All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 4.5 000/238] 4.5.1-stable review
@ 2016-04-10 18:32 Greg Kroah-Hartman
  2016-04-10 18:32 ` [PATCH 4.5 001/238] x86/microcode/intel: Make early loader look for builtin microcode too Greg Kroah-Hartman
                   ` (229 more replies)
  0 siblings, 230 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah.kh, patches, stable

This is the start of the stable review cycle for the 4.5.1 release.
There are 238 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Apr 12 18:34:18 UTC 2016.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.5.1-rc1.gz
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.5.1-rc1

Andi Kleen <ak@linux.intel.com>
    perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere

Jiri Olsa <jolsa@redhat.com>
    perf/x86/intel: Use PAGE_SIZE for PEBS buffer size on Core2

Kan Liang <kan.liang@intel.com>
    perf/x86/intel: Fix PEBS warning by only restoring active PMU in pmi

Kan Liang <kan.liang@intel.com>
    perf/x86/intel/uncore: Remove SBOX support for BDX-DE

Stephane Eranian <eranian@google.com>
    perf/x86/pebs: Add workaround for broken OVFL status on HSW+

Thomas Gleixner <tglx@linutronix.de>
    sched/cputime: Fix steal time accounting vs. CPU hotplug

Hannes Reinecke <hare@suse.de>
    scsi_common: do not clobber fixed sense information

Lukas Wunner <lukas@wunner.de>
    PM / sleep: Clear pm_suspend_global_flags upon hibernate

Len Brown <len.brown@intel.com>
    intel_idle: prevent SKL-H boot failure when C8+C9+C10 enabled

Aaro Koskinen <aaro.koskinen@iki.fi>
    mtd: onenand: fix deadlock in onenand_block_markbad

Vlastimil Babka <vbabka@suse.cz>
    mm/page_alloc: prevent merging between isolated and other pageblocks

Joseph Qi <joseph.qi@huawei.com>
    ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list

Joseph Qi <joseph.qi@huawei.com>
    ocfs2/dlm: fix race between convert and recovery

Junxiao Bi <junxiao.bi@oracle.com>
    ocfs2: o2hb: fix double free bug

Vladis Dronov <vdronov@redhat.com>
    Input: ati_remote2 - fix crashes on detecting device with invalid descriptor

Oliver Neukum <oneukum@suse.com>
    Input: ims-pcu - sanity check against missing interfaces

Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Input: synaptics - handle spurious release of trackstick buttons, again

Tejun Heo <tj@kernel.org>
    writeback, cgroup: fix use of the wrong bdi_writeback which mismatches the inode

Tejun Heo <tj@kernel.org>
    writeback, cgroup: fix premature wb_put() in locked_inode_to_wb_and_lock_list()

Lukas Wunner <lukas@wunner.de>
    ACPI / PM: Runtime resume devices when waking from hibernate

Ludovic Desroches <ludovic.desroches@atmel.com>
    ARM: dts: at91: sama5d4 Xplained: don't disable hsmci regulator

Ludovic Desroches <ludovic.desroches@atmel.com>
    ARM: dts: at91: sama5d3 Xplained: don't disable hsmci regulator

J. Bruce Fields <bfields@redhat.com>
    nfsd: fix deadlock secinfo+readdir compound

J. Bruce Fields <bfields@redhat.com>
    nfsd4: fix bad bounds checking

Jenny Derzhavetz <jennyf@mellanox.com>
    iser-target: Rework connection termination

Jenny Derzhavetz <jennyf@mellanox.com>
    iser-target: Separate flows for np listeners and connections cma events

Jenny Derzhavetz <jennyf@mellanox.com>
    iser-target: Add new state ISER_CONN_BOUND to isert_conn

Jenny Derzhavetz <jennyf@mellanox.com>
    iser-target: Fix identification of login rx descriptor type

Himanshu Madhani <himanshu.madhani@qlogic.com>
    target: Fix target_release_cmd_kref shutdown comp leak

Eric Anholt <eric@anholt.net>
    clk: bcm2835: Fix setting of PLL divider clock rates

Alexander Kochetkov <al.kochet@gmail.com>
    clk: rockchip: add hclk_cpubus to the list of rk3188 critical clocks

Heiko Stuebner <heiko@sntech.de>
    clk: rockchip: rk3368: fix hdmi_cec gate-register

Heiko Stuebner <heiko@sntech.de>
    clk: rockchip: rk3368: fix parents of video encoder/decoder

Heiko Stuebner <heiko@sntech.de>
    clk: rockchip: rk3368: fix cpuclk core dividers

Heiko Stuebner <heiko@sntech.de>
    clk: rockchip: rk3368: fix cpuclk mux bit of big cpu-cluster

Brent Taylor <motobud@gmail.com>
    mmc: atmel-mci: Check pdata for NULL before dereferencing it at DMA config

Adrian Hunter <adrian.hunter@intel.com>
    mmc: sdhci: Fix override of timeout clk wrt max_busy_timeout

Lucas Stach <dev@lynxeye.de>
    mmc: tegra: properly disable card clock

Jon Hunter <jonathanh@nvidia.com>
    mmc: tegra: Disable UHS-I modes for tegra114

Russell King <rmk+kernel@arm.linux.org.uk>
    mmc: sdhci-pxav3: fix higher speed mode capabilities

Russell King <rmk+kernel@arm.linux.org.uk>
    mmc: sdhci: fix data timeout (part 2)

Russell King <rmk+kernel@arm.linux.org.uk>
    mmc: sdhci: fix data timeout (part 1)

Russell King <rmk+kernel@arm.linux.org.uk>
    mmc: sdhci: plug DMA mapping leak on error

Russell King <rmk+kernel@arm.linux.org.uk>
    mmc: sdhci: avoid unnecessary mapping/unmapping of align buffer

Russell King <rmk+kernel@arm.linux.org.uk>
    mmc: sdhci: further fix for DMA unmapping in sdhci_post_req()

Russell King <rmk+kernel@arm.linux.org.uk>
    mmc: sdhci: fix command response CRC error handling

Russell King <rmk+kernel@arm.linux.org.uk>
    mmc: sdhci: clean up command error handling

Russell King <rmk+kernel@arm.linux.org.uk>
    mmc: sdhci: move initialisation of command error member

Magnus Damm <damm+renesas@opensource.se>
    mmc: mmc_spi: Add Card Detect comments and fix CD GPIO case

Shawn Lin <shawn.lin@rock-chips.com>
    mmc: block: fix ABI regression of mmc_blk_ioctl

John Dahlstrom <jodarom@SDF.ORG>
    ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list

Guenter Roeck <linux@roeck-us.net>
    MAINTAINERS: Update mailing list and web page for hwmon subsystem

Jiri Kosina <jkosina@suse.cz>
    kbuild/mkspec: fix grub2 installkernel issue

Jan Beulich <JBeulich@suse.com>
    scripts/kconfig: allow building with make 3.80 again

Julia Lawall <Julia.Lawall@lip6.fr>
    scripts/coccinelle: modernize &

Peter Zijlstra <peterz@infradead.org>
    bitops: Do not default to __clear_bit() for __clear_bit_unlock()

Steven Rostedt (Red Hat) <rostedt@goodmis.org>
    tracing: Fix trace_printk() to print when not using bprintk()

Steven Rostedt (Red Hat) <rostedt@goodmis.org>
    tracing: Fix crash from reading trace_pipe with sendfile

Steven Rostedt (Red Hat) <rostedt@goodmis.org>
    tracing: Have preempt(irqs)off trace preempt disabled functions

Eric Huang <JinHuiEric.Huang@amd.com>
    drm/amd/powerplay: add uvd/vce dpm enabling flag to fix the performance issue for CZ

Ken Wang <Qingqing.Wang@amd.com>
    drm/amdgpu: include the right version of gmc header files for iceland

Alex Deucher <alexander.deucher@amd.com>
    drm/amdgpu: disable runtime pm on PX laptops without dGPU power control

Dave Airlie <airlied@redhat.com>
    drm/radeon/mst: fix regression in lane/link handling.

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: rework fbdev handling on chips with no connectors

Mario Kleiner <mario.kleiner.de@gmail.com>
    drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards.

Alex Deucher <alexander.deucher@amd.com>
    drm/radeon: disable runtime pm on PX laptops without dGPU power control

Dan Carpenter <dan.carpenter@oracle.com>
    drm/vc4: Return -EFAULT on copy_from_user() failure

Aurelien Jacquiot <a-jacquiot@ti.com>
    rapidio/rionet: fix deadlock on SMP

Jann Horn <jann@thejh.net>
    fs/coredump: prevent fsuid=0 dumps into user-controlled directories

Jan Kiszka <jan.kiszka@siemens.com>
    scripts/gdb: account for changes in module data structure

Seth Forshee <seth.forshee@canonical.com>
    fuse: Add reference counting for fuse_io_priv

Robert Doebbelin <robert@quobyte.com>
    fuse: do not use iocb after it may have been freed

Ming Lei <ming.lei@canonical.com>
    md: multipath: don't hardcopy bio in .make_request path

NeilBrown <neilb@suse.com>
    md/raid5: preserve STRIPE_PREREAD_ACTIVE in break_stripe_batch_list

Shaohua Li <shli@fb.com>
    raid10: include bio_end_io_list in nr_queued to prevent freeze_array hang

Shaohua Li <shli@fb.com>
    RAID5: revert e9e4c377e2f563 to fix a livelock

Shaohua Li <shli@fb.com>
    RAID5: check_reshape() shouldn't call mddev_suspend

Jes Sorensen <Jes.Sorensen@redhat.com>
    md/raid5: Compare apples to apples (or sectors to sectors)

Nate Dailey <nate.dailey@stratus.com>
    raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang

Mateusz Guzik <mguzik@redhat.com>
    xfs: fix two memory leaks in xfs_attr_list.c error paths

Nikolay Borisov <kernel@kyup.com>
    quota: Fix possible GPF due to uninitialised pointers

Vineet Gupta <vgupta@synopsys.com>
    ARC: bitops: Remove non relevant comments

Lada Trimasova <ltrimas@synopsys.com>
    ARC: [BE] readl()/writel() to work in Big Endian CPU configuration

Alexey Brodkin <Alexey.Brodkin@synopsys.com>
    ARC: [plat-axs10x] add Ethernet PHY description in .dts

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: clear all DBREAKC registers on start

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: fix preemption in {clear,copy}_user_highpage

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: ISS: don't hang if stdin EOF is reached

Rabin Vincent <rabin@rab.in>
    splice: handle zero nr_pages in splice_to_pipe()

Dmitry V. Levin <ldv@altlinux.org>
    vfs: show_vfsstat: do not ignore errors from show_devname method

Vinayak Menon <vinmenon@codeaurora.org>
    of: alloc anywhere from memblock if range not specified

Hante Meuleman <meuleman@broadcom.com>
    brcmfmac: Increase nr of supported flowrings.

Dmitri Epshtein <dima@marvell.com>
    net: mvneta: enable change MAC address when interface is up

Tejun Heo <tj@kernel.org>
    cgroup: ignore css_sets associated with dead cgroups during migration

Johan Hedberg <johan.hedberg@intel.com>
    Bluetooth: Fix potential buffer overflow with Add Advertising

Dmitry Tunin <hanipouspilot@gmail.com>
    Bluetooth: Add new AR3012 ID 0489:e095

Michael S. Tsirkin <mst@redhat.com>
    watchdog: rc32434_wdt: fix ioctl error handling

Joshua Hunt <johunt@akamai.com>
    watchdog: don't run proc_watchdog_update if new value is same as old

Aaro Koskinen <aaro.koskinen@iki.fi>
    drivers/firmware/broadcom/bcm47xx_nvram.c: fix incorrect __ioread32_copy

Luis R. Rodriguez <mcgrof@kernel.org>
    ia64: define ioremap_uc()

Johannes Weiner <hannes@cmpxchg.org>
    mm: memcontrol: reclaim and OOM kill when shrinking memory.max below usage

Johannes Weiner <hannes@cmpxchg.org>
    mm: memcontrol: reclaim when shrinking memory.high below usage

Eric Wheeler <git@linux.ewheeler.net>
    bcache: fix cache_set_flush() NULL pointer dereference on OOM

Eric Wheeler <git@linux.ewheeler.net>
    bcache: fix race of writeback thread starting before complete initialization

Eric Wheeler <git@linux.ewheeler.net>
    bcache: cleaned up error handling around register_cache()

Bart Van Assche <bart.vanassche@sandisk.com>
    IB/srpt: Simplify srpt_handle_tsk_mgmt()

Bart Van Assche <bart.vanassche@sandisk.com>
    brd: Fix discard request processing

Catalin Marinas <catalin.marinas@arm.com>
    arm64: Update PTE_RDONLY in set_pte_at() for PROT_NONE permission

Geert Uytterhoeven <geert+renesas@glider.be>
    gpio: pca953x: Fix pca953x_gpio_set_multiple() on 64-bit

OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path

Kamal Mostafa <kamal@canonical.com>
    tools/hv: Use include/uapi with __EXPORTED_HEADERS__

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Fix missing ELD update at unplugging

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Workaround for unbalanced i915 power refcount by concurrent probe

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Fix forgotten HDMI monitor_present update

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Really restrict i915 notifier to HSW+

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Fix spurious kernel WARNING on Baytrail HDMI

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Limit i915 HDMI binding only for HSW and later

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Fix unconditional GPIO toggle via automute

Aaron Plattner <aplattner@nvidia.com>
    ALSA: hda - Add new GPU codec ID 0x10de0082 to snd-hda

Hui Wang <hui.wang@canonical.com>
    ALSA: hda - fix the mic mute button and led problem for a Lenovo AIO

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Don't handle ELD notify from invalid port

Vittorio Gambaletta (VittGam) <linuxbugs@vittgam.net>
    ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41.

Takashi Iwai <tiwai@suse.de>
    ALSA: pcm: Avoid "BUG:" string for warnings again

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Apply reboot D3 fix for CX20724 codec, too

Takashi Iwai <tiwai@suse.de>
    ALSA: hda - Fix unexpected resume through regmap code path

Asai Thambi SP <asamymuthupa@micron.com>
    mtip32xx: Cleanup queued requests after surprise removal

Asai Thambi SP <asamymuthupa@micron.com>
    mtip32xx: Implement timeout handler

Asai Thambi SP <asamymuthupa@micron.com>
    mtip32xx: Handle FTL rebuild failure state during device initialization

Asai Thambi SP <asamymuthupa@micron.com>
    mtip32xx: Handle safe removal during IO

Asai Thambi SP <asamymuthupa@micron.com>
    mtip32xx: Fix for rmmod crash when drive is in FTL rebuild

Asai Thambi SP <asamymuthupa@micron.com>
    mtip32xx: Print exact time when an internal command is interrupted

Asai Thambi SP <asamymuthupa@micron.com>
    mtip32xx: Remove unwanted code from taskfile error handler

Asai Thambi SP <asamymuthupa@micron.com>
    mtip32xx: Fix broken service thread handling

Asai Thambi SP <asamymuthupa@micron.com>
    mtip32xx: Avoid issuing standby immediate cmd during FTL rebuild

Tiffany Lin <tiffany.lin@mediatek.com>
    media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32

Philipp Zabel <p.zabel@pengutronix.de>
    coda: fix first encoded frame payload

Hans de Goede <hdegoede@redhat.com>
    bttv: Width must be a multiple of 16 when capturing planar formats

Hans Verkuil <hverkuil@xs4all.nl>
    adv7511: TX_EDID_PRESENT is still 1 after a disconnect

Hans de Goede <hdegoede@redhat.com>
    saa7134: Fix bytesperline not being set correctly for planar formats

Sebastian Frias <sf84@laposte.net>
    8250: use callbacks to access UART_DLL/UART_DLM

Peter Hurley <peter@hurleysoftware.com>
    net: irda: Fix use-after-free in irtty_open()

Peter Hurley <peter@hurleysoftware.com>
    tty: Fix GPF in flush_to_ldisc(), part 2

H Hartley Sweeten <hsweeten@visionengravers.com>
    staging: comedi: ni_mio_common: fix the ni_write[blw]() functions

Vladimir Zapolskiy <vz@mleia.com>
    staging: android: ion_test: fix check of platform_device_register_simple() error code

Spencer E. Olson <olsonse@umich.edu>
    staging: comedi: ni_tiocmd: change mistaken use of start_src for start_arg

Benjamin Tissoires <benjamin.tissoires@redhat.com>
    HID: fix hid_ignore_special_drivers module parameter

Benjamin Tissoires <benjamin.tissoires@redhat.com>
    HID: multitouch: force retrieving of Win8 signature blob

Dmitry Torokhov <dtor@chromium.org>
    HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()

Grazvydas Ignotas <notasas@gmail.com>
    HID: logitech: fix Dual Action gamepad support

Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    tpm: fix the cleanup of struct tpm_chip

Harald Hoyer <harald@redhat.com>
    tpm_eventlog.c: fix binary_bios_measurements

Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    tpm_crb: tpm2_shutdown() must be called before tpm_chip_unregister()

Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
    tpm: fix the rollback in tpm_chip_register()

Alexander Usyskin <alexander.usyskin@intel.com>
    mei: bus: check if the device is enabled before data transfer

David Howells <dhowells@redhat.com>
    X.509: Fix leap year handling again

Boris BREZILLON <boris.brezillon@free-electrons.com>
    crypto: marvell/cesa - forward devm_ioremap_resource() error code

Vladimir Zapolskiy <vz@mleia.com>
    crypto: ux500 - fix checks of error code returned by devm_ioremap_resource()

Vladimir Zapolskiy <vz@mleia.com>
    crypto: atmel - fix checks of error code returned by devm_ioremap_resource()

Dan Carpenter <dan.carpenter@oracle.com>
    crypto: keywrap - memzero the correct memory

Tom Lendacky <thomas.lendacky@amd.com>
    crypto: ccp - memset request context to zero during import

Tom Lendacky <thomas.lendacky@amd.com>
    crypto: ccp - Don't assume export/import areas are aligned

Tom Lendacky <thomas.lendacky@amd.com>
    crypto: ccp - Limit the amount of information exported

Tom Lendacky <thomas.lendacky@amd.com>
    crypto: ccp - Add hash state import and export support

Dmitry Tunin <hanipouspilot@gmail.com>
    Bluetooth: btusb: Add a new AR3012 ID 13d3:3472

Dmitry Tunin <hanipouspilot@gmail.com>
    Bluetooth: btusb: Add a new AR3012 ID 04ca:3014

Dmitry Tunin <hanipouspilot@gmail.com>
    Bluetooth: btusb: Add new AR3012 ID 13d3:3395

Vladis Dronov <vdronov@redhat.com>
    ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()

Victor Clément <victor.clement@openmailbox.org>
    ALSA: usb-audio: add Microsoft HD-5001 to quirks

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Add sanity checks for endpoint accesses

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()

Josh Boyer <jwboyer@fedoraproject.org>
    Input: powermate - fix oops with malicious USB descriptors

Hans de Goede <hdegoede@redhat.com>
    pwc: Add USB id for Philips Spc880nc webcam

Anthony Wong <anthony.wong@ubuntu.com>
    rt2x00: add new rt2800usb device Buffalo WLI-UC-G450

Bjørn Mork <bjorn@mork.no>
    USB: option: add "D-Link DWM-221 B1" device id

Josh Boyer <jwboyer@fedoraproject.org>
    USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices

Martyn Welch <martyn.welch@collabora.co.uk>
    USB: serial: cp210x: Adding GE Healthcare Device ID

Oliver Neukum <oneukum@suse.com>
    USB: cypress_m8: add endpoint sanity check

Oliver Neukum <oneukum@suse.com>
    USB: digi_acceleport: do sanity checking for the number of ports

Oliver Neukum <oneukum@suse.com>
    USB: mct_u232: add sanity checking in probe

Oliver Neukum <oneukum@suse.com>
    USB: usb_driver_claim_interface: add sanity checking

Josh Boyer <jwboyer@fedoraproject.org>
    USB: iowarrior: fix oops with malicious USB descriptors

Oliver Neukum <oneukum@suse.com>
    USB: cdc-acm: more sanity checking

Hans de Goede <hdegoede@redhat.com>
    USB: uas: Reduce can_queue to MAX_CMNDS

Oliver Neukum <oneukum@suse.com>
    usb: hub: fix a typo in hub_port_init() leading to wrong logic

Oliver Neukum <oneukum@suse.com>
    usb: retry reset if a device times out

Bryn M. Reeves <bmr@redhat.com>
    dm: fix rq_end_stats() NULL pointer in dm_requeue_original_request()

Joe Thornber <ejt@redhat.com>
    dm cache: make sure every metadata function checks fail_io

Joe Thornber <ejt@redhat.com>
    dm thin metadata: don't issue prefetches if a transaction abort has failed

Mike Snitzer <snitzer@redhat.com>
    dm: fix excessive dm-mq context switching

DingXiang <dingxiang@huawei.com>
    dm snapshot: disallow the COW and origin devices from being identical

Dan Williams <dan.j.williams@intel.com>
    libnvdimm, pmem: fix kmap_atomic() leak in error path

Jerry Hoemann <jerry.hoemann@hpe.com>
    libnvdimm: Fix security issue with DSM IOCTL.

