover all physical memory. If a machine
has > 2TB of memory, there may be structures outside of these two
segments that need to be faulted in. This faulting can occur when
running as a guest as the hypervisor may remove any SLB that's not
bolted.

When we treclaim and trecheckpoint we have a window where we need to
run with the userspace GPRs. This means that we no longer have a valid
stack pointer in r1. For this window we therefore clear MSR RI to
indicate that any exceptions taken at this point won't be able to be
handled. This means that we can't take segment misses in this RI=0
window.

In this RI=0 region, we currently access the thread_struct for the
process being context switched to or from. This thread_struct access
may cause a segment fault since it's not guaranteed to be covered by
the two bolted segment entries described above.

We've seen this with a crash when running as a guest with > 2TB of
memory on PowerVM:

  Unrecoverable exception 4100 at c00000000004f138
  Oops: Unrecoverable exception, sig: 6 [#1]
  SMP NR_CPUS=2048 NUMA pSeries
  CPU: 1280 PID: 7755 Comm: kworker/1280:1 Tainted: G                 X 4.4.13-46-default #1
  task: c000189001df4210 ti: c000189001d5c000 task.ti: c000189001d5c000
  NIP: c00000000004f138 LR: 0000000010003a24 CTR: 0000000010001b20
  REGS: c000189001d5f730 TRAP: 4100   Tainted: G                 X  (4.4.13-46-default)
  MSR: 8000000100001031 <SF,ME,IR,DR,LE>  CR: 24000048  XER: 00000000
  CFAR: c00000000004ed18 SOFTE: 0
  GPR00: ffffffffc58d7b60 c000189001d5f9b0 00000000100d7d00 000000003a738288
  GPR04: 0000000000002781 0000000000000006 0000000000000000 c0000d1f4d889620
  GPR08: 000000000000c350 00000000000008ab 00000000000008ab 00000000100d7af0
  GPR12: 00000000100d7ae8 00003ffe787e67a0 0000000000000000 0000000000000211
  GPR16: 0000000010001b20 0000000000000000 0000000000800000 00003ffe787df110
  GPR20: 0000000000000001 00000000100d1e10 0000000000000000 00003ffe787df050
  GPR24: 0000000000000003 0000000000010000 0000000000000000 00003fffe79e2e30
  GPR28: 00003fffe79e2e68 00000000003d0f00 00003ffe787e67a0 00003ffe787de680
  NIP [c00000000004f138] restore_gprs+0xd0/0x16c
  LR [0000000010003a24] 0x10003a24
  Call Trace:
  [c000189001d5f9b0] [c000189001d5f9f0] 0xc000189001d5f9f0 (unreliable)
  [c000189001d5fb90] [c00000000001583c] tm_recheckpoint+0x6c/0xa0
  [c000189001d5fbd0] [c000000000015c40] __switch_to+0x2c0/0x350
  [c000189001d5fc30] [c0000000007e647c] __schedule+0x32c/0x9c0
  [c000189001d5fcb0] [c0000000007e6b58] schedule+0x48/0xc0
  [c000189001d5fce0] [c0000000000deabc] worker_thread+0x22c/0x5b0
  [c000189001d5fd80] [c0000000000e7000] kthread+0x110/0x130
  [c000189001d5fe30] [c000000000009538] ret_from_kernel_thread+0x5c/0xa4
  Instruction dump:
  7cb103a6 7cc0e3a6 7ca222a6 78a58402 38c00800 7cc62838 08860000 7cc000a6
  38a00006 78c60022 7cc62838 0b060000 <e8c701a0> 7ccff120 e8270078 e8a70098
  ---[ end trace 602126d0a1dedd54 ]---

This fixes this by copying the required data from the thread_struct to
the stack before we clear MSR RI. Then once we clear RI, we only access
the stack, guaranteeing there's no segment miss.

We also tighten the region over which we set RI=0 on the treclaim()
path. This may have a slight performance impact since we're adding an
mtmsr instruction.

Fixes: 090b9284d725 ("powerpc/tm: Clear MSR RI in non-recoverable TM code")
Signed-off-by: Michael Neuling <mikey@neuling.org>
Reviewed-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/powerpc/kernel/tm.S | 61 ++++++++++++++++++++++++++++++++++--------------
 1 file changed, 44 insertions(+), 17 deletions(-)

--- a/arch/powerpc/kernel/tm.S
+++ b/arch/powerpc/kernel/tm.S
@@ -110,17 +110,11 @@ _GLOBAL(tm_reclaim)
 	std	r3, STK_PARAM(R3)(r1)
 	SAVE_NVGPRS(r1)
 
-	/* We need to setup MSR for VSX register save instructions.  Here we
-	 * also clear the MSR RI since when we do the treclaim, we won't have a
-	 * valid kernel pointer for a while.  We clear RI here as it avoids
-	 * adding another mtmsr closer to the treclaim.  This makes the region
-	 * maked as non-recoverable wider than it needs to be but it saves on
-	 * inserting another mtmsrd later.
-	 */
+	/* We need to setup MSR for VSX register save instructions. */
 	mfmsr	r14
 	mr	r15, r14
 	ori	r15, r15, MSR_FP
-	li	r16, MSR_RI
+	li	r16, 0
 	ori	r16, r16, MSR_EE /* IRQs hard off */
 	andc	r15, r15, r16
 	oris	r15, r15, MSR_VEC@h
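
Review bot: with MSR_RI dropped from the mask in r16, RI now stays set through the register save code that follows and is only cleared by the mtmsrd added in the next hunk, but the shortened comment no longer mentions RI at all. A one-line pointer here saying that RI is cleared later, just before the treclaim, would help anyone comparing this with the old code or with other stable branches.
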
@@ -176,7 +170,17 @@ dont_backup_fp:
 1:	tdeqi   r6, 0
 	EMIT_BUG_ENTRY 1b,__FILE__,__LINE__,0
 
-	/* The moment we treclaim, ALL of our GPRs will switch
+	/* Clear MSR RI since we are about to change r1, EE is already off. */
+	li	r4, 0
+	mtmsrd	r4, 1
+
+	/*
+	 * BE CAREFUL HERE:
+	 * At this point we can't take an SLB miss since we have MSR_RI
+	 * off. Load only to/from the stack/paca which are in SLB bolted regions
+	 * until we turn MSR RI back on.
+	 *
+	 * The moment we treclaim, ALL of our GPRs will switch
 	 * to user register state.  (FPRs, CCR etc. also!)
 	 * Use an sprg and a tm_scratch in the PACA to shuffle.
 	 */
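
Review bot: the RI clear uses r4 as scratch (`li r4, 0` / `mtmsrd r4, 1`), and nothing in this hunk shows that r4 is dead at this point in tm_reclaim. Please confirm that no later instruction reads the old r4, or say so in the comment. The BE CAREFUL block is a useful addition; it would be stronger if it named the instruction that ends the window, namely the mtmsrd that sets MSR_RI again in the following hunk.
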
@@ -197,6 +201,11 @@ dont_backup_fp:
 
 	/* Store the PPR in r11 and reset to decent value */
 	std	r11, GPR11(r1)			/* Temporary stash */
+
+	/* Reset MSR RI so we can take SLB faults again */
+	li	r11, MSR_RI
+	mtmsrd	r11, 1
+
 	mfspr	r11, SPRN_PPR
 	HMT_MEDIUM
 
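
Review bot: `li r11, MSR_RI` / `mtmsrd r11, 1` overwrites r11, which is safe only because the `std r11, GPR11(r1)` stash sits directly above it and r11 is reloaded from SPRN_PPR right after. That ordering dependency deserves a word in the comment, since moving the RI restore even one instruction earlier would lose the stashed value. The value loaded has only MSR_RI set, so the comment could also state that interrupts are meant to stay hard-disabled here.
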
@@ -397,11 +406,6 @@ restore_gprs:
 	ld	r5, THREAD_TM_DSCR(r3)
 	ld	r6, THREAD_TM_PPR(r3)
 
-	/* Clear the MSR RI since we are about to change R1.  EE is already off
-	 */
-	li	r4, 0
-	mtmsrd	r4, 1
-
 	REST_GPR(0, r7)				/* GPR0 */
 	REST_2GPRS(2, r7)			/* GPR2-3 */
 	REST_GPR(4, r7)				/* GPR4 */
@@ -439,10 +443,33 @@ restore_gprs:
 	ld	r6, _CCR(r7)
 	mtcr    r6
 
-	REST_GPR(1, r7)				/* GPR1 */
-	REST_GPR(5, r7)				/* GPR5-7 */
 	REST_GPR(6, r7)
-	ld	r7, GPR7(r7)
+
+	/*
+	 * Store r1 and r5 on the stack so that we can access them
+	 * after we clear MSR RI.
+	 */
+
+	REST_GPR(5, r7)
+	std	r5, -8(r1)
+	ld	r5, GPR1(r7)
+	std	r5, -16(r1)
+
+	REST_GPR(7, r7)
+
+	/* Clear MSR RI since we are about to change r1. EE is already off */
+	li	r5, 0
+	mtmsrd	r5, 1
+
+	/*
+	 * BE CAREFUL HERE:
+	 * At this point we can't take an SLB miss since we have MSR_RI
+	 * off. Load only to/from the stack/paca which are in SLB bolted regions
+	 * until we turn MSR RI back on.
+	 */
+
+	ld	r5, -8(r1)
+	ld	r1, -16(r1)
 
 	/* Commit register state as checkpointed state: */
 	TRECHKPT
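
Review bot: r5 and the user r1 are parked at -8(r1) and -16(r1), below the current stack pointer with no frame reserved, and REST_GPR(7, r7) still reads the thread_struct afterwards while RI is on. The comment should say why a fault taken on that load cannot overwrite those two slots before they are read back after the RI clear. It would also help to note that the order is forced: REST_GPR(7, r7) destroys the base pointer, so both r7-relative loads for r5 and GPR1 have to come before it.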

^ permalink raw reply	[flat|nested] 321+ messages in thread

* [PATCH 3.16 032/305] aacraid: Relinquish CPU during timeout wait
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (266 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 194/305] drm/i915/ilk: Don't disable SSC source if it's in use Ben Hutchings
@ 2016-08-13 17:42 ` Ben Hutchings
  2016-08-13 17:42 ` [PATCH 3.16 247/305] NFS: Fix another OPEN_DOWNGRADE bug Ben Hutchings
                   ` (37 subsequent siblings)
  305 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 17:42 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: akpm, Raghava Aditya Renukunta, Martin K. Petersen, Johannes Thumshirn

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>

commit 07beca2be24cc710461c0b131832524c9ee08910 upstream.

aac_fib_send has a special function case for initial commands during
driver initialization using wait < 0 (pseudo sync mode). In this case,
the command does not sleep but rather spins checking for timeout. This
loop calls cpu_relax() in an attempt to allow other processes/threads
to use the CPU, but this function does not relinquish the CPU and so the
command will hog the processor. This was observed in a KDUMP
"crashkernel" and that prevented the "command thread" (which is
responsible for completing the command from being timed out) from
starting because it could not get the CPU.

Fixed by replacing "cpu_relax()" call with "schedule()"
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/scsi/aacraid/commsup.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -590,10 +590,10 @@ int aac_fib_send(u16 command, struct fib
 					}
 					return -EFAULT;
 				}
-				/* We used to udelay() here but that absorbed
-				 * a CPU when a timeout occured. Not very
-				 * useful. */
-				cpu_relax();
+				/*
+				 * Allow other processes / CPUS to use core
+				 */
+				schedule();
 			}
 		} else if (down_interruptible(&fibptr->event_wait)) {
 			/* Do nothing ... satisfy
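
Review bot: replacing cpu_relax() with schedule() changes the requirements of this loop: schedule() may switch away, so the wait < 0 path must only run in process context with no spinlock held and interrupts enabled, which the hunk does not show. Please confirm that for every caller using the pseudo sync mode. If the intent is only to yield when something else is runnable, cond_resched() states that more directly. The new comment ("Allow other processes / CPUS to use core") could also mention the KDUMP case from the commit message, since that is the reason for the change.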

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 289/305] netfilter: x_tables: validate targets of jumps
  2016-08-13 17:42 ` [PATCH 3.16 289/305] netfilter: x_tables: validate targets of jumps Ben Hutchings
@ 2016-08-13 18:30   ` Florian Westphal
  2016-08-13 18:51     ` Ben Hutchings
  2016-11-12  2:29     ` Ben Hutchings
  0 siblings, 2 replies; 321+ messages in thread
From: Florian Westphal @ 2016-08-13 18:30 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, akpm, Florian Westphal, Pablo Neira Ayuso,
	Greg Kroah-Hartman

Ben Hutchings <ben@decadent.org.uk> wrote:
> 3.16.37-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Florian Westphal <fw@strlen.de>
> 
> commit 36472341017529e2b12573093cc0f68719300997 upstream.

[..]

> The extra overhead is negligible, even with absurd cases.

Not true, the overhead is huge and increases restore time for
large rulesets from mere seconds to minutes, see

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f4dc77713f8016d2e8a3295e1c9c53a21f296def

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 289/305] netfilter: x_tables: validate targets of jumps
  2016-08-13 18:30   ` Florian Westphal
@ 2016-08-13 18:51     ` Ben Hutchings
  2016-08-13 20:35         ` Florian Westphal
  2016-11-12  2:29     ` Ben Hutchings
  1 sibling, 1 reply; 321+ messages in thread
From: Ben Hutchings @ 2016-08-13 18:51 UTC (permalink / raw)
  To: Florian Westphal
  Cc: linux-kernel, stable, akpm, Pablo Neira Ayuso, Greg Kroah-Hartman

On Sat, 2016-08-13 at 20:30 +0200, Florian Westphal wrote:
> > Ben Hutchings <ben@decadent.org.uk> wrote:
> > 
> > 3.16.37-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > > > From: Florian Westphal <fw@strlen.de>
> > 
> > commit 36472341017529e2b12573093cc0f68719300997 upstream.
> 
> [..]
> 
> > 
> > The extra overhead is negligible, even with absurd cases.
> 
> Not true, the overhead is huge and increases restore time for
> large rulesets from mere seconds to minutes, see
> 
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f4dc77713f8016d2e8a3295e1c9c53a21f296def

So do you think I should add that to this update or defer the netfilter
changes to the next update?

Ben.

-- 
Ben Hutchings
Everything should be made as simple as possible, but not simpler.
                                                           - Albert Einstein

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 289/305] netfilter: x_tables: validate targets of jumps
  2016-08-13 18:51     ` Ben Hutchings
@ 2016-08-13 20:35         ` Florian Westphal
  0 siblings, 0 replies; 321+ messages in thread
From: Florian Westphal @ 2016-08-13 20:35 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Florian Westphal, linux-kernel, stable, akpm, Pablo Neira Ayuso,
	Greg Kroah-Hartman

Ben Hutchings <ben@decadent.org.uk> wrote:
> On Sat, 2016-08-13 at 20:30 +0200, Florian Westphal wrote:
> > > Ben Hutchings <ben@decadent.org.uk> wrote:
> > > 
> > > 3.16.37-rc1 review patch.  If anyone has any objections, please let me know.
> > > 
> > > ------------------
> > > 
> > > > > From: Florian Westphal <fw@strlen.de>
> > > 
> > > commit 36472341017529e2b12573093cc0f68719300997 upstream.
> > 
> > [..]
> > 
> > > 
> > > The extra overhead is negligible, even with absurd cases.
> > 
> > Not true, the overhead is huge and increases restore time for
> > large rulesets from mere seconds to minutes, see
> > 
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f4dc77713f8016d2e8a3295e1c9c53a21f296def
> 
> So do you think I should add that to this update or defer the netfilter
> changes to the next update?

Depends on what your focus is for 3.16.

If your focus is to better not break anything I would just drop
this patch and apply it for the next round with the fix
(f4dc77713f8016d2e8a3295e1c9c53a21f296def) on top once it had more
soak time.

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 000/305] 3.16.37-rc1 review
  2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
                   ` (304 preceding siblings ...)
  2016-08-13 17:42 ` [PATCH 3.16 141/305] KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi Ben Hutchings
@ 2016-08-13 20:43 ` Guenter Roeck
  2016-08-14  7:57   ` Ben Hutchings
  305 siblings, 1 reply; 321+ messages in thread
From: Guenter Roeck @ 2016-08-13 20:43 UTC (permalink / raw)
  To: Ben Hutchings, linux-kernel, stable; +Cc: torvalds, akpm

On 08/13/2016 10:42 AM, Ben Hutchings wrote:
> This is the start of the stable review cycle for the 3.16.37 release.
> There are 305 patches in this series, which will be posted as responses
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> As I've accumulated an unusually long patch series, I'm allowing a
> longer time for review.  Responses should be made by Sat Aug 20
> 00:00:00 UTC 2016.  Anything received after that time might be too
> late.
>

Build results:
	total: 139 pass: 139 fail: 0
Qemu test results:
	total: 98 pass: 98 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 102/305] xfs: xfs_iflush_cluster fails to abort on error
  2016-08-13 17:42 ` [PATCH 3.16 102/305] xfs: xfs_iflush_cluster fails to abort on error Ben Hutchings
@ 2016-08-13 23:36   ` Dave Chinner
  2016-08-16 19:45     ` Ben Hutchings
  0 siblings, 1 reply; 321+ messages in thread
From: Dave Chinner @ 2016-08-13 23:36 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, akpm, Christoph Hellwig, Shyam Kaushik,
	Dave Chinner

On Sat, Aug 13, 2016 at 06:42:51PM +0100, Ben Hutchings wrote:
> 3.16.37-rc1 review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Dave Chinner <dchinner@redhat.com>
> 
> commit b1438f477934f5a4d5a44df26f3079a7575d5946 upstream.
> 
> When a failure due to an inode buffer occurs, the error handling
> fails to abort the inode writeback correctly. This can result in the
> inode being reclaimed whilst still in the AIL, leading to
> use-after-free situations as well as filesystems that cannot be
> unmounted as the inode log items left in the AIL never get removed.
> 
> Fix this by ensuring fatal errors from xfs_imap_to_bp() result in
> the inode flush being aborted correctly.
....
>  
>  	/*
> -	 * Get the buffer containing the on-disk inode.
> +	 * Get the buffer containing the on-disk inode. We are doing a try-lock
> +	 * operation here, so we may get  an EAGAIN error. In that case, we
> +	 * simply want to return with the inode still dirty.
> +	 *
> +	 * If we get any other error, we effectively have a corruption situation
> +	 * and we cannot flush the inode, so we treat it the same as failing
> +	 * xfs_iflush_int().
>  	 */
>  	error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK,
>  			       0);
> -	if (error || !bp) {
> +	if (error == -EAGAIN) {

Wrong. As was pointed out for other -stable trees after users
reported regressions, the error signs in XFS changed from positive
to negative in 3.17-rc1.

-Dave.
-- 
Dave Chinner
david@fromorbit.com

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 000/305] 3.16.37-rc1 review
  2016-08-13 20:43 ` [PATCH 3.16 000/305] 3.16.37-rc1 review Guenter Roeck
@ 2016-08-14  7:57   ` Ben Hutchings
  0 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-14  7:57 UTC (permalink / raw)
  To: Guenter Roeck, linux-kernel, stable; +Cc: torvalds, akpm

[-- Attachment #1: Type: text/plain, Size: 921 bytes --]

On Sat, 2016-08-13 at 13:43 -0700, Guenter Roeck wrote:
> On 08/13/2016 10:42 AM, Ben Hutchings wrote:
> > 
> > This is the start of the stable review cycle for the 3.16.37 release.
> > There are 305 patches in this series, which will be posted as responses
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > As I've accumulated an unusually long patch series, I'm allowing a
> > longer time for review.  Responses should be made by Sat Aug 20
> > 00:00:00 UTC 2016.  Anything received after that time might be too
> > late.
> > 
> 
> Build results:
> 	total: 139 pass: 139 fail: 0
> Qemu test results:
> 	total: 98 pass: 98 fail: 0
> 
> Details are available at http://kerneltests.org/builders.

Thanks for checking.

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered an
expert.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 304/305] netfilter: ensure number of counters is >0 in do_replace()
  2016-08-13 17:42 ` [PATCH 3.16 304/305] netfilter: ensure number of counters is >0 in do_replace() Ben Hutchings
@ 2016-08-14 15:06   ` Dave Jones
  2016-08-14 23:00     ` Ben Hutchings
  0 siblings, 1 reply; 321+ messages in thread
From: Dave Jones @ 2016-08-14 15:06 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: linux-kernel, stable, akpm, Pablo Neira Ayuso

On Sat, Aug 13, 2016 at 06:42:51PM +0100, Ben Hutchings wrote:
 > 3.16.37-rc1 review patch.  If anyone has any objections, please let me know.
 > 
 > ------------------
 > 
 > From: Dave Jones <davej@codemonkey.org.uk>
 > 
 > commit 1086bbe97a074844188c6c988fa0b1a98c3ccbb9 upstream.

Make sure you grab the follow-up patch in d26e2c9ffa385dd1b646f43c1397ba12af9ed431

	Dave

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 304/305] netfilter: ensure number of counters is >0 in do_replace()
  2016-08-14 15:06   ` Dave Jones
@ 2016-08-14 23:00     ` Ben Hutchings
  0 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-14 23:00 UTC (permalink / raw)
  To: Dave Jones; +Cc: linux-kernel, stable, akpm, Pablo Neira Ayuso

[-- Attachment #1: Type: text/plain, Size: 623 bytes --]

On Sun, 2016-08-14 at 11:06 -0400, Dave Jones wrote:
> On Sat, Aug 13, 2016 at 06:42:51PM +0100, Ben Hutchings wrote:
>  > 3.16.37-rc1 review patch.  If anyone has any objections, please let me know.
>  > 
>  > ------------------
>  > 
>  > From: Dave Jones <davej@codemonkey.org.uk>
>  > 
>  > commit 1086bbe97a074844188c6c988fa0b1a98c3ccbb9 upstream.
> 
> Make sure you grab the follow-up patch in d26e2c9ffa385dd1b646f43c1397ba12af9ed431

Yes, that's the next in the series, thanks.

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered an
expert.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 321+ messages in thread

* RE: [PATCH 3.16 197/305] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing
  2016-08-13 17:42 ` [PATCH 3.16 197/305] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing Ben Hutchings
@ 2016-08-16  7:34   ` SebastienOcquidant
  0 siblings, 0 replies; 321+ messages in thread
From: SebastienOcquidant @ 2016-08-16  7:34 UTC (permalink / raw)
  To: ben, linux-kernel, stable; +Cc: akpm, rogerq

Ok No problem.

Sebastien



-----------------------------
Eaton Industries (France) S.A.S ~ Registered office: 110 Rue Blaise Pascal, Immeuble Le Viséo - Bâtiment A Innovallée, 38330, Montbonnot-St.-Martin, France ~ Place of registration in the trade register: Grenoble ~ Registration number: 509 653 176 ~ Subscribed and paid-up share capital: € 16215441 ~ VAT number: FR47509653176
-----------------------------

-----Original Message-----
From: Ben Hutchings [mailto:ben@decadent.org.uk]
Sent: Saturday 13 August 2016 19:43
To: linux-kernel@vger.kernel.org; stable@vger.kernel.org
Cc: akpm@linux-foundation.org; Roger Quadros; Ocquidant, Sebastien
Subject: [PATCH 3.16 197/305] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing

3.16.37-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: "Ocquidant, Sebastien" <sebastienocquidant@eaton.com>

commit 8f50b8e57442d28e41bb736c173d8a2490549a82 upstream.

In the omap gpmc driver it can be noticed that GPMC_CONFIG4_OEEXTRADELAY is overwritten by the WEEXTRADELAY value from the device tree and GPMC_CONFIG4_WEEXTRADELAY is not updated by the value from the device tree.

As a consequence, the memory accesses cannot be configured properly when the extra delay are needed for OE and WE.

Fix the update of GPMC_CONFIG4_WEEXTRADELAY with the value from the device tree file and prevents GPMC_CONFIG4_OEXTRADELAY being overwritten by the WEXTRADELAY value from the device tree.

Signed-off-by: Ocquidant, Sebastien <sebastienocquidant@eaton.com>
Signed-off-by: Roger Quadros <rogerq@ti.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 arch/arm/mach-omap2/gpmc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/mach-omap2/gpmc.c
+++ b/arch/arm/mach-omap2/gpmc.c
@@ -274,7 +274,7 @@ static void gpmc_cs_bool_timings(int cs,
 	gpmc_cs_modify_reg(cs, GPMC_CS_CONFIG4,
 			   GPMC_CONFIG4_OEEXTRADELAY, p->oe_extra_delay);
 	gpmc_cs_modify_reg(cs, GPMC_CS_CONFIG4,
-			   GPMC_CONFIG4_OEEXTRADELAY, p->we_extra_delay);
+			   GPMC_CONFIG4_WEEXTRADELAY, p->we_extra_delay);
 	gpmc_cs_modify_reg(cs, GPMC_CS_CONFIG6,
 			   GPMC_CONFIG6_CYCLE2CYCLESAMECSEN,
 			   p->cycle2cyclesamecsen);
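
Review bot: In the changed gpmc_cs_modify_reg() call, the backport relies on GPMC_CONFIG4_WEEXTRADELAY existing in the 3.16 tree; the backport note says only the filename was adjusted, so confirm the macro is defined for arch/arm/mach-omap2/gpmc.c there. Also, the commit message spells the fields GPMC_CONFIG4_OEXTRADELAY and WEXTRADELAY in its last paragraph, which does not match the identifiers in the hunk and will not be found by a search for the macro names.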

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 102/305] xfs: xfs_iflush_cluster fails to abort on error
  2016-08-13 23:36   ` Dave Chinner
@ 2016-08-16 19:45     ` Ben Hutchings
  2016-08-17  2:02         ` Dave Chinner
  0 siblings, 1 reply; 321+ messages in thread
From: Ben Hutchings @ 2016-08-16 19:45 UTC (permalink / raw)
  To: Dave Chinner
  Cc: linux-kernel, stable, akpm, Christoph Hellwig, Shyam Kaushik,
	Dave Chinner

[-- Attachment #1: Type: text/plain, Size: 1898 bytes --]

On Sun, 2016-08-14 at 09:36 +1000, Dave Chinner wrote:
> On Sat, Aug 13, 2016 at 06:42:51PM +0100, Ben Hutchings wrote:
> > 
> > 3.16.37-rc1 review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Dave Chinner <dchinner@redhat.com>
> > 
> > commit b1438f477934f5a4d5a44df26f3079a7575d5946 upstream.
> > 
> > When a failure due to an inode buffer occurs, the error handling
> > fails to abort the inode writeback correctly. This can result in the
> > inode being reclaimed whilst still in the AIL, leading to
> > use-after-free situations as well as filesystems that cannot be
> > unmounted as the inode log items left in the AIL never get removed.
> > 
> > Fix this by ensuring fatal errors from xfs_imap_to_bp() result in
> > the inode flush being aborted correctly.
> ....
> > 
> >  
> > > >  	/*
> > > > -	 * Get the buffer containing the on-disk inode.
> > > > +	 * Get the buffer containing the on-disk inode. We are doing a try-lock
> > > > +	 * operation here, so we may get  an EAGAIN error. In that case, we
> > > > +	 * simply want to return with the inode still dirty.
> > > > +	 *
> > > > +	 * If we get any other error, we effectively have a corruption situation
> > > > +	 * and we cannot flush the inode, so we treat it the same as failing
> > > > +	 * xfs_iflush_int().
> > > >  	 */
> > > >  	error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK,
> > > >  			       0);
> > > > -	if (error || !bp) {
> > > > +	if (error == -EAGAIN) {
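
Review bot: The removed test `if (error || !bp)` also caught a NULL bp returned with error == 0, and the replacement `if (error == -EAGAIN)` does not. The quote stops at that line, so how a NULL buffer from the XBF_TRYLOCK lookup is handled after this change is not visible here and should be confirmed against the full patch for this tree.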
> 
> Wrong. As was pointed out for other -stable trees after users
> reported regressions, the error signs in XFS changed from positive
> to negative in 3.17-rc1.

OK, so do I just need to delete the minus sign there?

Ben.

-- 
Ben Hutchings
If at first you don't succeed, you're doing about average.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 289/305] netfilter: x_tables: validate targets of jumps
  2016-08-13 20:35         ` Florian Westphal
  (?)
@ 2016-08-16 23:51         ` Ben Hutchings
  -1 siblings, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-08-16 23:51 UTC (permalink / raw)
  To: Florian Westphal
  Cc: linux-kernel, stable, akpm, Pablo Neira Ayuso, Greg Kroah-Hartman

[-- Attachment #1: Type: text/plain, Size: 1559 bytes --]

On Sat, 2016-08-13 at 22:35 +0200, Florian Westphal wrote:
> Ben Hutchings <ben@decadent.org.uk> wrote:
> > 
> > On Sat, 2016-08-13 at 20:30 +0200, Florian Westphal wrote:
> > > Ben Hutchings <ben@decadent.org.uk> wrote:
> > > > 
> > > > 3.16.37-rc1 review patch.  If anyone has any objections, please let me know.
> > > > 
> > > > ------------------
> > > > 
> > > > From: Florian Westphal <fw@strlen.de>
> > > > 
> > > > commit 36472341017529e2b12573093cc0f68719300997 upstream.
> > > 
> > > [..]
> > > 
> > > > The extra overhead is negligible, even with absurd cases.
> > > 
> > > Not true, the overhead is huge and increases restore time for
> > > large rulesets from mere seconds to minutes, see
> > > 
> > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f4dc77713f8016d2e8a3295e1c9c53a21f296def
> > 
> > So do you think I should add that to this update or defer the netfilter
> > changes to the next update?
> 
> Depends on what your focus is for 3.16.
> 
> If your focus is to better not break anything I would just drop
> this patch and apply it for the next round with the fix
> (f4dc77713f8016d2e8a3295e1c9c53a21f296def) on top once it had more
> soak time.

I thought there were more that depended on this one, but in fact
dropping just this seems to work.  So that's what I've done for now.
Thanks.

Ben.

-- 
Ben Hutchings
If at first you don't succeed, you're doing about average.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 321+ messages in thread

* Re: [PATCH 3.16 102/305] xfs: xfs_iflush_cluster fails to abort on error
  2016-08-16 19:45     ` Ben Hutchings
@ 2016-08-17  2:02         ` Dave Chinner
  0 siblings, 0 replies; 321+ messages in thread
From: Dave Chinner @ 2016-08-17  2:02 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Dave Chinner, linux-kernel, stable, akpm, Christoph Hellwig,
	Shyam Kaushik

On Tue, Aug 16, 2016 at 08:45:02PM +0100, Ben Hutchings wrote:
> On Sun, 2016-08-14 at 09:36 +1000, Dave Chinner wrote:
> > On Sat, Aug 13, 2016 at 06:42:51PM +0100, Ben Hutchings wrote:
> > > 
> > > 3.16.37-rc1 review patch.  If anyone has any objections, please let me know.
> > > 
> > > ------------------
> > > 
> > > From: Dave Chinner <dchinner@redhat.com>
> > > 
> > > commit b1438f477934f5a4d5a44df26f3079a7575d5946 upstream.
> > > 
> > > When a failure due to an inode buffer occurs, the error handling
> > > fails to abort the inode writeback correctly. This can result in the
> > > inode being reclaimed whilst still in the AIL, leading to
> > > use-after-free situations as well as filesystems that cannot be
> > > unmounted as the inode log items left in the AIL never get removed.
> > > 
> > > Fix this by ensuring fatal errors from xfs_imap_to_bp() result in
> > > the inode flush being aborted correctly.
> > ....
> > > 
> > >  
> > > > >  	/*
> > > > > -	 * Get the buffer containing the on-disk inode.
> > > > > +	 * Get the buffer containing the on-disk inode. We are doing a try-lock
> > > > > +	 * operation here, so we may get  an EAGAIN error. In that case, we
> > > > > +	 * simply want to return with the inode still dirty.
> > > > > +	 *
> > > > > +	 * If we get any other error, we effectively have a corruption situation
> > > > > +	 * and we cannot flush the inode, so we treat it the same as failing
> > > > > +	 * xfs_iflush_int().
> > > > >  	 */
> > > > >  	error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK,
> > > > >  			       0);
> > > > > -	if (error || !bp) {
> > > > > +	if (error == -EAGAIN) {
> > 
> > Wrong. As was pointed out for other -stable trees after users
> > reported regressions, the error signs in XFS changed from positive
> > to negative in 3.17-rc1.
> 
> OK, so do I just need to delete the minus sign there?

Yes.

-Dave.
-- 
Dave Chinner
dchinner@redhat.com

^ permalink raw reply	[flat|nested] 321+ messages in thread
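
The sign mismatch settled in this sub-thread, shown as an added C model (user-space code written for this page, not kernel code and not part of any message): a check written for negative errnos becomes a dead branch when the callee returns positive ones, so try-lock contention is classified as the fatal case. All function and enum names are hypothetical; the three outcomes follow the comment in the quoted hunk.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Outcomes described by the comment in the quoted hunk (model only). */
enum flush_outcome {
	FLUSH_PROCEED,     /* buffer obtained, flush continues */
	FLUSH_RETRY_LATER, /* try-lock failed: return with the inode still dirty */
	FLUSH_ABORT        /* any other error: treated as a fatal flush failure */
};

/* Sign convention of the callee, per the thread: positive in 3.16,
 * negative from 3.17-rc1 onwards. */
enum errno_style { ERRNO_POSITIVE, ERRNO_NEGATIVE };

typedef enum flush_outcome (*classifier_fn)(int error);

/* Hypothetical stand-in for the buffer lookup: reports condition `err`
 * (0 or an errno constant) using the given sign convention. */
static int model_imap_to_bp(enum errno_style style, int err)
{
	if (err == 0)
		return 0;
	return style == ERRNO_POSITIVE ? err : -err;
}

/* The check exactly as it appears in the quoted hunk. */
static enum flush_outcome classify_as_backported(int error)
{
	if (error == -EAGAIN)
		return FLUSH_RETRY_LATER;
	return error ? FLUSH_ABORT : FLUSH_PROCEED;
}

/* The check with the minus sign deleted, as agreed in the thread for 3.16. */
static enum flush_outcome classify_sign_dropped(int error)
{
	if (error == EAGAIN)
		return FLUSH_RETRY_LATER;
	return error ? FLUSH_ABORT : FLUSH_PROCEED;
}

/* What the comment in the hunk says should happen for each condition. */
static enum flush_outcome expected_outcome(int err)
{
	if (err == 0)
		return FLUSH_PROCEED;
	return err == EAGAIN ? FLUSH_RETRY_LATER : FLUSH_ABORT;
}

/* Backport self-check: feed a fixed set of conditions through the callee
 * model and count how many the classifier handles differently from the
 * intent stated in the comment. */
static int count_misclassified(classifier_fn classify, enum errno_style style)
{
	static const int conditions[] = { 0, EAGAIN, EIO, ENOMEM };
	int bad = 0;
	size_t i;

	for (i = 0; i < sizeof(conditions) / sizeof(conditions[0]); i++) {
		int returned = model_imap_to_bp(style, conditions[i]);

		if (classify(returned) != expected_outcome(conditions[i]))
			bad++;
	}
	return bad;
}

int main(void)
{
	printf("positive errnos, check from hunk:  %d misclassified\n",
	       count_misclassified(classify_as_backported, ERRNO_POSITIVE));
	printf("positive errnos, sign dropped:     %d misclassified\n",
	       count_misclassified(classify_sign_dropped, ERRNO_POSITIVE));
	printf("negative errnos, check from hunk:  %d misclassified\n",
	       count_misclassified(classify_as_backported, ERRNO_NEGATIVE));
	printf("negative errnos, sign dropped:     %d misclassified\n",
	       count_misclassified(classify_sign_dropped, ERRNO_NEGATIVE));
	return 0;
}
```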

* Re: [PATCH 3.16 289/305] netfilter: x_tables: validate targets of jumps
  2016-08-13 18:30   ` Florian Westphal
  2016-08-13 18:51     ` Ben Hutchings
@ 2016-11-12  2:29     ` Ben Hutchings
  1 sibling, 0 replies; 321+ messages in thread
From: Ben Hutchings @ 2016-11-12  2:29 UTC (permalink / raw)
  To: Florian Westphal
  Cc: linux-kernel, stable, akpm, Pablo Neira Ayuso, Greg Kroah-Hartman

[-- Attachment #1: Type: text/plain, Size: 821 bytes --]

On Sat, 2016-08-13 at 20:30 +0200, Florian Westphal wrote:
> Ben Hutchings <ben@decadent.org.uk> wrote:
> > 3.16.37-rc1 review patch.  If anyone has any objections, please let
> > me know.
> > 
> > ------------------
> > 
> > From: Florian Westphal <fw@strlen.de>
> > 
> > commit 36472341017529e2b12573093cc0f68719300997 upstream.
> 
> [..]
> 
> > The extra overhead is negligible, even with absurd cases.
> 
> Not true, the overhead is huge and increases restore time for
> large rulesets from mere seconds to minutes, see
> 
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f4dc77713f8016d2e8a3295e1c9c53a21f296def

I've queued both of these up for the next update.

Ben.

-- 
Ben Hutchings
If you seem to know what you are doing, you'll be given more to do.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

^ permalink raw reply	[flat|nested] 321+ messages in thread

Thread overview: 321+ messages (download: mbox.gz / follow: Atom feed)
2016-08-13 17:42 [PATCH 3.16 000/305] 3.16.37-rc1 review Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 227/305] Fix reconnect to not defer smb3 session reconnect long after socket reconnect Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 016/305] ipv6, token: allow for clearing the current device token Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 241/305] arc: unwind: warn only once if DW2_UNWIND is disabled Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 020/305] serial: doc: Re-add paragraph documenting uart_console_write() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 230/305] staging: iio: accel: fix error check Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 276/305] USB: usbfs: fix potential infoleak in devio Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 269/305] xenbus: don't bail early from xenbus_dev_request_and_reply() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 272/305] tmpfs: fix regression hang in fallocate undo Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 118/305] UBI: fix missing brace control flow Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 258/305] ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 084/305] blk-mq: fix undefined behaviour in order_to_size() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 123/305] sfc: on MC reset, clear PIO buffer linkage in TXQs Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 268/305] xenbus: don't BUG() on user mode induced condition Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 188/305] kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while processing sysrq-w Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 225/305] posix_acl: Add set_posix_acl Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 122/305] crypto: ccp - Fix AES XTS error for request sizes above 4096 Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 161/305] crypto: caam - fix caam_jr_alloc() ret code Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 112/305] drm/i915: Don't leave old junk in ilk active watermarks on readout Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 289/305] netfilter: x_tables: validate targets of jumps Ben Hutchings
2016-08-13 18:30   ` Florian Westphal
2016-08-13 18:51     ` Ben Hutchings
2016-08-13 20:35       ` Florian Westphal
2016-08-13 20:35         ` Florian Westphal
2016-08-16 23:51         ` Ben Hutchings
2016-11-12  2:29     ` Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 270/305] xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7 Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 178/305] usb: musb: Stop bulk endpoint while queue is rotated Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 054/305] MIPS: Avoid using unwind_stack() with usermode Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 305/305] Revert "netfilter: ensure number of counters is >0 in do_replace()" Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 257/305] qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 035/305] ext4: clean up error handling when orphan list is corrupted Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 013/305] ARM: OMAP2+: hwmod: fix _idle() hwmod state sanity check sequence Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 043/305] tty: vt, return error when con_startup fails Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 217/305] IB/mlx4: Verify port number in flow steering create flow Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 231/305] iio: accel: kxsd9: fix the usage of spi_w8r8() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 254/305] batman-adv: Fix double-put of vlan object Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 056/305] USB: serial: io_edgeport: fix memory leaks in attach error path Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 081/305] IB/core: Fix a potential array overrun in CMA and SA agent Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 155/305] cpufreq: intel_pstate: Fix ->set_policy() interface for no_turbo Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 028/305] alpha/PCI: Call iomem_is_exclusive() for IORESOURCE_MEM, but not IORESOURCE_IO Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 179/305] iio: Fix error handling in iio_trigger_attach_poll_func Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 042/305] mcb: Fixed bar number assignment for the gdd Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 103/305] xfs: fix inode validity check in xfs_iflush_cluster Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 279/305] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 060/305] USB: serial: quatech2: fix use-after-free in probe error path Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 284/305] s390/sclp_ctl: fix potential information leak with /dev/sclp Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 119/305] UBI: Fix static volume checks when Fastmap is used Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 278/305] ALSA: timer: Fix leak in events via snd_timer_user_ccallback Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 222/305] cifs: dynamic allocation of ntlmssp blob Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 082/305] i40e: fix an uninitialized variable bug Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 007/305] iommu/vt-d: Improve fault handler error messages Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 275/305] proc: prevent stacking filesystems on top Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 204/305] tracing: Handle NULL formats in hold_module_trace_bprintk_format() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 074/305] powerpc/iommu: Remove the dependency on EEH struct in DDW mechanism Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 208/305] ubi: Make recover_peb power cut aware Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 045/305] USB: serial: option: add even more ZTE device ids Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 015/305] [media] cx23885: uninitialized variable in cx23885_av_work_handler() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 172/305] usb: xhci-plat: properly handle probe deferral for devm_clk_get() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 171/305] HID: elo: kill not flush the work Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 263/305] net/mlx5: Add timeout handle to commands with callback Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 274/305] fs: limit filesystem stacking depth Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 094/305] fs/cifs: correctly to anonymous authentication for the NTLM(v1) authentication Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 012/305] cpuidle: Indicate when a device has been unregistered Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 073/305] sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded systems Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 283/305] KVM: PPC: Book3S HV: Save/restore TM state in H_CEDE Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 297/305] netfilter: x_tables: don't reject valid target size on some architectures Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 058/305] USB: serial: keyspan: fix use-after-free in probe error path Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 226/305] nfsd: check permissions when setting ACLs Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 291/305] netfilter: x_tables: kill check_entry helper Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 055/305] MIPS: Adjust set_pte() SMP fix to handle R10000_LLSC_WAR Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 281/305] rds: fix an infoleak in rds_inc_info_copy Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 246/305] Bridge: Fix ipv6 mc snooping if bridge has no ipv6 address Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 024/305] EDAC: Increment correct counter in edac_inc_ue_error() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 156/305] fix d_walk()/non-delayed __d_free() race Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 192/305] netem: fix a use after free Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 296/305] netfilter: x_tables: validate all offsets and sizes in a rule Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 138/305] ACPI / processor: Avoid reserving IO regions too early Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 181/305] ARM: 8578/1: mm: ensure pmd_present only checks the valid bit Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 005/305] ath5k: Change led pin configuration for compaq c700 laptop Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 196/305] kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 252/305] batman-adv: replace WARN with rate limited output on non-existing VLAN Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 206/305] pinctrl: single: Fix missing flush of posted write for a wakeirq Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 202/305] can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 052/305] MIPS: BMIPS: Fix PRID_IMP_BMIPS5000 masking for BMIPS5200 Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 159/305] net/mlx5: Fix masking of reserved bits in XRCD number Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 132/305] powerpc: Fix definition of SIAR and SDAR registers Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 039/305] char: Drop bogus dependency of DEVPORT on !M68K Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 249/305] powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0 Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 096/305] remove directory incorrectly tries to set delete on close on non-empty directories Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 213/305] xen/pciback: Fix conf_space read/write overlap check Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 200/305] isa: Call isa_bus_init before dependent ISA bus drivers register Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 282/305] KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 044/305] USB: serial: option: add more ZTE device ids Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 026/305] crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 130/305] hpfs: implement the show_options method Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 259/305] x86/power/64: Fix kernel text mapping corruption during image restoration Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 030/305] btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 153/305] tcp: record TLP and ER timer stats in v6 stats Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 240/305] ARC: unwind: ensure that .debug_frame is generated (vs. .eh_frame) Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 165/305] iio: proximity: as3935: fix buffer stack trashing Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 180/305] scsi: fix race between simultaneous decrements of ->host_failed Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 008/305] xfs: disallow rw remount on fs with unknown ro-compat features Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 152/305] x86, build: copy ldlinux.c32 to image.iso Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 168/305] usb: f_fs: off by one bug in _ffs_func_bind() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 294/305] netfilter: x_tables: check standard target size too Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 229/305] fs/nilfs2: fix potential underflow in call to crc32_le Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 183/305] crypto: ux500 - memmove the right size Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 106/305] net: ehea: avoid null pointer dereference Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 177/305] usb: musb: Ensure rx reinit occurs for shared_fifo endpoints Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 245/305] mac80211: Fix mesh estab_plinks counting in STA removal case Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 097/305] sunrpc: Update RPCBIND_MAXNETIDLEN Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 144/305] of: irq: fix of_irq_get[_byname]() kernel-doc Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 010/305] Bluetooth: vhci: fix open_timeout vs. hdev race Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 131/305] powerpc/pseries/eeh: Handle RTAS delay requests in configure_bridge Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 140/305] ARM: fix PTRACE_SETVFPREGS on SMP systems Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 301/305] netfilter: x_tables: xt_compat_match_from_user doesn't need a retval Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 169/305] usb: gadget: fix spinlock dead lock in gadgetfs Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 191/305] net_sched: update hierarchical backlog too Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 273/305] ALSA: compress: fix an integer overflow check Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 187/305] kprobes/x86: Clear TF bit in fault on single-stepping Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 071/305] perf tools: Fix perf regs mask generation Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 004/305] serial: doc: Un-document non-existing uart_write_console() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 031/305] arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 158/305] net/mlx5: Fix the size of modify QP mailbox Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 210/305] UBIFS: Implement ->migratepage() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 083/305] mmc: mmc: Fix partition switch timeout for some eMMCs Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 303/305] netfilter: x_tables: introduce and use xt_copy_counters_from_user Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 102/305] xfs: xfs_iflush_cluster fails to abort on error Ben Hutchings
2016-08-13 23:36   ` Dave Chinner
2016-08-16 19:45     ` Ben Hutchings
2016-08-17  2:02       ` Dave Chinner
2016-08-17  2:02         ` Dave Chinner
2016-08-13 17:42 ` [PATCH 3.16 095/305] fs/cifs: correctly to anonymous authentication for the NTLM(v2) authentication Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 214/305] IB/mlx5: Fix post send fence logic Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 147/305] mnt: fs_fully_visible test the proper mount for MNT_LOCKED Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 175/305] usb: quirks: Add no-lpm quirk for Acer C120 LED Projector Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 065/305] s390/vmem: fix identity mapping Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 280/305] tipc: fix an infoleak in tipc_nl_compat_link_dump Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 220/305] Input: elantech - add more IC body types to the list Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 243/305] net: bgmac: Start transmit queue in bgmac_open Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 176/305] USB: xhci: Add broken streams quirk for Frescologic device id 1009 Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 011/305] Bluetooth: vhci: purge unhandled skbs Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 001/305] regmap: cache: Fix typo in cache_bypass parameter description Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 133/305] powerpc: Use privileged SPR number for MMCR2 Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 290/305] netfilter: x_tables: add and use xt_check_entry_offsets Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 266/305] ALSA: timer: Fix negative queue usage by racy accesses Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 027/305] PCI: Supply CPU physical address (not bus address) to iomem_is_exclusive() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 062/305] MIPS: KVM: Fix timer IRQ race when writing CP0_Compare Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 059/305] USB: serial: mxuport: fix use-after-free in probe error path Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 139/305] drm/nouveau/fbcon: fix out-of-bounds memory accesses Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 126/305] Input: pwm-beeper - remove useless call to pwm_config() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 116/305] xen/events: Don't move disabled irqs Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 293/305] netfilter: x_tables: add compat version of xt_check_entry_offsets Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 075/305] MIPS: Fix race condition in lazy cache flushing Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 105/305] crypto: public_key: select CRYPTO_AKCIPHER Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 033/305] aacraid: Fix for aac_command_thread hang Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 157/305] gpio: bcm-kona: fix bcm_kona_gpio_reset() warnings Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 145/305] parisc: Fix pagefault crash in unaligned __get_user() call Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 090/305] drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 219/305] Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 136/305] arm64: Provide "model name" in /proc/cpuinfo for PER_LINUX32 tasks Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 100/305] batman-adv: Fix unexpected free of bcast_own on add_if error Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 072/305] rtlwifi: Fix logic error in enter/exit power-save mode Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 239/305] ALSA: echoaudio: Fix memory allocation Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 287/305] misc: mic: Fix for double fetch security bug in VOP driver Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 135/305] mac80211: mesh: flush mesh paths unconditionally Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 146/305] powerpc/pseries: Fix PCI config address for DDW Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 040/305] driver-core: use 'dev' argument in dev_dbg_ratelimited stub Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 080/305] IB/IWPM: Fix a potential skb leak Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 115/305] wait/ptrace: assume __WALL if the child is traced Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 092/305] fs/cifs: correctly to anonymous authentication via NTLMSSP Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 066/305] irqchip/gic: Ensure ordering between read of INTACK and shared data Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 211/305] powerpc/bpf/jit: Disable classic BPF JIT on ppc64le Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 018/305] scsi: Add intermediate STARGET_REMOVE state to scsi_target_state Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 265/305] net: bcmsysport: Device stats are unsigned long Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 049/305] arm64: Ensure pmd_present() returns false after pmd_mknotpresent() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 063/305] gcov: disable tree-loop-im to reduce stack usage Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 057/305] USB: serial: io_edgeport: fix memory leaks in probe error path Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 232/305] iio:ad7266: Fix broken regulator error handling Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 038/305] Fix OpenSSH pty regression on close Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 019/305] Revert "scsi: fix soft lockup in scsi_remove_target() on module removal" Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 302/305] netfilter: x_tables: do compat validation via translate_table Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 209/305] mm: Export migrate_page_move_mapping and migrate_page_copy Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 193/305] net_sched: fix pfifo_head_drop behavior vs backlog Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 088/305] netlink: Fix dump skb leak/double free Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 295/305] netfilter: x_tables: check for bogus target offset Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 197/305] memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing Ben Hutchings
2016-08-16  7:34   ` SebastienOcquidant
2016-08-13 17:42 ` [PATCH 3.16 167/305] usb: dwc3: exynos: Fix deferred probing storm Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 110/305] tuntap: correctly wake up process during uninit Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 117/305] UBI: do propagate positive error codes up Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 134/305] mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 036/305] MIPS: ath79: make bootconsole wait for both THRE and TEMT Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 221/305] cifs: use CIFS_MAX_DOMAINNAME_LEN when converting the domain name Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 068/305] kbuild: move -Wunused-const-variable to W=1 warning level Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 098/305] cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 267/305] qeth: delete napi struct when removing a qeth device Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 148/305] IB/IPoIB: Fix race between ipoib_remove_one to sysfs functions Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 228/305] tmpfs: don't undo fallocate past its last page Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 109/305] PM / sleep: Handle failures in device_suspend_late() consistently Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 253/305] batman-adv: Fix use-after-free/double-free of tt_req_node Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 067/305] arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 160/305] uvc: Forward compat ioctls to their handlers directly Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 114/305] sunrpc: fix stripping of padded MIC tokens Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 014/305] mfd: lp8788-irq: Uninitialized variable in irq handler Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 242/305] s390: fix test_fp_ctl inline assembly contraints Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 292/305] netfilter: x_tables: assert minimum target size Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 006/305] iommu/vt-d: Ratelimit fault handler Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 250/305] net: phy: Manage fixed PHY address space using IDA Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 077/305] ring-buffer: Use long for nr_pages to avoid overflow failures Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 223/305] HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 137/305] scsi: Add QEMU CD-ROM to VPD Inquiry Blacklist Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 143/305] ALSA: hda - Fix headset mic detection problem for Dell machine Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 017/305] drm/i915: Prevent machine death on Ivybridge context switching Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 286/305] tcp: make challenge acks less predictable Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 041/305] USB: serial: option: add support for Cinterion PH8 and AHxx Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 264/305] block: fix use-after-free in sys_ioprio_get() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 085/305] net/mlx4_core: Fix access to uninitialized index Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 260/305] x86/amd_nb: Fix boot crash on non-AMD systems Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 205/305] arm64: mm: remove page_mapping check in __sync_icache_dcache Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 086/305] x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 154/305] of: fix autoloading due to broken modalias with no 'compatible' Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 170/305] usb: gadget: avoid exposing kernel stack Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 079/305] RDMA/iw_cxgb4: Always wake up waiter in c4iw_peer_abort_intr() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 061/305] MIPS: KVM: Fix timer IRQ race when freezing timer Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 069/305] powerpc/mm/hash64: Factor out hash preload psize check Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 195/305] base: make module_create_drivers_dir race-free Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 164/305] iio: proximity: as3935: remove triggered buffer processing Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 034/305] ext4: fix hang when processing corrupted orphaned inode list Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 023/305] PM / Runtime: Fix error path in pm_runtime_force_resume() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 053/305] MIPS: Don't unwind to user mode with EVA Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 238/305] USB: don't free bandwidth_mutex too early Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 108/305] Input: uinput - handle compat ioctl for UI_SET_PHYS Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 182/305] ARM: 8579/1: mm: Fix definition of pmd_mknotpresent Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 113/305] mmc: longer timeout for long read time quirk Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 070/305] powerpc/mm/hash64: Fix subpage protection with 4K HPTE config Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 050/305] ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 288/305] netfilter: x_tables: don't move to non-existent next rule Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 215/305] IB/mlx4: Fix the SQ size of an RC QP Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 212/305] can: fix oops caused by wrong rtnl dellink usage Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 046/305] cpufreq: Fix GOV_LIMITS handling for the userspace governor Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 285/305] audit: fix a double fetch in audit_log_single_execve_arg() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 163/305] iio: proximity: as3935: correct IIO_CHAN_INFO_RAW output Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 087/305] PCI: Disable all BAR sizing for devices with non-compliant BARs Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 047/305] ACPI / sysfs: fix error code in get_status() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 101/305] batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 234/305] iio:ad7266: Fix probe deferral for vref Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 089/305] sched/preempt: Fix preempt_count manipulations Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 128/305] MIPS: fix read_msa_* & write_msa_* functions on non-MSA toolchains Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 262/305] net/mlx5: Fix potential deadlock in command mode change Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 111/305] scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 235/305] powerpc/tm: Always reclaim in start_thread() for exec() class syscalls Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 037/305] Revert "tty: Fix pty master poll() after slave closes v2" Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 299/305] netfilter: ip_tables: simplify translate_compat_table args Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 174/305] usb: quirks: Fix sorting Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 203/305] can: at91_can: RX queue could get stuck at high bus load Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 271/305] ecryptfs: don't allow mmap when the lower fs doesn't support it Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 261/305] bonding: prevent out of bound accesses Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 166/305] iio:st_pressure: fix sampling gains (bring inline with ABI) Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 189/305] ipv6: fix endianness error in icmpv6_err Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 029/305] crypto: s5p-sss - fix incorrect usage of scatterlists api Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 051/305] MIPS: Fix siginfo.h to use strict posix types Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 107/305] cifs: Create dedicated keyring for spnego operations Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 190/305] net_sched: introduce qdisc_replace() helper Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 218/305] IB/mlx4: Fix memory leak if QP creation failed Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 224/305] ALSA: dummy: Fix a use-after-free at closing Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 078/305] ring-buffer: Prevent overflow of size in ring_buffer_resize() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 120/305] RDMA/cxgb3: device driver frees DMA memory with different size Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 151/305] IB/IPoIB: Don't update neigh validity for unresolved entries Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 022/305] powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 216/305] IB/mlx4: Fix error flow when sending mads under SRIOV Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 099/305] batman-adv: fix skb deref after free Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 009/305] drm/gma500: Fix possible out of bounds read Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 076/305] MIPS: math-emu: Fix jalr emulation when rd == $0 Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 237/305] make nfs_atomic_open() call d_drop() on all ->open_context() errors Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 251/305] batman-adv: Fix memory leak on tt add with invalid vlan Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 048/305] ext4: fix oops on corrupted filesystem Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 194/305] drm/i915/ilk: Don't disable SSC source if it's in use Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 032/305] aacraid: Relinquish CPU during timeout wait Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 247/305] NFS: Fix another OPEN_DOWNGRADE bug Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 002/305] ARM: dts: kirkwood: add kirkwood-ds112.dtb to Makefile Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 173/305] USB: quirks: Fix entries on wrong list in 3.16.y Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 021/305] Bluetooth: vhci: Fix race at creating hci device Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 093/305] fs/cifs: correctly to anonymous authentication for the LANMAN authentication Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 149/305] IB/mlx5: Return PORT_ERR in Active to Initializing tranisition Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 129/305] hpfs: fix remount failure when there are no options changed Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 300/305] netfilter: ip6_tables: simplify translate_compat_table args Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 199/305] IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 248/305] ipr: Clear interrupt on croc/crocodile when running with LSI Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 003/305] ARM: dts: kirkwood: add kirkwood-nsa320.dtb to Makefile Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 121/305] ALSA: hda - Fix headset mic detection problem for one Dell machine Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 298/305] netfilter: arp_tables: simplify translate_compat_table args Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 201/305] hwmon: (dell-smm) Restrict fan control and serial number to CAP_SYS_ADMIN by default Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 233/305] iio:ad7266: Fix support for optional regulators Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 256/305] batman-adv: Clean up untagged vlan when destroying via rtnl-link Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 304/305] netfilter: ensure number of counters is >0 in do_replace() Ben Hutchings
2016-08-14 15:06   ` Dave Jones
2016-08-14 23:00     ` Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 104/305] xfs: skip stale inodes in xfs_iflush_cluster Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 207/305] net/mlx4_en: Fix the return value of a failure in VLAN VID add/kill Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 124/305] dma-debug: avoid spinlock recursion when disabling dma-debug Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 244/305] net: bgmac: Remove superflous netif_carrier_on() Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 142/305] KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 125/305] Input: xpad - prevent spurious input from wired Xbox 360 controllers Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 025/305] ext4: fix data exposure after a crash Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 255/305] batman-adv: Fix ICMP RR ethernet access after skb_linearize Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 198/305] KEYS: potential uninitialized variable Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 185/305] spi: sun4i: fix FIFO limit Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 162/305] mfd: omap-usb-tll: Fix scheduling while atomic BUG Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 277/305] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 184/305] drm/radeon: fix asic initialization for virtualized environments Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 091/305] drm/fb_helper: Fix references to dev->mode_config.num_connector Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 150/305] IB/mlx5: Fix returned values of query QP Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 236/305] KVM: arm/arm64: Stop leaking vcpu pid references Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 064/305] ata: sata_dwc_460ex: remove incorrect locking Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 127/305] Input: pwm-beeper - fix - scheduling while atomic Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 186/305] spi: sunxi: fix transfer timeout Ben Hutchings
2016-08-13 17:42 ` [PATCH 3.16 141/305] KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi Ben Hutchings
2016-08-13 20:43 ` [PATCH 3.16 000/305] 3.16.37-rc1 review Guenter Roeck
2016-08-14  7:57   ` Ben Hutchings
