* [PATCH 3.12 001/142] dm: flush queued bios when process blocks to avoid deadlock
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 002/142] xfs: pass total block res. as total xfs_bmapi_write() parameter Jiri Slaby
                   ` (142 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Mikulas Patocka, Mike Snitzer, Jiri Slaby

From: Mikulas Patocka <mpatocka@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d67a5f4b5947aba4bfe9a80a2b86079c215ca755 upstream.

Commit df2cb6daa4 ("block: Avoid deadlocks with bio allocation by
stacking drivers") created a workqueue for every bio set and code
in bio_alloc_bioset() that tries to resolve some low-memory deadlocks
by redirecting bios queued on current->bio_list to the workqueue if the
system is low on memory.  However other deadlocks (see below **) may
happen, without any low memory condition, because generic_make_request
is queuing bios to current->bio_list (rather than submitting them).

** the related dm-snapshot deadlock is detailed here:
https://www.redhat.com/archives/dm-devel/2016-July/msg00065.html

Fix this deadlock by redirecting any bios on current->bio_list to the
bio_set's rescue workqueue on every schedule() call.  Consequently,
when the process blocks on a mutex, the bios queued on
current->bio_list are dispatched to independent workqueues and they can
complete without waiting for the mutex to be available.

The structure blk_plug contains an entry cb_list and this list can contain
arbitrary callback functions that are called when the process blocks.
To implement this fix DM (ab)uses the onstack plug's cb_list interface
to get its flush_current_bio_list() called at schedule() time.

This fixes the snapshot deadlock - if the map method blocks,
flush_current_bio_list() will be called and it redirects bios waiting
on current->bio_list to appropriate workqueues.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1267650
Depends-on: df2cb6daa4 ("block: Avoid deadlocks with bio allocation by stacking drivers")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/md/dm.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 8c82835a4749..fafb82f383df 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1075,11 +1075,62 @@ int dm_set_target_max_io_len(struct dm_target *ti, sector_t len)
 }
 EXPORT_SYMBOL_GPL(dm_set_target_max_io_len);
 
+/*
+ * Flush current->bio_list when the target map method blocks.
+ * This fixes deadlocks in snapshot and possibly in other targets.
+ */
+struct dm_offload {
+	struct blk_plug plug;
+	struct blk_plug_cb cb;
+};
+
+static void flush_current_bio_list(struct blk_plug_cb *cb, bool from_schedule)
+{
+	struct dm_offload *o = container_of(cb, struct dm_offload, cb);
+	struct bio_list list;
+	struct bio *bio;
+
+	INIT_LIST_HEAD(&o->cb.list);
+
+	if (unlikely(!current->bio_list))
+		return;
+
+	list = *current->bio_list;
+	bio_list_init(current->bio_list);
+
+	while ((bio = bio_list_pop(&list))) {
+		struct bio_set *bs = bio->bi_pool;
+		if (unlikely(!bs) || bs == fs_bio_set) {
+			bio_list_add(current->bio_list, bio);
+			continue;
+		}
+
+		spin_lock(&bs->rescue_lock);
+		bio_list_add(&bs->rescue_list, bio);
+		queue_work(bs->rescue_workqueue, &bs->rescue_work);
+		spin_unlock(&bs->rescue_lock);
+	}
+}
+
+static void dm_offload_start(struct dm_offload *o)
+{
+	blk_start_plug(&o->plug);
+	o->cb.callback = flush_current_bio_list;
+	list_add(&o->cb.list, &current->plug->cb_list);
+}
+
+static void dm_offload_end(struct dm_offload *o)
+{
+	list_del(&o->cb.list);
+	blk_finish_plug(&o->plug);
+}
+
 static void __map_bio(struct dm_target_io *tio)
 {
 	int r;
 	sector_t sector;
 	struct mapped_device *md;
+	struct dm_offload o;
 	struct bio *clone = &tio->clone;
 	struct dm_target *ti = tio->ti;
 
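Review bot: flush_current_bio_list() re-initialises o->cb.list with INIT_LIST_HEAD() but never puts the callback back on a plug list, and nothing in the hunk says who unlinked it before the call. Please add a comment stating that the plug core removes the cb before invoking it (which is what makes the later list_del() in dm_offload_end() safe), and say whether a second sleep inside the same ->map() call is meant to be covered, since as written the callback is not re-armed after it has run once. The `!bs || bs == fs_bio_set` branch also deserves a line explaining why those bios are put back on current->bio_list instead of being handed to a rescuer workqueue.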
@@ -1093,7 +1144,11 @@ static void __map_bio(struct dm_target_io *tio)
 	 */
 	atomic_inc(&tio->io->io_count);
 	sector = clone->bi_sector;
+
+	dm_offload_start(&o);
 	r = ti->type->map(ti, clone);
+	dm_offload_end(&o);
+
 	if (r == DM_MAPIO_REMAPPED) {
 		/* the bio has been remapped so dispatch it */
 
-- 
2.12.2


* [PATCH 3.12 002/142] xfs: pass total block res. as total xfs_bmapi_write() parameter
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 001/142] dm: flush queued bios when process blocks to avoid deadlock Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 003/142] mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp Jiri Slaby
                   ` (141 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Brian Foster, Dave Chinner, Nikolay Borisov, Jiri Slaby

From: Brian Foster <bfoster@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit dbd5c8c9a28899c6ca719eb21afc0afba9dd5574 upstream.

The total field from struct xfs_alloc_arg is a bit of an unknown
commodity. It is documented as the total block requirement for the
transaction and is used in this manner from most call sites by virtue of
passing the total block reservation of the transaction associated with
an allocation. Several xfs_bmapi_write() callers pass hardcoded values
of 0 or 1 for the total block requirement, which is a historical oddity
without any clear reasoning.

The xfs_iomap_write_direct() caller, for example, passes 0 for the total
block requirement. This has been determined to cause problems in the
form of ABBA deadlocks of AGF buffers due to incorrect AG selection in
the block allocator. Specifically, the xfs_alloc_space_available()
function incorrectly selects an AG that doesn't actually have sufficient
space for the allocation. This occurs because the args.total field is 0
and thus the remaining free space check on the AG doesn't actually
consider the size of the allocation request. This locks the AGF buffer,
the allocation attempt proceeds and ultimately fails (in
xfs_alloc_fix_minleft()), and xfs_alloc_vexent() moves on to the next
AG. In turn, this can lead to incorrect AG locking order (if the
allocator wraps around, attempting to lock AG 0 after acquiring AG N)
and thus deadlock if racing with another operation. This problem has
been reproduced via generic/299 on smallish (1GB) ramdisk test devices.

To avoid this problem, replace the undocumented hardcoded total
parameters from the iomap and utility callers to pass the block
reservation used for the associated transaction. This is consistent with
other xfs_bmapi_write() callers throughout XFS. The assumption is that
the total field allows the selection of an AG that can handle the entire
operation rather than simply the allocation/range being requested (e.g.,
resulting btree splits, etc.). This addresses the aforementioned
generic/299 hang by ensuring AG selection only occurs when the
allocation can be satisfied by the AG.

[nb] backport to 3.12

Reported-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Acked-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/xfs/xfs_bmap_util.c | 2 +-
 fs/xfs/xfs_iomap.c     | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
index 97f952caea74..42cb2f3ea51f 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -1100,7 +1100,7 @@ xfs_alloc_file_space(
 		xfs_bmap_init(&free_list, &firstfsb);
 		error = xfs_bmapi_write(tp, ip, startoffset_fsb,
 					allocatesize_fsb, alloc_type, &firstfsb,
-					0, imapp, &nimaps, &free_list);
+					resblks, imapp, &nimaps, &free_list);
 		if (error) {
 			goto error0;
 		}
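Review bot: the new `resblks` argument in the xfs_bmapi_write() call is not defined anywhere in the visible context of xfs_alloc_file_space(), so this hunk alone cannot show that it is the value that was reserved for `tp`. For a backport, please confirm that resblks in the 3.12 version of this function is the reservation passed when the transaction was set up, because the fix depends on the total argument matching the real reservation.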
diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c
index 8d4d49b6fbf3..1d48f7a9b63e 100644
--- a/fs/xfs/xfs_iomap.c
+++ b/fs/xfs/xfs_iomap.c
@@ -217,7 +217,7 @@ xfs_iomap_write_direct(
 	xfs_bmap_init(&free_list, &firstfsb);
 	nimaps = 1;
 	error = xfs_bmapi_write(tp, ip, offset_fsb, count_fsb, bmapi_flag,
-				&firstfsb, 0, imap, &nimaps, &free_list);
+				&firstfsb, resblks, imap, &nimaps, &free_list);
 	if (error)
 		goto out_bmap_cancel;
 
@@ -762,7 +762,7 @@ xfs_iomap_write_allocate(
 			error = xfs_bmapi_write(tp, ip, map_start_fsb,
 						count_fsb,
 						XFS_BMAPI_STACK_SWITCH,
-						&first_block, 1,
+						&first_block, nres,
 						imap, &nimaps, &free_list);
 			if (error)
 				goto trans_cancel;
@@ -877,8 +877,8 @@ xfs_iomap_write_unwritten(
 		xfs_bmap_init(&free_list, &firstfsb);
 		nimaps = 1;
 		error = xfs_bmapi_write(tp, ip, offset_fsb, count_fsb,
-				  XFS_BMAPI_CONVERT, &firstfsb,
-				  1, &imap, &nimaps, &free_list);
+					XFS_BMAPI_CONVERT, &firstfsb, resblks,
+					&imap, &nimaps, &free_list);
 		if (error)
 			goto error_on_bmapi_transaction;
 
-- 
2.12.2


* [PATCH 3.12 003/142] mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 001/142] dm: flush queued bios when process blocks to avoid deadlock Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 002/142] xfs: pass total block res. as total xfs_bmapi_write() parameter Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 004/142] xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers Jiri Slaby
                   ` (140 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Keno Fischer, Greg Thelen, Nicholas Piggin,
	Willy Tarreau, Oleg Nesterov, Kees Cook, Andy Lutomirski,
	Michal Hocko, Hugh Dickins, Andrew Morton, Linus Torvalds,
	Ben Hutchings, Jiri Slaby

From: Keno Fischer <keno@juliacomputing.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8310d48b125d19fcd9521d83b8293e63eb1646aa upstream.

In commit 19be0eaffa3a ("mm: remove gup_flags FOLL_WRITE games from
__get_user_pages()"), the mm code was changed from unsetting FOLL_WRITE
after a COW was resolved to setting the (newly introduced) FOLL_COW
instead.  Simultaneously, the check in gup.c was updated to still allow
writes with FOLL_FORCE set if FOLL_COW had also been set.

However, a similar check in huge_memory.c was forgotten.  As a result,
remote memory writes to ro regions of memory backed by transparent huge
pages cause an infinite loop in the kernel (handle_mm_fault sets
FOLL_COW and returns 0 causing a retry, but follow_trans_huge_pmd bails
out immediately because `(flags & FOLL_WRITE) && !pmd_write(*pmd)` is
true).

While in this state the process is still SIGKILLable, but little else
works (e.g.  no ptrace attach, no other signals).  This is easily
reproduced with the following code (assuming thp are set to always):

    #include <assert.h>
    #include <fcntl.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/mman.h>
    #include <sys/stat.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <unistd.h>

    #define TEST_SIZE 5 * 1024 * 1024

    int main(void) {
      int status;
      pid_t child;
      int fd = open("/proc/self/mem", O_RDWR);
      void *addr = mmap(NULL, TEST_SIZE, PROT_READ,
                        MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
      assert(addr != MAP_FAILED);
      pid_t parent_pid = getpid();
      if ((child = fork()) == 0) {
        void *addr2 = mmap(NULL, TEST_SIZE, PROT_READ | PROT_WRITE,
                           MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
        assert(addr2 != MAP_FAILED);
        memset(addr2, 'a', TEST_SIZE);
        pwrite(fd, addr2, TEST_SIZE, (uintptr_t)addr);
        return 0;
      }
      assert(child == waitpid(child, &status, 0));
      assert(WIFEXITED(status) && WEXITSTATUS(status) == 0);
      return 0;
    }

Fix this by updating follow_trans_huge_pmd in huge_memory.c analogously
to the update in gup.c in the original commit.  The same pattern exists
in follow_devmap_pmd.  However, we should not be able to reach that
check with FOLL_COW set, so add WARN_ONCE to make sure we notice if we
ever do.

[akpm@linux-foundation.org: coding-style fixes]
Link: http://lkml.kernel.org/r/20170106015025.GA38411@juliacomputing.com
Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.2:
 - Drop change to follow_devmap_pmd()
 - pmd_dirty() is not available; check the page flags as in
   can_follow_write_pte()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[mhocko:
  This has been forward ported from the 3.2 stable tree.
  And fixed to return NULL.]
Reviewed-by: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 mm/huge_memory.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 04535b64119c..59ab994d1bc4 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1222,6 +1222,18 @@ out_unlock:
 	return ret;
 }
 
+/*
+ * foll_force can write to even unwritable pmd's, but only
+ * after we've gone through a cow cycle and they are dirty.
+ */
+static inline bool can_follow_write_pmd(pmd_t pmd, struct page *page,
+					unsigned int flags)
+{
+	return pmd_write(pmd) ||
+		((flags & FOLL_FORCE) && (flags & FOLL_COW) &&
+		 page && PageAnon(page));
+}
+
 struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
 				   unsigned long addr,
 				   pmd_t *pmd,
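Review bot: the comment above can_follow_write_pmd() says the pmd must be dirty after the COW cycle, but the code tests `page && PageAnon(page)` and never looks at a dirty bit. The commit message explains that pmd_dirty() is not available in this tree and that the page flags are checked instead; the code comment should say the same, so a reader does not assume the FOLL_FORCE path is gated on dirtiness here.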
@@ -1232,9 +1244,6 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
 
 	assert_spin_locked(&mm->page_table_lock);
 
-	if (flags & FOLL_WRITE && !pmd_write(*pmd))
-		goto out;
-
 	/* Avoid dumping huge zero page */
 	if ((flags & FOLL_DUMP) && is_huge_zero_pmd(*pmd))
 		return ERR_PTR(-EFAULT);
@@ -1245,6 +1254,10 @@ struct page *follow_trans_huge_pmd(struct vm_area_struct *vma,
 
 	page = pmd_page(*pmd);
 	VM_BUG_ON(!PageHead(page));
+
+	if (flags & FOLL_WRITE && !can_follow_write_pmd(*pmd, page, flags))
+		return NULL;
+
 	if (flags & FOLL_TOUCH) {
 		pmd_t _pmd;
 		/*
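Review bot: the `page &&` test inside can_follow_write_pmd() looks redundant at this call site, because page comes from pmd_page(*pmd) and has already been passed to PageHead() in the VM_BUG_ON() just above the new check. Either drop the NULL test from the helper or note that it is kept for symmetry with can_follow_write_pte(). It is also worth stating in the changelog that the write check now runs after the FOLL_DUMP zero-page test instead of before it, and returns NULL directly where the removed check did `goto out`.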
-- 
2.12.2


* [PATCH 3.12 004/142] xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (2 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 003/142] mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 005/142] USB: serial: digi_acceleport: fix OOB data sanity check Jiri Slaby
                   ` (139 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Mathias Nyman, Greg Kroah-Hartman, Jiri Slaby

From: Mathias Nyman <mathias.nyman@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 98d74f9ceaefc2b6c4a6440050163a83be0abede upstream.

PCI hotpluggable xhci controllers such as some Alpine Ridge solutions will
remove the xhci controller from the PCI bus when the last USB device is
disconnected.

Add a flag to indicate that the host is being removed to avoid queueing
configure_endpoint commands for the dropped endpoints.
For PCI hotplugged controllers this will prevent 5 second command timeouts.
For static xhci controllers the configure_endpoint command is not needed
in the removal case as everything will be returned, freed, and the
controller is reset.

For now the flag is only set for PCI connected host controllers.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/xhci-pci.c | 1 +
 drivers/usb/host/xhci.c     | 6 ++++--
 drivers/usb/host/xhci.h     | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index 6b11f6df76aa..dbde985a5690 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -281,6 +281,7 @@ static void xhci_pci_remove(struct pci_dev *dev)
 	struct xhci_hcd *xhci;
 
 	xhci = hcd_to_xhci(pci_get_drvdata(dev));
+	xhci->xhc_state |= XHCI_STATE_REMOVING;
 	if (xhci->shared_hcd) {
 		usb_remove_hcd(xhci->shared_hcd);
 		usb_put_hcd(xhci->shared_hcd);
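Review bot: `xhci->xhc_state |= XHCI_STATE_REMOVING;` in xhci_pci_remove() is a plain read-modify-write with no lock taken in the visible lines, while the same field is rewritten in xhci_start() by this patch. Please either set the flag under whatever lock protects xhc_state or add a comment explaining why no concurrent writer can exist at remove time.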
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 04ba50b05075..f9ca915ac944 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -143,7 +143,8 @@ static int xhci_start(struct xhci_hcd *xhci)
 				"waited %u microseconds.\n",
 				XHCI_MAX_HALT_USEC);
 	if (!ret)
-		xhci->xhc_state &= ~(XHCI_STATE_HALTED | XHCI_STATE_DYING);
+		/* clear state flags. Including dying, halted or removing */
+		xhci->xhc_state = 0;
 
 	return ret;
 }
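Review bot: `xhci->xhc_state = 0;` in xhci_start() clears every bit, so any state flag added later will be silently dropped on start, whereas the removed line cleared a named mask. Consider `xhci->xhc_state &= ~(XHCI_STATE_HALTED | XHCI_STATE_DYING | XHCI_STATE_REMOVING);`, or keep the assignment and reword the comment to say that all state bits are intentionally reset. The unbraced `if (!ret)` body is also easier to misread now that a comment sits between the condition and the statement.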
@@ -2742,7 +2743,8 @@ int xhci_check_bandwidth(struct usb_hcd *hcd, struct usb_device *udev)
 	if (ret <= 0)
 		return ret;
 	xhci = hcd_to_xhci(hcd);
-	if (xhci->xhc_state & XHCI_STATE_DYING)
+	if ((xhci->xhc_state & XHCI_STATE_DYING) ||
+		(xhci->xhc_state & XHCI_STATE_REMOVING))
 		return -ENODEV;
 
 	xhci_dbg(xhci, "%s called for udev %p\n", __func__, udev);
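Review bot: the two tests added to xhci_check_bandwidth() can be a single mask test, `xhci->xhc_state & (XHCI_STATE_DYING | XHCI_STATE_REMOVING)`, which reads better and removes the continuation line that is indented deeper than the condition it belongs to.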
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index 83bfb60d19c0..50bfdc61ad8d 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1525,6 +1525,7 @@ struct xhci_hcd {
  */
 #define XHCI_STATE_DYING	(1 << 0)
 #define XHCI_STATE_HALTED	(1 << 1)
+#define XHCI_STATE_REMOVING	(1 << 2)
 	/* Statistics */
 	int			error_bitmask;
 	unsigned int		quirks;
-- 
2.12.2


* [PATCH 3.12 005/142] USB: serial: digi_acceleport: fix OOB data sanity check
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (3 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 004/142] xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 006/142] USB: serial: digi_acceleport: fix OOB-event processing Jiri Slaby
                   ` (138 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 2d380889215fe20b8523345649dee0579821800c upstream.

Make sure to check for short transfers to avoid underflow in a loop
condition when parsing the receive buffer.

Also fix an off-by-one error in the incomplete sanity check which could
lead to invalid data being parsed.

Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/digi_acceleport.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
index fd525134666b..b5dcbf563cd4 100644
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1485,16 +1485,20 @@ static int digi_read_oob_callback(struct urb *urb)
 	struct usb_serial *serial = port->serial;
 	struct tty_struct *tty;
 	struct digi_port *priv = usb_get_serial_port_data(port);
+	unsigned char *buf = urb->transfer_buffer;
 	int opcode, line, status, val;
 	int i;
 	unsigned int rts;
 
+	if (urb->actual_length < 4)
+		return -1;
+
 	/* handle each oob command */
-	for (i = 0; i < urb->actual_length - 3;) {
-		opcode = ((unsigned char *)urb->transfer_buffer)[i++];
-		line = ((unsigned char *)urb->transfer_buffer)[i++];
-		status = ((unsigned char *)urb->transfer_buffer)[i++];
-		val = ((unsigned char *)urb->transfer_buffer)[i++];
+	for (i = 0; i < urb->actual_length - 4; i += 4) {
+		opcode = buf[i];
+		line = buf[i + 1];
+		status = buf[i + 2];
+		val = buf[i + 3];
 
 		dev_dbg(&port->dev, "digi_read_oob_callback: opcode=%d, line=%d, status=%d, val=%d\n",
 			opcode, line, status, val);
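Review bot: the new loop bound `i < urb->actual_length - 4` with `i += 4` stops one record early: with actual_length == 4, which the new guard accepts, the body never runs, and in general the last complete 4-byte command is skipped. The bound should be `i < urb->actual_length - 3` (or `i + 4 <= urb->actual_length`); the next patch in this series makes that correction, so the two must be applied together. The `actual_length < 4` guard itself is what keeps the subtraction on the u32 length from wrapping.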
-- 
2.12.2


* [PATCH 3.12 006/142] USB: serial: digi_acceleport: fix OOB-event processing
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (4 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 005/142] USB: serial: digi_acceleport: fix OOB data sanity check Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 007/142] crypto: improve gcc optimization flags for serpent and wp512 Jiri Slaby
                   ` (137 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 2e46565cf622dd0534a9d8bffe152a577b48d7aa upstream.

A recent change claimed to fix an off-by-one error in the OOB-port
completion handler, but instead introduced such an error. This could
specifically lead to modem-status changes going unnoticed, effectively
breaking TIOCMGET.

Note that the offending commit fixes a loop-condition underflow and is
marked for stable, but should not be backported without this fix.

Reported-by: Ben Hutchings <ben@decadent.org.uk>
Fixes: 2d380889215f ("USB: serial: digi_acceleport: fix OOB data sanity
check")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/digi_acceleport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
index b5dcbf563cd4..9c07bbc4f8a7 100644
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1494,7 +1494,7 @@ static int digi_read_oob_callback(struct urb *urb)
 		return -1;
 
 	/* handle each oob command */
-	for (i = 0; i < urb->actual_length - 4; i += 4) {
+	for (i = 0; i < urb->actual_length - 3; i += 4) {
 		opcode = buf[i];
 		line = buf[i + 1];
 		status = buf[i + 2];
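Review bot: `i < urb->actual_length - 3` is only safe because of the length guard that ends in the `return -1;` shown at the top of this hunk; without it the subtraction wraps for short transfers. Writing the condition as `i + 4 <= urb->actual_length` would make the bound correct on its own and remove the dependency on the guard staying in place.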
-- 
2.12.2


* [PATCH 3.12 007/142] crypto: improve gcc optimization flags for serpent and wp512
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (5 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 006/142] USB: serial: digi_acceleport: fix OOB-event processing Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 008/142] MIPS: ip27: Disable qlge driver in defconfig Jiri Slaby
                   ` (136 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Arnd Bergmann, Ralf Baechle, Herbert Xu, Jiri Slaby

From: Arnd Bergmann <arnd@arndb.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7d6e9105026788c497f0ab32fa16c82f4ab5ff61 upstream.

An ancient gcc bug (first reported in 2003) has apparently resurfaced
on MIPS, where kernelci.org reports an overly large stack frame in the
whirlpool hash algorithm:

crypto/wp512.c:987:1: warning: the frame size of 1112 bytes is larger than 1024 bytes [-Wframe-larger-than=]

With some testing in different configurations, I'm seeing large
variations in stack frame size up to 1500 bytes for what should have
around 300 bytes at most. I also checked the reference implementation,
which is essentially the same code but also comes with some test and
benchmarking infrastructure.

It seems that recent compiler versions on at least arm, arm64 and powerpc
have a partial fix for this problem, by enabling "-fsched-pressure", but
even with that fix they suffer from the issue to a certain degree. Some
testing on arm64 shows that the time needed to hash a given amount of
data is roughly proportional to the stack frame size here, which makes
sense given that the wp512 implementation is doing lots of loads for
table lookups, and the problem with the overly large stack is a result
of doing a lot more loads and stores for spilled registers (as seen from
inspecting the object code).

Disabling -fschedule-insns consistently fixes the problem for wp512,
in my collection of cross-compilers, the results are consistently better
or identical when comparing the stack sizes in this function, though
some architectures (notably x86) have schedule-insns disabled by
default.

The four columns are:
default: -O2
press:	 -O2 -fsched-pressure
nopress: -O2 -fschedule-insns -fno-sched-pressure
nosched: -O2 -no-schedule-insns (disables sched-pressure)

				default	press	nopress	nosched
alpha-linux-gcc-4.9.3		1136	848	1136	176
am33_2.0-linux-gcc-4.9.3	2100	2076	2100	2104
arm-linux-gnueabi-gcc-4.9.3	848	848	1048	352
cris-linux-gcc-4.9.3		272	272	272	272
frv-linux-gcc-4.9.3		1128	1000	1128	280
hppa64-linux-gcc-4.9.3		1128	336	1128	184
hppa-linux-gcc-4.9.3		644	308	644	276
i386-linux-gcc-4.9.3		352	352	352	352
m32r-linux-gcc-4.9.3		720	656	720	268
microblaze-linux-gcc-4.9.3	1108	604	1108	256
mips64-linux-gcc-4.9.3		1328	592	1328	208
mips-linux-gcc-4.9.3		1096	624	1096	240
powerpc64-linux-gcc-4.9.3	1088	432	1088	160
powerpc-linux-gcc-4.9.3		1080	584	1080	224
s390-linux-gcc-4.9.3		456	456	624	360
sh3-linux-gcc-4.9.3		292	292	292	292
sparc64-linux-gcc-4.9.3		992	240	992	208
sparc-linux-gcc-4.9.3		680	592	680	312
x86_64-linux-gcc-4.9.3		224	240	272	224
xtensa-linux-gcc-4.9.3		1152	704	1152	304

aarch64-linux-gcc-7.0.0		224	224	1104	208
arm-linux-gnueabi-gcc-7.0.1	824	824	1048	352
mips-linux-gcc-7.0.0		1120	648	1120	272
x86_64-linux-gcc-7.0.1		240	240	304	240

arm-linux-gnueabi-gcc-4.4.7	840			392
arm-linux-gnueabi-gcc-4.5.4	784	728	784	320
arm-linux-gnueabi-gcc-4.6.4	736	728	736	304
arm-linux-gnueabi-gcc-4.7.4	944	784	944	352
arm-linux-gnueabi-gcc-4.8.5	464	464	760	352
arm-linux-gnueabi-gcc-4.9.3	848	848	1048	352
arm-linux-gnueabi-gcc-5.3.1	824	824	1064	336
arm-linux-gnueabi-gcc-6.1.1	808	808	1056	344
arm-linux-gnueabi-gcc-7.0.1	824	824	1048	352

Trying the same test for serpent-generic, the picture is a bit different,
and while -fno-schedule-insns is generally better here than the default,
-fsched-pressure wins overall, so I picked that instead.

				default	press	nopress	nosched
alpha-linux-gcc-4.9.3		1392	864	1392	960
am33_2.0-linux-gcc-4.9.3	536	524	536	528
arm-linux-gnueabi-gcc-4.9.3	552	552	776	536
cris-linux-gcc-4.9.3		528	528	528	528
frv-linux-gcc-4.9.3		536	400	536	504
hppa64-linux-gcc-4.9.3		524	208	524	480
hppa-linux-gcc-4.9.3		768	472	768	508
i386-linux-gcc-4.9.3		564	564	564	564
m32r-linux-gcc-4.9.3		712	576	712	532
microblaze-linux-gcc-4.9.3	724	392	724	512
mips64-linux-gcc-4.9.3		720	384	720	496
mips-linux-gcc-4.9.3		728	384	728	496
powerpc64-linux-gcc-4.9.3	704	304	704	480
powerpc-linux-gcc-4.9.3		704	296	704	480
s390-linux-gcc-4.9.3		560	560	592	536
sh3-linux-gcc-4.9.3		540	540	540	540
sparc64-linux-gcc-4.9.3		544	352	544	496
sparc-linux-gcc-4.9.3		544	344	544	496
x86_64-linux-gcc-4.9.3		528	536	576	528
xtensa-linux-gcc-4.9.3		752	544	752	544

aarch64-linux-gcc-7.0.0		432	432	656	480
arm-linux-gnueabi-gcc-7.0.1	616	616	808	536
mips-linux-gcc-7.0.0		720	464	720	488
x86_64-linux-gcc-7.0.1		536	528	600	536

arm-linux-gnueabi-gcc-4.4.7	592			440
arm-linux-gnueabi-gcc-4.5.4	776	448	776	544
arm-linux-gnueabi-gcc-4.6.4	776	448	776	544
arm-linux-gnueabi-gcc-4.7.4	768	448	768	544
arm-linux-gnueabi-gcc-4.8.5	488	488	776	544
arm-linux-gnueabi-gcc-4.9.3	552	552	776	536
arm-linux-gnueabi-gcc-5.3.1	552	552	776	536
arm-linux-gnueabi-gcc-6.1.1	560	560	776	536
arm-linux-gnueabi-gcc-7.0.1	616	616	808	536

I did not do any runtime tests with serpent, so it is possible that stack
frame size does not directly correlate with runtime performance here and
it actually makes things worse, but it's more likely to help here, and
the reduced stack frame size is probably enough reason to apply the patch,
especially given that the crypto code is often used in deep call chains.

Link: https://kernelci.org/build/id/58797d7559b5149efdf6c3a9/logs/
Link: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=11488
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 crypto/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/Makefile b/crypto/Makefile
index e0ec1c0e0eee..017bd0704c73 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -52,6 +52,7 @@ obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o
 obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o
 obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o
 obj-$(CONFIG_CRYPTO_WP512) += wp512.o
+CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns)  # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
 obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o
 obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o
 obj-$(CONFIG_CRYPTO_ECB) += ecb.o
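Review bot: the bug-tracker URL is appended as a trailing `#` comment on the `CFLAGS_wp512.o :=` line; make keeps the whitespace before a trailing comment as part of the variable value, and the long line is hard to scan. Put the comment on its own line above the assignment and say in it which symptom the flag addresses (the oversized stack frame), since `$(call cc-option,...)` silently drops the flag on compilers that reject it and nothing else in the Makefile records why it is there.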
@@ -72,6 +73,7 @@ obj-$(CONFIG_CRYPTO_BLOWFISH_COMMON) += blowfish_common.o
 obj-$(CONFIG_CRYPTO_TWOFISH) += twofish_generic.o
 obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o
 obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o
+CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure)  # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
 obj-$(CONFIG_CRYPTO_AES) += aes_generic.o
 obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o
 obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o
-- 
2.12.2


* [PATCH 3.12 008/142] MIPS: ip27: Disable qlge driver in defconfig
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (6 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 007/142] crypto: improve gcc optimization flags for serpent and wp512 Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 009/142] MIPS: ip22: Fix ip28 build for modern gcc Jiri Slaby
                   ` (135 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Arnd Bergmann, Ralf Baechle, linux-mips,
	James Hogan, Jiri Slaby

From: Arnd Bergmann <arnd@arndb.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b617649468390713db1515ea79fc772d2eb897a8 upstream.

One of the last remaining failures in kernelci.org is for a gcc bug:

drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: error: insn does not satisfy its constraints:
drivers/net/ethernet/qlogic/qlge/qlge_main.c:4819:1: internal compiler error: in extract_constrain_insn, at recog.c:2190

This is apparently broken in gcc-6 but fixed in gcc-7, and I cannot
reproduce the problem here. However, it is clear that ip27_defconfig
does not actually need this driver as the platform has only PCI-X but
not PCIe, and the qlge adapter in turn is PCIe-only.

The driver was originally enabled in 2010 along with lots of other
drivers.

Fixes: 59d302b342e5 ("MIPS: IP27: Make defconfig useful again.")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/15197/
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/mips/configs/ip27_defconfig | 1 -
 1 file changed, 1 deletion(-)

diff --git a/arch/mips/configs/ip27_defconfig b/arch/mips/configs/ip27_defconfig
index 0e36abcd39cc..7446284dd7b3 100644
--- a/arch/mips/configs/ip27_defconfig
+++ b/arch/mips/configs/ip27_defconfig
@@ -206,7 +206,6 @@ CONFIG_MLX4_EN=m
 # CONFIG_MLX4_DEBUG is not set
 CONFIG_TEHUTI=m
 CONFIG_BNX2X=m
-CONFIG_QLGE=m
 CONFIG_SFC=m
 CONFIG_BE2NET=m
 CONFIG_LIBERTAS_THINFIRM=m
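Review bot: Deleting `CONFIG_QLGE=m` leaves the symbol at whatever its Kconfig default is rather than recording the decision; the `# CONFIG_MLX4_DEBUG is not set` line in the context shows the explicit form. Deleting the line is fine when the default is already off, so it is worth confirming that this is the case here.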
-- 
2.12.2


* [PATCH 3.12 009/142] MIPS: ip22: Fix ip28 build for modern gcc
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (7 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 008/142] MIPS: ip27: Disable qlge driver in defconfig Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 010/142] mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy Jiri Slaby
                   ` (134 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Arnd Bergmann, linux-mips, Ralf Baechle, Jiri Slaby

From: Arnd Bergmann <arnd@arndb.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 23ca9b522383d3b9b7991d8586db30118992af4a upstream.

kernelci reports a failure of the ip28_defconfig build after upgrading its
gcc version:

arch/mips/sgi-ip22/Platform:29: *** gcc doesn't support needed option -mr10k-cache-barrier=store.  Stop.

The problem apparently is that the -mr10k-cache-barrier=store option is now
rejected for CPUs other than r10k. Explicitly including the CPU in the
check fixes this and is safe because both options were introduced in
gcc-4.4.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/15049/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/mips/sgi-ip22/Platform | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/sgi-ip22/Platform b/arch/mips/sgi-ip22/Platform
index b7a4b7e04c38..e8f6b3a42a48 100644
--- a/arch/mips/sgi-ip22/Platform
+++ b/arch/mips/sgi-ip22/Platform
@@ -25,7 +25,7 @@ endif
 # Simplified: what IP22 does at 128MB+ in ksegN, IP28 does at 512MB+ in xkphys
 #
 ifdef CONFIG_SGI_IP28
-  ifeq ($(call cc-option-yn,-mr10k-cache-barrier=store), n)
+  ifeq ($(call cc-option-yn,-march=r10000 -mr10k-cache-barrier=store), n)
       $(error gcc doesn't support needed option -mr10k-cache-barrier=store)
   endif
 endif
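Review bot: The probe now passes `-march=r10000 -mr10k-cache-barrier=store` to `cc-option-yn`, but the `$(error ...)` text on the following line still names only `-mr10k-cache-barrier=store`. A compiler that rejects `-march=r10000` would be reported as lacking the cache-barrier option; consider updating the message to mention both flags.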
-- 
2.12.2


* [PATCH 3.12 010/142] mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (8 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 009/142] MIPS: ip22: Fix ip28 build for modern gcc Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 011/142] MIPS: ralink: Cosmetic change to prom_init() Jiri Slaby
                   ` (133 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Arnd Bergmann, Brian Norris, Jiri Slaby

From: Arnd Bergmann <arnd@arndb.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 906b268477bc03daaa04f739844c120fe4dbc991 upstream.

kernelci.org reports a warning for this driver, as it copies a local
variable into a 'const char *' string:

    drivers/mtd/maps/pmcmsp-flash.c:149:30: warning: passing argument 1 of 'strncpy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]

Using kstrndup() simplifies the code and avoids the warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/mtd/maps/pmcmsp-flash.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/mtd/maps/pmcmsp-flash.c b/drivers/mtd/maps/pmcmsp-flash.c
index f9fa3fad728e..2051f28ddac6 100644
--- a/drivers/mtd/maps/pmcmsp-flash.c
+++ b/drivers/mtd/maps/pmcmsp-flash.c
@@ -139,15 +139,13 @@ static int __init init_msp_flash(void)
 		}
 
 		msp_maps[i].bankwidth = 1;
-		msp_maps[i].name = kmalloc(7, GFP_KERNEL);
+		msp_maps[i].name = kstrndup(flash_name, 7, GFP_KERNEL);
 		if (!msp_maps[i].name) {
 			iounmap(msp_maps[i].virt);
 			kfree(msp_parts[i]);
 			goto cleanup_loop;
 		}
 
-		msp_maps[i].name = strncpy(msp_maps[i].name, flash_name, 7);
-
 		for (j = 0; j < pcnt; j++) {
 			part_name[5] = '0' + i;
 			part_name[7] = '0' + j;
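Review bot: Replacing `kmalloc(7, GFP_KERNEL)` plus `strncpy(..., flash_name, 7)` with `kstrndup(flash_name, 7, GFP_KERNEL)` changes more than the warning: the old code copied up to 7 bytes into a 7-byte buffer and could leave `name` without a terminating NUL, whereas kstrndup() always terminates the copy. That is an improvement and deserves a sentence in the changelog. The literal 7 also remains a magic number; tying it to the length of `flash_name` would keep the two in step.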
-- 
2.12.2


* [PATCH 3.12 011/142] MIPS: ralink: Cosmetic change to prom_init().
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (9 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 010/142] mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 012/142] cpmac: remove hopeless #warning Jiri Slaby
                   ` (132 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Crispin, linux-mips, Ralf Baechle, Jiri Slaby

From: John Crispin <john@phrozen.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 9c48568b3692f1a56cbf1935e4eea835e6b185b1 upstream.

Over the years the code has been changed various times leading to
argc/argv being defined in a different function to where we actually
use the variables. Clean this up by moving them to prom_init_cmdline().

Signed-off-by: John Crispin <john@phrozen.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/14902/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/mips/ralink/prom.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/arch/mips/ralink/prom.c b/arch/mips/ralink/prom.c
index 9c64f029d047..87312dfcee38 100644
--- a/arch/mips/ralink/prom.c
+++ b/arch/mips/ralink/prom.c
@@ -24,8 +24,10 @@ const char *get_system_type(void)
 	return soc_info.sys_type;
 }
 
-static __init void prom_init_cmdline(int argc, char **argv)
+static __init void prom_init_cmdline(void)
 {
+	int argc;
+	char **argv;
 	int i;
 
 	pr_debug("prom: fw_arg0=%08x fw_arg1=%08x fw_arg2=%08x fw_arg3=%08x\n",
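Review bot: `argc` and `argv` are now uninitialised locals in `prom_init_cmdline()`, and the lines that assign them fall outside this hunk's context. Please confirm both are set before their first use; declaring them together with their initial values would make that evident.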
@@ -54,14 +56,11 @@ static __init void prom_init_cmdline(int argc, char **argv)
 
 void __init prom_init(void)
 {
-	int argc;
-	char **argv;
-
 	prom_soc_init(&soc_info);
 
 	pr_info("SoC Type: %s\n", get_system_type());
 
-	prom_init_cmdline(argc, argv);
+	prom_init_cmdline();
 }
 
 void __init prom_free_prom_memory(void)
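Review bot: The removed call `prom_init_cmdline(argc, argv)` passed two locals by value that `prom_init()` never assigned, so this is slightly more than cosmetic: it stops handing uninitialised values to the callee. The changelog could say so.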
-- 
2.12.2


* [PATCH 3.12 012/142] cpmac: remove hopeless #warning
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (10 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 011/142] MIPS: ralink: Cosmetic change to prom_init() Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 013/142] MIPS: DEC: Avoid la pseudo-instruction in delay slots Jiri Slaby
                   ` (131 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Arnd Bergmann, David S . Miller, Jiri Slaby

From: Arnd Bergmann <arnd@arndb.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d43e6fb4ac4abfe4ef7c102833ed02330ad701e0 upstream.

The #warning was present 10 years ago when the driver first got merged.
As the platform is rather obsolete by now, it seems very unlikely that
the warning will cause anyone to fix the code properly.

kernelci.org reports the warning for every build in the meantime, so
I think it's better to just turn it into a code comment to reduce
noise.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/ethernet/ti/cpmac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/ti/cpmac.c b/drivers/net/ethernet/ti/cpmac.c
index 97f3e626b535..b4febe5aac3d 100644
--- a/drivers/net/ethernet/ti/cpmac.c
+++ b/drivers/net/ethernet/ti/cpmac.c
@@ -1242,7 +1242,7 @@ int cpmac_init(void)
 		goto fail_alloc;
 	}
 
-#warning FIXME: unhardcode gpio&reset bits
+	/* FIXME: unhardcode gpio&reset bits */
 	ar7_gpio_disable(26);
 	ar7_gpio_disable(27);
 	ar7_device_reset(AR7_RESET_BIT_CPMAC_LO);
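Review bot: With the `#warning` gone the FIXME is only visible to someone reading `cpmac_init()`, so the comment should say which values it means: the literals passed to `ar7_gpio_disable(26)` and `ar7_gpio_disable(27)` and the reset bit on the line after them.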
-- 
2.12.2


* [PATCH 3.12 013/142] MIPS: DEC: Avoid la pseudo-instruction in delay slots
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (11 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 012/142] cpmac: remove hopeless #warning Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 014/142] tracing: Add #undef to fix compile error Jiri Slaby
                   ` (130 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Ralf Baechle, Jiri Slaby

From: Ralf Baechle <ralf@linux-mips.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3021773c7c3e75e20b693931a19362681e744ea9 upstream.

When expanding the la or dla pseudo-instruction in a delay slot the GNU
assembler will complain should the pseudo-instruction expand to multiple
actual instructions, since only the first of them will be in the delay
slot leading to the pseudo-instruction being only partially executed if
the branch is taken. Use of PTR_LA in the dec int-handler.S leads to
such warnings:

  arch/mips/dec/int-handler.S: Assembler messages:
  arch/mips/dec/int-handler.S:149: Warning: macro instruction expanded into multiple instructions in a branch delay slot
  arch/mips/dec/int-handler.S:198: Warning: macro instruction expanded into multiple instructions in a branch delay slot

Avoid this by open coding the PTR_LA macros.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/mips/dec/int-handler.S | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/arch/mips/dec/int-handler.S b/arch/mips/dec/int-handler.S
index 22afed16ccde..a6087a0b951e 100644
--- a/arch/mips/dec/int-handler.S
+++ b/arch/mips/dec/int-handler.S
@@ -146,7 +146,25 @@
 		/*
 		 * Find irq with highest priority
 		 */
-		 PTR_LA t1,cpu_mask_nr_tbl
+		# open coded PTR_LA t1, cpu_mask_nr_tbl
+#if (_MIPS_SZPTR == 32)
+		# open coded la t1, cpu_mask_nr_tbl
+		lui	t1, %hi(cpu_mask_nr_tbl)
+		addiu	t1, %lo(cpu_mask_nr_tbl)
+
+#endif
+#if (_MIPS_SZPTR == 64)
+		# open coded dla t1, cpu_mask_nr_tbl
+		.set	push
+		.set	noat
+		lui	t1, %highest(cpu_mask_nr_tbl)
+		lui	AT, %hi(cpu_mask_nr_tbl)
+		daddiu	t1, t1, %higher(cpu_mask_nr_tbl)
+		daddiu	AT, AT, %lo(cpu_mask_nr_tbl)
+		dsll	t1, 32
+		daddu	t1, t1, AT
+		.set	pop
+#endif
 1:		lw	t2,(t1)
 		nop
 		and	t2,t0
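Review bot: Open-coding the address load silences the assembler warning but does not change which instruction sits in the delay slot. Per the changelog only the first instruction of the expansion executes there, so if this position follows a branch, only the first `lui` runs on the taken path and `t1` is partially loaded exactly as before. Please add a comment stating that `t1` is not used on the taken path, or move the load out of the slot.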
@@ -195,7 +213,25 @@
 		/*
 		 * Find irq with highest priority
 		 */
-		 PTR_LA t1,asic_mask_nr_tbl
+		# open coded PTR_LA t1,asic_mask_nr_tbl
+#if (_MIPS_SZPTR == 32)
+		# open coded la t1, asic_mask_nr_tbl
+		lui	t1, %hi(asic_mask_nr_tbl)
+		addiu	t1, %lo(asic_mask_nr_tbl)
+
+#endif
+#if (_MIPS_SZPTR == 64)
+		# open coded dla t1, asic_mask_nr_tbl
+		.set	push
+		.set	noat
+		lui	t1, %highest(asic_mask_nr_tbl)
+		lui	AT, %hi(asic_mask_nr_tbl)
+		daddiu	t1, t1, %higher(asic_mask_nr_tbl)
+		daddiu	AT, AT, %lo(asic_mask_nr_tbl)
+		dsll	t1, 32
+		daddu	t1, t1, AT
+		.set	pop
+#endif
 2:		lw	t2,(t1)
 		nop
 		and	t2,t0
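Review bot: This is a second verbatim copy of the sequence from the first hunk with only the symbol changed; a local assembler macro taking the register and the symbol would keep the two in step. Two smaller points apply to both copies: the 32-bit branch writes `addiu t1, %lo(...)` in two-operand form while the 64-bit branch uses three operands (`daddiu t1, t1, ...`), and if `_MIPS_SZPTR` is neither 32 nor 64 nothing is emitted and `t1` is never loaded, so an `#else` with `#error` would be safer.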
-- 
2.12.2


* [PATCH 3.12 014/142] tracing: Add #undef to fix compile error
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (12 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 013/142] MIPS: DEC: Avoid la pseudo-instruction in delay slots Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 015/142] usb: dwc3: gadget: make Set Endpoint Configuration macros safe Jiri Slaby
                   ` (129 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Rik van Riel, Steven Rostedt, Jiri Slaby

From: Rik van Riel <riel@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit bf7165cfa23695c51998231c4efa080fe1d3548d upstream.

There are several trace include files that define TRACE_INCLUDE_FILE.

Include several of them in the same .c file (as I currently have in
some code I am working on), and the compile will blow up with a
"warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls"

Every other include file in include/trace/events/ avoids that issue
by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h
should have one, too.

Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com

Fixes: b8007ef74222 ("tracing: Separate raw syscall from syscall tracer")
Signed-off-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/trace/events/syscalls.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/trace/events/syscalls.h b/include/trace/events/syscalls.h
index 5a4c04a75b3d..55c9b99ff9a6 100644
--- a/include/trace/events/syscalls.h
+++ b/include/trace/events/syscalls.h
@@ -1,5 +1,6 @@
 #undef TRACE_SYSTEM
 #define TRACE_SYSTEM raw_syscalls
+#undef TRACE_INCLUDE_FILE
 #define TRACE_INCLUDE_FILE syscalls
 
 #if !defined(_TRACE_EVENTS_SYSCALLS_H) || defined(TRACE_HEADER_MULTI_READ)
-- 
2.12.2


* [PATCH 3.12 015/142] usb: dwc3: gadget: make Set Endpoint Configuration macros safe
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (13 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 014/142] tracing: Add #undef to fix compile error Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 016/142] usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers Jiri Slaby
                   ` (128 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Felipe Balbi, Jiri Slaby

From: Felipe Balbi <felipe.balbi@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7369090a9fb57c3fc705ce355d2e4523a5a24716 upstream.

Some gadget drivers are bad, bad boys. We notice
that ADB was passing bad Burst Size which caused top
bits of param0 to be overwritten which confused DWC3
when running this command.

In order to avoid future issues, we're going to make
sure values passed by macros are always safe for the
controller. Note that ADB still needs a fix to *not*
pass bad values.

Reported-by: Mohamed Abbas <mohamed.abbas@intel.com>
Suggested-by: Adam Andruszak <adam.andruszak@intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/dwc3/gadget.h | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/dwc3/gadget.h b/drivers/usb/dwc3/gadget.h
index ac62558231be..2809d7e9a063 100644
--- a/drivers/usb/dwc3/gadget.h
+++ b/drivers/usb/dwc3/gadget.h
@@ -28,23 +28,23 @@ struct dwc3;
 #define gadget_to_dwc(g)	(container_of(g, struct dwc3, gadget))
 
 /* DEPCFG parameter 1 */
-#define DWC3_DEPCFG_INT_NUM(n)		((n) << 0)
+#define DWC3_DEPCFG_INT_NUM(n)		(((n) & 0x1f) << 0)
 #define DWC3_DEPCFG_XFER_COMPLETE_EN	(1 << 8)
 #define DWC3_DEPCFG_XFER_IN_PROGRESS_EN	(1 << 9)
 #define DWC3_DEPCFG_XFER_NOT_READY_EN	(1 << 10)
 #define DWC3_DEPCFG_FIFO_ERROR_EN	(1 << 11)
 #define DWC3_DEPCFG_STREAM_EVENT_EN	(1 << 13)
-#define DWC3_DEPCFG_BINTERVAL_M1(n)	((n) << 16)
+#define DWC3_DEPCFG_BINTERVAL_M1(n)	(((n) & 0xff) << 16)
 #define DWC3_DEPCFG_STREAM_CAPABLE	(1 << 24)
-#define DWC3_DEPCFG_EP_NUMBER(n)	((n) << 25)
+#define DWC3_DEPCFG_EP_NUMBER(n)	(((n) & 0x1f) << 25)
 #define DWC3_DEPCFG_BULK_BASED		(1 << 30)
 #define DWC3_DEPCFG_FIFO_BASED		(1 << 31)
 
 /* DEPCFG parameter 0 */
-#define DWC3_DEPCFG_EP_TYPE(n)		((n) << 1)
-#define DWC3_DEPCFG_MAX_PACKET_SIZE(n)	((n) << 3)
-#define DWC3_DEPCFG_FIFO_NUMBER(n)	((n) << 17)
-#define DWC3_DEPCFG_BURST_SIZE(n)	((n) << 22)
+#define DWC3_DEPCFG_EP_TYPE(n)		(((n) & 0x3) << 1)
+#define DWC3_DEPCFG_MAX_PACKET_SIZE(n)	(((n) & 0x7ff) << 3)
+#define DWC3_DEPCFG_FIFO_NUMBER(n)	(((n) & 0x1f) << 17)
+#define DWC3_DEPCFG_BURST_SIZE(n)	(((n) & 0xf) << 22)
 #define DWC3_DEPCFG_DATA_SEQ_NUM(n)	((n) << 26)
 /* This applies for core versions earlier than 1.94a */
 #define DWC3_DEPCFG_IGN_SEQ_NUM		(1 << 31)
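Review bot: `DWC3_DEPCFG_DATA_SEQ_NUM(n)` is left as `((n) << 26)` while every other parameterised macro in this block gains a mask, so an oversized sequence number can still spill into bit 31, which `DWC3_DEPCFG_IGN_SEQ_NUM` uses in the same parameter. Either mask it as well or note why it is exempt. Masking also truncates a bad value silently; since the changelog says ADB still passes bad values, a warning at the call site when a value does not fit its field would make such callers visible.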
-- 
2.12.2


* [PATCH 3.12 016/142] usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (14 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 015/142] usb: dwc3: gadget: make Set Endpoint Configuration macros safe Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 017/142] USB: serial: safe_serial: fix information leak in completion handler Jiri Slaby
                   ` (127 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Guenter Roeck, Mathias Nyman, Jiri Slaby

From: Guenter Roeck <linux@roeck-us.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 upstream.

Upstream commit 98d74f9ceaef ("xhci: fix 10 second timeout on removal of
PCI hotpluggable xhci controllers") fixes a problem with hot pluggable PCI
xhci controllers which can result in excessive timeouts, to the point where
the system reports a deadlock.

The same problem is seen with hot pluggable xhci controllers using the
xhci-plat driver, such as the driver used for Type-C ports on rk3399.
Similar to hot-pluggable PCI controllers, the driver for this chip
removes the xhci controller from the system when the Type-C cable is
disconnected.

The solution for PCI devices works just as well for non-PCI devices
and avoids the problem.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/xhci-plat.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
index bb50d309b8e6..bc8e584dfdf3 100644
--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -185,6 +185,8 @@ static int xhci_plat_remove(struct platform_device *dev)
 	struct usb_hcd	*hcd = platform_get_drvdata(dev);
 	struct xhci_hcd	*xhci = hcd_to_xhci(hcd);
 
+	xhci->xhc_state |= XHCI_STATE_REMOVING;
+
 	usb_remove_hcd(xhci->shared_hcd);
 	usb_put_hcd(xhci->shared_hcd);
 
-- 
2.12.2


* [PATCH 3.12 017/142] USB: serial: safe_serial: fix information leak in completion handler
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (15 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 016/142] usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 018/142] USB: serial: omninet: fix reference leaks at open Jiri Slaby
                   ` (126 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 upstream.

Add missing sanity check to the bulk-in completion handler to avoid an
integer underflow that could be triggered by a malicious device.

This avoids leaking up to 56 bytes from after the URB transfer buffer to
user space.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/safe_serial.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/serial/safe_serial.c b/drivers/usb/serial/safe_serial.c
index ba895989d8c4..246cdefa0e88 100644
--- a/drivers/usb/serial/safe_serial.c
+++ b/drivers/usb/serial/safe_serial.c
@@ -206,6 +206,11 @@ static void safe_process_read_urb(struct urb *urb)
 	if (!safe)
 		goto out;
 
+	if (length < 2) {
+		dev_err(&port->dev, "malformed packet\n");
+		return;
+	}
+
 	fcs = fcs_compute10(data, length, CRC10_INITFCS);
 	if (fcs) {
 		dev_err(&port->dev, "%s - bad CRC %x\n", __func__, fcs);
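Review bot: The new `length < 2` branch calls `dev_err()` on input that the changelog says a malicious device can supply, so such a device can fill the kernel log at will; `dev_err_ratelimited()` or `dev_dbg()` would fit better. The message also omits the `__func__` prefix that the `bad CRC` message just below uses, and the branch exits with `return` where the `!safe` check above uses `goto out`, so a short comment on why the two exits differ would help.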
-- 
2.12.2


* [PATCH 3.12 018/142] USB: serial: omninet: fix reference leaks at open
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (16 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 017/142] USB: serial: safe_serial: fix information leak in completion handler Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 019/142] USB: iowarrior: fix NULL-deref at probe Jiri Slaby
                   ` (125 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 30572418b445d85fcfe6c8fe84c947d2606767d8 upstream.

This driver needlessly took another reference to the tty on open, a
reference which was then never released on close. This led to not just
a leak of the tty, but also a driver reference leak that prevented the
driver from being unloaded after a port had once been opened.

Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/omninet.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/drivers/usb/serial/omninet.c b/drivers/usb/serial/omninet.c
index 24720f656387..8028e5ffe80d 100644
--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -143,12 +143,6 @@ static int omninet_port_remove(struct usb_serial_port *port)
 
 static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port)
 {
-	struct usb_serial	*serial = port->serial;
-	struct usb_serial_port	*wport;
-
-	wport = serial->port[1];
-	tty_port_tty_set(&wport->port, tty);
-
 	return usb_serial_generic_open(tty, port);
 }
 
-- 
2.12.2


* [PATCH 3.12 019/142] USB: iowarrior: fix NULL-deref at probe
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (17 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 018/142] USB: serial: omninet: fix reference leaks at open Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 020/142] USB: iowarrior: fix NULL-deref in write Jiri Slaby
                   ` (124 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream.

Make sure to check for the required interrupt-in endpoint to avoid
dereferencing a NULL-pointer should a malicious device lack such an
endpoint.

Note that a fairly recent change purported to fix this issue, but added
an insufficient test on the number of endpoints only, a test which can
now be removed.

Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/misc/iowarrior.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index 4c24ba0a6574..6dda72ef6ccf 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -792,12 +792,6 @@ static int iowarrior_probe(struct usb_interface *interface,
 	iface_desc = interface->cur_altsetting;
 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
 
-	if (iface_desc->desc.bNumEndpoints < 1) {
-		dev_err(&interface->dev, "Invalid number of endpoints\n");
-		retval = -EINVAL;
-		goto error;
-	}
-
 	/* set up the endpoint information */
 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
 		endpoint = &iface_desc->endpoint[i].desc;
@@ -808,6 +802,13 @@ static int iowarrior_probe(struct usb_interface *interface,
 			/* this one will match for the IOWarrior56 only */
 			dev->int_out_endpoint = endpoint;
 	}
+
+	if (!dev->int_in_endpoint) {
+		dev_err(&interface->dev, "no interrupt-in endpoint found\n");
+		retval = -ENODEV;
+		goto error;
+	}
+
 	/* we have to check the report_size often, so remember it in the endianness suitable for our machine */
 	dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
 	if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
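Review bot: The `!dev->int_in_endpoint` test in the second hunk only works if the pointer is NULL before the endpoint loop runs, and the allocation of `dev` is outside the visible context; please confirm it is zeroed. The error code also changes from `-EINVAL` in the removed check to `-ENODEV` here, which the changelog does not mention.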
-- 
2.12.2


* [PATCH 3.12 020/142] USB: iowarrior: fix NULL-deref in write
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (18 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 019/142] USB: iowarrior: fix NULL-deref at probe Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 021/142] USB: serial: io_ti: fix NULL-deref in interrupt callback Jiri Slaby
                   ` (123 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit de46e56653de7b3b54baa625bd582635008b8d05 upstream.

Make sure to verify that we have the required interrupt-out endpoint for
IOWarrior56 devices to avoid dereferencing a NULL-pointer in write
should a malicious device lack such an endpoint.

Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/misc/iowarrior.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index 6dda72ef6ccf..05aa716cf6b5 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -809,6 +809,14 @@ static int iowarrior_probe(struct usb_interface *interface,
 		goto error;
 	}
 
+	if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) {
+		if (!dev->int_out_endpoint) {
+			dev_err(&interface->dev, "no interrupt-out endpoint found\n");
+			retval = -ENODEV;
+			goto error;
+		}
+	}
+
 	/* we have to check the report_size often, so remember it in the endianness suitable for our machine */
 	dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
 	if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
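Review bot: The nested `if` can be a single condition, `if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56 && !dev->int_out_endpoint)`, which saves an indentation level and brings the `dev_err()` line back under 80 columns.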
-- 
2.12.2


* [PATCH 3.12 021/142] USB: serial: io_ti: fix NULL-deref in interrupt callback
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (19 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 020/142] USB: iowarrior: fix NULL-deref in write Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 022/142] USB: serial: io_ti: fix information leak in completion handler Jiri Slaby
                   ` (122 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 0b1d250afb8eb9d65afb568bac9b9f9253a82b49 upstream.

Fix a NULL-pointer dereference in the interrupt callback should a
malicious device send data containing a bad port number by adding the
missing sanity check.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/io_ti.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index d569d773e1ce..2e4589a7b982 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1572,6 +1572,12 @@ static void edge_interrupt_callback(struct urb *urb)
 	function    = TIUMP_GET_FUNC_FROM_CODE(data[0]);
 	dev_dbg(dev, "%s - port_number %d, function %d, info 0x%x\n", __func__,
 		port_number, function, data[1]);
+
+	if (port_number >= edge_serial->serial->num_ports) {
+		dev_err(dev, "bad port number %d\n", port_number);
+		goto exit;
+	}
+
 	port = edge_serial->serial->port[port_number];
 	edge_port = usb_get_serial_port_data(port);
 	if (!edge_port) {
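Review bot: `dev_err()` in the new `port_number >= edge_serial->serial->num_ports` branch is driven by data that, per the changelog, a malicious device controls, so a device that keeps sending a bad port number can flood the kernel log from the interrupt callback. `dev_err_ratelimited()` would cap that while keeping the message.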
-- 
2.12.2


* [PATCH 3.12 022/142] USB: serial: io_ti: fix information leak in completion handler
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (20 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 021/142] USB: serial: io_ti: fix NULL-deref in interrupt callback Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 023/142] mvsas: fix misleading indentation Jiri Slaby
                   ` (121 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 654b404f2a222f918af9b0cd18ad469d0c941a8e upstream.

Add missing sanity check to the bulk-in completion handler to avoid an
integer underflow that can be triggered by a malicious device.

This avoids leaking 128 kB of memory content from after the URB transfer
buffer to user space.

Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/io_ti.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index 2e4589a7b982..e527a2780855 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1658,7 +1658,7 @@ static void edge_bulk_in_callback(struct urb *urb)
 
 	port_number = edge_port->port->port_number;
 
-	if (edge_port->lsr_event) {
+	if (urb->actual_length > 0 && edge_port->lsr_event) {
 		edge_port->lsr_event = 0;
 		dev_dbg(dev, "%s ===== Port %u LSR Status = %02x, Data = %02x ======\n",
 			__func__, port_number, edge_port->lsr_mask, *data);
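
Review bot: the added "urb->actual_length > 0" test in edge_bulk_in_callback() has no comment, and the reason for it cannot be read from this hunk, where the guarded lines only clear lsr_event and log *data. A one-line comment saying that the LSR branch must not run on an empty transfer (the integer underflow named in the commit message) would keep the check from being dropped in a later cleanup. With a zero-length URB, lsr_event now stays set and is handled on a later completion; if that is intended, the comment should say so.
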
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 023/142] mvsas: fix misleading indentation
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (21 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 022/142] USB: serial: io_ti: fix information leak in completion handler Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 024/142] locking/static_keys: Add static_key_{en,dis}able() helpers Jiri Slaby
                   ` (120 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Luis de Bethencourt, Martin K . Petersen, Jiri Slaby

From: Luis de Bethencourt <luisbg@osg.samsung.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7789cd39274c51bf475411fe22a8ee7255082809 upstream.

Fix a smatch warning:
drivers/scsi/mvsas/mv_sas.c:740 mvs_task_prep() warn: curly braces intended?

The code is correct, the indentation is misleading. When the device is not
ready we want to return SAS_PHY_DOWN. But current indentation makes it
look like we only do so in the else branch of if (mvi_dev).

Signed-off-by: Luis de Bethencourt <luisbg@osg.samsung.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/scsi/mvsas/mv_sas.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
index 783288db47c0..cecf1a3f25e3 100644
--- a/drivers/scsi/mvsas/mv_sas.c
+++ b/drivers/scsi/mvsas/mv_sas.c
@@ -737,8 +737,8 @@ static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf
 			mv_dprintk("device %016llx not ready.\n",
 				SAS_ADDR(dev->sas_addr));
 
-			rc = SAS_PHY_DOWN;
-			return rc;
+		rc = SAS_PHY_DOWN;
+		return rc;
 	}
 	tei.port = dev->port->lldd_port;
 	if (tei.port && !tei.port->port_attached && !tmf) {
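
Review bot: in mvs_task_prep() the re-indented pair "rc = SAS_PHY_DOWN; return rc;" could be a single "return SAS_PHY_DOWN;", and adding braces to the preceding if/else would stop the mv_dprintk() branch from being misread again. Neither changes behaviour; both make the control flow described in the commit message obvious from the code itself.
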
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 024/142] locking/static_keys: Add static_key_{en,dis}able() helpers
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (22 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 023/142] mvsas: fix misleading indentation Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 025/142] vxlan: correctly validate VXLAN ID against VXLAN_N_VID Jiri Slaby
                   ` (119 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Peter Zijlstra, Andrew Morton, Linus Torvalds,
	Paul E . McKenney, Thomas Gleixner, Ingo Molnar, Jiri Slaby

From: Peter Zijlstra <peterz@infradead.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e33886b38cc82a9fc3b2d655dfc7f50467594138 upstream.

Add two helpers to make it easier to treat the refcount as boolean.

[js] do not involve WARN_ON_ONCE as it causes build failures

Suggested-by: Jason Baron <jasonbaron0@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/linux/jump_label.h | 16 ++++++++++++++++
 kernel/sched/core.c        |  6 ++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/include/linux/jump_label.h b/include/linux/jump_label.h
index 9216e465289a..6fdea8105f45 100644
--- a/include/linux/jump_label.h
+++ b/include/linux/jump_label.h
@@ -188,4 +188,20 @@ static inline bool static_key_enabled(struct static_key *key)
 	return static_key_count(key) > 0;
 }
 
+static inline void static_key_enable(struct static_key *key)
+{
+	int count = static_key_count(key);
+
+	if (!count)
+		static_key_slow_inc(key);
+}
+
+static inline void static_key_disable(struct static_key *key)
+{
+	int count = static_key_count(key);
+
+	if (count)
+		static_key_slow_dec(key);
+}
+
 #endif	/* _LINUX_JUMP_LABEL_H */
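
Review bot: static_key_enable() and static_key_disable() read static_key_count() and then call static_key_slow_inc() or static_key_slow_dec() as two separate steps, so two callers racing on the same key can both see a count of 0 and both increment, after which a single static_key_disable() no longer turns the key off. Please document above the helpers that callers must serialize enable/disable for a given key and must not mix them with direct slow_inc/slow_dec use. With WARN_ON_ONCE left out of this backport (per the [js] note), a count other than 0 or 1 is also accepted silently.
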
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 426193802b1f..602b6c08c47d 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -179,14 +179,12 @@ struct static_key sched_feat_keys[__SCHED_FEAT_NR] = {
 
 static void sched_feat_disable(int i)
 {
-	if (static_key_enabled(&sched_feat_keys[i]))
-		static_key_slow_dec(&sched_feat_keys[i]);
+	static_key_disable(&sched_feat_keys[i]);
 }
 
 static void sched_feat_enable(int i)
 {
-	if (!static_key_enabled(&sched_feat_keys[i]))
-		static_key_slow_inc(&sched_feat_keys[i]);
+	static_key_enable(&sched_feat_keys[i]);
 }
 #else
 static void sched_feat_disable(int i) { };
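
Review bot: sched_feat_disable() and sched_feat_enable() used to test static_key_enabled(), which the jump_label.h context above shows is "static_key_count(key) > 0", while the new helpers test the count for non-zero; the two differ for a negative count. That case should not arise for sched_feat_keys, but a sentence in the commit message confirming that the conversion is behaviour-neutral would help stable reviewers.
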
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 025/142] vxlan: correctly validate VXLAN ID against VXLAN_N_VID
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (23 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 024/142] locking/static_keys: Add static_key_{en,dis}able() helpers Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 026/142] ipv4: mask tos for input route Jiri Slaby
                   ` (118 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Matthias Schiffer, David S . Miller, Jiri Slaby

From: Matthias Schiffer <mschiffer@universe-factory.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 4e37d6911f36545b286d15073f6f2222f840e81c ]

The incorrect check caused an off-by-one error: the maximum VID 0xffffff
was unusable.

Fixes: d342894c5d2f ("vxlan: virtual extensible lan")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Acked-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/vxlan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 73790abf0c2a..47cb0d06c165 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2243,7 +2243,7 @@ static int vxlan_validate(struct nlattr *tb[], struct nlattr *data[])
 
 	if (data[IFLA_VXLAN_ID]) {
 		__u32 id = nla_get_u32(data[IFLA_VXLAN_ID]);
-		if (id >= VXLAN_VID_MASK)
+		if (id >= VXLAN_N_VID)
 			return -ERANGE;
 	}
 
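
Review bot: the bound in vxlan_validate() now depends on VXLAN_N_VID being exactly one more than the largest valid ID, and neither VXLAN_N_VID nor VXLAN_VID_MASK is defined in the lines shown. A short comment at the check stating the valid range (0 through VXLAN_N_VID - 1, so that 0xffffff is accepted as the commit message intends) would make the off-by-one harder to reintroduce.
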
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 026/142] ipv4: mask tos for input route
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (24 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 025/142] vxlan: correctly validate VXLAN ID against VXLAN_N_VID Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 027/142] l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv Jiri Slaby
                   ` (117 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Julian Anastasov, David S . Miller, Jiri Slaby

From: Julian Anastasov <ja@ssi.bg>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 6e28099d38c0e50d62c1afc054e37e573adf3d21 ]

Restore the lost masking of TOS in input route code to
allow ip rules to match it properly.

Problem [1] noticed by Shmulik Ladkani <shmulik.ladkani@gmail.com>

[1] http://marc.info/?t=137331755300040&r=1&w=2

Fixes: 89aef8921bfb ("ipv4: Delete routing cache.")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/ipv4/route.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index fd2811086257..1b180691086c 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1881,6 +1881,7 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr,
 {
 	int res;
 
+	tos &= IPTOS_RT_MASK;
 	rcu_read_lock();
 
 	/* Multicast recognition logic is moved from route cache to here.
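
Review bot: "tos &= IPTOS_RT_MASK;" at the top of ip_route_input_noref() rewrites the caller-supplied argument with no comment, and the commit message says this masking was already lost once. A one-line comment stating that the TOS is masked so that ip rules can match on it would protect the line in later refactoring.
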
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 027/142] l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (25 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 026/142] ipv4: mask tos for input route Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 028/142] net: don't call strlen() on the user buffer in packet_bind_spkt() Jiri Slaby
                   ` (116 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Paul Hüber, David S . Miller, Jiri Slaby

From: Paul Hüber <phueber@kernsp.in>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 51fb60eb162ab84c5edf2ae9c63cf0b878e5547e ]

l2tp_ip_backlog_recv may not return -1 if the packet gets dropped.
The return value is passed up to ip_local_deliver_finish, which treats
negative values as an IP protocol number for resubmission.

Signed-off-by: Paul Hüber <phueber@kernsp.in>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/l2tp/l2tp_ip.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index b69b762159ad..c44b3742ae36 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -383,7 +383,7 @@ static int l2tp_ip_backlog_recv(struct sock *sk, struct sk_buff *skb)
 drop:
 	IP_INC_STATS(sock_net(sk), IPSTATS_MIB_INDISCARDS);
 	kfree_skb(skb);
-	return -1;
+	return 0;
 }
 
 /* Userspace will call sendmsg() on the tunnel socket to send L2TP
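
Review bot: the "return 0;" on the drop path of l2tp_ip_backlog_recv() reads like a success return to anyone looking at the function alone, since the skb has just been counted as discarded and freed. Please add a comment at the return explaining, as the commit message does, that the value is passed up to ip_local_deliver_finish(), which treats negative values as a protocol number for resubmission, and that the skb has already been released by kfree_skb() at that point.
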
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 028/142] net: don't call strlen() on the user buffer in packet_bind_spkt()
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (26 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 027/142] l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 029/142] net: net_enable_timestamp() can be called from irq contexts Jiri Slaby
                   ` (115 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alexander Potapenko, David S . Miller, Jiri Slaby

From: Alexander Potapenko <glider@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 540e2894f7905538740aaf122bd8e0548e1c34a4 ]

KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of
uninitialized memory in packet_bind_spkt():
Acked-by: Eric Dumazet <edumazet@google.com>

==================================================================
BUG: KMSAN: use of unitialized memory
CPU: 0 PID: 1074 Comm: packet Not tainted 4.8.0-rc6+ #1891
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
01/01/2011
 0000000000000000 ffff88006b6dfc08 ffffffff82559ae8 ffff88006b6dfb48
 ffffffff818a7c91 ffffffff85b9c870 0000000000000092 ffffffff85b9c550
 0000000000000000 0000000000000092 00000000ec400911 0000000000000002
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82559ae8>] dump_stack+0x238/0x290 lib/dump_stack.c:51
 [<ffffffff818a6626>] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1003
 [<ffffffff818a783b>] __msan_warning+0x5b/0xb0
mm/kmsan/kmsan_instr.c:424
 [<     inline     >] strlen lib/string.c:484
 [<ffffffff8259b58d>] strlcpy+0x9d/0x200 lib/string.c:144
 [<ffffffff84b2eca4>] packet_bind_spkt+0x144/0x230
net/packet/af_packet.c:3132
 [<ffffffff84242e4d>] SYSC_bind+0x40d/0x5f0 net/socket.c:1370
 [<ffffffff84242a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
 [<ffffffff8515991b>] entry_SYSCALL_64_fastpath+0x13/0x8f
arch/x86/entry/entry_64.o:?
chained origin: 00000000eba00911
 [<ffffffff810bb787>] save_stack_trace+0x27/0x50
arch/x86/kernel/stacktrace.c:67
 [<     inline     >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322
 [<     inline     >] kmsan_save_stack mm/kmsan/kmsan.c:334
 [<ffffffff818a59f8>] kmsan_internal_chain_origin+0x118/0x1e0
mm/kmsan/kmsan.c:527
 [<ffffffff818a7773>] __msan_set_alloca_origin4+0xc3/0x130
mm/kmsan/kmsan_instr.c:380
 [<ffffffff84242b69>] SYSC_bind+0x129/0x5f0 net/socket.c:1356
 [<ffffffff84242a22>] SyS_bind+0x82/0xa0 net/socket.c:1356
 [<ffffffff8515991b>] entry_SYSCALL_64_fastpath+0x13/0x8f
arch/x86/entry/entry_64.o:?
origin description: ----address@SYSC_bind (origin=00000000eb400911)
==================================================================
(the line numbers are relative to 4.8-rc6, but the bug persists
upstream)

, when I run the following program as root:

=====================================
 #include <string.h>
 #include <arpa/inet.h>	/* htons() */
 #include <sys/socket.h>
 #include <netpacket/packet.h>
 #include <net/ethernet.h>

 int main() {
   struct sockaddr addr;
   memset(&addr, 0xff, sizeof(addr));
   addr.sa_family = AF_PACKET;
   int fd = socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ALL));
   bind(fd, &addr, sizeof(addr));
   return 0;
 }
=====================================

This happens because addr.sa_data copied from the userspace is not
zero-terminated, and copying it with strlcpy() in packet_bind_spkt()
results in calling strlen() on the kernel copy of that non-terminated
buffer.

Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/packet/af_packet.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index dfea5968a582..b56a9fdbf2a3 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2582,7 +2582,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr,
 			    int addr_len)
 {
 	struct sock *sk = sock->sk;
-	char name[15];
+	char name[sizeof(uaddr->sa_data) + 1];
 	struct net_device *dev;
 	int err = -ENODEV;
 
@@ -2592,7 +2592,11 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr,
 
 	if (addr_len != sizeof(struct sockaddr))
 		return -EINVAL;
-	strlcpy(name, uaddr->sa_data, sizeof(name));
+	/* uaddr->sa_data comes from the userspace, it's not guaranteed to be
+	 * zero-terminated.
+	 */
+	memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data));
+	name[sizeof(uaddr->sa_data)] = 0;
 
 	dev = dev_get_by_name(sock_net(sk), name);
 	if (dev)
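
Review bot: the new comment in packet_bind_spkt() says that uaddr->sa_data may not be zero-terminated but not why strlcpy() was wrong here, which is that it runs strlen() on the source (visible in the KMSAN trace in the commit message). Adding that to the comment would stop a later cleanup from switching back to strlcpy(). The memcpy() length and the index of the terminator both rely on name[] being declared as sizeof(uaddr->sa_data) + 1 in the previous hunk, so a pointer to that declaration in the comment would help as well.
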
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 029/142] net: net_enable_timestamp() can be called from irq contexts
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (27 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 028/142] net: don't call strlen() on the user buffer in packet_bind_spkt() Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 030/142] dccp: Unlock sock before calling sk_free() Jiri Slaby
                   ` (114 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Eric Dumazet, David S . Miller, Jiri Slaby

From: Eric Dumazet <edumazet@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 13baa00ad01bb3a9f893e3a08cbc2d072fc0c15d ]

It is now very clear that silly TCP listeners might play with
enabling/disabling timestamping while new children are added
to their accept queue.

Meaning net_enable_timestamp() can be called from BH context
while current state of the static key is not enabled.

Let's play safe and allow all contexts.

The work queue is scheduled only under the problematic cases,
which are the static key enable/disable transition, to not slow down
critical paths.

This extends and improves what we did in commit 5fa8bbda38c6 ("net: use
a work queue to defer net_disable_timestamp() work")

Fixes: b90e5794c5bd ("net: dont call jump_label_dec from irq context")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/core/dev.c | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 349ee899b3f0..a8574b4264cb 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1595,27 +1595,54 @@ EXPORT_SYMBOL(call_netdevice_notifiers);
 static struct static_key netstamp_needed __read_mostly;
 #ifdef HAVE_JUMP_LABEL
 static atomic_t netstamp_needed_deferred;
+static atomic_t netstamp_wanted;
 static void netstamp_clear(struct work_struct *work)
 {
 	int deferred = atomic_xchg(&netstamp_needed_deferred, 0);
+	int wanted;
 
-	while (deferred--)
-		static_key_slow_dec(&netstamp_needed);
+	wanted = atomic_add_return(deferred, &netstamp_wanted);
+	if (wanted > 0)
+		static_key_enable(&netstamp_needed);
+	else
+		static_key_disable(&netstamp_needed);
 }
 static DECLARE_WORK(netstamp_work, netstamp_clear);
 #endif
 
 void net_enable_timestamp(void)
 {
+#ifdef HAVE_JUMP_LABEL
+	int wanted;
+
+	while (1) {
+		wanted = atomic_read(&netstamp_wanted);
+		if (wanted <= 0)
+			break;
+		if (atomic_cmpxchg(&netstamp_wanted, wanted, wanted + 1) == wanted)
+			return;
+	}
+	atomic_inc(&netstamp_needed_deferred);
+	schedule_work(&netstamp_work);
+#else
 	static_key_slow_inc(&netstamp_needed);
+#endif
 }
 EXPORT_SYMBOL(net_enable_timestamp);
 
 void net_disable_timestamp(void)
 {
 #ifdef HAVE_JUMP_LABEL
-	/* net_disable_timestamp() can be called from non process context */
-	atomic_inc(&netstamp_needed_deferred);
+	int wanted;
+
+	while (1) {
+		wanted = atomic_read(&netstamp_wanted);
+		if (wanted <= 1)
+			break;
+		if (atomic_cmpxchg(&netstamp_wanted, wanted, wanted - 1) == wanted)
+			return;
+	}
+	atomic_dec(&netstamp_needed_deferred);
 	schedule_work(&netstamp_work);
 #else
 	static_key_slow_dec(&netstamp_needed);
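
Review bot: the comment "net_disable_timestamp() can be called from non process context" is removed and nothing replaces it, although the code is now harder to follow. Two things need a comment: why net_enable_timestamp() takes the cmpxchg fast path only while "wanted > 0" and net_disable_timestamp() only while "wanted > 1" (the remaining cases are key transitions deferred to the work queue), and that netstamp_needed_deferred is now a signed delta, incremented by enable and decremented by disable, which netstamp_clear() folds into netstamp_wanted. netstamp_clear() also enables the key now, so its name no longer matches what it does.
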
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 030/142] dccp: Unlock sock before calling sk_free()
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (28 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 029/142] net: net_enable_timestamp() can be called from irq contexts Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 031/142] tcp: fix various issues for sockets morphing to listen state Jiri Slaby
                   ` (113 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Arnaldo Carvalho de Melo, Cong Wang, Eric Dumazet,
	Gerrit Renker, Thomas Gleixner, David S . Miller, Jiri Slaby

From: Arnaldo Carvalho de Melo <acme@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit d5afb6f9b6bb2c57bd0c05e76e12489dc0d037d9 ]

The code where sk_clone() came from created a new socket and locked it,
but then, on the error path didn't unlock it.

This problem stayed there for a long while, till b0691c8ee7c2 ("net:
Unlock sock before calling sk_free()") fixed it, but unfortunately the
callers of sk_clone() (now sk_clone_locked()) were not audited and the
one in dccp_create_openreq_child() remained.

Now in the age of the syzkaller fuzzer, this was finally uncovered, as
reported by Dmitry:

 ---- 8< ----

I've got the following report while running syzkaller fuzzer on
86292b33d4b7 ("Merge branch 'akpm' (patches from Andrew)")

  [ BUG: held lock freed! ]
  4.10.0+ #234 Not tainted
  -------------------------
  syz-executor6/6898 is freeing memory
  ffff88006286cac0-ffff88006286d3b7, with a lock still held there!
   (slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>] spin_lock
  include/linux/spinlock.h:299 [inline]
   (slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>]
  sk_clone_lock+0x3d9/0x12c0 net/core/sock.c:1504
  5 locks held by syz-executor6/6898:
   #0:  (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff839a34b4>] lock_sock
  include/net/sock.h:1460 [inline]
   #0:  (sk_lock-AF_INET6){+.+.+.}, at: [<ffffffff839a34b4>]
  inet_stream_connect+0x44/0xa0 net/ipv4/af_inet.c:681
   #1:  (rcu_read_lock){......}, at: [<ffffffff83bc1c2a>]
  inet6_csk_xmit+0x12a/0x5d0 net/ipv6/inet6_connection_sock.c:126
   #2:  (rcu_read_lock){......}, at: [<ffffffff8369b424>] __skb_unlink
  include/linux/skbuff.h:1767 [inline]
   #2:  (rcu_read_lock){......}, at: [<ffffffff8369b424>] __skb_dequeue
  include/linux/skbuff.h:1783 [inline]
   #2:  (rcu_read_lock){......}, at: [<ffffffff8369b424>]
  process_backlog+0x264/0x730 net/core/dev.c:4835
   #3:  (rcu_read_lock){......}, at: [<ffffffff83aeb5c0>]
  ip6_input_finish+0x0/0x1700 net/ipv6/ip6_input.c:59
   #4:  (slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>] spin_lock
  include/linux/spinlock.h:299 [inline]
   #4:  (slock-AF_INET6){+.-...}, at: [<ffffffff8362c2c9>]
  sk_clone_lock+0x3d9/0x12c0 net/core/sock.c:1504

Fix it just like was done by b0691c8ee7c2 ("net: Unlock sock before calling
sk_free()").

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20170301153510.GE15145@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/dccp/minisocks.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index 662071b249cc..e47b15dd9b39 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -140,6 +140,7 @@ struct sock *dccp_create_openreq_child(struct sock *sk,
 			/* It is still raw copy of parent, so invalidate
 			 * destructor and make plain sk_free() */
 			newsk->sk_destruct = NULL;
+			bh_unlock_sock(newsk);
 			sk_free(newsk);
 			return NULL;
 		}
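
Review bot: the existing comment above this error path in dccp_create_openreq_child() explains only why sk_destruct is cleared; the added bh_unlock_sock(newsk) has no explanation. Extending the comment to say that newsk comes back locked from the clone call and has to be unlocked before sk_free() would record the invariant that the lockdep report in the commit message caught.
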
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 031/142] tcp: fix various issues for sockets morphing to listen state
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (29 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 030/142] dccp: Unlock sock before calling sk_free() Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 032/142] uapi: fix linux/packet_diag.h userspace compilation error Jiri Slaby
                   ` (112 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Eric Dumazet, David S . Miller, Jiri Slaby

From: Eric Dumazet <edumazet@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 02b2faaf0af1d85585f6d6980e286d53612acfc2 ]

Dmitry Vyukov reported a divide by 0 triggered by syzkaller, exploiting
tcp_disconnect() path that was never really considered and/or used
before syzkaller ;)

I was not able to reproduce the bug, but it seems issues here are the
three possible actions that assumed they would never trigger on a
listener.

1) tcp_write_timer_handler
2) tcp_delack_timer_handler
3) MTU reduction

Only IPv6 MTU reduction was properly testing TCP_CLOSE and TCP_LISTEN
 states from tcp_v6_mtu_reduced()

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/ipv4/tcp_ipv4.c  | 7 +++++--
 net/ipv4/tcp_timer.c | 6 ++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 12504f57fd7b..c67d89ccadf7 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -271,10 +271,13 @@ EXPORT_SYMBOL(tcp_v4_connect);
  */
 void tcp_v4_mtu_reduced(struct sock *sk)
 {
-	struct dst_entry *dst;
 	struct inet_sock *inet = inet_sk(sk);
-	u32 mtu = tcp_sk(sk)->mtu_info;
+	struct dst_entry *dst;
+	u32 mtu;
 
+	if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
+		return;
+	mtu = tcp_sk(sk)->mtu_info;
 	dst = inet_csk_update_pmtu(sk, mtu);
 	if (!dst)
 		return;
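
Review bot: the early return in tcp_v4_mtu_reduced() for TCPF_LISTEN | TCPF_CLOSE has no comment saying how a listening or closed socket can reach this function, and the commit message itself notes that the path was never really considered before. A short comment would help. The state test here lists the flags as "TCPF_LISTEN | TCPF_CLOSE" while the two tcp_timer.c hunks use "TCPF_CLOSE | TCPF_LISTEN"; using one order makes the three sites easier to grep for.
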
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 4b85e6f636c9..722367a6d817 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -201,7 +201,8 @@ void tcp_delack_timer_handler(struct sock *sk)
 
 	sk_mem_reclaim_partial(sk);
 
-	if (sk->sk_state == TCP_CLOSE || !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
+	if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
+	    !(icsk->icsk_ack.pending & ICSK_ACK_TIMER))
 		goto out;
 
 	if (time_after(icsk->icsk_ack.timeout, jiffies)) {
@@ -480,7 +481,8 @@ void tcp_write_timer_handler(struct sock *sk)
 	struct inet_connection_sock *icsk = inet_csk(sk);
 	int event;
 
-	if (sk->sk_state == TCP_CLOSE || !icsk->icsk_pending)
+	if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
+	    !icsk->icsk_pending)
 		goto out;
 
 	if (time_after(icsk->icsk_timeout, jiffies)) {
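
Review bot: the test "((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))" in tcp_write_timer_handler() is the same expression added to tcp_delack_timer_handler() in the hunk above and to tcp_v4_mtu_reduced() in tcp_ipv4.c. A small inline helper would keep the three copies from drifting apart if another state has to be excluded later.
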
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 032/142] uapi: fix linux/packet_diag.h userspace compilation error
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (30 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 031/142] tcp: fix various issues for sockets morphing to listen state Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 033/142] ipv6: avoid write to a possibly cloned skb Jiri Slaby
                   ` (111 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dmitry V. Levin, David S . Miller, Jiri Slaby

From: "Dmitry V. Levin" <ldv@altlinux.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 745cb7f8a5de0805cade3de3991b7a95317c7c73 ]

Replace MAX_ADDR_LEN with its numeric value to fix the following
linux/packet_diag.h userspace compilation error:

/usr/include/linux/packet_diag.h:67:17: error: 'MAX_ADDR_LEN' undeclared here (not in a function)
  __u8 pdmc_addr[MAX_ADDR_LEN];

This is not the first case in the UAPI where the numeric value
of MAX_ADDR_LEN is used instead of symbolic one, uapi/linux/if_link.h
already does the same:

$ grep MAX_ADDR_LEN include/uapi/linux/if_link.h
	__u8 mac[32]; /* MAX_ADDR_LEN */

There are no UAPI headers besides these two that use MAX_ADDR_LEN.

Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Acked-by: Pavel Emelyanov <xemul@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/uapi/linux/packet_diag.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/uapi/linux/packet_diag.h b/include/uapi/linux/packet_diag.h
index b2cc0cd9c4d9..1a9de73e845d 100644
--- a/include/uapi/linux/packet_diag.h
+++ b/include/uapi/linux/packet_diag.h
@@ -63,7 +63,7 @@ struct packet_diag_mclist {
 	__u32	pdmc_count;
 	__u16	pdmc_type;
 	__u16	pdmc_alen;
-	__u8	pdmc_addr[MAX_ADDR_LEN];
+	__u8	pdmc_addr[32]; /* MAX_ADDR_LEN */
 };
 
 struct packet_diag_ring {
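
Review bot: replacing MAX_ADDR_LEN with a literal 32 in struct packet_diag_mclist means the UAPI array size no longer follows the kernel constant, and only a comment ties the two together. A BUILD_BUG_ON() comparing the size of pdmc_addr with MAX_ADDR_LEN in the kernel code that fills this structure would turn a future mismatch into a build failure.
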
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 033/142] ipv6: avoid write to a possibly cloned skb
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (31 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 032/142] uapi: fix linux/packet_diag.h userspace compilation error Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 034/142] dccp/tcp: fix routing redirect race Jiri Slaby
                   ` (110 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Florian Westphal, Hannes Frederic Sowa,
	David S . Miller, Jiri Slaby

From: Florian Westphal <fw@strlen.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 79e49503efe53a8c51d8b695bedc8a346c5e4a87 ]

ip6_fragment, in case skb has a fraglist, checks if the
skb is cloned.  If it is, it will move to the 'slow path' and allocate
new skbs for each fragment.

However, right before entering the slowpath loop, it updates the
nexthdr value of the last ipv6 extension header to NEXTHDR_FRAGMENT,
to account for the fragment header that will be inserted in the new
ipv6-fragment skbs.

In case original skb is cloned this munges nexthdr value of another
skb.  Avoid this by doing the nexthdr update for each of the new fragment
skbs separately.

This was observed with tcpdump on a bridge device where netfilter ipv6
reassembly is active:  tcpdump shows malformed fragment headers as
the l4 header (icmpv6, tcp, etc.) is decoded as a fragment header.

Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Reported-by: Andreas Karis <akaris@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/ipv6/ip6_output.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index f5f86850a305..c5db1d52d542 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -716,7 +716,6 @@ slow_path:
 	 *	Fragment the datagram.
 	 */
 
-	*prevhdr = NEXTHDR_FRAGMENT;
 	hroom = LL_RESERVED_SPACE(rt->dst.dev);
 	troom = rt->dst.dev->needed_tailroom;
 
@@ -724,6 +723,8 @@ slow_path:
 	 *	Keep copying data until we run out.
 	 */
 	while(left > 0)	{
+		u8 *fragnexthdr_offset;
+
 		len = left;
 		/* IF: it doesn't fit, use 'mtu' - the data space left */
 		if (len > mtu)
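Review bot: `fragnexthdr_offset`, declared at the top of the `while` body, is a `u8 *` that is later dereferenced, so it holds a pointer and not an offset. A name such as `fragnexthdr` would describe it more accurately.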
@@ -770,6 +771,10 @@ slow_path:
 		 */
 		skb_copy_from_linear_data(skb, skb_network_header(frag), hlen);
 
+		fragnexthdr_offset = skb_network_header(frag);
+		fragnexthdr_offset += prevhdr - skb_network_header(skb);
+		*fragnexthdr_offset = NEXTHDR_FRAGMENT;
+
 		/*
 		 *	Build fragment header.
 		 */
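Review bot: the write through `fragnexthdr_offset` is only safe if `prevhdr - skb_network_header(skb)` lies inside the `hlen` bytes that skb_copy_from_linear_data() has just copied, and nothing in this hunk states or checks that. The offset is also loop-invariant, so it could be computed once before the `while` loop, with a comment or assertion that it is below `hlen`.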
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 034/142] dccp/tcp: fix routing redirect race
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (32 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 033/142] ipv6: avoid write to a possibly cloned skb Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 035/142] dccp: fix memory leak during tear-down of unsuccessful connection request Jiri Slaby
                   ` (109 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Jon Maxwell, Eric Garver, Hannes Sowa,
	David S . Miller, Jiri Slaby

From: Jon Maxwell <jmaxwell37@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 45caeaa5ac0b4b11784ac6f932c0ad4c6b67cda0 ]

As Eric Dumazet pointed out this also needs to be fixed in IPv6.
v2: Contains the IPv6 tcp/IPv6 dccp patches as well.

We have seen a few incidents lately where a dst_entry has been freed
with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that
dst_entry. If the conditions/timings are right a crash then ensues when the
freed dst_entry is referenced later on. A common crashing backtrace is:

 #8 [] page_fault at ffffffff8163e648
    [exception RIP: __tcp_ack_snd_check+74]
.
.
 #9 [] tcp_rcv_established at ffffffff81580b64
#10 [] tcp_v4_do_rcv at ffffffff8158b54a
#11 [] tcp_v4_rcv at ffffffff8158cd02
#12 [] ip_local_deliver_finish at ffffffff815668f4
#13 [] ip_local_deliver at ffffffff81566bd9
#14 [] ip_rcv_finish at ffffffff8156656d
#15 [] ip_rcv at ffffffff81566f06
#16 [] __netif_receive_skb_core at ffffffff8152b3a2
#17 [] __netif_receive_skb at ffffffff8152b608
#18 [] netif_receive_skb at ffffffff8152b690
#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3]
#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3]
#21 [] net_rx_action at ffffffff8152bac2
#22 [] __do_softirq at ffffffff81084b4f
#23 [] call_softirq at ffffffff8164845c
#24 [] do_softirq at ffffffff81016fc5
#25 [] irq_exit at ffffffff81084ee5
#26 [] do_IRQ at ffffffff81648ff8

Of course it may happen with other NIC drivers as well.

It's found the freed dst_entry here:

    static bool tcp_in_quickack_mode(struct sock *sk)
    {
    	const struct inet_connection_sock *icsk = inet_csk(sk);
    	const struct dst_entry *dst = __sk_dst_get(sk);

    	return (dst && dst_metric(dst, RTAX_QUICKACK)) ||
    		(icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);
    }

But there are other backtraces attributed to the same freed dst_entry in
netfilter code as well.

All the vmcores showed 2 significant clues:

- Remote hosts behind the default gateway had always been redirected to a
different gateway. A rtable/dst_entry will be added for that host. Making
more dst_entrys with lower reference counts. Making this more probable.

- All vmcores showed a positive LockDroppedIcmps value, e.g.:

LockDroppedIcmps                  267

A closer look at the tcp_v4_err() handler revealed that do_redirect() will run
regardless of whether user space has the socket locked. This can result in a
race condition where the same dst_entry cached in sk->sk_dst_entry can be
decremented twice for the same socket via:

do_redirect()->__sk_dst_check()-> dst_release().

Which leads to the dst_entry being prematurely freed with another socket
pointing to it via sk->sk_dst_cache and a subsequent crash.

To fix this skip do_redirect() if userspace has the socket locked. Instead let
the redirect take place later when user space does not have the socket
locked.

The dccp/IPv6 code is very similar in this respect, so fixing it there too.

As Eric Garver pointed out the following commit now invalidates routes. Which
can set the dst->obsolete flag so that ipv4_dst_check() returns null and
triggers the dst_release().

Fixes: ceb3320610d6 ("ipv4: Kill routes during PMTU/redirect updates.")
Cc: Eric Garver <egarver@redhat.com>
Cc: Hannes Sowa <hsowa@redhat.com>
Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/dccp/ipv4.c     | 3 ++-
 net/dccp/ipv6.c     | 8 +++++---
 net/ipv4/tcp_ipv4.c | 3 ++-
 net/ipv6/tcp_ipv6.c | 8 +++++---
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 4332b7c25af0..67f0f0652641 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -263,7 +263,8 @@ static void dccp_v4_err(struct sk_buff *skb, u32 info)
 
 	switch (type) {
 	case ICMP_REDIRECT:
-		dccp_do_redirect(skb, sk);
+		if (!sock_owned_by_user(sk))
+			dccp_do_redirect(skb, sk);
 		goto out;
 	case ICMP_SOURCE_QUENCH:
 		/* Just silently ignore these. */
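Review bot: in the `ICMP_REDIRECT` case the redirect is now dropped whenever `sock_owned_by_user(sk)` is true, and nothing in this hunk queues it for later, although the commit message speaks of letting the redirect take place later. A one-line comment at the check saying the redirect is intentionally skipped and that a subsequent redirect is relied upon would make the behaviour clear to the next reader.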
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 736fdedf9c85..c3ae00de1740 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -132,10 +132,12 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 	np = inet6_sk(sk);
 
 	if (type == NDISC_REDIRECT) {
-		struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
+		if (!sock_owned_by_user(sk)) {
+			struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
 
-		if (dst)
-			dst->ops->redirect(dst, sk, skb);
+			if (dst)
+				dst->ops->redirect(dst, sk, skb);
+		}
 		goto out;
 	}
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index c67d89ccadf7..129af2aa04d9 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -393,7 +393,8 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
 
 	switch (type) {
 	case ICMP_REDIRECT:
-		do_redirect(icmp_skb, sk);
+		if (!sock_owned_by_user(sk))
+			do_redirect(icmp_skb, sk);
 		goto out;
 	case ICMP_SOURCE_QUENCH:
 		/* Just silently ignore these. */
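Review bot: the new `sock_owned_by_user(sk)` test in the `ICMP_REDIRECT` case is only meaningful while the socket spinlock is held, and the visible context of tcp_v4_err() does not show where that lock is taken. Worth confirming the lock is held at this point in the 3.12 code and saying so in a comment next to the check, since the fix depends on it.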
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index e5bafd576a13..7bec37d485d4 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -386,10 +386,12 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 	np = inet6_sk(sk);
 
 	if (type == NDISC_REDIRECT) {
-		struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
+		if (!sock_owned_by_user(sk)) {
+			struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
 
-		if (dst)
-			dst->ops->redirect(dst, sk, skb);
+			if (dst)
+				dst->ops->redirect(dst, sk, skb);
+		}
 		goto out;
 	}
 
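Review bot: the `NDISC_REDIRECT` block in tcp_v6_err() is now line-for-line the same as the one changed in dccp_v6_err() in net/dccp/ipv6.c, ownership check included. A small shared helper taking `sk`, `skb` and the dst cookie would keep the two handlers from diverging the next time this path is touched.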
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 035/142] dccp: fix memory leak during tear-down of unsuccessful connection request
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (33 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 034/142] dccp/tcp: fix routing redirect race Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 036/142] net sched actions: decrement module reference count after table flush Jiri Slaby
                   ` (108 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Hannes Frederic Sowa, David S . Miller, Jiri Slaby

From: Hannes Frederic Sowa <hannes@stressinduktion.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 72ef9c4125c7b257e3a714d62d778ab46583d6a3 ]

This patch fixes a memory leak, which happens if the connection request
is not fulfilled between parsing the DCCP options and handling the SYN
(because e.g. the backlog is full), because we forgot to free the
list of ack vectors.

Reported-by: Jianwen Ji <jiji@redhat.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/dccp/ccids/ccid2.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
index f053198e730c..5e3a7302f774 100644
--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -749,6 +749,7 @@ static void ccid2_hc_tx_exit(struct sock *sk)
 	for (i = 0; i < hc->tx_seqbufc; i++)
 		kfree(hc->tx_seqbuf[i]);
 	hc->tx_seqbufc = 0;
+	dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks);
 }
 
 static void ccid2_hc_rx_packet_recv(struct sock *sk, struct sk_buff *skb)
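Review bot: `dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks)` in ccid2_hc_tx_exit() runs unconditionally, so it has to be safe on a list that was initialised but never populated and on a socket whose parsed chunks were already released on the normal path. The hunk shows neither guarantee; a comment here, or a sentence in the changelog, stating that the cleanup is safe to repeat would settle it.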
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 036/142] net sched actions: decrement module reference count after table flush.
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (34 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 035/142] dccp: fix memory leak during tear-down of unsuccessful connection request Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 037/142] futex: Fix potential use-after-free in FUTEX_REQUEUE_PI Jiri Slaby
                   ` (107 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Roman Mashak, Jamal Hadi Salim, David S . Miller,
	Jiri Slaby

From: Roman Mashak <mrv@mojatatu.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2 ]

When tc actions are loaded as a module and no actions have been installed,
flushing them would result in actions removed from the memory, but modules
reference count not being decremented, so that the modules would not be
unloaded.

Following is an example with the GACT action:

% sudo modprobe act_gact
% lsmod
Module                  Size  Used by
act_gact               16384  0
%
% sudo tc actions ls action gact
%
% sudo tc actions flush action gact
% lsmod
Module                  Size  Used by
act_gact               16384  1
% sudo tc actions flush action gact
% lsmod
Module                  Size  Used by
act_gact               16384  2
% sudo rmmod act_gact
rmmod: ERROR: Module act_gact is in use
....

After the fix:
% lsmod
Module                  Size  Used by
act_gact               16384  0
%
% sudo tc actions add action pass index 1
% sudo tc actions add action pass index 2
% sudo tc actions add action pass index 3
% lsmod
Module                  Size  Used by
act_gact               16384  3
%
% sudo tc actions flush action gact
% lsmod
Module                  Size  Used by
act_gact               16384  0
%
% sudo tc actions flush action gact
% lsmod
Module                  Size  Used by
act_gact               16384  0
% sudo rmmod act_gact
% lsmod
Module                  Size  Used by
%

Fixes: f97017cdefef ("net-sched: Fix actions flushing")
Signed-off-by: Roman Mashak <mrv@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/sched/act_api.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 15d46b9166de..0a31f2c51e94 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -814,10 +814,8 @@ static int tca_action_flush(struct net *net, struct nlattr *nla,
 		goto out_module_put;
 
 	err = a->ops->walk(skb, &dcb, RTM_DELACTION, a);
-	if (err < 0)
+	if (err <= 0)
 		goto out_module_put;
-	if (err == 0)
-		goto noflush_out;
 
 	nla_nest_end(skb, nest);
 
@@ -835,7 +833,6 @@ static int tca_action_flush(struct net *net, struct nlattr *nla,
 out_module_put:
 	module_put(a->ops->owner);
 err_out:
-noflush_out:
 	kfree_skb(skb);
 	kfree(a);
 	return err;
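Review bot: with `noflush_out:` removed, the `err == 0` result from `walk()` now leaves through `out_module_put` and `err_out`, so an empty table returns 0 by way of labels that read as error handling. A short comment at the `if (err <= 0)` test saying that zero means "nothing to flush" and still needs the `module_put()` would document why the success case shares that exit.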
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 037/142] futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (35 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 036/142] net sched actions: decrement module reference count after table flush Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 038/142] futex: Add missing error handling to FUTEX_REQUEUE_PI Jiri Slaby
                   ` (106 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Peter Zijlstra, juri.lelli, bigeasy, xlpang,
	rostedt, mathieu.desnoyers, jdesfossez, dvhart, bristot,
	Thomas Gleixner, Jiri Slaby

From: Peter Zijlstra <peterz@infradead.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c236c8e95a3d395b0494e7108f0d41cf36ec107c upstream.

While working on the futex code, I stumbled over this potential
use-after-free scenario. Dmitry triggered it later with syzkaller.

pi_mutex is a pointer into pi_state, which we drop the reference on in
unqueue_me_pi(). So any access to that pointer after that is bad.

Since other sites already do rt_mutex_unlock() with hb->lock held, see
for example futex_lock_pi(), simply move the unlock before
unqueue_me_pi().

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Darren Hart <dvhart@linux.intel.com>
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170304093558.801744246@infradead.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 kernel/futex.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/kernel/futex.c b/kernel/futex.c
index 9c6394afd10f..9667d9233289 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2415,7 +2415,6 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
 {
 	struct hrtimer_sleeper timeout, *to = NULL;
 	struct rt_mutex_waiter rt_waiter;
-	struct rt_mutex *pi_mutex = NULL;
 	struct futex_hash_bucket *hb;
 	union futex_key key2 = FUTEX_KEY_INIT;
 	struct futex_q q = futex_q_init;
@@ -2505,6 +2504,8 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
 			spin_unlock(q.lock_ptr);
 		}
 	} else {
+		struct rt_mutex *pi_mutex;
+
 		/*
 		 * We have been woken up by futex_unlock_pi(), a timeout, or a
 		 * signal.  futex_unlock_pi() will not destroy the lock_ptr nor
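Review bot: `pi_mutex` is now declared without an initialiser at the top of the `else` block, whereas the removed function-scope declaration set it to NULL and the removed unlock tested `pi_mutex &&` first. Its assignment is outside the visible context, so please confirm it is set on every path before the `rt_mutex_owner(pi_mutex)` test in the next hunk, or keep the `= NULL` and the NULL test.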
@@ -2528,18 +2529,19 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
 		if (res)
 			ret = (res < 0) ? res : 0;
 
+		/*
+		 * If fixup_pi_state_owner() faulted and was unable to handle
+		 * the fault, unlock the rt_mutex and return the fault to
+		 * userspace.
+		 */
+		if (ret && rt_mutex_owner(pi_mutex) == current)
+			rt_mutex_unlock(pi_mutex);
+
 		/* Unqueue and drop the lock. */
 		unqueue_me_pi(&q);
 	}
 
-	/*
-	 * If fixup_pi_state_owner() faulted and was unable to handle the
-	 * fault, unlock the rt_mutex and return the fault to userspace.
-	 */
-	if (ret == -EFAULT) {
-		if (pi_mutex && rt_mutex_owner(pi_mutex) == current)
-			rt_mutex_unlock(pi_mutex);
-	} else if (ret == -EINTR) {
+	if (ret == -EINTR) {
 		/*
 		 * We've already been requeued, but cannot restart by calling
 		 * futex_lock_pi() directly. We could restart this syscall, but
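Review bot: the moved unlock now fires on `if (ret && ...)`, while the code it replaces ran only for `ret == -EFAULT`, and the commit message describes the change as simply moving the unlock. The relocated comment still speaks only of fixup_pi_state_owner() faulting; either keep the `-EFAULT` condition or update the comment and changelog to say that any non-zero `ret` releases the rt_mutex.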
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 038/142] futex: Add missing error handling to FUTEX_REQUEUE_PI
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (36 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 037/142] futex: Fix potential use-after-free in FUTEX_REQUEUE_PI Jiri Slaby
@ 2017-04-10 15:31 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 039/142] give up on gcc ilog2() constant optimizations Jiri Slaby
                   ` (105 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:31 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Peter Zijlstra, juri.lelli, bigeasy, xlpang,
	rostedt, mathieu.desnoyers, jdesfossez, dvhart, bristot,
	Thomas Gleixner, Jiri Slaby

From: Peter Zijlstra <peterz@infradead.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 9bbb25afeb182502ca4f2c4f3f88af0681b34cae upstream.

Thomas spotted that fixup_pi_state_owner() can return errors and we
fail to unlock the rt_mutex in that case.

Reported-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Darren Hart <dvhart@linux.intel.com>
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170304093558.867401760@infradead.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 kernel/futex.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/futex.c b/kernel/futex.c
index 9667d9233289..566e2e0e56cf 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2496,6 +2496,8 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
 		if (q.pi_state && (q.pi_state->owner != current)) {
 			spin_lock(q.lock_ptr);
 			ret = fixup_pi_state_owner(uaddr2, &q, current);
+			if (ret && rt_mutex_owner(&q.pi_state->pi_mutex) == current)
+				rt_mutex_unlock(&q.pi_state->pi_mutex);
 			/*
 			 * Drop the reference to the pi state which
 			 * the requeue_pi() code acquired for us.
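Review bot: the added `rt_mutex_unlock(&q.pi_state->pi_mutex)` after fixup_pi_state_owner() carries no comment, and it runs with `q.lock_ptr` held, directly before the pi_state reference is dropped. A brief comment saying that the rt_mutex must be released on error while `q.pi_state` is still valid would explain both the unlock and its position.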
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 039/142] give up on gcc ilog2() constant optimizations
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (37 preceding siblings ...)
  2017-04-10 15:31 ` [PATCH 3.12 038/142] futex: Add missing error handling to FUTEX_REQUEUE_PI Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 040/142] cancel the setfilesize transation when io error happen Jiri Slaby
                   ` (104 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Linus Torvalds, John Stultz, Thomas Gleixner,
	Ard Biesheuvel, Jiri Slaby

From: Linus Torvalds <torvalds@linux-foundation.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 474c90156c8dcc2fa815e6716cc9394d7930cb9c upstream.

gcc-7 has an "optimization" pass that completely screws up, and
generates the code expansion for the (impossible) case of calling
ilog2() with a zero constant, even when the code gcc compiles does not
actually have a zero constant.

And we try to generate a compile-time error for anybody doing ilog2() on
a constant where that doesn't make sense (be it zero or negative).  So
now gcc7 will fail the build due to our sanity checking, because it
created that constant-zero case that didn't actually exist in the source
code.

There's a whole long discussion on the kernel mailing about how to work
around this gcc bug.  The gcc people themselves have discussed their
"feature" in

   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785

but it's all water under the bridge, because while it looked at one
point like it would be solved by the time gcc7 was released, that was
not to be.

So now we have to deal with this compiler braindamage.

And the only simple approach seems to be to just delete the code that
tries to warn about bad uses of ilog2().

So now "ilog2()" will just return 0 not just for the value 1, but for
any non-positive value too.

It's not like I can recall anybody having ever actually tried to use
this function on any invalid value, but maybe the sanity check just
meant that such code never made it out in public.

[js] no tools/include/linux/log2.h copy of that yet

Reported-by: Laura Abbott <labbott@redhat.com>
Cc: John Stultz <john.stultz@linaro.org>,
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/linux/log2.h | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/include/linux/log2.h b/include/linux/log2.h
index fd7ff3d91e6a..f38fae23bdac 100644
--- a/include/linux/log2.h
+++ b/include/linux/log2.h
@@ -16,12 +16,6 @@
 #include <linux/bitops.h>
 
 /*
- * deal with unrepresentable constant logarithms
- */
-extern __attribute__((const, noreturn))
-int ____ilog2_NaN(void);
-
-/*
  * non-constant log of base 2 calculators
  * - the arch may override these in asm/bitops.h if they can be implemented
  *   more efficiently than using fls() and fls64()
@@ -85,7 +79,7 @@ unsigned long __rounddown_pow_of_two(unsigned long n)
 #define ilog2(n)				\
 (						\
 	__builtin_constant_p(n) ? (		\
-		(n) < 1 ? ____ilog2_NaN() :	\
+		(n) < 2 ? 0 :			\
 		(n) & (1ULL << 63) ? 63 :	\
 		(n) & (1ULL << 62) ? 62 :	\
 		(n) & (1ULL << 61) ? 61 :	\
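Review bot: with `(n) < 2 ? 0 :` the constant branch of ilog2() now returns 0 for zero and negative constants instead of failing the build, and nothing at the macro says so. A comment on the macro should state that the result for n < 1 is 0 and carries no meaning, so callers do not read it as a valid logarithm.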
@@ -148,10 +142,7 @@ unsigned long __rounddown_pow_of_two(unsigned long n)
 		(n) & (1ULL <<  4) ?  4 :	\
 		(n) & (1ULL <<  3) ?  3 :	\
 		(n) & (1ULL <<  2) ?  2 :	\
-		(n) & (1ULL <<  1) ?  1 :	\
-		(n) & (1ULL <<  0) ?  0 :	\
-		____ilog2_NaN()			\
-				   ) :		\
+		1 ) :				\
 	(sizeof(n) <= 4) ?			\
 	__ilog2_u32(n) :			\
 	__ilog2_u64(n)				\
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 040/142] cancel the setfilesize transation when io error happen
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (38 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 039/142] give up on gcc ilog2() constant optimizations Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 041/142] xfs: fix up xfs_swap_extent_forks inline extent handling Jiri Slaby
                   ` (103 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Zhaohongjiang, Dave Chinner, Nikolay Borisov, Jiri Slaby

From: Zhaohongjiang <zhaohongjiang@huawei.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

Commit 5cb13dcd0fac071b45c4bebe1801a08ff0d89cad upstream.

When I ran the xfstest/073 case, the remount process was blocked waiting for
transactions to be zero. I found that an io error had happened, and
the setfilesize transaction was not released properly. We should add
the changes to cancel the io error in this case.

Reproduction steps:
1. dd if=/dev/zero of=xfs1.img bs=1M count=2048
2. mkfs.xfs xfs1.img
3. losetup -f ./xfs1.img /dev/loop0
4. mount -t xfs /dev/loop0 /home/test_dir/
5. mkdir /home/test_dir/test
6. mkfs.xfs -dfile,name=image,size=2g
7. mount -t xfs -o loop image /home/test_dir/test
8. cp a file bigger than 2g to /home/test_dir/test
9. mount -t xfs -o remount,ro /home/test_dir/test

[ dchinner: moved io error detection to xfs_setfilesize_ioend() after
  transaction context restoration. ]

[ nborisov: Adjusted context for 3.12 ]

Signed-off-by: Zhao Hongjiang <zhaohongjiang@huawei.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/xfs/xfs_aops.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
index ab28ad576b16..6394e3f51553 100644
--- a/fs/xfs/xfs_aops.c
+++ b/fs/xfs/xfs_aops.c
@@ -150,6 +150,12 @@ xfs_setfilesize(
 	rwsem_acquire_read(&VFS_I(ip)->i_sb->s_writers.lock_map[SB_FREEZE_FS-1],
 			   0, 1, _THIS_IP_);
 
+	/* we abort the update if there was an IO error */
+	if (ioend->io_error) {
+		xfs_trans_cancel(tp, 0);
+		return ioend->io_error;
+	}
+
 	xfs_ilock(ip, XFS_ILOCK_EXCL);
 	isize = xfs_new_eof(ip, ioend->io_offset + ioend->io_size);
 	if (!isize) {
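Review bot: the early return in xfs_setfilesize() hands back `ioend->io_error` unchanged, and the other hunk shows that field holding a negative errno (`ioend->io_error = -EIO`). Please confirm that the callers in 3.12 expect a negative value from this function; if they negate or re-store the result, the sign of the error will flip.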
@@ -205,14 +211,17 @@ xfs_end_io(
 		ioend->io_error = -EIO;
 		goto done;
 	}
-	if (ioend->io_error)
-		goto done;
 
 	/*
 	 * For unwritten extents we need to issue transactions to convert a
 	 * range to normal written extens after the data I/O has finished.
+	 * Detecting and handling completion IO errors is done individually
+	 * for each case as different cleanup operations need to be performed
+	 * on error.
 	 */
 	if (ioend->io_type == XFS_IO_UNWRITTEN) {
+		if (ioend->io_error)
+			goto done;
 		error = xfs_iomap_write_unwritten(ip, ioend->io_offset,
 						  ioend->io_size);
 	} else if (ioend->io_isdirect && xfs_ioend_is_append(ioend)) {
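Review bot: removing the blanket `if (ioend->io_error) goto done;` means only the `XFS_IO_UNWRITTEN` branch still bails out in xfs_end_io(); the `io_isdirect` append branch and anything after it now depend on xfs_setfilesize() noticing the error. The bodies of those branches are outside the visible context, so it is worth checking that every remaining branch either calls xfs_setfilesize() or tests `io_error` itself.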
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 041/142] xfs: fix up xfs_swap_extent_forks inline extent handling
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (39 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 040/142] cancel the setfilesize transation when io error happen Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 042/142] xfs: don't allow di_size with high bit set Jiri Slaby
                   ` (102 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Eric Sandeen, Eric Sandeen, Dave Chinner,
	Nikolay Borisov, Jiri Slaby

From: Eric Sandeen <sandeen@sandeen.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 4dfce57db6354603641132fac3c887614e3ebe81 upstream.

There have been several reports over the years of NULL pointer
dereferences in xfs_trans_log_inode during xfs_fsr processes,
when the process is doing an fput and tearing down extents
on the temporary inode, something like:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
PID: 29439  TASK: ffff880550584fa0  CPU: 6   COMMAND: "xfs_fsr"
    [exception RIP: xfs_trans_log_inode+0x10]
 #9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs]

As it turns out, this is because the i_itemp pointer, along
with the d_ops pointer, has been overwritten with zeros
when we tear down the extents during truncate.  When the in-core
inode fork on the temporary inode used by xfs_fsr was originally
set up during the extent swap, we mistakenly looked at di_nextents
to determine whether all extents fit inline, but this misses extents
generated by speculative preallocation; we should be using if_bytes
instead.

This mistake corrupts the in-memory inode, and code in
xfs_iext_remove_inline eventually gets bad inputs, causing
it to memmove and memset incorrect ranges; this became apparent
because the two values in ifp->if_u2.if_inline_ext[1] contained
what should have been in d_ops and i_itemp; they were memmoved due
to incorrect array indexing and then the original locations
were zeroed with memset, again due to an array overrun.

Fix this by properly using i_df.if_bytes to determine the number
of extents, not di_nextents.

Thanks to dchinner for looking at this with me and spotting the
root cause.

[nborisov: Backported to 3.12]

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/xfs/xfs_bmap_util.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
index 42cb2f3ea51f..51df0cf5ea62 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -1776,6 +1776,7 @@ xfs_swap_extents(
 	xfs_trans_t	*tp;
 	xfs_bstat_t	*sbp = &sxp->sx_stat;
 	xfs_ifork_t	*tempifp, *ifp, *tifp;
+	xfs_extnum_t	nextents;
 	int		src_log_flags, target_log_flags;
 	int		error = 0;
 	int		aforkblks = 0;
@@ -1984,7 +1985,8 @@ xfs_swap_extents(
 		 * pointer.  Otherwise it's already NULL or
 		 * pointing to the extent.
 		 */
-		if (ip->i_d.di_nextents <= XFS_INLINE_EXTS) {
+		nextents = ip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
+		if (nextents <= XFS_INLINE_EXTS) {
 			ifp->if_u1.if_extents =
 				ifp->if_u2.if_inline_ext;
 		}
@@ -2003,7 +2005,8 @@ xfs_swap_extents(
 		 * pointer.  Otherwise it's already NULL or
 		 * pointing to the extent.
 		 */
-		if (tip->i_d.di_nextents <= XFS_INLINE_EXTS) {
+		nextents = tip->i_df.if_bytes / (uint)sizeof(xfs_bmbt_rec_t);
+		if (nextents <= XFS_INLINE_EXTS) {
 			tifp->if_u1.if_extents =
 				tifp->if_u2.if_inline_ext;
 		}
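Review bot: the `if_bytes / (uint)sizeof(xfs_bmbt_rec_t)` computation is written out twice in xfs_swap_extents(), once for `ip` and once for `tip`, with only the inode differing. A small helper taking the fork would remove the duplication, and a sentence in the existing comment on why `di_nextents` is not used would stop someone from changing it back.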
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 042/142] xfs: don't allow di_size with high bit set
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (40 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 041/142] xfs: fix up xfs_swap_extent_forks inline extent handling Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 043/142] netlink: remove mmapped netlink support Jiri Slaby
                   ` (101 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Darrick J. Wong, Dave Chinner, Nikolay Borisov, Jiri Slaby

From: "Darrick J. Wong" <darrick.wong@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

Commit ef388e2054feedaeb05399ed654bdb06f385d294 upstream.

The on-disk field di_size is used to set i_size, which is a signed
integer of loff_t.  If the high bit of di_size is set, we'll end up with
a negative i_size, which will cause all sorts of problems.  Since the
VFS won't let us create a file with such length, we should catch them
here in the verifier too.

[nborisov: Backported to 3.12]

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/xfs/xfs_inode_buf.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/xfs/xfs_inode_buf.c b/fs/xfs/xfs_inode_buf.c
index 03d237a0f58b..1c62be0b0d0f 100644
--- a/fs/xfs/xfs_inode_buf.c
+++ b/fs/xfs/xfs_inode_buf.c
@@ -301,6 +301,14 @@ xfs_dinode_verify(
 	if (dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC))
 		return false;
 
+	/* don't allow invalid i_size */
+	if (be64_to_cpu(dip->di_size) & (1ULL << 63))
+		return false;
+
+	/* No zero-length symlinks. */
+	if (S_ISLNK(be16_to_cpu(dip->di_mode)) && dip->di_size == 0)
+		return false;
+
 	/* only version 3 or greater inodes are extensively verified here */
 	if (dip->di_version < 3)
 		return true;
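Review bot: The second check added to xfs_dinode_verify(), the "No zero-length symlinks" test, is not mentioned in the changelog, which only describes rejecting a di_size with the high bit set. Describe it in the commit message or the backport note, or split it out, so that someone bisecting to this commit can see why a zero-length symlink inode now fails verification. Minor: that test compares the raw big-endian dip->di_size against 0 while the check above converts with be64_to_cpu(). This is correct for zero, but converting consistently reads more clearly.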
-- 
2.12.2


* [PATCH 3.12 043/142] netlink: remove mmapped netlink support
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (41 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 042/142] xfs: don't allow di_size with high bit set Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 044/142] crypto: ghash-clmulni - Fix load failure Jiri Slaby
                   ` (100 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Florian Westphal, Daniel Borkmann,
	Ken-ichirou MATSUZAWA, Pablo Neira Ayuso, Patrick McHardy,
	Thomas Graf, David S . Miller, Jiri Slaby

From: Florian Westphal <fw@strlen.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d1b4c689d4130bcfd3532680b64db562300716b6 upstream.

mmapped netlink has a number of unresolved issues:

- TX zerocopy support had to be disabled more than a year ago via
  commit 4682a0358639b29cf ("netlink: Always copy on mmap TX.")
  because the content of the mmapped area can change after netlink
  attribute validation but before message processing.

- RX support was implemented mainly to speed up nfqueue dumping packet
  payload to userspace.  However, since commit ae08ce0021087a5d812d2
  ("netfilter: nfnetlink_queue: zero copy support") we avoid one copy
  with the socket-based interface too (via the skb_zerocopy helper).

The other problem is that skbs attached to mmaped netlink socket
behave differently from normal skbs:

- they don't have a shinfo area, so all functions that use skb_shinfo()
(e.g. skb_clone) cannot be used.

- reserving headroom prevents userspace from seeing the content as
it expects message to start at skb->head.
See for instance
commit aa3a022094fa ("netlink: not trim skb for mmaped socket when dump").

- skbs handed e.g. to netlink_ack must have non-NULL skb->sk, else we
crash because it needs the sk to check if a tx ring is attached.

Also not obvious, leads to non-intuitive bug fixes such as 7c7bdf359
("netfilter: nfnetlink: use original skbuff when acking batches").

mmaped netlink also didn't play nicely with the skb_zerocopy helper
used by nfqueue and openvswitch.  Daniel Borkmann fixed this via
commit 6bb0fef489f6 ("netlink, mmap: fix edge-case leakages in nf queue
zero-copy") but at the cost of also needing to provide remaining
length to the allocation function.

nfqueue also has problems when used with mmaped rx netlink:
- mmaped netlink doesn't allow use of nfqueue batch verdict messages.
  Problem is that in the mmap case, the allocation time also determines
  the ordering in which the frame will be seen by userspace (A
  allocating before B means that A is located in earlier ring slot,
  but this also means that B might get a lower sequence number than A
  since seqno is decided later.  To fix this we would need to extend the
  spinlocked region to also cover the allocation and message setup which
  isn't desirable.
- nfqueue can now be configured to queue large (GSO) skbs to userspace.
  Queuing GSO packets is faster than having to force a software segmentation
  in the kernel, so this is a desirable option.  However, with a mmap based
  ring one has to use 64kb per ring slot element, else mmap has to fall back
  to the socket path (NL_MMAP_STATUS_COPY) for all large packets.

To use the mmap interface, userspace not only has to probe for mmap netlink
support, it also has to implement a recv/socket receive path in order to
handle messages that exceed the size of an rx ring element.

Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/uapi/linux/netlink.h      |   4 +
 include/uapi/linux/netlink_diag.h |   2 +
 net/netlink/Kconfig               |   9 -
 net/netlink/af_netlink.c          | 726 +-------------------------------------
 net/netlink/af_netlink.h          |  15 -
 net/netlink/diag.c                |  39 --
 6 files changed, 14 insertions(+), 781 deletions(-)

diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h
index 1a85940f8ab7..8a8135c4e99a 100644
--- a/include/uapi/linux/netlink.h
+++ b/include/uapi/linux/netlink.h
@@ -106,8 +106,10 @@ struct nlmsgerr {
 #define NETLINK_PKTINFO		3
 #define NETLINK_BROADCAST_ERROR	4
 #define NETLINK_NO_ENOBUFS	5
+#ifndef __KERNEL__
 #define NETLINK_RX_RING		6
 #define NETLINK_TX_RING		7
+#endif
 
 struct nl_pktinfo {
 	__u32	group;
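Review bot: The #ifndef __KERNEL__ added around NETLINK_RX_RING and NETLINK_TX_RING carries no comment saying why the definitions are kept, so a later cleanup could drop them or reuse option numbers 6 and 7. Add a one-line comment stating that the values remain only so existing userspace still compiles and that the numbers must not be reassigned.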
@@ -130,6 +132,7 @@ struct nl_mmap_hdr {
 	__u32		nm_gid;
 };
 
+#ifndef __KERNEL__
 enum nl_mmap_status {
 	NL_MMAP_STATUS_UNUSED,
 	NL_MMAP_STATUS_RESERVED,
@@ -141,6 +144,7 @@ enum nl_mmap_status {
 #define NL_MMAP_MSG_ALIGNMENT		NLMSG_ALIGNTO
 #define NL_MMAP_MSG_ALIGN(sz)		__ALIGN_KERNEL(sz, NL_MMAP_MSG_ALIGNMENT)
 #define NL_MMAP_HDRLEN			NL_MMAP_MSG_ALIGN(sizeof(struct nl_mmap_hdr))
+#endif
 
 #define NET_MAJOR 36		/* Major 36 is reserved for networking 						*/
 
diff --git a/include/uapi/linux/netlink_diag.h b/include/uapi/linux/netlink_diag.h
index 4e31db4eea41..01d7ff3b92dc 100644
--- a/include/uapi/linux/netlink_diag.h
+++ b/include/uapi/linux/netlink_diag.h
@@ -47,6 +47,8 @@ enum {
 
 #define NDIAG_SHOW_MEMINFO	0x00000001 /* show memory info of a socket */
 #define NDIAG_SHOW_GROUPS	0x00000002 /* show groups of a netlink socket */
+#ifndef __KERNEL__
 #define NDIAG_SHOW_RING_CFG	0x00000004 /* show ring configuration */
+#endif
 
 #endif
diff --git a/net/netlink/Kconfig b/net/netlink/Kconfig
index 2c5e95e9bfbd..5d6e8c05b3d4 100644
--- a/net/netlink/Kconfig
+++ b/net/netlink/Kconfig
@@ -2,15 +2,6 @@
 # Netlink Sockets
 #
 
-config NETLINK_MMAP
-	bool "NETLINK: mmaped IO"
-	---help---
-	  This option enables support for memory mapped netlink IO. This
-	  reduces overhead by avoiding copying data between kernel- and
-	  userspace.
-
-	  If unsure, say N.
-
 config NETLINK_DIAG
 	tristate "NETLINK: socket monitoring interface"
 	default n
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index bb04abe72d76..e60743f93ca3 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -219,7 +219,7 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
 
 	dev_hold(dev);
 
-	if (netlink_skb_is_mmaped(skb) || is_vmalloc_addr(skb->head))
+	if (is_vmalloc_addr(skb->head))
 		nskb = netlink_to_full_skb(skb, GFP_ATOMIC);
 	else
 		nskb = skb_clone(skb, GFP_ATOMIC);
@@ -284,599 +284,8 @@ static void netlink_rcv_wake(struct sock *sk)
 		wake_up_interruptible(&nlk->wait);
 }
 
-#ifdef CONFIG_NETLINK_MMAP
-static bool netlink_rx_is_mmaped(struct sock *sk)
-{
-	return nlk_sk(sk)->rx_ring.pg_vec != NULL;
-}
-
-static bool netlink_tx_is_mmaped(struct sock *sk)
-{
-	return nlk_sk(sk)->tx_ring.pg_vec != NULL;
-}
-
-static __pure struct page *pgvec_to_page(const void *addr)
-{
-	if (is_vmalloc_addr(addr))
-		return vmalloc_to_page(addr);
-	else
-		return virt_to_page(addr);
-}
-
-static void free_pg_vec(void **pg_vec, unsigned int order, unsigned int len)
-{
-	unsigned int i;
-
-	for (i = 0; i < len; i++) {
-		if (pg_vec[i] != NULL) {
-			if (is_vmalloc_addr(pg_vec[i]))
-				vfree(pg_vec[i]);
-			else
-				free_pages((unsigned long)pg_vec[i], order);
-		}
-	}
-	kfree(pg_vec);
-}
-
-static void *alloc_one_pg_vec_page(unsigned long order)
-{
-	void *buffer;
-	gfp_t gfp_flags = GFP_KERNEL | __GFP_COMP | __GFP_ZERO |
-			  __GFP_NOWARN | __GFP_NORETRY;
-
-	buffer = (void *)__get_free_pages(gfp_flags, order);
-	if (buffer != NULL)
-		return buffer;
-
-	buffer = vzalloc((1 << order) * PAGE_SIZE);
-	if (buffer != NULL)
-		return buffer;
-
-	gfp_flags &= ~__GFP_NORETRY;
-	return (void *)__get_free_pages(gfp_flags, order);
-}
-
-static void **alloc_pg_vec(struct netlink_sock *nlk,
-			   struct nl_mmap_req *req, unsigned int order)
-{
-	unsigned int block_nr = req->nm_block_nr;
-	unsigned int i;
-	void **pg_vec;
-
-	pg_vec = kcalloc(block_nr, sizeof(void *), GFP_KERNEL);
-	if (pg_vec == NULL)
-		return NULL;
-
-	for (i = 0; i < block_nr; i++) {
-		pg_vec[i] = alloc_one_pg_vec_page(order);
-		if (pg_vec[i] == NULL)
-			goto err1;
-	}
-
-	return pg_vec;
-err1:
-	free_pg_vec(pg_vec, order, block_nr);
-	return NULL;
-}
-
-
-static void
-__netlink_set_ring(struct sock *sk, struct nl_mmap_req *req, bool tx_ring, void **pg_vec,
-		   unsigned int order)
-{
-	struct netlink_sock *nlk = nlk_sk(sk);
-	struct sk_buff_head *queue;
-	struct netlink_ring *ring;
-
-	queue = tx_ring ? &sk->sk_write_queue : &sk->sk_receive_queue;
-	ring  = tx_ring ? &nlk->tx_ring : &nlk->rx_ring;
-
-	spin_lock_bh(&queue->lock);
-
-	ring->frame_max		= req->nm_frame_nr - 1;
-	ring->head		= 0;
-	ring->frame_size	= req->nm_frame_size;
-	ring->pg_vec_pages	= req->nm_block_size / PAGE_SIZE;
-
-	swap(ring->pg_vec_len, req->nm_block_nr);
-	swap(ring->pg_vec_order, order);
-	swap(ring->pg_vec, pg_vec);
-
-	__skb_queue_purge(queue);
-	spin_unlock_bh(&queue->lock);
-
-	WARN_ON(atomic_read(&nlk->mapped));
-
-	if (pg_vec)
-		free_pg_vec(pg_vec, order, req->nm_block_nr);
-}
-
-static int netlink_set_ring(struct sock *sk, struct nl_mmap_req *req,
-			    bool tx_ring)
-{
-	struct netlink_sock *nlk = nlk_sk(sk);
-	struct netlink_ring *ring;
-	void **pg_vec = NULL;
-	unsigned int order = 0;
-
-	ring  = tx_ring ? &nlk->tx_ring : &nlk->rx_ring;
-
-	if (atomic_read(&nlk->mapped))
-		return -EBUSY;
-	if (atomic_read(&ring->pending))
-		return -EBUSY;
-
-	if (req->nm_block_nr) {
-		if (ring->pg_vec != NULL)
-			return -EBUSY;
-
-		if ((int)req->nm_block_size <= 0)
-			return -EINVAL;
-		if (!IS_ALIGNED(req->nm_block_size, PAGE_SIZE))
-			return -EINVAL;
-		if (req->nm_frame_size < NL_MMAP_HDRLEN)
-			return -EINVAL;
-		if (!IS_ALIGNED(req->nm_frame_size, NL_MMAP_MSG_ALIGNMENT))
-			return -EINVAL;
-
-		ring->frames_per_block = req->nm_block_size /
-					 req->nm_frame_size;
-		if (ring->frames_per_block == 0)
-			return -EINVAL;
-		if (ring->frames_per_block * req->nm_block_nr !=
-		    req->nm_frame_nr)
-			return -EINVAL;
-
-		order = get_order(req->nm_block_size);
-		pg_vec = alloc_pg_vec(nlk, req, order);
-		if (pg_vec == NULL)
-			return -ENOMEM;
-	} else {
-		if (req->nm_frame_nr)
-			return -EINVAL;
-	}
-
-	mutex_lock(&nlk->pg_vec_lock);
-	if (atomic_read(&nlk->mapped) == 0) {
-		__netlink_set_ring(sk, req, tx_ring, pg_vec, order);
-		mutex_unlock(&nlk->pg_vec_lock);
-		return 0;
-	}
-
-	mutex_unlock(&nlk->pg_vec_lock);
-
-	if (pg_vec)
-		free_pg_vec(pg_vec, order, req->nm_block_nr);
-
-	return -EBUSY;
-}
-
-static void netlink_mm_open(struct vm_area_struct *vma)
-{
-	struct file *file = vma->vm_file;
-	struct socket *sock = file->private_data;
-	struct sock *sk = sock->sk;
-
-	if (sk)
-		atomic_inc(&nlk_sk(sk)->mapped);
-}
-
-static void netlink_mm_close(struct vm_area_struct *vma)
-{
-	struct file *file = vma->vm_file;
-	struct socket *sock = file->private_data;
-	struct sock *sk = sock->sk;
-
-	if (sk)
-		atomic_dec(&nlk_sk(sk)->mapped);
-}
-
-static const struct vm_operations_struct netlink_mmap_ops = {
-	.open	= netlink_mm_open,
-	.close	= netlink_mm_close,
-};
-
-static int netlink_mmap(struct file *file, struct socket *sock,
-			struct vm_area_struct *vma)
-{
-	struct sock *sk = sock->sk;
-	struct netlink_sock *nlk = nlk_sk(sk);
-	struct netlink_ring *ring;
-	unsigned long start, size, expected;
-	unsigned int i;
-	int err = -EINVAL;
-
-	if (vma->vm_pgoff)
-		return -EINVAL;
-
-	mutex_lock(&nlk->pg_vec_lock);
-
-	expected = 0;
-	for (ring = &nlk->rx_ring; ring <= &nlk->tx_ring; ring++) {
-		if (ring->pg_vec == NULL)
-			continue;
-		expected += ring->pg_vec_len * ring->pg_vec_pages * PAGE_SIZE;
-	}
-
-	if (expected == 0)
-		goto out;
-
-	size = vma->vm_end - vma->vm_start;
-	if (size != expected)
-		goto out;
-
-	start = vma->vm_start;
-	for (ring = &nlk->rx_ring; ring <= &nlk->tx_ring; ring++) {
-		if (ring->pg_vec == NULL)
-			continue;
-
-		for (i = 0; i < ring->pg_vec_len; i++) {
-			struct page *page;
-			void *kaddr = ring->pg_vec[i];
-			unsigned int pg_num;
-
-			for (pg_num = 0; pg_num < ring->pg_vec_pages; pg_num++) {
-				page = pgvec_to_page(kaddr);
-				err = vm_insert_page(vma, start, page);
-				if (err < 0)
-					goto out;
-				start += PAGE_SIZE;
-				kaddr += PAGE_SIZE;
-			}
-		}
-	}
-
-	atomic_inc(&nlk->mapped);
-	vma->vm_ops = &netlink_mmap_ops;
-	err = 0;
-out:
-	mutex_unlock(&nlk->pg_vec_lock);
-	return err;
-}
-
-static void netlink_frame_flush_dcache(const struct nl_mmap_hdr *hdr, unsigned int nm_len)
-{
-#if ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE == 1
-	struct page *p_start, *p_end;
-
-	/* First page is flushed through netlink_{get,set}_status */
-	p_start = pgvec_to_page(hdr + PAGE_SIZE);
-	p_end   = pgvec_to_page((void *)hdr + NL_MMAP_HDRLEN + nm_len - 1);
-	while (p_start <= p_end) {
-		flush_dcache_page(p_start);
-		p_start++;
-	}
-#endif
-}
-
-static enum nl_mmap_status netlink_get_status(const struct nl_mmap_hdr *hdr)
-{
-	smp_rmb();
-	flush_dcache_page(pgvec_to_page(hdr));
-	return hdr->nm_status;
-}
-
-static void netlink_set_status(struct nl_mmap_hdr *hdr,
-			       enum nl_mmap_status status)
-{
-	smp_mb();
-	hdr->nm_status = status;
-	flush_dcache_page(pgvec_to_page(hdr));
-}
-
-static struct nl_mmap_hdr *
-__netlink_lookup_frame(const struct netlink_ring *ring, unsigned int pos)
-{
-	unsigned int pg_vec_pos, frame_off;
-
-	pg_vec_pos = pos / ring->frames_per_block;
-	frame_off  = pos % ring->frames_per_block;
-
-	return ring->pg_vec[pg_vec_pos] + (frame_off * ring->frame_size);
-}
-
-static struct nl_mmap_hdr *
-netlink_lookup_frame(const struct netlink_ring *ring, unsigned int pos,
-		     enum nl_mmap_status status)
-{
-	struct nl_mmap_hdr *hdr;
-
-	hdr = __netlink_lookup_frame(ring, pos);
-	if (netlink_get_status(hdr) != status)
-		return NULL;
-
-	return hdr;
-}
-
-static struct nl_mmap_hdr *
-netlink_current_frame(const struct netlink_ring *ring,
-		      enum nl_mmap_status status)
-{
-	return netlink_lookup_frame(ring, ring->head, status);
-}
-
-static struct nl_mmap_hdr *
-netlink_previous_frame(const struct netlink_ring *ring,
-		       enum nl_mmap_status status)
-{
-	unsigned int prev;
-
-	prev = ring->head ? ring->head - 1 : ring->frame_max;
-	return netlink_lookup_frame(ring, prev, status);
-}
-
-static void netlink_increment_head(struct netlink_ring *ring)
-{
-	ring->head = ring->head != ring->frame_max ? ring->head + 1 : 0;
-}
-
-static void netlink_forward_ring(struct netlink_ring *ring)
-{
-	unsigned int head = ring->head, pos = head;
-	const struct nl_mmap_hdr *hdr;
-
-	do {
-		hdr = __netlink_lookup_frame(ring, pos);
-		if (hdr->nm_status == NL_MMAP_STATUS_UNUSED)
-			break;
-		if (hdr->nm_status != NL_MMAP_STATUS_SKIP)
-			break;
-		netlink_increment_head(ring);
-	} while (ring->head != head);
-}
-
-static bool netlink_dump_space(struct netlink_sock *nlk)
-{
-	struct netlink_ring *ring = &nlk->rx_ring;
-	struct nl_mmap_hdr *hdr;
-	unsigned int n;
-
-	hdr = netlink_current_frame(ring, NL_MMAP_STATUS_UNUSED);
-	if (hdr == NULL)
-		return false;
-
-	n = ring->head + ring->frame_max / 2;
-	if (n > ring->frame_max)
-		n -= ring->frame_max;
-
-	hdr = __netlink_lookup_frame(ring, n);
-
-	return hdr->nm_status == NL_MMAP_STATUS_UNUSED;
-}
-
-static unsigned int netlink_poll(struct file *file, struct socket *sock,
-				 poll_table *wait)
-{
-	struct sock *sk = sock->sk;
-	struct netlink_sock *nlk = nlk_sk(sk);
-	unsigned int mask;
-	int err;
-
-	if (nlk->rx_ring.pg_vec != NULL) {
-		/* Memory mapped sockets don't call recvmsg(), so flow control
-		 * for dumps is performed here. A dump is allowed to continue
-		 * if at least half the ring is unused.
-		 */
-		while (nlk->cb_running && netlink_dump_space(nlk)) {
-			err = netlink_dump(sk);
-			if (err < 0) {
-				sk->sk_err = -err;
-				sk->sk_error_report(sk);
-				break;
-			}
-		}
-		netlink_rcv_wake(sk);
-	}
-
-	mask = datagram_poll(file, sock, wait);
-
-	spin_lock_bh(&sk->sk_receive_queue.lock);
-	if (nlk->rx_ring.pg_vec) {
-		netlink_forward_ring(&nlk->rx_ring);
-		if (!netlink_previous_frame(&nlk->rx_ring, NL_MMAP_STATUS_UNUSED))
-			mask |= POLLIN | POLLRDNORM;
-	}
-	spin_unlock_bh(&sk->sk_receive_queue.lock);
-
-	spin_lock_bh(&sk->sk_write_queue.lock);
-	if (nlk->tx_ring.pg_vec) {
-		if (netlink_current_frame(&nlk->tx_ring, NL_MMAP_STATUS_UNUSED))
-			mask |= POLLOUT | POLLWRNORM;
-	}
-	spin_unlock_bh(&sk->sk_write_queue.lock);
-
-	return mask;
-}
-
-static struct nl_mmap_hdr *netlink_mmap_hdr(struct sk_buff *skb)
-{
-	return (struct nl_mmap_hdr *)(skb->head - NL_MMAP_HDRLEN);
-}
-
-static void netlink_ring_setup_skb(struct sk_buff *skb, struct sock *sk,
-				   struct netlink_ring *ring,
-				   struct nl_mmap_hdr *hdr)
-{
-	unsigned int size;
-	void *data;
-
-	size = ring->frame_size - NL_MMAP_HDRLEN;
-	data = (void *)hdr + NL_MMAP_HDRLEN;
-
-	skb->head	= data;
-	skb->data	= data;
-	skb_reset_tail_pointer(skb);
-	skb->end	= skb->tail + size;
-	skb->len	= 0;
-
-	skb->destructor	= netlink_skb_destructor;
-	NETLINK_CB(skb).flags |= NETLINK_SKB_MMAPED;
-	NETLINK_CB(skb).sk = sk;
-}
-
-static int netlink_mmap_sendmsg(struct sock *sk, struct msghdr *msg,
-				u32 dst_portid, u32 dst_group,
-				struct sock_iocb *siocb)
-{
-	struct netlink_sock *nlk = nlk_sk(sk);
-	struct netlink_ring *ring;
-	struct nl_mmap_hdr *hdr;
-	struct sk_buff *skb;
-	unsigned int maxlen;
-	int err = 0, len = 0;
-
-	mutex_lock(&nlk->pg_vec_lock);
-
-	ring   = &nlk->tx_ring;
-	maxlen = ring->frame_size - NL_MMAP_HDRLEN;
-
-	do {
-		unsigned int nm_len;
-
-		hdr = netlink_current_frame(ring, NL_MMAP_STATUS_VALID);
-		if (hdr == NULL) {
-			if (!(msg->msg_flags & MSG_DONTWAIT) &&
-			    atomic_read(&nlk->tx_ring.pending))
-				schedule();
-			continue;
-		}
-
-		nm_len = ACCESS_ONCE(hdr->nm_len);
-		if (nm_len > maxlen) {
-			err = -EINVAL;
-			goto out;
-		}
-
-		netlink_frame_flush_dcache(hdr, nm_len);
-
-		skb = alloc_skb(nm_len, GFP_KERNEL);
-		if (skb == NULL) {
-			err = -ENOBUFS;
-			goto out;
-		}
-		__skb_put(skb, nm_len);
-		memcpy(skb->data, (void *)hdr + NL_MMAP_HDRLEN, nm_len);
-		netlink_set_status(hdr, NL_MMAP_STATUS_UNUSED);
-
-		netlink_increment_head(ring);
-
-		NETLINK_CB(skb).portid	  = nlk->portid;
-		NETLINK_CB(skb).dst_group = dst_group;
-		NETLINK_CB(skb).creds	  = siocb->scm->creds;
-
-		err = security_netlink_send(sk, skb);
-		if (err) {
-			kfree_skb(skb);
-			goto out;
-		}
-
-		if (unlikely(dst_group)) {
-			atomic_inc(&skb->users);
-			netlink_broadcast(sk, skb, dst_portid, dst_group,
-					  GFP_KERNEL);
-		}
-		err = netlink_unicast(sk, skb, dst_portid,
-				      msg->msg_flags & MSG_DONTWAIT);
-		if (err < 0)
-			goto out;
-		len += err;
-
-	} while (hdr != NULL ||
-		 (!(msg->msg_flags & MSG_DONTWAIT) &&
-		  atomic_read(&nlk->tx_ring.pending)));
-
-	if (len > 0)
-		err = len;
-out:
-	mutex_unlock(&nlk->pg_vec_lock);
-	return err;
-}
-
-static void netlink_queue_mmaped_skb(struct sock *sk, struct sk_buff *skb)
-{
-	struct nl_mmap_hdr *hdr;
-
-	hdr = netlink_mmap_hdr(skb);
-	hdr->nm_len	= skb->len;
-	hdr->nm_group	= NETLINK_CB(skb).dst_group;
-	hdr->nm_pid	= NETLINK_CB(skb).creds.pid;
-	hdr->nm_uid	= from_kuid(sk_user_ns(sk), NETLINK_CB(skb).creds.uid);
-	hdr->nm_gid	= from_kgid(sk_user_ns(sk), NETLINK_CB(skb).creds.gid);
-	netlink_frame_flush_dcache(hdr, hdr->nm_len);
-	netlink_set_status(hdr, NL_MMAP_STATUS_VALID);
-
-	NETLINK_CB(skb).flags |= NETLINK_SKB_DELIVERED;
-	kfree_skb(skb);
-}
-
-static void netlink_ring_set_copied(struct sock *sk, struct sk_buff *skb)
-{
-	struct netlink_sock *nlk = nlk_sk(sk);
-	struct netlink_ring *ring = &nlk->rx_ring;
-	struct nl_mmap_hdr *hdr;
-
-	spin_lock_bh(&sk->sk_receive_queue.lock);
-	hdr = netlink_current_frame(ring, NL_MMAP_STATUS_UNUSED);
-	if (hdr == NULL) {
-		spin_unlock_bh(&sk->sk_receive_queue.lock);
-		kfree_skb(skb);
-		netlink_overrun(sk);
-		return;
-	}
-	netlink_increment_head(ring);
-	__skb_queue_tail(&sk->sk_receive_queue, skb);
-	spin_unlock_bh(&sk->sk_receive_queue.lock);
-
-	hdr->nm_len	= skb->len;
-	hdr->nm_group	= NETLINK_CB(skb).dst_group;
-	hdr->nm_pid	= NETLINK_CB(skb).creds.pid;
-	hdr->nm_uid	= from_kuid(sk_user_ns(sk), NETLINK_CB(skb).creds.uid);
-	hdr->nm_gid	= from_kgid(sk_user_ns(sk), NETLINK_CB(skb).creds.gid);
-	netlink_set_status(hdr, NL_MMAP_STATUS_COPY);
-}
-
-#else /* CONFIG_NETLINK_MMAP */
-#define netlink_rx_is_mmaped(sk)	false
-#define netlink_tx_is_mmaped(sk)	false
-#define netlink_mmap			sock_no_mmap
-#define netlink_poll			datagram_poll
-#define netlink_mmap_sendmsg(sk, msg, dst_portid, dst_group, siocb)	0
-#endif /* CONFIG_NETLINK_MMAP */
-
 static void netlink_skb_destructor(struct sk_buff *skb)
 {
-#ifdef CONFIG_NETLINK_MMAP
-	struct nl_mmap_hdr *hdr;
-	struct netlink_ring *ring;
-	struct sock *sk;
-
-	/* If a packet from the kernel to userspace was freed because of an
-	 * error without being delivered to userspace, the kernel must reset
-	 * the status. In the direction userspace to kernel, the status is
-	 * always reset here after the packet was processed and freed.
-	 */
-	if (netlink_skb_is_mmaped(skb)) {
-		hdr = netlink_mmap_hdr(skb);
-		sk = NETLINK_CB(skb).sk;
-
-		if (NETLINK_CB(skb).flags & NETLINK_SKB_TX) {
-			netlink_set_status(hdr, NL_MMAP_STATUS_UNUSED);
-			ring = &nlk_sk(sk)->tx_ring;
-		} else {
-			if (!(NETLINK_CB(skb).flags & NETLINK_SKB_DELIVERED)) {
-				hdr->nm_len = 0;
-				netlink_set_status(hdr, NL_MMAP_STATUS_VALID);
-			}
-			ring = &nlk_sk(sk)->rx_ring;
-		}
-
-		WARN_ON(atomic_read(&ring->pending) == 0);
-		atomic_dec(&ring->pending);
-		sock_put(sk);
-
-		skb->head = NULL;
-	}
-#endif
 	if (is_vmalloc_addr(skb->head)) {
 		if (!skb->cloned ||
 		    !atomic_dec_return(&(skb_shinfo(skb)->dataref)))
@@ -910,18 +319,6 @@ static void netlink_sock_destruct(struct sock *sk)
 	}
 
 	skb_queue_purge(&sk->sk_receive_queue);
-#ifdef CONFIG_NETLINK_MMAP
-	if (1) {
-		struct nl_mmap_req req;
-
-		memset(&req, 0, sizeof(req));
-		if (nlk->rx_ring.pg_vec)
-			__netlink_set_ring(sk, &req, false, NULL, 0);
-		memset(&req, 0, sizeof(req));
-		if (nlk->tx_ring.pg_vec)
-			__netlink_set_ring(sk, &req, true, NULL, 0);
-	}
-#endif /* CONFIG_NETLINK_MMAP */
 
 	if (!sock_flag(sk, SOCK_DEAD)) {
 		printk(KERN_ERR "Freeing alive netlink socket %p\n", sk);
@@ -1194,9 +591,6 @@ static int __netlink_create(struct net *net, struct socket *sock,
 		mutex_init(nlk->cb_mutex);
 	}
 	init_waitqueue_head(&nlk->wait);
-#ifdef CONFIG_NETLINK_MMAP
-	mutex_init(&nlk->pg_vec_lock);
-#endif
 
 	sk->sk_destruct = netlink_sock_destruct;
 	sk->sk_protocol = protocol;
@@ -1674,8 +1068,7 @@ int netlink_attachskb(struct sock *sk, struct sk_buff *skb,
 	nlk = nlk_sk(sk);
 
 	if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf ||
-	     test_bit(NETLINK_CONGESTED, &nlk->state)) &&
-	    !netlink_skb_is_mmaped(skb)) {
+	     test_bit(NETLINK_CONGESTED, &nlk->state))) {
 		DECLARE_WAITQUEUE(wait, current);
 		if (!*timeo) {
 			if (!ssk || netlink_is_kernel(ssk))
@@ -1713,14 +1106,7 @@ static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb)
 
 	netlink_deliver_tap(skb);
 
-#ifdef CONFIG_NETLINK_MMAP
-	if (netlink_skb_is_mmaped(skb))
-		netlink_queue_mmaped_skb(sk, skb);
-	else if (netlink_rx_is_mmaped(sk))
-		netlink_ring_set_copied(sk, skb);
-	else
-#endif /* CONFIG_NETLINK_MMAP */
-		skb_queue_tail(&sk->sk_receive_queue, skb);
+	skb_queue_tail(&sk->sk_receive_queue, skb);
 	sk->sk_data_ready(sk, len);
 	return len;
 }
@@ -1744,9 +1130,6 @@ static struct sk_buff *netlink_trim(struct sk_buff *skb, gfp_t allocation)
 	int delta;
 
 	WARN_ON(skb->sk != NULL);
-	if (netlink_skb_is_mmaped(skb))
-		return skb;
-
 	delta = skb->end - skb->tail;
 	if (is_vmalloc_addr(skb->head) || delta * 2 < skb->truesize)
 		return skb;
@@ -1829,62 +1212,6 @@ EXPORT_SYMBOL(netlink_unicast);
 struct sk_buff *netlink_alloc_skb(struct sock *ssk, unsigned int size,
 				  u32 dst_portid, gfp_t gfp_mask)
 {
-#ifdef CONFIG_NETLINK_MMAP
-	struct sock *sk = NULL;
-	struct sk_buff *skb;
-	struct netlink_ring *ring;
-	struct nl_mmap_hdr *hdr;
-	unsigned int maxlen;
-
-	sk = netlink_getsockbyportid(ssk, dst_portid);
-	if (IS_ERR(sk))
-		goto out;
-
-	ring = &nlk_sk(sk)->rx_ring;
-	/* fast-path without atomic ops for common case: non-mmaped receiver */
-	if (ring->pg_vec == NULL)
-		goto out_put;
-
-	skb = alloc_skb_head(gfp_mask);
-	if (skb == NULL)
-		goto err1;
-
-	spin_lock_bh(&sk->sk_receive_queue.lock);
-	/* check again under lock */
-	if (ring->pg_vec == NULL)
-		goto out_free;
-
-	maxlen = ring->frame_size - NL_MMAP_HDRLEN;
-	if (maxlen < size)
-		goto out_free;
-
-	netlink_forward_ring(ring);
-	hdr = netlink_current_frame(ring, NL_MMAP_STATUS_UNUSED);
-	if (hdr == NULL)
-		goto err2;
-	netlink_ring_setup_skb(skb, sk, ring, hdr);
-	netlink_set_status(hdr, NL_MMAP_STATUS_RESERVED);
-	atomic_inc(&ring->pending);
-	netlink_increment_head(ring);
-
-	spin_unlock_bh(&sk->sk_receive_queue.lock);
-	return skb;
-
-err2:
-	kfree_skb(skb);
-	spin_unlock_bh(&sk->sk_receive_queue.lock);
-	netlink_overrun(sk);
-err1:
-	sock_put(sk);
-	return NULL;
-
-out_free:
-	kfree_skb(skb);
-	spin_unlock_bh(&sk->sk_receive_queue.lock);
-out_put:
-	sock_put(sk);
-out:
-#endif
 	return alloc_skb(size, gfp_mask);
 }
 EXPORT_SYMBOL_GPL(netlink_alloc_skb);
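Review bot: After this hunk netlink_alloc_skb() is reduced to "return alloc_skb(size, gfp_mask);" and its ssk and dst_portid parameters are unused. Add a comment on the exported function saying the extra arguments are kept only for existing callers, or plan a follow-up that converts the callers to alloc_skb() directly.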
@@ -2149,8 +1476,7 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
 	if (level != SOL_NETLINK)
 		return -ENOPROTOOPT;
 
-	if (optname != NETLINK_RX_RING && optname != NETLINK_TX_RING &&
-	    optlen >= sizeof(int) &&
+	if (optlen >= sizeof(int) &&
 	    get_user(val, (unsigned int __user *)optval))
 		return -EFAULT;
 
@@ -2199,25 +1525,6 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
 		}
 		err = 0;
 		break;
-#ifdef CONFIG_NETLINK_MMAP
-	case NETLINK_RX_RING:
-	case NETLINK_TX_RING: {
-		struct nl_mmap_req req;
-
-		/* Rings might consume more memory than queue limits, require
-		 * CAP_NET_ADMIN.
-		 */
-		if (!capable(CAP_NET_ADMIN))
-			return -EPERM;
-		if (optlen < sizeof(req))
-			return -EINVAL;
-		if (copy_from_user(&req, optval, sizeof(req)))
-			return -EFAULT;
-		err = netlink_set_ring(sk, &req,
-				       optname == NETLINK_TX_RING);
-		break;
-	}
-#endif /* CONFIG_NETLINK_MMAP */
 	default:
 		err = -ENOPROTOOPT;
 	}
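Review bot: With the case labels removed, NETLINK_RX_RING and NETLINK_TX_RING now reach the default branch and return -ENOPROTOOPT for every caller, where the removed code returned -EPERM to callers without CAP_NET_ADMIN. The changelog should state that result, since it is what userspace probing for ring support will see after this backport.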
@@ -2330,13 +1637,6 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
 			goto out;
 	}
 
-	if (netlink_tx_is_mmaped(sk) &&
-	    msg->msg_iov->iov_base == NULL) {
-		err = netlink_mmap_sendmsg(sk, msg, dst_portid, dst_group,
-					   siocb);
-		goto out;
-	}
-
 	err = -EMSGSIZE;
 	if (len > sk->sk_sndbuf - 32)
 		goto out;
@@ -2671,8 +1971,7 @@ static int netlink_dump(struct sock *sk)
 	cb = &nlk->cb;
 	alloc_size = max_t(int, cb->min_dump_alloc, NLMSG_GOODSIZE);
 
-	if (!netlink_rx_is_mmaped(sk) &&
-	    atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
+	if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
 		goto errout_skb;
 	skb = netlink_alloc_skb(sk, alloc_size, nlk->portid, GFP_KERNEL);
 	if (!skb)
@@ -2730,16 +2029,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
 	struct netlink_sock *nlk;
 	int ret;
 
-	/* Memory mapped dump requests need to be copied to avoid looping
-	 * on the pending state in netlink_mmap_sendmsg() while the CB hold
-	 * a reference to the skb.
-	 */
-	if (netlink_skb_is_mmaped(skb)) {
-		skb = skb_copy(skb, GFP_KERNEL);
-		if (skb == NULL)
-			return -ENOBUFS;
-	} else
-		atomic_inc(&skb->users);
+	atomic_inc(&skb->users);
 
 	sk = netlink_lookup(sock_net(ssk), ssk->sk_protocol, NETLINK_CB(skb).portid);
 	if (sk == NULL) {
@@ -3075,7 +2365,7 @@ static const struct proto_ops netlink_ops = {
 	.socketpair =	sock_no_socketpair,
 	.accept =	sock_no_accept,
 	.getname =	netlink_getname,
-	.poll =		netlink_poll,
+	.poll =		datagram_poll,
 	.ioctl =	sock_no_ioctl,
 	.listen =	sock_no_listen,
 	.shutdown =	sock_no_shutdown,
@@ -3083,7 +2373,7 @@ static const struct proto_ops netlink_ops = {
 	.getsockopt =	netlink_getsockopt,
 	.sendmsg =	netlink_sendmsg,
 	.recvmsg =	netlink_recvmsg,
-	.mmap =		netlink_mmap,
+	.mmap =		sock_no_mmap,
 	.sendpage =	sock_no_sendpage,
 };
 
diff --git a/net/netlink/af_netlink.h b/net/netlink/af_netlink.h
index dcc89c74b514..4a12e9ee6052 100644
--- a/net/netlink/af_netlink.h
+++ b/net/netlink/af_netlink.h
@@ -39,12 +39,6 @@ struct netlink_sock {
 	void			(*netlink_rcv)(struct sk_buff *skb);
 	void			(*netlink_bind)(int group);
 	struct module		*module;
-#ifdef CONFIG_NETLINK_MMAP
-	struct mutex		pg_vec_lock;
-	struct netlink_ring	rx_ring;
-	struct netlink_ring	tx_ring;
-	atomic_t		mapped;
-#endif /* CONFIG_NETLINK_MMAP */
 };
 
 static inline struct netlink_sock *nlk_sk(struct sock *sk)
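Review bot: The rx_ring and tx_ring members dropped from struct netlink_sock use struct netlink_ring, yet no hunk in this patch deletes that type or the NETLINK_SKB_MMAPED, NETLINK_SKB_TX and NETLINK_SKB_DELIVERED flags, although every use of them shown in this patch is removed. If nothing else references them, remove the definitions here as well so no dead declarations are left behind.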
@@ -65,15 +59,6 @@ struct nl_portid_hash {
 	u32			rnd;
 };
 
-static inline bool netlink_skb_is_mmaped(const struct sk_buff *skb)
-{
-#ifdef CONFIG_NETLINK_MMAP
-	return NETLINK_CB(skb).flags & NETLINK_SKB_MMAPED;
-#else
-	return false;
-#endif /* CONFIG_NETLINK_MMAP */
-}
-
 struct netlink_table {
 	struct nl_portid_hash	hash;
 	struct hlist_head	mc_list;
diff --git a/net/netlink/diag.c b/net/netlink/diag.c
index 1af29624b92f..5ffb1d1cf402 100644
--- a/net/netlink/diag.c
+++ b/net/netlink/diag.c
@@ -7,41 +7,6 @@
 
 #include "af_netlink.h"
 
-#ifdef CONFIG_NETLINK_MMAP
-static int sk_diag_put_ring(struct netlink_ring *ring, int nl_type,
-			    struct sk_buff *nlskb)
-{
-	struct netlink_diag_ring ndr;
-
-	ndr.ndr_block_size = ring->pg_vec_pages << PAGE_SHIFT;
-	ndr.ndr_block_nr   = ring->pg_vec_len;
-	ndr.ndr_frame_size = ring->frame_size;
-	ndr.ndr_frame_nr   = ring->frame_max + 1;
-
-	return nla_put(nlskb, nl_type, sizeof(ndr), &ndr);
-}
-
-static int sk_diag_put_rings_cfg(struct sock *sk, struct sk_buff *nlskb)
-{
-	struct netlink_sock *nlk = nlk_sk(sk);
-	int ret;
-
-	mutex_lock(&nlk->pg_vec_lock);
-	ret = sk_diag_put_ring(&nlk->rx_ring, NETLINK_DIAG_RX_RING, nlskb);
-	if (!ret)
-		ret = sk_diag_put_ring(&nlk->tx_ring, NETLINK_DIAG_TX_RING,
-				       nlskb);
-	mutex_unlock(&nlk->pg_vec_lock);
-
-	return ret;
-}
-#else
-static int sk_diag_put_rings_cfg(struct sock *sk, struct sk_buff *nlskb)
-{
-	return 0;
-}
-#endif
-
 static int sk_diag_dump_groups(struct sock *sk, struct sk_buff *nlskb)
 {
 	struct netlink_sock *nlk = nlk_sk(sk);
@@ -86,10 +51,6 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
 	    sock_diag_put_meminfo(sk, skb, NETLINK_DIAG_MEMINFO))
 		goto out_nlmsg_trim;
 
-	if ((req->ndiag_show & NDIAG_SHOW_RING_CFG) &&
-	    sk_diag_put_rings_cfg(sk, skb))
-		goto out_nlmsg_trim;
-
 	return nlmsg_end(skb, nlh);
 
 out_nlmsg_trim:
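Review bot: Dropping the NDIAG_SHOW_RING_CFG branch from sk_diag_fill() means a request with that bit set is now silently ignored and the reply carries no ring attribute. That matches what the removed #else stub did (it returned 0), but it deserves a sentence in the changelog so that tools requesting the ring configuration know to expect nothing back.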
-- 
2.12.2


* [PATCH 3.12 044/142] crypto: ghash-clmulni - Fix load failure
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (42 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 043/142] netlink: remove mmapped netlink support Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 045/142] crypto: cryptd - Assign statesize properly Jiri Slaby
                   ` (99 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Wang, Rui Y, Herbert Xu, Sumit Semwal, Jiri Slaby

From: "Wang, Rui Y" <rui.y.wang@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3a020a723c65eb8ffa7c237faca26521a024e582 upstream.

ghash_clmulni_intel fails to load on Linux 4.3+ with the following message:
"modprobe: ERROR: could not insert 'ghash_clmulni_intel': Invalid argument"

After 8996eafdc ("crypto: ahash - ensure statesize is non-zero") all ahash
drivers are required to implement import()/export(), and must have a non-
zero statesize.

This patch has been tested with the algif_hash interface. The calculated
digest values, after several rounds of import()s and export()s, match those
calculated by tcrypt.

Signed-off-by: Rui Wang <rui.y.wang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/crypto/ghash-clmulni-intel_glue.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/arch/x86/crypto/ghash-clmulni-intel_glue.c b/arch/x86/crypto/ghash-clmulni-intel_glue.c
index 4bcf841e4701..3deb8e533359 100644
--- a/arch/x86/crypto/ghash-clmulni-intel_glue.c
+++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c
@@ -218,6 +218,29 @@ static int ghash_async_final(struct ahash_request *req)
 	}
 }
 
+static int ghash_async_import(struct ahash_request *req, const void *in)
+{
+	struct ahash_request *cryptd_req = ahash_request_ctx(req);
+	struct shash_desc *desc = cryptd_shash_desc(cryptd_req);
+	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+
+	ghash_async_init(req);
+	memcpy(dctx, in, sizeof(*dctx));
+	return 0;
+
+}
+
+static int ghash_async_export(struct ahash_request *req, void *out)
+{
+	struct ahash_request *cryptd_req = ahash_request_ctx(req);
+	struct shash_desc *desc = cryptd_shash_desc(cryptd_req);
+	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+
+	memcpy(out, dctx, sizeof(*dctx));
+	return 0;
+
+}
+
 static int ghash_async_digest(struct ahash_request *req)
 {
 	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
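Review bot: in ghash_async_import() the result of ghash_async_init(req) is discarded before the memcpy() into dctx; if that call can fail, import should return its error rather than copy state into a descriptor that was not set up. Both new functions also copy sizeof(*dctx) bytes to or from a caller buffer that carries no length of its own, so they are only safe while .statesize stays equal to sizeof(struct ghash_desc_ctx); a short comment tying the two together would help. Style: drop the blank line before the closing brace in both functions.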
@@ -285,8 +308,11 @@ static struct ahash_alg ghash_async_alg = {
 	.final		= ghash_async_final,
 	.setkey		= ghash_async_setkey,
 	.digest		= ghash_async_digest,
+	.export		= ghash_async_export,
+	.import		= ghash_async_import,
 	.halg = {
 		.digestsize	= GHASH_DIGEST_SIZE,
+		.statesize = sizeof(struct ghash_desc_ctx),
 		.base = {
 			.cra_name		= "ghash",
 			.cra_driver_name	= "ghash-clmulni",
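Review bot: the new ".statesize = sizeof(struct ghash_desc_ctx)," line is aligned with spaces while the neighbouring .digestsize uses a tab before "="; match the surrounding initializer so the block stays consistent.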
-- 
2.12.2

* [PATCH 3.12 045/142] crypto: cryptd - Assign statesize properly
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (43 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 044/142] crypto: ghash-clmulni - Fix load failure Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 046/142] ACPI / video: skip evaluating _DOD when it does not exist Jiri Slaby
                   ` (98 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Wang, Rui Y, Herbert Xu, Sumit Semwal, Jiri Slaby

From: "Wang, Rui Y" <rui.y.wang@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1a07834024dfca5c4bed5de8f8714306e0a11836 upstream.

cryptd_create_hash() fails by returning -EINVAL.  It is because after
8996eafdc ("crypto: ahash - ensure statesize is non-zero") all ahash
drivers must have a non-zero statesize.

This patch fixes the problem by properly assigning the statesize.

Signed-off-by: Rui Wang <rui.y.wang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 crypto/cryptd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index d85fab975514..acbe1b978431 100644
--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -606,6 +606,7 @@ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
 	inst->alg.halg.base.cra_flags = CRYPTO_ALG_ASYNC;
 
 	inst->alg.halg.digestsize = salg->digestsize;
+	inst->alg.halg.statesize = salg->statesize;
 	inst->alg.halg.base.cra_ctxsize = sizeof(struct cryptd_hash_ctx);
 
 	inst->alg.halg.base.cra_init = cryptd_hash_init_tfm;
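Review bot: statesize is taken straight from salg->statesize, so an underlying shash that itself reports a zero statesize will still make cryptd_create_hash() fail with -EINVAL. That is arguably correct, but the commit message only covers the case where the inner algorithm already has a non-zero statesize (as the ghash-clmulni patch just before this one in the series arranges); a note on that ordering dependency would help anyone bisecting the stable tree.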
-- 
2.12.2

* [PATCH 3.12 046/142] ACPI / video: skip evaluating _DOD when it does not exist
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (44 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 045/142] crypto: cryptd - Assign statesize properly Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 047/142] Drivers: hv: balloon: don't crash when memory is added in non-sorted order Jiri Slaby
                   ` (97 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Alex Hung, Rafael J . Wysocki, Sumit Semwal, Jiri Slaby

From: Alex Hung <alex.hung@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e34fbbac669de0b7fb7803929d0477f35f6e2833 upstream.

Some systems support hybrid graphics and their discrete VGA
does not have any connectors and therefore has no _DOD method.

Signed-off-by: Alex Hung <alex.hung@canonical.com>
Reviewed-by: Aaron Lu <aaron.lu@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/acpi/video.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
index ff5ec8ecc257..cf7efcda09e1 100644
--- a/drivers/acpi/video.c
+++ b/drivers/acpi/video.c
@@ -1174,6 +1174,9 @@ static int acpi_video_device_enumerate(struct acpi_video_bus *video)
 	union acpi_object *dod = NULL;
 	union acpi_object *obj;
 
+	if (!video->cap._DOD)
+		return AE_NOT_EXIST;
+
 	status = acpi_evaluate_object(video->device->handle, "_DOD", NULL, &buffer);
 	if (!ACPI_SUCCESS(status)) {
 		ACPI_EXCEPTION((AE_INFO, status, "Evaluating _DOD"));
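Review bot: acpi_video_device_enumerate() is declared as returning int, but the new early exit returns AE_NOT_EXIST, which is an acpi_status code, so the function now mixes two error conventions. Callers that test the result as a negative errno will not treat this as a failure; either return a negative errno here or check what the existing error paths in this function return and match them.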
-- 
2.12.2

* [PATCH 3.12 047/142] Drivers: hv: balloon: don't crash when memory is added in non-sorted order
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (45 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 046/142] ACPI / video: skip evaluating _DOD when it does not exist Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 048/142] Drivers: hv: avoid vfree() on crash Jiri Slaby
                   ` (96 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Vitaly Kuznetsov, K . Y . Srinivasan, Sumit Semwal,
	Jiri Slaby

From: Vitaly Kuznetsov <vkuznets@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 77c0c9735bc0ba5898e637a3a20d6bcb50e3f67d upstream.

When we iterate through all HA regions in handle_pg_range() we have an
assumption that all these regions are sorted in the list and the
'start_pfn >= has->end_pfn' check is enough to find the proper region.
Unfortunately it's not the case with WS2016 where host can hot-add regions
in a different order. We end up modifying the wrong HA region and crashing
later on pages online. Modify the check to make sure we found the region
we were searching for while iterating. Fix the same check in pfn_covered()
as well.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/hv/hv_balloon.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
index 393fd8a98735..17109ce27fe8 100644
--- a/drivers/hv/hv_balloon.c
+++ b/drivers/hv/hv_balloon.c
@@ -673,7 +673,7 @@ static bool pfn_covered(unsigned long start_pfn, unsigned long pfn_cnt)
 		 * If the pfn range we are dealing with is not in the current
 		 * "hot add block", move on.
 		 */
-		if ((start_pfn >= has->end_pfn))
+		if (start_pfn < has->start_pfn || start_pfn >= has->end_pfn)
 			continue;
 		/*
 		 * If the current hot add-request extends beyond
@@ -728,7 +728,7 @@ static unsigned long handle_pg_range(unsigned long pg_start,
 		 * If the pfn range we are dealing with is not in the current
 		 * "hot add block", move on.
 		 */
-		if ((start_pfn >= has->end_pfn))
+		if (start_pfn < has->start_pfn || start_pfn >= has->end_pfn)
 			continue;
 
 		old_covered_state = has->covered_end_pfn;
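Review bot: the same two-sided test, "start_pfn < has->start_pfn || start_pfn >= has->end_pfn", is now open-coded here and in pfn_covered(); a small helper taking has and start_pfn would keep the two copies from drifting apart again. Only start_pfn is checked against the region while the comment above still speaks of "the pfn range", so a request that starts inside one region and runs past has->end_pfn depends on the code that follows; the comment should say so.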
-- 
2.12.2

* [PATCH 3.12 048/142] Drivers: hv: avoid vfree() on crash
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (46 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 047/142] Drivers: hv: balloon: don't crash when memory is added in non-sorted order Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 049/142] KVM: PPC: Book3S PR: Fix illegal opcode emulation Jiri Slaby
                   ` (95 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Vitaly Kuznetsov, K . Y . Srinivasan, Sumit Semwal,
	Jiri Slaby

From: Vitaly Kuznetsov <vkuznets@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit a9f61ca793becabdefab03b77568d6c6f8c1bc79 upstream.

When we crash from NMI context (e.g. after NMI injection from host when
'sysctl -w kernel.unknown_nmi_panic=1' is set) we hit

    kernel BUG at mm/vmalloc.c:1530!

as vfree() is denied. While the issue could be solved with in_nmi() check
instead I opted for skipping vfree on all sorts of crashes to reduce the
amount of work which can cause consequent crashes. We don't really need to
free anything on crash.

[js] no tsc and kexec in 3.12 yet

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/hv/hv.c           | 5 +++--
 drivers/hv/hyperv_vmbus.h | 2 +-
 drivers/hv/vmbus_drv.c    | 4 ++--
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
index 9c0d458ec232..24d3ceec9d0a 100644
--- a/drivers/hv/hv.c
+++ b/drivers/hv/hv.c
@@ -193,7 +193,7 @@ cleanup:
  *
  * This routine is called normally during driver unloading or exiting.
  */
-void hv_cleanup(void)
+void hv_cleanup(bool crash)
 {
 	union hv_x64_msr_hypercall_contents hypercall_msr;
 
@@ -203,7 +203,8 @@ void hv_cleanup(void)
 	if (hv_context.hypercall_page) {
 		hypercall_msr.as_uint64 = 0;
 		wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
-		vfree(hv_context.hypercall_page);
+		if (!crash)
+			vfree(hv_context.hypercall_page);
 		hv_context.hypercall_page = NULL;
 	}
 }
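Review bot: when crash is true the hypercall page is deliberately leaked, yet hv_context.hypercall_page is still set to NULL right after the skipped vfree(), which reads like a bug without context. Add a comment at the "if (!crash)" line saying that vfree() is not allowed on the crash (NMI) path and that nothing needs freeing there, and update the function's header comment, which still describes only the unload case, to document the new parameter.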
diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
index d84918fe19ab..862004c15c41 100644
--- a/drivers/hv/hyperv_vmbus.h
+++ b/drivers/hv/hyperv_vmbus.h
@@ -519,7 +519,7 @@ extern struct hv_context hv_context;
 
 extern int hv_init(void);
 
-extern void hv_cleanup(void);
+extern void hv_cleanup(bool crash);
 
 extern int hv_post_message(union hv_connection_id connection_id,
 			 enum hv_message_type message_type,
diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
index d13f3dda6769..37f697fcf477 100644
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -622,7 +622,7 @@ err_unregister:
 	bus_unregister(&hv_bus);
 
 err_cleanup:
-	hv_cleanup();
+	hv_cleanup(false);
 
 	return ret;
 }
@@ -845,7 +845,7 @@ static void __exit vmbus_exit(void)
 	free_irq(irq, hv_acpi_dev);
 	vmbus_free_channels();
 	bus_unregister(&hv_bus);
-	hv_cleanup();
+	hv_cleanup(false);
 	acpi_bus_unregister_driver(&vmbus_acpi_driver);
 	hv_cpu_hotplug_quirk(false);
 }
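Review bot: both call sites touched by this patch pass false, so in this 3.12 backport the crash == true branch of hv_cleanup() is never taken. The "[js] no tsc and kexec in 3.12 yet" line hints at why, but the commit message should state plainly that the backport only changes the interface and has no behavioural effect until a crash-path caller exists.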
-- 
2.12.2

* [PATCH 3.12 049/142] KVM: PPC: Book3S PR: Fix illegal opcode emulation
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (47 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 048/142] Drivers: hv: avoid vfree() on crash Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 050/142] s390/pci: fix use after free in dma_init Jiri Slaby
                   ` (94 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Thomas Huth, Paul Mackerras, Sumit Semwal, Jiri Slaby

From: Thomas Huth <thuth@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 708e75a3ee750dce1072134e630d66c4e6eaf63c upstream.

If kvmppc_handle_exit_pr() calls kvmppc_emulate_instruction() to emulate
one instruction (in the BOOK3S_INTERRUPT_H_EMUL_ASSIST case), it calls
kvmppc_core_queue_program() afterwards if kvmppc_emulate_instruction()
returned EMULATE_FAIL, so the guest gets a program interrupt for the
illegal opcode.
However, the kvmppc_emulate_instruction() also tried to inject a
program exception for this already, so the program interrupt gets
injected twice and the return address in srr0 gets destroyed.
All other callers of kvmppc_emulate_instruction() are also injecting
a program interrupt, and since the callers have the right knowledge
about the srr1 flags that should be used, it is the function
kvmppc_emulate_instruction() that should _not_ inject program
interrupts, so remove the kvmppc_core_queue_program() here.

This fixes the issue discovered by Laurent Vivier with kvm-unit-tests
where the logs are filled with these messages when the test tries
to execute an illegal instruction:

     Couldn't emulate instruction 0x00000000 (op 0 xop 0)
     kvmppc_handle_exit_pr: emulation at 700 failed (00000000)

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Tested-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/powerpc/kvm/emulate.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/arch/powerpc/kvm/emulate.c b/arch/powerpc/kvm/emulate.c
index 751cd45f65a0..128651aa8437 100644
--- a/arch/powerpc/kvm/emulate.c
+++ b/arch/powerpc/kvm/emulate.c
@@ -471,7 +471,6 @@ int kvmppc_emulate_instruction(struct kvm_run *run, struct kvm_vcpu *vcpu)
 			advance = 0;
 			printk(KERN_ERR "Couldn't emulate instruction 0x%08x "
 			       "(op %d xop %d)\n", inst, get_op(inst), get_xop(inst));
-			kvmppc_core_queue_program(vcpu, 0);
 		}
 	}
 
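Review bot: with kvmppc_core_queue_program() removed, this branch still issues an unconditional printk(KERN_ERR ...) for every instruction that cannot be emulated, and the commit message notes that a guest executing illegal instructions fills the host log with it. Since the guest controls how often this fires, consider printk_ratelimited() or a lower log level here; that can be a follow-up, as it is outside what the upstream commit changes.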
-- 
2.12.2

* [PATCH 3.12 050/142] s390/pci: fix use after free in dma_init
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (48 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 049/142] KVM: PPC: Book3S PR: Fix illegal opcode emulation Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 051/142] kernek/fork.c: allocate idle task for a CPU always on its local node Jiri Slaby
                   ` (93 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Sebastian Ott, Martin Schwidefsky, Sumit Semwal,
	Jiri Slaby

From: Sebastian Ott <sebott@linux.vnet.ibm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit dba599091c191d209b1499511a524ad9657c0e5a upstream.

After a failure during registration of the dma_table (because of the
function being in error state) we free its memory but don't reset the
associated pointer to zero.

When we then receive a notification from firmware (about the function
being in error state) we'll try to walk and free the dma_table again.

Fix this by resetting the dma_table pointer. In addition to that make
sure that we free the iommu_bitmap when appropriate.

Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/s390/pci/pci_dma.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/arch/s390/pci/pci_dma.c b/arch/s390/pci/pci_dma.c
index 7e5573acb063..9b76189d3375 100644
--- a/arch/s390/pci/pci_dma.c
+++ b/arch/s390/pci/pci_dma.c
@@ -416,7 +416,7 @@ int zpci_dma_init_device(struct zpci_dev *zdev)
 	zdev->dma_table = dma_alloc_cpu_table();
 	if (!zdev->dma_table) {
 		rc = -ENOMEM;
-		goto out_clean;
+		goto out;
 	}
 
 	zdev->iommu_size = (unsigned long) high_memory - PAGE_OFFSET;
@@ -424,7 +424,7 @@ int zpci_dma_init_device(struct zpci_dev *zdev)
 	zdev->iommu_bitmap = vzalloc(zdev->iommu_pages / 8);
 	if (!zdev->iommu_bitmap) {
 		rc = -ENOMEM;
-		goto out_reg;
+		goto free_dma_table;
 	}
 
 	rc = zpci_register_ioat(zdev,
@@ -433,12 +433,16 @@ int zpci_dma_init_device(struct zpci_dev *zdev)
 				zdev->start_dma + zdev->iommu_size - 1,
 				(u64) zdev->dma_table);
 	if (rc)
-		goto out_reg;
-	return 0;
+		goto free_bitmap;
 
-out_reg:
+	return 0;
+free_bitmap:
+	vfree(zdev->iommu_bitmap);
+	zdev->iommu_bitmap = NULL;
+free_dma_table:
 	dma_free_cpu_table(zdev->dma_table);
-out_clean:
+	zdev->dma_table = NULL;
+out:
 	return rc;
 }
 
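Review bot: add a blank line between "return 0;" and the "free_bitmap:" label so the success return is visually separated from the unwind path. The unwind itself is ordered correctly (bitmap first, then dma_table, each pointer reset to NULL after the free), which is what keeps the later firmware-notification path described in the commit message from walking a freed table.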
-- 
2.12.2

* [PATCH 3.12 051/142] kernek/fork.c: allocate idle task for a CPU always on its local node
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (49 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 050/142] s390/pci: fix use after free in dma_init Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 052/142] perf/core: Fix event inheritance on fork() Jiri Slaby
                   ` (92 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Andi Kleen, Thomas Gleixner, Andrew Morton,
	Linus Torvalds, Sumit Semwal, Jiri Slaby

From: Andi Kleen <ak@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 725fc629ff2545b061407305ae51016c9f928fce upstream.

Linux preallocates the task structs of the idle tasks for all possible
CPUs.  This currently means they all end up on node 0.  This also
implies that the cache line of MWAIT, which is around the flags field in
the task struct, are all located in node 0.

We see a noticeable performance improvement on Knights Landing CPUs when
the cache lines used for MWAIT are located in the local nodes of the
CPUs using them.  I would expect this to give a (likely slight)
improvement on other systems too.

The patch implements placing the idle task in the node of its CPUs, by
passing the right target node to copy_process()

[js] to tls in copy_process in 3.12 yet

[akpm@linux-foundation.org: use NUMA_NO_NODE, not a bare -1]
Link: http://lkml.kernel.org/r/1463492694-15833-1-git-send-email-andi@firstfloor.org
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 kernel/fork.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index 360c1d46e842..00e6407cc85a 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -292,14 +292,15 @@ int __attribute__((weak)) arch_dup_task_struct(struct task_struct *dst,
 	return 0;
 }
 
-static struct task_struct *dup_task_struct(struct task_struct *orig)
+static struct task_struct *dup_task_struct(struct task_struct *orig, int node)
 {
 	struct task_struct *tsk;
 	struct thread_info *ti;
 	unsigned long *stackend;
-	int node = tsk_fork_get_node(orig);
 	int err;
 
+	if (node == NUMA_NO_NODE)
+		node = tsk_fork_get_node(orig);
 	tsk = alloc_task_struct_node(node);
 	if (!tsk)
 		return NULL;
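Review bot: dup_task_struct() now gives NUMA_NO_NODE a special meaning (fall back to tsk_fork_get_node(orig)) but nothing documents it; add a short comment above the "if (node == NUMA_NO_NODE)" test or on the function itself. A blank line after that two-line block, before the alloc_task_struct_node() call, would also match the surrounding style.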
@@ -1142,7 +1143,8 @@ static struct task_struct *copy_process(unsigned long clone_flags,
 					unsigned long stack_size,
 					int __user *child_tidptr,
 					struct pid *pid,
-					int trace)
+					int trace,
+					int node)
 {
 	int retval;
 	struct task_struct *p;
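Review bot: copy_process() now ends in two adjacent int parameters, trace and node, so a call that swaps them compiles without any warning. The two callers in this patch pass them in the right order, but a comment on the prototype describing node, and that NUMA_NO_NODE means no preference, would reduce the risk for later backports that add callers.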
@@ -1195,7 +1197,7 @@ static struct task_struct *copy_process(unsigned long clone_flags,
 		goto fork_out;
 
 	retval = -ENOMEM;
-	p = dup_task_struct(current);
+	p = dup_task_struct(current, node);
 	if (!p)
 		goto fork_out;
 
@@ -1565,7 +1567,8 @@ static inline void init_idle_pids(struct pid_link *links)
 struct task_struct *fork_idle(int cpu)
 {
 	struct task_struct *task;
-	task = copy_process(CLONE_VM, 0, 0, NULL, &init_struct_pid, 0);
+	task = copy_process(CLONE_VM, 0, 0, NULL, &init_struct_pid, 0,
+			    cpu_to_node(cpu));
 	if (!IS_ERR(task)) {
 		init_idle_pids(task->pids);
 		init_idle(task, cpu);
@@ -1609,7 +1612,7 @@ long do_fork(unsigned long clone_flags,
 	}
 
 	p = copy_process(clone_flags, stack_start, stack_size,
-			 child_tidptr, NULL, trace);
+			 child_tidptr, NULL, trace, NUMA_NO_NODE);
 	/*
 	 * Do this prior waking up the new thread - the thread pointer
 	 * might get invalid after that point, if the thread exits quickly.
-- 
2.12.2

* [PATCH 3.12 052/142] perf/core: Fix event inheritance on fork()
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (50 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 051/142] kernek/fork.c: allocate idle task for a CPU always on its local node Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 053/142] cpufreq: Fix and clean up show_cpuinfo_cur_freq() Jiri Slaby
                   ` (91 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Peter Zijlstra, Alexander Shishkin,
	Arnaldo Carvalho de Melo, Arnaldo Carvalho de Melo,
	Dmitry Vyukov, Frederic Weisbecker, Jiri Olsa, Linus Torvalds,
	Mathieu Desnoyers, Stephane Eranian, Thomas Gleixner,
	Vince Weaver, oleg, Ingo Molnar, Jiri Slaby

From: Peter Zijlstra <peterz@infradead.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e7cc4865f0f31698ef2f7aac01a50e78968985b7 upstream.

While hunting for clues to a use-after-free, Oleg spotted that
perf_event_init_context() can lose an error value with the result
that fork() can succeed even though we did not fully inherit the perf
event context.

Spotted-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: oleg@redhat.com
Fixes: 889ff0150661 ("perf/core: Split context's event group list into pinned and non-pinned lists")
Link: http://lkml.kernel.org/r/20170316125823.190342547@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 kernel/events/core.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index a4a1516f3efc..0a360d3868c5 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7754,7 +7754,7 @@ int perf_event_init_context(struct task_struct *child, int ctxn)
 		ret = inherit_task_group(event, parent, parent_ctx,
 					 child, ctxn, &inherited_all);
 		if (ret)
-			break;
+			goto out_unlock;
 	}
 
 	/*
@@ -7770,7 +7770,7 @@ int perf_event_init_context(struct task_struct *child, int ctxn)
 		ret = inherit_task_group(event, parent, parent_ctx,
 					 child, ctxn, &inherited_all);
 		if (ret)
-			break;
+			goto out_unlock;
 	}
 
 	raw_spin_lock_irqsave(&parent_ctx->lock, flags);
@@ -7798,6 +7798,7 @@ int perf_event_init_context(struct task_struct *child, int ctxn)
 	}
 
 	raw_spin_unlock_irqrestore(&parent_ctx->lock, flags);
+out_unlock:
 	mutex_unlock(&parent_ctx->mutex);
 
 	perf_unpin_context(parent_ctx);
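Review bot: the new out_unlock label sits after raw_spin_unlock_irqrestore(), so an inherit_task_group() failure now skips the whole block that runs under parent_ctx->lock. Please confirm nothing in that block is needed on the error path. It would also help to say in the commit message that the old "break" in the first loop appears to let the second loop overwrite ret, since that is the lost error value and it is not obvious from the diff alone.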
-- 
2.12.2

* [PATCH 3.12 053/142] cpufreq: Fix and clean up show_cpuinfo_cur_freq()
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (51 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 052/142] perf/core: Fix event inheritance on fork() Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 054/142] target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export Jiri Slaby
                   ` (90 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Rafael J. Wysocki, Jiri Slaby

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 9b4f603e7a9f4282aec451063ffbbb8bb410dcd9 upstream.

There is a missing newline in show_cpuinfo_cur_freq(), so add it,
but while at it clean that function up somewhat too.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/cpufreq/cpufreq.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index a7b2a5f53b2b..ac6ed021f2de 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -462,9 +462,11 @@ static ssize_t show_cpuinfo_cur_freq(struct cpufreq_policy *policy,
 					char *buf)
 {
 	unsigned int cur_freq = __cpufreq_get(policy->cpu);
-	if (!cur_freq)
-		return sprintf(buf, "<unknown>");
-	return sprintf(buf, "%u\n", cur_freq);
+
+	if (cur_freq)
+		return sprintf(buf, "%u\n", cur_freq);
+
+	return sprintf(buf, "<unknown>\n");
 }
 
 /**
-- 
2.12.2

* [PATCH 3.12 054/142] target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (52 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 053/142] cpufreq: Fix and clean up show_cpuinfo_cur_freq() Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 055/142] scsi: lpfc: Add shutdown method for kexec Jiri Slaby
                   ` (89 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Nicholas Bellinger, Jiri Slaby

From: Nicholas Bellinger <nab@linux-iscsi.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit a04e54f2c35823ca32d56afcd5cea5b783e2f51a upstream.

The following fixes a divide by zero OOPs with TYPE_TAPE
due to pscsi_tape_read_blocksize() failing causing a zero
sd->sector_size being propagated up via dev_attrib.hw_block_size.

It also fixes another long-standing bug where TYPE_TAPE and
TYPE_MEDIMUM_CHANGER were using pscsi_create_type_other(),
which does not call scsi_device_get() to take the device
reference.  Instead, rename pscsi_create_type_rom() to
pscsi_create_type_nondisk() and use it for all cases.

Finally, also drop a dump_stack() in pscsi_get_blocks() for
non TYPE_DISK, which in modern target-core can get invoked
via target_sense_desc_format() during CHECK_CONDITION.

[js] cast max_sectors to unsigned to avoid warnings

Reported-by: Malcolm Haak <insanemal@gmail.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/target/target_core_pscsi.c | 47 ++++++++++----------------------------
 1 file changed, 12 insertions(+), 35 deletions(-)

diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
index 9b90cfacf75c..a67877503234 100644
--- a/drivers/target/target_core_pscsi.c
+++ b/drivers/target/target_core_pscsi.c
@@ -157,7 +157,7 @@ static void pscsi_tape_read_blocksize(struct se_device *dev,
 
 	buf = kzalloc(12, GFP_KERNEL);
 	if (!buf)
-		return;
+		goto out_free;
 
 	memset(cdb, 0, MAX_COMMAND_SIZE);
 	cdb[0] = MODE_SENSE;
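Review bot: the "goto out_free" on kzalloc() failure now exists to reach the 1024-byte default rather than to free anything, and it relies on kfree(NULL) being a no-op. That works, but the label name no longer describes what happens there; a name such as out_default, or a one-line comment at the label, would make the intended fallthrough clear.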
@@ -172,9 +172,10 @@ static void pscsi_tape_read_blocksize(struct se_device *dev,
 	 * If MODE_SENSE still returns zero, set the default value to 1024.
 	 */
 	sdev->sector_size = (buf[9] << 16) | (buf[10] << 8) | (buf[11]);
+out_free:
 	if (!sdev->sector_size)
 		sdev->sector_size = 1024;
-out_free:
+
 	kfree(buf);
 }
 
@@ -317,9 +318,10 @@ static int pscsi_add_device_to_list(struct se_device *dev,
 				sd->lun, sd->queue_depth);
 	}
 
-	dev->dev_attrib.hw_block_size = sd->sector_size;
+	dev->dev_attrib.hw_block_size =
+		min_not_zero((int)sd->sector_size, 512);
 	dev->dev_attrib.hw_max_sectors =
-		min_t(int, sd->host->max_sectors, queue_max_hw_sectors(q));
+		min_not_zero((unsigned)sd->host->max_sectors, queue_max_hw_sectors(q));
 	dev->dev_attrib.hw_queue_depth = sd->queue_depth;
 
 	/*
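Review bot: min_not_zero((int)sd->sector_size, 512) returns the smaller non-zero value, so it caps hw_block_size at 512 for any device whose sector_size is larger, not only when sector_size is zero. If the intent is just to avoid a zero block size, test sd->sector_size explicitly and fall back to 512 only in that case. The (int) and (unsigned) casts added to satisfy the type check in min_not_zero() also use different signedness in the two assignments; pick one.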
@@ -342,8 +344,10 @@ static int pscsi_add_device_to_list(struct se_device *dev,
 	/*
 	 * For TYPE_TAPE, attempt to determine blocksize with MODE_SENSE.
 	 */
-	if (sd->type == TYPE_TAPE)
+	if (sd->type == TYPE_TAPE) {
 		pscsi_tape_read_blocksize(dev, sd);
+		dev->dev_attrib.hw_block_size = sd->sector_size;
+	}
 	return 0;
 }
 
@@ -409,7 +413,7 @@ static int pscsi_create_type_disk(struct se_device *dev, struct scsi_device *sd)
 /*
  * Called with struct Scsi_Host->host_lock called.
  */
-static int pscsi_create_type_rom(struct se_device *dev, struct scsi_device *sd)
+static int pscsi_create_type_nondisk(struct se_device *dev, struct scsi_device *sd)
 	__releases(sh->host_lock)
 {
 	struct pscsi_hba_virt *phv = dev->se_hba->hba_ptr;
@@ -436,28 +440,6 @@ static int pscsi_create_type_rom(struct se_device *dev, struct scsi_device *sd)
 	return 0;
 }
 
-/*
- * Called with struct Scsi_Host->host_lock called.
- */
-static int pscsi_create_type_other(struct se_device *dev,
-		struct scsi_device *sd)
-	__releases(sh->host_lock)
-{
-	struct pscsi_hba_virt *phv = dev->se_hba->hba_ptr;
-	struct Scsi_Host *sh = sd->host;
-	int ret;
-
-	spin_unlock_irq(sh->host_lock);
-	ret = pscsi_add_device_to_list(dev, sd);
-	if (ret)
-		return ret;
-
-	pr_debug("CORE_PSCSI[%d] - Added Type: %s for %d:%d:%d:%d\n",
-		phv->phv_host_id, scsi_device_type(sd->type), sh->host_no,
-		sd->channel, sd->id, sd->lun);
-	return 0;
-}
-
 static int pscsi_configure_device(struct se_device *dev)
 {
 	struct se_hba *hba = dev->se_hba;
@@ -545,11 +527,8 @@ static int pscsi_configure_device(struct se_device *dev)
 		case TYPE_DISK:
 			ret = pscsi_create_type_disk(dev, sd);
 			break;
-		case TYPE_ROM:
-			ret = pscsi_create_type_rom(dev, sd);
-			break;
 		default:
-			ret = pscsi_create_type_other(dev, sd);
+			ret = pscsi_create_type_nondisk(dev, sd);
 			break;
 		}
 
@@ -606,8 +585,7 @@ static void pscsi_free_device(struct se_device *dev)
 		else if (pdv->pdv_lld_host)
 			scsi_host_put(pdv->pdv_lld_host);
 
-		if ((sd->type == TYPE_DISK) || (sd->type == TYPE_ROM))
-			scsi_device_put(sd);
+		scsi_device_put(sd);
 
 		pdv->pdv_sd = NULL;
 	}
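Review bot: making scsi_device_put(sd) unconditional in pscsi_free_device() is only balanced if every device type holds a reference by the time it gets here. The matching get is not in this hunk, so the commit message should say where pscsi_create_type_nondisk() or its callers take it; otherwise types other than TYPE_DISK and TYPE_ROM would drop a reference they never held.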
@@ -1124,7 +1102,6 @@ static sector_t pscsi_get_blocks(struct se_device *dev)
 	if (pdv->pdv_bd && pdv->pdv_bd->bd_part)
 		return pdv->pdv_bd->bd_part->nr_sects;
 
-	dump_stack();
 	return 0;
 }
 
-- 
2.12.2


* [PATCH 3.12 055/142] scsi: lpfc: Add shutdown method for kexec
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (53 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 054/142] target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 056/142] isdn/gigaset: fix NULL-deref at probe Jiri Slaby
                   ` (88 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Anton Blanchard, Martin K . Petersen, Jiri Slaby

From: Anton Blanchard <anton@samba.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 85e8a23936ab3442de0c42da97d53b29f004ece1 upstream.

We see lpfc devices regularly fail during kexec. Fix this by adding a
shutdown method which mirrors the remove method.

Signed-off-by: Anton Blanchard <anton@samba.org>
Reviewed-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Tested-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/scsi/lpfc/lpfc_init.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index 3b73eea72946..7656f8b46649 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -10907,6 +10907,7 @@ static struct pci_driver lpfc_driver = {
 	.id_table	= lpfc_id_table,
 	.probe		= lpfc_pci_probe_one,
 	.remove		= lpfc_pci_remove_one,
+	.shutdown	= lpfc_pci_remove_one,
 	.suspend        = lpfc_pci_suspend_one,
 	.resume		= lpfc_pci_resume_one,
 	.err_handler    = &lpfc_err_handler,
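Review bot: .shutdown points at lpfc_pci_remove_one, so every reboot and poweroff, not just kexec, now runs the complete remove path. The commit message gives only the kexec failure as motivation; it should state that a full teardown at shutdown is intended and safe, or the patch should use a dedicated shutdown handler that only quiesces the adapter.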
-- 
2.12.2


* [PATCH 3.12 056/142] isdn/gigaset: fix NULL-deref at probe
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (54 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 055/142] scsi: lpfc: Add shutdown method for kexec Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 057/142] xen: do not re-use pirq number cached in pci device msi msg data Jiri Slaby
                   ` (87 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Johan Hovold, Hansjoerg Lipp, David S . Miller, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 68c32f9c2a36d410aa242e661506e5b2c2764179 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: cf7776dc05b8 ("[PATCH] isdn4linux: Siemens Gigaset drivers - direct USB connection")
Cc: Hansjoerg Lipp <hjlipp@web.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/isdn/gigaset/bas-gigaset.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c
index c44950d3eb7b..6d4d9c1c2cf0 100644
--- a/drivers/isdn/gigaset/bas-gigaset.c
+++ b/drivers/isdn/gigaset/bas-gigaset.c
@@ -2317,6 +2317,9 @@ static int gigaset_probe(struct usb_interface *interface,
 		return -ENODEV;
 	}
 
+	if (hostif->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	dev_info(&udev->dev,
 		 "%s: Device matched (Vendor: 0x%x, Product: 0x%x)\n",
 		 __func__, le16_to_cpu(udev->descriptor.idVendor),
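Review bot: the added bNumEndpoints < 1 test returns -ENODEV silently, so a device rejected for lacking endpoints leaves no trace in the log. A dev_err() naming the interface would make a malformed or hostile descriptor visible to whoever is triaging it. The bound of 1 also only covers the first endpoint; if probe indexes any endpoint beyond that, the limit should match the highest index it uses.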
-- 
2.12.2


* [PATCH 3.12 057/142] xen: do not re-use pirq number cached in pci device msi msg data
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (55 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 056/142] isdn/gigaset: fix NULL-deref at probe Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 058/142] igb: Workaround for igb i210 firmware issue Jiri Slaby
                   ` (86 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Dan Streetman, Dan Streetman, Boris Ostrovsky,
	Sasha Levin, Jiri Slaby

From: Dan Streetman <ddstreet@ieee.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit c74fd80f2f41d05f350bb478151021f88551afe8 ]

Revert the main part of commit:
af42b8d12f8a ("xen: fix MSI setup and teardown for PV on HVM guests")

That commit introduced reading the pci device's msi message data to see
if a pirq was previously configured for the device's msi/msix, and re-use
that pirq.  At the time, that was the correct behavior.  However, a
later change to Qemu caused it to call into the Xen hypervisor to unmap
all pirqs for a pci device, when the pci device disables its MSI/MSIX
vectors; specifically the Qemu commit:
c976437c7dba9c7444fb41df45468968aaa326ad
("qemu-xen: free all the pirqs for msi/msix when driver unload")

Once Qemu added this pirq unmapping, it was no longer correct for the
kernel to re-use the pirq number cached in the pci device msi message
data.  All Qemu releases since 2.1.0 contain the patch that unmaps the
pirqs when the pci device disables its MSI/MSIX vectors.

This bug is causing failures to initialize multiple NVMe controllers
under Xen, because the NVMe driver sets up a single MSIX vector for
each controller (concurrently), and then after using that to talk to
the controller for some configuration data, it disables the single MSIX
vector and re-configures all the MSIX vectors it needs.  So the MSIX
setup code tries to re-use the cached pirq from the first vector
for each controller, but the hypervisor has already given away that
pirq to another controller, and its initialization fails.

This is discussed in more detail at:
https://lists.xen.org/archives/html/xen-devel/2017-01/msg00447.html

Fixes: af42b8d12f8a ("xen: fix MSI setup and teardown for PV on HVM guests")
Signed-off-by: Dan Streetman <dan.streetman@canonical.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/pci/xen.c | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c
index 48e8461057ba..6e4580b87600 100644
--- a/arch/x86/pci/xen.c
+++ b/arch/x86/pci/xen.c
@@ -227,23 +227,14 @@ static int xen_hvm_setup_msi_irqs(struct pci_dev *dev, int nvec, int type)
 		return 1;
 
 	list_for_each_entry(msidesc, &dev->msi_list, list) {
-		__read_msi_msg(msidesc, &msg);
-		pirq = MSI_ADDR_EXT_DEST_ID(msg.address_hi) |
-			((msg.address_lo >> MSI_ADDR_DEST_ID_SHIFT) & 0xff);
-		if (msg.data != XEN_PIRQ_MSI_DATA ||
-		    xen_irq_from_pirq(pirq) < 0) {
-			pirq = xen_allocate_pirq_msi(dev, msidesc);
-			if (pirq < 0) {
-				irq = -ENODEV;
-				goto error;
-			}
-			xen_msi_compose_msg(dev, pirq, &msg);
-			__write_msi_msg(msidesc, &msg);
-			dev_dbg(&dev->dev, "xen: msi bound to pirq=%d\n", pirq);
-		} else {
-			dev_dbg(&dev->dev,
-				"xen: msi already bound to pirq=%d\n", pirq);
+		pirq = xen_allocate_pirq_msi(dev, msidesc);
+		if (pirq < 0) {
+			irq = -ENODEV;
+			goto error;
 		}
+		xen_msi_compose_msg(dev, pirq, &msg);
+		__write_msi_msg(msidesc, &msg);
+		dev_dbg(&dev->dev, "xen: msi bound to pirq=%d\n", pirq);
 		irq = xen_bind_pirq_msi_to_irq(dev, msidesc, pirq,
 					       (type == PCI_CAP_ID_MSIX) ?
 					       "msi-x" : "msi",
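Review bot: with the cached-pirq branch gone, every pass through the list_for_each_entry loop calls xen_allocate_pirq_msi(), and the failure path is still a bare goto error. Please confirm in the commit message that the error label releases the pirqs allocated for earlier descriptors in the same call, since nothing in this hunk shows that cleanup and the reuse path that could have picked them up again no longer exists.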
-- 
2.12.2


* [PATCH 3.12 058/142] igb: Workaround for igb i210 firmware issue
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (56 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 057/142] xen: do not re-use pirq number cached in pci device msi msg data Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 059/142] igb: add i211 to i210 PHY workaround Jiri Slaby
                   ` (85 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Chris J Arges, Jeff Kirsher, Sasha Levin, Jiri Slaby

From: Chris J Arges <christopherarges@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 4e684f59d760a2c7c716bb60190783546e2d08a1 ]

Sometimes firmware may not properly initialize I347AT4_PAGE_SELECT causing
the probe of an igb i210 NIC to fail. This patch adds an additional zeroing
of this register during igb_get_phy_id to work around this issue.

Thanks to Jochen Henneberg for the idea and original patch.

Signed-off-by: Chris J Arges <christopherarges@gmail.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/ethernet/intel/igb/e1000_phy.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/ethernet/intel/igb/e1000_phy.c b/drivers/net/ethernet/intel/igb/e1000_phy.c
index ad2b74d95138..bd91752760d0 100644
--- a/drivers/net/ethernet/intel/igb/e1000_phy.c
+++ b/drivers/net/ethernet/intel/igb/e1000_phy.c
@@ -87,6 +87,10 @@ s32 igb_get_phy_id(struct e1000_hw *hw)
 	s32 ret_val = 0;
 	u16 phy_id;
 
+	/* ensure PHY page selection to fix misconfigured i210 */
+	if (hw->mac.type == e1000_i210)
+		phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0);
+
 	ret_val = phy->ops.read_reg(hw, PHY_ID1, &phy_id);
 	if (ret_val)
 		goto out;
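Review bot: the return value of phy->ops.write_reg() for I347AT4_PAGE_SELECT is discarded, while the read_reg() call right below it checks ret_val and bails out. If the page-select write fails, the PHY_ID1 read that follows may still hit the wrong page and the probe failure this works around comes back with no hint why. Suggest assigning the result to ret_val and taking the same goto out path, or at least logging the failure.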
-- 
2.12.2


* [PATCH 3.12 059/142] igb: add i211 to i210 PHY workaround
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (57 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 058/142] igb: Workaround for igb i210 firmware issue Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 060/142] net: properly release sk_frag.page Jiri Slaby
                   ` (84 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Todd Fujinaka, Jeff Kirsher, Sasha Levin, Jiri Slaby

From: Todd Fujinaka <todd.fujinaka@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 5bc8c230e2a993b49244f9457499f17283da9ec7 ]

i210 and i211 share the same PHY but have different PCI IDs. Don't
forget i211 for any i210 workarounds.

Signed-off-by: Todd Fujinaka <todd.fujinaka@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/ethernet/intel/igb/e1000_phy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/igb/e1000_phy.c b/drivers/net/ethernet/intel/igb/e1000_phy.c
index bd91752760d0..44274022a73b 100644
--- a/drivers/net/ethernet/intel/igb/e1000_phy.c
+++ b/drivers/net/ethernet/intel/igb/e1000_phy.c
@@ -88,7 +88,7 @@ s32 igb_get_phy_id(struct e1000_hw *hw)
 	u16 phy_id;
 
 	/* ensure PHY page selection to fix misconfigured i210 */
-	if (hw->mac.type == e1000_i210)
+	if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211))
 		phy->ops.write_reg(hw, I347AT4_PAGE_SELECT, 0);
 
 	ret_val = phy->ops.read_reg(hw, PHY_ID1, &phy_id);
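Review bot: the condition now covers e1000_i211, but the comment directly above it still says only "misconfigured i210". Update the comment to name both parts so the next person touching this workaround does not drop the i211 half.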
-- 
2.12.2


* [PATCH 3.12 060/142] net: properly release sk_frag.page
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (58 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 059/142] igb: add i211 to i210 PHY workaround Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 061/142] net: unix: properly re-increment inflight counter of GC discarded candidates Jiri Slaby
                   ` (83 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Eric Dumazet, David S . Miller

From: Eric Dumazet <edumazet@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 22a0e18eac7a9e986fec76c60fa4a2926d1291e2 ]

I mistakenly added the code to release sk->sk_frag in
sk_common_release() instead of sk_destruct()

TCP sockets using sk->sk_allocation == GFP_ATOMIC do not call
sk_common_release() at close time, thus leaking one (order-3) page.

iSCSI is using such sockets.

Fixes: 5640f7685831 ("net: use a per task frag allocator")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/core/sock.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index d765d6411a5b..046a72affe69 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1425,6 +1425,11 @@ static void __sk_free(struct sock *sk)
 		pr_debug("%s: optmem leakage (%d bytes) detected\n",
 			 __func__, atomic_read(&sk->sk_omem_alloc));
 
+	if (sk->sk_frag.page) {
+		put_page(sk->sk_frag.page);
+		sk->sk_frag.page = NULL;
+	}
+
 	if (sk->sk_peer_cred)
 		put_cred(sk->sk_peer_cred);
 	put_pid(sk->sk_peer_pid);
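Review bot: the commit message says the release belongs in sk_destruct(), but this hunk adds it to __sk_free(). If that is the 3.12 equivalent, a short [js] note saying so, like the one patch 063 in this series carries, would let a reviewer verify the backport without digging out the upstream tree.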
@@ -2660,11 +2665,6 @@ void sk_common_release(struct sock *sk)
 
 	sk_refcnt_debug_release(sk);
 
-	if (sk->sk_frag.page) {
-		put_page(sk->sk_frag.page);
-		sk->sk_frag.page = NULL;
-	}
-
 	sock_put(sk);
 }
 EXPORT_SYMBOL(sk_common_release);
-- 
2.12.2


* [PATCH 3.12 061/142] net: unix: properly re-increment inflight counter of GC discarded candidates
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (59 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 060/142] net: properly release sk_frag.page Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 062/142] qmi_wwan: add Dell DW5811e Jiri Slaby
                   ` (82 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Andrey Ulanov, David S . Miller

From: Andrey Ulanov <andreyu@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 7df9c24625b9981779afb8fcdbe2bb4765e61147 ]

Dmitry has reported that a BUG_ON() condition in unix_notinflight()
may be triggered by a simple code that forwards unix socket in an
SCM_RIGHTS message.
That is caused by incorrect unix socket GC implementation in unix_gc().

The GC first collects list of candidates, then (a) decrements their
"children's" inflight counter, (b) checks which inflight counters are
now 0, and then (c) increments all inflight counters back.
(a) and (c) are done by calling scan_children() with inc_inflight or
dec_inflight as the second argument.

Commit 6209344f5a37 ("net: unix: fix inflight counting bug in garbage
collector") changed scan_children() such that it no longer considers
sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
of code that unsets this flag _before_ invoking
scan_children(, dec_inflight, ). This may lead to incorrect inflight
counters for some sockets.

This change fixes this bug by changing order of operations:
UNIX_GC_CANDIDATE is now unset only after all inflight counters are
restored to the original state.

  kernel BUG at net/unix/garbage.c:149!
  RIP: 0010:[<ffffffff8717ebf4>]  [<ffffffff8717ebf4>]
  unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
  Call Trace:
   [<ffffffff8716cfbf>] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
   [<ffffffff8716f6a9>] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
   [<ffffffff86a90a01>] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
   [<ffffffff86a9808a>] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
   [<ffffffff86a980ea>] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
   [<ffffffff86a98284>] kfree_skb+0x184/0x570 net/core/skbuff.c:705
   [<ffffffff871789d5>] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
   [<ffffffff87179039>] unix_release+0x49/0x90 net/unix/af_unix.c:836
   [<ffffffff86a694b2>] sock_release+0x92/0x1f0 net/socket.c:570
   [<ffffffff86a6962b>] sock_close+0x1b/0x20 net/socket.c:1017
   [<ffffffff81a76b8e>] __fput+0x34e/0x910 fs/file_table.c:208
   [<ffffffff81a771da>] ____fput+0x1a/0x20 fs/file_table.c:244
   [<ffffffff81483ab0>] task_work_run+0x1a0/0x280 kernel/task_work.c:116
   [<     inline     >] exit_task_work include/linux/task_work.h:21
   [<ffffffff8141287a>] do_exit+0x183a/0x2640 kernel/exit.c:828
   [<ffffffff8141383e>] do_group_exit+0x14e/0x420 kernel/exit.c:931
   [<ffffffff814429d3>] get_signal+0x663/0x1880 kernel/signal.c:2307
   [<ffffffff81239b45>] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
   [<ffffffff8100666a>] exit_to_usermode_loop+0x1ea/0x2d0
  arch/x86/entry/common.c:156
   [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
   [<ffffffff81009693>] syscall_return_slowpath+0x4d3/0x570
  arch/x86/entry/common.c:259
   [<ffffffff881478e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6

Link: https://lkml.org/lkml/2017/3/6/252
Signed-off-by: Andrey Ulanov <andreyu@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: 6209344 ("net: unix: fix inflight counting bug in garbage collector")
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/unix/garbage.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index a72182d6750f..58ba0e5f147b 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -152,6 +152,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp)
 	if (s) {
 		struct unix_sock *u = unix_sk(s);
 
+		BUG_ON(!atomic_long_read(&u->inflight));
 		BUG_ON(list_empty(&u->link));
 		if (atomic_long_dec_and_test(&u->inflight))
 			list_del_init(&u->link);
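Review bot: the added BUG_ON(!atomic_long_read(&u->inflight)) turns an inflight underflow into a kernel panic, on a path the commit message says simple SCM_RIGHTS forwarding code could reach before this fix. For a stable kernel, a WARN_ON_ONCE() with an early return would flag the same accounting error without letting a local process take the machine down should another counting bug remain.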
@@ -358,6 +359,14 @@ void unix_gc(void)
 	}
 	list_del(&cursor);
 
+	/* Now gc_candidates contains only garbage.  Restore original
+	 * inflight counters for these as well, and remove the skbuffs
+	 * which are creating the cycle(s).
+	 */
+	skb_queue_head_init(&hitlist);
+	list_for_each_entry(u, &gc_candidates, link)
+		scan_children(&u->sk, inc_inflight, &hitlist);
+
 	/*
 	 * not_cycle_list contains those sockets which do not make up a
 	 * cycle.  Restore these to the inflight list.
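Review bot: the moved block's comment describes what it restores but not why it has to run at this point, which is the whole point of the fix. Add a sentence saying that scan_children() skips sockets without UNIX_GC_CANDIDATE, so the counters must be restored before that flag is unset. The opening "/* Now gc_candidates" also departs from the style of the comment that follows it, where "/*" sits on its own line.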
@@ -368,15 +377,6 @@ void unix_gc(void)
 		list_move_tail(&u->link, &gc_inflight_list);
 	}
 
-	/*
-	 * Now gc_candidates contains only garbage.  Restore original
-	 * inflight counters for these as well, and remove the skbuffs
-	 * which are creating the cycle(s).
-	 */
-	skb_queue_head_init(&hitlist);
-	list_for_each_entry(u, &gc_candidates, link)
-	scan_children(&u->sk, inc_inflight, &hitlist);
-
 	spin_unlock(&unix_gc_lock);
 
 	/* Here we are. Hitlist is filled. Die. */
-- 
2.12.2


* [PATCH 3.12 062/142] qmi_wwan: add Dell DW5811e
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (60 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 061/142] net: unix: properly re-increment inflight counter of GC discarded candidates Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 063/142] net/mlx5: Increase number of max QPs in default profile Jiri Slaby
                   ` (81 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Bjørn Mork, David S . Miller

From: Bjørn Mork <bjorn@mork.no>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 6bd845d1cf98b45c634baacb8381436dad3c2dd0 ]

This is a Dell branded Sierra Wireless EM7455. It is operating in
MBIM mode by default, but can be configured to provide two QMI/RMNET
functions.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/net/usb/qmi_wwan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 40eabbb4bcd7..811b9cdb1824 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -829,6 +829,8 @@ static const struct usb_device_id products[] = {
 	{QMI_FIXED_INTF(0x413c, 0x81a9, 8)},	/* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
 	{QMI_FIXED_INTF(0x413c, 0x81b1, 8)},	/* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
 	{QMI_FIXED_INTF(0x413c, 0x81b3, 8)},	/* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+	{QMI_FIXED_INTF(0x413c, 0x81b6, 8)},	/* Dell Wireless 5811e */
+	{QMI_FIXED_INTF(0x413c, 0x81b6, 10)},	/* Dell Wireless 5811e */
 	{QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)},	/* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
 	{QMI_FIXED_INTF(0x22de, 0x9061, 3)},	/* WeTelecom WPD-600N */
 	{QMI_FIXED_INTF(0x1e0e, 0x9001, 5)},	/* SIMCom 7230E */
-- 
2.12.2


* [PATCH 3.12 063/142] net/mlx5: Increase number of max QPs in default profile
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (61 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 062/142] qmi_wwan: add Dell DW5811e Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 064/142] ipv4: provide stronger user input validation in nl_fib_input() Jiri Slaby
                   ` (80 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Maor Gottlieb, Saeed Mahameed, David S . Miller

From: Maor Gottlieb <maorg@mellanox.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 5f40b4ed975c26016cf41953b7510fe90718e21c ]

With ConnectX-4 sharing SRQs from the same space as QPs, we hit a
limit preventing some applications from allocating the needed number of QPs.
Double the size to 256K.

[js] this is in another file in 3.12

Fixes: e126ba97dba9e ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/infiniband/hw/mlx5/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
index 1300a377aca8..94f1408b391c 100644
--- a/drivers/infiniband/hw/mlx5/main.c
+++ b/drivers/infiniband/hw/mlx5/main.c
@@ -73,7 +73,7 @@ static struct mlx5_profile profile[] = {
 	[2] = {
 		.mask		= MLX5_PROF_MASK_QP_SIZE |
 				  MLX5_PROF_MASK_MR_CACHE,
-		.log_max_qp	= 17,
+		.log_max_qp	= 18,
 		.mr_cache[0]	= {
 			.size	= 500,
 			.limit	= 250
-- 
2.12.2


* [PATCH 3.12 064/142] ipv4: provide stronger user input validation in nl_fib_input()
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (62 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 063/142] net/mlx5: Increase number of max QPs in default profile Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 065/142] tcp: initialize icsk_ack.lrcvtime at session start time Jiri Slaby
                   ` (79 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Eric Dumazet, David S . Miller

From: Eric Dumazet <edumazet@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit c64c0b3cac4c5b8cb093727d2c19743ea3965c0b ]

Alexander reported a KMSAN splat caused by reads of uninitialized
field (tb_id_in) from user provided struct fib_result_nl

It turns out nl_fib_input() sanity tests on user input are a bit
wrong:

User can pretend nlh->nlmsg_len is big enough, but provide
at sendmsg() time a too small buffer.

Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ipv4/fib_frontend.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 3d3966bf3df6..4a30de61bec1 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -965,7 +965,8 @@ static void nl_fib_input(struct sk_buff *skb)
 
 	net = sock_net(skb->sk);
 	nlh = nlmsg_hdr(skb);
-	if (skb->len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len ||
+	if (skb->len < nlmsg_total_size(sizeof(*frn)) ||
+	    skb->len < nlh->nlmsg_len ||
 	    nlmsg_len(nlh) < sizeof(*frn))
 		return;
 
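Review bot: the added skb->len < nlmsg_total_size(sizeof(*frn)) test is the only one of the three that bounds the real buffer against a fixed size; the other two depend on nlh->nlmsg_len, which the sender controls. A one-line comment saying so would keep a later cleanup from dropping it as redundant with nlmsg_len(nlh) < sizeof(*frn).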
-- 
2.12.2


* [PATCH 3.12 065/142] tcp: initialize icsk_ack.lrcvtime at session start time
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (63 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 064/142] ipv4: provide stronger user input validation in nl_fib_input() Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 066/142] libceph: don't set weight to IN when OSD is destroyed Jiri Slaby
                   ` (78 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Eric Dumazet, David S . Miller

From: Eric Dumazet <edumazet@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 15bb7745e94a665caf42bfaabf0ce062845b533b ]

icsk_ack.lrcvtime has a 0 value at socket creation time.

tcpi_last_data_recv can have bogus value if no payload is ever received.

This patch initializes icsk_ack.lrcvtime for active sessions
in tcp_finish_connect(), and for passive sessions in
tcp_create_openreq_child()

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ipv4/tcp_input.c     | 2 +-
 net/ipv4/tcp_minisocks.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 9eef76176704..7789595a1009 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5292,6 +5292,7 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb)
 	struct inet_connection_sock *icsk = inet_csk(sk);
 
 	tcp_set_state(sk, TCP_ESTABLISHED);
+	icsk->icsk_ack.lrcvtime = tcp_time_stamp;
 
 	if (skb != NULL) {
 		icsk->icsk_af_ops->sk_rx_dst_set(sk, skb);
@@ -5492,7 +5493,6 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
 			 * to stand against the temptation 8)     --ANK
 			 */
 			inet_csk_schedule_ack(sk);
-			icsk->icsk_ack.lrcvtime = tcp_time_stamp;
 			tcp_enter_quickack_mode(sk);
 			inet_csk_reset_xmit_timer(sk, ICSK_TIME_DACK,
 						  TCP_DELACK_MAX, TCP_RTO_MAX);
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 58a3e69aef64..34fe583eeef3 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -403,6 +403,7 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req,
 		newtp->srtt = 0;
 		newtp->mdev = TCP_TIMEOUT_INIT;
 		newicsk->icsk_rto = TCP_TIMEOUT_INIT;
+		newicsk->icsk_ack.lrcvtime = tcp_time_stamp;
 
 		newtp->packets_out = 0;
 		newtp->retrans_out = 0;
-- 
2.12.2


* [PATCH 3.12 066/142] libceph: don't set weight to IN when OSD is destroyed
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (64 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 065/142] tcp: initialize icsk_ack.lrcvtime at session start time Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 067/142] USB: qcserial: Add support for Dell Wireless 5809e 4G Modem Jiri Slaby
                   ` (77 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Ilya Dryomov, Jiri Slaby

From: Ilya Dryomov <idryomov@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b581a5854eee4b7851dedb0f8c2ceb54fb902c06 upstream.

Since ceph.git commit 4e28f9e63644 ("osd/OSDMap: clear osd_info,
osd_xinfo on osd deletion"), weight is set to IN when OSD is deleted.
This changes the result of applying an incremental for clients, not
just OSDs.  Because CRUSH computations are obviously affected,
pre-4e28f9e63644 servers disagree with post-4e28f9e63644 clients on
object placement, resulting in misdirected requests.

Mirrors ceph.git commit a6009d1039a55e2c77f431662b3d6cc5a8e8e63f.

Fixes: 930c53286977 ("libceph: apply new_state before new_up_client on incrementals")
Link: http://tracker.ceph.com/issues/19122
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/ceph/osdmap.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index c1de8d404c47..26e2235356c5 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -870,7 +870,6 @@ static int decode_new_up_state_weight(void **p, void *end,
 		if ((map->osd_state[osd] & CEPH_OSD_EXISTS) &&
 		    (xorstate & CEPH_OSD_EXISTS)) {
 			pr_info("osd%d does not exist\n", osd);
-			map->osd_weight[osd] = CEPH_OSD_IN;
 			memset(map->osd_addr + osd, 0, sizeof(*map->osd_addr));
 			map->osd_state[osd] = 0;
 		} else {
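Review bot: with the osd_weight assignment removed, this branch clears osd_addr and osd_state for a destroyed OSD but leaves osd_weight[osd] at whatever it was. That asymmetry is deliberate per the commit message, so a short comment in the branch saying the weight must not be touched here would stop someone from completing the reset and reintroducing the placement mismatch.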
-- 
2.12.2


* [PATCH 3.12 067/142] USB: qcserial: Add support for Dell Wireless 5809e 4G Modem
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (65 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 066/142] libceph: don't set weight to IN when OSD is destroyed Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 068/142] USB: qcserial: add HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module Jiri Slaby
                   ` (76 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Pieter Hollants, Johan Hovold, Jiri Slaby

From: Pieter Hollants <pieter@hollants.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6da3700c98cdc8360f55c5510915efae1d66deea upstream.

Added the USB IDs 0x413c:0x81b1 for the "Dell Wireless 5809e Gobi(TM) 4G
LTE Mobile Broadband Card", a Dell-branded Sierra Wireless EM7305 LTE
card in M.2 form factor, used e.g. in Dell's Latitude E7540 Notebook
series.

"lsusb -v" output for this device:

Bus 002 Device 003: ID 413c:81b1 Dell Computer Corp.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x413c Dell Computer Corp.
  idProduct          0x81b1
  bcdDevice            0.06
  iManufacturer           1 Sierra Wireless, Incorporated
  iProduct                2 Dell Wireless 5809e Gobi™ 4G LTE Mobile Broadband Card
  iSerial                 3
  bNumConfigurations      2
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength          204
    bNumInterfaces          4
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      ** UNRECOGNIZED:  05 24 00 10 01
      ** UNRECOGNIZED:  05 24 01 00 00
      ** UNRECOGNIZED:  04 24 02 02
      ** UNRECOGNIZED:  05 24 06 00 00
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x000c  1x 12 bytes
        bInterval               9
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        3
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      ** UNRECOGNIZED:  05 24 00 10 01
      ** UNRECOGNIZED:  05 24 01 00 00
      ** UNRECOGNIZED:  04 24 02 02
      ** UNRECOGNIZED:  05 24 06 00 00
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x85  EP 5 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x000c  1x 12 bytes
        bInterval               9
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x84  EP 4 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x03  EP 3 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        8
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x87  EP 7 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x000a  1x 10 bytes
        bInterval               9
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x86  EP 6 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
        ** UNRECOGNIZED:  2c ff 42 49 53 54 00 01 07 f5 40 f6 00 00 00 00 01 f7 c4 09 02 f8 c4 09 03 f9 88 13 04 fa 10 27 05 fb 10 27 06 fc c4 09 07 fd c4 09
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           95
    bNumInterfaces          2
    bConfigurationValue     2
    iConfiguration          0
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower              500mA
    Interface Association:
      bLength                 8
      bDescriptorType        11
      bFirstInterface        12
      bInterfaceCount         2
      bFunctionClass          2 Communications
      bFunctionSubClass      14
      bFunctionProtocol       0
      iFunction               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber       12
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         2 Communications
      bInterfaceSubClass     14
      bInterfaceProtocol      0
      iInterface              0
      CDC Header:
        bcdCDC               1.10
      CDC Union:
        bMasterInterface        12
        bSlaveInterface         13
      CDC MBIM:
        bcdMBIMVersion       1.00
        wMaxControlMessage   4096
        bNumberFilters       32
        bMaxFilterSize       128
        wMaxSegmentSize      1500
        bmNetworkCapabilities 0x20
          8-byte ntb input size
      CDC MBIM Extended:
        bcdMBIMExtendedVersion           1.00
        bMaxOutstandingCommandMessages     64
        wMTU                             1500
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               9
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber       13
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0
      bInterfaceProtocol      2
      iInterface              0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber       13
      bAlternateSetting       1
      bNumEndpoints           2
      bInterfaceClass        10 CDC Data
      bInterfaceSubClass      0
      bInterfaceProtocol      2
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  bNumConfigurations      2
Device Status:     0x0000
  (Bus Powered)

Signed-off-by: Pieter Hollants <pieter@hollants.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/qcserial.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
index d2e8eee46ef7..d328bb1d7d55 100644
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -157,6 +157,7 @@ static const struct usb_device_id id_table[] = {
 	{DEVICE_SWI(0x413c, 0x81a4)},	/* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
 	{DEVICE_SWI(0x413c, 0x81a8)},	/* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */
 	{DEVICE_SWI(0x413c, 0x81a9)},	/* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
+	{DEVICE_SWI(0x413c, 0x81b1)},	/* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
 
 	{ }				/* Terminating entry */
 };
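Review bot: The 0x81b1 entry is added with DEVICE_SWI, but neither its comment nor the changelog says which of the two configurations in the lsusb dump the driver is expected to bind in. Configuration 1 carries the vendor-specific interfaces (0, 2, 3 and 8), while configuration 2 exposes only the MBIM function on interfaces 12 and 13. One sentence in the changelog stating that the entry applies to configuration 1 would help whoever has to debug a card that enumerates in MBIM mode.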
-- 
2.12.2


* [PATCH 3.12 068/142] USB: qcserial: add HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (66 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 067/142] USB: qcserial: Add support for Dell Wireless 5809e 4G Modem Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 069/142] USB: qcserial: add Sierra Wireless MC74xx/EM74xx Jiri Slaby
                   ` (75 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, David Ward, Johan Hovold, Greg Kroah-Hartman, Jiri Slaby

From: David Ward <david.ward@ll.mit.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 44840dec6127e4d7c5074f75d2dd96bc4ab85fe3 upstream.

This is an HP-branded Sierra Wireless EM7355:
https://bugzilla.redhat.com/show_bug.cgi?id=1223646#c2

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/qcserial.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
index d328bb1d7d55..7fea50498c00 100644
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -137,6 +137,7 @@ static const struct usb_device_id id_table[] = {
 	{USB_DEVICE(0x0AF0, 0x8120)},	/* Option GTM681W */
 
 	/* non-Gobi Sierra Wireless devices */
+	{DEVICE_SWI(0x03f0, 0x4e1d)},	/* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
 	{DEVICE_SWI(0x0f3d, 0x68a2)},	/* Sierra Wireless MC7700 */
 	{DEVICE_SWI(0x114f, 0x68a2)},	/* Sierra Wireless MC7750 */
 	{DEVICE_SWI(0x1199, 0x68a2)},	/* Sierra Wireless MC7710 */
-- 
2.12.2


* [PATCH 3.12 069/142] USB: qcserial: add Sierra Wireless MC74xx/EM74xx
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (67 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 068/142] USB: qcserial: add HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 070/142] USB: qcserial: Add support for Quectel EC20 Mini PCIe module Jiri Slaby
                   ` (74 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Bjørn Mork, Greg Kroah-Hartman, Jiri Slaby

From: Bjørn Mork <bjorn@mork.no>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f504ab1888026d15b5be8f9c262bf4ae9cacd177 upstream.

New device IDs shamelessly lifted from the vendor driver.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/qcserial.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
index 7fea50498c00..9792bfa17f74 100644
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -153,6 +153,8 @@ static const struct usb_device_id id_table[] = {
 	{DEVICE_SWI(0x1199, 0x9056)},	/* Sierra Wireless Modem */
 	{DEVICE_SWI(0x1199, 0x9060)},	/* Sierra Wireless Modem */
 	{DEVICE_SWI(0x1199, 0x9061)},	/* Sierra Wireless Modem */
+	{DEVICE_SWI(0x1199, 0x9070)},	/* Sierra Wireless MC74xx/EM74xx */
+	{DEVICE_SWI(0x1199, 0x9071)},	/* Sierra Wireless MC74xx/EM74xx */
 	{DEVICE_SWI(0x413c, 0x81a2)},	/* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
 	{DEVICE_SWI(0x413c, 0x81a3)},	/* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
 	{DEVICE_SWI(0x413c, 0x81a4)},	/* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
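Review bot: The 0x9070 and 0x9071 entries carry the identical comment "Sierra Wireless MC74xx/EM74xx", so the table does not say what distinguishes the two product IDs. The changelog only states that the IDs were taken from the vendor driver; if that driver indicates what each ID stands for (a different mode or a different module variant), putting it in the comments would make the entries verifiable against real hardware.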
-- 
2.12.2


* [PATCH 3.12 070/142] USB: qcserial: Add support for Quectel EC20 Mini PCIe module
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (68 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 069/142] USB: qcserial: add Sierra Wireless MC74xx/EM74xx Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 071/142] USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3) Jiri Slaby
                   ` (73 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Petr Štetiar, Johan Hovold, Jiri Slaby

From: Petr Štetiar <ynezz@true.cz>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 9d5b5ed796d7afd7e8d2ac4b4fb77c6a49463f4b upstream.

It seems like this device has the same vendor and product IDs as G2K
devices, but it has a different number of interfaces (4 vs 5) and also
a different interface layout, which makes it currently unusable:

	usbcore: registered new interface driver qcserial
	usbserial: USB Serial support registered for Qualcomm USB modem
	usb 2-1.2: unknown number of interfaces: 5

lsusb output:

	Bus 002 Device 003: ID 05c6:9215 Qualcomm, Inc. Acer Gobi 2000 Wireless
	Device Descriptor:
	  bLength                18
	  bDescriptorType         1
	  bcdUSB               2.00
	  bDeviceClass            0 (Defined at Interface level)
	  bDeviceSubClass         0
	  bDeviceProtocol         0
	  bMaxPacketSize0        64
	  idVendor           0x05c6 Qualcomm, Inc.
	  idProduct          0x9215 Acer Gobi 2000 Wireless Modem
	  bcdDevice            2.32
	  iManufacturer           1 Quectel
	  iProduct                2 Quectel LTE Module
	  iSerial                 0
	  bNumConfigurations      1
	  Configuration Descriptor:
	    bLength                 9
	    bDescriptorType         2
	    wTotalLength          209
	    bNumInterfaces          5
	    bConfigurationValue     1
	    iConfiguration          0
	    bmAttributes         0xa0
	      (Bus Powered)
	      Remote Wakeup
	    MaxPower              500mA

Signed-off-by: Petr Štetiar <ynezz@true.cz>
[johan: rename define and add comment ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/qcserial.c | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
index 9792bfa17f74..2c9a44523991 100644
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -22,6 +22,8 @@
 #define DRIVER_AUTHOR "Qualcomm Inc"
 #define DRIVER_DESC "Qualcomm USB Serial driver"
 
+#define QUECTEL_EC20_PID	0x9215
+
 /* standard device layouts supported by this driver */
 enum qcserial_layouts {
 	QCSERIAL_G2K = 0,	/* Gobi 2000 */
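Review bot: QUECTEL_EC20_PID is defined without a comment, although the changelog says 0x9215 is shared with G2K devices, so the name suggests the value identifies the EC20 when on its own it does not. A short comment at the define, stating that the PID is shared with Gobi 2000 devices and that the EC20 is told apart by its interface count, would carry that fact from the changelog into the source.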
@@ -166,6 +168,38 @@ static const struct usb_device_id id_table[] = {
 };
 MODULE_DEVICE_TABLE(usb, id_table);
 
+static int handle_quectel_ec20(struct device *dev, int ifnum)
+{
+	int altsetting = 0;
+
+	/*
+	 * Quectel EC20 Mini PCIe LTE module layout:
+	 * 0: DM/DIAG (use libqcdm from ModemManager for communication)
+	 * 1: NMEA
+	 * 2: AT-capable modem port
+	 * 3: Modem interface
+	 * 4: NDIS
+	 */
+	switch (ifnum) {
+	case 0:
+		dev_dbg(dev, "Quectel EC20 DM/DIAG interface found\n");
+		break;
+	case 1:
+		dev_dbg(dev, "Quectel EC20 NMEA GPS interface found\n");
+		break;
+	case 2:
+	case 3:
+		dev_dbg(dev, "Quectel EC20 Modem port found\n");
+		break;
+	case 4:
+		/* Don't claim the QMI/net interface */
+		altsetting = -1;
+		break;
+	}
+
+	return altsetting;
+}
+
 static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id)
 {
 	struct usb_host_interface *intf = serial->interface->cur_altsetting;
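Review bot: The switch in handle_quectel_ec20() has no default case, so any ifnum outside 0 to 4 returns with altsetting still 0. If 0 means "claim the interface", as the -1 used for "don't claim" in case 4 implies, an unexpected interface number on a device with this PID and five interfaces ends up bound as a serial port. Adding "default: altsetting = -1; break;" would make the function claim only the interfaces the layout comment lists. The wording could also be aligned: the layout comment calls interface 4 "NDIS" while the case 4 comment calls it "the QMI/net interface".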
@@ -241,6 +275,12 @@ static int qcprobe(struct usb_serial *serial, const struct usb_device_id *id)
 			altsetting = -1;
 		break;
 	case QCSERIAL_G2K:
+		/* handle non-standard layouts */
+		if (nintf == 5 && id->idProduct == QUECTEL_EC20_PID) {
+			altsetting = handle_quectel_ec20(dev, ifnum);
+			goto done;
+		}
+
 		/*
 		 * Gobi 2K+ USB layout:
 		 * 0: QMI/net
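Review bot: The special case in the QCSERIAL_G2K branch keys on nintf == 5 and id->idProduct only, without looking at id->idVendor. The lsusb output in the changelog shows the EC20 as 05c6:9215; if id_table holds a G2K entry with product ID 0x9215 under another vendor ID, a five-interface device matching that entry would also be routed to handle_quectel_ec20(). Comparing id->idVendor as well, or a comment stating that only one table entry uses this PID, would close that gap.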
-- 
2.12.2


* [PATCH 3.12 071/142] USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3)
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (69 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 070/142] USB: qcserial: Add support for Quectel EC20 Mini PCIe module Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 072/142] USB: qcserial: add Sierra Wireless EM74xx device ID Jiri Slaby
                   ` (72 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Patrik Halfar, Johan Hovold, Jiri Slaby

From: Patrik Halfar <patrik_halfar@halfarit.cz>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 013dd239d6220a4e0dfdf0d45a82c34f1fd73deb upstream.

New revision of Dell Wireless 5809e Gobi 4G HSPA+ Mobile Broadband Card
has new idProduct.

Bus 002 Device 006: ID 413c:81b3 Dell Computer Corp.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x413c Dell Computer Corp.
  idProduct          0x81b3
  bcdDevice            0.06
  iManufacturer           1 Sierra Wireless, Incorporated
  iProduct                2 Dell Wireless 5809e Gobi™ 4G HSPA+ Mobile Broadband Card
  iSerial                 3
  bNumConfigurations      2

Signed-off-by: Patrik Halfar <patrik_halfar@halfarit.cz>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/qcserial.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
index 2c9a44523991..68ec0b1bdc18 100644
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -163,6 +163,7 @@ static const struct usb_device_id id_table[] = {
 	{DEVICE_SWI(0x413c, 0x81a8)},	/* Dell Wireless 5808 Gobi(TM) 4G LTE Mobile Broadband Card */
 	{DEVICE_SWI(0x413c, 0x81a9)},	/* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
 	{DEVICE_SWI(0x413c, 0x81b1)},	/* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
+	{DEVICE_SWI(0x413c, 0x81b3)},	/* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
 
 	{ }				/* Terminating entry */
 };
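Review bot: The comment on the new 0x81b3 entry says "4G LTE Mobile Broadband Card (rev3)", but the subject line, the changelog text and the iProduct string in the descriptor dump all say "4G HSPA+". It looks copied from the 0x81b1 line above; the comment should read "Dell Wireless 5809e Gobi(TM) 4G HSPA+ Mobile Broadband Card (rev3)" so the table matches what the device reports.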
-- 
2.12.2


* [PATCH 3.12 072/142] USB: qcserial: add Sierra Wireless EM74xx device ID
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (70 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 071/142] USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3) Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 073/142] Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000 Jiri Slaby
                   ` (71 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Bjørn Mork, Johan Hovold, Jiri Slaby

From: Bjørn Mork <bjorn@mork.no>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 04fdbc825ffc02fb098964b92de802fff44e73fd upstream.

The MC74xx and EM74xx modules use different IDs by default, according
to the Lenovo EM7455 driver for Windows.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/qcserial.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
index 68ec0b1bdc18..25f97da78989 100644
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -155,8 +155,10 @@ static const struct usb_device_id id_table[] = {
 	{DEVICE_SWI(0x1199, 0x9056)},	/* Sierra Wireless Modem */
 	{DEVICE_SWI(0x1199, 0x9060)},	/* Sierra Wireless Modem */
 	{DEVICE_SWI(0x1199, 0x9061)},	/* Sierra Wireless Modem */
-	{DEVICE_SWI(0x1199, 0x9070)},	/* Sierra Wireless MC74xx/EM74xx */
-	{DEVICE_SWI(0x1199, 0x9071)},	/* Sierra Wireless MC74xx/EM74xx */
+	{DEVICE_SWI(0x1199, 0x9070)},	/* Sierra Wireless MC74xx */
+	{DEVICE_SWI(0x1199, 0x9071)},	/* Sierra Wireless MC74xx */
+	{DEVICE_SWI(0x1199, 0x9078)},	/* Sierra Wireless EM74xx */
+	{DEVICE_SWI(0x1199, 0x9079)},	/* Sierra Wireless EM74xx */
 	{DEVICE_SWI(0x413c, 0x81a2)},	/* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
 	{DEVICE_SWI(0x413c, 0x81a3)},	/* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
 	{DEVICE_SWI(0x413c, 0x81a4)},	/* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
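Review bot: Relabelling 0x9070 and 0x9071 as "MC74xx" only is stronger than what the changelog supports, which says the MC74xx and EM74xx modules use different IDs "by default". If the IDs can differ from the default on a given module, a comment such as "Sierra Wireless MC74xx (default)" would be more accurate. The two IDs within each pair also still share one comment, so the table does not say what separates 0x9070 from 0x9071 or 0x9078 from 0x9079.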
-- 
2.12.2


* [PATCH 3.12 073/142] Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (71 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 072/142] USB: qcserial: add Sierra Wireless EM74xx device ID Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 074/142] Input: iforce - validate number of endpoints before using them Jiri Slaby
                   ` (70 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Kai-Heng Feng, Dmitry Torokhov, Jiri Slaby

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream.

The aux port does not get detected without the noloop quirk, so an external
PS/2 mouse cannot work as a result.

The PS/2 mouse can work with this quirk.

BugLink: https://bugs.launchpad.net/bugs/1591053
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
index 3f3c517f2039..9a2d2159bf0c 100644
--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -120,6 +120,13 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = {
 		},
 	},
 	{
+		/* Dell Embedded Box PC 3000 */
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+			DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"),
+		},
+	},
+	{
 		/* OQO Model 01 */
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "OQO"),
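Review bot: The new entry matches the product with DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"), which is a substring match, so the noloop quirk would also apply to any Dell system whose product name merely contains that string. If only this exact model was tested, DMI_EXACT_MATCH would limit the quirk to it; otherwise a note in the changelog that the wider match is intended would help. The changelog also does not record the BIOS version on which the aux port went undetected.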
-- 
2.12.2


* [PATCH 3.12 074/142] Input: iforce - validate number of endpoints before using them
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (72 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 073/142] Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000 Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 075/142] Input: ims-pcu " Jiri Slaby
                   ` (69 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Dmitry Torokhov, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 59cf8bed44a79ec42303151dd014fdb6434254bb upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory that lies beyond the end of the endpoint
array should a malicious device lack the expected endpoints.

Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/joystick/iforce/iforce-usb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/input/joystick/iforce/iforce-usb.c b/drivers/input/joystick/iforce/iforce-usb.c
index d96aa27dfcdc..db64adfbe1af 100644
--- a/drivers/input/joystick/iforce/iforce-usb.c
+++ b/drivers/input/joystick/iforce/iforce-usb.c
@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_interface *intf,
 
 	interface = intf->cur_altsetting;
 
+	if (interface->desc.bNumEndpoints < 2)
+		return -ENODEV;
+
 	epirq = &interface->endpoint[0].desc;
 	epout = &interface->endpoint[1].desc;
 
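Review bot: The bNumEndpoints < 2 check in iforce_usb_probe() validates only the count, while the two lines after it assume endpoint[0] is the interrupt IN endpoint (epirq) and endpoint[1] the OUT endpoint (epout). A device that presents two endpoints of other types or directions passes the check and is still used as if the layout were correct. Testing usb_endpoint_is_int_in(epirq) and usb_endpoint_is_int_out(epout) right after the assignments, returning -ENODEV on mismatch, would cover that case as well.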
-- 
2.12.2


* [PATCH 3.12 075/142] Input: ims-pcu - validate number of endpoints before using them
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (73 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 074/142] Input: iforce - validate number of endpoints before using them Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 076/142] Input: hanwang " Jiri Slaby
                   ` (68 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Dmitry Torokhov, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack control-interface endpoints.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/misc/ims-pcu.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index 77164dc1bedd..8fb814ccfd7a 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1437,6 +1437,10 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
 		return -EINVAL;
 
 	alt = pcu->ctrl_intf->cur_altsetting;
+
+	if (alt->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	pcu->ep_ctrl = &alt->endpoint[0].desc;
 	pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl);
 
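Review bot: After the new bNumEndpoints check, pcu->max_ctrl_size is still taken straight from usb_endpoint_maxp(pcu->ep_ctrl), a value the device supplies, and nothing in ims_pcu_parse_cdc_data() rejects zero. If later code sizes or indexes the control buffer from max_ctrl_size, a lower-bound check belongs next to this one. Separately, the new check returns -ENODEV while the check directly above it returns -EINVAL; using one error code for malformed descriptors in this function would be more consistent.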
-- 
2.12.2


* [PATCH 3.12 076/142] Input: hanwang - validate number of endpoints before using them
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (74 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 075/142] Input: ims-pcu " Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 077/142] Input: yealink " Jiri Slaby
                   ` (67 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Dmitry Torokhov, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ba340d7b83703768ce566f53f857543359aa1b98 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/tablet/hanwang.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/input/tablet/hanwang.c b/drivers/input/tablet/hanwang.c
index 5cc04124995c..263c85e72e14 100644
--- a/drivers/input/tablet/hanwang.c
+++ b/drivers/input/tablet/hanwang.c
@@ -341,6 +341,9 @@ static int hanwang_probe(struct usb_interface *intf, const struct usb_device_id
 	int error;
 	int i;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	hanwang = kzalloc(sizeof(struct hanwang), GFP_KERNEL);
 	input_dev = input_allocate_device();
 	if (!hanwang || !input_dev) {
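
Review bot: the bNumEndpoints check at the top of hanwang_probe() sits away from the endpoint access it protects, which is not in this hunk, and carries no comment. A one-line comment naming the access it guards, or moving the check next to that access, would keep a later cleanup from dropping it as dead code. Placing it before the kzalloc()/input_allocate_device() pair is right, since the bare return then needs no cleanup.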
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 077/142] Input: yealink - validate number of endpoints before using them
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (75 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 076/142] Input: hanwang " Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 078/142] Input: cm109 " Jiri Slaby
                   ` (66 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Dmitry Torokhov, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: aca951a22a1d ("[PATCH] input-driver-yealink-P1K-usb-phone")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/misc/yealink.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/input/misc/yealink.c b/drivers/input/misc/yealink.c
index 285a5bd6cbc9..3b6fdb389a2d 100644
--- a/drivers/input/misc/yealink.c
+++ b/drivers/input/misc/yealink.c
@@ -876,6 +876,10 @@ static int usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 	int ret, pipe, i;
 
 	interface = intf->cur_altsetting;
+
+	if (interface->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	endpoint = &interface->endpoint[0].desc;
 	if (!usb_endpoint_is_int_in(endpoint))
 		return -ENODEV;
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 078/142] Input: cm109 - validate number of endpoints before using them
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (76 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 077/142] Input: yealink " Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 079/142] Input: kbtab " Jiri Slaby
                   ` (65 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Dmitry Torokhov, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ac2ee9ba953afe88f7a673e1c0c839227b1d7891 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109...")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/misc/cm109.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/input/misc/cm109.c b/drivers/input/misc/cm109.c
index 9365535ba7f1..50a7faa504f7 100644
--- a/drivers/input/misc/cm109.c
+++ b/drivers/input/misc/cm109.c
@@ -675,6 +675,10 @@ static int cm109_usb_probe(struct usb_interface *intf,
 	int error = -ENOMEM;
 
 	interface = intf->cur_altsetting;
+
+	if (interface->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	endpoint = &interface->endpoint[0].desc;
 
 	if (!usb_endpoint_is_int_in(endpoint))
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 079/142] Input: kbtab - validate number of endpoints before using them
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (77 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 078/142] Input: cm109 " Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 080/142] ALSA: seq: Fix racy cell insertions during snd_seq_pool_done() Jiri Slaby
                   ` (64 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Dmitry Torokhov, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit cb1b494663e037253337623bf1ef2df727883cb7 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/tablet/kbtab.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/input/tablet/kbtab.c b/drivers/input/tablet/kbtab.c
index 3fba74b9b602..f0d532684afd 100644
--- a/drivers/input/tablet/kbtab.c
+++ b/drivers/input/tablet/kbtab.c
@@ -123,6 +123,9 @@ static int kbtab_probe(struct usb_interface *intf, const struct usb_device_id *i
 	struct input_dev *input_dev;
 	int error = -ENOMEM;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	kbtab = kzalloc(sizeof(struct kbtab), GFP_KERNEL);
 	input_dev = input_allocate_device();
 	if (!kbtab || !input_dev)
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 080/142] ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (78 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 079/142] Input: kbtab " Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 081/142] USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems Jiri Slaby
                   ` (63 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Takashi Iwai, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e upstream.

When snd_seq_pool_done() is called, it marks the closing flag to
refuse the further cell insertions.  But snd_seq_pool_done() itself
doesn't clear the cells but just waits until all cells are cleared by
the caller side.  That is, it's racy, and this leads to the endless
stall as syzkaller spotted.

This patch addresses the race by splitting the setup of pool->closing
flag out of snd_seq_pool_done(), and calling it properly before
snd_seq_pool_done().

BugLink: http://lkml.kernel.org/r/CACT4Y+aqqy8bZA1fFieifNxR2fAfFQQABcBHj801+u5ePV0URw@mail.gmail.com
Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 sound/core/seq/seq_clientmgr.c |  1 +
 sound/core/seq/seq_fifo.c      |  3 +++
 sound/core/seq/seq_memory.c    | 17 +++++++++++++----
 sound/core/seq/seq_memory.h    |  1 +
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
index 08865dcbf5f1..d449dde1bf50 100644
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1909,6 +1909,7 @@ static int snd_seq_ioctl_set_client_pool(struct snd_seq_client *client,
 	     info.output_pool != client->pool->size)) {
 		if (snd_seq_write_pool_allocated(client)) {
 			/* remove all existing cells */
+			snd_seq_pool_mark_closing(client->pool);
 			snd_seq_queue_client_leave_cells(client->number);
 			snd_seq_pool_done(client->pool);
 		}
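
Review bot: the three calls in snd_seq_ioctl_set_client_pool() now have to run in exactly this order (mark closing, drain the cells, then snd_seq_pool_done()), but the only comment is still `/* remove all existing cells */`. Extend it to say that the pool must be marked closing first so that no new cells arrive while the old ones are drained; without that the ordering looks arbitrary and is easy to reshuffle.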
diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c
index 118481839d46..fc2c55b18f49 100644
--- a/sound/core/seq/seq_fifo.c
+++ b/sound/core/seq/seq_fifo.c
@@ -72,6 +72,9 @@ void snd_seq_fifo_delete(struct snd_seq_fifo **fifo)
 		return;
 	*fifo = NULL;
 
+	if (f->pool)
+		snd_seq_pool_mark_closing(f->pool);
+
 	snd_seq_fifo_clear(f);
 
 	/* wake up clients if any */
diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
index 7204c0f1700b..4603bcae5e40 100644
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -414,6 +414,18 @@ int snd_seq_pool_init(struct snd_seq_pool *pool)
 	return 0;
 }
 
+/* refuse the further insertion to the pool */
+void snd_seq_pool_mark_closing(struct snd_seq_pool *pool)
+{
+	unsigned long flags;
+
+	if (snd_BUG_ON(!pool))
+		return;
+	spin_lock_irqsave(&pool->lock, flags);
+	pool->closing = 1;
+	spin_unlock_irqrestore(&pool->lock, flags);
+}
+
 /* remove events */
 int snd_seq_pool_done(struct snd_seq_pool *pool)
 {
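
Review bot: snd_seq_pool_mark_closing() becomes a precondition of snd_seq_pool_done(), yet nothing states or enforces that; the comment on the new function says only `/* refuse the further insertion to the pool */`. Document on both functions that callers must mark the pool closing before calling snd_seq_pool_done(), and consider a warning in snd_seq_pool_done() when pool->closing is not set, so that a caller missed by this patch shows up instead of silently bringing the stall back.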
@@ -424,10 +436,6 @@ int snd_seq_pool_done(struct snd_seq_pool *pool)
 		return -EINVAL;
 
 	/* wait for closing all threads */
-	spin_lock_irqsave(&pool->lock, flags);
-	pool->closing = 1;
-	spin_unlock_irqrestore(&pool->lock, flags);
-
 	if (waitqueue_active(&pool->output_sleep))
 		wake_up(&pool->output_sleep);
 
@@ -486,6 +494,7 @@ int snd_seq_pool_delete(struct snd_seq_pool **ppool)
 	*ppool = NULL;
 	if (pool == NULL)
 		return 0;
+	snd_seq_pool_mark_closing(pool);
 	snd_seq_pool_done(pool);
 	kfree(pool);
 	return 0;
diff --git a/sound/core/seq/seq_memory.h b/sound/core/seq/seq_memory.h
index 4a2ec779b8a7..32f959c17786 100644
--- a/sound/core/seq/seq_memory.h
+++ b/sound/core/seq/seq_memory.h
@@ -84,6 +84,7 @@ static inline int snd_seq_total_cells(struct snd_seq_pool *pool)
 int snd_seq_pool_init(struct snd_seq_pool *pool);
 
 /* done pool - free events */
+void snd_seq_pool_mark_closing(struct snd_seq_pool *pool);
 int snd_seq_pool_done(struct snd_seq_pool *pool);
 
 /* create pool */
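
Review bot: the new prototype is inserted between the comment `/* done pool - free events */` and snd_seq_pool_done(), so that comment now describes snd_seq_pool_mark_closing() instead. Put the declaration above the comment, or give it its own one-line comment.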
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 081/142] USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (79 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 080/142] ALSA: seq: Fix racy cell insertions during snd_seq_pool_done() Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 082/142] USB: serial: qcserial: add Dell DW5811e Jiri Slaby
                   ` (62 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dan Williams, Johan Hovold, Jiri Slaby

From: Dan Williams <dcbw@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 upstream.

Add Quectel UC15, UC20, EC21, and EC25.  The EC20 is handled by
qcserial due to a USB VID/PID conflict with an existing Acer
device.

Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/option.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 49b668da6cf0..edadc7568eb7 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -234,6 +234,14 @@ static void option_instat_callback(struct urb *urb);
 #define BANDRICH_PRODUCT_1012			0x1012
 
 #define QUALCOMM_VENDOR_ID			0x05C6
+/* These Quectel products use Qualcomm's vendor ID */
+#define QUECTEL_PRODUCT_UC20			0x9003
+#define QUECTEL_PRODUCT_UC15			0x9090
+
+#define QUECTEL_VENDOR_ID			0x2c7c
+/* These Quectel products use Quectel's vendor ID */
+#define QUECTEL_PRODUCT_EC21			0x0121
+#define QUECTEL_PRODUCT_EC25			0x0125
 
 #define CMOTECH_VENDOR_ID			0x16d8
 #define CMOTECH_PRODUCT_6001			0x6001
@@ -1169,7 +1177,14 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */
 	{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */
 	{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
-	{ USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9003), /* Quectel UC20 */
+	/* Quectel products using Qualcomm vendor ID */
+	{ USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
+	{ USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),
+	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+	/* Quectel products using Quectel vendor ID */
+	{ USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21),
+	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+	{ USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25),
 	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
 	{ USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
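
Review bot: of the four Quectel entries added to option_ids[], only QUECTEL_PRODUCT_UC15 has no `.driver_info = (kernel_ulong_t)&net_intf4_blacklist`. If that is intentional, say so in a comment on the UC15 entry; if it is an oversight, the option driver would claim an interface the blacklist is meant to keep it off. The commit message does not say which.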
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 082/142] USB: serial: qcserial: add Dell DW5811e
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (80 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 081/142] USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 083/142] ACM gadget: fix endianness in notifications Jiri Slaby
                   ` (61 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Bjørn Mork, Johan Hovold, Jiri Slaby

From: Bjørn Mork <bjorn@mork.no>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 436ecf5519d892397af133a79ccd38a17c25fa51 upstream.

This is a Dell branded Sierra Wireless EM7455.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/qcserial.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c
index 25f97da78989..c811c2dc1ae3 100644
--- a/drivers/usb/serial/qcserial.c
+++ b/drivers/usb/serial/qcserial.c
@@ -166,6 +166,8 @@ static const struct usb_device_id id_table[] = {
 	{DEVICE_SWI(0x413c, 0x81a9)},	/* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
 	{DEVICE_SWI(0x413c, 0x81b1)},	/* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
 	{DEVICE_SWI(0x413c, 0x81b3)},	/* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+	{DEVICE_SWI(0x413c, 0x81b5)},	/* Dell Wireless 5811e QDL */
+	{DEVICE_SWI(0x413c, 0x81b6)},	/* Dell Wireless 5811e QDL */
 
 	{ }				/* Terminating entry */
 };
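
Review bot: the two added id_table[] entries, 0x81b5 and 0x81b6, carry the identical comment `Dell Wireless 5811e QDL`. The neighbouring entries distinguish variants in the comment (for example `(rev3)`); say what differs between these two product IDs so the table stays readable.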
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 083/142] ACM gadget: fix endianness in notifications
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (81 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 082/142] USB: serial: qcserial: add Dell DW5811e Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 084/142] usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk Jiri Slaby
                   ` (60 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Oliver Neukum, Jiri Slaby

From: Oliver Neukum <oneukum@suse.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit cdd7928df0d2efaa3270d711963773a08a4cc8ab upstream.

The gadget code exports the bitfield for serial status changes
over the wire in its internal endianness. The fix is to convert
to little endian before sending it over the wire.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Tested-by: 家瑋 <momo1208@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/gadget/f_acm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/f_acm.c b/drivers/usb/gadget/f_acm.c
index 3384486c2884..ff30171b6926 100644
--- a/drivers/usb/gadget/f_acm.c
+++ b/drivers/usb/gadget/f_acm.c
@@ -535,13 +535,15 @@ static int acm_notify_serial_state(struct f_acm *acm)
 {
 	struct usb_composite_dev *cdev = acm->port.func.config->cdev;
 	int			status;
+	__le16			serial_state;
 
 	spin_lock(&acm->lock);
 	if (acm->notify_req) {
 		DBG(cdev, "acm ttyGS%d serial state %04x\n",
 				acm->port_num, acm->serial_state);
+		serial_state = cpu_to_le16(acm->serial_state);
 		status = acm_cdc_notify(acm, USB_CDC_NOTIFY_SERIAL_STATE,
-				0, &acm->serial_state, sizeof(acm->serial_state));
+				0, &serial_state, sizeof(acm->serial_state));
 	} else {
 		acm->pending = true;
 		status = 0;
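
Review bot: in the acm_cdc_notify() call the buffer is now the local `serial_state`, but the length is still `sizeof(acm->serial_state)`. The two agree only as long as the struct field stays 16 bits wide; use `sizeof(serial_state)` so that the pointer and the length refer to the same object.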
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 084/142] usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (82 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 083/142] ACM gadget: fix endianness in notifications Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 085/142] USB: uss720: fix NULL-deref at probe Jiri Slaby
                   ` (59 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Samuel Thibault, Jiri Slaby

From: Samuel Thibault <samuel.thibault@ens-lyon.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3243367b209faed5c320a4e5f9a565ee2a2ba958 upstream.

Some USB 2.0 devices erroneously report millisecond values in
bInterval. The generic config code manages to catch most of them,
but in some cases it's not completely enough.

The case at stake here is a USB 2.0 braille device, which wants to
announce 10ms and thus sets bInterval to 10, but with the USB 2.0
computation that yields 64ms.  It happens that one can type fast
enough to reach this interval and get the device buffers overflown,
leading to problematic latencies.  The generic config code does not
catch this case because the 64ms is considered a sane enough value.

This change thus adds a USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL quirk
to mark devices which actually report milliseconds in bInterval,
and marks Vario Ultra devices as needing it.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/core/config.c  | 10 ++++++++++
 drivers/usb/core/quirks.c  |  8 ++++++++
 include/linux/usb/quirks.h |  6 ++++++
 3 files changed, 24 insertions(+)

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 15b39065f1dc..ee8e42064d25 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -248,6 +248,16 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
 
 			/*
 			 * Adjust bInterval for quirked devices.
+			 */
+			/*
+			 * This quirk fixes bIntervals reported in ms.
+			 */
+			if (to_usb_device(ddev)->quirks &
+				USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL) {
+				n = clamp(fls(d->bInterval) + 3, i, j);
+				i = j = n;
+			}
+			/*
 			 * This quirk fixes bIntervals reported in
 			 * linear microframes.
 			 */
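
Review bot: `n = clamp(fls(d->bInterval) + 3, i, j);` has no explanation for the `fls()` or the `+ 3`; the comment above it says only that the quirk fixes bIntervals reported in ms. Spell out in the comment how a millisecond value becomes the encoding that i and j bound. The quirk is also named LINEAR_FRAME while the comment says ms, so one wording should be aligned with the other, and the added lines leave `Adjust bInterval for quirked devices.` as a standalone comment followed at once by a second comment block; merging them would read better.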
diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
index 094fe92ac21f..f792e6bea6b4 100644
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -164,6 +164,14 @@ static const struct usb_device_id usb_quirk_list[] = {
 	/* M-Systems Flash Disk Pioneers */
 	{ USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* Baum Vario Ultra */
+	{ USB_DEVICE(0x0904, 0x6101), .driver_info =
+			USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
+	{ USB_DEVICE(0x0904, 0x6102), .driver_info =
+			USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
+	{ USB_DEVICE(0x0904, 0x6103), .driver_info =
+			USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
+
 	/* Keytouch QWERTY Panel keyboard */
 	{ USB_DEVICE(0x0926, 0x3333), .driver_info =
 			USB_QUIRK_CONFIG_INTF_STRINGS },
diff --git a/include/linux/usb/quirks.h b/include/linux/usb/quirks.h
index 7eb814c60b5d..24872fc86962 100644
--- a/include/linux/usb/quirks.h
+++ b/include/linux/usb/quirks.h
@@ -50,4 +50,10 @@
 /* device can't handle Link Power Management */
 #define USB_QUIRK_NO_LPM			BIT(10)
 
+/*
+ * Device reports its bInterval as linear frames instead of the
+ * USB 2.0 calculation.
+ */
+#define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL	BIT(11)
+
 #endif /* __LINUX_USB_QUIRKS_H */
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 085/142] USB: uss720: fix NULL-deref at probe
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (83 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 084/142] usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 086/142] USB: idmouse: " Jiri Slaby
                   ` (58 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

Note that the endpoint access that causes the NULL-deref is currently
only used for debugging purposes during probe so the oops only happens
when dynamic debugging is enabled. This means the driver could be
rewritten to continue to accept devices with only two endpoints, should
such devices exist.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/misc/uss720.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c
index 40ef40affe83..3cb05eb5f1df 100644
--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -715,6 +715,11 @@ static int uss720_probe(struct usb_interface *intf,
 
 	interface = intf->cur_altsetting;
 
+	if (interface->desc.bNumEndpoints < 3) {
+		usb_put_dev(usbdev);
+		return -ENODEV;
+	}
+
 	/*
 	 * Allocate parport interface 
 	 */
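
Review bot: the threshold in `interface->desc.bNumEndpoints < 3` is a bare literal with no comment, and the commit message itself says the endpoint access behind it is only used for debugging. Add a comment naming the endpoints the driver expects so the number can be revisited later. The error path also open-codes `usb_put_dev(usbdev)`; if uss720_probe() has a shared unwind label, jumping to it would keep the reference drop in one place.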
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 086/142] USB: idmouse: fix NULL-deref at probe
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (84 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 085/142] USB: uss720: fix NULL-deref at probe Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 087/142] USB: wusbcore: " Jiri Slaby
                   ` (57 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b0addd3fa6bcd119be9428996d5d4522479ab240 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/misc/idmouse.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c
index ce978384fda1..3b885c61b73e 100644
--- a/drivers/usb/misc/idmouse.c
+++ b/drivers/usb/misc/idmouse.c
@@ -347,6 +347,9 @@ static int idmouse_probe(struct usb_interface *interface,
 	if (iface_desc->desc.bInterfaceClass != 0x0A)
 		return -ENODEV;
 
+	if (iface_desc->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	/* allocate memory for our device state and initialize it */
 	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
 	if (dev == NULL)
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 087/142] USB: wusbcore: fix NULL-deref at probe
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (85 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 086/142] USB: idmouse: " Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 088/142] usb: hub: Fix crash after failure to read BOS descriptor Jiri Slaby
                   ` (56 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Johan Hovold, Inaky Perez-Gonzalez, David Vrabel,
	Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.

This specifically fixes the NULL-pointer dereference when probing HWA HC
devices.

Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core")
Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
Cc: David Vrabel <david.vrabel@csr.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/wusbcore/wa-hc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/wusbcore/wa-hc.c b/drivers/usb/wusbcore/wa-hc.c
index a09b65ebd9bb..2bb0fd3f3423 100644
--- a/drivers/usb/wusbcore/wa-hc.c
+++ b/drivers/usb/wusbcore/wa-hc.c
@@ -38,6 +38,9 @@ int wa_create(struct wahc *wa, struct usb_interface *iface)
 	int result;
 	struct device *dev = &iface->dev;
 
+	if (iface->cur_altsetting->desc.bNumEndpoints < 3)
+		return -ENODEV;
+
 	result = wa_rpipes_create(wa);
 	if (result < 0)
 		goto error_rpipes_create;
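
Review bot: wa_create() now fails with -ENODEV before any of its `goto error_...` unwinding applies, which is fine, but the new return value and the reason for the literal 3 are not documented. The accesses the check protects are outside this hunk, so a comment listing which endpoint indices the wire-adapter code uses would tell a reader why 3, and the function's header comment should mention the new -ENODEV return.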
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 088/142] usb: hub: Fix crash after failure to read BOS descriptor
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (86 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 087/142] USB: wusbcore: " Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 089/142] uwb: i1480-dfu: fix NULL-deref at probe Jiri Slaby
                   ` (55 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Guenter Roeck, Mathias Nyman, Jiri Slaby

From: Guenter Roeck <linux@roeck-us.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc upstream.

If usb_get_bos_descriptor() returns an error, usb->bos will be NULL.
Nevertheless, it is dereferenced unconditionally in
hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set.
This results in a crash.

usb 5-1: unable to get BOS descriptor
...
Unable to handle kernel NULL pointer dereference at virtual address 00000008
pgd = ffffffc00165f000
[00000008] *pgd=000000000174f003, *pud=000000000174f003,
		*pmd=0000000001750003, *pte=00e8000001751713
Internal error: Oops: 96000005 [#1] PREEMPT SMP
Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ]
CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G    B 4.4.52 #480
Hardware name: Google Kevin (DT)
Workqueue: events driver_set_config_work
task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000
PC is at hub_port_init+0xc3c/0xd10
LR is at hub_port_init+0xc3c/0xd10
...
Call trace:
[<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10
[<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c
[<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298
[<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152]
[<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8
[<ffffffc000774a24>] driver_probe_device+0x180/0x3b4
[<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0
[<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4
[<ffffffc0007747ec>] __device_attach+0xd0/0x158
[<ffffffc000775080>] device_initial_probe+0x24/0x30
[<ffffffc0007739d4>] bus_probe_device+0x50/0xe4
[<ffffffc000770bd0>] device_add+0x414/0x738
[<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914
[<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0
[<ffffffc000249bb8>] process_one_work+0x390/0x6b8
[<ffffffc00024abcc>] worker_thread+0x480/0x610
[<ffffffc000251a80>] kthread+0x164/0x178
[<ffffffc0002045d0>] ret_from_fork+0x10/0x40

Since we don't know anything about LPM capabilities without BOS descriptor,
don't attempt to enable LPM if it is not available.

Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...")
Cc: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/core/hub.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 770cea7de0ec..53aa23dee140 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4004,7 +4004,7 @@ static void hub_set_initial_usb2_lpm_policy(struct usb_device *udev)
 {
 	int connect_type;
 
-	if (!udev->usb2_hw_lpm_capable)
+	if (!udev->usb2_hw_lpm_capable || !udev->bos)
 		return;
 
 	connect_type = usb_get_hub_port_connect_type(udev->parent,
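
Review bot: the added `!udev->bos` test in hub_set_initial_usb2_lpm_policy() guards this one dereference but reads oddly without context; add a short comment that bos is NULL when reading the BOS descriptor failed. It is also worth checking whether usb2_hw_lpm_capable should be left unset in that case, which would cover this function and any other code that trusts the flag.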
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 089/142] uwb: i1480-dfu: fix NULL-deref at probe
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (87 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 088/142] usb: hub: Fix crash after failure to read BOS descriptor Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 090/142] uwb: hwa-rc: " Jiri Slaby
                   ` (54 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Johan Hovold, Inaky Perez-Gonzalez, David Vrabel,
	Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 4ce362711d78a4999011add3115b8f4b0bc25e8c upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Note that the dereference happens in the cmd and wait_init_done
callbacks which are called during probe.

Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver")
Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
Cc: David Vrabel <david.vrabel@csr.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/uwb/i1480/dfu/usb.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/uwb/i1480/dfu/usb.c b/drivers/uwb/i1480/dfu/usb.c
index 2bfc846ac071..6345e85822a4 100644
--- a/drivers/uwb/i1480/dfu/usb.c
+++ b/drivers/uwb/i1480/dfu/usb.c
@@ -362,6 +362,9 @@ int i1480_usb_probe(struct usb_interface *iface, const struct usb_device_id *id)
 				 result);
 	}
 
+	if (iface->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	result = -ENOMEM;
 	i1480_usb = kzalloc(sizeof(*i1480_usb), GFP_KERNEL);
 	if (i1480_usb == NULL) {
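Review bot: the check added to i1480_usb_probe() only guarantees that the current altsetting has at least one endpoint; it does not verify that endpoint's transfer type or direction. If the cmd and wait_init_done callbacks named in the commit message assume a particular kind of endpoint, validate that here as well, since the descriptor contents are supplied by the device. A short comment naming those callbacks would also explain why the check sits at this point in probe.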
-- 
2.12.2


* [PATCH 3.12 090/142] uwb: hwa-rc: fix NULL-deref at probe
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (88 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 089/142] uwb: i1480-dfu: fix NULL-deref at probe Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 091/142] mmc: ushc: " Jiri Slaby
                   ` (53 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Johan Hovold, Inaky Perez-Gonzalez, David Vrabel,
	Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit daf229b15907fbfdb6ee183aac8ca428cb57e361 upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Note that the dereference happens in the start callback which is called
during probe.

Fixes: de520b8bd552 ("uwb: add HWA radio controller driver")
Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
Cc: David Vrabel <david.vrabel@csr.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/uwb/hwa-rc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/uwb/hwa-rc.c b/drivers/uwb/hwa-rc.c
index 0257f35cfb9d..e75bbe5a10cd 100644
--- a/drivers/uwb/hwa-rc.c
+++ b/drivers/uwb/hwa-rc.c
@@ -825,6 +825,9 @@ static int hwarc_probe(struct usb_interface *iface,
 	struct hwarc *hwarc;
 	struct device *dev = &iface->dev;
 
+	if (iface->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	result = -ENOMEM;
 	uwb_rc = uwb_rc_alloc();
 	if (uwb_rc == NULL) {
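Review bot: hwarc_probe() now returns -ENODEV silently when `bNumEndpoints < 1`. This path is only taken for a device with a malformed descriptor, so a dev_err() or dev_dbg() before the return would make the rejection visible in the log. The placement before uwb_rc_alloc() is right: nothing has to be unwound on this exit.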
-- 
2.12.2


* [PATCH 3.12 091/142] mmc: ushc: fix NULL-deref at probe
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (89 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 090/142] uwb: hwa-rc: " Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 092/142] ext4: mark inode dirty after converting inline directory Jiri Slaby
                   ` (52 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, David Vrabel, Ulf Hansson, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 181302dc7239add8ab1449c23ecab193f52ee6ab upstream.

Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.

Fixes: 53f3a9e26ed5 ("mmc: USB SD Host Controller (USHC) driver")
Cc: David Vrabel <david.vrabel@csr.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/mmc/host/ushc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/mmc/host/ushc.c b/drivers/mmc/host/ushc.c
index c0105a2e269a..d5493a5a7e7c 100644
--- a/drivers/mmc/host/ushc.c
+++ b/drivers/mmc/host/ushc.c
@@ -426,6 +426,9 @@ static int ushc_probe(struct usb_interface *intf, const struct usb_device_id *id
 	struct ushc_data *ushc;
 	int ret;
 
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1)
+		return -ENODEV;
+
 	mmc = mmc_alloc_host(sizeof(struct ushc_data), &intf->dev);
 	if (mmc == NULL)
 		return -ENOMEM;
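Review bot: the `bNumEndpoints < 1` test in ushc_probe() confirms that an endpoint exists, but neither the hunk nor the commit message says which endpoint index the driver later relies on. A comment stating that would let a reader confirm that `< 1` is the right bound, rather than a larger count. As with the two uwb patches in this series, the bare return leaves no trace in the log when a device is rejected.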
-- 
2.12.2


* [PATCH 3.12 092/142] ext4: mark inode dirty after converting inline directory
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (90 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 091/142] mmc: ushc: " Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 093/142] mmc: sdhci: Do not disable interrupts while waiting for clock Jiri Slaby
                   ` (51 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Eric Biggers, Theodore Ts'o, Jiri Slaby

From: Eric Biggers <ebiggers@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b9cf625d6ecde0d372e23ae022feead72b4228a6 upstream.

If ext4_convert_inline_data() was called on a directory with inline
data, the filesystem was left in an inconsistent state (as considered by
e2fsck) because the file size was not increased to cover the new block.
This happened because the inode was not marked dirty after i_disksize
was updated.  Fix this by marking the inode dirty at the end of
ext4_finish_convert_inline_dir().

This bug was probably not noticed before because most users mark the
inode dirty afterwards for other reasons.  But if userspace executed
FS_IOC_SET_ENCRYPTION_POLICY with invalid parameters, as exercised by
'kvm-xfstests -c adv generic/396', then the inode was never marked dirty
after updating i_disksize.

Fixes: 3c47d54170b6a678875566b1b8d6dcf57904e49b
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ext4/inline.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index a4d6e9a953f9..af053f3105b8 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1146,10 +1146,9 @@ static int ext4_finish_convert_inline_dir(handle_t *handle,
 	set_buffer_uptodate(dir_block);
 	err = ext4_handle_dirty_dirent_node(handle, inode, dir_block);
 	if (err)
-		goto out;
+		return err;
 	set_buffer_verified(dir_block);
-out:
-	return err;
+	return ext4_mark_inode_dirty(handle, inode);
 }
 
 static int ext4_convert_inline_data_nolock(handle_t *handle,
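Review bot: the new `return ext4_mark_inode_dirty(handle, inode);` at the end of ext4_finish_convert_inline_dir() carries no comment, and nothing in the hunk shows why the inode needs dirtying here. Per the commit message it is because i_disksize was updated earlier in the function; say so in a comment, otherwise the call looks redundant next to ext4_handle_dirty_dirent_node(). Note also that set_buffer_verified() now runs before a step that can still fail, so the function can return an error with the buffer already marked verified; confirm the callers are fine with that.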
-- 
2.12.2


* [PATCH 3.12 093/142] mmc: sdhci: Do not disable interrupts while waiting for clock
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (91 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 092/142] ext4: mark inode dirty after converting inline directory Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 094/142] nl80211: fix dumpit error path RTNL deadlocks Jiri Slaby
                   ` (50 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Adrian Hunter, Ulf Hansson, Jiri Slaby

From: Adrian Hunter <adrian.hunter@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e2ebfb2142acefecc2496e71360f50d25726040b upstream.

Disabling interrupts for even a millisecond can cause problems for some
devices. That can happen when sdhci changes clock frequency because it
waits for the clock to become stable under a spin lock.

The spin lock is not necessary here. Anything that is racing with changes
to the I/O state is already broken. The mmc core already provides
synchronization via "claiming" the host.

Although the spin lock probably should be removed from the code paths that
lead to this point, such a patch would touch too much code to be suitable
for stable trees. Consequently, for this patch, just drop the spin lock
while waiting.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Tested-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/mmc/host/sdhci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
index 4e697ea67ae2..c3070ab2a05c 100644
--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -1232,7 +1232,9 @@ clock_set:
 			return;
 		}
 		timeout--;
-		mdelay(1);
+		spin_unlock_irq(&host->lock);
+		usleep_range(900, 1100);
+		spin_lock_irq(&host->lock);
 	}
 
 	clk |= SDHCI_CLOCK_CARD_EN;
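Review bot: releasing host->lock with spin_unlock_irq() and calling usleep_range() inside the clock-stable wait loop is only safe if every caller reaches this point in process context with the lock taken by spin_lock_irq(). spin_unlock_irq() enables interrupts unconditionally, so a caller that used spin_lock_irqsave() with interrupts already off would have them turned on here. A might_sleep() at the top of the function, or a comment stating the locking contract, would document the requirement. Anything protected by host->lock can also change while the lock is released, so state read before the loop should not be relied on afterwards without a recheck.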
-- 
2.12.2


* [PATCH 3.12 094/142] nl80211: fix dumpit error path RTNL deadlocks
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (92 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 093/142] mmc: sdhci: Do not disable interrupts while waiting for clock Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 095/142] USB: usbtmc: add missing endpoint sanity check Jiri Slaby
                   ` (49 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johannes Berg, Jiri Slaby

From: Johannes Berg <johannes.berg@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ea90e0dc8cecba6359b481e24d9c37160f6f524f upstream.

Sowmini pointed out Dmitry's RTNL deadlock report to me, and it turns out
to be perfectly accurate - there are various error paths that miss unlock
of the RTNL.

To fix those, change the locking a bit to not be conditional in all those
nl80211_prepare_*_dump() functions, but make those require the RTNL to
start with, and fix the buggy error paths. This also let me use sparse
(by appropriately overriding the rtnl_lock/rtnl_unlock functions) to
validate the changes.

[js] no mpp and vendor dumps in 3.12 yet

Reported-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/wireless/nl80211.c | 52 ++++++++++++++++++++------------------------------
 1 file changed, 21 insertions(+), 31 deletions(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index cda142009426..bb03e47bf887 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -438,21 +438,17 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
 {
 	int err;
 
-	rtnl_lock();
-
 	if (!cb->args[0]) {
 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
 				  nl80211_fam.attrbuf, nl80211_fam.maxattr,
 				  nl80211_policy);
 		if (err)
-			goto out_unlock;
+			return err;
 
 		*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk),
 						   nl80211_fam.attrbuf);
-		if (IS_ERR(*wdev)) {
-			err = PTR_ERR(*wdev);
-			goto out_unlock;
-		}
+		if (IS_ERR(*wdev))
+			return PTR_ERR(*wdev);
 		*rdev = wiphy_to_dev((*wdev)->wiphy);
 		/* 0 is the first index - add 1 to parse only once */
 		cb->args[0] = (*rdev)->wiphy_idx + 1;
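Review bot: with rtnl_lock() removed from nl80211_prepare_wdev_dump(), the function now depends on the caller holding the RTNL, and nothing in the function states or enforces that. Add ASSERT_RTNL() at the top, plus a line in a comment above the function, so a future caller that forgets the lock is caught at runtime rather than in review.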
@@ -462,10 +458,8 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
 		struct wireless_dev *tmp;
 
-		if (!wiphy) {
-			err = -ENODEV;
-			goto out_unlock;
-		}
+		if (!wiphy)
+			return -ENODEV;
 		*rdev = wiphy_to_dev(wiphy);
 		*wdev = NULL;
 
@@ -476,21 +470,11 @@ static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
 			}
 		}
 
-		if (!*wdev) {
-			err = -ENODEV;
-			goto out_unlock;
-		}
+		if (!*wdev)
+			return -ENODEV;
 	}
 
 	return 0;
- out_unlock:
-	rtnl_unlock();
-	return err;
-}
-
-static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
-{
-	rtnl_unlock();
 }
 
 /* IE validation */
@@ -3607,9 +3591,10 @@ static int nl80211_dump_station(struct sk_buff *skb,
 	int sta_idx = cb->args[2];
 	int err;
 
+	rtnl_lock();
 	err = nl80211_prepare_wdev_dump(skb, cb, &dev, &wdev);
 	if (err)
-		return err;
+		goto out_err;
 
 	if (!wdev->netdev) {
 		err = -EINVAL;
@@ -3645,7 +3630,7 @@ static int nl80211_dump_station(struct sk_buff *skb,
 	cb->args[2] = sta_idx;
 	err = skb->len;
  out_err:
-	nl80211_finish_wdev_dump(dev);
+	rtnl_unlock();
 
 	return err;
 }
@@ -4273,9 +4258,10 @@ static int nl80211_dump_mpath(struct sk_buff *skb,
 	int path_idx = cb->args[2];
 	int err;
 
+	rtnl_lock();
 	err = nl80211_prepare_wdev_dump(skb, cb, &dev, &wdev);
 	if (err)
-		return err;
+		goto out_err;
 
 	if (!dev->ops->dump_mpath) {
 		err = -EOPNOTSUPP;
@@ -4309,7 +4295,7 @@ static int nl80211_dump_mpath(struct sk_buff *skb,
 	cb->args[2] = path_idx;
 	err = skb->len;
  out_err:
-	nl80211_finish_wdev_dump(dev);
+	rtnl_unlock();
 	return err;
 }
 
@@ -5853,9 +5839,12 @@ static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
 	int start = cb->args[2], idx = 0;
 	int err;
 
+	rtnl_lock();
 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
-	if (err)
+	if (err) {
+		rtnl_unlock();
 		return err;
+	}
 
 	wdev_lock(wdev);
 	spin_lock_bh(&rdev->bss_lock);
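Review bot: nl80211_dump_scan() open-codes rtnl_unlock() in the error branch, while the station, mpath and survey handlers changed in this patch use `goto out_err` with a single unlock. Missed unlocks on error paths are the bug being fixed here, so a single exit label in this function too would leave one unlock site to audit instead of two.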
@@ -5878,7 +5867,7 @@ static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
 	wdev_unlock(wdev);
 
 	cb->args[2] = idx;
-	nl80211_finish_wdev_dump(rdev);
+	rtnl_unlock();
 
 	return skb->len;
 }
@@ -5951,9 +5940,10 @@ static int nl80211_dump_survey(struct sk_buff *skb,
 	int survey_idx = cb->args[2];
 	int res;
 
+	rtnl_lock();
 	res = nl80211_prepare_wdev_dump(skb, cb, &dev, &wdev);
 	if (res)
-		return res;
+		goto out_err;
 
 	if (!wdev->netdev) {
 		res = -EINVAL;
@@ -5999,7 +5989,7 @@ static int nl80211_dump_survey(struct sk_buff *skb,
 	cb->args[2] = survey_idx;
 	res = skb->len;
  out_err:
-	nl80211_finish_wdev_dump(dev);
+	rtnl_unlock();
 	return res;
 }
 
-- 
2.12.2


* [PATCH 3.12 095/142] USB: usbtmc: add missing endpoint sanity check
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (93 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 094/142] nl80211: fix dumpit error path RTNL deadlocks Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 096/142] xfs: clear _XBF_PAGES from buffers when readahead page Jiri Slaby
                   ` (48 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 687e0687f71ec00e0132a21fef802dee88c2f1ad upstream.

USBTMC devices are required to have a bulk-in and a bulk-out endpoint,
but the driver failed to verify this, something which could lead to the
endpoint addresses being taken from uninitialised memory.

Make sure to zero all private data as part of allocation, and add the
missing endpoint sanity check.

Note that this also addresses a more recently introduced issue, where
the interrupt-in-presence flag would also be uninitialised whenever the
optional interrupt-in endpoint is not present. This in turn could lead
to an interrupt urb being allocated, initialised and submitted based on
uninitialised values.

Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
Fixes: 5b775f672cc9 ("USB: add USB test and measurement class driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
[ johan: backport to v4.4 ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/class/usbtmc.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
index 72ed4ac2cfad..13583a2edba7 100644
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -1102,7 +1102,7 @@ static int usbtmc_probe(struct usb_interface *intf,
 
 	dev_dbg(&intf->dev, "%s called\n", __func__);
 
-	data = kmalloc(sizeof(*data), GFP_KERNEL);
+	data = kzalloc(sizeof(*data), GFP_KERNEL);
 	if (!data) {
 		dev_err(&intf->dev, "Unable to allocate kernel memory\n");
 		return -ENOMEM;
@@ -1162,6 +1162,12 @@ static int usbtmc_probe(struct usb_interface *intf,
 		}
 	}
 
+	if (!data->bulk_out || !data->bulk_in) {
+		dev_err(&intf->dev, "bulk endpoints not found\n");
+		retcode = -ENODEV;
+		goto err_put;
+	}
+
 	retcode = get_capabilities(data);
 	if (retcode)
 		dev_err(&intf->dev, "can't read capabilities\n");
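Review bot: the test `!data->bulk_out || !data->bulk_in` treats 0 as "endpoint not found", which is only valid because the first hunk switches the allocation to kzalloc(). That coupling deserves a comment at the check, so that a later change back to a non-zeroing allocation, or a refactor of the endpoint scan, does not quietly reintroduce use of uninitialised endpoint addresses. The context just below also shows a get_capabilities() failure being logged while probe carries on; worth confirming that is intended.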
@@ -1185,6 +1191,7 @@ static int usbtmc_probe(struct usb_interface *intf,
 error_register:
 	sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp);
 	sysfs_remove_group(&intf->dev.kobj, &data_attr_grp);
+err_put:
 	kref_put(&data->kref, usbtmc_delete);
 	return retcode;
 }
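Review bot: the new label `err_put` sits directly under the existing `error_register`, so the function now mixes two naming styles for its unwind labels; pick one. The position of the label looks right provided the sysfs groups are created after the new bulk-endpoint check, since the jump skips both sysfs_remove_group() calls and only drops the kref.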
-- 
2.12.2


* [PATCH 3.12 096/142] xfs: clear _XBF_PAGES from buffers when readahead page
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (94 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 095/142] USB: usbtmc: add missing endpoint sanity check Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 097/142] block: allow WRITE_SAME commands with the SG_IO ioctl Jiri Slaby
                   ` (47 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Darrick J. Wong, Ivan Kozik, Jiri Slaby

From: "Darrick J. Wong" <darrick.wong@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 2aa6ba7b5ad3189cc27f14540aa2f57f0ed8df4b upstream.

If we try to allocate memory pages to back an xfs_buf that we're trying
to read, it's possible that we'll be so short on memory that the page
allocation fails.  For a blocking read we'll just wait, but for
readahead we simply dump all the pages we've collected so far.

Unfortunately, after dumping the pages we neglect to clear the
_XBF_PAGES state, which means that the subsequent call to xfs_buf_free
thinks that b_pages still points to pages we own.  It then double-frees
the b_pages pages.

This results in screaming about negative page refcounts from the memory
manager, which xfs oughtn't be triggering.  To reproduce this case,
mount a filesystem where the size of the inodes far outweighs the
available memory (a ~500M inode filesystem on a VM with 300MB memory
did the trick here) and run bulkstat in parallel with other memory
eating processes to put a huge load on the system.  The "check summary"
phase of xfs_scrub also works for this purpose.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Cc: Ivan Kozik <ivan@ludios.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/xfs/xfs_buf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
index c4a4ad0cd33e..e99655a1b372 100644
--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -376,6 +376,7 @@ retry:
 out_free_pages:
 	for (i = 0; i < bp->b_page_count; i++)
 		__free_page(bp->b_pages[i]);
+	bp->b_flags &= ~_XBF_PAGES;
 	return error;
 }
 
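Review bot: clearing _XBF_PAGES after the __free_page() loop at out_free_pages stops xfs_buf_free() from freeing the pages a second time, but the hunk leaves bp->b_pages and bp->b_page_count describing pages that have already been released. A comment saying that the flag is what marks ownership of b_pages, and that it must be cleared on this path for that reason, would make the one-line fix self-explanatory; resetting the count as well would remove the stale state entirely.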
-- 
2.12.2


* [PATCH 3.12 097/142] block: allow WRITE_SAME commands with the SG_IO ioctl
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (95 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 096/142] xfs: clear _XBF_PAGES from buffers when readahead page Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:32 ` [PATCH 3.12 098/142] uvcvideo: uvc_scan_fallback() for webcams with broken chain Jiri Slaby
                   ` (46 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Sumit Semwal, Mauricio Faria de Oliveira,
	Brahadambal Srinivasan, Jens Axboe, Sasha Levin,
	Greg Kroah-Hartman, Jiri Slaby

From: Sumit Semwal <sumit.semwal@linaro.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

From: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>

[ Upstream commit 25cdb64510644f3e854d502d69c73f21c6df88a9 ]

The WRITE_SAME commands are not present in the blk_default_cmd_filter
write_ok list, and thus are failed with -EPERM when the SG_IO ioctl()
is executed without CAP_SYS_RAWIO capability (e.g., unprivileged users).
[ sg_io() -> blk_fill_sghdr_rq() > blk_verify_command() -> -EPERM ]

The problem can be reproduced with the sg_write_same command

  # sg_write_same --num 1 --xferlen 512 /dev/sda
  #

  # capsh --drop=cap_sys_rawio -- -c \
    'sg_write_same --num 1 --xferlen 512 /dev/sda'
    Write same: pass through os error: Operation not permitted
  #

For comparison, the WRITE_VERIFY command does not observe this problem,
since it is in that list:

  # capsh --drop=cap_sys_rawio -- -c \
    'sg_write_verify --num 1 --ilen 512 --lba 0 /dev/sda'
  #

So, this patch adds the WRITE_SAME commands to the list, in order
for the SG_IO ioctl to finish successfully:

  # capsh --drop=cap_sys_rawio -- -c \
    'sg_write_same --num 1 --xferlen 512 /dev/sda'
  #

That case happens to be exercised by QEMU KVM guests with 'scsi-block' devices
(qemu "-device scsi-block" [1], libvirt "<disk type='block' device='lun'>" [2]),
which employs the SG_IO ioctl() and runs as an unprivileged user (libvirt-qemu).

In that scenario, when a filesystem (e.g., ext4) performs its zero-out calls,
which are translated to write-same calls in the guest kernel, and then into
SG_IO ioctls to the host kernel, SCSI I/O errors may be observed in the guest:

  [...] sd 0:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
  [...] sd 0:0:0:0: [sda] tag#0 Sense Key : Aborted Command [current]
  [...] sd 0:0:0:0: [sda] tag#0 Add. Sense: I/O process terminated
  [...] sd 0:0:0:0: [sda] tag#0 CDB: Write Same(10) 41 00 01 04 e0 78 00 00 08 00
  [...] blk_update_request: I/O error, dev sda, sector 17096824

Links:
[1] http://git.qemu.org/?p=qemu.git;a=commit;h=336a6915bc7089fb20fea4ba99972ad9a97c5f52
[2] https://libvirt.org/formatdomain.html#elementsDisks (see 'disk' -> 'device')

Signed-off-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Signed-off-by: Brahadambal Srinivasan <latha@linux.vnet.ibm.com>
Reported-by: Manjunatha H R <manjuhr1@in.ibm.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 block/scsi_ioctl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index 1b4988b4bc11..9bfbb51aa75e 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -175,6 +175,9 @@ static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
 	__set_bit(WRITE_16, filter->write_ok);
 	__set_bit(WRITE_LONG, filter->write_ok);
 	__set_bit(WRITE_LONG_2, filter->write_ok);
+	__set_bit(WRITE_SAME, filter->write_ok);
+	__set_bit(WRITE_SAME_16, filter->write_ok);
+	__set_bit(WRITE_SAME_32, filter->write_ok);
 	__set_bit(ERASE, filter->write_ok);
 	__set_bit(GPCMD_MODE_SELECT_10, filter->write_ok);
 	__set_bit(MODE_SELECT, filter->write_ok);
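Review bot: adding WRITE_SAME, WRITE_SAME_16 and WRITE_SAME_32 to filter->write_ok extends what a process without CAP_SYS_RAWIO can send through SG_IO, and the hunk carries no comment recording that this is deliberate. The three opcodes go into write_ok next to WRITE_16 and WRITE_LONG, so they are gated the same way as the other write commands, which is the right list for them. A short comment grouping the WRITE_SAME variants and pointing at the scsi-block use case from the commit message would help whoever audits this filter later.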
-- 
2.12.2


* [PATCH 3.12 098/142] uvcvideo: uvc_scan_fallback() for webcams with broken chain
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (96 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 097/142] block: allow WRITE_SAME commands with the SG_IO ioctl Jiri Slaby
@ 2017-04-10 15:32 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 099/142] fbcon: Fix vc attr at deinit Jiri Slaby
                   ` (45 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:32 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Sumit Semwal, Henrik Ingo, Laurent Pinchart,
	Mauro Carvalho Chehab, Sasha Levin, Greg Kroah-Hartman,
	Jiri Slaby

From: Sumit Semwal <sumit.semwal@linaro.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

From: Henrik Ingo <henrik.ingo@avoinelama.fi>

[ Upstream commit e950267ab802c8558f1100eafd4087fd039ad634 ]

Some devices have invalid baSourceID references, causing uvc_scan_chain()
to fail, but if we just take the entities we can find and put them
together in the most sensible chain we can think of, turns out they do
work anyway. Note: This heuristic assumes there is a single chain.

At the time of writing, devices known to have such a broken chain are
  - Acer Integrated Camera (5986:055a)
  - Realtek rtl157a7 (0bda:57a7)

Signed-off-by: Henrik Ingo <henrik.ingo@avoinelama.fi>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/usb/uvc/uvc_driver.c | 118 +++++++++++++++++++++++++++++++++++--
 1 file changed, 112 insertions(+), 6 deletions(-)

diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
index 45314412b4a3..f47d1885b0d4 100644
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -1533,6 +1533,114 @@ static const char *uvc_print_chain(struct uvc_video_chain *chain)
 	return buffer;
 }
 
+static struct uvc_video_chain *uvc_alloc_chain(struct uvc_device *dev)
+{
+	struct uvc_video_chain *chain;
+
+	chain = kzalloc(sizeof(*chain), GFP_KERNEL);
+	if (chain == NULL)
+		return NULL;
+
+	INIT_LIST_HEAD(&chain->entities);
+	mutex_init(&chain->ctrl_mutex);
+	chain->dev = dev;
+	v4l2_prio_init(&chain->prio);
+
+	return chain;
+}
+
+/*
+ * Fallback heuristic for devices that don't connect units and terminals in a
+ * valid chain.
+ *
+ * Some devices have invalid baSourceID references, causing uvc_scan_chain()
+ * to fail, but if we just take the entities we can find and put them together
+ * in the most sensible chain we can think of, turns out they do work anyway.
+ * Note: This heuristic assumes there is a single chain.
+ *
+ * At the time of writing, devices known to have such a broken chain are
+ *  - Acer Integrated Camera (5986:055a)
+ *  - Realtek rtl157a7 (0bda:57a7)
+ */
+static int uvc_scan_fallback(struct uvc_device *dev)
+{
+	struct uvc_video_chain *chain;
+	struct uvc_entity *iterm = NULL;
+	struct uvc_entity *oterm = NULL;
+	struct uvc_entity *entity;
+	struct uvc_entity *prev;
+
+	/*
+	 * Start by locating the input and output terminals. We only support
+	 * devices with exactly one of each for now.
+	 */
+	list_for_each_entry(entity, &dev->entities, list) {
+		if (UVC_ENTITY_IS_ITERM(entity)) {
+			if (iterm)
+				return -EINVAL;
+			iterm = entity;
+		}
+
+		if (UVC_ENTITY_IS_OTERM(entity)) {
+			if (oterm)
+				return -EINVAL;
+			oterm = entity;
+		}
+	}
+
+	if (iterm == NULL || oterm == NULL)
+		return -EINVAL;
+
+	/* Allocate the chain and fill it. */
+	chain = uvc_alloc_chain(dev);
+	if (chain == NULL)
+		return -ENOMEM;
+
+	if (uvc_scan_chain_entity(chain, oterm) < 0)
+		goto error;
+
+	prev = oterm;
+
+	/*
+	 * Add all Processing and Extension Units with two pads. The order
+	 * doesn't matter much, use reverse list traversal to connect units in
+	 * UVC descriptor order as we build the chain from output to input. This
+	 * leads to units appearing in the order meant by the manufacturer for
+	 * the cameras known to require this heuristic.
+	 */
+	list_for_each_entry_reverse(entity, &dev->entities, list) {
+		if (entity->type != UVC_VC_PROCESSING_UNIT &&
+		    entity->type != UVC_VC_EXTENSION_UNIT)
+			continue;
+
+		if (entity->num_pads != 2)
+			continue;
+
+		if (uvc_scan_chain_entity(chain, entity) < 0)
+			goto error;
+
+		prev->baSourceID[0] = entity->id;
+		prev = entity;
+	}
+
+	if (uvc_scan_chain_entity(chain, iterm) < 0)
+		goto error;
+
+	prev->baSourceID[0] = iterm->id;
+
+	list_add_tail(&chain->list, &dev->chains);
+
+	uvc_trace(UVC_TRACE_PROBE,
+		  "Found a video chain by fallback heuristic (%s).\n",
+		  uvc_print_chain(chain));
+
+	return 0;
+
+error:
+	kfree(chain);
+	return -EINVAL;
+}
+
 /*
  * Scan the device for video chains and register video devices.
  *
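Review bot: in uvc_scan_fallback() the error path does kfree(chain) after uvc_scan_chain_entity() has already been called on that chain and after prev->baSourceID[0] has been overwritten. If uvc_scan_chain_entity() links entities into chain->entities, they are left referring to freed memory, and the rewritten baSourceID values stay in place even though the fallback failed. Either undo both before freeing, or collect the unit order first and rewrite baSourceID only once every step has succeeded. In addition, `prev->baSourceID[0] = ...` is written for oterm without a check in this hunk that the terminal has a source pad; the units are filtered on `num_pads != 2`, but the terminal is not, and all of these values come from device-supplied descriptors.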
@@ -1555,15 +1663,10 @@ static int uvc_scan_device(struct uvc_device *dev)
 		if (term->chain.next || term->chain.prev)
 			continue;
 
-		chain = kzalloc(sizeof(*chain), GFP_KERNEL);
+		chain = uvc_alloc_chain(dev);
 		if (chain == NULL)
 			return -ENOMEM;
 
-		INIT_LIST_HEAD(&chain->entities);
-		mutex_init(&chain->ctrl_mutex);
-		chain->dev = dev;
-		v4l2_prio_init(&chain->prio);
-
 		term->flags |= UVC_ENTITY_FLAG_DEFAULT;
 
 		if (uvc_scan_chain(chain, term) < 0) {
@@ -1577,6 +1680,9 @@ static int uvc_scan_device(struct uvc_device *dev)
 		list_add_tail(&chain->list, &dev->chains);
 	}
 
+	if (list_empty(&dev->chains))
+		uvc_scan_fallback(dev);
+
 	if (list_empty(&dev->chains)) {
 		uvc_printk(KERN_INFO, "No valid video chain found.\n");
 		return -1;
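Review bot: the return value of uvc_scan_fallback(dev) is discarded in uvc_scan_device(), so an -ENOMEM from the fallback is reported as "No valid video chain found." and turned into -1 by the list_empty() check that follows. Capture the result and propagate at least the allocation failure, and log when the fallback was tried and rejected so that the two failure causes can be told apart.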
-- 
2.12.2


* [PATCH 3.12 099/142] fbcon: Fix vc attr at deinit
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (97 preceding siblings ...)
  2017-04-10 15:32 ` [PATCH 3.12 098/142] uvcvideo: uvc_scan_fallback() for webcams with broken chain Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 100/142] crypto: algif_hash - avoid zero-sized array Jiri Slaby
                   ` (44 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Takashi Iwai, Bartlomiej Zolnierkiewicz,
	Arnd Bergmann, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8aac7f34369726d1a158788ae8aff3002d5eb528 upstream.

fbcon can deal with vc_hi_font_mask (the upper 256 chars) and adjust
the vc attrs dynamically when vc_hi_font_mask is changed at
fbcon_init().  When the vc_hi_font_mask is set, it remaps the attrs in
the existing console buffer with one bit shift up (for 9 bits), while
it remaps with one bit shift down (for 8 bits) when the value is
cleared.  It works fine as long as the font gets updated after fbcon
was initialized.

However, we hit a bizarre problem when the console is switched to
another fb driver (typically from vesafb or efifb to drmfb).  At
switching to the new fb driver, we temporarily rebind the console to
the dummy console, then rebind to the new driver.  During the
switching, we leave the modified attrs as is.  Thus, the new fbcon
takes over the old buffer as if it were to contain 8 bits chars
(although the attrs are still shifted for 9 bits), and effectively
this results in the yellow color texts instead of the original white
color, as found in the bugzilla entry below.

An easy fix for this is to re-adjust the attrs before leaving the
fbcon at con_deinit callback.  Since the code to adjust the attrs is
already present in the current fbcon code, in this patch, we simply
factor out the relevant code, and call it from fbcon_deinit().

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000619
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/video/console/fbcon.c | 67 ++++++++++++++++++++++++++-----------------
 1 file changed, 40 insertions(+), 27 deletions(-)

diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
index 9297a9b967fc..3939493bd3b3 100644
--- a/drivers/video/console/fbcon.c
+++ b/drivers/video/console/fbcon.c
@@ -1168,6 +1168,8 @@ static void fbcon_free_font(struct display *p, bool freefont)
 	p->userfont = 0;
 }
 
+static void set_vc_hi_font(struct vc_data *vc, bool set);
+
 static void fbcon_deinit(struct vc_data *vc)
 {
 	struct display *p = &fb_display[vc->vc_num];
@@ -1203,6 +1205,9 @@ finished:
 	if (free_font)
 		vc->vc_font.data = NULL;
 
+	if (vc->vc_hi_font_mask)
+		set_vc_hi_font(vc, false);
+
 	if (!con_is_bound(&fb_con))
 		fbcon_exit();
 
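Review bot: the new set_vc_hi_font(vc, false) call sits below the finished:
label and after the "vc->vc_font.data = NULL" assignment, so it runs on every
exit path of fbcon_deinit(), including ones that jumped to the label. Add a
short comment stating that the helper only rewrites vc state (masks, attrs and
the screen buffer) and does not depend on the font data that may just have
been cleared, so the ordering is not broken by a later change.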
@@ -2438,32 +2443,10 @@ static int fbcon_get_font(struct vc_data *vc, struct console_font *font)
 	return 0;
 }
 
-static int fbcon_do_set_font(struct vc_data *vc, int w, int h,
-			     const u8 * data, int userfont)
+/* set/clear vc_hi_font_mask and update vc attrs accordingly */
+static void set_vc_hi_font(struct vc_data *vc, bool set)
 {
-	struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
-	struct fbcon_ops *ops = info->fbcon_par;
-	struct display *p = &fb_display[vc->vc_num];
-	int resize;
-	int cnt;
-	char *old_data = NULL;
-
-	if (CON_IS_VISIBLE(vc) && softback_lines)
-		fbcon_set_origin(vc);
-
-	resize = (w != vc->vc_font.width) || (h != vc->vc_font.height);
-	if (p->userfont)
-		old_data = vc->vc_font.data;
-	if (userfont)
-		cnt = FNTCHARCNT(data);
-	else
-		cnt = 256;
-	vc->vc_font.data = (void *)(p->fontdata = data);
-	if ((p->userfont = userfont))
-		REFCOUNT(data)++;
-	vc->vc_font.width = w;
-	vc->vc_font.height = h;
-	if (vc->vc_hi_font_mask && cnt == 256) {
+	if (!set) {
 		vc->vc_hi_font_mask = 0;
 		if (vc->vc_can_do_color) {
 			vc->vc_complement_mask >>= 1;
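Review bot: set_vc_hi_font() no longer tests the current state. "if (!set)"
shifts the masks and attrs down unconditionally and the else branch shifts
them up, so two calls with the same argument would shift twice. Both callers
in this patch test vc->vc_hi_font_mask first, but the helper should either
return early when !!vc->vc_hi_font_mask == set or state that precondition in
the comment above it.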
@@ -2486,7 +2469,7 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h,
 			    ((c & 0xfe00) >> 1) | (c & 0xff);
 			vc->vc_attr >>= 1;
 		}
-	} else if (!vc->vc_hi_font_mask && cnt == 512) {
+	} else {
 		vc->vc_hi_font_mask = 0x100;
 		if (vc->vc_can_do_color) {
 			vc->vc_complement_mask <<= 1;
@@ -2518,8 +2501,38 @@ static int fbcon_do_set_font(struct vc_data *vc, int w, int h,
 			} else
 				vc->vc_video_erase_char = c & ~0x100;
 		}
-
 	}
+}
+
+static int fbcon_do_set_font(struct vc_data *vc, int w, int h,
+			     const u8 * data, int userfont)
+{
+	struct fb_info *info = registered_fb[con2fb_map[vc->vc_num]];
+	struct fbcon_ops *ops = info->fbcon_par;
+	struct display *p = &fb_display[vc->vc_num];
+	int resize;
+	int cnt;
+	char *old_data = NULL;
+
+	if (CON_IS_VISIBLE(vc) && softback_lines)
+		fbcon_set_origin(vc);
+
+	resize = (w != vc->vc_font.width) || (h != vc->vc_font.height);
+	if (p->userfont)
+		old_data = vc->vc_font.data;
+	if (userfont)
+		cnt = FNTCHARCNT(data);
+	else
+		cnt = 256;
+	vc->vc_font.data = (void *)(p->fontdata = data);
+	if ((p->userfont = userfont))
+		REFCOUNT(data)++;
+	vc->vc_font.width = w;
+	vc->vc_font.height = h;
+	if (vc->vc_hi_font_mask && cnt == 256)
+		set_vc_hi_font(vc, false);
+	else if (!vc->vc_hi_font_mask && cnt == 512)
+		set_vc_hi_font(vc, true);
 
 	if (resize) {
 		int cols, rows;
-- 
2.12.2


* [PATCH 3.12 100/142] crypto: algif_hash - avoid zero-sized array
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (98 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 099/142] fbcon: Fix vc attr at deinit Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 101/142] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window Jiri Slaby
                   ` (43 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Jiri Slaby, Herbert Xu, David S. Miller, Arnd Bergmann

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6207119444595d287b1e9e83a2066c17209698f3 upstream.

With this reproducer:
  struct sockaddr_alg alg = {
          .salg_family = 0x26,
          .salg_type = "hash",
          .salg_feat = 0xf,
          .salg_mask = 0x5,
          .salg_name = "digest_null",
  };
  int sock, sock2;

  sock = socket(AF_ALG, SOCK_SEQPACKET, 0);
  bind(sock, (struct sockaddr *)&alg, sizeof(alg));
  sock2 = accept(sock, NULL, NULL);
  setsockopt(sock, SOL_ALG, ALG_SET_KEY, "\x9b\xca", 2);
  accept(sock2, NULL, NULL);

==== 8< ======== 8< ======== 8< ======== 8< ====

one can immediately see an UBSAN warning:
UBSAN: Undefined behaviour in crypto/algif_hash.c:187:7
variable length array bound value 0 <= 0
CPU: 0 PID: 15949 Comm: syz-executor Tainted: G            E      4.4.30-0-default #1
...
Call Trace:
...
 [<ffffffff81d598fd>] ? __ubsan_handle_vla_bound_not_positive+0x13d/0x188
 [<ffffffff81d597c0>] ? __ubsan_handle_out_of_bounds+0x1bc/0x1bc
 [<ffffffffa0e2204d>] ? hash_accept+0x5bd/0x7d0 [algif_hash]
 [<ffffffffa0e2293f>] ? hash_accept_nokey+0x3f/0x51 [algif_hash]
 [<ffffffffa0e206b0>] ? hash_accept_parent_nokey+0x4a0/0x4a0 [algif_hash]
 [<ffffffff8235c42b>] ? SyS_accept+0x2b/0x40

It is a correct warning, as hash state is propagated to accept as zero,
but creating a zero-length variable array is not allowed in C.

Fix this as proposed by Herbert -- do "?: 1" on that site. No sizeof or
similar happens in the code there, so we just allocate one byte even
though we do not use the array.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net> (maintainer:CRYPTO API)
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 crypto/algif_hash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index b351127426db..2c4df1304922 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -195,7 +195,7 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags)
 	struct alg_sock *ask = alg_sk(sk);
 	struct hash_ctx *ctx = ask->private;
 	struct ahash_request *req = &ctx->req;
-	char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req))];
+	char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req)) ? : 1];
 	struct sock *sk2;
 	struct alg_sock *ask2;
 	struct hash_ctx *ctx2;
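Review bot: "? : 1" in the bound of state[] is the GNU conditional with an
omitted middle operand and reads like a typo without context; add a comment on
the declaration saying that a statesize of 0 would otherwise produce a
zero-length VLA. The bound still comes straight from crypto_ahash_statesize()
with no upper limit in this function, so the on-stack size is whatever the
transform reports; worth confirming that value is bounded where the algorithm
is registered.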
-- 
2.12.2


* [PATCH 3.12 101/142] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (99 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 100/142] crypto: algif_hash - avoid zero-sized array Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 102/142] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder Jiri Slaby
                   ` (42 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Andy Whitcroft, Linus Torvalds, Jiri Slaby

From: Andy Whitcroft <apw@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 677e806da4d916052585301785d847c3b3e6186a upstream.

When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer.  However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents.  We do
not at this point check that the replay_window is within the allocated
memory.  This leads to out-of-bounds reads and writes triggered by
netlink packets.  This leads to memory corruption and the potential for
privilege escalation.

We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn.  It however does not check the replay_window
remains within that buffer.  Add validation of the contained
replay_window.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/xfrm/xfrm_user.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 32a2dd39b785..9a6bd448468d 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -393,6 +393,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
 	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
 		return -EINVAL;
 
+	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+		return -EINVAL;
+
 	return 0;
 }
 
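Review bot: the new bound "up->bmp_len * sizeof(__u32) * 8" is computed from
the user-supplied bmp_len, and where size_t is 32 bits the product can wrap
for a large bmp_len. The length test just above compares only the results of
xfrm_replay_state_esn_len(), not the bmp_len fields themselves, so this check
is sound only if up->bmp_len is known to match the allocated state. Comparing
up->bmp_len with replay_esn->bmp_len before this test would tie the bound to
the real buffer; 102/142 in this series adds that comparison.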
-- 
2.12.2


* [PATCH 3.12 102/142] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (100 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 101/142] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 103/142] virtio_balloon: init 1st buffer in stats vq Jiri Slaby
                   ` (41 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Andy Whitcroft, Linus Torvalds, Jiri Slaby

From: Andy Whitcroft <apw@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f843ee6dd019bcece3e74e76ad9df0155655d0df upstream.

Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
wrapping issues.  To ensure we are correctly ensuring that the two ESN
structures are the same size compare both the overall size as reported
by xfrm_replay_state_esn_len() and the internal length are the same.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/xfrm/xfrm_user.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 9a6bd448468d..52fe9a77a1b1 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -390,7 +390,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
 	up = nla_data(rp);
 	ulen = xfrm_replay_state_esn_len(up);
 
-	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+	/* Check the overall length and the internal bitmap length to avoid
+	 * potential overflow. */
+	if (nla_len(rp) < ulen ||
+	    xfrm_replay_state_esn_len(replay_esn) != ulen ||
+	    replay_esn->bmp_len != up->bmp_len)
 		return -EINVAL;
 
 	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
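Review bot: the added comment says "to avoid potential overflow" without
naming what overflows. Say that xfrm_replay_state_esn_len() can wrap, which is
why "replay_esn->bmp_len != up->bmp_len" is compared in addition to the two
computed lengths. The comment also closes with "*/" on the text line; the
multi-line comment style used under net/ puts the closing "*/" on its own
line.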
-- 
2.12.2


* [PATCH 3.12 103/142] virtio_balloon: init 1st buffer in stats vq
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (101 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 102/142] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 104/142] c6x/ptrace: Remove useless PTRACE_SETREGSET implementation Jiri Slaby
                   ` (40 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Ladi Prosek, Michael S . Tsirkin, Jiri Slaby

From: Ladi Prosek <lprosek@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit fc8653228c8588a120f6b5dad6983b7b61ff669e upstream.

When init_vqs runs, virtio_balloon.stats is either uninitialized or
contains stale values. The host updates its state with garbage data
because it has no way of knowing that this is just a marker buffer
used for signaling.

This patch updates the stats before pushing the initial buffer.

Alternative fixes:
* Push an empty buffer in init_vqs. Not easily done with the current
  virtio implementation and violates the spec "Driver MUST supply the
  same subset of statistics in all buffers submitted to the statsq".
* Push a buffer with invalid tags in init_vqs. Violates the same
  spec clause, plus "invalid tag" is not really defined.

Note: the spec says:
	When using the legacy interface, the device SHOULD ignore all values in
	the first buffer in the statsq supplied by the driver after device
	initialization. Note: Historically, drivers supplied an uninitialized
	buffer in the first buffer.

Unfortunately QEMU does not seem to implement the recommendation
even for the legacy interface.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/virtio/virtio_balloon.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
index d6fa59e447c5..0dc571a3cf65 100644
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -350,6 +350,8 @@ static int init_vqs(struct virtio_balloon *vb)
 		 * Prime this virtqueue with one buffer so the hypervisor can
 		 * use it to signal us later.
 		 */
+		update_balloon_stats(vb);
+
 		sg_init_one(&sg, vb->stats, sizeof vb->stats);
 		if (virtqueue_add_outbuf(vb->stats_vq, &sg, 1, vb, GFP_KERNEL)
 		    < 0)
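Review bot: update_balloon_stats(vb) is inserted between the "Prime this
virtqueue" comment and the sg_init_one() call that comment describes, and
nothing in the code says why stats are filled for a buffer that is only a
signalling marker. Extend the comment to state that the host reads the
contents of this first buffer, so vb->stats must hold current values rather
than uninitialized or stale memory when it is queued.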
-- 
2.12.2


* [PATCH 3.12 104/142] c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (102 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 103/142] virtio_balloon: init 1st buffer in stats vq Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 105/142] sparc/ptrace: Preserve previous registers for short regset write Jiri Slaby
                   ` (39 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dave Martin, Linus Torvalds, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit fb411b837b587a32046dc4f369acb93a10b1def8 upstream.

gpr_set won't work correctly and can never have been tested, and the
correct behaviour is not clear due to the endianness-dependent task
layout.

So, just remove it.  The core code will now return -EOPNOTSUPPORT when
trying to set NT_PRSTATUS on this architecture until/unless a correct
implementation is supplied.

Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/c6x/kernel/ptrace.c | 41 -----------------------------------------
 1 file changed, 41 deletions(-)

diff --git a/arch/c6x/kernel/ptrace.c b/arch/c6x/kernel/ptrace.c
index 3c494e84444d..a511ac16a8e3 100644
--- a/arch/c6x/kernel/ptrace.c
+++ b/arch/c6x/kernel/ptrace.c
@@ -69,46 +69,6 @@ static int gpr_get(struct task_struct *target,
 				   0, sizeof(*regs));
 }
 
-static int gpr_set(struct task_struct *target,
-		   const struct user_regset *regset,
-		   unsigned int pos, unsigned int count,
-		   const void *kbuf, const void __user *ubuf)
-{
-	int ret;
-	struct pt_regs *regs = task_pt_regs(target);
-
-	/* Don't copyin TSR or CSR */
-	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
-				 &regs,
-				 0, PT_TSR * sizeof(long));
-	if (ret)
-		return ret;
-
-	ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
-					PT_TSR * sizeof(long),
-					(PT_TSR + 1) * sizeof(long));
-	if (ret)
-		return ret;
-
-	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
-				 &regs,
-				 (PT_TSR + 1) * sizeof(long),
-				 PT_CSR * sizeof(long));
-	if (ret)
-		return ret;
-
-	ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
-					PT_CSR * sizeof(long),
-					(PT_CSR + 1) * sizeof(long));
-	if (ret)
-		return ret;
-
-	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
-				 &regs,
-				 (PT_CSR + 1) * sizeof(long), -1);
-	return ret;
-}
-
 enum c6x_regset {
 	REGSET_GPR,
 };
@@ -120,7 +80,6 @@ static const struct user_regset c6x_regsets[] = {
 		.size = sizeof(u32),
 		.align = sizeof(u32),
 		.get = gpr_get,
-		.set = gpr_set
 	},
 };
 
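Review bot: with ".set = gpr_set" removed, the c6x_regsets[] entry silently
has no setter and a later reader may take that for an omission. Leave a short
comment next to ".get = gpr_get," saying that writing this regset is
intentionally unsupported until a correct implementation exists.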
-- 
2.12.2


* [PATCH 3.12 105/142] sparc/ptrace: Preserve previous registers for short regset write
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (103 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 104/142] c6x/ptrace: Remove useless PTRACE_SETREGSET implementation Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 106/142] metag/ptrace: " Jiri Slaby
                   ` (38 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dave Martin, Linus Torvalds, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d3805c546b275c8cc7d40f759d029ae92c7175f2 upstream.

Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.

Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/sparc/kernel/ptrace_64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c
index 773c1f2983ce..89297b7c6261 100644
--- a/arch/sparc/kernel/ptrace_64.c
+++ b/arch/sparc/kernel/ptrace_64.c
@@ -310,7 +310,7 @@ static int genregs64_set(struct task_struct *target,
 	}
 
 	if (!ret) {
-		unsigned long y;
+		unsigned long y = regs->y;
 
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
 					 &y,
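Review bot: "unsigned long y = regs->y;" fixes the short-write case, but at
the declaration it looks like a redundant initialiser before a copyin into &y.
Add a comment that user_regset_copyin() may copy fewer bytes than requested
when the user buffer runs out, so y must start from the thread's current value
rather than stack contents.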
-- 
2.12.2


* [PATCH 3.12 106/142] metag/ptrace: Preserve previous registers for short regset write
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (104 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 105/142] sparc/ptrace: Preserve previous registers for short regset write Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 107/142] metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS Jiri Slaby
                   ` (37 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dave Martin, Linus Torvalds, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit a78ce80d2c9178351b34d78fec805140c29c193e upstream.

Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.

Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/metag/kernel/ptrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/metag/kernel/ptrace.c b/arch/metag/kernel/ptrace.c
index 7563628822bd..ae659ba61948 100644
--- a/arch/metag/kernel/ptrace.c
+++ b/arch/metag/kernel/ptrace.c
@@ -303,7 +303,7 @@ static int metag_tls_set(struct task_struct *target,
 			const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	void __user *tls;
+	void __user *tls = target->thread.tls_ptr;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
 	if (ret)
-- 
2.12.2


* [PATCH 3.12 107/142] metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (105 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 106/142] metag/ptrace: " Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 108/142] metag/ptrace: Reject partial NT_METAG_RPIPE writes Jiri Slaby
                   ` (36 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dave Martin, Linus Torvalds, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5fe81fe98123ce41265c65e95d34418d30d005d1 upstream.

Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill TXSTATUS, a well-defined default value is used, based on the
task's current value.

Suggested-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/metag/kernel/ptrace.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/arch/metag/kernel/ptrace.c b/arch/metag/kernel/ptrace.c
index ae659ba61948..2e4dfc15abd3 100644
--- a/arch/metag/kernel/ptrace.c
+++ b/arch/metag/kernel/ptrace.c
@@ -24,6 +24,16 @@
  * user_regset definitions.
  */
 
+static unsigned long user_txstatus(const struct pt_regs *regs)
+{
+	unsigned long data = (unsigned long)regs->ctx.Flags;
+
+	if (regs->ctx.SaveMask & TBICTX_CBUF_BIT)
+		data |= USER_GP_REGS_STATUS_CATCH_BIT;
+
+	return data;
+}
+
 int metag_gp_regs_copyout(const struct pt_regs *regs,
 			  unsigned int pos, unsigned int count,
 			  void *kbuf, void __user *ubuf)
@@ -62,9 +72,7 @@ int metag_gp_regs_copyout(const struct pt_regs *regs,
 	if (ret)
 		goto out;
 	/* TXSTATUS */
-	data = (unsigned long)regs->ctx.Flags;
-	if (regs->ctx.SaveMask & TBICTX_CBUF_BIT)
-		data |= USER_GP_REGS_STATUS_CATCH_BIT;
+	data = user_txstatus(regs);
 	ret = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
 				  &data, 4*25, 4*26);
 	if (ret)
@@ -119,6 +127,7 @@ int metag_gp_regs_copyin(struct pt_regs *regs,
 	if (ret)
 		goto out;
 	/* TXSTATUS */
+	data = user_txstatus(regs);
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
 				 &data, 4*25, 4*26);
 	if (ret)
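Review bot: in metag_gp_regs_copyin() the line "data = user_txstatus(regs);"
sits directly before a copyin into &data and reads like a dead store. Extend
the "TXSTATUS" comment to say that it seeds the value used when the user
buffer ends before offset 4*25, so the default is not removed as cleanup
later.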
-- 
2.12.2


* [PATCH 3.12 108/142] metag/ptrace: Reject partial NT_METAG_RPIPE writes
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (106 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 107/142] metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 109/142] sched/rt: Add a missing rescheduling point Jiri Slaby
                   ` (35 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dave Martin, Linus Torvalds, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7195ee3120d878259e8d94a5d9f808116f34d5ea upstream.

It's not clear what behaviour is sensible when doing partial write of
NT_METAG_RPIPE, so just don't bother.

This patch assumes that userspace will never rely on a partial SETREGSET
in this case, since it's not clear what should happen anyway.

Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/metag/kernel/ptrace.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/metag/kernel/ptrace.c b/arch/metag/kernel/ptrace.c
index 2e4dfc15abd3..5e2dc7defd2c 100644
--- a/arch/metag/kernel/ptrace.c
+++ b/arch/metag/kernel/ptrace.c
@@ -253,6 +253,8 @@ int metag_rp_state_copyin(struct pt_regs *regs,
 	unsigned long long *ptr;
 	int ret, i;
 
+	if (count < 4*13)
+		return -EINVAL;
 	/* Read the entire pipeline before making any changes */
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
 				 &rp, 0, 4*13);
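Review bot: "if (count < 4*13)" repeats the magic size passed to
user_regset_copyin() two lines below, so the two can drift apart. Use one
named constant or sizeof(rp) for both, and put a blank line after
"return -EINVAL;" so the existing "Read the entire pipeline" comment stays
attached to the copyin rather than to the new check.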
-- 
2.12.2


* [PATCH 3.12 109/142] sched/rt: Add a missing rescheduling point
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (107 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 108/142] metag/ptrace: Reject partial NT_METAG_RPIPE writes Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 110/142] libceph: force GFP_NOIO for socket allocations Jiri Slaby
                   ` (34 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Sebastian Andrzej Siewior, Peter Zijlstra,
	Linus Torvalds, Mike Galbraith, Thomas Gleixner, Ingo Molnar,
	Jiri Slaby

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 619bd4a71874a8fd78eb6ccf9f272c5e98bcc7b7 upstream.

Since the change in commit:

  fd7a4bed1835 ("sched, rt: Convert switched_{from, to}_rt() / prio_changed_rt() to balance callbacks")

... we don't reschedule a task under certain circumstances:

Let's say task-A, SCHED_OTHER, is running on CPU0 (and it may run only on
CPU0) and holds a PI lock. This task is removed from the CPU because it
used up its time slice and another SCHED_OTHER task is running. Task-B on
CPU1 runs at RT priority and asks for the lock owned by task-A. This
results in a priority boost for task-A. Task-B goes to sleep until the
lock has been made available. Task-A is already runnable (but not active),
so it receives no wake up.

The reality now is that task-A gets on the CPU once the scheduler decides
to remove the current task despite the fact that a high priority task is
enqueued and waiting. This may take a long time.

The desired behaviour is that CPU0 immediately reschedules after the
priority boost which made task-A the task with the lowest priority.

[js] no deadline in 3.12 yet

Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: fd7a4bed1835 ("sched, rt: Convert switched_{from, to}_rt() prio_changed_rt() to balance callbacks")
Link: http://lkml.kernel.org/r/20170124144006.29821-1-bigeasy@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 kernel/sched/rt.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
index 10edf9d2a8b7..ce4ec3ae9abc 100644
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -1871,10 +1871,9 @@ static void switched_to_rt(struct rq *rq, struct task_struct *p)
 #ifdef CONFIG_SMP
 		if (rq->rt.overloaded)
 			queue_push_tasks(rq);
-#else
+#endif /* CONFIG_SMP */
 		if (p->prio < rq->curr->prio)
 			resched_task(rq->curr);
-#endif /* CONFIG_SMP */
 	}
 }
 
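Review bot: moving "#endif /* CONFIG_SMP */" above the priority test means an
SMP kernel can now both call queue_push_tasks(rq) and resched_task(rq->curr)
in the same pass through switched_to_rt(). That matches the commit message,
but the code gives no hint why the resched is needed once a push has been
queued. Add a comment above "if (p->prio < rq->curr->prio)" noting that the
task may be unable to migrate and must preempt the current task locally.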
-- 
2.12.2


* [PATCH 3.12 110/142] libceph: force GFP_NOIO for socket allocations
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (108 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 109/142] sched/rt: Add a missing rescheduling point Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 111/142] scsi: mpt3sas: fix hang on ata passthrough commands Jiri Slaby
                   ` (33 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Ilya Dryomov, Greg Kroah-Hartman

From: Ilya Dryomov <idryomov@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 633ee407b9d15a75ac9740ba9d3338815e1fcb95 upstream.

sock_alloc_inode() allocates socket+inode and socket_wq with
GFP_KERNEL, which is not allowed on the writeback path:

    Workqueue: ceph-msgr con_work [libceph]
    ffff8810871cb018 0000000000000046 0000000000000000 ffff881085d40000
    0000000000012b00 ffff881025cad428 ffff8810871cbfd8 0000000000012b00
    ffff880102fc1000 ffff881085d40000 ffff8810871cb038 ffff8810871cb148
    Call Trace:
    [<ffffffff816dd629>] schedule+0x29/0x70
    [<ffffffff816e066d>] schedule_timeout+0x1bd/0x200
    [<ffffffff81093ffc>] ? ttwu_do_wakeup+0x2c/0x120
    [<ffffffff81094266>] ? ttwu_do_activate.constprop.135+0x66/0x70
    [<ffffffff816deb5f>] wait_for_completion+0xbf/0x180
    [<ffffffff81097cd0>] ? try_to_wake_up+0x390/0x390
    [<ffffffff81086335>] flush_work+0x165/0x250
    [<ffffffff81082940>] ? worker_detach_from_pool+0xd0/0xd0
    [<ffffffffa03b65b1>] xlog_cil_force_lsn+0x81/0x200 [xfs]
    [<ffffffff816d6b42>] ? __slab_free+0xee/0x234
    [<ffffffffa03b4b1d>] _xfs_log_force_lsn+0x4d/0x2c0 [xfs]
    [<ffffffff811adc1e>] ? lookup_page_cgroup_used+0xe/0x30
    [<ffffffffa039a723>] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [<ffffffffa03b4dcf>] xfs_log_force_lsn+0x3f/0xf0 [xfs]
    [<ffffffffa039a723>] ? xfs_reclaim_inode+0xa3/0x330 [xfs]
    [<ffffffffa03a62c6>] xfs_iunpin_wait+0xc6/0x1a0 [xfs]
    [<ffffffff810aa250>] ? wake_atomic_t_function+0x40/0x40
    [<ffffffffa039a723>] xfs_reclaim_inode+0xa3/0x330 [xfs]
    [<ffffffffa039ac07>] xfs_reclaim_inodes_ag+0x257/0x3d0 [xfs]
    [<ffffffffa039bb13>] xfs_reclaim_inodes_nr+0x33/0x40 [xfs]
    [<ffffffffa03ab745>] xfs_fs_free_cached_objects+0x15/0x20 [xfs]
    [<ffffffff811c0c18>] super_cache_scan+0x178/0x180
    [<ffffffff8115912e>] shrink_slab_node+0x14e/0x340
    [<ffffffff811afc3b>] ? mem_cgroup_iter+0x16b/0x450
    [<ffffffff8115af70>] shrink_slab+0x100/0x140
    [<ffffffff8115e425>] do_try_to_free_pages+0x335/0x490
    [<ffffffff8115e7f9>] try_to_free_pages+0xb9/0x1f0
    [<ffffffff816d56e4>] ? __alloc_pages_direct_compact+0x69/0x1be
    [<ffffffff81150cba>] __alloc_pages_nodemask+0x69a/0xb40
    [<ffffffff8119743e>] alloc_pages_current+0x9e/0x110
    [<ffffffff811a0ac5>] new_slab+0x2c5/0x390
    [<ffffffff816d71c4>] __slab_alloc+0x33b/0x459
    [<ffffffff815b906d>] ? sock_alloc_inode+0x2d/0xd0
    [<ffffffff8164bda1>] ? inet_sendmsg+0x71/0xc0
    [<ffffffff815b906d>] ? sock_alloc_inode+0x2d/0xd0
    [<ffffffff811a21f2>] kmem_cache_alloc+0x1a2/0x1b0
    [<ffffffff815b906d>] sock_alloc_inode+0x2d/0xd0
    [<ffffffff811d8566>] alloc_inode+0x26/0xa0
    [<ffffffff811da04a>] new_inode_pseudo+0x1a/0x70
    [<ffffffff815b933e>] sock_alloc+0x1e/0x80
    [<ffffffff815ba855>] __sock_create+0x95/0x220
    [<ffffffff815baa04>] sock_create_kern+0x24/0x30
    [<ffffffffa04794d9>] con_work+0xef9/0x2050 [libceph]
    [<ffffffffa04aa9ec>] ? rbd_img_request_submit+0x4c/0x60 [rbd]
    [<ffffffff81084c19>] process_one_work+0x159/0x4f0
    [<ffffffff8108561b>] worker_thread+0x11b/0x530
    [<ffffffff81085500>] ? create_worker+0x1d0/0x1d0
    [<ffffffff8108b6f9>] kthread+0xc9/0xe0
    [<ffffffff8108b630>] ? flush_kthread_worker+0x90/0x90
    [<ffffffff816e1b98>] ret_from_fork+0x58/0x90
    [<ffffffff8108b630>] ? flush_kthread_worker+0x90/0x90

Use memalloc_noio_{save,restore}() to temporarily force GFP_NOIO here.

Link: http://tracker.ceph.com/issues/19309
Reported-by: Sergey Jerusalimov <wintchester@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ceph/messenger.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index ecdf164c80fe..a61159bd5b02 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -6,6 +6,7 @@
 #include <linux/inet.h>
 #include <linux/kthread.h>
 #include <linux/net.h>
+#include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/socket.h>
 #include <linux/string.h>
@@ -475,11 +476,16 @@ static int ceph_tcp_connect(struct ceph_connection *con)
 {
 	struct sockaddr_storage *paddr = &con->peer_addr.in_addr;
 	struct socket *sock;
+	unsigned int noio_flag;
 	int ret;
 
 	BUG_ON(con->sock);
+
+	/* sock_create_kern() allocates with GFP_KERNEL */
+	noio_flag = memalloc_noio_save();
 	ret = sock_create_kern(con->peer_addr.in_addr.ss_family, SOCK_STREAM,
 			       IPPROTO_TCP, &sock);
+	memalloc_noio_restore(noio_flag);
 	if (ret)
 		return ret;
 	sock->sk->sk_allocation = GFP_NOFS;
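
Review bot: the NOIO scope in ceph_tcp_connect() covers only sock_create_kern(), while the context line right after it still sets sock->sk->sk_allocation = GFP_NOFS, so allocations made later through the socket are restricted to NOFS rather than NOIO. If the writeback-path argument in the commit message applies to those allocations as well, either switch sk_allocation to GFP_NOIO or say in the new comment why NOFS is enough there. Calling memalloc_noio_restore() before the `if (ret)` check is right, since it keeps the error return inside a balanced save/restore pair.
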
-- 
2.12.2


* [PATCH 3.12 111/142] scsi: mpt3sas: fix hang on ata passthrough commands
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (109 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 110/142] libceph: force GFP_NOIO for socket allocations Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 112/142] scsi: libsas: fix ata xfer length Jiri Slaby
                   ` (32 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, James Bottomley, Martin K . Petersen, Joe Korty,
	Jiri Slaby

From: James Bottomley <James.Bottomley@HansenPartnership.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ffb58456589443ca572221fabbdef3db8483a779 upstream.

mpt3sas has a firmware failure where it can only handle one pass through
ATA command at a time.  If another comes in, contrary to the SAT
standard, it will hang until the first one completes (causing long
commands like secure erase to timeout).  The original fix was to block
the device when an ATA command came in, but this caused a regression
with

commit 669f044170d8933c3d66d231b69ea97cb8447338
Author: Bart Van Assche <bart.vanassche@sandisk.com>
Date:   Tue Nov 22 16:17:13 2016 -0800

    scsi: srp_transport: Move queuecommand() wait code to SCSI core

So fix the original fix of the secure erase timeout by properly
returning SAM_STAT_BUSY like the SAT recommends.  The original patch
also had a concurrency problem since scsih_qcmd is lockless at that
point (this is fixed by using atomic bitops to set and test the flag).

[mkp: addressed feedback wrt. test_bit and fixed whitespace]

Fixes: 18f6084a989ba1b (mpt3sas: Fix secure erase premature termination)
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Acked-by: Sreekanth Reddy <Sreekanth.Reddy@broadcom.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reported-by: Ingo Molnar <mingo@kernel.org>
Tested-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Joe Korty <joe.korty@ccur.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/scsi/mpt3sas/mpt3sas_base.h  | 12 ++++++++++++
 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 36 +++++++++++++++++++++++++-----------
 2 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.h b/drivers/scsi/mpt3sas/mpt3sas_base.h
index 0ebf5d913c80..c56ac73a8d05 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.h
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.h
@@ -219,6 +219,7 @@ struct MPT3SAS_TARGET {
  * @eedp_enable: eedp support enable bit
  * @eedp_type: 0(type_1), 1(type_2), 2(type_3)
  * @eedp_block_length: block size
+ * @ata_command_pending: SATL passthrough outstanding for device
  */
 struct MPT3SAS_DEVICE {
 	struct MPT3SAS_TARGET *sas_target;
@@ -227,6 +228,17 @@ struct MPT3SAS_DEVICE {
 	u8	configured_lun;
 	u8	block;
 	u8	tlr_snoop_check;
+	/*
+	 * Bug workaround for SATL handling: the mpt2/3sas firmware
+	 * doesn't return BUSY or TASK_SET_FULL for subsequent
+	 * commands while a SATL pass through is in operation as the
+	 * spec requires, it simply does nothing with them until the
+	 * pass through completes, causing them possibly to timeout if
+	 * the passthrough is a long executing command (like format or
+	 * secure erase).  This variable allows us to do the right
+	 * thing while a SATL command is pending.
+	 */
+	unsigned long ata_command_pending;
 };
 
 #define MPT3_CMD_NOT_USED	0x8000	/* free */
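
Review bot: the new field comment in struct MPT3SAS_DEVICE explains the firmware bug but not how the field is meant to be used: only bit 0 carries meaning, and it has to be accessed with atomic bitops because the queuecommand path is lockless. Say so next to `unsigned long ata_command_pending;` and consider a named constant for the bit index instead of the literal 0 repeated at each test_bit(), test_and_set_bit() and clear_bit() call.
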
diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index ae1db5499ca6..3d3d37e4b37c 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -3516,9 +3516,18 @@ _scsih_eedp_error_handling(struct scsi_cmnd *scmd, u16 ioc_status)
 	    SAM_STAT_CHECK_CONDITION;
 }
 
-static inline bool ata_12_16_cmd(struct scsi_cmnd *scmd)
+static int _scsih_set_satl_pending(struct scsi_cmnd *scmd, bool pending)
 {
-	return (scmd->cmnd[0] == ATA_12 || scmd->cmnd[0] == ATA_16);
+	struct MPT3SAS_DEVICE *priv = scmd->device->hostdata;
+
+	if (scmd->cmnd[0] != ATA_12 && scmd->cmnd[0] != ATA_16)
+		return 0;
+
+	if (pending)
+		return test_and_set_bit(0, &priv->ata_command_pending);
+
+	clear_bit(0, &priv->ata_command_pending);
+	return 0;
 }
 
 /**
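
Review bot: _scsih_set_satl_pending() is added without a kernel-doc block although the function that follows it has one, and its return value is easy to misread. With pending == true it returns the previous bit value from test_and_set_bit(), so non-zero means the flag was already set; for non-ATA commands and for pending == false it always returns 0. Document that contract, since the caller's `while (...)` loop depends on it.
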
@@ -3548,13 +3557,6 @@ _scsih_qcmd_lck(struct scsi_cmnd *scmd, void (*done)(struct scsi_cmnd *))
 		scsi_print_command(scmd);
 #endif
 
-	/*
-	 * Lock the device for any subsequent command until command is
-	 * done.
-	 */
-	if (ata_12_16_cmd(scmd))
-		scsi_internal_device_block(scmd->device);
-
 	scmd->scsi_done = done;
 	sas_device_priv_data = scmd->device->hostdata;
 	if (!sas_device_priv_data || !sas_device_priv_data->sas_target) {
@@ -3569,6 +3571,19 @@ _scsih_qcmd_lck(struct scsi_cmnd *scmd, void (*done)(struct scsi_cmnd *))
 		return 0;
 	}
 
+	/*
+	 * Bug work around for firmware SATL handling.  The loop
+	 * is based on atomic operations and ensures consistency
+	 * since we're lockless at this point
+	 */
+	do {
+		if (test_bit(0, &sas_device_priv_data->ata_command_pending)) {
+			scmd->result = SAM_STAT_BUSY;
+			scmd->scsi_done(scmd);
+			return 0;
+		}
+	} while (_scsih_set_satl_pending(scmd, true));
+
 	sas_target_priv_data = sas_device_priv_data->sas_target;
 
 	/* invalid device handle */
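
Review bot: the pending bit is taken here, before the "invalid device handle" check that follows in the context, so any later exit from _scsih_qcmd_lck() that completes or requeues an ATA_12/ATA_16 command without reaching _scsih_io_done() leaves the bit set, and every subsequent command to the device then gets SAM_STAT_BUSY. Either move the loop below the last early exit or call _scsih_set_satl_pending(scmd, false) on those paths. The test_bit() check also rejects non-passthrough commands while a passthrough is outstanding, which matches the firmware behaviour described in mpt3sas_base.h; a word in the comment would make that explicit.
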
@@ -4058,8 +4073,7 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply)
 	if (scmd == NULL)
 		return 1;
 
-	if (ata_12_16_cmd(scmd))
-		scsi_internal_device_unblock(scmd->device, SDEV_RUNNING);
+	_scsih_set_satl_pending(scmd, false);
 
 	mpi_request = mpt3sas_base_get_msg_frame(ioc, smid);
 
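
Review bot: _scsih_set_satl_pending(scmd, false) is called right after the scmd NULL check with no test of scmd->device->hostdata, whereas the queuecommand path only reaches the helper after checking sas_device_priv_data. The helper dereferences hostdata for ATA_12/ATA_16 commands, so if a completion can arrive after the device private data has been torn down, clear_bit() operates on a NULL-based address. Add a hostdata check in the helper or confirm that this cannot happen on the completion path.
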
-- 
2.12.2


* [PATCH 3.12 112/142] scsi: libsas: fix ata xfer length
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (110 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 111/142] scsi: mpt3sas: fix hang on ata passthrough commands Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 113/142] ALSA: seq: Fix race during FIFO resize Jiri Slaby
                   ` (31 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Garry, Martin K . Petersen, Jiri Slaby

From: John Garry <john.garry@huawei.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 9702c67c6066f583b629cf037d2056245bb7a8e6 upstream.

The total ata xfer length may not be calculated properly, in that we do
not use the proper method to get an sg element dma length.

According to the code comment, sg_dma_len() should be used after
dma_map_sg() is called.

This issue was found by turning on the SMMUv3 in front of the hisi_sas
controller in hip07. Multiple sg elements were being combined into a
single element, but the original first element length was being used as
the total xfer length.

Fixes: ff2aeb1eb64c8a4770a6 ("libata: convert to chained sg")
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/scsi/libsas/sas_ata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c
index d2895836f9fa..83e3ca703cd1 100644
--- a/drivers/scsi/libsas/sas_ata.c
+++ b/drivers/scsi/libsas/sas_ata.c
@@ -219,7 +219,7 @@ static unsigned int sas_ata_qc_issue(struct ata_queued_cmd *qc)
 		task->num_scatter = qc->n_elem;
 	} else {
 		for_each_sg(qc->sg, sg, qc->n_elem, si)
-			xfer += sg->length;
+			xfer += sg_dma_len(sg);
 
 		task->total_xfer_len = xfer;
 		task->num_scatter = si;
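
Review bot: the loop still runs to qc->n_elem and stores the final index in task->num_scatter, so the fix is only complete if n_elem is already the entry count returned by dma_map_sg() rather than the pre-mapping count. The commit message describes several sg elements being merged into one, which is exactly the case where the two counts differ; please state which count n_elem holds at this point. If it is the original count, num_scatter and the entries walked here do not match what was mapped.
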
-- 
2.12.2


* [PATCH 3.12 113/142] ALSA: seq: Fix race during FIFO resize
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (111 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 112/142] scsi: libsas: fix ata xfer length Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 114/142] ACPI: Fix incompatibility with mcount-based function graph tracing Jiri Slaby
                   ` (30 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Takashi Iwai, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 2d7d54002e396c180db0c800c1046f0a3c471597 upstream.

When a new event is queued while processing to resize the FIFO in
snd_seq_fifo_clear(), it may lead to a use-after-free, as the old pool
that is being queued gets removed.  For avoiding this race, we need to
close the pool to be deleted and sync its usage before actually
deleting it.

The issue was spotted by syzkaller.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 sound/core/seq/seq_fifo.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c
index fc2c55b18f49..490b697e83ff 100644
--- a/sound/core/seq/seq_fifo.c
+++ b/sound/core/seq/seq_fifo.c
@@ -267,6 +267,10 @@ int snd_seq_fifo_resize(struct snd_seq_fifo *f, int poolsize)
 	/* NOTE: overflow flag is not cleared */
 	spin_unlock_irqrestore(&f->lock, flags);
 
+	/* close the old pool and wait until all users are gone */
+	snd_seq_pool_mark_closing(oldpool);
+	snd_use_lock_sync(&f->use_lock);
+
 	/* release cells in old pool */
 	for (cell = oldhead; cell; cell = next) {
 		next = cell->next;
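
Review bot: snd_seq_pool_mark_closing() is not defined anywhere in this patch, so for a stable backport the tree must already carry the change that introduces it; please name that prerequisite in the commit message. On the logic, oldpool is marked closing only after f->lock has been dropped, so a caller that picked up the old pool before the swap may still be allocating from it between spin_unlock_irqrestore() and the mark. The new comment should explain why snd_use_lock_sync(&f->use_lock) is enough to cover that window.
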
-- 
2.12.2


* [PATCH 3.12 114/142] ACPI: Fix incompatibility with mcount-based function graph tracing
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (112 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 113/142] ALSA: seq: Fix race during FIFO resize Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 115/142] USB: fix linked-list corruption in rh_call_control() Jiri Slaby
                   ` (29 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Josh Poimboeuf, Rafael J . Wysocki, Jiri Slaby

From: Josh Poimboeuf <jpoimboe@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 61b79e16c68d703dde58c25d3935d67210b7d71b upstream.

Paul Menzel reported a warning:

  WARNING: CPU: 0 PID: 774 at /build/linux-ROBWaj/linux-4.9.13/kernel/trace/trace_functions_graph.c:233 ftrace_return_to_handler+0x1aa/0x1e0
  Bad frame pointer: expected f6919d98, received f6919db0
    from func acpi_pm_device_sleep_wake return to c43b6f9d

The warning means that function graph tracing is broken for the
acpi_pm_device_sleep_wake() function.  That's because the ACPI Makefile
unconditionally sets the '-Os' gcc flag to optimize for size.  That's an
issue because mcount-based function graph tracing is incompatible with
'-Os' on x86, thanks to the following gcc bug:

  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109

I have another patch pending which will ensure that mcount-based
function graph tracing is never used with CONFIG_CC_OPTIMIZE_FOR_SIZE on
x86.

But this patch is needed in addition to that one because the ACPI
Makefile overrides that config option for no apparent reason.  It has
had this flag since the beginning of git history, and there's no related
comment, so I don't know why it's there.  As far as I can tell, there's
no reason for it to be there.  The appropriate behavior is for it to
honor CONFIG_CC_OPTIMIZE_FOR_{SIZE,PERFORMANCE} like the rest of the
kernel.

Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/acpi/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile
index cdaf68b58b00..447ba3cd3f8c 100644
--- a/drivers/acpi/Makefile
+++ b/drivers/acpi/Makefile
@@ -2,7 +2,6 @@
 # Makefile for the Linux ACPI interpreter
 #
 
-ccflags-y			:= -Os
 ccflags-$(CONFIG_ACPI_DEBUG)	+= -DACPI_DEBUG_OUTPUT
 
 #
-- 
2.12.2


* [PATCH 3.12 115/142] USB: fix linked-list corruption in rh_call_control()
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (113 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 114/142] ACPI: Fix incompatibility with mcount-based function graph tracing Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 116/142] KVM: x86: clear bus pointer when destroyed Jiri Slaby
                   ` (28 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alan Stern, Jiri Slaby

From: Alan Stern <stern@rowland.harvard.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1633682053a7ee8058e10c76722b9b28e97fb73f upstream.

Using KASAN, Dmitry found a bug in the rh_call_control() routine: If
buffer allocation fails, the routine returns immediately without
unlinking its URB from the control endpoint, eventually leading to
linked-list corruption.

This patch fixes the problem by jumping to the end of the routine
(where the URB is unlinked) when an allocation failure occurs.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/core/hcd.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index 79055b3df45a..9925e4b6e2d3 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -498,8 +498,10 @@ static int rh_call_control (struct usb_hcd *hcd, struct urb *urb)
 	 */
 	tbuf_size =  max_t(u16, sizeof(struct usb_hub_descriptor), wLength);
 	tbuf = kzalloc(tbuf_size, GFP_KERNEL);
-	if (!tbuf)
-		return -ENOMEM;
+	if (!tbuf) {
+		status = -ENOMEM;
+		goto err_alloc;
+	}
 
 	bufp = tbuf;
 
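
Review bot: the allocation-failure path no longer returns -ENOMEM to the caller; it sets status and jumps to the tail, where the context comment in the next hunk says errors are returned through the urb completion. That is a behaviour change for the caller of rh_call_control() and deserves a sentence in the commit message, together with confirmation that `status` is the variable the tail hands to the completion.
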
@@ -702,6 +704,7 @@ error:
 	}
 
 	kfree(tbuf);
+ err_alloc:
 
 	/* any errors get returned through the urb completion */
 	spin_lock_irq(&hcd_root_hub_lock);
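
Review bot: the err_alloc label sits after kfree(tbuf) only to skip a call that is harmless with a NULL pointer; placing the label directly before kfree(tbuf) would give a single cleanup tail and avoid a label followed by an empty line. If the label stays where it is, a short comment saying that tbuf is NULL on this path would help the next reader.
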
-- 
2.12.2


* [PATCH 3.12 116/142] KVM: x86: clear bus pointer when destroyed
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (114 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 115/142] USB: fix linked-list corruption in rh_call_control() Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 117/142] mm, hugetlb: use pte_present() instead of pmd_present() in follow_huge_pmd() Jiri Slaby
                   ` (27 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Peter Xu, Radim Krčmář, Jiri Slaby

From: Peter Xu <peterx@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit df630b8c1e851b5e265dc2ca9c87222e342c093b upstream.

When releasing the bus, let's clear the bus pointers to mark it out. If
any further device unregister happens on this bus, we know that we're
done if we found the bus being released already.

Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 virt/kvm/kvm_main.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index e7a1166c3eb4..659556b28e83 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -587,8 +587,10 @@ static void kvm_destroy_vm(struct kvm *kvm)
 	list_del(&kvm->vm_list);
 	raw_spin_unlock(&kvm_lock);
 	kvm_free_irq_routing(kvm);
-	for (i = 0; i < KVM_NR_BUSES; i++)
+	for (i = 0; i < KVM_NR_BUSES; i++) {
 		kvm_io_bus_destroy(kvm->buses[i]);
+		kvm->buses[i] = NULL;
+	}
 	kvm_coalesced_mmio_free(kvm);
 #if defined(CONFIG_MMU_NOTIFIER) && defined(KVM_ARCH_WANT_MMU_NOTIFIER)
 	mmu_notifier_unregister(&kvm->mmu_notifier, kvm->mm);
@@ -3045,6 +3047,14 @@ int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
 	struct kvm_io_bus *new_bus, *bus;
 
 	bus = kvm->buses[bus_idx];
+
+	/*
+	 * It's possible the bus being released before hand. If so,
+	 * we're done here.
+	 */
+	if (!bus)
+		return 0;
+
 	r = -ENOENT;
 	for (i = 0; i < bus->dev_count; i++)
 		if (bus->range[i].dev == dev) {
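
Review bot: the early return reports success (0) when the bus is already gone, while a device that is simply not found on a live bus takes the `r = -ENOENT` path just below; say in the comment why a torn-down bus counts as success for the caller. The comment wording needs fixing too, for example "The bus may already have been released; if so there is nothing to unregister." Only kvm_io_bus_unregister_dev() gets a NULL check in this patch, so confirm that no other user of kvm->buses[] can run after kvm_destroy_vm() has cleared the pointers.
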
-- 
2.12.2


* [PATCH 3.12 117/142] mm, hugetlb: use pte_present() instead of pmd_present() in follow_huge_pmd()
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (115 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 116/142] KVM: x86: clear bus pointer when destroyed Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 118/142] rtc: s35390a: fix reading out alarm Jiri Slaby
                   ` (26 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Naoya Horiguchi, Hugh Dickins, Michal Hocko,
	Kirill A. Shutemov, Mike Kravetz, Christian Borntraeger,
	Gerald Schaefer, Andrew Morton, Linus Torvalds, Jiri Slaby

From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c9d398fa237882ea07167e23bcfc5e6847066518 upstream.

I found the race condition which triggers the following bug when
move_pages() and soft offline are called on a single hugetlb page
concurrently.

    Soft offlining page 0x119400 at 0x700000000000
    BUG: unable to handle kernel paging request at ffffea0011943820
    IP: follow_huge_pmd+0x143/0x190
    PGD 7ffd2067
    PUD 7ffd1067
    PMD 0
        [61163.582052] Oops: 0000 [#1] SMP
    Modules linked in: binfmt_misc ppdev virtio_balloon parport_pc pcspkr i2c_piix4 parport i2c_core acpi_cpufreq ip_tables xfs libcrc32c ata_generic pata_acpi virtio_blk 8139too crc32c_intel ata_piix serio_raw libata virtio_pci 8139cp virtio_ring virtio mii floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: cap_check]
    CPU: 0 PID: 22573 Comm: iterate_numa_mo Tainted: P           OE   4.11.0-rc2-mm1+ #2
    Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
    RIP: 0010:follow_huge_pmd+0x143/0x190
    RSP: 0018:ffffc90004bdbcd0 EFLAGS: 00010202
    RAX: 0000000465003e80 RBX: ffffea0004e34d30 RCX: 00003ffffffff000
    RDX: 0000000011943800 RSI: 0000000000080001 RDI: 0000000465003e80
    RBP: ffffc90004bdbd18 R08: 0000000000000000 R09: ffff880138d34000
    R10: ffffea0004650000 R11: 0000000000c363b0 R12: ffffea0011943800
    R13: ffff8801b8d34000 R14: ffffea0000000000 R15: 000077ff80000000
    FS:  00007fc977710740(0000) GS:ffff88007dc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffffea0011943820 CR3: 000000007a746000 CR4: 00000000001406f0
    Call Trace:
     follow_page_mask+0x270/0x550
     SYSC_move_pages+0x4ea/0x8f0
     SyS_move_pages+0xe/0x10
     do_syscall_64+0x67/0x180
     entry_SYSCALL64_slow_path+0x25/0x25
    RIP: 0033:0x7fc976e03949
    RSP: 002b:00007ffe72221d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000117
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc976e03949
    RDX: 0000000000c22390 RSI: 0000000000001400 RDI: 0000000000005827
    RBP: 00007ffe72221e00 R08: 0000000000c2c3a0 R09: 0000000000000004
    R10: 0000000000c363b0 R11: 0000000000000246 R12: 0000000000400650
    R13: 00007ffe72221ee0 R14: 0000000000000000 R15: 0000000000000000
    Code: 81 e4 ff ff 1f 00 48 21 c2 49 c1 ec 0c 48 c1 ea 0c 4c 01 e2 49 bc 00 00 00 00 00 ea ff ff 48 c1 e2 06 49 01 d4 f6 45 bc 04 74 90 <49> 8b 7c 24 20 40 f6 c7 01 75 2b 4c 89 e7 8b 47 1c 85 c0 7e 2a
    RIP: follow_huge_pmd+0x143/0x190 RSP: ffffc90004bdbcd0
    CR2: ffffea0011943820
    ---[ end trace e4f81353a2d23232 ]---
    Kernel panic - not syncing: Fatal exception
    Kernel Offset: disabled

This bug is triggered when pmd_present() returns true for non-present
hugetlb, so fixing the present check in follow_huge_pmd() prevents it.
Using pmd_present() to determine present/non-present for hugetlb is not
correct, because pmd_present() checks multiple bits (not only
_PAGE_PRESENT) for historical reasons and it can misjudge hugetlb state.

Fixes: e66f17ff7177 ("mm/hugetlb: take page table lock in follow_huge_pmd()")
Link: http://lkml.kernel.org/r/1490149898-20231-1-git-send-email-n-horiguchi@ah.jp.nec.com
Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 mm/hugetlb.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 24d50334d51c..ea69c897330e 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3512,6 +3512,7 @@ follow_huge_pmd(struct mm_struct *mm, unsigned long address,
 {
 	struct page *page = NULL;
 	spinlock_t *ptl;
+	pte_t pte;
 retry:
 	ptl = &mm->page_table_lock;
 	spin_lock(ptl);
@@ -3521,12 +3522,13 @@ retry:
 	 */
 	if (!pmd_huge(*pmd))
 		goto out;
-	if (pmd_present(*pmd)) {
+	pte = huge_ptep_get((pte_t *)pmd);
+	if (pte_present(pte)) {
 		page = pmd_page(*pmd) + ((address & ~PMD_MASK) >> PAGE_SHIFT);
 		if (flags & FOLL_GET)
 			get_page(page);
 	} else {
-		if (is_hugetlb_entry_migration(huge_ptep_get((pte_t *)pmd))) {
+		if (is_hugetlb_entry_migration(pte)) {
 			spin_unlock(ptl);
 			__migration_entry_wait(mm, (pte_t *)pmd, ptl);
 			goto retry;
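
Review bot: nothing at the changed test in follow_huge_pmd() records why pte_present() on the huge_ptep_get() value is used instead of pmd_present(*pmd), which makes it an easy target for a later cleanup that reintroduces the bug. Add a one-line comment saying that pmd_present() checks more than _PAGE_PRESENT and can report a non-present hugetlb entry as present. The page is still derived from pmd_page(*pmd) while the decision is made on the `pte` snapshot; both are read under ptl, so they should agree, but it is worth stating that in the comment as well.
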
-- 
2.12.2


* [PATCH 3.12 118/142] rtc: s35390a: fix reading out alarm
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (116 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 117/142] mm, hugetlb: use pte_present() instead of pmd_present() in follow_huge_pmd() Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 119/142] rtc: s35390a: make sure all members in the output are set Jiri Slaby
                   ` (25 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Uwe Kleine-König, Alexandre Belloni, Jiri Slaby

From: Uwe Kleine-König <uwe@kleine-koenig.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f87e904ddd8f0ef120e46045b0addeb1cc88354e upstream.

There are several issues fixed in this patch:

 - When alarm isn't enabled, set .enabled to zero instead of returning
   -EINVAL.
 - Ignore how IRQ1 is configured when determining if IRQ2 is on.
 - The three alarm registers have an enable flag which must be
   evaluated.
 - The chip always triggers when the seconds register gets 0.

Note that the rtc framework however doesn't handle the result correctly
because it doesn't check wday being initialized and so interprets an
alarm being set for 10:00 AM in three days as 10:00 AM tomorrow (or
today if that's not over yet).

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/rtc/rtc-s35390a.c | 40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
index f40afdd0e5f5..6507a01cf9ad 100644
--- a/drivers/rtc/rtc-s35390a.c
+++ b/drivers/rtc/rtc-s35390a.c
@@ -242,6 +242,8 @@ static int s35390a_set_alarm(struct i2c_client *client, struct rtc_wkalrm *alm)
 
 	if (alm->time.tm_wday != -1)
 		buf[S35390A_ALRM_BYTE_WDAY] = bin2bcd(alm->time.tm_wday) | 0x80;
+	else
+		buf[S35390A_ALRM_BYTE_WDAY] = 0;
 
 	buf[S35390A_ALRM_BYTE_HOURS] = s35390a_hr2reg(s35390a,
 			alm->time.tm_hour) | 0x80;
@@ -269,23 +271,43 @@ static int s35390a_read_alarm(struct i2c_client *client, struct rtc_wkalrm *alm)
 	if (err < 0)
 		return err;
 
-	if (bitrev8(sts) != S35390A_INT2_MODE_ALARM)
-		return -EINVAL;
+	if ((bitrev8(sts) & S35390A_INT2_MODE_MASK) != S35390A_INT2_MODE_ALARM) {
+		/*
+		 * When the alarm isn't enabled, the register to configure
+		 * the alarm time isn't accessible.
+		 */
+		alm->enabled = 0;
+		return 0;
+	} else {
+		alm->enabled = 1;
+	}
 
 	err = s35390a_get_reg(s35390a, S35390A_CMD_INT2_REG1, buf, sizeof(buf));
 	if (err < 0)
 		return err;
 
 	/* This chip returns the bits of each byte in reverse order */
-	for (i = 0; i < 3; ++i) {
+	for (i = 0; i < 3; ++i)
 		buf[i] = bitrev8(buf[i]);
-		buf[i] &= ~0x80;
-	}
 
-	alm->time.tm_wday = bcd2bin(buf[S35390A_ALRM_BYTE_WDAY]);
-	alm->time.tm_hour = s35390a_reg2hr(s35390a,
-						buf[S35390A_ALRM_BYTE_HOURS]);
-	alm->time.tm_min = bcd2bin(buf[S35390A_ALRM_BYTE_MINS]);
+	/*
+	 * B0 of the three matching registers is an enable flag. Iff it is set
+	 * the configured value is used for matching.
+	 */
+	if (buf[S35390A_ALRM_BYTE_WDAY] & 0x80)
+		alm->time.tm_wday =
+			bcd2bin(buf[S35390A_ALRM_BYTE_WDAY] & ~0x80);
+
+	if (buf[S35390A_ALRM_BYTE_HOURS] & 0x80)
+		alm->time.tm_hour =
+			s35390a_reg2hr(s35390a,
+				       buf[S35390A_ALRM_BYTE_HOURS] & ~0x80);
+
+	if (buf[S35390A_ALRM_BYTE_MINS] & 0x80)
+		alm->time.tm_min = bcd2bin(buf[S35390A_ALRM_BYTE_MINS] & ~0x80);
+
+	/* alarm triggers always at s=0 */
+	alm->time.tm_sec = 0;
 
 	dev_dbg(&client->dev, "%s: alm is mins=%d, hours=%d, wday=%d\n",
 			__func__, alm->time.tm_min, alm->time.tm_hour,
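
Review bot: when an enable flag is clear, tm_wday, tm_hour or tm_min is left with whatever the caller passed in, and the dev_dbg() at the end of the hunk prints those values as if they had been read from the chip. On its own this patch therefore depends on the caller's initialisation; either set the unmatched fields to -1 here or state the dependency on the follow-up patch in the commit message. Smaller points: the `else { alm->enabled = 1; }` branch is redundant after the `return 0;` above it, and the "B0" in the comment refers to the chip's bit numbering while the code tests 0x80 after bitrev8(), which is worth spelling out.
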
-- 
2.12.2


* [PATCH 3.12 119/142] rtc: s35390a: make sure all members in the output are set
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (117 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 118/142] rtc: s35390a: fix reading out alarm Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 120/142] rtc: s35390a: implement reset routine as suggested by the reference Jiri Slaby
                   ` (24 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Uwe Kleine-König, Jiri Slaby

From: Uwe Kleine-König <uwe@kleine-koenig.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

The rtc core calls the .read_alarm with all fields initialized to 0. As
the s35390a driver doesn't touch some fields the returned date is
interpreted as a date in January 1900. So make sure all fields are set
to -1; some of them are then overwritten with the right data depending
on the hardware state.

In mainline this is done by commit d68778b80dd7 ("rtc: initialize output
parameter for read alarm to "uninitialized"") in the core. This is
considered too dangerous for stable as it might have side effects for
other rtc drivers that might for example rely on alarm->time.tm_sec
being initialized to 0.

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/rtc/rtc-s35390a.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
index 6507a01cf9ad..47b88bbe4ce7 100644
--- a/drivers/rtc/rtc-s35390a.c
+++ b/drivers/rtc/rtc-s35390a.c
@@ -267,6 +267,20 @@ static int s35390a_read_alarm(struct i2c_client *client, struct rtc_wkalrm *alm)
 	char buf[3], sts;
 	int i, err;
 
+	/*
+	 * initialize all members to -1 to signal the core that they are not
+	 * defined by the hardware.
+	 */
+	alm->time.tm_sec = -1;
+	alm->time.tm_min = -1;
+	alm->time.tm_hour = -1;
+	alm->time.tm_mday = -1;
+	alm->time.tm_mon = -1;
+	alm->time.tm_year = -1;
+	alm->time.tm_wday = -1;
+	alm->time.tm_yday = -1;
+	alm->time.tm_isdst = -1;
+
 	err = s35390a_get_reg(s35390a, S35390A_CMD_STATUS2, &sts, sizeof(sts));
 	if (err < 0)
 		return err;
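Review bot: the comment above the nine `alm->time.tm_* = -1` assignments does not say that this is a stable-only workaround. The commit message states that mainline does the same in the rtc core via d68778b80dd7, so mention that in the comment to make clear the block can be dropped if the core change is ever backported. The assignments also run before the `s35390a_get_reg()` call, so on the early `return err` the caller gets -1 in every field instead of the zeros it passed in; worth confirming that no caller looks at the fields after an error.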
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 120/142] rtc: s35390a: implement reset routine as suggested by the reference
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (118 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 119/142] rtc: s35390a: make sure all members in the output are set Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 121/142] rtc: s35390a: improve irq handling Jiri Slaby
                   ` (23 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Uwe Kleine-König, Alexandre Belloni, Jiri Slaby

From: Uwe Kleine-König <uwe@kleine-koenig.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8e6583f1b5d1f5f129b873f1428b7e414263d847 upstream.

There were two deviations from the reference manual: you have to wait
half a second when POC is active and you might have to repeat
initialization when POC or BLD are still set after the sequence.

Note however that as POC and BLD are cleared by read the driver might
not be able to detect that a reset is necessary. I don't have a good
idea how to fix this.

Additionally report the value read from STATUS1 to the caller. This
prepares the next patch.

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/rtc/rtc-s35390a.c | 65 +++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 55 insertions(+), 10 deletions(-)

diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
index 47b88bbe4ce7..c7c1fce69635 100644
--- a/drivers/rtc/rtc-s35390a.c
+++ b/drivers/rtc/rtc-s35390a.c
@@ -15,6 +15,7 @@
 #include <linux/bitrev.h>
 #include <linux/bcd.h>
 #include <linux/slab.h>
+#include <linux/delay.h>
 
 #define S35390A_CMD_STATUS1	0
 #define S35390A_CMD_STATUS2	1
@@ -94,19 +95,63 @@ static int s35390a_get_reg(struct s35390a *s35390a, int reg, char *buf, int len)
 	return 0;
 }
 
-static int s35390a_reset(struct s35390a *s35390a)
+/*
+ * Returns <0 on error, 0 if rtc is setup fine and 1 if the chip was reset.
+ * To keep the information if an irq is pending, pass the value read from
+ * STATUS1 to the caller.
+ */
+static int s35390a_reset(struct s35390a *s35390a, char *status1)
 {
-	char buf[1];
+	char buf;
+	int ret;
+	unsigned initcount = 0;
 
-	if (s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, buf, sizeof(buf)) < 0)
-		return -EIO;
+	ret = s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, status1, 1);
+	if (ret < 0)
+		return ret;
 
-	if (!(buf[0] & (S35390A_FLAG_POC | S35390A_FLAG_BLD)))
+	if (*status1 & S35390A_FLAG_POC)
+		/*
+		 * Do not communicate for 0.5 seconds since the power-on
+		 * detection circuit is in operation.
+		 */
+		msleep(500);
+	else if (!(*status1 & S35390A_FLAG_BLD))
+		/*
+		 * If both POC and BLD are unset everything is fine.
+		 */
 		return 0;
 
-	buf[0] |= (S35390A_FLAG_RESET | S35390A_FLAG_24H);
-	buf[0] &= 0xf0;
-	return s35390a_set_reg(s35390a, S35390A_CMD_STATUS1, buf, sizeof(buf));
+	/*
+	 * At least one of POC and BLD are set, so reinitialise chip. Keeping
+	 * this information in the hardware to know later that the time isn't
+	 * valid is unfortunately not possible because POC and BLD are cleared
+	 * on read. So the reset is best done now.
+	 *
+	 * The 24H bit is kept over reset, so set it already here.
+	 */
+initialize:
+	*status1 = S35390A_FLAG_24H;
+	buf = S35390A_FLAG_RESET | S35390A_FLAG_24H;
+	ret = s35390a_set_reg(s35390a, S35390A_CMD_STATUS1, &buf, 1);
+
+	if (ret < 0)
+		return ret;
+
+	ret = s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, &buf, 1);
+	if (ret < 0)
+		return ret;
+
+	if (buf & (S35390A_FLAG_POC | S35390A_FLAG_BLD)) {
+		/* Try up to five times to reset the chip */
+		if (initcount < 5) {
+			++initcount;
+			goto initialize;
+		} else
+			return -EIO;
+	}
+
+	return 1;
 }
 
 static int s35390a_disable_test_mode(struct s35390a *s35390a)
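Review bot: on the reinitialise path `*status1 = S35390A_FLAG_24H;` overwrites the value just read from STATUS1, so the caller only receives the original register contents (which the function comment promises, to keep pending-irq information) when no reset happens. Either state in the function comment that after a return of 1 only the 24H bit is reported, or keep the first read in a local and document which bits survive. Smaller points: because `initcount < 5` is tested after the first attempt, the chip is written up to six times, not five as the comment says; the retries run back to back with no delay; and `if (initcount < 5) { ... } else return -EIO;` should have braces on both branches per kernel style.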
@@ -367,7 +412,7 @@ static int s35390a_probe(struct i2c_client *client,
 	unsigned int i;
 	struct s35390a *s35390a;
 	struct rtc_time tm;
-	char buf[1];
+	char buf[1], status1;
 
 	if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
 		err = -ENODEV;
@@ -396,7 +441,7 @@ static int s35390a_probe(struct i2c_client *client,
 		}
 	}
 
-	err = s35390a_reset(s35390a);
+	err = s35390a_reset(s35390a, &status1);
 	if (err < 0) {
 		dev_err(&client->dev, "error resetting chip\n");
 		goto exit_dummy;
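Review bot: `s35390a_reset()` now returns 1 when the chip was reinitialised, but the only check here is `if (err < 0)`, so that case is handled exactly like a clean start, and `status1` is filled in without being read anywhere in this patch. The commit message says this prepares the next patch; either say so in a comment here or move the signature change into the patch that consumes it, so this one is understandable on its own when bisecting.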
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 121/142] rtc: s35390a: improve irq handling
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (119 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 120/142] rtc: s35390a: implement reset routine as suggested by the reference Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 122/142] KVM: kvm_io_bus_unregister_dev() should never fail Jiri Slaby
                   ` (22 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Uwe Kleine-König, Alexandre Belloni, Jiri Slaby

From: Uwe Kleine-König <uwe@kleine-koenig.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3bd32722c827d00eafe8e6d5b83e9f3148ea7c7e upstream.

On some QNAP NAS devices the rtc can wake the machine. Several people
noticed that once the machine was woken this way it fails to shut down.
That's because the driver fails to acknowledge the interrupt and so it
keeps active and restarts the machine immediately after shutdown. See
https://bugs.debian.org/794266 for a bug report.

Doing this correctly requires to interpret the INT2 flag of the first read
of the STATUS1 register because this bit is cleared by read.

Note this is not maximally robust though because a pending irq isn't
detected when the STATUS1 register was already read (and so INT2 is not
set) but the irq was not disabled. But that is a hardware imposed problem
that cannot easily be fixed by software.

Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/rtc/rtc-s35390a.c | 48 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 31 insertions(+), 17 deletions(-)

diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
index c7c1fce69635..00662dd28d66 100644
--- a/drivers/rtc/rtc-s35390a.c
+++ b/drivers/rtc/rtc-s35390a.c
@@ -35,10 +35,14 @@
 #define S35390A_ALRM_BYTE_HOURS	1
 #define S35390A_ALRM_BYTE_MINS	2
 
+/* flags for STATUS1 */
 #define S35390A_FLAG_POC	0x01
 #define S35390A_FLAG_BLD	0x02
+#define S35390A_FLAG_INT2	0x04
 #define S35390A_FLAG_24H	0x40
 #define S35390A_FLAG_RESET	0x80
+
+/* flag for STATUS2 */
 #define S35390A_FLAG_TEST	0x01
 
 #define S35390A_INT2_MODE_MASK		0xF0
@@ -408,11 +412,11 @@ static struct i2c_driver s35390a_driver;
 static int s35390a_probe(struct i2c_client *client,
 			 const struct i2c_device_id *id)
 {
-	int err;
+	int err, err_reset;
 	unsigned int i;
 	struct s35390a *s35390a;
 	struct rtc_time tm;
-	char buf[1], status1;
+	char buf, status1;
 
 	if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
 		err = -ENODEV;
@@ -441,29 +445,35 @@ static int s35390a_probe(struct i2c_client *client,
 		}
 	}
 
-	err = s35390a_reset(s35390a, &status1);
-	if (err < 0) {
+	err_reset = s35390a_reset(s35390a, &status1);
+	if (err_reset < 0) {
+		err = err_reset;
 		dev_err(&client->dev, "error resetting chip\n");
 		goto exit_dummy;
 	}
 
-	err = s35390a_disable_test_mode(s35390a);
-	if (err < 0) {
-		dev_err(&client->dev, "error disabling test mode\n");
-		goto exit_dummy;
-	}
-
-	err = s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, buf, sizeof(buf));
-	if (err < 0) {
-		dev_err(&client->dev, "error checking 12/24 hour mode\n");
-		goto exit_dummy;
-	}
-	if (buf[0] & S35390A_FLAG_24H)
+	if (status1 & S35390A_FLAG_24H)
 		s35390a->twentyfourhour = 1;
 	else
 		s35390a->twentyfourhour = 0;
 
-	if (s35390a_get_datetime(client, &tm) < 0)
+	if (status1 & S35390A_FLAG_INT2) {
+		/* disable alarm (and maybe test mode) */
+		buf = 0;
+		err = s35390a_set_reg(s35390a, S35390A_CMD_STATUS2, &buf, 1);
+		if (err < 0) {
+			dev_err(&client->dev, "error disabling alarm");
+			goto exit_dummy;
+		}
+	} else {
+		err = s35390a_disable_test_mode(s35390a);
+		if (err < 0) {
+			dev_err(&client->dev, "error disabling test mode\n");
+			goto exit_dummy;
+		}
+	}
+
+	if (err_reset > 0 || s35390a_get_datetime(client, &tm) < 0)
 		dev_warn(&client->dev, "clock needs to be set\n");
 
 	device_set_wakeup_capable(&client->dev, 1);
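Review bot: `dev_err(&client->dev, "error disabling alarm");` is missing the trailing `\n` that the neighbouring messages have. In the same branch, writing `buf = 0` to STATUS2 clears the whole register rather than only the INT2 mode bits; S35390A_INT2_MODE_MASK is already defined in this file, so either mask with it or extend the comment to say that wiping the remaining STATUS2 bits is intended. The new `err_reset > 0 ||` short-circuit also skips `s35390a_get_datetime()` after a reset, which looks right but deserves a one-line comment.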
@@ -476,6 +486,10 @@ static int s35390a_probe(struct i2c_client *client,
 		err = PTR_ERR(s35390a->rtc);
 		goto exit_dummy;
 	}
+
+	if (status1 & S35390A_FLAG_INT2)
+		rtc_update_irq(s35390a->rtc, 1, RTC_AF);
+
 	return 0;
 
 exit_dummy:
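Review bot: the second `if (status1 & S35390A_FLAG_INT2)` test has no comment explaining why the alarm event is reported only here, after the `s35390a->rtc` registration check, while the alarm itself was disabled earlier in probe. A short comment would help. Also, since patch 120/142 sets `*status1` to S35390A_FLAG_24H when the chip is reinitialised, INT2 can never be seen here after a reset; please confirm that dropping a pending alarm in that case is intended.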
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 122/142] KVM: kvm_io_bus_unregister_dev() should never fail
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (120 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 121/142] rtc: s35390a: improve irq handling Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 123/142] padata: avoid race in reordering Jiri Slaby
                   ` (21 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, David Hildenbrand, Paolo Bonzini, Jiri Slaby

From: David Hildenbrand <david@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 90db10434b163e46da413d34db8d0e77404cc645 upstream.

No caller currently checks the return value of
kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
freeing their device. A stale reference will remain in the io_bus,
getting at least used again, when the iobus gets torn down on
kvm_destroy_vm() - leading to use after free errors.

There is nothing the callers could do, except retrying over and over
again.

So let's simply remove the bus altogether, print an error and make
sure no one can access this broken bus again (returning -ENOMEM on any
attempt to access it).

Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/linux/kvm_host.h |  4 ++--
 virt/kvm/eventfd.c       |  3 ++-
 virt/kvm/kvm_main.c      | 40 +++++++++++++++++++++++-----------------
 3 files changed, 27 insertions(+), 20 deletions(-)

diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index e47c7e2f4d04..16a92b104264 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -176,8 +176,8 @@ int kvm_io_bus_read_cookie(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
 			   int len, void *val, long cookie);
 int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
 			    int len, struct kvm_io_device *dev);
-int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
-			      struct kvm_io_device *dev);
+void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+			       struct kvm_io_device *dev);
 
 #ifdef CONFIG_KVM_ASYNC_PF
 struct kvm_async_pf {
diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
index abe4d6043b36..06fa6f4ba35c 100644
--- a/virt/kvm/eventfd.c
+++ b/virt/kvm/eventfd.c
@@ -799,7 +799,8 @@ kvm_deassign_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args)
 			continue;
 
 		kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev);
-		kvm->buses[bus_idx]->ioeventfd_count--;
+		if (kvm->buses[bus_idx])
+			kvm->buses[bus_idx]->ioeventfd_count--;
 		ioeventfd_release(p);
 		ret = 0;
 		break;
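Review bot: the new `if (kvm->buses[bus_idx])` guard is needed only because `kvm_io_bus_unregister_dev()` on the line above can now replace the bus with NULL when shrinking fails; without a comment it reads like a redundant check. Add a comment to that effect. The pointer is also read twice (test, then dereference); taking it into a local once would make the intent clearer.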
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 659556b28e83..96fe24ea1449 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -588,7 +588,8 @@ static void kvm_destroy_vm(struct kvm *kvm)
 	raw_spin_unlock(&kvm_lock);
 	kvm_free_irq_routing(kvm);
 	for (i = 0; i < KVM_NR_BUSES; i++) {
-		kvm_io_bus_destroy(kvm->buses[i]);
+		if (kvm->buses[i])
+			kvm_io_bus_destroy(kvm->buses[i]);
 		kvm->buses[i] = NULL;
 	}
 	kvm_coalesced_mmio_free(kvm);
@@ -2916,6 +2917,8 @@ int kvm_io_bus_write(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
 	};
 
 	bus = srcu_dereference(kvm->buses[bus_idx], &kvm->srcu);
+	if (!bus)
+		return -ENOMEM;
 	r = __kvm_io_bus_write(bus, &range, val);
 	return r < 0 ? r : 0;
 }
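Review bot: returning -ENOMEM from `kvm_io_bus_write()` when `bus` is NULL reports an allocation failure to a caller that allocated nothing. The commit message explains that this marks a bus removed after a failed shrink, but nothing in the code says so. Add a comment at the check, or put the test in a small helper so the meaning is stated once; the same applies to the identical checks in the read, read_cookie and register hunks that follow.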
@@ -2982,6 +2985,8 @@ int kvm_io_bus_read(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
 	};
 
 	bus = srcu_dereference(kvm->buses[bus_idx], &kvm->srcu);
+	if (!bus)
+		return -ENOMEM;
 	r = __kvm_io_bus_read(bus, &range, val);
 	return r < 0 ? r : 0;
 }
@@ -2999,6 +3004,8 @@ int kvm_io_bus_read_cookie(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
 	};
 
 	bus = srcu_dereference(kvm->buses[bus_idx], &kvm->srcu);
+	if (!bus)
+		return -ENOMEM;
 
 	/* First try the device referenced by cookie. */
 	if ((cookie >= 0) && (cookie < bus->dev_count) &&
@@ -3021,6 +3028,9 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
 	struct kvm_io_bus *new_bus, *bus;
 
 	bus = kvm->buses[bus_idx];
+	if (!bus)
+		return -ENOMEM;
+
 	/* exclude ioeventfd which is limited by maximum fd */
 	if (bus->dev_count - bus->ioeventfd_count > NR_IOBUS_DEVS - 1)
 		return -ENOSPC;
@@ -3040,45 +3050,41 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
 }
 
 /* Caller must hold slots_lock. */
-int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
-			      struct kvm_io_device *dev)
+void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+			       struct kvm_io_device *dev)
 {
-	int i, r;
+	int i;
 	struct kvm_io_bus *new_bus, *bus;
 
 	bus = kvm->buses[bus_idx];
-
-	/*
-	 * It's possible the bus being released before hand. If so,
-	 * we're done here.
-	 */
 	if (!bus)
-		return 0;
+		return;
 
-	r = -ENOENT;
 	for (i = 0; i < bus->dev_count; i++)
 		if (bus->range[i].dev == dev) {
-			r = 0;
 			break;
 		}
 
-	if (r)
-		return r;
+	if (i == bus->dev_count)
+		return;
 
 	new_bus = kzalloc(sizeof(*bus) + ((bus->dev_count - 1) *
 			  sizeof(struct kvm_io_range)), GFP_KERNEL);
-	if (!new_bus)
-		return -ENOMEM;
+	if (!new_bus)  {
+		pr_err("kvm: failed to shrink bus, removing it completely\n");
+		goto broken;
+	}
 
 	memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
 	new_bus->dev_count--;
 	memcpy(new_bus->range + i, bus->range + i + 1,
 	       (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
 
+broken:
 	rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
 	synchronize_srcu_expedited(&kvm->srcu);
 	kfree(bus);
-	return r;
+	return;
 }
 
 static struct notifier_block kvm_cpu_notifier = {
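Review bot: the `goto broken` path relies on `new_bus` still being NULL at the label so that `rcu_assign_pointer(kvm->buses[bus_idx], new_bus)` publishes NULL; that is easy to break in a later edit and should be spelled out in a comment at `broken:`. On that path the old `bus` is freed with `kfree(bus)` while it may still list other devices, and `kvm_destroy_vm()` now skips `kvm_io_bus_destroy()` for a NULL bus, so whatever teardown that function does for the remaining devices no longer runs; please state in a comment or the commit message who releases them. Nits: double space in `if (!new_bus)  {`, and the trailing `return;` in a void function is redundant.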
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 123/142] padata: avoid race in reordering
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (121 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 122/142] KVM: kvm_io_bus_unregister_dev() should never fail Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 124/142] ALSA: ctxfi: Fallback DMA mask to 32bit Jiri Slaby
                   ` (20 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Jason A. Donenfeld, Herbert Xu, Jiri Slaby

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit de5540d088fe97ad583cc7d396586437b32149a5 upstream.

Under extremely heavy uses of padata, crashes occur, and with list
debugging turned on, this happens instead:

[87487.298728] WARNING: CPU: 1 PID: 882 at lib/list_debug.c:33
__list_add+0xae/0x130
[87487.301868] list_add corruption. prev->next should be next
(ffffb17abfc043d0), but was ffff8dba70872c80. (prev=ffff8dba70872b00).
[87487.339011]  [<ffffffff9a53d075>] dump_stack+0x68/0xa3
[87487.342198]  [<ffffffff99e119a1>] ? console_unlock+0x281/0x6d0
[87487.345364]  [<ffffffff99d6b91f>] __warn+0xff/0x140
[87487.348513]  [<ffffffff99d6b9aa>] warn_slowpath_fmt+0x4a/0x50
[87487.351659]  [<ffffffff9a58b5de>] __list_add+0xae/0x130
[87487.354772]  [<ffffffff9add5094>] ? _raw_spin_lock+0x64/0x70
[87487.357915]  [<ffffffff99eefd66>] padata_reorder+0x1e6/0x420
[87487.361084]  [<ffffffff99ef0055>] padata_do_serial+0xa5/0x120

padata_reorder calls list_add_tail with the list to which it's adding
locked, which seems correct:

spin_lock(&squeue->serial.lock);
list_add_tail(&padata->list, &squeue->serial.list);
spin_unlock(&squeue->serial.lock);

This therefore leaves only one place where such inconsistency could occur:
if padata->list is added at the same time on two different threads.
This pdata pointer comes from the function call to
padata_get_next(pd), which has in it the following block:

next_queue = per_cpu_ptr(pd->pqueue, cpu);
padata = NULL;
reorder = &next_queue->reorder;
if (!list_empty(&reorder->list)) {
       padata = list_entry(reorder->list.next,
                           struct padata_priv, list);
       spin_lock(&reorder->lock);
       list_del_init(&padata->list);
       atomic_dec(&pd->reorder_objects);
       spin_unlock(&reorder->lock);

       pd->processed++;

       goto out;
}
out:
return padata;

I strongly suspect that the problem here is that two threads can race
on reorder list. Even though the deletion is locked, call to
list_entry is not locked, which means it's feasible that two threads
pick up the same padata object and subsequently call list_add_tail on
them at the same time. The fix is thus to hoist that lock outside of
that block.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 kernel/padata.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/padata.c b/kernel/padata.c
index 07af2c95dcfe..86473271650f 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -190,19 +190,20 @@ static struct padata_priv *padata_get_next(struct parallel_data *pd)
 
 	reorder = &next_queue->reorder;
 
+	spin_lock(&reorder->lock);
 	if (!list_empty(&reorder->list)) {
 		padata = list_entry(reorder->list.next,
 				    struct padata_priv, list);
 
-		spin_lock(&reorder->lock);
 		list_del_init(&padata->list);
 		atomic_dec(&pd->reorder_objects);
-		spin_unlock(&reorder->lock);
 
 		pd->processed++;
 
+		spin_unlock(&reorder->lock);
 		goto out;
 	}
+	spin_unlock(&reorder->lock);
 
 	if (__this_cpu_read(pd->pqueue->cpu_index) == next_queue->cpu_index) {
 		padata = ERR_PTR(-ENODATA);
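Review bot: `pd->processed++` now sits inside the `reorder->lock` critical section although it was outside before; if it is not meant to be protected by this lock, move it after the unlock so the hunk changes only what the race needs, and if it is, say so in the commit message. The lock is also released at two separate places now (before `goto out` and after the `if` block); a single unlock followed by a test of `padata` would be harder to get wrong in later edits. The commit message describes the race as suspected rather than confirmed, so it would help to state whether the list_add corruption stopped reproducing with this change.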
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 124/142] ALSA: ctxfi: Fallback DMA mask to 32bit
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (122 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 123/142] padata: avoid race in reordering Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 125/142] ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call Jiri Slaby
                   ` (19 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Takashi Iwai, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 15c75b09f8d190f89ab4db463b87d411ca349dfe upstream.

Currently ctxfi driver tries to set only the 64bit DMA mask on 64bit
architectures, and bails out if it fails.  This causes a problem on
some platforms since the 64bit DMA isn't always guaranteed.  We should
fall back to the default 32bit DMA when 64bit DMA fails.

Fixes: 6d74b86d3c0f ("ALSA: ctxfi - Allow 64bit DMA")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 sound/pci/ctxfi/cthw20k1.c | 19 ++++++-------------
 sound/pci/ctxfi/cthw20k2.c | 18 ++++++------------
 2 files changed, 12 insertions(+), 25 deletions(-)

diff --git a/sound/pci/ctxfi/cthw20k1.c b/sound/pci/ctxfi/cthw20k1.c
index 6ac40beb49da..abd0a2d0856c 100644
--- a/sound/pci/ctxfi/cthw20k1.c
+++ b/sound/pci/ctxfi/cthw20k1.c
@@ -27,12 +27,6 @@
 #include "cthw20k1.h"
 #include "ct20k1reg.h"
 
-#if BITS_PER_LONG == 32
-#define CT_XFI_DMA_MASK		DMA_BIT_MASK(32) /* 32 bit PTE */
-#else
-#define CT_XFI_DMA_MASK		DMA_BIT_MASK(64) /* 64 bit PTE */
-#endif
-
 struct hw20k1 {
 	struct hw hw;
 	spinlock_t reg_20k1_lock;
@@ -1903,19 +1897,18 @@ static int hw_card_start(struct hw *hw)
 {
 	int err;
 	struct pci_dev *pci = hw->pci;
+	const unsigned int dma_bits = BITS_PER_LONG;
 
 	err = pci_enable_device(pci);
 	if (err < 0)
 		return err;
 
 	/* Set DMA transfer mask */
-	if (pci_set_dma_mask(pci, CT_XFI_DMA_MASK) < 0 ||
-	    pci_set_consistent_dma_mask(pci, CT_XFI_DMA_MASK) < 0) {
-		printk(KERN_ERR "architecture does not support PCI "
-				"busmaster DMA with mask 0x%llx\n",
-		       CT_XFI_DMA_MASK);
-		err = -ENXIO;
-		goto error1;
+	if (dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
+		dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits));
+	} else {
+		dma_set_mask(&pci->dev, DMA_BIT_MASK(32));
+		dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(32));
 	}
 
 	if (!hw->io_base) {
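Review bot: the condition `if (dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits)))` is missing a `!` and is inverted relative to the cthw20k2.c hunk in this same patch, which tests `!dma_set_mask(...)`. dma_set_mask() returns 0 on success, so as written the `dma_bits` coherent mask is set only when the streaming mask was rejected, and the success case falls through to the 32 bit masks. Patch 125/142 in this series corrects the test, so the two must be applied together.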
diff --git a/sound/pci/ctxfi/cthw20k2.c b/sound/pci/ctxfi/cthw20k2.c
index b1438861d38a..5828a3ec58bb 100644
--- a/sound/pci/ctxfi/cthw20k2.c
+++ b/sound/pci/ctxfi/cthw20k2.c
@@ -26,12 +26,6 @@
 #include "cthw20k2.h"
 #include "ct20k2reg.h"
 
-#if BITS_PER_LONG == 32
-#define CT_XFI_DMA_MASK		DMA_BIT_MASK(32) /* 32 bit PTE */
-#else
-#define CT_XFI_DMA_MASK		DMA_BIT_MASK(64) /* 64 bit PTE */
-#endif
-
 struct hw20k2 {
 	struct hw hw;
 	/* for i2c */
@@ -2026,18 +2020,18 @@ static int hw_card_start(struct hw *hw)
 	int err = 0;
 	struct pci_dev *pci = hw->pci;
 	unsigned int gctl;
+	const unsigned int dma_bits = BITS_PER_LONG;
 
 	err = pci_enable_device(pci);
 	if (err < 0)
 		return err;
 
 	/* Set DMA transfer mask */
-	if (pci_set_dma_mask(pci, CT_XFI_DMA_MASK) < 0 ||
-	    pci_set_consistent_dma_mask(pci, CT_XFI_DMA_MASK) < 0) {
-		printk(KERN_ERR "ctxfi: architecture does not support PCI "
-		"busmaster DMA with mask 0x%llx\n", CT_XFI_DMA_MASK);
-		err = -ENXIO;
-		goto error1;
+	if (!dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
+		dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits));
+	} else {
+		dma_set_mask(&pci->dev, DMA_BIT_MASK(32));
+		dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(32));
 	}
 
 	if (!hw->io_base) {
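Review bot: none of the return values of `dma_set_coherent_mask()` or of the 32 bit fallback calls is checked, and the removed `err = -ENXIO; goto error1;` path has no replacement, so a device on which even the 32 bit mask cannot be set continues through `hw_card_start()` silently. Check the fallback result and keep the error exit for that case. The same applies to the cthw20k1.c hunk.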
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 125/142] ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (123 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 124/142] ALSA: ctxfi: Fallback DMA mask to 32bit Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 126/142] Revert "cpufreq: fix garbage kobjects on errors during suspend/resume" Jiri Slaby
                   ` (18 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Takashi Iwai, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f363a06642f28caaa78cb6446bbad90c73fe183c upstream.

In the commit [15c75b09f8d1: ALSA: ctxfi: Fallback DMA mask to 32bit],
I forgot to put "!" at dma_set_mask() call check in cthw20k1.c (while
cthw20k2.c is OK).  This patch fixes that obvious bug.

(As a side note: although the original commit was completely wrong,
 it's still working for most of machines, as it sets to 32bit DMA mask
 in the end.  So the bug severity is low.)

Fixes: 15c75b09f8d1 ("ALSA: ctxfi: Fallback DMA mask to 32bit")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 sound/pci/ctxfi/cthw20k1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/pci/ctxfi/cthw20k1.c b/sound/pci/ctxfi/cthw20k1.c
index abd0a2d0856c..7f414b05644b 100644
--- a/sound/pci/ctxfi/cthw20k1.c
+++ b/sound/pci/ctxfi/cthw20k1.c
@@ -1904,7 +1904,7 @@ static int hw_card_start(struct hw *hw)
 		return err;
 
 	/* Set DMA transfer mask */
-	if (dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
+	if (!dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
 		dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits));
 	} else {
 		dma_set_mask(&pci->dev, DMA_BIT_MASK(32));
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 126/142] Revert "cpufreq: fix garbage kobjects on errors during suspend/resume"
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (124 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 125/142] ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 127/142] cgroup: use an ordered workqueue for cgroup destruction Jiri Slaby
                   ` (17 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Rafael J. Wysocki, Jiri Slaby

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d4faadd5d5b368a7051fef374ee933ec3606713b upstream.

Commit 2167e2399dc5 (cpufreq: fix garbage kobjects on errors during
suspend/resume) breaks suspend/resume on Martin Ziegler's system
(hard lockup during resume), so revert it.

Fixes: 2167e2399dc5 (cpufreq: fix garbage kobjects on errors during suspend/resume)
References: https://bugzilla.kernel.org/show_bug.cgi?id=66751
Reported-by: Martin Ziegler <ziegler@uni-freiburg.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/cpufreq/cpufreq.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index ac6ed021f2de..776bdefb5517 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -2072,6 +2072,9 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb,
 	dev = get_cpu_device(cpu);
 	if (dev) {
 
+		if (action & CPU_TASKS_FROZEN)
+			frozen = true;
+
 		switch (action & ~CPU_TASKS_FROZEN) {
 		case CPU_ONLINE:
 			__cpufreq_add_dev(dev, NULL, frozen);
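Review bot: the restored `if (action & CPU_TASKS_FROZEN) frozen = true;` carries no comment, and the commit message says only that the reverted change caused a hard lockup on resume, not why. A short comment on why `frozen` has to follow CPU_TASKS_FROZEN before the switch would keep this from being cleaned away again.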
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 148+ messages in thread

* [PATCH 3.12 000/142] 3.12.73-stable review
@ 2017-04-10 15:33 Jiri Slaby
  2017-04-10 15:31 ` [PATCH 3.12 001/142] dm: flush queued bios when process blocks to avoid deadlock Jiri Slaby
                   ` (143 more replies)
  0 siblings, 144 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux, shuahkh, linux-kernel, Jiri Slaby

This is the start of the stable review cycle for the 3.12.73 release.
There are 142 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed Apr 12 17:33:10 CEST 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	http://kernel.org/pub/linux/kernel/people/jirislaby/stable-review/patch-3.12.73-rc1.xz
and the diffstat can be found below.

thanks,
js

===============


Adrian Hunter (1):
  mmc: sdhci: Do not disable interrupts while waiting for clock

Akinobu Mita (2):
  Input: mpr121 - handle multiple bits change of status register
  Input: mpr121 - set missing event capability

Alan Stern (2):
  USB: fix linked-list corruption in rh_call_control()
  USB: OHCI: Fix race between ED unlink and URB submission

Alex Hung (1):
  ACPI / video: skip evaluating _DOD when it does not exist

Alexander Potapenko (1):
  net: don't call strlen() on the user buffer in packet_bind_spkt()

Andi Kleen (1):
  kernek/fork.c: allocate idle task for a CPU always on its local node

Andrew Lunn (1):
  ipv4: igmp: Allow removing groups from a removed interface

Andrey Ulanov (1):
  net: unix: properly re-increment inflight counter of GC discarded
    candidates

Andy Whitcroft (2):
  xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
  xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

Anton Blanchard (1):
  scsi: lpfc: Add shutdown method for kexec

Ardinartsev Nikita (1):
  HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2

Arnaldo Carvalho de Melo (1):
  dccp: Unlock sock before calling sk_free()

Arnd Bergmann (5):
  crypto: improve gcc optimization flags for serpent and wp512
  MIPS: ip27: Disable qlge driver in defconfig
  MIPS: ip22: Fix ip28 build for modern gcc
  mtd: pmcmsp: use kstrndup instead of kmalloc+strncpy
  cpmac: remove hopeless #warning

Bjørn Mork (4):
  qmi_wwan: add Dell DW5811e
  USB: qcserial: add Sierra Wireless MC74xx/EM74xx
  USB: qcserial: add Sierra Wireless EM74xx device ID
  USB: serial: qcserial: add Dell DW5811e

Brendan McGrath (1):
  HID: i2c-hid: Add sleep between POWER ON and RESET

Brian Foster (1):
  xfs: pass total block res. as total xfs_bmapi_write() parameter

Chris J Arges (1):
  igb: Workaround for igb i210 firmware issue

Colin Ian King (1):
  HID: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL

Dan Carpenter (1):
  ACPI / resources: free memory on error in add_region_before()

Dan Streetman (1):
  xen: do not re-use pirq number cached in pci device msi msg data

Dan Williams (1):
  USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems

Darrick J. Wong (2):
  xfs: don't allow di_size with high bit set
  xfs: clear _XBF_PAGES from buffers when readahead page

Dave Martin (5):
  c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
  sparc/ptrace: Preserve previous registers for short regset write
  metag/ptrace: Preserve previous registers for short regset write
  metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
  metag/ptrace: Reject partial NT_METAG_RPIPE writes

David Hildenbrand (1):
  KVM: kvm_io_bus_unregister_dev() should never fail

David Ward (1):
  USB: qcserial: add HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module

Dmitry V. Levin (1):
  uapi: fix linux/packet_diag.h userspace compilation error

Eric Biggers (1):
  ext4: mark inode dirty after converting inline directory

Eric Dumazet (5):
  net: net_enable_timestamp() can be called from irq contexts
  tcp: fix various issues for sockets morphing to listen state
  net: properly release sk_frag.page
  ipv4: provide stronger user input validation in nl_fib_input()
  tcp: initialize icsk_ack.lrcvtime at session start time

Eric Sandeen (1):
  xfs: fix up xfs_swap_extent_forks inline extent handling

Felipe Balbi (1):
  usb: dwc3: gadget: make Set Endpoint Configuration macros safe

Florian Westphal (2):
  ipv6: avoid write to a possibly cloned skb
  netlink: remove mmapped netlink support

Guenter Roeck (2):
  usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci
    controllers
  usb: hub: Fix crash after failure to read BOS descriptor

Hannes Frederic Sowa (1):
  dccp: fix memory leak during tear-down of unsuccessful connection
    request

Hugh Dickins (1):
  cgroup: use an ordered workqueue for cgroup destruction

Ilya Dryomov (2):
  libceph: don't set weight to IN when OSD is destroyed
  libceph: force GFP_NOIO for socket allocations

James Bottomley (1):
  scsi: mpt3sas: fix hang on ata passthrough commands

Jason A. Donenfeld (1):
  padata: avoid race in reordering

Jiri Slaby (1):
  crypto: algif_hash - avoid zero-sized array

Johan Hovold (22):
  USB: serial: digi_acceleport: fix OOB data sanity check
  USB: serial: digi_acceleport: fix OOB-event processing
  USB: serial: safe_serial: fix information leak in completion handler
  USB: serial: omninet: fix reference leaks at open
  USB: iowarrior: fix NULL-deref at probe
  USB: iowarrior: fix NULL-deref in write
  USB: serial: io_ti: fix NULL-deref in interrupt callback
  USB: serial: io_ti: fix information leak in completion handler
  isdn/gigaset: fix NULL-deref at probe
  Input: iforce - validate number of endpoints before using them
  Input: ims-pcu - validate number of endpoints before using them
  Input: hanwang - validate number of endpoints before using them
  Input: yealink - validate number of endpoints before using them
  Input: cm109 - validate number of endpoints before using them
  Input: kbtab - validate number of endpoints before using them
  USB: uss720: fix NULL-deref at probe
  USB: idmouse: fix NULL-deref at probe
  USB: wusbcore: fix NULL-deref at probe
  uwb: i1480-dfu: fix NULL-deref at probe
  uwb: hwa-rc: fix NULL-deref at probe
  mmc: ushc: fix NULL-deref at probe
  USB: usbtmc: add missing endpoint sanity check

Johannes Berg (1):
  nl80211: fix dumpit error path RTNL deadlocks

John Crispin (1):
  MIPS: ralink: Cosmetic change to prom_init().

John Garry (1):
  scsi: libsas: fix ata xfer length

Jon Maxwell (1):
  dccp/tcp: fix routing redirect race

Josh Poimboeuf (1):
  ACPI: Fix incompatibility with mcount-based function graph tracing

Julian Anastasov (1):
  ipv4: mask tos for input route

Kai-Heng Feng (1):
  Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000

Keno Fischer (1):
  mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp

Ladi Prosek (1):
  virtio_balloon: init 1st buffer in stats vq

Linus Torvalds (1):
  give up on gcc ilog2() constant optimizations

Ludovic Desroches (1):
  i2c: at91: manage unexpected RXRDY flag when starting a transfer

Luis de Bethencourt (1):
  mvsas: fix misleading indentation

Maor Gottlieb (1):
  net/mlx5: Increase number of max QPs in default profile

Mathias Nyman (1):
  xhci: fix 10 second timeout on removal of PCI hotpluggable xhci
    controllers

Matthias Schiffer (1):
  vxlan: correctly validate VXLAN ID against VXLAN_N_VID

Maxime Ripard (1):
  Input: tca8418 - use the interrupt trigger from the device tree

Mikulas Patocka (1):
  dm: flush queued bios when process blocks to avoid deadlock

Naoya Horiguchi (1):
  mm, hugetlb: use pte_present() instead of pmd_present() in
    follow_huge_pmd()

Nicholas Bellinger (1):
  target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export

Oliver Neukum (1):
  ACM gadget: fix endianness in notifications

Patrik Halfar (1):
  USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3)

Paul Hüber (1):
  l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv

Peter Xu (1):
  KVM: x86: clear bus pointer when destroyed

Peter Zijlstra (4):
  locking/static_keys: Add static_key_{en,dis}able() helpers
  futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
  futex: Add missing error handling to FUTEX_REQUEUE_PI
  perf/core: Fix event inheritance on fork()

Petr Štetiar (1):
  USB: qcserial: Add support for Quectel EC20 Mini PCIe module

Pieter Hollants (1):
  USB: qcserial: Add support for Dell Wireless 5809e 4G Modem

Rafael J. Wysocki (4):
  cpufreq: Fix and clean up show_cpuinfo_cur_freq()
  Revert "cpufreq: fix garbage kobjects on errors during suspend/resume"
  ACPI / PNP: Avoid conflicting resource reservations
  ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage

Ralf Baechle (1):
  MIPS: DEC: Avoid la pseudo-instruction in delay slots

Raphael Assenat (1):
  Input: joydev - do not report stale values on first open

Richard Genoud (1):
  tty/serial: atmel: fix race condition (TX+DMA)

Rik van Riel (1):
  tracing: Add #undef to fix compile error

Roman Mashak (1):
  net sched actions: decrement module reference count after table flush.

Samuel Thibault (1):
  usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk

Sebastian Andrzej Siewior (1):
  sched/rt: Add a missing rescheduling point

Sebastian Ott (1):
  s390/pci: fix use after free in dma_init

Sumit Semwal (2):
  block: allow WRITE_SAME commands with the SG_IO ioctl
  uvcvideo: uvc_scan_fallback() for webcams with broken chain

Takashi Iwai (5):
  ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
  fbcon: Fix vc attr at deinit
  ALSA: seq: Fix race during FIFO resize
  ALSA: ctxfi: Fallback DMA mask to 32bit
  ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call

Thomas Huth (1):
  KVM: PPC: Book3S PR: Fix illegal opcode emulation

Todd Fujinaka (1):
  igb: add i211 to i210 PHY workaround

Uwe Kleine-König (4):
  rtc: s35390a: fix reading out alarm
  rtc: s35390a: make sure all members in the output are set
  rtc: s35390a: implement reset routine as suggested by the reference
  rtc: s35390a: improve irq handling

Viresh Kumar (1):
  cpufreq: move policy kobj to policy->cpu at resume

Vitaly Kuznetsov (2):
  Drivers: hv: balloon: don't crash when memory is added in non-sorted
    order
  Drivers: hv: avoid vfree() on crash

Wang, Rui Y (2):
  crypto: ghash-clmulni - Fix load failure
  crypto: cryptd - Assign statesize properly

Zhaohongjiang (1):
  cancel the setfilesize transation when io error happen

 arch/c6x/kernel/ptrace.c                   |  41 --
 arch/metag/kernel/ptrace.c                 |  19 +-
 arch/mips/configs/ip27_defconfig           |   1 -
 arch/mips/dec/int-handler.S                |  40 +-
 arch/mips/ralink/prom.c                    |   9 +-
 arch/mips/sgi-ip22/Platform                |   2 +-
 arch/powerpc/kvm/emulate.c                 |   1 -
 arch/s390/pci/pci_dma.c                    |  16 +-
 arch/sparc/kernel/ptrace_64.c              |   2 +-
 arch/x86/crypto/ghash-clmulni-intel_glue.c |  26 ++
 arch/x86/pci/xen.c                         |  23 +-
 block/scsi_ioctl.c                         |   3 +
 crypto/Makefile                            |   2 +
 crypto/algif_hash.c                        |   2 +-
 crypto/cryptd.c                            |   1 +
 drivers/acpi/Makefile                      |   1 -
 drivers/acpi/osl.c                         |   6 +-
 drivers/acpi/video.c                       |   3 +
 drivers/cpufreq/cpufreq.c                  |  17 +-
 drivers/hid/hid-ids.h                      |   3 +
 drivers/hid/hid-lg.c                       |   2 +-
 drivers/hid/i2c-hid/i2c-hid.c              |   9 +
 drivers/hid/usbhid/hid-quirks.c            |   1 +
 drivers/hv/hv.c                            |   5 +-
 drivers/hv/hv_balloon.c                    |   4 +-
 drivers/hv/hyperv_vmbus.h                  |   2 +-
 drivers/hv/vmbus_drv.c                     |   4 +-
 drivers/i2c/busses/i2c-at91.c              |  36 +-
 drivers/infiniband/hw/mlx5/main.c          |   2 +-
 drivers/input/joydev.c                     |  18 +-
 drivers/input/joystick/iforce/iforce-usb.c |   3 +
 drivers/input/keyboard/mpr121_touchkey.c   |  24 +-
 drivers/input/keyboard/tca8418_keypad.c    |   6 +-
 drivers/input/misc/cm109.c                 |   4 +
 drivers/input/misc/ims-pcu.c               |   4 +
 drivers/input/misc/yealink.c               |   4 +
 drivers/input/serio/i8042-x86ia64io.h      |   7 +
 drivers/input/tablet/hanwang.c             |   3 +
 drivers/input/tablet/kbtab.c               |   3 +
 drivers/isdn/gigaset/bas-gigaset.c         |   3 +
 drivers/md/dm.c                            |  55 +++
 drivers/media/usb/uvc/uvc_driver.c         | 118 ++++-
 drivers/mmc/host/sdhci.c                   |   4 +-
 drivers/mmc/host/ushc.c                    |   3 +
 drivers/mtd/maps/pmcmsp-flash.c            |   4 +-
 drivers/net/ethernet/intel/igb/e1000_phy.c |   4 +
 drivers/net/ethernet/ti/cpmac.c            |   2 +-
 drivers/net/usb/qmi_wwan.c                 |   2 +
 drivers/net/vxlan.c                        |   2 +-
 drivers/rtc/rtc-s35390a.c                  | 167 +++++--
 drivers/scsi/libsas/sas_ata.c              |   2 +-
 drivers/scsi/lpfc/lpfc_init.c              |   1 +
 drivers/scsi/mpt3sas/mpt3sas_base.h        |  12 +
 drivers/scsi/mpt3sas/mpt3sas_scsih.c       |  36 +-
 drivers/scsi/mvsas/mv_sas.c                |   4 +-
 drivers/target/target_core_pscsi.c         |  47 +-
 drivers/tty/serial/atmel_serial.c          |   5 +
 drivers/usb/class/usbtmc.c                 |   9 +-
 drivers/usb/core/config.c                  |  10 +
 drivers/usb/core/hcd.c                     |   7 +-
 drivers/usb/core/hub.c                     |   2 +-
 drivers/usb/core/quirks.c                  |   8 +
 drivers/usb/dwc3/gadget.h                  |  14 +-
 drivers/usb/gadget/f_acm.c                 |   4 +-
 drivers/usb/host/ohci-q.c                  |   7 +-
 drivers/usb/host/xhci-pci.c                |   1 +
 drivers/usb/host/xhci-plat.c               |   2 +
 drivers/usb/host/xhci.c                    |   6 +-
 drivers/usb/host/xhci.h                    |   1 +
 drivers/usb/misc/idmouse.c                 |   3 +
 drivers/usb/misc/iowarrior.c               |  21 +-
 drivers/usb/misc/uss720.c                  |   5 +
 drivers/usb/serial/digi_acceleport.c       |  14 +-
 drivers/usb/serial/io_ti.c                 |   8 +-
 drivers/usb/serial/omninet.c               |   6 -
 drivers/usb/serial/option.c                |  17 +-
 drivers/usb/serial/qcserial.c              |  49 ++
 drivers/usb/serial/safe_serial.c           |   5 +
 drivers/usb/wusbcore/wa-hc.c               |   3 +
 drivers/uwb/hwa-rc.c                       |   3 +
 drivers/uwb/i1480/dfu/usb.c                |   3 +
 drivers/video/console/fbcon.c              |  67 +--
 drivers/virtio/virtio_balloon.c            |   2 +
 fs/ext4/inline.c                           |   5 +-
 fs/xfs/xfs_aops.c                          |  13 +-
 fs/xfs/xfs_bmap_util.c                     |   9 +-
 fs/xfs/xfs_buf.c                           |   1 +
 fs/xfs/xfs_inode_buf.c                     |   8 +
 fs/xfs/xfs_iomap.c                         |   8 +-
 include/linux/jump_label.h                 |  16 +
 include/linux/kvm_host.h                   |   4 +-
 include/linux/log2.h                       |  13 +-
 include/linux/usb/quirks.h                 |   6 +
 include/trace/events/syscalls.h            |   1 +
 include/uapi/linux/netlink.h               |   4 +
 include/uapi/linux/netlink_diag.h          |   2 +
 include/uapi/linux/packet_diag.h           |   2 +-
 kernel/cgroup.c                            |   8 +-
 kernel/events/core.c                       |   5 +-
 kernel/fork.c                              |  15 +-
 kernel/futex.c                             |  22 +-
 kernel/padata.c                            |   5 +-
 kernel/sched/core.c                        |   6 +-
 kernel/sched/rt.c                          |   3 +-
 mm/huge_memory.c                           |  19 +-
 mm/hugetlb.c                               |   6 +-
 net/ceph/messenger.c                       |   6 +
 net/ceph/osdmap.c                          |   1 -
 net/core/dev.c                             |  35 +-
 net/core/sock.c                            |  10 +-
 net/dccp/ccids/ccid2.c                     |   1 +
 net/dccp/ipv4.c                            |   3 +-
 net/dccp/ipv6.c                            |   8 +-
 net/dccp/minisocks.c                       |   1 +
 net/ipv4/fib_frontend.c                    |   3 +-
 net/ipv4/igmp.c                            |   6 +-
 net/ipv4/route.c                           |   1 +
 net/ipv4/tcp_input.c                       |   2 +-
 net/ipv4/tcp_ipv4.c                        |  10 +-
 net/ipv4/tcp_minisocks.c                   |   1 +
 net/ipv4/tcp_timer.c                       |   6 +-
 net/ipv6/ip6_output.c                      |   7 +-
 net/ipv6/tcp_ipv6.c                        |   8 +-
 net/l2tp/l2tp_ip.c                         |   2 +-
 net/netlink/Kconfig                        |   9 -
 net/netlink/af_netlink.c                   | 726 +----------------------------
 net/netlink/af_netlink.h                   |  15 -
 net/netlink/diag.c                         |  39 --
 net/packet/af_packet.c                     |   8 +-
 net/sched/act_api.c                        |   5 +-
 net/unix/garbage.c                         |  18 +-
 net/wireless/nl80211.c                     |  52 +--
 net/xfrm/xfrm_user.c                       |   9 +-
 sound/core/seq/seq_clientmgr.c             |   1 +
 sound/core/seq/seq_fifo.c                  |   7 +
 sound/core/seq/seq_memory.c                |  17 +-
 sound/core/seq/seq_memory.h                |   1 +
 sound/pci/ctxfi/cthw20k1.c                 |  19 +-
 sound/pci/ctxfi/cthw20k2.c                 |  18 +-
 virt/kvm/eventfd.c                         |   3 +-
 virt/kvm/kvm_main.c                        |  40 +-
 141 files changed, 1144 insertions(+), 1242 deletions(-)

-- 
2.12.2


* [PATCH 3.12 127/142] cgroup: use an ordered workqueue for cgroup destruction
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (125 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 126/142] Revert "cpufreq: fix garbage kobjects on errors during suspend/resume" Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 19:30   ` Hugh Dickins
  2017-04-10 15:33 ` [PATCH 3.12 128/142] cpufreq: move policy kobj to policy->cpu at resume Jiri Slaby
                   ` (16 subsequent siblings)
  143 siblings, 1 reply; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Hugh Dickins, Tejun Heo, Jiri Slaby

From: Hugh Dickins <hughd@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ab3f5faa6255a0eb4f832675507d9e295ca7e9ba upstream.

Sometimes the cleanup after memcg hierarchy testing gets stuck in
mem_cgroup_reparent_charges(), unable to bring non-kmem usage down to 0.

There may turn out to be several causes, but a major cause is this: the
workitem to offline parent can get run before workitem to offline child;
parent's mem_cgroup_reparent_charges() circles around waiting for the
child's pages to be reparented to its lrus, but it's holding cgroup_mutex
which prevents the child from reaching its mem_cgroup_reparent_charges().

Just use an ordered workqueue for cgroup_destroy_wq.

tj: Committing as the temporary fix until the reverse dependency can
    be removed from memcg.  Comment updated accordingly.

Fixes: e5fca243abae ("cgroup: use a dedicated workqueue for cgroup destruction")
Suggested-by: Filipe Brandenburger <filbranden@google.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 kernel/cgroup.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 5d9d542c0bb5..e89f6cec01c9 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -5168,12 +5168,16 @@ static int __init cgroup_wq_init(void)
 	/*
 	 * There isn't much point in executing destruction path in
 	 * parallel.  Good chunk is serialized with cgroup_mutex anyway.
-	 * Use 1 for @max_active.
+	 *
+	 * XXX: Must be ordered to make sure parent is offlined after
+	 * children.  The ordering requirement is for memcg where a
+	 * parent's offline may wait for a child's leading to deadlock.  In
+	 * the long term, this should be fixed from memcg side.
 	 *
 	 * We would prefer to do this in cgroup_init() above, but that
 	 * is called before init_workqueues(): so leave this until after.
 	 */
-	cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1);
+	cgroup_destroy_wq = alloc_ordered_workqueue("cgroup_destroy", 0);
 	BUG_ON(!cgroup_destroy_wq);
 	return 0;
 }
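Review bot: the new XXX comment says the queue must be ordered but not why the removed "Use 1 for @max_active" was insufficient, and it leaves the queueing assumption implicit. With flags 0 the old alloc_workqueue("cgroup_destroy", 0, 1) was a per-CPU workqueue, so max_active limited concurrency per CPU and two destruction items queued from different CPUs could still run in either order. An ordered workqueue only preserves the order in which items were queued, so the comment should also state that the child's offline work is expected to be queued before the parent's; otherwise the guarantee "parent is offlined after children" does not follow from the code shown here.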
-- 
2.12.2


* [PATCH 3.12 128/142] cpufreq: move policy kobj to policy->cpu at resume
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (126 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 127/142] cgroup: use an ordered workqueue for cgroup destruction Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 129/142] ACPI / PNP: Avoid conflicting resource reservations Jiri Slaby
                   ` (15 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Viresh Kumar, Rafael J . Wysocki, Jiri Slaby

From: Viresh Kumar <viresh.kumar@linaro.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 92c14bd9477a20a83144f08c0ca25b0308bf0730 upstream.

This is only relevant to implementations with multiple clusters, where clusters
have separate clock lines but all CPUs within a cluster share it.

Consider a dual cluster platform with 2 cores per cluster. During suspend we
start hot unplugging CPUs in order 1 to 3. When CPU2 is removed, policy->kobj
would be moved to CPU3 and when CPU3 goes down we wouldn't free policy or its
kobj as we want to retain permissions/values/etc.

Now on resume, we will get CPU2 before CPU3 and will call __cpufreq_add_dev().
We will recover the old policy and update policy->cpu from 3 to 2 from
update_policy_cpu().

But the kobj is still tied to CPU3 and isn't moved to CPU2. We wouldn't create a
link for CPU2, but would try that for CPU3 while bringing it online. Which will
report errors as CPU3 already has kobj assigned to it.

This bug got introduced with commit 42f921a, which overlooked this scenario.

To fix this, let's move kobj to the new policy->cpu while bringing first CPU of a
cluster back. Also do a WARN_ON() if kobject_move failed, as we would reach here
only for the first CPU of a non-boot cluster. And we can't recover from this
situation, if kobject_move() fails.

Fixes: 42f921a6f10c (cpufreq: remove sysfs files for CPUs which failed to come back after resume)
Reported-and-tested-by: Bu Yitian <ybu@qti.qualcomm.com>
Reported-by: Saravana Kannan <skannan@codeaurora.org>
Reviewed-by: Srivatsa S. Bhat <srivatsa@mit.edu>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/cpufreq/cpufreq.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index 776bdefb5517..6237f687c5d3 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -1061,10 +1061,12 @@ static int __cpufreq_add_dev(struct device *dev, struct subsys_interface *sif,
 	 * the creation of a brand new one. So we need to perform this update
 	 * by invoking update_policy_cpu().
 	 */
-	if (frozen && cpu != policy->cpu)
+	if (frozen && cpu != policy->cpu) {
 		update_policy_cpu(policy, cpu);
-	else
+		WARN_ON(kobject_move(&policy->kobj, &dev->kobj));
+	} else {
 		policy->cpu = cpu;
+	}
 
 	policy->governor = CPUFREQ_DEFAULT_GOVERNOR;
 	cpumask_copy(policy->cpus, cpumask_of(cpu));
-- 
2.12.2


* [PATCH 3.12 129/142] ACPI / PNP: Avoid conflicting resource reservations
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (127 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 128/142] cpufreq: move policy kobj to policy->cpu at resume Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 130/142] ACPI / resources: free memory on error in add_region_before() Jiri Slaby
                   ` (14 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Rafael J. Wysocki, Jiri Slaby

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 0f1b414d190724617eb1cdd615592fa8cd9d0b50 upstream.

Commit b9a5e5e18fbf "ACPI / init: Fix the ordering of
acpi_reserve_resources()" overlooked the fact that the memory
and/or I/O regions reserved by acpi_reserve_resources() may
conflict with those reserved by the PNP "system" driver.

If that conflict actually takes place, it causes the reservations
made by the "system" driver to fail while before commit b9a5e5e18fbf
all reservations made by it and by acpi_reserve_resources() would be
successful.  In turn, that allows the resources that haven't been
reserved by the "system" driver to be used by others (e.g. PCI) which
sometimes leads to functional problems (up to and including boot
failures).

To fix that issue, introduce a common resource reservation routine,
acpi_reserve_region(), to be used by both acpi_reserve_resources()
and the "system" driver, that will track all resources reserved by
it and avoid making conflicting requests.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=99831
Link: http://marc.info/?t=143389402600001&r=1&w=2
Fixes: b9a5e5e18fbf "ACPI / init: Fix the ordering of acpi_reserve_resources()"
Reported-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/acpi/osl.c      |   6 +-
 drivers/acpi/resource.c | 160 ++++++++++++++++++++++++++++++++++++++++++++++++
 drivers/pnp/system.c    |  35 ++++++++---
 include/linux/acpi.h    |  10 +++
 4 files changed, 197 insertions(+), 14 deletions(-)

diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 72eb7aaf9e8b..5f9b5b10fbe2 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -170,11 +170,7 @@ static void __init acpi_request_region (struct acpi_generic_address *gas,
 	if (!addr || !length)
 		return;
 
-	/* Resources are never freed */
-	if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO)
-		request_region(addr, length, desc);
-	else if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
-		request_mem_region(addr, length, desc);
+	acpi_reserve_region(addr, length, gas->space_id, 0, desc);
 }
 
 static void __init acpi_reserve_resources(void)
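Review bot: the return value of acpi_reserve_region() is dropped in acpi_request_region(). The removed request_region()/request_mem_region() calls were unchecked as well, but the new helper returns a negative error and, per its kernel-doc, may have reserved only the non-overlapping parts of the range, so a failure here is now less obvious than a plain "region busy". Consider logging a warning with desc and the address range when the call returns non-zero, so a boot log shows which ACPI register block could not be fully reserved.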
diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
index 2ba8f02ced36..28314ba82320 100644
--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -26,6 +26,7 @@
 #include <linux/device.h>
 #include <linux/export.h>
 #include <linux/ioport.h>
+#include <linux/list.h>
 #include <linux/slab.h>
 
 #ifdef CONFIG_X86
@@ -538,3 +539,162 @@ int acpi_dev_get_resources(struct acpi_device *adev, struct list_head *list,
 	return c.count;
 }
 EXPORT_SYMBOL_GPL(acpi_dev_get_resources);
+
+struct reserved_region {
+	struct list_head node;
+	u64 start;
+	u64 end;
+};
+
+static LIST_HEAD(reserved_io_regions);
+static LIST_HEAD(reserved_mem_regions);
+
+static int request_range(u64 start, u64 end, u8 space_id, unsigned long flags,
+			 char *desc)
+{
+	unsigned int length = end - start + 1;
+	struct resource *res;
+
+	res = space_id == ACPI_ADR_SPACE_SYSTEM_IO ?
+		request_region(start, length, desc) :
+		request_mem_region(start, length, desc);
+	if (!res)
+		return -EIO;
+
+	res->flags &= ~flags;
+	return 0;
+}
+
+static int add_region_before(u64 start, u64 end, u8 space_id,
+			     unsigned long flags, char *desc,
+			     struct list_head *head)
+{
+	struct reserved_region *reg;
+	int error;
+
+	reg = kmalloc(sizeof(*reg), GFP_KERNEL);
+	if (!reg)
+		return -ENOMEM;
+
+	error = request_range(start, end, space_id, flags, desc);
+	if (error)
+		return error;
+
+	reg->start = start;
+	reg->end = end;
+	list_add_tail(&reg->node, head);
+	return 0;
+}
+
+/**
+ * acpi_reserve_region - Reserve an I/O or memory region as a system resource.
+ * @start: Starting address of the region.
+ * @length: Length of the region.
+ * @space_id: Identifier of address space to reserve the region from.
+ * @flags: Resource flags to clear for the region after requesting it.
+ * @desc: Region description (for messages).
+ *
+ * Reserve an I/O or memory region as a system resource to prevent others from
+ * using it.  If the new region overlaps with one of the regions (in the given
+ * address space) already reserved by this routine, only the non-overlapping
+ * parts of it will be reserved.
+ *
+ * Returned is either 0 (success) or a negative error code indicating a resource
+ * reservation problem.  It is the code of the first encountered error, but the
+ * routine doesn't abort until it has attempted to request all of the parts of
+ * the new region that don't overlap with other regions reserved previously.
+ *
+ * The resources requested by this routine are never released.
+ */
+int acpi_reserve_region(u64 start, unsigned int length, u8 space_id,
+			unsigned long flags, char *desc)
+{
+	struct list_head *regions;
+	struct reserved_region *reg;
+	u64 end = start + length - 1;
+	int ret = 0, error = 0;
+
+	if (space_id == ACPI_ADR_SPACE_SYSTEM_IO)
+		regions = &reserved_io_regions;
+	else if (space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
+		regions = &reserved_mem_regions;
+	else
+		return -EINVAL;
+
+	if (list_empty(regions))
+		return add_region_before(start, end, space_id, flags, desc, regions);
+
+	list_for_each_entry(reg, regions, node)
+		if (reg->start == end + 1) {
+			/* The new region can be prepended to this one. */
+			ret = request_range(start, end, space_id, flags, desc);
+			if (!ret)
+				reg->start = start;
+
+			return ret;
+		} else if (reg->start > end) {
+			/* No overlap.  Add the new region here and get out. */
+			return add_region_before(start, end, space_id, flags,
+						 desc, &reg->node);
+		} else if (reg->end == start - 1) {
+			goto combine;
+		} else if (reg->end >= start) {
+			goto overlap;
+		}
+
+	/* The new region goes after the last existing one. */
+	return add_region_before(start, end, space_id, flags, desc, regions);
+
+ overlap:
+	/*
+	 * The new region overlaps an existing one.
+	 *
+	 * The head part of the new region immediately preceding the existing
+	 * overlapping one can be combined with it right away.
+	 */
+	if (reg->start > start) {
+		error = request_range(start, reg->start - 1, space_id, flags, desc);
+		if (error)
+			ret = error;
+		else
+			reg->start = start;
+	}
+
+ combine:
+	/*
+	 * The new region is adjacent to an existing one.  If it extends beyond
+	 * that region all the way to the next one, it is possible to combine
+	 * all three of them.
+	 */
+	while (reg->end < end) {
+		struct reserved_region *next = NULL;
+		u64 a = reg->end + 1, b = end;
+
+		if (!list_is_last(&reg->node, regions)) {
+			next = list_next_entry(reg, node);
+			if (next->start <= end)
+				b = next->start - 1;
+		}
+		error = request_range(a, b, space_id, flags, desc);
+		if (!error) {
+			if (next && next->start == b + 1) {
+				reg->end = next->end;
+				list_del(&next->node);
+				kfree(next);
+			} else {
+				reg->end = end;
+				break;
+			}
+		} else if (next) {
+			if (!ret)
+				ret = error;
+
+			reg = next;
+		} else {
+			break;
+		}
+	}
+
+	return ret ? ret : error;
+}
+EXPORT_SYMBOL_GPL(acpi_reserve_region);
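Review bot: add_region_before() leaks reg when request_range() fails: reg is kmalloc()ed first and the "if (error) return error;" path returns without kfree(reg). Either free it on that path or call request_range() before allocating. Separately, acpi_reserve_region() computes "u64 end = start + length - 1;" without checking length, so a zero length gives end == start - 1 and the list walk then compares against a range that ends before it starts. The osl.c caller filters !length, but this is an exported symbol, so an early "if (!length) return -EINVAL;" would be safer. A style point: the list_for_each_entry() body is a multi-branch if/else chain and should be wrapped in braces.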
diff --git a/drivers/pnp/system.c b/drivers/pnp/system.c
index 49c1720df59a..515f33882ab8 100644
--- a/drivers/pnp/system.c
+++ b/drivers/pnp/system.c
@@ -7,6 +7,7 @@
  *	Bjorn Helgaas <bjorn.helgaas@hp.com>
  */
 
+#include <linux/acpi.h>
 #include <linux/pnp.h>
 #include <linux/device.h>
 #include <linux/init.h>
@@ -22,25 +23,41 @@ static const struct pnp_device_id pnp_dev_table[] = {
 	{"", 0}
 };
 
+#ifdef CONFIG_ACPI
+static bool __reserve_range(u64 start, unsigned int length, bool io, char *desc)
+{
+	u8 space_id = io ? ACPI_ADR_SPACE_SYSTEM_IO : ACPI_ADR_SPACE_SYSTEM_MEMORY;
+	return !acpi_reserve_region(start, length, space_id, IORESOURCE_BUSY, desc);
+}
+#else
+static bool __reserve_range(u64 start, unsigned int length, bool io, char *desc)
+{
+	struct resource *res;
+
+	res = io ? request_region(start, length, desc) :
+		request_mem_region(start, length, desc);
+	if (res) {
+		res->flags &= ~IORESOURCE_BUSY;
+		return true;
+	}
+	return false;
+}
+#endif
+
 static void reserve_range(struct pnp_dev *dev, struct resource *r, int port)
 {
 	char *regionid;
 	const char *pnpid = dev_name(&dev->dev);
 	resource_size_t start = r->start, end = r->end;
-	struct resource *res;
+	bool reserved;
 
 	regionid = kmalloc(16, GFP_KERNEL);
 	if (!regionid)
 		return;
 
 	snprintf(regionid, 16, "pnp %s", pnpid);
-	if (port)
-		res = request_region(start, end - start + 1, regionid);
-	else
-		res = request_mem_region(start, end - start + 1, regionid);
-	if (res)
-		res->flags &= ~IORESOURCE_BUSY;
-	else
+	reserved = __reserve_range(start, end - start + 1, !!port, regionid);
+	if (!reserved)
 		kfree(regionid);
 
 	/*
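Review bot: both variants of __reserve_range() take "unsigned int length", while reserve_range() passes "end - start + 1" computed from resource_size_t values, so a memory resource of 4 GiB or more is silently truncated where the removed code handed the full value to request_mem_region(). In the CONFIG_ACPI case the narrowing comes from the acpi_reserve_region() prototype, but the #else variant has no such constraint and could keep resource_size_t. At minimum, reject or warn about lengths that do not fit before calling the helper, so the "has been reserved" message is not printed for a range that was only partly reserved.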
@@ -49,7 +66,7 @@ static void reserve_range(struct pnp_dev *dev, struct resource *r, int port)
 	 * have double reservations.
 	 */
 	dev_info(&dev->dev, "%pR %s reserved\n", r,
-		 res ? "has been" : "could not be");
+		 reserved ? "has been" : "could not be");
 }
 
 static void reserve_resources_of_dev(struct pnp_dev *dev)
diff --git a/include/linux/acpi.h b/include/linux/acpi.h
index a5db4aeefa36..4e185d5dda03 100644
--- a/include/linux/acpi.h
+++ b/include/linux/acpi.h
@@ -283,6 +283,9 @@ int acpi_check_region(resource_size_t start, resource_size_t n,
 
 int acpi_resources_are_enforced(void);
 
+int acpi_reserve_region(u64 start, unsigned int length, u8 space_id,
+			unsigned long flags, char *desc);
+
 #ifdef CONFIG_HIBERNATION
 void __init acpi_no_s4_hw_signature(void);
 #endif
@@ -439,6 +442,13 @@ static inline int acpi_check_region(resource_size_t start, resource_size_t n,
 	return 0;
 }
 
+static inline int acpi_reserve_region(u64 start, unsigned int length,
+				      u8 space_id, unsigned long flags,
+				      char *desc)
+{
+	return -ENXIO;
+}
+
 struct acpi_table_header;
 static inline int acpi_table_parse(char *id,
 				int (*handler)(struct acpi_table_header *))
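Review bot: the inline acpi_reserve_region() stub added here returns -ENXIO, unlike the neighbouring acpi_check_region() stub which returns 0, and the only non-ACPI caller in this patch (drivers/pnp/system.c) avoids it with its own "#ifdef CONFIG_ACPI" fallback. As posted the stub has no user, and any future caller that relies on it would see every reservation fail when ACPI is disabled. Either drop the stub, or document at the declaration that callers must provide their own fallback. Also consider "const char *desc" in both the prototype and the stub, since the string is only passed through as a resource name.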
-- 
2.12.2


* [PATCH 3.12 130/142] ACPI / resources: free memory on error in add_region_before()
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (128 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 129/142] ACPI / PNP: Avoid conflicting resource reservations Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 131/142] ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage Jiri Slaby
                   ` (13 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dan Carpenter, Rafael J . Wysocki, Jiri Slaby

From: Dan Carpenter <dan.carpenter@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7bc10388ccdd79b3d20463151a1f8e7a590a775b upstream.

There is a small memory leak on error.

Fixes: 0f1b414d1907 (ACPI / PNP: Avoid conflicting resource reservations)
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/acpi/resource.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
index 28314ba82320..3760e9635aea 100644
--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -577,8 +577,10 @@ static int add_region_before(u64 start, u64 end, u8 space_id,
 		return -ENOMEM;
 
 	error = request_range(start, end, space_id, flags, desc);
-	if (error)
+	if (error) {
+		kfree(reg);
 		return error;
+	}
 
 	reg->start = start;
 	reg->end = end;
-- 
2.12.2


* [PATCH 3.12 131/142] ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (129 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 130/142] ACPI / resources: free memory on error in add_region_before() Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 132/142] USB: OHCI: Fix race between ED unlink and URB submission Jiri Slaby
                   ` (12 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Rafael J. Wysocki, Jiri Slaby

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 0294112ee3135fbd15eaa70015af8283642dd970 upstream.

This effectively reverts the following three commits:

 7bc10388ccdd ACPI / resources: free memory on error in add_region_before()
 0f1b414d1907 ACPI / PNP: Avoid conflicting resource reservations
 b9a5e5e18fbf ACPI / init: Fix the ordering of acpi_reserve_resources()

(commit b9a5e5e18fbf introduced regressions some of which, but not
all, were addressed by commit 0f1b414d1907 and commit 7bc10388ccdd
was a fixup on top of the latter) and causes ACPI fixed hardware
resources to be reserved at the fs_initcall_sync stage of system
initialization.

The story is as follows.  First, a boot regression was reported due
to an apparent resource reservation ordering change after a commit
that shouldn't lead to such changes.  Investigation led to the
conclusion that the problem happened because acpi_reserve_resources()
was executed at the device_initcall() stage of system initialization
which wasn't strictly ordered with respect to driver initialization
(and with respect to the initialization of the pcieport driver in
particular), so a random change causing the device initcalls to be
run in a different order might break things.

The response to that was to attempt to run acpi_reserve_resources()
as soon as we knew that ACPI would be in use (commit b9a5e5e18fbf).
However, that turned out to be too early, because it caused resource
reservations made by the PNP system driver to fail on at least one
system and that failure was addressed by commit 0f1b414d1907.

That fix still turned out to be insufficient, though, because
calling acpi_reserve_resources() before the fs_initcall stage of
system initialization caused a boot regression to happen on the
eCAFE EC-800-H20G/S netbook.  That meant that we only could call
acpi_reserve_resources() at the fs_initcall initialization stage
or later, but then we might just as well call it after the PNP
initialization in which case commit 0f1b414d1907 wouldn't be
necessary any more.

For this reason, the changes made by commit 0f1b414d1907 are reverted
(along with a memory leak fixup on top of that commit), the changes
made by commit b9a5e5e18fbf that went too far are reverted too and
acpi_reserve_resources() is changed into fs_initcall_sync, which
will cause it to be executed after the PNP subsystem initialization
(which is an fs_initcall) and before device initcalls (including
the pcieport driver initialization) which should avoid the initial
issue.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=100581
Link: http://marc.info/?t=143092384600002&r=1&w=2
Link: https://bugzilla.kernel.org/show_bug.cgi?id=99831
Link: http://marc.info/?t=143389402600001&r=1&w=2
Fixes: b9a5e5e18fbf "ACPI / init: Fix the ordering of acpi_reserve_resources()"
Reported-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/acpi/osl.c      |  12 +++-
 drivers/acpi/resource.c | 162 ------------------------------------------------
 drivers/pnp/system.c    |  35 +++--------
 include/linux/acpi.h    |  10 ---
 4 files changed, 18 insertions(+), 201 deletions(-)

diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c
index 5f9b5b10fbe2..0d7d265713a1 100644
--- a/drivers/acpi/osl.c
+++ b/drivers/acpi/osl.c
@@ -170,10 +170,14 @@ static void __init acpi_request_region (struct acpi_generic_address *gas,
 	if (!addr || !length)
 		return;
 
-	acpi_reserve_region(addr, length, gas->space_id, 0, desc);
+	/* Resources are never freed */
+	if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_IO)
+		request_region(addr, length, desc);
+	else if (gas->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
+		request_mem_region(addr, length, desc);
 }
 
-static void __init acpi_reserve_resources(void)
+static int __init acpi_reserve_resources(void)
 {
 	acpi_request_region(&acpi_gbl_FADT.xpm1a_event_block, acpi_gbl_FADT.pm1_event_length,
 		"ACPI PM1a_EVT_BLK");
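
Review bot: in acpi_request_region() the results of request_region() and request_mem_region() are discarded, so a reservation that fails because the range is already claimed leaves no trace. Since the function returns void, a pr_debug or pr_warn that names desc when the call returns NULL would make the ordering regressions described in the commit message easier to diagnose. A gas->space_id that is neither ACPI_ADR_SPACE_SYSTEM_IO nor ACPI_ADR_SPACE_SYSTEM_MEMORY is also skipped silently.
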
@@ -202,7 +206,10 @@ static void __init acpi_reserve_resources(void)
 	if (!(acpi_gbl_FADT.gpe1_block_length & 0x1))
 		acpi_request_region(&acpi_gbl_FADT.xgpe1_block,
 			       acpi_gbl_FADT.gpe1_block_length, "ACPI GPE1_BLK");
+
+	return 0;
 }
+fs_initcall_sync(acpi_reserve_resources);
 
 void acpi_os_printf(const char *fmt, ...)
 {
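
Review bot: the placement of fs_initcall_sync(acpi_reserve_resources) depends on an ordering constraint (after the PNP subsystem's fs_initcall, before the device initcalls) that is explained only in the commit message. A short comment directly above the fs_initcall_sync() line would record that constraint where the next person to touch the initcall level will see it. The function now returns int but always 0, so reservation failures are still not reported to the initcall machinery.
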
@@ -1763,7 +1770,6 @@ acpi_status __init acpi_os_initialize(void)
 
 acpi_status __init acpi_os_initialize1(void)
 {
-	acpi_reserve_resources();
 	kacpid_wq = alloc_workqueue("kacpid", 0, 1);
 	kacpi_notify_wq = alloc_workqueue("kacpi_notify", 0, 1);
 	kacpi_hotplug_wq = alloc_workqueue("kacpi_hotplug", 0, 1);
diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
index 3760e9635aea..2ba8f02ced36 100644
--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -26,7 +26,6 @@
 #include <linux/device.h>
 #include <linux/export.h>
 #include <linux/ioport.h>
-#include <linux/list.h>
 #include <linux/slab.h>
 
 #ifdef CONFIG_X86
@@ -539,164 +538,3 @@ int acpi_dev_get_resources(struct acpi_device *adev, struct list_head *list,
 	return c.count;
 }
 EXPORT_SYMBOL_GPL(acpi_dev_get_resources);
-
-struct reserved_region {
-	struct list_head node;
-	u64 start;
-	u64 end;
-};
-
-static LIST_HEAD(reserved_io_regions);
-static LIST_HEAD(reserved_mem_regions);
-
-static int request_range(u64 start, u64 end, u8 space_id, unsigned long flags,
-			 char *desc)
-{
-	unsigned int length = end - start + 1;
-	struct resource *res;
-
-	res = space_id == ACPI_ADR_SPACE_SYSTEM_IO ?
-		request_region(start, length, desc) :
-		request_mem_region(start, length, desc);
-	if (!res)
-		return -EIO;
-
-	res->flags &= ~flags;
-	return 0;
-}
-
-static int add_region_before(u64 start, u64 end, u8 space_id,
-			     unsigned long flags, char *desc,
-			     struct list_head *head)
-{
-	struct reserved_region *reg;
-	int error;
-
-	reg = kmalloc(sizeof(*reg), GFP_KERNEL);
-	if (!reg)
-		return -ENOMEM;
-
-	error = request_range(start, end, space_id, flags, desc);
-	if (error) {
-		kfree(reg);
-		return error;
-	}
-
-	reg->start = start;
-	reg->end = end;
-	list_add_tail(&reg->node, head);
-	return 0;
-}
-
-/**
- * acpi_reserve_region - Reserve an I/O or memory region as a system resource.
- * @start: Starting address of the region.
- * @length: Length of the region.
- * @space_id: Identifier of address space to reserve the region from.
- * @flags: Resource flags to clear for the region after requesting it.
- * @desc: Region description (for messages).
- *
- * Reserve an I/O or memory region as a system resource to prevent others from
- * using it.  If the new region overlaps with one of the regions (in the given
- * address space) already reserved by this routine, only the non-overlapping
- * parts of it will be reserved.
- *
- * Returned is either 0 (success) or a negative error code indicating a resource
- * reservation problem.  It is the code of the first encountered error, but the
- * routine doesn't abort until it has attempted to request all of the parts of
- * the new region that don't overlap with other regions reserved previously.
- *
- * The resources requested by this routine are never released.
- */
-int acpi_reserve_region(u64 start, unsigned int length, u8 space_id,
-			unsigned long flags, char *desc)
-{
-	struct list_head *regions;
-	struct reserved_region *reg;
-	u64 end = start + length - 1;
-	int ret = 0, error = 0;
-
-	if (space_id == ACPI_ADR_SPACE_SYSTEM_IO)
-		regions = &reserved_io_regions;
-	else if (space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
-		regions = &reserved_mem_regions;
-	else
-		return -EINVAL;
-
-	if (list_empty(regions))
-		return add_region_before(start, end, space_id, flags, desc, regions);
-
-	list_for_each_entry(reg, regions, node)
-		if (reg->start == end + 1) {
-			/* The new region can be prepended to this one. */
-			ret = request_range(start, end, space_id, flags, desc);
-			if (!ret)
-				reg->start = start;
-
-			return ret;
-		} else if (reg->start > end) {
-			/* No overlap.  Add the new region here and get out. */
-			return add_region_before(start, end, space_id, flags,
-						 desc, &reg->node);
-		} else if (reg->end == start - 1) {
-			goto combine;
-		} else if (reg->end >= start) {
-			goto overlap;
-		}
-
-	/* The new region goes after the last existing one. */
-	return add_region_before(start, end, space_id, flags, desc, regions);
-
- overlap:
-	/*
-	 * The new region overlaps an existing one.
-	 *
-	 * The head part of the new region immediately preceding the existing
-	 * overlapping one can be combined with it right away.
-	 */
-	if (reg->start > start) {
-		error = request_range(start, reg->start - 1, space_id, flags, desc);
-		if (error)
-			ret = error;
-		else
-			reg->start = start;
-	}
-
- combine:
-	/*
-	 * The new region is adjacent to an existing one.  If it extends beyond
-	 * that region all the way to the next one, it is possible to combine
-	 * all three of them.
-	 */
-	while (reg->end < end) {
-		struct reserved_region *next = NULL;
-		u64 a = reg->end + 1, b = end;
-
-		if (!list_is_last(&reg->node, regions)) {
-			next = list_next_entry(reg, node);
-			if (next->start <= end)
-				b = next->start - 1;
-		}
-		error = request_range(a, b, space_id, flags, desc);
-		if (!error) {
-			if (next && next->start == b + 1) {
-				reg->end = next->end;
-				list_del(&next->node);
-				kfree(next);
-			} else {
-				reg->end = end;
-				break;
-			}
-		} else if (next) {
-			if (!ret)
-				ret = error;
-
-			reg = next;
-		} else {
-			break;
-		}
-	}
-
-	return ret ? ret : error;
-}
-EXPORT_SYMBOL_GPL(acpi_reserve_region);
diff --git a/drivers/pnp/system.c b/drivers/pnp/system.c
index 515f33882ab8..49c1720df59a 100644
--- a/drivers/pnp/system.c
+++ b/drivers/pnp/system.c
@@ -7,7 +7,6 @@
  *	Bjorn Helgaas <bjorn.helgaas@hp.com>
  */
 
-#include <linux/acpi.h>
 #include <linux/pnp.h>
 #include <linux/device.h>
 #include <linux/init.h>
@@ -23,41 +22,25 @@ static const struct pnp_device_id pnp_dev_table[] = {
 	{"", 0}
 };
 
-#ifdef CONFIG_ACPI
-static bool __reserve_range(u64 start, unsigned int length, bool io, char *desc)
-{
-	u8 space_id = io ? ACPI_ADR_SPACE_SYSTEM_IO : ACPI_ADR_SPACE_SYSTEM_MEMORY;
-	return !acpi_reserve_region(start, length, space_id, IORESOURCE_BUSY, desc);
-}
-#else
-static bool __reserve_range(u64 start, unsigned int length, bool io, char *desc)
-{
-	struct resource *res;
-
-	res = io ? request_region(start, length, desc) :
-		request_mem_region(start, length, desc);
-	if (res) {
-		res->flags &= ~IORESOURCE_BUSY;
-		return true;
-	}
-	return false;
-}
-#endif
-
 static void reserve_range(struct pnp_dev *dev, struct resource *r, int port)
 {
 	char *regionid;
 	const char *pnpid = dev_name(&dev->dev);
 	resource_size_t start = r->start, end = r->end;
-	bool reserved;
+	struct resource *res;
 
 	regionid = kmalloc(16, GFP_KERNEL);
 	if (!regionid)
 		return;
 
 	snprintf(regionid, 16, "pnp %s", pnpid);
-	reserved = __reserve_range(start, end - start + 1, !!port, regionid);
-	if (!reserved)
+	if (port)
+		res = request_region(start, end - start + 1, regionid);
+	else
+		res = request_mem_region(start, end - start + 1, regionid);
+	if (res)
+		res->flags &= ~IORESOURCE_BUSY;
+	else
 		kfree(regionid);
 
 	/*
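
Review bot: in reserve_range() the length expression end - start + 1 is now written out twice, once in each branch of if (port). Computing it once before the test, or using resource_size(r), would keep the two calls in step. regionid is freed only when res is NULL, so on success the string stays referenced by the resource; a one-line comment saying so would stop it from being read as a leak.
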
@@ -66,7 +49,7 @@ static void reserve_range(struct pnp_dev *dev, struct resource *r, int port)
 	 * have double reservations.
 	 */
 	dev_info(&dev->dev, "%pR %s reserved\n", r,
-		 reserved ? "has been" : "could not be");
+		 res ? "has been" : "could not be");
 }
 
 static void reserve_resources_of_dev(struct pnp_dev *dev)
diff --git a/include/linux/acpi.h b/include/linux/acpi.h
index 4e185d5dda03..a5db4aeefa36 100644
--- a/include/linux/acpi.h
+++ b/include/linux/acpi.h
@@ -283,9 +283,6 @@ int acpi_check_region(resource_size_t start, resource_size_t n,
 
 int acpi_resources_are_enforced(void);
 
-int acpi_reserve_region(u64 start, unsigned int length, u8 space_id,
-			unsigned long flags, char *desc);
-
 #ifdef CONFIG_HIBERNATION
 void __init acpi_no_s4_hw_signature(void);
 #endif
@@ -442,13 +439,6 @@ static inline int acpi_check_region(resource_size_t start, resource_size_t n,
 	return 0;
 }
 
-static inline int acpi_reserve_region(u64 start, unsigned int length,
-				      u8 space_id, unsigned long flags,
-				      char *desc)
-{
-	return -ENXIO;
-}
-
 struct acpi_table_header;
 static inline int acpi_table_parse(char *id,
 				int (*handler)(struct acpi_table_header *))
-- 
2.12.2


* [PATCH 3.12 132/142] USB: OHCI: Fix race between ED unlink and URB submission
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (130 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 131/142] ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 133/142] i2c: at91: manage unexpected RXRDY flag when starting a transfer Jiri Slaby
                   ` (11 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alan Stern, Greg Kroah-Hartman, Jiri Slaby

From: Alan Stern <stern@rowland.harvard.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7d8021c967648accd1b78e5e1ddaad655cd2c61f upstream.

This patch fixes a bug introduced by commit 977dcfdc6031 ("USB: OHCI:
don't lose track of EDs when a controller dies").  The commit changed
ed_state from ED_UNLINK to ED_IDLE too early, before finish_urb() had
been called.  The user-visible consequence is that the driver
occasionally crashes or locks up when an URB is submitted while
another URB for the same endpoint is being unlinked.

This patch moves the ED state change later, to the right place.  The
drawback is that now we may unnecessarily execute some instructions
multiple times when a controller dies.  Since controllers dying is an
exceptional occurrence, a little wasted time won't matter.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Heiko Przybyl <lil_tux@web.de>
Tested-by: Heiko Przybyl <lil_tux@web.de>
Fixes: 977dcfdc60311e7aa571cabf6f39c36dde13339e
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/ohci-q.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/drivers/usb/host/ohci-q.c b/drivers/usb/host/ohci-q.c
index 4e9f6a45f4e4..810bfb1b7b46 100644
--- a/drivers/usb/host/ohci-q.c
+++ b/drivers/usb/host/ohci-q.c
@@ -929,10 +929,6 @@ rescan_all:
 		int			completed, modified;
 		__hc32			*prev;
 
-		/* Is this ED already invisible to the hardware? */
-		if (ed->state == ED_IDLE)
-			goto ed_idle;
-
 		/* only take off EDs that the HC isn't using, accounting for
 		 * frame counter wraps and EDs with partially retired TDs
 		 */
@@ -963,14 +959,12 @@ skip_ed:
 		}
 
 		/* ED's now officially unlinked, hc doesn't see */
-		ed->state = ED_IDLE;
 		if (quirk_zfmicro(ohci) && ed->type == PIPE_INTERRUPT)
 			ohci->eds_scheduled--;
 		ed->hwHeadP &= ~cpu_to_hc32(ohci, ED_H);
 		ed->hwNextED = 0;
 		wmb();
 		ed->hwINFO &= ~cpu_to_hc32(ohci, ED_SKIP | ED_DEQUEUE);
-ed_idle:
 
 		/* reentrancy:  if we drop the schedule lock, someone might
 		 * have modified this list.  normally it's just prepending
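
Review bot: after this hunk the comment "ED's now officially unlinked, hc doesn't see" sits above code that no longer changes ed->state, so the ED keeps its previous state through the TD scan that follows. A sentence in that comment saying the state is deliberately left alone until the td_list has been emptied would document the fix at the place where the old assignment used to be.
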
@@ -1041,6 +1035,7 @@ rescan_this:
 		if (list_empty(&ed->td_list)) {
 			*last = ed->ed_next;
 			ed->ed_next = NULL;
+			ed->state = ED_IDLE;
 		} else if (ohci->rh_state == OHCI_RH_RUNNING) {
 			*last = ed->ed_next;
 			ed->ed_next = NULL;
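
Review bot: ed->state = ED_IDLE is assigned only in the list_empty(&ed->td_list) branch. The else if (ohci->rh_state == OHCI_RH_RUNNING) branch takes the ED off the list in the same way, and the rest of that branch is outside the context shown, so it is worth confirming that the state is updated there as well. With the early "if (ed->state == ED_IDLE) goto ed_idle" check removed in the first hunk, nothing else short-circuits an ED whose state was left stale.
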
-- 
2.12.2


* [PATCH 3.12 133/142] i2c: at91: manage unexpected RXRDY flag when starting a transfer
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (131 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 132/142] USB: OHCI: Fix race between ED unlink and URB submission Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 134/142] ipv4: igmp: Allow removing groups from a removed interface Jiri Slaby
                   ` (10 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Ludovic Desroches, Wolfram Sang, Jiri Slaby

From: Ludovic Desroches <ludovic.desroches@atmel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit a9bed6b10bd117a300cceb9062003f7a2761ef99 upstream.

In some cases, we could start a new i2c transfer with the RXRDY flag
set. It is not a clean state and it leads to print annoying error
messages even if there is no real issue. The cause is only having garbage
data in the Receive Holding Register because of a weird behavior of the
RXRDY flag.

Reported-by: Peter Rosin <peda@lysator.liu.se>
Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Tested-by: Peter Rosin <peda@lysator.liu.se>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Fixes: 93563a6a71bb ("i2c: at91: fix a race condition when using the DMA controller")
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/i2c/busses/i2c-at91.c | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/drivers/i2c/busses/i2c-at91.c b/drivers/i2c/busses/i2c-at91.c
index e6f18b241255..70782d560407 100644
--- a/drivers/i2c/busses/i2c-at91.c
+++ b/drivers/i2c/busses/i2c-at91.c
@@ -272,8 +272,14 @@ error:
 
 static void at91_twi_read_next_byte(struct at91_twi_dev *dev)
 {
-	if (dev->buf_len <= 0)
+	/*
+	 * If we are in this case, it means there is garbage data in RHR, so
+	 * delete them.
+	 */
+	if (!dev->buf_len) {
+		at91_twi_read(dev, AT91_TWI_RHR);
 		return;
+	}
 
 	*dev->buf = at91_twi_read(dev, AT91_TWI_RHR) & 0xff;
 	--dev->buf_len;
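
Review bot: the guard in at91_twi_read_next_byte() changes from dev->buf_len <= 0 to !dev->buf_len, so a negative buf_len no longer returns early and falls through to the store into *dev->buf. If buf_len is a signed type, keep the <= 0 comparison for the discard path. The new comment would also read better as "so discard it", since it describes a single stale byte in RHR.
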
@@ -370,6 +376,24 @@ static irqreturn_t atmel_twi_interrupt(int irq, void *dev_id)
 
 	if (!irqstatus)
 		return IRQ_NONE;
+	/*
+	 * In reception, the behavior of the twi device (before sama5d2) is
+	 * weird. There is some magic about RXRDY flag! When a data has been
+	 * almost received, the reception of a new one is anticipated if there
+	 * is no stop command to send. That is the reason why ask for sending
+	 * the stop command not on the last data but on the second last one.
+	 *
+	 * Unfortunately, we could still have the RXRDY flag set even if the
+	 * transfer is done and we have read the last data. It might happen
+	 * when the i2c slave device sends too quickly data after receiving the
+	 * ack from the master. The data has been almost received before having
+	 * the order to send stop. In this case, sending the stop command could
+	 * cause a RXRDY interrupt with a TXCOMP one. It is better to manage
+	 * the RXRDY interrupt first in order to not keep garbage data in the
+	 * Receive Holding Register for the next transfer.
+	 */
+	if (irqstatus & AT91_TWI_RXRDY)
+		at91_twi_read_next_byte(dev);
 
 	/*
 	 * When a NACK condition is detected, the I2C controller sets the NACK,
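
Review bot: at91_twi_read_next_byte() is now called for any interrupt with AT91_TWI_RXRDY set, before the transfer direction or the NACK case is considered. With the function as changed in the previous hunk, a spurious RXRDY while buf_len is non-zero stores the byte into *dev->buf and decrements buf_len, so please confirm that RXRDY cannot appear in irqstatus during a write transfer. A blank line between "return IRQ_NONE;" and the new comment block would match the surrounding style.
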
@@ -412,8 +436,6 @@ static irqreturn_t atmel_twi_interrupt(int irq, void *dev_id)
 	if (irqstatus & (AT91_TWI_TXCOMP | AT91_TWI_NACK)) {
 		at91_disable_twi_interrupts(dev);
 		complete(&dev->cmd_complete);
-	} else if (irqstatus & AT91_TWI_RXRDY) {
-		at91_twi_read_next_byte(dev);
 	} else if (irqstatus & AT91_TWI_TXRDY) {
 		at91_twi_write_next_byte(dev);
 	}
@@ -428,7 +450,6 @@ static int at91_do_twi_transfer(struct at91_twi_dev *dev)
 {
 	int ret;
 	bool has_unre_flag = dev->pdata->has_unre_flag;
-	unsigned sr;
 
 	/*
 	 * WARNING: the TXCOMP bit in the Status Register is NOT a clear on
@@ -465,7 +486,7 @@ static int at91_do_twi_transfer(struct at91_twi_dev *dev)
 	dev->transfer_status = 0;
 
 	/* Clear pending interrupts, such as NACK. */
-	sr = at91_twi_read(dev, AT91_TWI_SR);
+	at91_twi_read(dev, AT91_TWI_SR);
 
 	if (!dev->buf_len) {
 		at91_twi_write(dev, AT91_TWI_CR, AT91_TWI_QUICK);
@@ -473,11 +494,6 @@ static int at91_do_twi_transfer(struct at91_twi_dev *dev)
 	} else if (dev->msg->flags & I2C_M_RD) {
 		unsigned start_flags = AT91_TWI_START;
 
-		if (sr & AT91_TWI_RXRDY) {
-			dev_err(dev->dev, "RXRDY still set!");
-			at91_twi_read(dev, AT91_TWI_RHR);
-		}
-
 		/* if only one byte is to be read, immediately stop transfer */
 		if (dev->buf_len <= 1 && !(dev->msg->flags & I2C_M_RECV_LEN))
 			start_flags |= AT91_TWI_STOP;
-- 
2.12.2


* [PATCH 3.12 134/142] ipv4: igmp: Allow removing groups from a removed interface
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (132 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 133/142] i2c: at91: manage unexpected RXRDY flag when starting a transfer Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 135/142] HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2 Jiri Slaby
                   ` (9 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Andrew Lunn, David S . Miller, Jiri Slaby

From: Andrew Lunn <andrew@lunn.ch>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 4eba7bb1d72d9bde67d810d09bf62dc207b63c5c upstream.

When a multicast group is joined on a socket, a struct ip_mc_socklist
is appended to the sockets mc_list containing information about the
joined group.

If the interface is hot unplugged, this entry becomes stale. Prior to
commit 52ad353a5344f ("igmp: fix the problem when mc leave group") it
was possible to remove the stale entry by performing a
IP_DROP_MEMBERSHIP, passing either the old ifindex or ip address on
the interface. However, this fix enforces that the interface must
still exist. Thus with time, the number of stale entries grows, until
sysctl_igmp_max_memberships is reached and then it is not possible to
join any more groups.

The previous patch fixes an issue where a IP_DROP_MEMBERSHIP is
performed without specifying the interface, either by ifindex or ip
address. However here we do supply one of these. So loosen the
restriction on device existence to only apply when the interface has
not been specified. This then restores the ability to clean up the
stale entries.

Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Fixes: 52ad353a5344f "(igmp: fix the problem when mc leave group")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/ipv4/igmp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 38ab073783e2..7256628c77dc 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1955,7 +1955,7 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
 
 	rtnl_lock();
 	in_dev = ip_mc_find_dev(net, imr);
-	if (!in_dev) {
+	if (!imr->imr_ifindex && !imr->imr_address.s_addr && !in_dev) {
 		ret = -ENODEV;
 		goto out;
 	}
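
Review bot: with the test relaxed to "!imr->imr_ifindex && !imr->imr_address.s_addr && !in_dev", in_dev can be NULL for the rest of ip_mc_leave_group() whenever the caller named an interface that no longer exists. The ip_mc_dec_group() call is guarded in the next hunk, but the lines between the two hunks are not shown, so any other use of in_dev there needs the same check. Putting !in_dev first in the condition would also make the intent easier to read.
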
@@ -1976,8 +1976,10 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
 
 		*imlp = iml->next_rcu;
 
-		ip_mc_dec_group(in_dev, group);
+		if (in_dev)
+			ip_mc_dec_group(in_dev, group);
 		rtnl_unlock();
+
 		/* decrease mem now to avoid the memleak warning */
 		atomic_sub(sizeof(*iml), &sk->sk_omem_alloc);
 		kfree_rcu(iml, rcu);
-- 
2.12.2


* [PATCH 3.12 135/142] HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (133 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 134/142] ipv4: igmp: Allow removing groups from a removed interface Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 136/142] HID: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL Jiri Slaby
                   ` (8 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Ardinartsev Nikita, Ardinartsev Nikita,
	Jiri Kosina, Jiri Slaby

From: Ardinartsev Nikita <pinguin255@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 877a021e08ccb6434718c0cc781fdf943c884cc0 upstream.

With NOGET quirk Logitech F510 is now fully workable in dinput mode including
rumble effects (according to fftest).

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=117091

[jkosina@suse.cz: fix patch format]
Signed-off-by: Ardinartsev Nikita <ardinar23@gmail.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/hid/hid-lg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-lg.c b/drivers/hid/hid-lg.c
index 12fc48c968e6..34dbb9d6d852 100644
--- a/drivers/hid/hid-lg.c
+++ b/drivers/hid/hid-lg.c
@@ -790,7 +790,7 @@ static const struct hid_device_id lg_devices[] = {
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_WINGMAN_FFG),
 		.driver_data = LG_FF },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_RUMBLEPAD2),
-		.driver_data = LG_FF2 },
+		.driver_data = LG_NOGET | LG_FF2 },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_FLIGHT_SYSTEM_G940),
 		.driver_data = LG_FF3 },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_SPACENAVIGATOR),
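
Review bot: LG_NOGET is added to the USB_DEVICE_ID_LOGITECH_RUMBLEPAD2 entry with no record of why this device needs it, and the commit message refers to the "Logitech F510" while the subject and the ID name say Rumblepad 2. A sentence in the changelog tying the two names together and stating the failure the quirk avoids (the subject mentions immediate disconnection) would make the change traceable from the table entry.
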
-- 
2.12.2


* [PATCH 3.12 136/142] HID: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (134 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 135/142] HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2 Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 137/142] HID: i2c-hid: Add sleep between POWER ON and RESET Jiri Slaby
                   ` (7 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Colin Ian King, Jiri Kosina, Jiri Slaby

From: Colin Ian King <colin.king@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ed9ab4287f96e66340e0390e2c583f2f9110cba0 upstream.

Quirking the following AMI USB device with ALWAYS_POLL fixes an AMI
virtual keyboard and mouse from not responding and timing out when
it is attached to a ppc64el Power 8 system and when we have some
rapid open/closes on the mouse device.

 usb 1-3: new high-speed USB device number 2 using xhci_hcd
 usb 1-3: New USB device found, idVendor=046b, idProduct=ff01
 usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
 usb 1-3: Product: Virtual Hub
 usb 1-3: Manufacturer: American Megatrends Inc.
 usb 1-3: SerialNumber: serial
 usb 1-3.3: new high-speed USB device number 3 using xhci_hcd
 usb 1-3.3: New USB device found, idVendor=046b, idProduct=ff31
 usb 1-3.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
 usb 1-3.3: Product: Virtual HardDisk Device
 usb 1-3.3: Manufacturer: American Megatrends Inc.
 usb 1-3.4: new low-speed USB device number 4 using xhci_hcd
 usb 1-3.4: New USB device found, idVendor=046b, idProduct=ff10
 usb 1-3.4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
 usb 1-3.4: Product: Virtual Keyboard and Mouse
 usb 1-3.4: Manufacturer: American Megatrends Inc.

With the quirk I have not been able to trigger the issue with
half an hour of saturation soak testing.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/hid/hid-ids.h           | 3 +++
 drivers/hid/usbhid/hid-quirks.c | 1 +
 2 files changed, 4 insertions(+)

diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 16583e6621d4..204d75fb32b3 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -67,6 +67,9 @@
 #define USB_VENDOR_ID_ALPS		0x0433
 #define USB_DEVICE_ID_IBM_GAMEPAD	0x1101
 
+#define USB_VENDOR_ID_AMI		0x046b
+#define USB_DEVICE_ID_AMI_VIRT_KEYBOARD_AND_MOUSE	0xff10
+
 #define USB_VENDOR_ID_APPLE		0x05ac
 #define USB_DEVICE_ID_APPLE_MIGHTYMOUSE	0x0304
 #define USB_DEVICE_ID_APPLE_MAGICMOUSE	0x030d
diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c
index 3fd5fa9385ae..22433538fc78 100644
--- a/drivers/hid/usbhid/hid-quirks.c
+++ b/drivers/hid/usbhid/hid-quirks.c
@@ -55,6 +55,7 @@ static const struct hid_blacklist {
 	{ USB_VENDOR_ID_TOUCHPACK, USB_DEVICE_ID_TOUCHPACK_RTS, HID_QUIRK_MULTI_INPUT },
 
 	{ USB_VENDOR_ID_AIREN, USB_DEVICE_ID_AIREN_SLIMPLUS, HID_QUIRK_NOGET },
+	{ USB_VENDOR_ID_AMI, USB_DEVICE_ID_AMI_VIRT_KEYBOARD_AND_MOUSE, HID_QUIRK_ALWAYS_POLL },
 	{ USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_UC100KM, HID_QUIRK_NOGET },
 	{ USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_CS124U, HID_QUIRK_NOGET },
 	{ USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_2PORTKVM, HID_QUIRK_NOGET },
-- 
2.12.2


* [PATCH 3.12 137/142] HID: i2c-hid: Add sleep between POWER ON and RESET
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (135 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 136/142] HID: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 138/142] Input: joydev - do not report stale values on first open Jiri Slaby
                   ` (6 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Brendan McGrath, Jiri Kosina, Jiri Slaby

From: Brendan McGrath <redmcg@redmandi.dyndns.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit a89af4abdf9b353cdd6f61afc0eaaac403304873 upstream.

Support for the Asus Touchpad was recently added. It turns out this
device can fail initialisation (and become unusable) when the RESET
command is sent too soon after the POWER ON command.

Unfortunately the i2c-hid specification does not specify the need for
a delay between these two commands. But it was discovered the Windows
driver has a 1ms delay.

As a result, this patch modifies the i2c-hid module to add a sleep
in between the POWER ON and RESET commands which lasts between 1ms and 5ms.

See https://github.com/vlasenko/hid-asus-dkms/issues/24 for further
details.

Signed-off-by: Brendan McGrath <redmcg@redmandi.dyndns.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/hid/i2c-hid/i2c-hid.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index 0c65412cf5d4..c695689cfed0 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -341,6 +341,15 @@ static int i2c_hid_hwreset(struct i2c_client *client)
 	if (ret)
 		return ret;
 
+	/*
+	 * The HID over I2C specification states that if a DEVICE needs time
+	 * after the PWR_ON request, it should utilise CLOCK stretching.
+	 * However, it has been observered that the Windows driver provides a
+	 * 1ms sleep between the PWR_ON and RESET requests and that some devices
+	 * rely on this.
+	 */
+	usleep_range(1000, 5000);
+
 	i2c_hid_dbg(ihid, "resetting...\n");
 
 	ret = i2c_hid_command(client, &hid_reset_cmd, NULL, 0);
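Review bot: The new usleep_range(1000, 5000) in i2c_hid_hwreset() is unconditional, so every reset of every HID-over-I2C device now pays 1 to 5 ms, although the comment itself says only some devices rely on the delay. Either state in the comment that this cost is accepted for all devices, or gate the sleep on a per-device quirk. The comment also has a typo: "observered" should read "observed".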
-- 
2.12.2

* [PATCH 3.12 138/142] Input: joydev - do not report stale values on first open
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (136 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 137/142] HID: i2c-hid: Add sleep between POWER ON and RESET Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 139/142] Input: tca8418 - use the interrupt trigger from the device tree Jiri Slaby
                   ` (5 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Raphael Assenat, Dmitry Torokhov, Oliver Neukum,
	Jiri Slaby

From: Raphael Assenat <raph@raphnet.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 45536d373a21d441bd488f618b6e3e9bfae839f3 upstream.

Postpone axis initialization to the first open instead of doing it
in joydev_connect. This is to make sure the generated startup events
are representative of the current joystick state rather than what
it was when joydev_connect() was called, potentially much earlier.
Once the first user is connected to joydev node we'll be updating
joydev->abs[] values and subsequent clients will be getting correct
initial states as well.

This solves issues with joystick driven menus that start scrolling
up each time they are started, until the user moves the joystick to
generate events. In emulator menu setups where the menu program is
restarted every time the game exits, the repeated need to move the
joystick to stop the unintended scrolling gets old rather quickly...

Signed-off-by: Raphael Assenat <raph@raphnet.net>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/joydev.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c
index f362883c94e3..3736c1759524 100644
--- a/drivers/input/joydev.c
+++ b/drivers/input/joydev.c
@@ -188,6 +188,17 @@ static void joydev_detach_client(struct joydev *joydev,
 	synchronize_rcu();
 }
 
+static void joydev_refresh_state(struct joydev *joydev)
+{
+	struct input_dev *dev = joydev->handle.dev;
+	int i, val;
+
+	for (i = 0; i < joydev->nabs; i++) {
+		val = input_abs_get_val(dev, joydev->abspam[i]);
+		joydev->abs[i] = joydev_correct(val, &joydev->corr[i]);
+	}
+}
+
 static int joydev_open_device(struct joydev *joydev)
 {
 	int retval;
@@ -202,6 +213,8 @@ static int joydev_open_device(struct joydev *joydev)
 		retval = input_open_device(&joydev->handle);
 		if (retval)
 			joydev->open--;
+		else
+			joydev_refresh_state(joydev);
 	}
 
 	mutex_unlock(&joydev->mutex);
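Review bot: joydev_refresh_state() is called in the else branch only after input_open_device() has returned 0, so the handle is already open while the helper's loop rewrites joydev->abs[]. If an event can be delivered in that window, its update to abs[] races with the refresh. The helper added in the previous hunk carries no comment about the locking it expects; state there that it runs under joydev->mutex and why a concurrent event update is harmless.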
@@ -823,7 +836,6 @@ static int joydev_connect(struct input_handler *handler, struct input_dev *dev,
 		j = joydev->abspam[i];
 		if (input_abs_get_max(dev, j) == input_abs_get_min(dev, j)) {
 			joydev->corr[i].type = JS_CORR_NONE;
-			joydev->abs[i] = input_abs_get_val(dev, j);
 			continue;
 		}
 		joydev->corr[i].type = JS_CORR_BROKEN;
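Review bot: The line removed from the JS_CORR_NONE branch stored the raw input_abs_get_val(dev, j), but the new joydev_refresh_state() passes every axis through joydev_correct(val, &joydev->corr[i]), including axes whose type is JS_CORR_NONE. Please confirm that joydev_correct() returns such values unchanged; otherwise the initial state reported for these axes differs from before, and the commit message does not mention that.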
@@ -838,10 +850,6 @@ static int joydev_connect(struct input_handler *handler, struct input_dev *dev,
 		if (t) {
 			joydev->corr[i].coef[2] = (1 << 29) / t;
 			joydev->corr[i].coef[3] = (1 << 29) / t;
-
-			joydev->abs[i] =
-				joydev_correct(input_abs_get_val(dev, j),
-					       joydev->corr + i);
 		}
 	}
 
-- 
2.12.2

* [PATCH 3.12 139/142] Input: tca8418 - use the interrupt trigger from the device tree
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (137 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 138/142] Input: joydev - do not report stale values on first open Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 140/142] Input: mpr121 - handle multiple bits change of status register Jiri Slaby
                   ` (4 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Maxime Ripard, Dmitry Torokhov, Oliver Neukum, Jiri Slaby

From: Maxime Ripard <maxime.ripard@free-electrons.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 259b77ef853cc375a5c9198cf81f9b79fc19413c upstream.

The TCA8418 might be used using different interrupt triggers on various
boards. This is not working so far because the current code forces a
falling edge trigger.

The device tree already provides a trigger type, so let's use whatever it
sets up, and since we can be loaded without DT, keep the old behaviour for
the non-DT case.

Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/keyboard/tca8418_keypad.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/input/keyboard/tca8418_keypad.c b/drivers/input/keyboard/tca8418_keypad.c
index 55c15304ddbc..92c742420e20 100644
--- a/drivers/input/keyboard/tca8418_keypad.c
+++ b/drivers/input/keyboard/tca8418_keypad.c
@@ -274,6 +274,7 @@ static int tca8418_keypad_probe(struct i2c_client *client,
 	bool irq_is_gpio = false;
 	int irq;
 	int error, row_shift, max_keys;
+	unsigned long trigger = 0;
 
 	/* Copy the platform data */
 	if (pdata) {
@@ -286,6 +287,7 @@ static int tca8418_keypad_probe(struct i2c_client *client,
 		cols = pdata->cols;
 		rep  = pdata->rep;
 		irq_is_gpio = pdata->irq_is_gpio;
+		trigger = IRQF_TRIGGER_FALLING;
 	} else {
 		struct device_node *np = dev->of_node;
 		int err;
@@ -360,9 +362,7 @@ static int tca8418_keypad_probe(struct i2c_client *client,
 		irq = gpio_to_irq(irq);
 
 	error = devm_request_threaded_irq(dev, irq, NULL, tca8418_irq_handler,
-					  IRQF_TRIGGER_FALLING |
-						IRQF_SHARED |
-						IRQF_ONESHOT,
+					  trigger | IRQF_SHARED | IRQF_ONESHOT,
 					  client->name, keypad_data);
 	if (error) {
 		dev_err(dev, "Unable to claim irq %d; error %d\n",
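Review bot: In the non-pdata path trigger keeps its initial value 0, so devm_request_threaded_irq() is now called with only IRQF_SHARED | IRQF_ONESHOT and depends entirely on the interrupt specifier in the device tree carrying a trigger type. A device tree that relied on the previously hard-coded IRQF_TRIGGER_FALLING changes behaviour silently; a comment at the request site, or a fallback to falling edge when no trigger type is configured, would make that explicit.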
-- 
2.12.2

* [PATCH 3.12 140/142] Input: mpr121 - handle multiple bits change of status register
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (138 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 139/142] Input: tca8418 - use the interrupt trigger from the device tree Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 141/142] Input: mpr121 - set missing event capability Jiri Slaby
                   ` (3 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Akinobu Mita, Dmitry Torokhov, Oliver Neukum, Jiri Slaby

From: Akinobu Mita <akinobu.mita@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 08fea55e37f58371bffc5336a59e55d1f155955a upstream.

This driver reports input events on their interrupts which are triggered
by the sensor's status register changes.  But only a single bit change is
reported in the interrupt handler.  So if multiple bits are changed at
almost the same time, other press or release events are ignored.

This fixes it by detecting all changed bits in the status register.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/keyboard/mpr121_touchkey.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/drivers/input/keyboard/mpr121_touchkey.c b/drivers/input/keyboard/mpr121_touchkey.c
index f7f3e9a9fd3f..d781d532c37e 100644
--- a/drivers/input/keyboard/mpr121_touchkey.c
+++ b/drivers/input/keyboard/mpr121_touchkey.c
@@ -88,7 +88,8 @@ static irqreturn_t mpr_touchkey_interrupt(int irq, void *dev_id)
 	struct mpr121_touchkey *mpr121 = dev_id;
 	struct i2c_client *client = mpr121->client;
 	struct input_dev *input = mpr121->input_dev;
-	unsigned int key_num, key_val, pressed;
+	unsigned long bit_changed;
+	unsigned int key_num;
 	int reg;
 
 	reg = i2c_smbus_read_byte_data(client, ELE_TOUCH_STATUS_1_ADDR);
@@ -106,18 +107,22 @@ static irqreturn_t mpr_touchkey_interrupt(int irq, void *dev_id)
 
 	reg &= TOUCH_STATUS_MASK;
 	/* use old press bit to figure out which bit changed */
-	key_num = ffs(reg ^ mpr121->statusbits) - 1;
-	pressed = reg & (1 << key_num);
+	bit_changed = reg ^ mpr121->statusbits;
 	mpr121->statusbits = reg;
+	for_each_set_bit(key_num, &bit_changed, mpr121->keycount) {
+		unsigned int key_val, pressed;
 
-	key_val = mpr121->keycodes[key_num];
+		pressed = reg & BIT(key_num);
+		key_val = mpr121->keycodes[key_num];
 
-	input_event(input, EV_MSC, MSC_SCAN, key_num);
-	input_report_key(input, key_val, pressed);
-	input_sync(input);
+		input_event(input, EV_MSC, MSC_SCAN, key_num);
+		input_report_key(input, key_val, pressed);
+
+		dev_dbg(&client->dev, "key %d %d %s\n", key_num, key_val,
+			pressed ? "pressed" : "released");
 
-	dev_dbg(&client->dev, "key %d %d %s\n", key_num, key_val,
-		pressed ? "pressed" : "released");
+	}
+	input_sync(input);
 
 out:
 	return IRQ_HANDLED;
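Review bot: The for_each_set_bit() bound of mpr121->keycount is what keeps keycodes[key_num] within the configured keys, and it also means changed bits at or above keycount are dropped without a trace; a one-line comment on the loop would record that this is intended. The existing comment "which bit changed" should become plural now that all changed bits are handled, the dev_dbg() format uses %d for the unsigned key_num and key_val, and the blank line left before the closing brace of the loop should go.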
-- 
2.12.2

* [PATCH 3.12 141/142] Input: mpr121 - set missing event capability
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (139 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 140/142] Input: mpr121 - handle multiple bits change of status register Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 15:33 ` [PATCH 3.12 142/142] tty/serial: atmel: fix race condition (TX+DMA) Jiri Slaby
                   ` (2 subsequent siblings)
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Akinobu Mita, Dmitry Torokhov, Oliver Neukum, Jiri Slaby

From: Akinobu Mita <akinobu.mita@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 9723ddc8fe0d76ce41fe0dc16afb241ec7d0a29d upstream.

This driver reports misc scan input events on the sensor's status
register changes.  But the event capability for them was not set in the
device initialization, so these events were ignored.

This change adds the missing event capability.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/keyboard/mpr121_touchkey.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/input/keyboard/mpr121_touchkey.c b/drivers/input/keyboard/mpr121_touchkey.c
index d781d532c37e..e13713b7658c 100644
--- a/drivers/input/keyboard/mpr121_touchkey.c
+++ b/drivers/input/keyboard/mpr121_touchkey.c
@@ -235,6 +235,7 @@ static int mpr_touchkey_probe(struct i2c_client *client,
 	input_dev->id.bustype = BUS_I2C;
 	input_dev->dev.parent = &client->dev;
 	input_dev->evbit[0] = BIT_MASK(EV_KEY) | BIT_MASK(EV_REP);
+	input_set_capability(input_dev, EV_MSC, MSC_SCAN);
 
 	input_dev->keycode = mpr121->keycodes;
 	input_dev->keycodesize = sizeof(mpr121->keycodes[0]);
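Review bot: input_set_capability(input_dev, EV_MSC, MSC_SCAN) only takes effect because it comes after the plain assignment to input_dev->evbit[0] on the line above; if the two are ever reordered, the assignment wipes the EV_MSC bit again. Consider setting EV_KEY and EV_REP with __set_bit() as well, or add a comment that the call must follow the assignment.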
-- 
2.12.2

* [PATCH 3.12 142/142] tty/serial: atmel: fix race condition (TX+DMA)
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (140 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 141/142] Input: mpr121 - set missing event capability Jiri Slaby
@ 2017-04-10 15:33 ` Jiri Slaby
  2017-04-10 20:37 ` [PATCH 3.12 000/142] 3.12.73-stable review Shuah Khan
  2017-04-10 23:22 ` Guenter Roeck
  143 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-10 15:33 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Richard Genoud, Greg Kroah-Hartman, Jiri Slaby

From: Richard Genoud <richard.genoud@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 31ca2c63fdc0aee725cbd4f207c1256f5deaabde upstream.

If uart_flush_buffer() is called between atmel_tx_dma() and
atmel_complete_tx_dma(), the circular buffer has been cleared, but not
atmel_port->tx_len.
That leads to a circular buffer overflow (dumping (UART_XMIT_SIZE -
atmel_port->tx_len) bytes).

Tested-by: Nicolas Ferre <nicolas.ferre@microchip.com>
[rg] backport to 3.12
Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/tty/serial/atmel_serial.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
index ab2e22bf54fd..04a809284d63 100644
--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -1690,6 +1690,11 @@ static void atmel_flush_buffer(struct uart_port *port)
 		UART_PUT_TCR(port, 0);
 		atmel_port->pdc_tx.ofs = 0;
 	}
+	/*
+	 * in uart_flush_buffer(), the xmit circular buffer has just
+	 * been cleared, so we have to reset its length accordingly.
+	 */
+	sg_dma_len(&atmel_port->sg_tx) = 0;
 }
 
 /*
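Review bot: The commit message describes the stale value as atmel_port->tx_len, but the added line clears sg_dma_len(&atmel_port->sg_tx); the new comment should name that field so the backport difference is visible in the code. The reset also sits after the closing brace of the preceding block, so it runs on every atmel_flush_buffer() call, and nothing in this hunk shows what serialises it against atmel_complete_tx_dma(); say in the comment which lock the caller holds.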
-- 
2.12.2

* Re: [PATCH 3.12 127/142] cgroup: use an ordered workqueue for cgroup destruction
  2017-04-10 15:33 ` [PATCH 3.12 127/142] cgroup: use an ordered workqueue for cgroup destruction Jiri Slaby
@ 2017-04-10 19:30   ` Hugh Dickins
  2017-04-11  6:05     ` Jiri Slaby
  0 siblings, 1 reply; 148+ messages in thread
From: Hugh Dickins @ 2017-04-10 19:30 UTC (permalink / raw)
  To: Jiri Slaby; +Cc: stable, linux-kernel, Hugh Dickins, Tejun Heo

On Mon, 10 Apr 2017, Jiri Slaby wrote:

> From: Hugh Dickins <hughd@google.com>
> 
> 3.12-stable review patch.  If anyone has any objections, please let me know.
> 
> ===============
> 
> commit ab3f5faa6255a0eb4f832675507d9e295ca7e9ba upstream.
> 
> Sometimes the cleanup after memcg hierarchy testing gets stuck in
> mem_cgroup_reparent_charges(), unable to bring non-kmem usage down to 0.
> 
> There may turn out to be several causes, but a major cause is this: the
> workitem to offline parent can get run before workitem to offline child;
> parent's mem_cgroup_reparent_charges() circles around waiting for the
> child's pages to be reparented to its lrus, but it's holding cgroup_mutex
> which prevents the child from reaching its mem_cgroup_reparent_charges().
> 
> Just use an ordered workqueue for cgroup_destroy_wq.
> 
> tj: Committing as the temporary fix until the reverse dependency can
>     be removed from memcg.  Comment updated accordingly.
> 
> Fixes: e5fca243abae ("cgroup: use a dedicated workqueue for cgroup destruction")
> Suggested-by: Filipe Brandenburger <filbranden@google.com>
> Signed-off-by: Hugh Dickins <hughd@google.com>
> Signed-off-by: Tejun Heo <tj@kernel.org>
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>

Deja vu, it won't lie down!  See your mailbox of 2016-11-25..28:

No, please drop this one.  It was indeed marked for stable at the time,
but then reverted by 1a11533fbd71792e8c5d36f6763fbce8df0d231d; and you
already have in 3.12-stable the commit which in the end we used to fix
the issue, 4fb1a86fb5e4209a7d4426d4e586c58e9edc74ac
"memcg: reparent charges of children before processing parent".

Hugh

> ---
>  kernel/cgroup.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index 5d9d542c0bb5..e89f6cec01c9 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -5168,12 +5168,16 @@ static int __init cgroup_wq_init(void)
>  	/*
>  	 * There isn't much point in executing destruction path in
>  	 * parallel.  Good chunk is serialized with cgroup_mutex anyway.
> -	 * Use 1 for @max_active.
> +	 *
> +	 * XXX: Must be ordered to make sure parent is offlined after
> +	 * children.  The ordering requirement is for memcg where a
> +	 * parent's offline may wait for a child's leading to deadlock.  In
> +	 * the long term, this should be fixed from memcg side.
>  	 *
>  	 * We would prefer to do this in cgroup_init() above, but that
>  	 * is called before init_workqueues(): so leave this until after.
>  	 */
> -	cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1);
> +	cgroup_destroy_wq = alloc_ordered_workqueue("cgroup_destroy", 0);
>  	BUG_ON(!cgroup_destroy_wq);
>  	return 0;
>  }
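Review bot: The XXX comment added in this hunk describes the ordered workqueue as a stopgap until memcg is fixed, and Hugh Dickins' reply above states that the upstream commit was later reverted and that the memcg fix is already in 3.12-stable. With that fix present the ordering requirement stated in the comment no longer holds, so this hunk should not be applied to 3.12.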
> -- 
> 2.12.2
> 
> 

* Re: [PATCH 3.12 000/142] 3.12.73-stable review
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (141 preceding siblings ...)
  2017-04-10 15:33 ` [PATCH 3.12 142/142] tty/serial: atmel: fix race condition (TX+DMA) Jiri Slaby
@ 2017-04-10 20:37 ` Shuah Khan
  2017-04-25  7:07   ` Jiri Slaby
  2017-04-10 23:22 ` Guenter Roeck
  143 siblings, 1 reply; 148+ messages in thread
From: Shuah Khan @ 2017-04-10 20:37 UTC (permalink / raw)
  To: Jiri Slaby, stable; +Cc: linux, linux-kernel, Shuah Khan

On 04/10/2017 09:33 AM, Jiri Slaby wrote:
> This is the start of the stable review cycle for the 3.12.73 release.
> There are 142 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed Apr 12 17:33:10 CEST 2017.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	http://kernel.org/pub/linux/kernel/people/jirislaby/stable-review/patch-3.12.73-rc1.xz
> and the diffstat can be found below.
> 
> thanks,
> js
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

* Re: [PATCH 3.12 000/142] 3.12.73-stable review
  2017-04-10 15:33 [PATCH 3.12 000/142] 3.12.73-stable review Jiri Slaby
                   ` (142 preceding siblings ...)
  2017-04-10 20:37 ` [PATCH 3.12 000/142] 3.12.73-stable review Shuah Khan
@ 2017-04-10 23:22 ` Guenter Roeck
  143 siblings, 0 replies; 148+ messages in thread
From: Guenter Roeck @ 2017-04-10 23:22 UTC (permalink / raw)
  To: Jiri Slaby, stable; +Cc: shuahkh, linux-kernel

On 04/10/2017 08:33 AM, Jiri Slaby wrote:
> This is the start of the stable review cycle for the 3.12.73 release.
> There are 142 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Apr 12 17:33:10 CEST 2017.
> Anything received after that time might be too late.
>

Build results:
	total: 128 pass: 128 fail: 0
Qemu test results:
	total: 93 pass: 93 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

* Re: [PATCH 3.12 127/142] cgroup: use an ordered workqueue for cgroup destruction
  2017-04-10 19:30   ` Hugh Dickins
@ 2017-04-11  6:05     ` Jiri Slaby
  0 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-11  6:05 UTC (permalink / raw)
  To: Hugh Dickins; +Cc: stable, linux-kernel, Tejun Heo

On 04/10/2017, 09:30 PM, Hugh Dickins wrote:
> On Mon, 10 Apr 2017, Jiri Slaby wrote:
> 
>> From: Hugh Dickins <hughd@google.com>
>>
>> 3.12-stable review patch.  If anyone has any objections, please let me know.
>>
>> ===============
>>
>> commit ab3f5faa6255a0eb4f832675507d9e295ca7e9ba upstream.
>>
>> Sometimes the cleanup after memcg hierarchy testing gets stuck in
>> mem_cgroup_reparent_charges(), unable to bring non-kmem usage down to 0.
>>
>> There may turn out to be several causes, but a major cause is this: the
>> workitem to offline parent can get run before workitem to offline child;
>> parent's mem_cgroup_reparent_charges() circles around waiting for the
>> child's pages to be reparented to its lrus, but it's holding cgroup_mutex
>> which prevents the child from reaching its mem_cgroup_reparent_charges().
>>
>> Just use an ordered workqueue for cgroup_destroy_wq.
>>
>> tj: Committing as the temporary fix until the reverse dependency can
>>     be removed from memcg.  Comment updated accordingly.
>>
>> Fixes: e5fca243abae ("cgroup: use a dedicated workqueue for cgroup destruction")
>> Suggested-by: Filipe Brandenburger <filbranden@google.com>
>> Signed-off-by: Hugh Dickins <hughd@google.com>
>> Signed-off-by: Tejun Heo <tj@kernel.org>
>> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> 
> Deja vu, it won't lie down!  See your mailbox of 2016-11-25..28:
> 
> No, please drop this one.  It was indeed marked for stable at the time,
> but then reverted by 1a11533fbd71792e8c5d36f6763fbce8df0d231d; and you
> already have in 3.12-stable the commit which in the end we used to fix
> the issue, 4fb1a86fb5e4209a7d4426d4e586c58e9edc74ac
> "memcg: reparent charges of children before processing parent".

Hmm, right. If only people stopped asking me to pick it. Dropped and
blacklisted. Thanks!

-- 
js
suse labs

* Re: [PATCH 3.12 000/142] 3.12.73-stable review
  2017-04-10 20:37 ` [PATCH 3.12 000/142] 3.12.73-stable review Shuah Khan
@ 2017-04-25  7:07   ` Jiri Slaby
  0 siblings, 0 replies; 148+ messages in thread
From: Jiri Slaby @ 2017-04-25  7:07 UTC (permalink / raw)
  To: Shuah Khan, stable, linux; +Cc: linux-kernel

On 04/10/2017, 10:37 PM, Shuah Khan wrote:
> On 04/10/2017 09:33 AM, Jiri Slaby wrote:
>> This is the start of the stable review cycle for the 3.12.73 release.
>> There are 142 patches in this series, all will be posted as a response
>> to this one.  If anyone has any issues with these being applied, please
>> let me know.
>>
>> Responses should be made by Wed Apr 12 17:33:10 CEST 2017.
>> Anything received after that time might be too late.
>>
>> The whole patch series can be found in one patch at:
>> 	http://kernel.org/pub/linux/kernel/people/jirislaby/stable-review/patch-3.12.73-rc1.xz
>> and the diffstat can be found below.
>>
>> thanks,
>> js
>>
> 
> Compiled and booted on my test system. No dmesg regressions.

On 04/11/2017, 01:22 AM, Guenter Roeck wrote:
> Build results:
>     total: 128 pass: 128 fail: 0
> Qemu test results:
>     total: 93 pass: 93 fail: 0
>
> Details are available at http://kerneltests.org/builders.

I forgot to: thank you!

-- 
js
suse labs

2017-04-10 15:32 ` [PATCH 3.12 096/142] xfs: clear _XBF_PAGES from buffers when readahead page Jiri Slaby
2017-04-10 15:32 ` [PATCH 3.12 097/142] block: allow WRITE_SAME commands with the SG_IO ioctl Jiri Slaby
2017-04-10 15:32 ` [PATCH 3.12 098/142] uvcvideo: uvc_scan_fallback() for webcams with broken chain Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 099/142] fbcon: Fix vc attr at deinit Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 100/142] crypto: algif_hash - avoid zero-sized array Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 101/142] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 102/142] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 103/142] virtio_balloon: init 1st buffer in stats vq Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 104/142] c6x/ptrace: Remove useless PTRACE_SETREGSET implementation Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 105/142] sparc/ptrace: Preserve previous registers for short regset write Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 106/142] metag/ptrace: " Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 107/142] metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 108/142] metag/ptrace: Reject partial NT_METAG_RPIPE writes Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 109/142] sched/rt: Add a missing rescheduling point Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 110/142] libceph: force GFP_NOIO for socket allocations Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 111/142] scsi: mpt3sas: fix hang on ata passthrough commands Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 112/142] scsi: libsas: fix ata xfer length Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 113/142] ALSA: seq: Fix race during FIFO resize Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 114/142] ACPI: Fix incompatibility with mcount-based function graph tracing Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 115/142] USB: fix linked-list corruption in rh_call_control() Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 116/142] KVM: x86: clear bus pointer when destroyed Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 117/142] mm, hugetlb: use pte_present() instead of pmd_present() in follow_huge_pmd() Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 118/142] rtc: s35390a: fix reading out alarm Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 119/142] rtc: s35390a: make sure all members in the output are set Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 120/142] rtc: s35390a: implement reset routine as suggested by the reference Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 121/142] rtc: s35390a: improve irq handling Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 122/142] KVM: kvm_io_bus_unregister_dev() should never fail Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 123/142] padata: avoid race in reordering Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 124/142] ALSA: ctxfi: Fallback DMA mask to 32bit Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 125/142] ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 126/142] Revert "cpufreq: fix garbage kobjects on errors during suspend/resume" Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 127/142] cgroup: use an ordered workqueue for cgroup destruction Jiri Slaby
2017-04-10 19:30   ` Hugh Dickins
2017-04-11  6:05     ` Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 128/142] cpufreq: move policy kobj to policy->cpu at resume Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 129/142] ACPI / PNP: Avoid conflicting resource reservations Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 130/142] ACPI / resources: free memory on error in add_region_before() Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 131/142] ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 132/142] USB: OHCI: Fix race between ED unlink and URB submission Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 133/142] i2c: at91: manage unexpected RXRDY flag when starting a transfer Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 134/142] ipv4: igmp: Allow removing groups from a removed interface Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 135/142] HID: hid-lg: Fix immediate disconnection of Logitech Rumblepad 2 Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 136/142] HID: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 137/142] HID: i2c-hid: Add sleep between POWER ON and RESET Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 138/142] Input: joydev - do not report stale values on first open Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 139/142] Input: tca8418 - use the interrupt trigger from the device tree Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 140/142] Input: mpr121 - handle multiple bits change of status register Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 141/142] Input: mpr121 - set missing event capability Jiri Slaby
2017-04-10 15:33 ` [PATCH 3.12 142/142] tty/serial: atmel: fix race condition (TX+DMA) Jiri Slaby
2017-04-10 20:37 ` [PATCH 3.12 000/142] 3.12.73-stable review Shuah Khan
2017-04-25  7:07   ` Jiri Slaby
2017-04-10 23:22 ` Guenter Roeck