Alan <gnomes@lxorguk.ukuu.org.uk>
    aic7xxx: Fix queue depth handling

Maurizio Lombardi <mlombard@redhat.com>
    be2iscsi: set the boot_kset pointer to NULL in case of failure

Vitaly Kuznetsov <vkuznets@redhat.com>
    scsi: storvsc: fix SRB_STATUS_ABORTED handling

Finn Thain <fthain@telegraphics.com.au>
    ncr5380: Call scsi_eh_prep_cmnd() and scsi_eh_restore_cmnd() as and when appropriate

Finn Thain <fthain@telegraphics.com.au>
    ncr5380: Fix NCR5380_select() EH checks and result handling

Finn Thain <fthain@telegraphics.com.au>
    ncr5380: Forget aborted commands

Finn Thain <fthain@telegraphics.com.au>
    ncr5380: Dont re-enter NCR5380_select()

Finn Thain <fthain@telegraphics.com.au>
    ncr5380: Dont release lock for PIO transfer

Finn Thain <fthain@telegraphics.com.au>
    ncr5380: Correctly clear command pointers and lists after bus reset

Martin K. Petersen <martin.petersen@oracle.com>
    sd: Fix discard granularity when LBPRZ=1

Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
    aacraid: Set correct msix count for EEH recovery

Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
    aacraid: Fix memory leak in aac_fib_map_free

Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
    aacraid: Fix RRQ overload

Douglas Gilbert <dgilbert@interlog.com>
    sg: fix dxferp in from_to case

Nadav Amit <namit@vmware.com>
    x86/mm: TLB_REMOTE_SEND_IPI should count pages

Andy Lutomirski <luto@kernel.org>
    x86/iopl: Fix iopl capability check on Xen PV

Andy Lutomirski <luto@kernel.org>
    x86/iopl/64: Properly context-switch IOPL on Xen PV

Dave Jones <davej@codemonkey.org.uk>
    x86/apic: Fix suspicious RCU usage in smp_trace_call_function_interrupt()

Thomas Gleixner <tglx@linutronix.de>
    x86/irq: Cure live lock in fixup_irqs()

Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    PCI: ACPI: IA64: fix IO port generic range check

Bjorn Helgaas <bhelgaas@google.com>
    PCI: Disable IO/MEM decoding for devices with non-compliant BARs

Phil Elwell <phil@raspberrypi.org>
    pinctrl-bcm2835: Fix cut-and-paste error in "pull" parsing

Sebastian Ott <sebott@linux.vnet.ibm.com>
    s390/pci: enforce fmb page boundary rule

Heiko Carstens <heiko.carstens@de.ibm.com>
    s390/cpumf: add missing lpp magic initialization

Martin Schwidefsky <schwidefsky@de.ibm.com>
    s390: fix floating pointer register corruption (again)

Dan Carpenter <dan.carpenter@oracle.com>
    EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()

Tony Luck <tony.luck@intel.com>
    EDAC/sb_edac: Fix computation of channel address

David Hildenbrand <dahi@linux.vnet.ibm.com>
    sched/preempt, sh: kmap_coherent relies on disabled preemption

Byungchul Park <byungchul.park@lge.com>
    sched/fair: Avoid using decay_load_missed() with a negative value

Chris Friesen <cbf123@mail.usask.ca>
    sched/cputime: Fix steal_account_process_tick() to always return jiffies

Zhang Rui <rui.zhang@intel.com>
    Thermal: Ignore invalid trip points

Jiri Olsa <jolsa@redhat.com>
    perf tools: Fix python extension build

Wang Nan <wangnan0@huawei.com>
    perf tools: Fix checking asprintf return value

Andi Kleen <ak@linux.intel.com>
    perf tools: Dont stop PMU parsing on alias parse error

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    perf/core: Fix perf_sched_count derailment

Paolo Bonzini <pbonzini@redhat.com>
    KVM: VMX: fix nested vpid for old KVM guests

Paolo Bonzini <pbonzini@redhat.com>
    KVM: VMX: avoid guest hang on invalid invvpid instruction

Paolo Bonzini <pbonzini@redhat.com>
    KVM: VMX: avoid guest hang on invalid invept instruction

Paolo Bonzini <pbonzini@redhat.com>
    KVM: fix spin_lock_init order on x86

Radim Krčmář <rkrcmar@redhat.com>
    KVM: i8254: change PIT discard tick policy

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: fix missed hardware breakpoints

Bjorn Helgaas <bhelgaas@google.com>
    x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs

Stephane Eranian <eranian@google.com>
    perf/x86/intel: Add definition for PT PMI bit

Andy Lutomirski <luto@kernel.org>
    x86/entry/compat: Keep TS_COMPAT set during signal delivery

Borislav Petkov <bp@suse.de>
    x86/microcode: Untangle from BLK_DEV_INITRD

Borislav Petkov <bp@suse.de>
    x86/microcode/intel: Make early loader look for builtin microcode too


-------------

Diffstat:

 Documentation/cgroup-v2.txt                        |   6 +
 MAINTAINERS                                        |  96 ++++----
 Makefile                                           |   4 +-
 arch/arc/boot/dts/axs10x_mb.dtsi                   |   8 +
 arch/arc/include/asm/bitops.h                      |  15 --
 arch/arc/include/asm/io.h                          |  18 +-
 arch/arm/boot/dts/at91-sama5d3_xplained.dts        |   1 +
 arch/arm/boot/dts/at91-sama5d4_xplained.dts        |   1 +
 arch/arm64/include/asm/pgtable.h                   |   3 +-
 arch/ia64/include/asm/io.h                         |   1 +
 arch/s390/include/asm/pci.h                        |   2 +-
 arch/s390/kernel/entry.S                           | 106 +-------
 arch/s390/kernel/setup.c                           |   1 +
 arch/s390/pci/pci.c                                |   5 +-
 arch/sh/mm/kmap.c                                  |   2 +
 arch/um/drivers/mconsole_kern.c                    |   2 +-
 arch/x86/Kconfig                                   |  27 ++-
 arch/x86/entry/common.c                            |  23 +-
 arch/x86/include/asm/apic.h                        |   2 +-
 arch/x86/include/asm/hw_irq.h                      |   1 +
 arch/x86/include/asm/microcode.h                   |  26 ++
 arch/x86/include/asm/perf_event.h                  |   1 +
 arch/x86/include/asm/xen/hypervisor.h              |   2 +
 arch/x86/kernel/apic/vector.c                      |  88 +++++--
 arch/x86/kernel/cpu/microcode/intel.c              |  38 +--
 arch/x86/kernel/cpu/perf_event.c                   |  13 +
 arch/x86/kernel/cpu/perf_event.h                   |   3 +
 arch/x86/kernel/cpu/perf_event_intel.c             |  27 ++-
 arch/x86/kernel/cpu/perf_event_intel_ds.c          |  24 +-
 .../x86/kernel/cpu/perf_event_intel_uncore_snbep.c |   8 +-
 arch/x86/kernel/cpu/perf_event_knc.c               |   4 +-
 arch/x86/kernel/ioport.c                           |  12 +-
 arch/x86/kernel/process_64.c                       |  12 +
 arch/x86/kvm/i8254.c                               |  12 +-
 arch/x86/kvm/vmx.c                                 |  16 +-
 arch/x86/kvm/x86.c                                 |   1 +
 arch/x86/mm/tlb.c                                  |  12 +-
 arch/x86/pci/fixup.c                               |   7 +
 arch/x86/xen/enlighten.c                           |   2 +-
 arch/xtensa/kernel/head.S                          |   2 +-
 arch/xtensa/mm/cache.c                             |   8 +-
 arch/xtensa/platforms/iss/console.c                |  10 +-
 block/blk-core.c                                   |   2 +-
 crypto/asymmetric_keys/x509_cert_parser.c          |   8 +-
 crypto/keywrap.c                                   |   4 +-
 drivers/acpi/resource.c                            |  14 +-
 drivers/acpi/sleep.c                               |   1 +
 drivers/block/brd.c                                |   2 +-
 drivers/block/mtip32xx/mtip32xx.c                  | 267 ++++++++++++++++-----
 drivers/block/mtip32xx/mtip32xx.h                  |  11 +-
 drivers/bluetooth/ath3k.c                          |   8 +
 drivers/bluetooth/btusb.c                          |   4 +
 drivers/char/tpm/tpm-chip.c                        |  14 +-
 drivers/char/tpm/tpm_crb.c                         |   4 +-
 drivers/char/tpm/tpm_eventlog.c                    |  14 +-
 drivers/clk/bcm/clk-bcm2835.c                      |  12 +-
 drivers/clk/rockchip/clk-rk3188.c                  |   1 +
 drivers/clk/rockchip/clk-rk3368.c                  |  48 ++--
 drivers/crypto/atmel-aes.c                         |   4 +-
 drivers/crypto/atmel-sha.c                         |   4 +-
 drivers/crypto/atmel-tdes.c                        |   4 +-
 drivers/crypto/ccp/ccp-crypto-aes-cmac.c           |  36 +++
 drivers/crypto/ccp/ccp-crypto-sha.c                |  40 +++
 drivers/crypto/ccp/ccp-crypto.h                    |  22 ++
 drivers/crypto/marvell/cesa.c                      |   2 +-
 drivers/crypto/ux500/cryp/cryp_core.c              |   4 +-
 drivers/crypto/ux500/hash/hash_core.c              |   4 +-
 drivers/edac/amd64_edac.c                          |   2 +-
 drivers/edac/sb_edac.c                             |  26 +-
 drivers/firmware/broadcom/bcm47xx_nvram.c          |   5 +-
 drivers/gpio/gpio-pca953x.c                        |   6 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_atpx_handler.c   |   8 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c         |   8 +-
 drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c             |   4 +-
 drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c     |   5 +
 drivers/gpu/drm/radeon/atombios_encoders.c         |   6 +-
 drivers/gpu/drm/radeon/radeon_atpx_handler.c       |   8 +-
 drivers/gpu/drm/radeon/radeon_device.c             |   8 +-
 drivers/gpu/drm/radeon/radeon_display.c            |   6 +-
 drivers/gpu/drm/radeon/radeon_dp_mst.c             |  12 +-
 drivers/gpu/drm/radeon/radeon_fb.c                 |  19 +-
 drivers/gpu/drm/vc4/vc4_bo.c                       |   7 +-
 drivers/hid/hid-core.c                             |   8 +-
 drivers/hid/hid-multitouch.c                       |   5 +
 drivers/hid/i2c-hid/i2c-hid.c                      |  16 +-
 drivers/idle/intel_idle.c                          | 108 +++++++--
 drivers/infiniband/ulp/isert/ib_isert.c            | 122 +++++-----
 drivers/infiniband/ulp/isert/ib_isert.h            |   2 +-
 drivers/infiniband/ulp/srpt/ib_srpt.c              |  59 +----
 drivers/input/misc/ati_remote2.c                   |  36 ++-
 drivers/input/misc/ims-pcu.c                       |   4 +
 drivers/input/misc/powermate.c                     |   3 +
 drivers/input/mouse/synaptics.c                    |   5 +-
 drivers/md/bcache/super.c                          |  46 +++-
 drivers/md/dm-cache-metadata.c                     |  98 +++++---
 drivers/md/dm-cache-metadata.h                     |   4 +-
 drivers/md/dm-cache-target.c                       |  12 +-
 drivers/md/dm-snap.c                               |   9 +
 drivers/md/dm-table.c                              |  36 ++-
 drivers/md/dm-thin-metadata.c                      |   5 +-
 drivers/md/dm.c                                    |  15 +-
 drivers/md/multipath.c                             |   4 +-
 drivers/md/raid1.c                                 |   7 +-
 drivers/md/raid10.c                                |   7 +-
 drivers/md/raid5.c                                 |  51 ++--
 drivers/md/raid5.h                                 |   4 +-
 drivers/media/i2c/adv7511.c                        |  21 +-
 drivers/media/pci/bt8xx/bttv-driver.c              |  26 +-
 drivers/media/pci/saa7134/saa7134-video.c          |  18 +-
 drivers/media/platform/coda/coda-bit.c             |   2 +-
 drivers/media/usb/pwc/pwc-if.c                     |   6 +
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c      |  21 +-
 drivers/misc/mei/bus.c                             |   9 +
 drivers/mmc/card/block.c                           |  24 +-
 drivers/mmc/host/atmel-mci.c                       |   2 +-
 drivers/mmc/host/mmc_spi.c                         |   6 +
 drivers/mmc/host/sdhci-pxav3.c                     |   6 +-
 drivers/mmc/host/sdhci-tegra.c                     |  14 +-
 drivers/mmc/host/sdhci.c                           | 142 ++++++-----
 drivers/mtd/onenand/onenand_base.c                 |   3 +-
 drivers/net/ethernet/marvell/mvneta.c              |   2 +-
 drivers/net/irda/irtty-sir.c                       |  10 -
 drivers/net/rionet.c                               |   4 +-
 .../broadcom/brcm80211/brcmfmac/flowring.c         |  38 +--
 .../broadcom/brcm80211/brcmfmac/flowring.h         |  20 +-
 .../wireless/broadcom/brcm80211/brcmfmac/msgbuf.c  |  11 +-
 .../wireless/broadcom/brcm80211/brcmfmac/msgbuf.h  |   2 +-
 drivers/net/wireless/ralink/rt2x00/rt2800usb.c     |   1 +
 drivers/nvdimm/bus.c                               |   8 +-
 drivers/nvdimm/pmem.c                              |  11 +-
 drivers/of/of_reserved_mem.c                       |   4 +-
 drivers/pci/probe.c                                |  14 ++
 drivers/pinctrl/bcm/pinctrl-bcm2835.c              |   2 +-
 drivers/platform/x86/ideapad-laptop.c              |  14 ++
 drivers/scsi/NCR5380.c                             | 133 +++++-----
 drivers/scsi/aacraid/aacraid.h                     |   2 +
 drivers/scsi/aacraid/commsup.c                     |  37 ++-
 drivers/scsi/aacraid/linit.c                       |  12 +-
 drivers/scsi/aacraid/src.c                         |  30 +--
 drivers/scsi/aic7xxx/aic7xxx_osm.c                 |   1 +
 drivers/scsi/atari_NCR5380.c                       | 133 +++++-----
 drivers/scsi/be2iscsi/be_main.c                    |   1 +
 drivers/scsi/scsi_common.c                         |  12 +-
 drivers/scsi/sd.c                                  |   2 +-
 drivers/scsi/sg.c                                  |   3 +-
 drivers/scsi/storvsc_drv.c                         |   5 +-
 drivers/staging/android/ion/ion_test.c             |   4 +-
 drivers/staging/comedi/drivers/ni_mio_common.c     |  12 +-
 drivers/staging/comedi/drivers/ni_tiocmd.c         |   2 +-
 drivers/target/target_core_transport.c             |   2 -
 drivers/thermal/thermal_core.c                     |  13 +-
 drivers/tty/serial/8250/8250_port.c                |  18 +-
 drivers/usb/class/cdc-acm.c                        |   3 +
 drivers/usb/core/driver.c                          |   6 +-
 drivers/usb/core/hub.c                             |  16 +-
 drivers/usb/misc/iowarrior.c                       |   6 +
 drivers/usb/serial/cp210x.c                        |   1 +
 drivers/usb/serial/cypress_m8.c                    |  11 +-
 drivers/usb/serial/digi_acceleport.c               |  19 ++
 drivers/usb/serial/ftdi_sio.c                      |   4 +
 drivers/usb/serial/ftdi_sio_ids.h                  |   8 +
 drivers/usb/serial/mct_u232.c                      |   9 +-
 drivers/usb/serial/option.c                        |   2 +
 drivers/usb/storage/uas.c                          |   2 +-
 drivers/watchdog/rc32434_wdt.c                     |   2 +-
 fs/coredump.c                                      |  30 ++-
 fs/fhandle.c                                       |   2 +-
 fs/fs-writeback.c                                  |  37 ++-
 fs/fuse/cuse.c                                     |   4 +-
 fs/fuse/file.c                                     |  33 ++-
 fs/fuse/fuse_i.h                                   |   9 +
 fs/jbd2/journal.c                                  |  17 +-
 fs/nfsd/nfs4proc.c                                 |   1 +
 fs/nfsd/nfs4xdr.c                                  |  13 +-
 fs/ocfs2/cluster/heartbeat.c                       |   4 +-
 fs/ocfs2/dlm/dlmconvert.c                          |  24 +-
 fs/ocfs2/dlm/dlmrecovery.c                         |   1 -
 fs/open.c                                          |   6 +-
 fs/proc_namespace.c                                |   2 +
 fs/quota/dquot.c                                   |   3 +-
 fs/splice.c                                        |   3 +
 fs/xfs/xfs_attr_list.c                             |  19 +-
 include/asm-generic/bitops/lock.h                  |  14 +-
 include/linux/cgroup-defs.h                        |   3 +
 include/linux/device-mapper.h                      |   2 +
 include/linux/fs.h                                 |   2 +-
 include/linux/kernel.h                             |   6 +-
 include/linux/pci.h                                |   1 +
 include/linux/thermal.h                            |   2 +
 include/linux/tty.h                                |   2 +-
 include/sound/hdaudio.h                            |   2 +
 kernel/cgroup.c                                    |  20 +-
 kernel/events/core.c                               |   7 +-
 kernel/power/hibernate.c                           |   1 +
 kernel/sched/core.c                                |   1 +
 kernel/sched/cputime.c                             |  14 +-
 kernel/sched/fair.c                                |  12 +-
 kernel/sched/sched.h                               |  13 +
 kernel/sysctl_binary.c                             |   2 +-
 kernel/trace/trace.c                               |   5 +-
 kernel/trace/trace_irqsoff.c                       |   8 +-
 kernel/trace/trace_printk.c                        |   3 +
 kernel/watchdog.c                                  |   9 +-
 mm/memcontrol.c                                    |  44 +++-
 mm/page_alloc.c                                    |  46 +++-
 net/bluetooth/mgmt.c                               |   4 +
 scripts/coccinelle/iterators/use_after_iter.cocci  |   2 +-
 scripts/gdb/linux/modules.py                       |   5 +-
 scripts/gdb/linux/symbols.py                       |   2 +-
 scripts/kconfig/Makefile                           |   4 +-
 scripts/package/mkspec                             |   8 +-
 sound/core/pcm_lib.c                               |   2 +-
 sound/hda/hdac_device.c                            |  16 ++
 sound/hda/hdac_regmap.c                            |  69 ++++--
 sound/pci/hda/patch_cirrus.c                       |   8 +-
 sound/pci/hda/patch_conexant.c                     |   7 +-
 sound/pci/hda/patch_hdmi.c                         |  43 +++-
 sound/pci/hda/patch_realtek.c                      |   1 +
 sound/pci/intel8x0.c                               |   1 +
 sound/usb/clock.c                                  |   2 +
 sound/usb/endpoint.c                               |   3 +
 sound/usb/mixer_quirks.c                           |   4 +
 sound/usb/pcm.c                                    |   2 +
 sound/usb/quirks.c                                 |  27 ++-
 sound/usb/stream.c                                 |   6 +-
 tools/hv/Makefile                                  |   2 +
 tools/perf/util/parse-events.c                     |   6 +-
 tools/perf/util/pmu.c                              |  15 +-
 tools/perf/util/setup.py                           |   4 +
 virt/kvm/kvm_main.c                                |  21 +-
 230 files changed, 2359 insertions(+), 1266 deletions(-)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 001/238] x86/microcode/intel: Make early loader look for builtin microcode too
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
@ 2016-04-10 18:32 ` Greg Kroah-Hartman
  2016-04-10 18:32 ` [PATCH 4.5 002/238] x86/microcode: Untangle from BLK_DEV_INITRD Greg Kroah-Hartman
                   ` (228 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Voegtle, Borislav Petkov,
	Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <bp@suse.de>

commit 264285ac01673e70557c43ecee338ce97c4c0672 upstream.

Set the initrd @start depending on the presence of an initrd. Otherwise,
builtin microcode loading doesn't work as the start is wrong and we're
using it to compute offset to the microcode blobs.

Tested-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1454499225-21544-3-git-send-email-bp@alien8.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/cpu/microcode/intel.c |   24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -551,10 +551,14 @@ scan_microcode(struct mc_saved_data *mc_
 	cd.data = NULL;
 	cd.size = 0;
 
-	cd = find_cpio_data(p, (void *)start, size, &offset);
-	if (!cd.data) {
+	/* try built-in microcode if no initrd */
+	if (!size) {
 		if (!load_builtin_intel_microcode(&cd))
 			return UCODE_ERROR;
+	} else {
+		cd = find_cpio_data(p, (void *)start, size, &offset);
+		if (!cd.data)
+			return UCODE_ERROR;
 	}
 
 	return get_matching_model_microcode(0, start, cd.data, cd.size,
@@ -728,16 +732,20 @@ void __init load_ucode_intel_bsp(void)
 	struct boot_params *p;
 
 	p	= (struct boot_params *)__pa_nodebug(&boot_params);
-	start	= p->hdr.ramdisk_image;
 	size	= p->hdr.ramdisk_size;
 
-	_load_ucode_intel_bsp(
-			(struct mc_saved_data *)__pa_nodebug(&mc_saved_data),
-			(unsigned long *)__pa_nodebug(&mc_saved_in_initrd),
-			start, size);
+	/*
+	 * Set start only if we have an initrd image. We cannot use initrd_start
+	 * because it is not set that early yet.
+	 */
+	start	= (size ? p->hdr.ramdisk_image : 0);
+
+	_load_ucode_intel_bsp((struct mc_saved_data *)__pa_nodebug(&mc_saved_data),
+			      (unsigned long *)__pa_nodebug(&mc_saved_in_initrd),
+			      start, size);
 #else
-	start	= boot_params.hdr.ramdisk_image + PAGE_OFFSET;
 	size	= boot_params.hdr.ramdisk_size;
+	start	= (size ? boot_params.hdr.ramdisk_image + PAGE_OFFSET : 0);
 
 	_load_ucode_intel_bsp(&mc_saved_data, mc_saved_in_initrd, start, size);
 #endif

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 002/238] x86/microcode: Untangle from BLK_DEV_INITRD
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
  2016-04-10 18:32 ` [PATCH 4.5 001/238] x86/microcode/intel: Make early loader look for builtin microcode too Greg Kroah-Hartman
@ 2016-04-10 18:32 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 003/238] x86/entry/compat: Keep TS_COMPAT set during signal delivery Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Voegtle, Borislav Petkov,
	Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <bp@suse.de>

commit 5f9c01aa7c49a2d74474d6d879a797b8badf29e6 upstream.

Thomas Voegtle reported that doing oldconfig with a .config which has
CONFIG_MICROCODE enabled but BLK_DEV_INITRD disabled prevents the
microcode loading mechanism from being built.

So untangle it from the BLK_DEV_INITRD dependency so that oldconfig
doesn't turn it off and add an explanatory text to its Kconfig help what
the supported methods for supplying microcode are.

Reported-by: Thomas Voegtle <tv@lio96.de>
Tested-by: Thomas Voegtle <tv@lio96.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1454499225-21544-2-git-send-email-bp@alien8.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/Kconfig                      |   23 ++++++++++++-----------
 arch/x86/include/asm/microcode.h      |   26 ++++++++++++++++++++++++++
 arch/x86/kernel/cpu/microcode/intel.c |   14 ++++----------
 3 files changed, 42 insertions(+), 21 deletions(-)

--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1160,22 +1160,23 @@ config MICROCODE
 	bool "CPU microcode loading support"
 	default y
 	depends on CPU_SUP_AMD || CPU_SUP_INTEL
-	depends on BLK_DEV_INITRD
 	select FW_LOADER
 	---help---
-
 	  If you say Y here, you will be able to update the microcode on
-	  certain Intel and AMD processors. The Intel support is for the
-	  IA32 family, e.g. Pentium Pro, Pentium II, Pentium III, Pentium 4,
-	  Xeon etc. The AMD support is for families 0x10 and later. You will
-	  obviously need the actual microcode binary data itself which is not
-	  shipped with the Linux kernel.
+	  Intel and AMD processors. The Intel support is for the IA32 family,
+	  e.g. Pentium Pro, Pentium II, Pentium III, Pentium 4, Xeon etc. The
+	  AMD support is for families 0x10 and later. You will obviously need
+	  the actual microcode binary data itself which is not shipped with
+	  the Linux kernel.
 
-	  This option selects the general module only, you need to select
-	  at least one vendor specific module as well.
+	  The preferred method to load microcode from a detached initrd is described
+	  in Documentation/x86/early-microcode.txt. For that you need to enable
+	  CONFIG_BLK_DEV_INITRD in order for the loader to be able to scan the
+	  initrd for microcode blobs.
 
-	  To compile this driver as a module, choose M here: the module
-	  will be called microcode.
+	  In addition, you can build-in the microcode into the kernel. For that you
+	  need to enable FIRMWARE_IN_KERNEL and add the vendor-supplied microcode
+	  to the CONFIG_EXTRA_FIRMWARE config option.
 
 config MICROCODE_INTEL
 	bool "Intel microcode loading support"
--- a/arch/x86/include/asm/microcode.h
+++ b/arch/x86/include/asm/microcode.h
@@ -3,6 +3,7 @@
 
 #include <asm/cpu.h>
 #include <linux/earlycpio.h>
+#include <linux/initrd.h>
 
 #define native_rdmsr(msr, val1, val2)			\
 do {							\
@@ -143,4 +144,29 @@ static inline void reload_early_microcod
 static inline bool
 get_builtin_firmware(struct cpio_data *cd, const char *name)	{ return false; }
 #endif
+
+static inline unsigned long get_initrd_start(void)
+{
+#ifdef CONFIG_BLK_DEV_INITRD
+	return initrd_start;
+#else
+	return 0;
+#endif
+}
+
+static inline unsigned long get_initrd_start_addr(void)
+{
+#ifdef CONFIG_BLK_DEV_INITRD
+#ifdef CONFIG_X86_32
+	unsigned long *initrd_start_p = (unsigned long *)__pa_nodebug(&initrd_start);
+
+	return (unsigned long)__pa_nodebug(*initrd_start_p);
+#else
+	return get_initrd_start();
+#endif
+#else /* CONFIG_BLK_DEV_INITRD */
+	return 0;
+#endif
+}
+
 #endif /* _ASM_X86_MICROCODE_H */
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -694,7 +694,7 @@ int __init save_microcode_in_initrd_inte
 	if (count == 0)
 		return ret;
 
-	copy_initrd_ptrs(mc_saved, mc_saved_in_initrd, initrd_start, count);
+	copy_initrd_ptrs(mc_saved, mc_saved_in_initrd, get_initrd_start(), count);
 	ret = save_microcode(&mc_saved_data, mc_saved, count);
 	if (ret)
 		pr_err("Cannot save microcode patches from initrd.\n");
@@ -756,20 +756,14 @@ void load_ucode_intel_ap(void)
 	struct mc_saved_data *mc_saved_data_p;
 	struct ucode_cpu_info uci;
 	unsigned long *mc_saved_in_initrd_p;
-	unsigned long initrd_start_addr;
 	enum ucode_state ret;
 #ifdef CONFIG_X86_32
-	unsigned long *initrd_start_p;
 
-	mc_saved_in_initrd_p =
-		(unsigned long *)__pa_nodebug(mc_saved_in_initrd);
+	mc_saved_in_initrd_p = (unsigned long *)__pa_nodebug(mc_saved_in_initrd);
 	mc_saved_data_p = (struct mc_saved_data *)__pa_nodebug(&mc_saved_data);
-	initrd_start_p = (unsigned long *)__pa_nodebug(&initrd_start);
-	initrd_start_addr = (unsigned long)__pa_nodebug(*initrd_start_p);
 #else
-	mc_saved_data_p = &mc_saved_data;
 	mc_saved_in_initrd_p = mc_saved_in_initrd;
-	initrd_start_addr = initrd_start;
+	mc_saved_data_p = &mc_saved_data;
 #endif
 
 	/*
@@ -781,7 +775,7 @@ void load_ucode_intel_ap(void)
 
 	collect_cpu_info_early(&uci);
 	ret = load_microcode(mc_saved_data_p, mc_saved_in_initrd_p,
-			     initrd_start_addr, &uci);
+			     get_initrd_start_addr(), &uci);
 
 	if (ret != UCODE_OK)
 		return;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 003/238] x86/entry/compat: Keep TS_COMPAT set during signal delivery
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
  2016-04-10 18:32 ` [PATCH 4.5 001/238] x86/microcode/intel: Make early loader look for builtin microcode too Greg Kroah-Hartman
  2016-04-10 18:32 ` [PATCH 4.5 002/238] x86/microcode: Untangle from BLK_DEV_INITRD Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 004/238] perf/x86/intel: Add definition for PT PMI bit Greg Kroah-Hartman
                   ` (226 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robert OCallahan, Andy Lutomirski,
	Al Viro, Andy Lutomirski, Borislav Petkov, Brian Gerst,
	Denys Vlasenko, H. Peter Anvin, Linus Torvalds, Peter Zijlstra,
	Shuah Khan, Thomas Gleixner, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@kernel.org>

commit 4e79e182b419172e35936a47f098509092d69817 upstream.

Signal delivery needs to know the sign of an interrupted syscall's
return value in order to detect -ERESTART variants.  Normally this
works independently of bitness because syscalls internally return
long.  Under ptrace, however, this can break, and syscall_get_error
is supposed to sign-extend regs->ax if needed.

We were clearing TS_COMPAT too early, though, and this prevented
sign extension, which subtly broke syscall restart under ptrace.

Reported-by: Robert O'Callahan <robert@ocallahan.org>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Shuah Khan <shuahkh@osg.samsung.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: c5c46f59e4e7 ("x86/entry: Add new, comprehensible entry and exit handlers written in C")
Link: http://lkml.kernel.org/r/cbce3cf545522f64eb37f5478cb59746230db3b5.1455142412.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/entry/common.c |   23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -268,6 +268,7 @@ static void exit_to_usermode_loop(struct
 /* Called with IRQs disabled. */
 __visible inline void prepare_exit_to_usermode(struct pt_regs *regs)
 {
+	struct thread_info *ti = pt_regs_to_thread_info(regs);
 	u32 cached_flags;
 
 	if (IS_ENABLED(CONFIG_PROVE_LOCKING) && WARN_ON(!irqs_disabled()))
@@ -275,12 +276,22 @@ __visible inline void prepare_exit_to_us
 
 	lockdep_sys_exit();
 
-	cached_flags =
-		READ_ONCE(pt_regs_to_thread_info(regs)->flags);
+	cached_flags = READ_ONCE(ti->flags);
 
 	if (unlikely(cached_flags & EXIT_TO_USERMODE_LOOP_FLAGS))
 		exit_to_usermode_loop(regs, cached_flags);
 
+#ifdef CONFIG_COMPAT
+	/*
+	 * Compat syscalls set TS_COMPAT.  Make sure we clear it before
+	 * returning to user mode.  We need to clear it *after* signal
+	 * handling, because syscall restart has a fixup for compat
+	 * syscalls.  The fixup is exercised by the ptrace_syscall_32
+	 * selftest.
+	 */
+	ti->status &= ~TS_COMPAT;
+#endif
+
 	user_enter();
 }
 
@@ -332,14 +343,6 @@ __visible inline void syscall_return_slo
 	if (unlikely(cached_flags & SYSCALL_EXIT_WORK_FLAGS))
 		syscall_slow_exit_work(regs, cached_flags);
 
-#ifdef CONFIG_COMPAT
-	/*
-	 * Compat syscalls set TS_COMPAT.  Make sure we clear it before
-	 * returning to user mode.
-	 */
-	ti->status &= ~TS_COMPAT;
-#endif
-
 	local_irq_disable();
 	prepare_exit_to_usermode(regs);
 }

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 004/238] perf/x86/intel: Add definition for PT PMI bit
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 003/238] x86/entry/compat: Keep TS_COMPAT set during signal delivery Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 005/238] x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs Greg Kroah-Hartman
                   ` (225 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephane Eranian,
	Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Thomas Gleixner, Vince Weaver, adrian.hunter,
	kan.liang, namhyung, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephane Eranian <eranian@google.com>

commit 5690ae28e472d25e330ad0c637a5cea3fc39fb32 upstream.

This patch adds a definition for GLOBAL_OVFL_STATUS bit 55
which is used with the Processor Trace (PT) feature.

Signed-off-by: Stephane Eranian <eranian@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: adrian.hunter@intel.com
Cc: kan.liang@intel.com
Cc: namhyung@kernel.org
Link: http://lkml.kernel.org/r/1457034642-21837-2-git-send-email-eranian@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/perf_event.h |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/include/asm/perf_event.h
+++ b/arch/x86/include/asm/perf_event.h
@@ -165,6 +165,7 @@ struct x86_pmu_capability {
 #define GLOBAL_STATUS_ASIF				BIT_ULL(60)
 #define GLOBAL_STATUS_COUNTERS_FROZEN			BIT_ULL(59)
 #define GLOBAL_STATUS_LBRS_FROZEN			BIT_ULL(58)
+#define GLOBAL_STATUS_TRACE_TOPAPMI			BIT_ULL(55)
 
 /*
  * IBS cpuid feature detection

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 005/238] x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 004/238] perf/x86/intel: Add definition for PT PMI bit Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 006/238] KVM: x86: fix missed hardware breakpoints Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bjorn Helgaas, Andi Kleen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <bhelgaas@google.com>

commit b894157145e4ac7598d7062bc93320898a5e059e upstream.

The Home Agent and PCU PCI devices in Broadwell-EP have a non-BAR register
where a BAR should be.  We don't know what the side effects of sizing the
"BAR" would be, and we don't know what address space the "BAR" might appear
to describe.

Mark these devices as having non-compliant BARs so the PCI core doesn't
touch them.

Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/pci/fixup.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/arch/x86/pci/fixup.c
+++ b/arch/x86/pci/fixup.c
@@ -540,3 +540,10 @@ static void twinhead_reserve_killing_zon
         }
 }
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x27B9, twinhead_reserve_killing_zone);
+
+static void pci_bdwep_bar(struct pci_dev *dev)
+{
+	dev->non_compliant_bars = 1;
+}
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fa0, pci_bdwep_bar);
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x6fc0, pci_bdwep_bar);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 006/238] KVM: x86: fix missed hardware breakpoints
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 005/238] x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 008/238] KVM: fix spin_lock_init order on x86 Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nadadv Amit, Andrey Wagin, Paolo Bonzini

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 4e422bdd2f849d98fffccbc3295c2f0996097fb3 upstream.

Sometimes when setting a breakpoint a process doesn't stop on it.
This is because the debug registers are not loaded correctly on
VCPU load.

The following simple reproducer from Oleg Nesterov tries using debug
registers in both the host and the guest, for example by running "./bp
0 1" on the host and "./bp 14 15" under QEMU.

    #include <unistd.h>
    #include <signal.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <sys/wait.h>
    #include <sys/ptrace.h>
    #include <sys/user.h>
    #include <asm/debugreg.h>
    #include <assert.h>

    #define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)

    unsigned long encode_dr7(int drnum, int enable, unsigned int type, unsigned int len)
    {
        unsigned long dr7;

        dr7 = ((len | type) & 0xf)
            << (DR_CONTROL_SHIFT + drnum * DR_CONTROL_SIZE);
        if (enable)
            dr7 |= (DR_GLOBAL_ENABLE << (drnum * DR_ENABLE_SIZE));

        return dr7;
    }

    int write_dr(int pid, int dr, unsigned long val)
    {
        return ptrace(PTRACE_POKEUSER, pid,
                offsetof (struct user, u_debugreg[dr]),
                val);
    }

    void set_bp(pid_t pid, void *addr)
    {
        unsigned long dr7;
        assert(write_dr(pid, 0, (long)addr) == 0);
        dr7 = encode_dr7(0, 1, DR_RW_EXECUTE, DR_LEN_1);
        assert(write_dr(pid, 7, dr7) == 0);
    }

    void *get_rip(int pid)
    {
        return (void*)ptrace(PTRACE_PEEKUSER, pid,
                offsetof(struct user, regs.rip), 0);
    }

    void test(int nr)
    {
        void *bp_addr = &&label + nr, *bp_hit;
        int pid;

        printf("test bp %d\n", nr);
        assert(nr < 16); // see 16 asm nops below

        pid = fork();
        if (!pid) {
            assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0);
            kill(getpid(), SIGSTOP);
            for (;;) {
                label: asm (
                    "nop; nop; nop; nop;"
                    "nop; nop; nop; nop;"
                    "nop; nop; nop; nop;"
                    "nop; nop; nop; nop;"
                );
            }
        }

        assert(pid == wait(NULL));
        set_bp(pid, bp_addr);

        for (;;) {
            assert(ptrace(PTRACE_CONT, pid, 0, 0) == 0);
            assert(pid == wait(NULL));

            bp_hit = get_rip(pid);
            if (bp_hit != bp_addr)
                fprintf(stderr, "ERR!! hit wrong bp %ld != %d\n",
                    bp_hit - &&label, nr);
        }
    }

    int main(int argc, const char *argv[])
    {
        while (--argc) {
            int nr = atoi(*++argv);
            if (!fork())
                test(nr);
        }

        while (wait(NULL) > 0)
            ;
        return 0;
    }

Suggested-by: Nadadv Amit <namit@cs.technion.ac.il>
Reported-by: Andrey Wagin <avagin@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/x86.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2752,6 +2752,7 @@ void kvm_arch_vcpu_load(struct kvm_vcpu
 	}
 
 	kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu);
+	vcpu->arch.switch_db_regs |= KVM_DEBUGREG_RELOAD;
 }
 
 void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 008/238] KVM: fix spin_lock_init order on x86
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 006/238] KVM: x86: fix missed hardware breakpoints Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 009/238] KVM: VMX: avoid guest hang on invalid invept instruction Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Borislav Petkov, Paolo Bonzini

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit e9ad4ec8379ad1ba6f68b8ca1c26b50b5ae0a327 upstream.

Moving the initialization earlier is needed in 4.6 because
kvm_arch_init_vm is now using mmu_lock, causing lockdep to
complain:

[  284.440294] INFO: trying to register non-static key.
[  284.445259] the code is fine but needs lockdep annotation.
[  284.450736] turning off the locking correctness validator.
...
[  284.528318]  [<ffffffff810aecc3>] lock_acquire+0xd3/0x240
[  284.533733]  [<ffffffffa0305aa0>] ? kvm_page_track_register_notifier+0x20/0x60 [kvm]
[  284.541467]  [<ffffffff81715581>] _raw_spin_lock+0x41/0x80
[  284.546960]  [<ffffffffa0305aa0>] ? kvm_page_track_register_notifier+0x20/0x60 [kvm]
[  284.554707]  [<ffffffffa0305aa0>] kvm_page_track_register_notifier+0x20/0x60 [kvm]
[  284.562281]  [<ffffffffa02ece70>] kvm_mmu_init_vm+0x20/0x30 [kvm]
[  284.568381]  [<ffffffffa02dbf7a>] kvm_arch_init_vm+0x1ea/0x200 [kvm]
[  284.574740]  [<ffffffffa02bff3f>] kvm_dev_ioctl+0xbf/0x4d0 [kvm]

However, it also helps fixing a preexisting problem, which is why this
patch is also good for stable kernels: kvm_create_vm was incrementing
current->mm->mm_count but not decrementing it at the out_err label (in
case kvm_init_mmu_notifier failed).  The new initialization order makes
it possible to add the required mmdrop without adding a new error label.

Reported-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 virt/kvm/kvm_main.c |   21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -537,6 +537,16 @@ static struct kvm *kvm_create_vm(unsigne
 	if (!kvm)
 		return ERR_PTR(-ENOMEM);
 
+	spin_lock_init(&kvm->mmu_lock);
+	atomic_inc(&current->mm->mm_count);
+	kvm->mm = current->mm;
+	kvm_eventfd_init(kvm);
+	mutex_init(&kvm->lock);
+	mutex_init(&kvm->irq_lock);
+	mutex_init(&kvm->slots_lock);
+	atomic_set(&kvm->users_count, 1);
+	INIT_LIST_HEAD(&kvm->devices);
+
 	r = kvm_arch_init_vm(kvm, type);
 	if (r)
 		goto out_err_no_disable;
@@ -569,16 +579,6 @@ static struct kvm *kvm_create_vm(unsigne
 			goto out_err;
 	}
 
-	spin_lock_init(&kvm->mmu_lock);
-	kvm->mm = current->mm;
-	atomic_inc(&kvm->mm->mm_count);
-	kvm_eventfd_init(kvm);
-	mutex_init(&kvm->lock);
-	mutex_init(&kvm->irq_lock);
-	mutex_init(&kvm->slots_lock);
-	atomic_set(&kvm->users_count, 1);
-	INIT_LIST_HEAD(&kvm->devices);
-
 	r = kvm_init_mmu_notifier(kvm);
 	if (r)
 		goto out_err;
@@ -603,6 +603,7 @@ out_err_no_disable:
 	for (i = 0; i < KVM_ADDRESS_SPACE_NUM; i++)
 		kvm_free_memslots(kvm, kvm->memslots[i]);
 	kvm_arch_free_vm(kvm);
+	mmdrop(current->mm);
 	return ERR_PTR(r);
 }
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 009/238] KVM: VMX: avoid guest hang on invalid invept instruction
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 008/238] KVM: fix spin_lock_init order on x86 Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 010/238] KVM: VMX: avoid guest hang on invalid invvpid instruction Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Matlack, Paolo Bonzini

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit 2849eb4f99d54925c543db12917127f88b3c38ff upstream.

A guest executing an invalid invept instruction would hang
because the instruction pointer was not updated.

Fixes: bfd0a56b90005f8c8a004baf407ad90045c2b11e
Reviewed-by: David Matlack <dmatlack@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/vmx.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7398,6 +7398,7 @@ static int handle_invept(struct kvm_vcpu
 	if (!(types & (1UL << type))) {
 		nested_vmx_failValid(vcpu,
 				VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
+		skip_emulated_instruction(vcpu);
 		return 1;
 	}
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 010/238] KVM: VMX: avoid guest hang on invalid invvpid instruction
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 009/238] KVM: VMX: avoid guest hang on invalid invept instruction Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 011/238] KVM: VMX: fix nested vpid for old KVM guests Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, jmontleo, David Matlack, Paolo Bonzini

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit f6870ee9e53430f2a318ccf0dd5e66bb46194e43 upstream.

A guest executing an invalid invvpid instruction would hang
because the instruction pointer was not updated.

Reported-by: jmontleo@redhat.com
Tested-by: jmontleo@redhat.com
Fixes: 99b83ac893b84ed1a62ad6d1f2b6cc32026b9e85
Reviewed-by: David Matlack <dmatlack@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/vmx.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7457,6 +7457,7 @@ static int handle_invvpid(struct kvm_vcp
 	if (!(types & (1UL << type))) {
 		nested_vmx_failValid(vcpu,
 			VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
+		skip_emulated_instruction(vcpu);
 		return 1;
 	}
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 011/238] KVM: VMX: fix nested vpid for old KVM guests
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 010/238] KVM: VMX: avoid guest hang on invalid invvpid instruction Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 012/238] perf/core: Fix perf_sched_count derailment Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, jmontleo, David Matlack, Paolo Bonzini

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paolo Bonzini <pbonzini@redhat.com>

commit ef697a712a6165aea7779c295604b099e8bfae2e upstream.

Old KVM guests invoke single-context invvpid without actually checking
whether it is supported.  This was fixed by commit 518c8ae ("KVM: VMX:
Make sure single type invvpid is supported before issuing invvpid
instruction", 2010-08-01) and the patch after, but pre-2.6.36
kernels lack it including RHEL 6.

Reported-by: jmontleo@redhat.com
Tested-by: jmontleo@redhat.com
Fixes: 99b83ac893b84ed1a62ad6d1f2b6cc32026b9e85
Reviewed-by: David Matlack <dmatlack@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/vmx.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2702,8 +2702,15 @@ static void nested_vmx_setup_ctls_msrs(s
 	} else
 		vmx->nested.nested_vmx_ept_caps = 0;
 
+	/*
+	 * Old versions of KVM use the single-context version without
+	 * checking for support, so declare that it is supported even
+	 * though it is treated as global context.  The alternative is
+	 * not failing the single-context invvpid, and it is worse.
+	 */
 	if (enable_vpid)
 		vmx->nested.nested_vmx_vpid_caps = VMX_VPID_INVVPID_BIT |
+				VMX_VPID_EXTENT_SINGLE_CONTEXT_BIT |
 				VMX_VPID_EXTENT_GLOBAL_CONTEXT_BIT;
 	else
 		vmx->nested.nested_vmx_vpid_caps = 0;
@@ -7474,12 +7481,17 @@ static int handle_invvpid(struct kvm_vcp
 	}
 
 	switch (type) {
+	case VMX_VPID_EXTENT_SINGLE_CONTEXT:
+		/*
+		 * Old versions of KVM use the single-context version so we
+		 * have to support it; just treat it the same as all-context.
+		 */
 	case VMX_VPID_EXTENT_ALL_CONTEXT:
 		__vmx_flush_tlb(vcpu, to_vmx(vcpu)->nested.vpid02);
 		nested_vmx_succeed(vcpu);
 		break;
 	default:
-		/* Trap single context invalidation invvpid calls */
+		/* Trap individual address invalidation invvpid calls */
 		BUG_ON(1);
 		break;
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 012/238] perf/core: Fix perf_sched_count derailment
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 011/238] KVM: VMX: fix nested vpid for old KVM guests Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 013/238] perf tools: Dont stop PMU parsing on alias parse error Greg Kroah-Hartman
                   ` (218 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Shishkin,
	Peter Zijlstra (Intel),
	Arnaldo Carvalho de Melo, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	vince, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit 927a5570855836e5d5859a80ce7e91e963545e8f upstream.

The error path in perf_event_open() is such that asking for a sampling
event on a PMU that doesn't generate interrupts will end up in dropping
the perf_sched_count even though it hasn't been incremented for this
event yet.

Given a sufficient amount of these calls, we'll end up disabling
scheduler's jump label even though we'd still have active events in the
system, thereby facilitating the arrival of the infernal regions upon us.

I'm fixing this by moving account_event() inside perf_event_alloc().

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: vince@deater.net
Link: http://lkml.kernel.org/r/1456917854-29427-1-git-send-email-alexander.shishkin@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/events/core.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -8001,6 +8001,9 @@ perf_event_alloc(struct perf_event_attr
 		}
 	}
 
+	/* symmetric to unaccount_event() in _free_event() */
+	account_event(event);
+
 	return event;
 
 err_per_task:
@@ -8364,8 +8367,6 @@ SYSCALL_DEFINE5(perf_event_open,
 		}
 	}
 
-	account_event(event);
-
 	/*
 	 * Special case software events and allow them to be part of
 	 * any hardware group.
@@ -8662,8 +8663,6 @@ perf_event_create_kernel_counter(struct
 	/* Mark owner so we could distinguish it from user events. */
 	event->owner = TASK_TOMBSTONE;
 
-	account_event(event);
-
 	ctx = find_get_context(event->pmu, task, event);
 	if (IS_ERR(ctx)) {
 		err = PTR_ERR(ctx);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 013/238] perf tools: Dont stop PMU parsing on alias parse error
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 012/238] perf/core: Fix perf_sched_count derailment Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 014/238] perf tools: Fix checking asprintf return value Greg Kroah-Hartman
                   ` (217 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andi Kleen, Jiri Olsa,
	Arnaldo Carvalho de Melo

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andi Kleen <ak@linux.intel.com>

commit 940db6dcd3f4659303fdf6befe7416adc4d24118 upstream.

When an error happens during alias parsing currently the complete
parsing of all attributes of the PMU is stopped. This is breaks old perf
on a newer kernel that may have not-yet-know alias attributes (such as
.scale or .per-pkg).

Continue when some attribute is unparseable.

This is IMHO a stable candidate and should be backported to older
versions to avoid problems with newer kernels.

v2: Print warnings when something goes wrong.
v3: Change warning to debug output

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Link: http://lkml.kernel.org/r/1455749095-18358-1-git-send-email-andi@firstfloor.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/pmu.c |   15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/tools/perf/util/pmu.c
+++ b/tools/perf/util/pmu.c
@@ -284,13 +284,12 @@ static int pmu_aliases_parse(char *dir,
 {
 	struct dirent *evt_ent;
 	DIR *event_dir;
-	int ret = 0;
 
 	event_dir = opendir(dir);
 	if (!event_dir)
 		return -EINVAL;
 
-	while (!ret && (evt_ent = readdir(event_dir))) {
+	while ((evt_ent = readdir(event_dir))) {
 		char path[PATH_MAX];
 		char *name = evt_ent->d_name;
 		FILE *file;
@@ -306,17 +305,19 @@ static int pmu_aliases_parse(char *dir,
 
 		snprintf(path, PATH_MAX, "%s/%s", dir, name);
 
-		ret = -EINVAL;
 		file = fopen(path, "r");
-		if (!file)
-			break;
+		if (!file) {
+			pr_debug("Cannot open %s\n", path);
+			continue;
+		}
 
-		ret = perf_pmu__new_alias(head, dir, name, file);
+		if (perf_pmu__new_alias(head, dir, name, file) < 0)
+			pr_debug("Cannot set up %s\n", name);
 		fclose(file);
 	}
 
 	closedir(event_dir);
-	return ret;
+	return 0;
 }
 
 /*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 014/238] perf tools: Fix checking asprintf return value
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 013/238] perf tools: Dont stop PMU parsing on alias parse error Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 015/238] perf tools: Fix python extension build Greg Kroah-Hartman
                   ` (216 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wang Nan, Adrian Hunter,
	Alexei Starovoitov, Brendan Gregg, Cody P Schafer, He Kuang,
	Jeremie Galarneau, Jiri Olsa, Kirill Smelkov, Li Zefan,
	Masami Hiramatsu, Namhyung Kim, Peter Zijlstra, pi3orama,
	Arnaldo Carvalho de Melo

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Wang Nan <wangnan0@huawei.com>

commit 26dee028d365fbc0e3326606a8520260b4462381 upstream.

According to man pages, asprintf returns -1 when failure. This patch
fixes two incorrect return value checker.

Signed-off-by: Wang Nan <wangnan0@huawei.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Brendan Gregg <brendan.d.gregg@gmail.com>
Cc: Cody P Schafer <dev@codyps.com>
Cc: He Kuang <hekuang@huawei.com>
Cc: Jeremie Galarneau <jeremie.galarneau@efficios.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kirill Smelkov <kirr@nexedi.com>
Cc: Li Zefan <lizefan@huawei.com>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Zefan Li <lizefan@huawei.com>
Cc: pi3orama@163.com
Fixes: ffeb883e5662 ("perf tools: Show proper error message for wrong terms of hw/sw events")
Link: http://lkml.kernel.org/r/1455882283-79592-5-git-send-email-wangnan0@huawei.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/parse-events.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/tools/perf/util/parse-events.c
+++ b/tools/perf/util/parse-events.c
@@ -2101,11 +2101,11 @@ char *parse_events_formats_error_string(
 
 	/* valid terms */
 	if (additional_terms) {
-		if (!asprintf(&str, "valid terms: %s,%s",
-			      additional_terms, static_terms))
+		if (asprintf(&str, "valid terms: %s,%s",
+			     additional_terms, static_terms) < 0)
 			goto fail;
 	} else {
-		if (!asprintf(&str, "valid terms: %s", static_terms))
+		if (asprintf(&str, "valid terms: %s", static_terms) < 0)
 			goto fail;
 	}
 	return str;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 015/238] perf tools: Fix python extension build
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 014/238] perf tools: Fix checking asprintf return value Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 016/238] Thermal: Ignore invalid trip points Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeff Bastian, Jiri Olsa, Josh Boyer,
	David Ahern, Namhyung Kim, Peter Zijlstra,
	Arnaldo Carvalho de Melo

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jolsa@redhat.com>

commit 67d5268908283c187e0a460048a423256c2fb288 upstream.

The util/python-ext-sources file contains source files required to build
the python extension relative to $(srctree)/tools/perf,

Such a file path $(FILE).c is handed over to the python extension build
system, which builds the final object in the
$(PYTHON_EXTBUILD)/tmp/$(FILE).o path.

After the build is done all files from $(PYTHON_EXTBUILD)lib/ are
carried as the result binaries.

Above system fails when we add source file relative to ../lib, which we
do for:

  ../lib/bitmap.c
  ../lib/find_bit.c
  ../lib/hweight.c
  ../lib/rbtree.c

All above objects will be built like:

  $(PYTHON_EXTBUILD)/tmp/../lib/bitmap.c
  $(PYTHON_EXTBUILD)/tmp/../lib/find_bit.c
  $(PYTHON_EXTBUILD)/tmp/../lib/hweight.c
  $(PYTHON_EXTBUILD)/tmp/../lib/rbtree.c

which accidentally happens to be final library path:

  $(PYTHON_EXTBUILD)/lib/

Changing setup.py to pass full paths of source files to Extension build
class and thus keep all built objects under $(PYTHON_EXTBUILD)tmp
directory.

Reported-by: Jeff Bastian <jbastian@redhat.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Tested-by: Josh Boyer <jwboyer@fedoraproject.org>
Cc: David Ahern <dsahern@gmail.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: http://lkml.kernel.org/r/20160227201350.GB28494@krava.redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/setup.py |    4 ++++
 1 file changed, 4 insertions(+)

--- a/tools/perf/util/setup.py
+++ b/tools/perf/util/setup.py
@@ -22,6 +22,7 @@ cflags = getenv('CFLAGS', '').split()
 # switch off several checks (need to be at the end of cflags list)
 cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter' ]
 
+src_perf  = getenv('srctree') + '/tools/perf'
 build_lib = getenv('PYTHON_EXTBUILD_LIB')
 build_tmp = getenv('PYTHON_EXTBUILD_TMP')
 libtraceevent = getenv('LIBTRACEEVENT')
@@ -30,6 +31,9 @@ libapikfs = getenv('LIBAPI')
 ext_sources = [f.strip() for f in file('util/python-ext-sources')
 				if len(f.strip()) > 0 and f[0] != '#']
 
+# use full paths with source files
+ext_sources = map(lambda x: '%s/%s' % (src_perf, x) , ext_sources)
+
 perf = Extension('perf',
 		  sources = ext_sources,
 		  include_dirs = ['util/include'],

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 016/238] Thermal: Ignore invalid trip points
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 015/238] perf tools: Fix python extension build Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 017/238] sched/cputime: Fix steal_account_process_tick() to always return jiffies Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhang Rui

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Zhang Rui <rui.zhang@intel.com>

commit 81ad4276b505e987dd8ebbdf63605f92cd172b52 upstream.

In some cases, platform thermal driver may report invalid trip points,
thermal core should not take any action for these trip points.

This fixed a regression that bogus trip point starts to screw up thermal
control on some Lenovo laptops, after
commit bb431ba26c5cd0a17c941ca6c3a195a3a6d5d461
Author: Zhang Rui <rui.zhang@intel.com>
Date:   Fri Oct 30 16:31:47 2015 +0800

    Thermal: initialize thermal zone device correctly

    After thermal zone device registered, as we have not read any
    temperature before, thus tz->temperature should not be 0,
    which actually means 0C, and thermal trend is not available.
    In this case, we need specially handling for the first
    thermal_zone_device_update().

    Both thermal core framework and step_wise governor is
    enhanced to handle this. And since the step_wise governor
    is the only one that uses trends, so it's the only thermal
    governor that needs to be updated.

    Tested-by: Manuel Krause <manuelkrause@netscape.net>
    Tested-by: szegad <szegadlo@poczta.onet.pl>
    Tested-by: prash <prash.n.rao@gmail.com>
    Tested-by: amish <ammdispose-arch@yahoo.com>
    Tested-by: Matthias <morpheusxyz123@yahoo.de>
    Reviewed-by: Javi Merino <javi.merino@arm.com>
    Signed-off-by: Zhang Rui <rui.zhang@intel.com>
    Signed-off-by: Chen Yu <yu.c.chen@intel.com>

Link: https://bugzilla.redhat.com/show_bug.cgi?id=1317190
Link: https://bugzilla.kernel.org/show_bug.cgi?id=114551
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/thermal/thermal_core.c |   13 ++++++++++++-
 include/linux/thermal.h        |    2 ++
 2 files changed, 14 insertions(+), 1 deletion(-)

--- a/drivers/thermal/thermal_core.c
+++ b/drivers/thermal/thermal_core.c
@@ -454,6 +454,10 @@ static void handle_thermal_trip(struct t
 {
 	enum thermal_trip_type type;
 
+	/* Ignore disabled trip points */
+	if (test_bit(trip, &tz->trips_disabled))
+		return;
+
 	tz->ops->get_trip_type(tz, trip, &type);
 
 	if (type == THERMAL_TRIP_CRITICAL || type == THERMAL_TRIP_HOT)
@@ -1800,6 +1804,7 @@ struct thermal_zone_device *thermal_zone
 {
 	struct thermal_zone_device *tz;
 	enum thermal_trip_type trip_type;
+	int trip_temp;
 	int result;
 	int count;
 	int passive = 0;
@@ -1871,9 +1876,15 @@ struct thermal_zone_device *thermal_zone
 		goto unregister;
 
 	for (count = 0; count < trips; count++) {
-		tz->ops->get_trip_type(tz, count, &trip_type);
+		if (tz->ops->get_trip_type(tz, count, &trip_type))
+			set_bit(count, &tz->trips_disabled);
 		if (trip_type == THERMAL_TRIP_PASSIVE)
 			passive = 1;
+		if (tz->ops->get_trip_temp(tz, count, &trip_temp))
+			set_bit(count, &tz->trips_disabled);
+		/* Check for bogus trip points */
+		if (trip_temp == 0)
+			set_bit(count, &tz->trips_disabled);
 	}
 
 	if (!passive) {
--- a/include/linux/thermal.h
+++ b/include/linux/thermal.h
@@ -156,6 +156,7 @@ struct thermal_attr {
  * @trip_hyst_attrs:	attributes for trip points for sysfs: trip hysteresis
  * @devdata:	private pointer for device private data
  * @trips:	number of trip points the thermal zone supports
+ * @trips_disabled;	bitmap for disabled trips
  * @passive_delay:	number of milliseconds to wait between polls when
  *			performing passive cooling.
  * @polling_delay:	number of milliseconds to wait between polls when
@@ -191,6 +192,7 @@ struct thermal_zone_device {
 	struct thermal_attr *trip_hyst_attrs;
 	void *devdata;
 	int trips;
+	unsigned long trips_disabled;	/* bitmap for disabled trips */
 	int passive_delay;
 	int polling_delay;
 	int temperature;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 017/238] sched/cputime: Fix steal_account_process_tick() to always return jiffies
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 016/238] Thermal: Ignore invalid trip points Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 018/238] sched/fair: Avoid using decay_load_missed() with a negative value Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Friesen, Peter Zijlstra (Intel),
	Thomas Gleixner, Frederic Weisbecker, Linus Torvalds,
	Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chris Friesen <cbf123@mail.usask.ca>

commit f9c904b7613b8b4c85b10cd6b33ad41b2843fa9d upstream.

The callers of steal_account_process_tick() expect it to return
whether a jiffy should be considered stolen or not.

Currently the return value of steal_account_process_tick() is in
units of cputime, which vary between either jiffies or nsecs
depending on CONFIG_VIRT_CPU_ACCOUNTING_GEN.

If cputime has nsecs granularity and there is a tiny amount of
stolen time (a few nsecs, say) then we will consider the entire
tick stolen and will not account the tick on user/system/idle,
causing /proc/stats to show invalid data.

The fix is to change steal_account_process_tick() to accumulate
the stolen time and only account it once it's worth a jiffy.

(Thanks to Frederic Weisbecker for suggestions to fix a bug in my
first version of the patch.)

Signed-off-by: Chris Friesen <chris.friesen@windriver.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/56DBBDB8.40305@mail.usask.ca
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/sched/cputime.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/kernel/sched/cputime.c
+++ b/kernel/sched/cputime.c
@@ -262,21 +262,21 @@ static __always_inline bool steal_accoun
 #ifdef CONFIG_PARAVIRT
 	if (static_key_false(&paravirt_steal_enabled)) {
 		u64 steal;
-		cputime_t steal_ct;
+		unsigned long steal_jiffies;
 
 		steal = paravirt_steal_clock(smp_processor_id());
 		steal -= this_rq()->prev_steal_time;
 
 		/*
-		 * cputime_t may be less precise than nsecs (eg: if it's
-		 * based on jiffies). Lets cast the result to cputime
+		 * steal is in nsecs but our caller is expecting steal
+		 * time in jiffies. Lets cast the result to jiffies
 		 * granularity and account the rest on the next rounds.
 		 */
-		steal_ct = nsecs_to_cputime(steal);
-		this_rq()->prev_steal_time += cputime_to_nsecs(steal_ct);
+		steal_jiffies = nsecs_to_jiffies(steal);
+		this_rq()->prev_steal_time += jiffies_to_nsecs(steal_jiffies);
 
-		account_steal_time(steal_ct);
-		return steal_ct;
+		account_steal_time(jiffies_to_cputime(steal_jiffies));
+		return steal_jiffies;
 	}
 #endif
 	return false;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 018/238] sched/fair: Avoid using decay_load_missed() with a negative value
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 017/238] sched/cputime: Fix steal_account_process_tick() to always return jiffies Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 019/238] sched/preempt, sh: kmap_coherent relies on disabled preemption Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dietmar Eggemann, Byungchul Park,
	Peter Zijlstra (Intel),
	Chris Metcalf, Christoph Lameter, Frederic Weisbecker,
	Linus Torvalds, Luiz Capitulino, Mike Galbraith,
	Paul E . McKenney, Rik van Riel, Thomas Gleixner, perterz,
	Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Byungchul Park <byungchul.park@lge.com>

commit 7400d3bbaa229eb8e7631d28fb34afd7cd2c96ff upstream.

decay_load_missed() cannot handle nagative values, so we need to prevent
using the function with a negative value.

Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Signed-off-by: Byungchul Park <byungchul.park@lge.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Paul E . McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: perterz@infradead.org
Fixes: 59543275488d ("sched/fair: Prepare __update_cpu_load() to handle active tickless")
Link: http://lkml.kernel.org/r/20160115070749.GA1914@X58A-UD3R
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/sched/fair.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -4459,9 +4459,17 @@ static void __update_cpu_load(struct rq
 
 		/* scale is effectively 1 << i now, and >> i divides by scale */
 
-		old_load = this_rq->cpu_load[i] - tickless_load;
+		old_load = this_rq->cpu_load[i];
 		old_load = decay_load_missed(old_load, pending_updates - 1, i);
-		old_load += tickless_load;
+		if (tickless_load) {
+			old_load -= decay_load_missed(tickless_load, pending_updates - 1, i);
+			/*
+			 * old_load can never be a negative value because a
+			 * decayed tickless_load cannot be greater than the
+			 * original tickless_load.
+			 */
+			old_load += tickless_load;
+		}
 		new_load = this_load;
 		/*
 		 * Round up the averaging division if load is increasing. This

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 019/238] sched/preempt, sh: kmap_coherent relies on disabled preemption
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 018/238] sched/fair: Avoid using decay_load_missed() with a negative value Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 020/238] EDAC/sb_edac: Fix computation of channel address Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, David Hildenbrand,
	Hans Verkuil, Rich Felker

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand <dahi@linux.vnet.ibm.com>

commit b15d53d009558d14c4f394a6d1fa2039c7f45c43 upstream.

kmap_coherent needs disabled preemption to not schedule in the critical
section, just like kmap_coherent on mips and kmap_atomic in general.

Fixes: 8222dbe21e79 "sched/preempt, mm/fault: Decouple preemption from the page fault logic"
Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Tested-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Rich Felker <dalias@libc.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/sh/mm/kmap.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/sh/mm/kmap.c
+++ b/arch/sh/mm/kmap.c
@@ -36,6 +36,7 @@ void *kmap_coherent(struct page *page, u
 
 	BUG_ON(!test_bit(PG_dcache_clean, &page->flags));
 
+	preempt_disable();
 	pagefault_disable();
 
 	idx = FIX_CMAP_END -
@@ -64,4 +65,5 @@ void kunmap_coherent(void *kvaddr)
 	}
 
 	pagefault_enable();
+	preempt_enable();
 }

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 020/238] EDAC/sb_edac: Fix computation of channel address
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 019/238] sched/preempt, sh: kmap_coherent relies on disabled preemption Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 021/238] EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr() Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Luck, Aristeu Rozanski,
	Borislav Petkov, Linus Torvalds, Mauro Carvalho Chehab,
	Peter Zijlstra, Thomas Gleixner, linux-edac, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tony Luck <tony.luck@intel.com>

commit eb1af3b71f9d83e45f2fd2fd649356e98e1c582c upstream.

Large memory Haswell-EX systems with multiple DIMMs per channel were
sometimes reporting the wrong DIMM.

Found three problems:

 1) Debug printouts for socket and channel interleave were not interpreting
    the register fields correctly. The socket interleave field is a 2^X
    value (0=1, 1=2, 2=4, 3=8). The channel interleave is X+1 (0=1, 1=2,
    2=3. 3=4).

 2) Actual use of the socket interleave value didn't interpret as 2^X

 3) Conversion of address to channel address was complicated, and wrong.

Signed-off-by: Tony Luck <tony.luck@intel.com>
Acked-by: Aristeu Rozanski <arozansk@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-edac@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/edac/sb_edac.c |   26 ++++++++++----------------
 1 file changed, 10 insertions(+), 16 deletions(-)

--- a/drivers/edac/sb_edac.c
+++ b/drivers/edac/sb_edac.c
@@ -1839,8 +1839,8 @@ static void get_memory_layout(const stru
 		edac_dbg(0, "TAD#%d: up to %u.%03u GB (0x%016Lx), socket interleave %d, memory interleave %d, TGT: %d, %d, %d, %d, reg=0x%08x\n",
 			 n_tads, gb, (mb*1000)/1024,
 			 ((u64)tmp_mb) << 20L,
-			 (u32)TAD_SOCK(reg),
-			 (u32)TAD_CH(reg),
+			 (u32)(1 << TAD_SOCK(reg)),
+			 (u32)TAD_CH(reg) + 1,
 			 (u32)TAD_TGT0(reg),
 			 (u32)TAD_TGT1(reg),
 			 (u32)TAD_TGT2(reg),
@@ -2118,7 +2118,7 @@ static int get_memory_error_data(struct
 	}
 
 	ch_way = TAD_CH(reg) + 1;
-	sck_way = TAD_SOCK(reg) + 1;
+	sck_way = 1 << TAD_SOCK(reg);
 
 	if (ch_way == 3)
 		idx = addr >> 6;
@@ -2175,7 +2175,7 @@ static int get_memory_error_data(struct
 		 n_tads,
 		 addr,
 		 limit,
-		 (u32)TAD_SOCK(reg),
+		 sck_way,
 		 ch_way,
 		 offset,
 		 idx,
@@ -2190,18 +2190,12 @@ static int get_memory_error_data(struct
 			offset, addr);
 		return -EINVAL;
 	}
-	addr -= offset;
-	/* Store the low bits [0:6] of the addr */
-	ch_addr = addr & 0x7f;
-	/* Remove socket wayness and remove 6 bits */
-	addr >>= 6;
-	addr = div_u64(addr, sck_xch);
-#if 0
-	/* Divide by channel way */
-	addr = addr / ch_way;
-#endif
-	/* Recover the last 6 bits */
-	ch_addr |= addr << 6;
+
+	ch_addr = addr - offset;
+	ch_addr >>= (6 + shiftup);
+	ch_addr /= ch_way * sck_way;
+	ch_addr <<= (6 + shiftup);
+	ch_addr |= addr & ((1 << (6 + shiftup)) - 1);
 
 	/*
 	 * Step 3) Decode rank

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 021/238] EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 020/238] EDAC/sb_edac: Fix computation of channel address Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 022/238] s390: fix floating pointer register corruption (again) Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter,
	Aravind Gopalakrishnan, linux-edac, Borislav Petkov

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 6f3508f61c814ee852c199988a62bd954c50dfc1 upstream.

dct_sel_base_off is declared as a u64 but we're only using the lower 32
bits because of a shift wrapping bug. This can possibly truncate the
upper 16 bits of DctSelBaseOffset[47:26], causing us to misdecode the CS
row.

Fixes: c8e518d5673d ('amd64_edac: Sanitize f10_get_base_addr_offset')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Aravind Gopalakrishnan <Aravind.Gopalakrishnan@amd.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/20160120095451.GB19898@mwanda
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/edac/amd64_edac.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/edac/amd64_edac.c
+++ b/drivers/edac/amd64_edac.c
@@ -1452,7 +1452,7 @@ static u64 f1x_get_norm_dct_addr(struct
 	u64 chan_off;
 	u64 dram_base		= get_dram_base(pvt, range);
 	u64 hole_off		= f10_dhar_offset(pvt);
-	u64 dct_sel_base_off	= (pvt->dct_sel_hi & 0xFFFFFC00) << 16;
+	u64 dct_sel_base_off	= (u64)(pvt->dct_sel_hi & 0xFFFFFC00) << 16;
 
 	if (hi_rng) {
 		/*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 022/238] s390: fix floating pointer register corruption (again)
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 021/238] EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr() Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 023/238] s390/cpumf: add missing lpp magic initialization Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Borntraeger, Martin Schwidefsky

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky <schwidefsky@de.ibm.com>

commit e370e4769463a65dcf8806fa26d2874e0542ac41 upstream.

There is a tricky interaction between the machine check handler
and the critical sections of load_fpu_regs and save_fpu_regs
functions. If the machine check interrupts one of the two
functions the critical section cleanup will complete the function
before the machine check handler s390_do_machine_check is called.
Trouble is that the machine check handler needs to validate the
floating point registers *before* and not *after* the completion
of load_fpu_regs/save_fpu_regs.

The simplest solution is to rewind the PSW to the start of the
load_fpu_regs/save_fpu_regs and retry the function after the
return from the machine check handler.

Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kernel/entry.S |  106 -----------------------------------------------
 1 file changed, 2 insertions(+), 104 deletions(-)

--- a/arch/s390/kernel/entry.S
+++ b/arch/s390/kernel/entry.S
@@ -1199,114 +1199,12 @@ cleanup_critical:
 	.quad	.Lpsw_idle_lpsw
 
 .Lcleanup_save_fpu_regs:
-	TSTMSK	__LC_CPU_FLAGS,_CIF_FPU
-	bor	%r14
-	clg	%r9,BASED(.Lcleanup_save_fpu_regs_done)
-	jhe	5f
-	clg	%r9,BASED(.Lcleanup_save_fpu_regs_fp)
-	jhe	4f
-	clg	%r9,BASED(.Lcleanup_save_fpu_regs_vx_high)
-	jhe	3f
-	clg	%r9,BASED(.Lcleanup_save_fpu_regs_vx_low)
-	jhe	2f
-	clg	%r9,BASED(.Lcleanup_save_fpu_fpc_end)
-	jhe	1f
-	lg	%r2,__LC_CURRENT
-	aghi	%r2,__TASK_thread
-0:	# Store floating-point controls
-	stfpc	__THREAD_FPU_fpc(%r2)
-1:	# Load register save area and check if VX is active
-	lg	%r3,__THREAD_FPU_regs(%r2)
-	TSTMSK	__LC_MACHINE_FLAGS,MACHINE_FLAG_VX
-	jz	4f			  # no VX -> store FP regs
-2:	# Store vector registers (V0-V15)
-	VSTM	%v0,%v15,0,%r3		  # vstm 0,15,0(3)
-3:	# Store vector registers (V16-V31)
-	VSTM	%v16,%v31,256,%r3	  # vstm 16,31,256(3)
-	j	5f			  # -> done, set CIF_FPU flag
-4:	# Store floating-point registers
-	std	0,0(%r3)
-	std	1,8(%r3)
-	std	2,16(%r3)
-	std	3,24(%r3)
-	std	4,32(%r3)
-	std	5,40(%r3)
-	std	6,48(%r3)
-	std	7,56(%r3)
-	std	8,64(%r3)
-	std	9,72(%r3)
-	std	10,80(%r3)
-	std	11,88(%r3)
-	std	12,96(%r3)
-	std	13,104(%r3)
-	std	14,112(%r3)
-	std	15,120(%r3)
-5:	# Set CIF_FPU flag
-	oi	__LC_CPU_FLAGS+7,_CIF_FPU
-	lg	%r9,48(%r11)		# return from save_fpu_regs
+	larl	%r9,save_fpu_regs
 	br	%r14
-.Lcleanup_save_fpu_fpc_end:
-	.quad	.Lsave_fpu_regs_fpc_end
-.Lcleanup_save_fpu_regs_vx_low:
-	.quad	.Lsave_fpu_regs_vx_low
-.Lcleanup_save_fpu_regs_vx_high:
-	.quad	.Lsave_fpu_regs_vx_high
-.Lcleanup_save_fpu_regs_fp:
-	.quad	.Lsave_fpu_regs_fp
-.Lcleanup_save_fpu_regs_done:
-	.quad	.Lsave_fpu_regs_done
 
 .Lcleanup_load_fpu_regs:
-	TSTMSK	__LC_CPU_FLAGS,_CIF_FPU
-	bnor	%r14
-	clg	%r9,BASED(.Lcleanup_load_fpu_regs_done)
-	jhe	1f
-	clg	%r9,BASED(.Lcleanup_load_fpu_regs_fp)
-	jhe	2f
-	clg	%r9,BASED(.Lcleanup_load_fpu_regs_vx_high)
-	jhe	3f
-	clg	%r9,BASED(.Lcleanup_load_fpu_regs_vx)
-	jhe	4f
-	lg	%r4,__LC_CURRENT
-	aghi	%r4,__TASK_thread
-	lfpc	__THREAD_FPU_fpc(%r4)
-	TSTMSK	__LC_MACHINE_FLAGS,MACHINE_FLAG_VX
-	lg	%r4,__THREAD_FPU_regs(%r4)	# %r4 <- reg save area
-	jz	2f				# -> no VX, load FP regs
-4:	# Load V0 ..V15 registers
-	VLM	%v0,%v15,0,%r4
-3:	# Load V16..V31 registers
-	VLM	%v16,%v31,256,%r4
-	j	1f
-2:	# Load floating-point registers
-	ld	0,0(%r4)
-	ld	1,8(%r4)
-	ld	2,16(%r4)
-	ld	3,24(%r4)
-	ld	4,32(%r4)
-	ld	5,40(%r4)
-	ld	6,48(%r4)
-	ld	7,56(%r4)
-	ld	8,64(%r4)
-	ld	9,72(%r4)
-	ld	10,80(%r4)
-	ld	11,88(%r4)
-	ld	12,96(%r4)
-	ld	13,104(%r4)
-	ld	14,112(%r4)
-	ld	15,120(%r4)
-1:	# Clear CIF_FPU bit
-	ni	__LC_CPU_FLAGS+7,255-_CIF_FPU
-	lg	%r9,48(%r11)		# return from load_fpu_regs
+	larl	%r9,load_fpu_regs
 	br	%r14
-.Lcleanup_load_fpu_regs_vx:
-	.quad	.Lload_fpu_regs_vx
-.Lcleanup_load_fpu_regs_vx_high:
-	.quad	.Lload_fpu_regs_vx_high
-.Lcleanup_load_fpu_regs_fp:
-	.quad	.Lload_fpu_regs_fp
-.Lcleanup_load_fpu_regs_done:
-	.quad	.Lload_fpu_regs_done
 
 /*
  * Integer constants

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 023/238] s390/cpumf: add missing lpp magic initialization
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 022/238] s390: fix floating pointer register corruption (again) Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 024/238] s390/pci: enforce fmb page boundary rule Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shu Juan Zhang,
	Christian Borntraeger, Heiko Carstens, Martin Schwidefsky

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <heiko.carstens@de.ibm.com>

commit 8f100bb1ff27873dd71f636da670e503b9ade3c6 upstream.

Add the missing lpp magic initialization for cpu 0. Without this all
samples on cpu 0 do not have the most significant bit set in the
program parameter field, which we use to distinguish between guest and
host samples if the pid is also 0.

We did initialize the lpp magic in the absolute zero lowcore but
forgot that when switching to the allocated lowcore on cpu 0 only.

Reported-by: Shu Juan Zhang <zhshuj@cn.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Fixes: e22cf8ca6f75 ("s390/cpumf: rework program parameter setting to detect guest samples")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kernel/setup.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/s390/kernel/setup.c
+++ b/arch/s390/kernel/setup.c
@@ -327,6 +327,7 @@ static void __init setup_lowcore(void)
 		+ PAGE_SIZE - STACK_FRAME_OVERHEAD - sizeof(struct pt_regs);
 	lc->current_task = (unsigned long) init_thread_union.thread_info.task;
 	lc->thread_info = (unsigned long) &init_thread_union;
+	lc->lpp = LPP_MAGIC;
 	lc->machine_flags = S390_lowcore.machine_flags;
 	lc->stfl_fac_list = S390_lowcore.stfl_fac_list;
 	memcpy(lc->stfle_fac_list, S390_lowcore.stfle_fac_list,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 024/238] s390/pci: enforce fmb page boundary rule
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 023/238] s390/cpumf: add missing lpp magic initialization Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 025/238] pinctrl-bcm2835: Fix cut-and-paste error in "pull" parsing Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sebastian Ott, Martin Schwidefsky

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Ott <sebott@linux.vnet.ibm.com>

commit 80c544ded25ac14d7cc3e555abb8ed2c2da99b84 upstream.

The function measurement block must not cross a page boundary. Ensure
that by raising the alignment requirement to the smallest power of 2
larger than the size of the fmb.

Fixes: d0b088531 ("s390/pci: performance statistics and debug infrastructure")
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/include/asm/pci.h |    2 +-
 arch/s390/pci/pci.c         |    5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

--- a/arch/s390/include/asm/pci.h
+++ b/arch/s390/include/asm/pci.h
@@ -45,7 +45,7 @@ struct zpci_fmb {
 	u64 rpcit_ops;
 	u64 dma_rbytes;
 	u64 dma_wbytes;
-} __packed __aligned(16);
+} __packed __aligned(64);
 
 enum zpci_state {
 	ZPCI_FN_STATE_RESERVED,
--- a/arch/s390/pci/pci.c
+++ b/arch/s390/pci/pci.c
@@ -864,8 +864,11 @@ static inline int barsize(u8 size)
 
 static int zpci_mem_init(void)
 {
+	BUILD_BUG_ON(!is_power_of_2(__alignof__(struct zpci_fmb)) ||
+		     __alignof__(struct zpci_fmb) < sizeof(struct zpci_fmb));
+
 	zdev_fmb_cache = kmem_cache_create("PCI_FMB_cache", sizeof(struct zpci_fmb),
-				16, 0, NULL);
+					   __alignof__(struct zpci_fmb), 0, NULL);
 	if (!zdev_fmb_cache)
 		goto error_fmb;
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 025/238] pinctrl-bcm2835: Fix cut-and-paste error in "pull" parsing
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 024/238] s390/pci: enforce fmb page boundary rule Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 026/238] PCI: Disable IO/MEM decoding for devices with non-compliant BARs Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Anholt, Phil Elwell,
	Stephen Warren, Linus Walleij

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Phil Elwell <phil@raspberrypi.org>

commit 2c7e3306d23864d49f686f22e56e180ff0fffb7f upstream.

The DT bindings for pinctrl-bcm2835 allow both the function and pull
to contain either one entry or one per pin. However, an error in the
DT parsing can cause failures if the number of pulls differs from the
number of functions.

Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Phil Elwell <phil@raspberrypi.org>
Reviewed-by: Stephen Warren <swarren@wwwdotorg.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pinctrl/bcm/pinctrl-bcm2835.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pinctrl/bcm/pinctrl-bcm2835.c
+++ b/drivers/pinctrl/bcm/pinctrl-bcm2835.c
@@ -779,7 +779,7 @@ static int bcm2835_pctl_dt_node_to_map(s
 		}
 		if (num_pulls) {
 			err = of_property_read_u32_index(np, "brcm,pull",
-					(num_funcs > 1) ? i : 0, &pull);
+					(num_pulls > 1) ? i : 0, &pull);
 			if (err)
 				goto out;
 			err = bcm2835_pctl_dt_node_to_map_pull(pc, np, pin,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 026/238] PCI: Disable IO/MEM decoding for devices with non-compliant BARs
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 025/238] pinctrl-bcm2835: Fix cut-and-paste error in "pull" parsing Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-11 23:45   ` Ben Hutchings
  2016-04-10 18:33 ` [PATCH 4.5 027/238] PCI: ACPI: IA64: fix IO port generic range check Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  229 siblings, 1 reply; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bjorn Helgaas, Andi Kleen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bjorn Helgaas <bhelgaas@google.com>

commit b84106b4e2290c081cdab521fa832596cdfea246 upstream.

The PCI config header (first 64 bytes of each device's config space) is
defined by the PCI spec so generic software can identify the device and
manage its usage of I/O, memory, and IRQ resources.

Some non-spec-compliant devices put registers other than BARs where the
BARs should be.  When the PCI core sizes these "BARs", the reads and writes
it does may have unwanted side effects, and the "BAR" may appear to
describe non-sensical address space.

Add a flag bit to mark non-compliant devices so we don't touch their BARs.
Turn off IO/MEM decoding to prevent the devices from consuming address
space, since we can't read the BARs to find out what that address space
would be.

Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/probe.c |   14 ++++++++++++++
 include/linux/pci.h |    1 +
 2 files changed, 15 insertions(+)

--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -179,6 +179,9 @@ int __pci_read_base(struct pci_dev *dev,
 	u16 orig_cmd;
 	struct pci_bus_region region, inverted_region;
 
+	if (dev->non_compliant_bars)
+		return 0;
+
 	mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
 
 	/* No printks while decoding is disabled! */
@@ -1171,6 +1174,7 @@ static void pci_msi_setup_pci_dev(struct
 int pci_setup_device(struct pci_dev *dev)
 {
 	u32 class;
+	u16 cmd;
 	u8 hdr_type;
 	int pos = 0;
 	struct pci_bus_region region;
@@ -1214,6 +1218,16 @@ int pci_setup_device(struct pci_dev *dev
 	/* device class may be changed after fixup */
 	class = dev->class >> 8;
 
+	if (dev->non_compliant_bars) {
+		pci_read_config_word(dev, PCI_COMMAND, &cmd);
+		if (cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) {
+			dev_info(&dev->dev, "device has non-compliant BARs; disabling IO/MEM decoding\n");
+			cmd &= ~PCI_COMMAND_IO;
+			cmd &= ~PCI_COMMAND_MEMORY;
+			pci_write_config_word(dev, PCI_COMMAND, cmd);
+		}
+	}
+
 	switch (dev->hdr_type) {		    /* header type */
 	case PCI_HEADER_TYPE_NORMAL:		    /* standard header */
 		if (class == PCI_CLASS_BRIDGE_PCI)
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -359,6 +359,7 @@ struct pci_dev {
 	unsigned int	io_window_1k:1;	/* Intel P2P bridge 1K I/O windows */
 	unsigned int	irq_managed:1;
 	unsigned int	has_secondary_link:1;
+	unsigned int	non_compliant_bars:1;	/* broken BARs; ignore them */
 	pci_dev_flags_t dev_flags;
 	atomic_t	enable_cnt;	/* pci_enable_device has been called */
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 027/238] PCI: ACPI: IA64: fix IO port generic range check
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 026/238] PCI: Disable IO/MEM decoding for devices with non-compliant BARs Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 028/238] x86/irq: Cure live lock in fixup_irqs() Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lorenzo Pieralisi, Rafael J. Wysocki

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>

commit 4a2e7aab4ffce1e0e79b303dc2f9a03aa9f3a332 upstream.

The [0 - 64k] ACPI PCI IO port resource boundary check in:

acpi_dev_ioresource_flags()

is currently applied blindly in the ACPI resource parsing to all
architectures, but only x86 suffers from that IO space limitation.

On arches (ie IA64 and ARM64) where IO space is memory mapped,
the PCI root bridges IO resource windows are firstly initialized from
the _CRS (in acpi_decode_space()) and contain the CPU physical address
at which a root bridge decodes IO space in the CPU physical address
space with the offset value representing the offset required to translate
the PCI bus address into the CPU physical address.

The IO resource windows are then parsed and updated in arch code
before creating and enumerating PCI buses (eg IA64 add_io_space())
to map in an arch specific way the obtained CPU physical address range
to a slice of virtual address space reserved to map PCI IO space,
ending up with PCI bridges resource windows containing IO
resources like the following on a working IA64 configuration:

PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [io  0x1000000-0x100ffff window] (bus
address [0x0000-0xffff])
pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000fffff window]
pci_bus 0000:00: root bus resource [mem 0x80000000-0x8fffffff window]
pci_bus 0000:00: root bus resource [mem 0x80004000000-0x800ffffffff window]
pci_bus 0000:00: root bus resource [bus 00]

This implies that the [0 - 64K] check in acpi_dev_ioresource_flags()
leaves platforms with memory mapped IO space (ie IA64) broken (ie kernel
can't claim IO resources since the host bridge IO resource is disabled
and discarded by ACPI core code, see log on IA64 with missing root bridge
IO resource, silently filtered by current [0 - 64k] check in
acpi_dev_ioresource_flags()):

PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000fffff window]
pci_bus 0000:00: root bus resource [mem 0x80000000-0x8fffffff window]
pci_bus 0000:00: root bus resource [mem 0x80004000000-0x800ffffffff window]
pci_bus 0000:00: root bus resource [bus 00]

[...]

pci 0000:00:03.0: [1002:515e] type 00 class 0x030000
pci 0000:00:03.0: reg 0x10: [mem 0x80000000-0x87ffffff pref]
pci 0000:00:03.0: reg 0x14: [io  0x1000-0x10ff]
pci 0000:00:03.0: reg 0x18: [mem 0x88020000-0x8802ffff]
pci 0000:00:03.0: reg 0x30: [mem 0x88000000-0x8801ffff pref]
pci 0000:00:03.0: supports D1 D2
pci 0000:00:03.0: can't claim BAR 1 [io  0x1000-0x10ff]: no compatible
bridge window

For this reason, the IO port resources boundaries check in generic ACPI
parsing code should be guarded with a CONFIG_X86 guard so that more arches
(ie ARM64) can benefit from the generic ACPI resources parsing interface
without incurring in unexpected resource filtering, fixing at the same
time current breakage on IA64.

This patch factors out IO ports boundary [0 - 64k] check in generic ACPI
code and makes the IO space check X86 specific to make sure that IO
space resources are usable on other arches too.

Fixes: 3772aea7d6f3 (ia64/PCI/ACPI: Use common ACPI resource parsing interface for host bridge)
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/resource.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -27,8 +27,20 @@
 
 #ifdef CONFIG_X86
 #define valid_IRQ(i) (((i) != 0) && ((i) != 2))
+static inline bool acpi_iospace_resource_valid(struct resource *res)
+{
+	/* On X86 IO space is limited to the [0 - 64K] IO port range */
+	return res->end < 0x10003;
+}
 #else
 #define valid_IRQ(i) (true)
+/*
+ * ACPI IO descriptors on arches other than X86 contain MMIO CPU physical
+ * addresses mapping IO space in CPU physical address space, IO space
+ * resources can be placed anywhere in the 64-bit physical address space.
+ */
+static inline bool
+acpi_iospace_resource_valid(struct resource *res) { return true; }
 #endif
 
 static bool acpi_dev_resource_len_valid(u64 start, u64 end, u64 len, bool io)
@@ -127,7 +139,7 @@ static void acpi_dev_ioresource_flags(st
 	if (!acpi_dev_resource_len_valid(res->start, res->end, len, true))
 		res->flags |= IORESOURCE_DISABLED | IORESOURCE_UNSET;
 
-	if (res->end >= 0x10003)
+	if (!acpi_iospace_resource_valid(res))
 		res->flags |= IORESOURCE_DISABLED | IORESOURCE_UNSET;
 
 	if (io_decode == ACPI_DECODE_16)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 028/238] x86/irq: Cure live lock in fixup_irqs()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 027/238] PCI: ACPI: IA64: fix IO port generic range check Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 029/238] x86/apic: Fix suspicious RCU usage in smp_trace_call_function_interrupt() Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harry Junior, Tony Luck,
	Thomas Gleixner, Peter Zijlstra, Joe Lawrence, Borislav Petkov,
	Ben Hutchings

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit 551adc60573cb68e3d55cacca9ba1b7437313df7 upstream.

Harry reported, that he's able to trigger a system freeze with cpu hot
unplug. The freeze turned out to be a live lock caused by recent changes in
irq_force_complete_move().

When fixup_irqs() and from there irq_force_complete_move() is called on the
dying cpu, then all other cpus are in stop machine an wait for the dying cpu
to complete the teardown. If there is a move of an interrupt pending then
irq_force_complete_move() sends the cleanup IPI to the cpus in the old_domain
mask and waits for them to clear the mask. That's obviously impossible as
those cpus are firmly stuck in stop machine with interrupts disabled.

I should have known that, but I completely overlooked it being concentrated on
the locking issues around the vectors. And the existance of the call to
__irq_complete_move() in the code, which actually sends the cleanup IPI made
it reasonable to wait for that cleanup to complete. That call was bogus even
before the recent changes as it was just a pointless distraction.

We have to look at two cases:

1) The move_in_progress flag of the interrupt is set

   This means the ioapic has been updated with the new vector, but it has not
   fired yet. In theory there is a race:

   set_ioapic(new_vector) <-- Interrupt is raised before update is effective,
   			      i.e. it's raised on the old vector.

   So if the target cpu cannot handle that interrupt before the old vector is
   cleaned up, we get a spurious interrupt and in the worst case the ioapic
   irq line becomes stale, but my experiments so far have only resulted in
   spurious interrupts.

   But in case of cpu hotplug this should be a non issue because if the
   affinity update happens right before all cpus rendevouz in stop machine,
   there is no way that the interrupt can be blocked on the target cpu because
   all cpus loops first with interrupts enabled in stop machine, so the old
   vector is not yet cleaned up when the interrupt fires.

   So the only way to run into this issue is if the delivery of the interrupt
   on the apic/system bus would be delayed beyond the point where the target
   cpu disables interrupts in stop machine. I doubt that it can happen, but at
   least there is a theroretical chance. Virtualization might be able to
   expose this, but AFAICT the IOAPIC emulation is not as stupid as the real
   hardware.

   I've spent quite some time over the weekend to enforce that situation,
   though I was not able to trigger the delayed case.

2) The move_in_progress flag is not set and the old_domain cpu mask is not
   empty.

   That means, that an interrupt was delivered after the change and the
   cleanup IPI has been sent to the cpus in old_domain, but not all CPUs have
   responded to it yet.

In both cases we can assume that the next interrupt will arrive on the new
vector, so we can cleanup the old vectors on the cpus in the old_domain cpu
mask.

Fixes: 98229aa36caa "x86/irq: Plug vector cleanup race"
Reported-by: Harry Junior <harryjr@outlook.fr>
Tested-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Joe Lawrence <joe.lawrence@stratus.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Ben Hutchings <ben@decadent.org.uk>
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1603140931430.3657@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/hw_irq.h |    1 
 arch/x86/kernel/apic/vector.c |   88 +++++++++++++++++++++++++++++++++---------
 2 files changed, 71 insertions(+), 18 deletions(-)

--- a/arch/x86/include/asm/hw_irq.h
+++ b/arch/x86/include/asm/hw_irq.h
@@ -141,6 +141,7 @@ struct irq_alloc_info {
 struct irq_cfg {
 	unsigned int		dest_apicid;
 	u8			vector;
+	u8			old_vector;
 };
 
 extern struct irq_cfg *irq_cfg(unsigned int irq);
--- a/arch/x86/kernel/apic/vector.c
+++ b/arch/x86/kernel/apic/vector.c
@@ -213,6 +213,7 @@ update:
 	 */
 	cpumask_and(d->old_domain, d->old_domain, cpu_online_mask);
 	d->move_in_progress = !cpumask_empty(d->old_domain);
+	d->cfg.old_vector = d->move_in_progress ? d->cfg.vector : 0;
 	d->cfg.vector = vector;
 	cpumask_copy(d->domain, vector_cpumask);
 success:
@@ -655,46 +656,97 @@ void irq_complete_move(struct irq_cfg *c
 }
 
 /*
- * Called with @desc->lock held and interrupts disabled.
+ * Called from fixup_irqs() with @desc->lock held and interrupts disabled.
  */
 void irq_force_complete_move(struct irq_desc *desc)
 {
 	struct irq_data *irqdata = irq_desc_get_irq_data(desc);
 	struct apic_chip_data *data = apic_chip_data(irqdata);
 	struct irq_cfg *cfg = data ? &data->cfg : NULL;
+	unsigned int cpu;
 
 	if (!cfg)
 		return;
 
-	__irq_complete_move(cfg, cfg->vector);
-
 	/*
 	 * This is tricky. If the cleanup of @data->old_domain has not been
 	 * done yet, then the following setaffinity call will fail with
 	 * -EBUSY. This can leave the interrupt in a stale state.
 	 *
-	 * The cleanup cannot make progress because we hold @desc->lock. So in
-	 * case @data->old_domain is not yet cleaned up, we need to drop the
-	 * lock and acquire it again. @desc cannot go away, because the
-	 * hotplug code holds the sparse irq lock.
+	 * All CPUs are stuck in stop machine with interrupts disabled so
+	 * calling __irq_complete_move() would be completely pointless.
 	 */
 	raw_spin_lock(&vector_lock);
-	/* Clean out all offline cpus (including ourself) first. */
+	/*
+	 * Clean out all offline cpus (including the outgoing one) from the
+	 * old_domain mask.
+	 */
 	cpumask_and(data->old_domain, data->old_domain, cpu_online_mask);
-	while (!cpumask_empty(data->old_domain)) {
+
+	/*
+	 * If move_in_progress is cleared and the old_domain mask is empty,
+	 * then there is nothing to cleanup. fixup_irqs() will take care of
+	 * the stale vectors on the outgoing cpu.
+	 */
+	if (!data->move_in_progress && cpumask_empty(data->old_domain)) {
 		raw_spin_unlock(&vector_lock);
-		raw_spin_unlock(&desc->lock);
-		cpu_relax();
-		raw_spin_lock(&desc->lock);
+		return;
+	}
+
+	/*
+	 * 1) The interrupt is in move_in_progress state. That means that we
+	 *    have not seen an interrupt since the io_apic was reprogrammed to
+	 *    the new vector.
+	 *
+	 * 2) The interrupt has fired on the new vector, but the cleanup IPIs
+	 *    have not been processed yet.
+	 */
+	if (data->move_in_progress) {
 		/*
-		 * Reevaluate apic_chip_data. It might have been cleared after
-		 * we dropped @desc->lock.
+		 * In theory there is a race:
+		 *
+		 * set_ioapic(new_vector) <-- Interrupt is raised before update
+		 *			      is effective, i.e. it's raised on
+		 *			      the old vector.
+		 *
+		 * So if the target cpu cannot handle that interrupt before
+		 * the old vector is cleaned up, we get a spurious interrupt
+		 * and in the worst case the ioapic irq line becomes stale.
+		 *
+		 * But in case of cpu hotplug this should be a non issue
+		 * because if the affinity update happens right before all
+		 * cpus rendevouz in stop machine, there is no way that the
+		 * interrupt can be blocked on the target cpu because all cpus
+		 * loops first with interrupts enabled in stop machine, so the
+		 * old vector is not yet cleaned up when the interrupt fires.
+		 *
+		 * So the only way to run into this issue is if the delivery
+		 * of the interrupt on the apic/system bus would be delayed
+		 * beyond the point where the target cpu disables interrupts
+		 * in stop machine. I doubt that it can happen, but at least
+		 * there is a theroretical chance. Virtualization might be
+		 * able to expose this, but AFAICT the IOAPIC emulation is not
+		 * as stupid as the real hardware.
+		 *
+		 * Anyway, there is nothing we can do about that at this point
+		 * w/o refactoring the whole fixup_irq() business completely.
+		 * We print at least the irq number and the old vector number,
+		 * so we have the necessary information when a problem in that
+		 * area arises.
 		 */
-		data = apic_chip_data(irqdata);
-		if (!data)
-			return;
-		raw_spin_lock(&vector_lock);
+		pr_warn("IRQ fixup: irq %d move in progress, old vector %d\n",
+			irqdata->irq, cfg->old_vector);
 	}
+	/*
+	 * If old_domain is not empty, then other cpus still have the irq
+	 * descriptor set in their vector array. Clean it up.
+	 */
+	for_each_cpu(cpu, data->old_domain)
+		per_cpu(vector_irq, cpu)[cfg->old_vector] = VECTOR_UNUSED;
+
+	/* Cleanup the left overs of the (half finished) move */
+	cpumask_clear(data->old_domain);
+	data->move_in_progress = 0;
 	raw_spin_unlock(&vector_lock);
 }
 #endif

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 029/238] x86/apic: Fix suspicious RCU usage in smp_trace_call_function_interrupt()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 028/238] x86/irq: Cure live lock in fixup_irqs() Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 030/238] x86/iopl/64: Properly context-switch IOPL on Xen PV Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andi Kleen, Thomas Gleixner, Dave Jones

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Jones <davej@codemonkey.org.uk>

commit 7834c10313fb823e538f2772be78edcdeed2e6e3 upstream.

Since 4.4, I've been able to trigger this occasionally:

===============================
[ INFO: suspicious RCU usage. ]
4.5.0-rc7-think+ #3 Not tainted
Cc: Andi Kleen <ak@linux.intel.com>
Link: http://lkml.kernel.org/r/20160315012054.GA17765@codemonkey.org.uk
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

-------------------------------
./arch/x86/include/asm/msr-trace.h:47 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

RCU used illegally from idle CPU!
rcu_scheduler_active = 1, debug_locks = 1
RCU used illegally from extended quiescent state!
no locks held by swapper/3/0.

stack backtrace:
CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.5.0-rc7-think+ #3
 ffffffff92f821e0 1f3e5c340597d7fc ffff880468e07f10 ffffffff92560c2a
 ffff880462145280 0000000000000001 ffff880468e07f40 ffffffff921376a6
 ffffffff93665ea0 0000cc7c876d28da 0000000000000005 ffffffff9383dd60
Call Trace:
 <IRQ>  [<ffffffff92560c2a>] dump_stack+0x67/0x9d
 [<ffffffff921376a6>] lockdep_rcu_suspicious+0xe6/0x100
 [<ffffffff925ae7a7>] do_trace_write_msr+0x127/0x1a0
 [<ffffffff92061c83>] native_apic_msr_eoi_write+0x23/0x30
 [<ffffffff92054408>] smp_trace_call_function_interrupt+0x38/0x360
 [<ffffffff92d1ca60>] trace_call_function_interrupt+0x90/0xa0
 <EOI>  [<ffffffff92ac5124>] ? cpuidle_enter_state+0x1b4/0x520

Move the entering_irq() call before ack_APIC_irq(), because entering_irq()
tells the RCU susbstems to end the extended quiescent state, so that the
following trace call in ack_APIC_irq() works correctly.

Suggested-by: Andi Kleen <ak@linux.intel.com>
Fixes: 4787c368a9bc "x86/tracing: Add irq_enter/exit() in smp_trace_reschedule_interrupt()"
Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

---
 arch/x86/include/asm/apic.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/include/asm/apic.h
+++ b/arch/x86/include/asm/apic.h
@@ -644,8 +644,8 @@ static inline void entering_irq(void)
 
 static inline void entering_ack_irq(void)
 {
-	ack_APIC_irq();
 	entering_irq();
+	ack_APIC_irq();
 }
 
 static inline void ipi_entering_ack_irq(void)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 030/238] x86/iopl/64: Properly context-switch IOPL on Xen PV
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 029/238] x86/apic: Fix suspicious RCU usage in smp_trace_call_function_interrupt() Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 031/238] x86/iopl: Fix iopl capability check " Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, Andrew Cooper,
	Andy Lutomirski, Boris Ostrovsky, Borislav Petkov, Brian Gerst,
	David Vrabel, Denys Vlasenko, H. Peter Anvin, Jan Beulich,
	Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@kernel.org>

commit b7a584598aea7ca73140cb87b40319944dd3393f upstream.

On Xen PV, regs->flags doesn't reliably reflect IOPL and the
exit-to-userspace code doesn't change IOPL.  We need to context
switch it manually.

I'm doing this without going through paravirt because this is
specific to Xen PV.  After the dust settles, we can merge this with
the 32-bit code, tidy up the iopl syscall implementation, and remove
the set_iopl pvop entirely.

Fixes XSA-171.

Reviewewd-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/693c3bd7aeb4d3c27c92c622b7d0f554a458173c.1458162709.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/xen/hypervisor.h |    2 ++
 arch/x86/kernel/process_64.c          |   12 ++++++++++++
 arch/x86/xen/enlighten.c              |    2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)

--- a/arch/x86/include/asm/xen/hypervisor.h
+++ b/arch/x86/include/asm/xen/hypervisor.h
@@ -62,4 +62,6 @@ void xen_arch_register_cpu(int num);
 void xen_arch_unregister_cpu(int num);
 #endif
 
+extern void xen_set_iopl_mask(unsigned mask);
+
 #endif /* _ASM_X86_XEN_HYPERVISOR_H */
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -48,6 +48,7 @@
 #include <asm/syscalls.h>
 #include <asm/debugreg.h>
 #include <asm/switch_to.h>
+#include <asm/xen/hypervisor.h>
 
 asmlinkage extern void ret_from_fork(void);
 
@@ -411,6 +412,17 @@ __switch_to(struct task_struct *prev_p,
 		     task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
 		__switch_to_xtra(prev_p, next_p, tss);
 
+#ifdef CONFIG_XEN
+	/*
+	 * On Xen PV, IOPL bits in pt_regs->flags have no effect, and
+	 * current_pt_regs()->flags may not match the current task's
+	 * intended IOPL.  We need to switch it manually.
+	 */
+	if (unlikely(static_cpu_has(X86_FEATURE_XENPV) &&
+		     prev->iopl != next->iopl))
+		xen_set_iopl_mask(next->iopl);
+#endif
+
 	if (static_cpu_has_bug(X86_BUG_SYSRET_SS_ATTRS)) {
 		/*
 		 * AMD CPUs have a misfeature: SYSRET sets the SS selector but
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -961,7 +961,7 @@ static void xen_load_sp0(struct tss_stru
 	tss->x86_tss.sp0 = thread->sp0;
 }
 
-static void xen_set_iopl_mask(unsigned mask)
+void xen_set_iopl_mask(unsigned mask)
 {
 	struct physdev_set_iopl set_iopl;
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 031/238] x86/iopl: Fix iopl capability check on Xen PV
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 030/238] x86/iopl/64: Properly context-switch IOPL on Xen PV Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 032/238] x86/mm: TLB_REMOTE_SEND_IPI should count pages Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, Andrew Cooper,
	Andy Lutomirski, Boris Ostrovsky, Borislav Petkov, Brian Gerst,
	David Vrabel, Denys Vlasenko, H. Peter Anvin, Jan Beulich,
	Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andy Lutomirski <luto@kernel.org>

commit c29016cf41fe9fa994a5ecca607cf5f1cd98801e upstream.

iopl(3) is supposed to work if iopl is already 3, even if
unprivileged.  This didn't work right on Xen PV.  Fix it.

Reviewewd-by: Jan Beulich <JBeulich@suse.com>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/8ce12013e6e4c0a44a97e316be4a6faff31bd5ea.1458162709.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kernel/ioport.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -96,9 +96,14 @@ asmlinkage long sys_ioperm(unsigned long
 SYSCALL_DEFINE1(iopl, unsigned int, level)
 {
 	struct pt_regs *regs = current_pt_regs();
-	unsigned int old = (regs->flags >> 12) & 3;
 	struct thread_struct *t = &current->thread;
 
+	/*
+	 * Careful: the IOPL bits in regs->flags are undefined under Xen PV
+	 * and changing them has no effect.
+	 */
+	unsigned int old = t->iopl >> X86_EFLAGS_IOPL_BIT;
+
 	if (level > 3)
 		return -EINVAL;
 	/* Trying to gain more privileges? */
@@ -106,8 +111,9 @@ SYSCALL_DEFINE1(iopl, unsigned int, leve
 		if (!capable(CAP_SYS_RAWIO))
 			return -EPERM;
 	}
-	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
-	t->iopl = level << 12;
+	regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
+		(level << X86_EFLAGS_IOPL_BIT);
+	t->iopl = level << X86_EFLAGS_IOPL_BIT;
 	set_iopl_mask(t->iopl);
 
 	return 0;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 032/238] x86/mm: TLB_REMOTE_SEND_IPI should count pages
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 031/238] x86/iopl: Fix iopl capability check " Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33   ` Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nadav Amit, Mel Gorman, Rik van Riel,
	Dave Hansen, Ingo Molnar, Andrew Morton, Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nadav Amit <namit@vmware.com>

commit 18c98243ddf05a1827ad2c359c5ac051101e7ff7 upstream.

TLB_REMOTE_SEND_IPI was recently introduced, but it counts bytes instead
of pages.  In addition, it does not report correctly the case in which
flush_tlb_page flushes a page.  Fix it to be consistent with other TLB
counters.

Fixes: 5b74283ab251b9d ("x86, mm: trace when an IPI is about to be sent")
Signed-off-by: Nadav Amit <namit@vmware.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Rik van Riel <riel@redhat.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/mm/tlb.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -106,8 +106,6 @@ static void flush_tlb_func(void *info)
 
 	if (f->flush_mm != this_cpu_read(cpu_tlbstate.active_mm))
 		return;
-	if (!f->flush_end)
-		f->flush_end = f->flush_start + PAGE_SIZE;
 
 	count_vm_tlb_event(NR_TLB_REMOTE_FLUSH_RECEIVED);
 	if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK) {
@@ -135,12 +133,20 @@ void native_flush_tlb_others(const struc
 				 unsigned long end)
 {
 	struct flush_tlb_info info;
+
+	if (end == 0)
+		end = start + PAGE_SIZE;
 	info.flush_mm = mm;
 	info.flush_start = start;
 	info.flush_end = end;
 
 	count_vm_tlb_event(NR_TLB_REMOTE_FLUSH);
-	trace_tlb_flush(TLB_REMOTE_SEND_IPI, end - start);
+	if (end == TLB_FLUSH_ALL)
+		trace_tlb_flush(TLB_REMOTE_SEND_IPI, TLB_FLUSH_ALL);
+	else
+		trace_tlb_flush(TLB_REMOTE_SEND_IPI,
+				(end - start) >> PAGE_SHIFT);
+
 	if (is_uv_system()) {
 		unsigned int cpu;
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 033/238] sg: fix dxferp in from_to case
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
@ 2016-04-10 18:33   ` Greg Kroah-Hartman
  2016-04-10 18:32 ` [PATCH 4.5 002/238] x86/microcode: Untangle from BLK_DEV_INITRD Greg Kroah-Hartman
                     ` (228 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Douglas Gilbert, Ewan Milne,
	Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Gilbert <dgilbert@interlog.com>

commit 5ecee0a3ee8d74b6950cb41e8989b0c2174568d4 upstream.

One of the strange things that the original sg driver did was let the
user provide both a data-out buffer (it followed the sg_header+cdb)
_and_ specify a reply length greater than zero. What happened was that
the user data-out buffer was copied into some kernel buffers and then
the mid level was told a read type operation would take place with the
data from the device overwriting the same kernel buffers. The user would
then read those kernel buffers back into the user space.

>From what I can tell, the above action was broken by commit fad7f01e61bf
("sg: set dxferp to NULL for READ with the older SG interface") in 2008
and syzkaller found that out recently.

Make sure that a user space pointer is passed through when data follows
the sg_header structure and command.  Fix the abnormal case when a
non-zero reply_len is also given.

Fixes: fad7f01e61bf737fe8a3740d803f000db57ecac6
Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
Reviewed-by: Ewan Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sg.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -652,7 +652,8 @@ sg_write(struct file *filp, const char _
 	else
 		hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV : SG_DXFER_NONE;
 	hp->dxfer_len = mxsize;
-	if (hp->dxfer_direction == SG_DXFER_TO_DEV)
+	if ((hp->dxfer_direction == SG_DXFER_TO_DEV) ||
+	    (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV))
 		hp->dxferp = (char __user *)buf + cmd_size;
 	else
 		hp->dxferp = NULL;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 033/238] sg: fix dxferp in from_to case
@ 2016-04-10 18:33   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Douglas Gilbert, Ewan Milne,
	Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Douglas Gilbert <dgilbert@interlog.com>

commit 5ecee0a3ee8d74b6950cb41e8989b0c2174568d4 upstream.

One of the strange things that the original sg driver did was let the
user provide both a data-out buffer (it followed the sg_header+cdb)
_and_ specify a reply length greater than zero. What happened was that
the user data-out buffer was copied into some kernel buffers and then
the mid level was told a read type operation would take place with the
data from the device overwriting the same kernel buffers. The user would
then read those kernel buffers back into the user space.

>>From what I can tell, the above action was broken by commit fad7f01e61bf
("sg: set dxferp to NULL for READ with the older SG interface") in 2008
and syzkaller found that out recently.

Make sure that a user space pointer is passed through when data follows
the sg_header structure and command.  Fix the abnormal case when a
non-zero reply_len is also given.

Fixes: fad7f01e61bf737fe8a3740d803f000db57ecac6
Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
Reviewed-by: Ewan Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sg.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -652,7 +652,8 @@ sg_write(struct file *filp, const char _
 	else
 		hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV : SG_DXFER_NONE;
 	hp->dxfer_len = mxsize;
-	if (hp->dxfer_direction == SG_DXFER_TO_DEV)
+	if ((hp->dxfer_direction == SG_DXFER_TO_DEV) ||
+	    (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV))
 		hp->dxferp = (char __user *)buf + cmd_size;
 	else
 		hp->dxferp = NULL;



^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 034/238] aacraid: Fix RRQ overload
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2016-04-10 18:33   ` Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 035/238] aacraid: Fix memory leak in aac_fib_map_free Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Raghava Aditya Renukunta,
	Johannes Thumshirn, Tomas Henzl, Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>

commit 3f4ce057d51a9c0ed9b01ba693df685d230ffcae upstream.

The driver utilizes an array of atomic variables to keep track of IO
submissions to each vector. To submit an IO multiple threads iterate
through the array to find a vector which has empty slots to send an
IO. The reading and updating of the variable is not atomic, causing race
conditions when a thread uses a full vector to submit an IO.

Fixed by mapping each FIB to a vector, the submission path then uses
said vector to submit IO thereby removing the possibly of a race
condition.The vector assignment is started from 1 since vector 0 is
reserved for the use of AIF management FIBS.If the number of MSIx
vectors is 1 (MSI or INTx mode) then all the fibs are allocated to
vector 0.

Fixes: 495c0217 "aacraid: MSI-x support"
Signed-off-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/aacraid/aacraid.h |    2 ++
 drivers/scsi/aacraid/commsup.c |   28 ++++++++++++++++++++++++++++
 drivers/scsi/aacraid/src.c     |   30 +++++++-----------------------
 3 files changed, 37 insertions(+), 23 deletions(-)

--- a/drivers/scsi/aacraid/aacraid.h
+++ b/drivers/scsi/aacraid/aacraid.h
@@ -944,6 +944,7 @@ struct fib {
 	 */
 	struct list_head	fiblink;
 	void			*data;
+	u32			vector_no;
 	struct hw_fib		*hw_fib_va;		/* Actual shared object */
 	dma_addr_t		hw_fib_pa;		/* physical address of hw_fib*/
 };
@@ -2113,6 +2114,7 @@ static inline unsigned int cap_to_cyls(s
 int aac_acquire_irq(struct aac_dev *dev);
 void aac_free_irq(struct aac_dev *dev);
 const char *aac_driverinfo(struct Scsi_Host *);
+void aac_fib_vector_assign(struct aac_dev *dev);
 struct fib *aac_fib_alloc(struct aac_dev *dev);
 int aac_fib_setup(struct aac_dev *dev);
 void aac_fib_map_free(struct aac_dev *dev);
--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -90,6 +90,28 @@ void aac_fib_map_free(struct aac_dev *de
 	dev->hw_fib_pa = 0;
 }
 
+void aac_fib_vector_assign(struct aac_dev *dev)
+{
+	u32 i = 0;
+	u32 vector = 1;
+	struct fib *fibptr = NULL;
+
+	for (i = 0, fibptr = &dev->fibs[i];
+		i < (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB);
+		i++, fibptr++) {
+		if ((dev->max_msix == 1) ||
+		  (i > ((dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB - 1)
+			- dev->vector_cap))) {
+			fibptr->vector_no = 0;
+		} else {
+			fibptr->vector_no = vector;
+			vector++;
+			if (vector == dev->max_msix)
+				vector = 1;
+		}
+	}
+}
+
 /**
  *	aac_fib_setup	-	setup the fibs
  *	@dev: Adapter to set up
@@ -151,6 +173,12 @@ int aac_fib_setup(struct aac_dev * dev)
 		hw_fib_pa = hw_fib_pa +
 			dev->max_fib_size + sizeof(struct aac_fib_xporthdr);
 	}
+
+	/*
+	 *Assign vector numbers to fibs
+	 */
+	aac_fib_vector_assign(dev);
+
 	/*
 	 *	Add the fib chain to the free list
 	 */
--- a/drivers/scsi/aacraid/src.c
+++ b/drivers/scsi/aacraid/src.c
@@ -156,8 +156,8 @@ static irqreturn_t aac_src_intr_message(
 				break;
 			if (dev->msi_enabled && dev->max_msix > 1)
 				atomic_dec(&dev->rrq_outstanding[vector_no]);
-			aac_intr_normal(dev, handle-1, 0, isFastResponse, NULL);
 			dev->host_rrq[index++] = 0;
+			aac_intr_normal(dev, handle-1, 0, isFastResponse, NULL);
 			if (index == (vector_no + 1) * dev->vector_cap)
 				index = vector_no * dev->vector_cap;
 			dev->host_rrq_idx[vector_no] = index;
@@ -452,36 +452,20 @@ static int aac_src_deliver_message(struc
 #endif
 
 	u16 hdr_size = le16_to_cpu(fib->hw_fib_va->header.Size);
+	u16 vector_no;
 
 	atomic_inc(&q->numpending);
 
 	if (dev->msi_enabled && fib->hw_fib_va->header.Command != AifRequest &&
 	    dev->max_msix > 1) {
-		u_int16_t vector_no, first_choice = 0xffff;
-
-		vector_no = dev->fibs_pushed_no % dev->max_msix;
-		do {
-			vector_no += 1;
-			if (vector_no == dev->max_msix)
-				vector_no = 1;
-			if (atomic_read(&dev->rrq_outstanding[vector_no]) <
-			    dev->vector_cap)
-				break;
-			if (0xffff == first_choice)
-				first_choice = vector_no;
-			else if (vector_no == first_choice)
-				break;
-		} while (1);
-		if (vector_no == first_choice)
-			vector_no = 0;
-		atomic_inc(&dev->rrq_outstanding[vector_no]);
-		if (dev->fibs_pushed_no == 0xffffffff)
-			dev->fibs_pushed_no = 0;
-		else
-			dev->fibs_pushed_no++;
+		vector_no = fib->vector_no;
 		fib->hw_fib_va->header.Handle += (vector_no << 16);
+	} else {
+		vector_no = 0;
 	}
 
+	atomic_inc(&dev->rrq_outstanding[vector_no]);
+
 	if (dev->comm_interface == AAC_COMM_MESSAGE_TYPE2) {
 		/* Calculate the amount to the fibsize bits */
 		fibsize = (hdr_size + 127) / 128 - 1;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 035/238] aacraid: Fix memory leak in aac_fib_map_free
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 034/238] aacraid: Fix RRQ overload Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 036/238] aacraid: Set correct msix count for EEH recovery Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Raghava Aditya Renukunta,
	Johannes Thumshirn, Tomas Henzl, Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>

commit f88fa79a61726ce9434df9b4aede36961f709f17 upstream.

aac_fib_map_free() calls pci_free_consistent() without checking that
dev->hw_fib_va is not NULL and dev->max_fib_size is not zero.If they are
indeed NULL/0, this will result in a hang as pci_free_consistent() will
attempt to invalidate cache for the entire 64-bit address space
(which would take a very long time).

Fixed by adding a check to make sure that dev->hw_fib_va and
dev->max_fib_size are not NULL and 0 respectively.

Fixes: 9ad5204d6 - "[SCSI]aacraid: incorrect dma mapping mask during blinked recover or user initiated reset"
Signed-off-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/aacraid/commsup.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -83,9 +83,12 @@ static int fib_map_alloc(struct aac_dev
 
 void aac_fib_map_free(struct aac_dev *dev)
 {
-	pci_free_consistent(dev->pdev,
-	  dev->max_fib_size * (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB),
-	  dev->hw_fib_va, dev->hw_fib_pa);
+	if (dev->hw_fib_va && dev->max_fib_size) {
+		pci_free_consistent(dev->pdev,
+		(dev->max_fib_size *
+		(dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB)),
+		dev->hw_fib_va, dev->hw_fib_pa);
+	}
 	dev->hw_fib_va = NULL;
 	dev->hw_fib_pa = 0;
 }

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 036/238] aacraid: Set correct msix count for EEH recovery
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 035/238] aacraid: Fix memory leak in aac_fib_map_free Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-12  0:29   ` Ben Hutchings
  2016-04-10 18:33 ` [PATCH 4.5 037/238] sd: Fix discard granularity when LBPRZ=1 Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  229 siblings, 1 reply; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Raghava Aditya Renukunta,
	Shane Seymour, Johannes Thumshirn, Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>

commit ecc479e00db8eb110b200afe1effcb3df20ca7ae upstream.

During EEH recovery number of online CPU's might change thereby changing
the number of MSIx vectors. Since each fib is allocated to a vector,
changes in the number of vectors causes fib to be sent thru invalid
vectors.In addition the correct number of MSIx vectors is not updated in
the INIT struct sent to the controller, when it is reinitialized.

Fixed by reassigning vectors to fibs based on the updated number of MSIx
vectors and updating the INIT structure before sending to controller.

Fixes: MSI-X vector calculation for suspend/resume
Signed-off-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
Reviewed-by: Shane Seymour <shane.seymour@hpe.com>
Reviewed-by: Johannes Thumshirn <jthushirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/aacraid/linit.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -1404,8 +1404,18 @@ static int aac_acquire_resources(struct
 
 	aac_adapter_enable_int(dev);
 
-	if (!dev->sync_mode)
+	/*max msix may change  after EEH
+	 * Re-assign vectors to fibs
+	 */
+	aac_fib_vector_assign(dev);
+
+	if (!dev->sync_mode) {
+		/* After EEH recovery or suspend resume, max_msix count
+		 * may change, therfore updating in init as well.
+		 */
 		aac_adapter_start(dev);
+		dev->init->Sa_MSIXVectors = cpu_to_le32(dev->max_msix);
+	}
 	return 0;
 
 error_iounmap:

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 037/238] sd: Fix discard granularity when LBPRZ=1
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 036/238] aacraid: Set correct msix count for EEH recovery Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 038/238] ncr5380: Correctly clear command pointers and lists after bus reset Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin K. Petersen, Mike Snitzer,
	Ewan Milne, Bart Van Assche

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martin K. Petersen <martin.petersen@oracle.com>

commit 6540a65da90c09590897310e31993b1f6e28485a upstream.

Commit 397737223c59 ("sd: Make discard granularity match logical block
size when LBPRZ=1") accidentally set the granularity to one byte instead
of one logical block on devices that provide deterministic zeroes after
UNMAP.

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Reported-by: Mike Snitzer <snitzer@redhat.com>
Reviewed-by: Ewan Milne <emilne@redhat.com>
Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
Fixes: 397737223c59e89dca7305feb6528caef8fbef84
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sd.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -648,7 +648,7 @@ static void sd_config_discard(struct scs
 	 */
 	if (sdkp->lbprz) {
 		q->limits.discard_alignment = 0;
-		q->limits.discard_granularity = 1;
+		q->limits.discard_granularity = logical_block_size;
 	} else {
 		q->limits.discard_alignment = sdkp->unmap_alignment *
 			logical_block_size;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 038/238] ncr5380: Correctly clear command pointers and lists after bus reset
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 037/238] sd: Fix discard granularity when LBPRZ=1 Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 039/238] ncr5380: Dont release lock for PIO transfer Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Michael Schmitz,
	Finn Thain, Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

commit 1884c2838f31e6bf20f21459ed9921f8c92ed3ef upstream.

Commands subject to exception handling are to be returned to the scsi
mid-layer. Make sure that the various command pointers and command lists
in the low-level driver are correctly cleansed of affected commands.

This fixes some bugs that I accidentally introduced in v4.5-rc1 including
the removal of INIT_LIST_HEAD for the 'autosense' and 'disconnected'
command lists, and the possible NULL pointer dereference in
NCR5380_bus_reset() that was reported by Dan Carpenter.

hostdata->sensing may also point to an affected command so this pointer
also has to be cleared. The abort handler calls complete_cmd() to take
care of this; let's have the bus reset handler do the same.

The issue queue may also contain an affected command. If so, remove it.
This also follows the abort handler logic.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 62717f537e1b ("ncr5380: Implement new eh_bus_reset_handler")
Tested-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/NCR5380.c       |   19 ++++++++++++-------
 drivers/scsi/atari_NCR5380.c |   19 ++++++++++++-------
 2 files changed, 24 insertions(+), 14 deletions(-)

--- a/drivers/scsi/NCR5380.c
+++ b/drivers/scsi/NCR5380.c
@@ -2450,7 +2450,16 @@ static int NCR5380_bus_reset(struct scsi
 	 * commands!
 	 */
 
-	hostdata->selecting = NULL;
+	if (list_del_cmd(&hostdata->unissued, cmd)) {
+		cmd->result = DID_RESET << 16;
+		cmd->scsi_done(cmd);
+	}
+
+	if (hostdata->selecting) {
+		hostdata->selecting->result = DID_RESET << 16;
+		complete_cmd(instance, hostdata->selecting);
+		hostdata->selecting = NULL;
+	}
 
 	list_for_each_entry(ncmd, &hostdata->disconnected, list) {
 		struct scsi_cmnd *cmd = NCR5380_to_scmd(ncmd);
@@ -2458,6 +2467,7 @@ static int NCR5380_bus_reset(struct scsi
 		set_host_byte(cmd, DID_RESET);
 		cmd->scsi_done(cmd);
 	}
+	INIT_LIST_HEAD(&hostdata->disconnected);
 
 	list_for_each_entry(ncmd, &hostdata->autosense, list) {
 		struct scsi_cmnd *cmd = NCR5380_to_scmd(ncmd);
@@ -2465,6 +2475,7 @@ static int NCR5380_bus_reset(struct scsi
 		set_host_byte(cmd, DID_RESET);
 		cmd->scsi_done(cmd);
 	}
+	INIT_LIST_HEAD(&hostdata->autosense);
 
 	if (hostdata->connected) {
 		set_host_byte(hostdata->connected, DID_RESET);
@@ -2472,12 +2483,6 @@ static int NCR5380_bus_reset(struct scsi
 		hostdata->connected = NULL;
 	}
 
-	if (hostdata->sensing) {
-		set_host_byte(hostdata->connected, DID_RESET);
-		complete_cmd(instance, hostdata->sensing);
-		hostdata->sensing = NULL;
-	}
-
 	for (i = 0; i < 8; ++i)
 		hostdata->busy[i] = 0;
 #ifdef REAL_DMA
--- a/drivers/scsi/atari_NCR5380.c
+++ b/drivers/scsi/atari_NCR5380.c
@@ -2646,7 +2646,16 @@ static int NCR5380_bus_reset(struct scsi
 	 * commands!
 	 */
 
-	hostdata->selecting = NULL;
+	if (list_del_cmd(&hostdata->unissued, cmd)) {
+		cmd->result = DID_RESET << 16;
+		cmd->scsi_done(cmd);
+	}
+
+	if (hostdata->selecting) {
+		hostdata->selecting->result = DID_RESET << 16;
+		complete_cmd(instance, hostdata->selecting);
+		hostdata->selecting = NULL;
+	}
 
 	list_for_each_entry(ncmd, &hostdata->disconnected, list) {
 		struct scsi_cmnd *cmd = NCR5380_to_scmd(ncmd);
@@ -2654,6 +2663,7 @@ static int NCR5380_bus_reset(struct scsi
 		set_host_byte(cmd, DID_RESET);
 		cmd->scsi_done(cmd);
 	}
+	INIT_LIST_HEAD(&hostdata->disconnected);
 
 	list_for_each_entry(ncmd, &hostdata->autosense, list) {
 		struct scsi_cmnd *cmd = NCR5380_to_scmd(ncmd);
@@ -2661,6 +2671,7 @@ static int NCR5380_bus_reset(struct scsi
 		set_host_byte(cmd, DID_RESET);
 		cmd->scsi_done(cmd);
 	}
+	INIT_LIST_HEAD(&hostdata->autosense);
 
 	if (hostdata->connected) {
 		set_host_byte(hostdata->connected, DID_RESET);
@@ -2668,12 +2679,6 @@ static int NCR5380_bus_reset(struct scsi
 		hostdata->connected = NULL;
 	}
 
-	if (hostdata->sensing) {
-		set_host_byte(hostdata->connected, DID_RESET);
-		complete_cmd(instance, hostdata->sensing);
-		hostdata->sensing = NULL;
-	}
-
 #ifdef SUPPORT_TAGS
 	free_all_tags(hostdata);
 #endif

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 039/238] ncr5380: Dont release lock for PIO transfer
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 038/238] ncr5380: Correctly clear command pointers and lists after bus reset Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 040/238] ncr5380: Dont re-enter NCR5380_select() Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Finn Thain, Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

commit 1678847ec93040ae8280d19c42ae0ba8a4233e6d upstream.

The calls to NCR5380_transfer_pio() for DATA IN and DATA OUT phases will
modify cmd->SCp.this_residual, cmd->SCp.ptr and cmd->SCp.buffer. That
works as long as EH does not intervene, which became possible in
atari_NCR5380.c when I changed the locking to bring it closer to
NCR5380.c.

If error recovery aborts the command, the scsi_cmnd in question and its
buffer will be returned to the mid-layer. So the transfer has to cease,
but it can't be stopped by the initiator because the target controls the
bus phase.

The problem does not arise if the lock is not released. That was fine for
atari_scsi, because it implements DMA. For the other drivers, we have to
release the lock and re-enable interrupts for long PIO data transfers.

The solution is to split the transfer into small chunks. In between chunks
the main loop releases the lock and re-enables interrupts. Thus interrupts
can be serviced and eh_bus_reset_handler can intervene if need be.

This fixes an oops in NCR5380_transfer_pio() that can happen when the EH
abort handler is invoked during DATA IN or DATA OUT phase.

Fixes: 11d2f63b9cf5 ("ncr5380: Change instance->host_lock to hostdata->lock")
Reported-and-tested-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/NCR5380.c       |   16 +++++++++-------
 drivers/scsi/atari_NCR5380.c |   16 +++++++++-------
 2 files changed, 18 insertions(+), 14 deletions(-)

--- a/drivers/scsi/NCR5380.c
+++ b/drivers/scsi/NCR5380.c
@@ -1759,9 +1759,7 @@ static void NCR5380_information_transfer
 	unsigned char msgout = NOP;
 	int sink = 0;
 	int len;
-#if defined(PSEUDO_DMA) || defined(REAL_DMA_POLL)
 	int transfersize;
-#endif
 	unsigned char *data;
 	unsigned char phase, tmp, extended_msg[10], old_phase = 0xff;
 	struct scsi_cmnd *cmd;
@@ -1854,13 +1852,17 @@ static void NCR5380_information_transfer
 				} else
 #endif				/* defined(PSEUDO_DMA) || defined(REAL_DMA_POLL) */
 				{
-					spin_unlock_irq(&hostdata->lock);
-					NCR5380_transfer_pio(instance, &phase,
-					                     (int *)&cmd->SCp.this_residual,
+					/* Break up transfer into 3 ms chunks,
+					 * presuming 6 accesses per handshake.
+					 */
+					transfersize = min((unsigned long)cmd->SCp.this_residual,
+					                   hostdata->accesses_per_ms / 2);
+					len = transfersize;
+					NCR5380_transfer_pio(instance, &phase, &len,
 					                     (unsigned char **)&cmd->SCp.ptr);
-					spin_lock_irq(&hostdata->lock);
+					cmd->SCp.this_residual -= transfersize - len;
 				}
-				break;
+				return;
 			case PHASE_MSGIN:
 				len = 1;
 				data = &tmp;
--- a/drivers/scsi/atari_NCR5380.c
+++ b/drivers/scsi/atari_NCR5380.c
@@ -1838,9 +1838,7 @@ static void NCR5380_information_transfer
 	unsigned char msgout = NOP;
 	int sink = 0;
 	int len;
-#if defined(REAL_DMA)
 	int transfersize;
-#endif
 	unsigned char *data;
 	unsigned char phase, tmp, extended_msg[10], old_phase = 0xff;
 	struct scsi_cmnd *cmd;
@@ -1983,18 +1981,22 @@ static void NCR5380_information_transfer
 				} else
 #endif /* defined(REAL_DMA) */
 				{
-					spin_unlock_irq(&hostdata->lock);
-					NCR5380_transfer_pio(instance, &phase,
-					                     (int *)&cmd->SCp.this_residual,
+					/* Break up transfer into 3 ms chunks,
+					 * presuming 6 accesses per handshake.
+					 */
+					transfersize = min((unsigned long)cmd->SCp.this_residual,
+					                   hostdata->accesses_per_ms / 2);
+					len = transfersize;
+					NCR5380_transfer_pio(instance, &phase, &len,
 					                     (unsigned char **)&cmd->SCp.ptr);
-					spin_lock_irq(&hostdata->lock);
+					cmd->SCp.this_residual -= transfersize - len;
 				}
 #if defined(CONFIG_SUN3) && defined(REAL_DMA)
 				/* if we had intended to dma that command clear it */
 				if (sun3_dma_setup_done == cmd)
 					sun3_dma_setup_done = NULL;
 #endif
-				break;
+				return;
 			case PHASE_MSGIN:
 				len = 1;
 				data = &tmp;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 040/238] ncr5380: Dont re-enter NCR5380_select()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 039/238] ncr5380: Dont release lock for PIO transfer Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 041/238] ncr5380: Forget aborted commands Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Finn Thain, Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

commit 71a00593ec0c2e2c1720e4041cf2926ff1d07826 upstream.

Calling NCR5380_select() from the abort handler causes various problems.
Firstly, it means potentially re-entering NCR5380_select(). Secondly, it
means that the lock is released, which permits the EH handlers to be
re-entered. The combination results in crashes. Don't do it.

Fixes: 8b00c3d5d40d ("ncr5380: Implement new eh_abort_handler")
Reported-and-tested-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/NCR5380.c       |   16 ++++++++--------
 drivers/scsi/atari_NCR5380.c |   16 ++++++++--------
 2 files changed, 16 insertions(+), 16 deletions(-)

--- a/drivers/scsi/NCR5380.c
+++ b/drivers/scsi/NCR5380.c
@@ -2302,6 +2302,9 @@ static bool list_del_cmd(struct list_hea
  * If cmd was not found at all then presumably it has already been completed,
  * in which case return SUCCESS to try to avoid further EH measures.
  * If the command has not completed yet, we must not fail to find it.
+ *
+ * The lock protects driver data structures, but EH handlers also use it
+ * to serialize their own execution and prevent their own re-entry.
  */
 
 static int NCR5380_abort(struct scsi_cmnd *cmd)
@@ -2338,14 +2341,11 @@ static int NCR5380_abort(struct scsi_cmn
 	if (list_del_cmd(&hostdata->disconnected, cmd)) {
 		dsprintk(NDEBUG_ABORT, instance,
 		         "abort: removed %p from disconnected list\n", cmd);
-		cmd->result = DID_ERROR << 16;
-		if (!hostdata->connected)
-			NCR5380_select(instance, cmd);
-		if (hostdata->connected != cmd) {
-			complete_cmd(instance, cmd);
-			result = FAILED;
-			goto out;
-		}
+		/* Can't call NCR5380_select() and send ABORT because that
+		 * means releasing the lock. Need a bus reset.
+		 */
+		result = FAILED;
+		goto out;
 	}
 
 	if (hostdata->connected == cmd) {
--- a/drivers/scsi/atari_NCR5380.c
+++ b/drivers/scsi/atari_NCR5380.c
@@ -2497,6 +2497,9 @@ static bool list_del_cmd(struct list_hea
  * If cmd was not found at all then presumably it has already been completed,
  * in which case return SUCCESS to try to avoid further EH measures.
  * If the command has not completed yet, we must not fail to find it.
+ *
+ * The lock protects driver data structures, but EH handlers also use it
+ * to serialize their own execution and prevent their own re-entry.
  */
 
 static int NCR5380_abort(struct scsi_cmnd *cmd)
@@ -2533,14 +2536,11 @@ static int NCR5380_abort(struct scsi_cmn
 	if (list_del_cmd(&hostdata->disconnected, cmd)) {
 		dsprintk(NDEBUG_ABORT, instance,
 		         "abort: removed %p from disconnected list\n", cmd);
-		cmd->result = DID_ERROR << 16;
-		if (!hostdata->connected)
-			NCR5380_select(instance, cmd);
-		if (hostdata->connected != cmd) {
-			complete_cmd(instance, cmd);
-			result = FAILED;
-			goto out;
-		}
+		/* Can't call NCR5380_select() and send ABORT because that
+		 * means releasing the lock. Need a bus reset.
+		 */
+		result = FAILED;
+		goto out;
 	}
 
 	if (hostdata->connected == cmd) {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 041/238] ncr5380: Forget aborted commands
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 040/238] ncr5380: Dont re-enter NCR5380_select() Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 042/238] ncr5380: Fix NCR5380_select() EH checks and result handling Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Schmitz, Finn Thain,
	Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

commit dc183965282d28c82f192e39cbfa91da85505a6f upstream.

The list structures and related logic used in the NCR5380 driver mean that
a command cannot be queued twice (i.e. can't appear on more than one queue
and can't appear on the same queue more than once).

The abort handler must forget the command so that the mid-layer can re-use
it. E.g. the ML may send it back to the LLD via via scsi_eh_get_sense().

Fix this and also fix two error paths, so that commands get forgotten iff
completed.

Fixes: 8b00c3d5d40d ("ncr5380: Implement new eh_abort_handler")
Tested-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/NCR5380.c       |   62 +++++++++++--------------------------------
 drivers/scsi/atari_NCR5380.c |   62 +++++++++++--------------------------------
 2 files changed, 34 insertions(+), 90 deletions(-)

--- a/drivers/scsi/NCR5380.c
+++ b/drivers/scsi/NCR5380.c
@@ -1796,6 +1796,7 @@ static void NCR5380_information_transfer
 				do_abort(instance);
 				cmd->result = DID_ERROR << 16;
 				complete_cmd(instance, cmd);
+				hostdata->connected = NULL;
 				return;
 #endif
 			case PHASE_DATAIN:
@@ -1845,7 +1846,6 @@ static void NCR5380_information_transfer
 						sink = 1;
 						do_abort(instance);
 						cmd->result = DID_ERROR << 16;
-						complete_cmd(instance, cmd);
 						/* XXX - need to source or sink data here, as appropriate */
 					} else
 						cmd->SCp.this_residual -= transfersize - len;
@@ -2294,14 +2294,14 @@ static bool list_del_cmd(struct list_hea
  * [disconnected -> connected ->]...
  * [autosense -> connected ->] done
  *
- * If cmd is unissued then just remove it.
- * If cmd is disconnected, try to select the target.
- * If cmd is connected, try to send an abort message.
- * If cmd is waiting for autosense, give it a chance to complete but check
- * that it isn't left connected.
  * If cmd was not found at all then presumably it has already been completed,
  * in which case return SUCCESS to try to avoid further EH measures.
+ *
  * If the command has not completed yet, we must not fail to find it.
+ * We have no option but to forget the aborted command (even if it still
+ * lacks sense data). The mid-layer may re-issue a command that is in error
+ * recovery (see scsi_send_eh_cmnd), but the logic and data structures in
+ * this driver are such that a command can appear on one queue only.
  *
  * The lock protects driver data structures, but EH handlers also use it
  * to serialize their own execution and prevent their own re-entry.
@@ -2327,6 +2327,7 @@ static int NCR5380_abort(struct scsi_cmn
 		         "abort: removed %p from issue queue\n", cmd);
 		cmd->result = DID_ABORT << 16;
 		cmd->scsi_done(cmd); /* No tag or busy flag to worry about */
+		goto out;
 	}
 
 	if (hostdata->selecting == cmd) {
@@ -2344,6 +2345,8 @@ static int NCR5380_abort(struct scsi_cmn
 		/* Can't call NCR5380_select() and send ABORT because that
 		 * means releasing the lock. Need a bus reset.
 		 */
+		set_host_byte(cmd, DID_ERROR);
+		complete_cmd(instance, cmd);
 		result = FAILED;
 		goto out;
 	}
@@ -2351,45 +2354,9 @@ static int NCR5380_abort(struct scsi_cmn
 	if (hostdata->connected == cmd) {
 		dsprintk(NDEBUG_ABORT, instance, "abort: cmd %p is connected\n", cmd);
 		hostdata->connected = NULL;
-		if (do_abort(instance)) {
-			set_host_byte(cmd, DID_ERROR);
-			complete_cmd(instance, cmd);
-			result = FAILED;
-			goto out;
-		}
-		set_host_byte(cmd, DID_ABORT);
 #ifdef REAL_DMA
 		hostdata->dma_len = 0;
 #endif
-		if (cmd->cmnd[0] == REQUEST_SENSE)
-			complete_cmd(instance, cmd);
-		else {
-			struct NCR5380_cmd *ncmd = scsi_cmd_priv(cmd);
-
-			/* Perform autosense for this command */
-			list_add(&ncmd->list, &hostdata->autosense);
-		}
-	}
-
-	if (list_find_cmd(&hostdata->autosense, cmd)) {
-		dsprintk(NDEBUG_ABORT, instance,
-		         "abort: found %p on sense queue\n", cmd);
-		spin_unlock_irqrestore(&hostdata->lock, flags);
-		queue_work(hostdata->work_q, &hostdata->main_task);
-		msleep(1000);
-		spin_lock_irqsave(&hostdata->lock, flags);
-		if (list_del_cmd(&hostdata->autosense, cmd)) {
-			dsprintk(NDEBUG_ABORT, instance,
-			         "abort: removed %p from sense queue\n", cmd);
-			set_host_byte(cmd, DID_ABORT);
-			complete_cmd(instance, cmd);
-			goto out;
-		}
-	}
-
-	if (hostdata->connected == cmd) {
-		dsprintk(NDEBUG_ABORT, instance, "abort: cmd %p is connected\n", cmd);
-		hostdata->connected = NULL;
 		if (do_abort(instance)) {
 			set_host_byte(cmd, DID_ERROR);
 			complete_cmd(instance, cmd);
@@ -2397,9 +2364,14 @@ static int NCR5380_abort(struct scsi_cmn
 			goto out;
 		}
 		set_host_byte(cmd, DID_ABORT);
-#ifdef REAL_DMA
-		hostdata->dma_len = 0;
-#endif
+		complete_cmd(instance, cmd);
+		goto out;
+	}
+
+	if (list_del_cmd(&hostdata->autosense, cmd)) {
+		dsprintk(NDEBUG_ABORT, instance,
+		         "abort: removed %p from sense queue\n", cmd);
+		set_host_byte(cmd, DID_ERROR);
 		complete_cmd(instance, cmd);
 	}
 
--- a/drivers/scsi/atari_NCR5380.c
+++ b/drivers/scsi/atari_NCR5380.c
@@ -1907,6 +1907,7 @@ static void NCR5380_information_transfer
 				do_abort(instance);
 				cmd->result = DID_ERROR << 16;
 				complete_cmd(instance, cmd);
+				hostdata->connected = NULL;
 				return;
 #endif
 			case PHASE_DATAIN:
@@ -1964,7 +1965,6 @@ static void NCR5380_information_transfer
 						sink = 1;
 						do_abort(instance);
 						cmd->result = DID_ERROR << 16;
-						complete_cmd(instance, cmd);
 						/* XXX - need to source or sink data here, as appropriate */
 					} else {
 #ifdef REAL_DMA
@@ -2489,14 +2489,14 @@ static bool list_del_cmd(struct list_hea
  * [disconnected -> connected ->]...
  * [autosense -> connected ->] done
  *
- * If cmd is unissued then just remove it.
- * If cmd is disconnected, try to select the target.
- * If cmd is connected, try to send an abort message.
- * If cmd is waiting for autosense, give it a chance to complete but check
- * that it isn't left connected.
  * If cmd was not found at all then presumably it has already been completed,
  * in which case return SUCCESS to try to avoid further EH measures.
+ *
  * If the command has not completed yet, we must not fail to find it.
+ * We have no option but to forget the aborted command (even if it still
+ * lacks sense data). The mid-layer may re-issue a command that is in error
+ * recovery (see scsi_send_eh_cmnd), but the logic and data structures in
+ * this driver are such that a command can appear on one queue only.
  *
  * The lock protects driver data structures, but EH handlers also use it
  * to serialize their own execution and prevent their own re-entry.
@@ -2522,6 +2522,7 @@ static int NCR5380_abort(struct scsi_cmn
 		         "abort: removed %p from issue queue\n", cmd);
 		cmd->result = DID_ABORT << 16;
 		cmd->scsi_done(cmd); /* No tag or busy flag to worry about */
+		goto out;
 	}
 
 	if (hostdata->selecting == cmd) {
@@ -2539,6 +2540,8 @@ static int NCR5380_abort(struct scsi_cmn
 		/* Can't call NCR5380_select() and send ABORT because that
 		 * means releasing the lock. Need a bus reset.
 		 */
+		set_host_byte(cmd, DID_ERROR);
+		complete_cmd(instance, cmd);
 		result = FAILED;
 		goto out;
 	}
@@ -2546,45 +2549,9 @@ static int NCR5380_abort(struct scsi_cmn
 	if (hostdata->connected == cmd) {
 		dsprintk(NDEBUG_ABORT, instance, "abort: cmd %p is connected\n", cmd);
 		hostdata->connected = NULL;
-		if (do_abort(instance)) {
-			set_host_byte(cmd, DID_ERROR);
-			complete_cmd(instance, cmd);
-			result = FAILED;
-			goto out;
-		}
-		set_host_byte(cmd, DID_ABORT);
 #ifdef REAL_DMA
 		hostdata->dma_len = 0;
 #endif
-		if (cmd->cmnd[0] == REQUEST_SENSE)
-			complete_cmd(instance, cmd);
-		else {
-			struct NCR5380_cmd *ncmd = scsi_cmd_priv(cmd);
-
-			/* Perform autosense for this command */
-			list_add(&ncmd->list, &hostdata->autosense);
-		}
-	}
-
-	if (list_find_cmd(&hostdata->autosense, cmd)) {
-		dsprintk(NDEBUG_ABORT, instance,
-		         "abort: found %p on sense queue\n", cmd);
-		spin_unlock_irqrestore(&hostdata->lock, flags);
-		queue_work(hostdata->work_q, &hostdata->main_task);
-		msleep(1000);
-		spin_lock_irqsave(&hostdata->lock, flags);
-		if (list_del_cmd(&hostdata->autosense, cmd)) {
-			dsprintk(NDEBUG_ABORT, instance,
-			         "abort: removed %p from sense queue\n", cmd);
-			set_host_byte(cmd, DID_ABORT);
-			complete_cmd(instance, cmd);
-			goto out;
-		}
-	}
-
-	if (hostdata->connected == cmd) {
-		dsprintk(NDEBUG_ABORT, instance, "abort: cmd %p is connected\n", cmd);
-		hostdata->connected = NULL;
 		if (do_abort(instance)) {
 			set_host_byte(cmd, DID_ERROR);
 			complete_cmd(instance, cmd);
@@ -2592,9 +2559,14 @@ static int NCR5380_abort(struct scsi_cmn
 			goto out;
 		}
 		set_host_byte(cmd, DID_ABORT);
-#ifdef REAL_DMA
-		hostdata->dma_len = 0;
-#endif
+		complete_cmd(instance, cmd);
+		goto out;
+	}
+
+	if (list_del_cmd(&hostdata->autosense, cmd)) {
+		dsprintk(NDEBUG_ABORT, instance,
+		         "abort: removed %p from sense queue\n", cmd);
+		set_host_byte(cmd, DID_ERROR);
 		complete_cmd(instance, cmd);
 	}
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 042/238] ncr5380: Fix NCR5380_select() EH checks and result handling
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 041/238] ncr5380: Forget aborted commands Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 043/238] ncr5380: Call scsi_eh_prep_cmnd() and scsi_eh_restore_cmnd() as and when appropriate Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Schmitz, Finn Thain,
	Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

commit ccf6efd78317ef6265829c81a3e1a19f628b1a2d upstream.

Add missing checks for EH abort during arbitration and selection.
Rework the handling of NCR5380_select() result to improve clarity.

Fixes: 707d62b37fbb ("ncr5380: Fix EH during arbitration and selection")
Tested-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/NCR5380.c       |   16 +++++++++++-----
 drivers/scsi/atari_NCR5380.c |   16 +++++++++++-----
 2 files changed, 22 insertions(+), 10 deletions(-)

--- a/drivers/scsi/NCR5380.c
+++ b/drivers/scsi/NCR5380.c
@@ -815,15 +815,17 @@ static void NCR5380_main(struct work_str
 	struct NCR5380_hostdata *hostdata =
 		container_of(work, struct NCR5380_hostdata, main_task);
 	struct Scsi_Host *instance = hostdata->host;
-	struct scsi_cmnd *cmd;
 	int done;
 
 	do {
 		done = 1;
 
 		spin_lock_irq(&hostdata->lock);
-		while (!hostdata->connected &&
-		       (cmd = dequeue_next_cmd(instance))) {
+		while (!hostdata->connected && !hostdata->selecting) {
+			struct scsi_cmnd *cmd = dequeue_next_cmd(instance);
+
+			if (!cmd)
+				break;
 
 			dsprintk(NDEBUG_MAIN, instance, "main: dequeued %p\n", cmd);
 
@@ -840,8 +842,7 @@ static void NCR5380_main(struct work_str
 			 * entire unit.
 			 */
 
-			cmd = NCR5380_select(instance, cmd);
-			if (!cmd) {
+			if (!NCR5380_select(instance, cmd)) {
 				dsprintk(NDEBUG_MAIN, instance, "main: select complete\n");
 			} else {
 				dsprintk(NDEBUG_MAIN | NDEBUG_QUEUES, instance,
@@ -1056,6 +1057,11 @@ static struct scsi_cmnd *NCR5380_select(
 		/* Reselection interrupt */
 		goto out;
 	}
+	if (!hostdata->selecting) {
+		/* Command was aborted */
+		NCR5380_write(MODE_REG, MR_BASE);
+		goto out;
+	}
 	if (err < 0) {
 		NCR5380_write(MODE_REG, MR_BASE);
 		shost_printk(KERN_ERR, instance,
--- a/drivers/scsi/atari_NCR5380.c
+++ b/drivers/scsi/atari_NCR5380.c
@@ -923,7 +923,6 @@ static void NCR5380_main(struct work_str
 	struct NCR5380_hostdata *hostdata =
 		container_of(work, struct NCR5380_hostdata, main_task);
 	struct Scsi_Host *instance = hostdata->host;
-	struct scsi_cmnd *cmd;
 	int done;
 
 	/*
@@ -936,8 +935,11 @@ static void NCR5380_main(struct work_str
 		done = 1;
 
 		spin_lock_irq(&hostdata->lock);
-		while (!hostdata->connected &&
-		       (cmd = dequeue_next_cmd(instance))) {
+		while (!hostdata->connected && !hostdata->selecting) {
+			struct scsi_cmnd *cmd = dequeue_next_cmd(instance);
+
+			if (!cmd)
+				break;
 
 			dsprintk(NDEBUG_MAIN, instance, "main: dequeued %p\n", cmd);
 
@@ -960,8 +962,7 @@ static void NCR5380_main(struct work_str
 #ifdef SUPPORT_TAGS
 			cmd_get_tag(cmd, cmd->cmnd[0] != REQUEST_SENSE);
 #endif
-			cmd = NCR5380_select(instance, cmd);
-			if (!cmd) {
+			if (!NCR5380_select(instance, cmd)) {
 				dsprintk(NDEBUG_MAIN, instance, "main: select complete\n");
 				maybe_release_dma_irq(instance);
 			} else {
@@ -1257,6 +1258,11 @@ static struct scsi_cmnd *NCR5380_select(
 		/* Reselection interrupt */
 		goto out;
 	}
+	if (!hostdata->selecting) {
+		/* Command was aborted */
+		NCR5380_write(MODE_REG, MR_BASE);
+		goto out;
+	}
 	if (err < 0) {
 		NCR5380_write(MODE_REG, MR_BASE);
 		shost_printk(KERN_ERR, instance,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 043/238] ncr5380: Call scsi_eh_prep_cmnd() and scsi_eh_restore_cmnd() as and when appropriate
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 042/238] ncr5380: Fix NCR5380_select() EH checks and result handling Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 044/238] scsi: storvsc: fix SRB_STATUS_ABORTED handling Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Finn Thain, Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Finn Thain <fthain@telegraphics.com.au>

commit 8d5dbec3bcb24a7d071962448e0fecaca8c75cc7 upstream.

This bug causes the wrong command to have its sense pointer overwritten,
which sometimes leads to a NULL pointer deref. Fix this by checking which
command is being requeued before restoring the scsi_eh_save data.

It turns out that some targets will disconnect a REQUEST SENSE command.
The autosense algorithm doesn't anticipate this. Hence multiple commands
can end up undergoing autosense simultaneously, and they will all try to
use the same scsi_eh_save struct, which won't work. Defer autosense when
the scsi_eh_save storage is in use by another command.

Fixes: f27db8eb98a1 ("ncr5380: Fix autosense bugs")
Reported-and-tested-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/NCR5380.c       |    4 ++--
 drivers/scsi/atari_NCR5380.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/scsi/NCR5380.c
+++ b/drivers/scsi/NCR5380.c
@@ -760,7 +760,7 @@ static struct scsi_cmnd *dequeue_next_cm
 	struct NCR5380_cmd *ncmd;
 	struct scsi_cmnd *cmd;
 
-	if (list_empty(&hostdata->autosense)) {
+	if (hostdata->sensing || list_empty(&hostdata->autosense)) {
 		list_for_each_entry(ncmd, &hostdata->unissued, list) {
 			cmd = NCR5380_to_scmd(ncmd);
 			dsprintk(NDEBUG_QUEUES, instance, "dequeue: cmd=%p target=%d busy=0x%02x lun=%llu\n",
@@ -793,7 +793,7 @@ static void requeue_cmd(struct Scsi_Host
 	struct NCR5380_hostdata *hostdata = shost_priv(instance);
 	struct NCR5380_cmd *ncmd = scsi_cmd_priv(cmd);
 
-	if (hostdata->sensing) {
+	if (hostdata->sensing == cmd) {
 		scsi_eh_restore_cmnd(cmd, &hostdata->ses);
 		list_add(&ncmd->list, &hostdata->autosense);
 		hostdata->sensing = NULL;
--- a/drivers/scsi/atari_NCR5380.c
+++ b/drivers/scsi/atari_NCR5380.c
@@ -862,7 +862,7 @@ static struct scsi_cmnd *dequeue_next_cm
 	struct NCR5380_cmd *ncmd;
 	struct scsi_cmnd *cmd;
 
-	if (list_empty(&hostdata->autosense)) {
+	if (hostdata->sensing || list_empty(&hostdata->autosense)) {
 		list_for_each_entry(ncmd, &hostdata->unissued, list) {
 			cmd = NCR5380_to_scmd(ncmd);
 			dsprintk(NDEBUG_QUEUES, instance, "dequeue: cmd=%p target=%d busy=0x%02x lun=%llu\n",
@@ -901,7 +901,7 @@ static void requeue_cmd(struct Scsi_Host
 	struct NCR5380_hostdata *hostdata = shost_priv(instance);
 	struct NCR5380_cmd *ncmd = scsi_cmd_priv(cmd);
 
-	if (hostdata->sensing) {
+	if (hostdata->sensing == cmd) {
 		scsi_eh_restore_cmnd(cmd, &hostdata->ses);
 		list_add(&ncmd->list, &hostdata->autosense);
 		hostdata->sensing = NULL;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 044/238] scsi: storvsc: fix SRB_STATUS_ABORTED handling
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 043/238] ncr5380: Call scsi_eh_prep_cmnd() and scsi_eh_restore_cmnd() as and when appropriate Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 045/238] be2iscsi: set the boot_kset pointer to NULL in case of failure Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vitaly Kuznetsov, K. Y. Srinivasan,
	Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vitaly Kuznetsov <vkuznets@redhat.com>

commit ff06c5ffbcb4ffa542fb80c897be977956fafecc upstream.

Commit 3209f9d780d1 ("scsi: storvsc: Fix a bug in the handling of SRB
status flags") filtered SRB_STATUS_AUTOSENSE_VALID out effectively making
the (SRB_STATUS_ABORTED | SRB_STATUS_AUTOSENSE_VALID) case a dead code. The
logic from this branch (e.g. storvsc_device_scan() call) is still required,
fix the check.

Fixes: 3209f9d780d1 ("scsi: storvsc: Fix a bug in the handling of SRB status flags")
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Acked-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/storvsc_drv.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -914,8 +914,9 @@ static void storvsc_handle_error(struct
 		do_work = true;
 		process_err_fn = storvsc_remove_lun;
 		break;
-	case (SRB_STATUS_ABORTED | SRB_STATUS_AUTOSENSE_VALID):
-		if ((asc == 0x2a) && (ascq == 0x9)) {
+	case SRB_STATUS_ABORTED:
+		if (vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID &&
+		    (asc == 0x2a) && (ascq == 0x9)) {
 			do_work = true;
 			process_err_fn = storvsc_device_scan;
 			/*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 045/238] be2iscsi: set the boot_kset pointer to NULL in case of failure
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 044/238] scsi: storvsc: fix SRB_STATUS_ABORTED handling Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 046/238] aic7xxx: Fix queue depth handling Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maurizio Lombardi,
	Johannes Thumshirn, Jitendra Bhivare, Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maurizio Lombardi <mlombard@redhat.com>

commit 84bd64993f916bcf86270c67686ecf4cea7b8933 upstream.

In beiscsi_setup_boot_info(), the boot_kset pointer should be set to
NULL in case of failure otherwise an invalid pointer dereference may
occur later.

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/be2iscsi/be_main.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -4468,6 +4468,7 @@ put_shost:
 	scsi_host_put(phba->shost);
 free_kset:
 	iscsi_boot_destroy_kset(phba->boot_kset);
+	phba->boot_kset = NULL;
 	return -ENOMEM;
 }
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 046/238] aic7xxx: Fix queue depth handling
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 045/238] be2iscsi: set the boot_kset pointer to NULL in case of failure Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 047/238] libnvdimm: Fix security issue with DSM IOCTL Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Cox, Hannes Reinicke,
	Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alan <gnomes@lxorguk.ukuu.org.uk>

commit 5a51a7abca133860a6f4429655a9eda3c4afde32 upstream.

We were setting the queue depth correctly, then setting it back to
two. If you hit this as a bisection point then please send me an email
as it would imply we've been hiding other bugs with this one.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Reviewed-by: Hannes Reinicke <hare@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/aic7xxx/aic7xxx_osm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/aic7xxx/aic7xxx_osm.c
+++ b/drivers/scsi/aic7xxx/aic7xxx_osm.c
@@ -1336,6 +1336,7 @@ ahc_platform_set_tags(struct ahc_softc *
 	case AHC_DEV_Q_TAGGED:
 		scsi_change_queue_depth(sdev,
 				dev->openings + dev->active);
+		break;
 	default:
 		/*
 		 * We allow the OS to queue 2 untagged transactions to

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 047/238] libnvdimm: Fix security issue with DSM IOCTL.
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 046/238] aic7xxx: Fix queue depth handling Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 048/238] libnvdimm, pmem: fix kmap_atomic() leak in error path Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jerry Hoemann, Dan Williams

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jerry Hoemann <jerry.hoemann@hpe.com>

commit 07accfa9d1a8bac8262f6d24a94a54d2d1f35149 upstream.

Code attempts to prevent certain IOCTL DSM from being called
when device is opened read only.  This security feature can
be trivially overcome by changing the size portion of the
ioctl_command which isn't used.

Check only the _IOC_NR (i.e. the command).

Signed-off-by: Jerry Hoemann <jerry.hoemann@hpe.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/nvdimm/bus.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/nvdimm/bus.c
+++ b/drivers/nvdimm/bus.c
@@ -513,10 +513,10 @@ static int __nd_ioctl(struct nvdimm_bus
 
 	/* fail write commands (when read-only) */
 	if (read_only)
-		switch (ioctl_cmd) {
-		case ND_IOCTL_VENDOR:
-		case ND_IOCTL_SET_CONFIG_DATA:
-		case ND_IOCTL_ARS_START:
+		switch (cmd) {
+		case ND_CMD_VENDOR:
+		case ND_CMD_SET_CONFIG_DATA:
+		case ND_CMD_ARS_START:
 			dev_dbg(&nvdimm_bus->dev, "'%s' command while read-only.\n",
 					nvdimm ? nvdimm_cmd_name(cmd)
 					: nvdimm_bus_cmd_name(cmd));

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 048/238] libnvdimm, pmem: fix kmap_atomic() leak in error path
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 047/238] libnvdimm: Fix security issue with DSM IOCTL Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 049/238] dm snapshot: disallow the COW and origin devices from being identical Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ross Zwisler, Vishal Verma, Dan Williams

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Williams <dan.j.williams@intel.com>

commit b5ebc8ec693281c3c1efff7459a069cbd8b9a149 upstream.

When we enounter a bad block we need to kunmap_atomic() before
returning.

Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/nvdimm/pmem.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/nvdimm/pmem.c
+++ b/drivers/nvdimm/pmem.c
@@ -66,22 +66,25 @@ static int pmem_do_bvec(struct pmem_devi
 			unsigned int len, unsigned int off, int rw,
 			sector_t sector)
 {
+	int rc = 0;
 	void *mem = kmap_atomic(page);
 	phys_addr_t pmem_off = sector * 512 + pmem->data_offset;
 	void __pmem *pmem_addr = pmem->virt_addr + pmem_off;
 
 	if (rw == READ) {
 		if (unlikely(is_bad_pmem(&pmem->bb, sector, len)))
-			return -EIO;
-		memcpy_from_pmem(mem + off, pmem_addr, len);
-		flush_dcache_page(page);
+			rc = -EIO;
+		else {
+			memcpy_from_pmem(mem + off, pmem_addr, len);
+			flush_dcache_page(page);
+		}
 	} else {
 		flush_dcache_page(page);
 		memcpy_to_pmem(pmem_addr, mem + off, len);
 	}
 
 	kunmap_atomic(mem);
-	return 0;
+	return rc;
 }
 
 static blk_qc_t pmem_make_request(struct request_queue *q, struct bio *bio)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 049/238] dm snapshot: disallow the COW and origin devices from being identical
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 048/238] libnvdimm, pmem: fix kmap_atomic() leak in error path Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 050/238] dm: fix excessive dm-mq context switching Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ding Xiang, Mike Snitzer

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: DingXiang <dingxiang@huawei.com>

commit 4df2bf466a9c9c92f40d27c4aa9120f4e8227bfc upstream.

Otherwise loading a "snapshot" table using the same device for the
origin and COW devices, e.g.:

echo "0 20971520 snapshot 253:3 253:3 P 8" | dmsetup create snap

will trigger:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
[ 1958.979934] IP: [<ffffffffa040efba>] dm_exception_store_set_chunk_size+0x7a/0x110 [dm_snapshot]
[ 1958.989655] PGD 0
[ 1958.991903] Oops: 0000 [#1] SMP
...
[ 1959.059647] CPU: 9 PID: 3556 Comm: dmsetup Tainted: G          IO    4.5.0-rc5.snitm+ #150
...
[ 1959.083517] task: ffff8800b9660c80 ti: ffff88032a954000 task.ti: ffff88032a954000
[ 1959.091865] RIP: 0010:[<ffffffffa040efba>]  [<ffffffffa040efba>] dm_exception_store_set_chunk_size+0x7a/0x110 [dm_snapshot]
[ 1959.104295] RSP: 0018:ffff88032a957b30  EFLAGS: 00010246
[ 1959.110219] RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000001
[ 1959.118180] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff880329334a00
[ 1959.126141] RBP: ffff88032a957b50 R08: 0000000000000000 R09: 0000000000000001
[ 1959.134102] R10: 000000000000000a R11: f000000000000000 R12: ffff880330884d80
[ 1959.142061] R13: 0000000000000008 R14: ffffc90001c13088 R15: ffff880330884d80
[ 1959.150021] FS:  00007f8926ba3840(0000) GS:ffff880333440000(0000) knlGS:0000000000000000
[ 1959.159047] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1959.165456] CR2: 0000000000000098 CR3: 000000032f48b000 CR4: 00000000000006e0
[ 1959.173415] Stack:
[ 1959.175656]  ffffc90001c13040 ffff880329334a00 ffff880330884ed0 ffff88032a957bdc
[ 1959.183946]  ffff88032a957bb8 ffffffffa040f225 ffff880329334a30 ffff880300000000
[ 1959.192233]  ffffffffa04133e0 ffff880329334b30 0000000830884d58 00000000569c58cf
[ 1959.200521] Call Trace:
[ 1959.203248]  [<ffffffffa040f225>] dm_exception_store_create+0x1d5/0x240 [dm_snapshot]
[ 1959.211986]  [<ffffffffa040d310>] snapshot_ctr+0x140/0x630 [dm_snapshot]
[ 1959.219469]  [<ffffffffa0005c44>] ? dm_split_args+0x64/0x150 [dm_mod]
[ 1959.226656]  [<ffffffffa0005ea7>] dm_table_add_target+0x177/0x440 [dm_mod]
[ 1959.234328]  [<ffffffffa0009203>] table_load+0x143/0x370 [dm_mod]
[ 1959.241129]  [<ffffffffa00090c0>] ? retrieve_status+0x1b0/0x1b0 [dm_mod]
[ 1959.248607]  [<ffffffffa0009e35>] ctl_ioctl+0x255/0x4d0 [dm_mod]
[ 1959.255307]  [<ffffffff813304e2>] ? memzero_explicit+0x12/0x20
[ 1959.261816]  [<ffffffffa000a0c3>] dm_ctl_ioctl+0x13/0x20 [dm_mod]
[ 1959.268615]  [<ffffffff81215eb6>] do_vfs_ioctl+0xa6/0x5c0
[ 1959.274637]  [<ffffffff81120d2f>] ? __audit_syscall_entry+0xaf/0x100
[ 1959.281726]  [<ffffffff81003176>] ? do_audit_syscall_entry+0x66/0x70
[ 1959.288814]  [<ffffffff81216449>] SyS_ioctl+0x79/0x90
[ 1959.294450]  [<ffffffff8167e4ae>] entry_SYSCALL_64_fastpath+0x12/0x71
...
[ 1959.323277] RIP  [<ffffffffa040efba>] dm_exception_store_set_chunk_size+0x7a/0x110 [dm_snapshot]
[ 1959.333090]  RSP <ffff88032a957b30>
[ 1959.336978] CR2: 0000000000000098
[ 1959.344121] ---[ end trace b049991ccad1169e ]---

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1195899
Signed-off-by: Ding Xiang <dingxiang@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-snap.c          |    9 +++++++++
 drivers/md/dm-table.c         |   36 ++++++++++++++++++++++++------------
 include/linux/device-mapper.h |    2 ++
 3 files changed, 35 insertions(+), 12 deletions(-)

--- a/drivers/md/dm-snap.c
+++ b/drivers/md/dm-snap.c
@@ -1105,6 +1105,7 @@ static int snapshot_ctr(struct dm_target
 	int i;
 	int r = -EINVAL;
 	char *origin_path, *cow_path;
+	dev_t origin_dev, cow_dev;
 	unsigned args_used, num_flush_bios = 1;
 	fmode_t origin_mode = FMODE_READ;
 
@@ -1135,11 +1136,19 @@ static int snapshot_ctr(struct dm_target
 		ti->error = "Cannot get origin device";
 		goto bad_origin;
 	}
+	origin_dev = s->origin->bdev->bd_dev;
 
 	cow_path = argv[0];
 	argv++;
 	argc--;
 
+	cow_dev = dm_get_dev_t(cow_path);
+	if (cow_dev && cow_dev == origin_dev) {
+		ti->error = "COW device cannot be the same as origin device";
+		r = -EINVAL;
+		goto bad_cow;
+	}
+
 	r = dm_get_device(ti, cow_path, dm_table_get_mode(ti->table), &s->cow);
 	if (r) {
 		ti->error = "Cannot get COW device";
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -365,6 +365,26 @@ static int upgrade_mode(struct dm_dev_in
 }
 
 /*
+ * Convert the path to a device
+ */
+dev_t dm_get_dev_t(const char *path)
+{
+	dev_t uninitialized_var(dev);
+	struct block_device *bdev;
+
+	bdev = lookup_bdev(path);
+	if (IS_ERR(bdev))
+		dev = name_to_dev_t(path);
+	else {
+		dev = bdev->bd_dev;
+		bdput(bdev);
+	}
+
+	return dev;
+}
+EXPORT_SYMBOL_GPL(dm_get_dev_t);
+
+/*
  * Add a device to the list, or just increment the usage count if
  * it's already present.
  */
@@ -372,23 +392,15 @@ int dm_get_device(struct dm_target *ti,
 		  struct dm_dev **result)
 {
 	int r;
-	dev_t uninitialized_var(dev);
+	dev_t dev;
 	struct dm_dev_internal *dd;
 	struct dm_table *t = ti->table;
-	struct block_device *bdev;
 
 	BUG_ON(!t);
 
-	/* convert the path to a device */
-	bdev = lookup_bdev(path);
-	if (IS_ERR(bdev)) {
-		dev = name_to_dev_t(path);
-		if (!dev)
-			return -ENODEV;
-	} else {
-		dev = bdev->bd_dev;
-		bdput(bdev);
-	}
+	dev = dm_get_dev_t(path);
+	if (!dev)
+		return -ENODEV;
 
 	dd = find_device(&t->devices, dev);
 	if (!dd) {
--- a/include/linux/device-mapper.h
+++ b/include/linux/device-mapper.h
@@ -124,6 +124,8 @@ struct dm_dev {
 	char name[16];
 };
 
+dev_t dm_get_dev_t(const char *path);
+
 /*
  * Constructors should call these functions to ensure destination devices
  * are opened/closed correctly.

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 050/238] dm: fix excessive dm-mq context switching
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 049/238] dm snapshot: disallow the COW and origin devices from being identical Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 051/238] dm thin metadata: dont issue prefetches if a transaction abort has failed Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sagi Grimberg, Mike Snitzer, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Snitzer <snitzer@redhat.com>

commit 6acfe68bac7e6f16dc312157b1fa6e2368985013 upstream.

Request-based DM's blk-mq support (dm-mq) was reported to be 50% slower
than if an underlying null_blk device were used directly.  One of the
reasons for this drop in performance is that blk_insert_clone_request()
was calling blk_mq_insert_request() with @async=true.  This forced the
use of kblockd_schedule_delayed_work_on() to run the blk-mq hw queues
which ushered in ping-ponging between process context (fio in this case)
and kblockd's kworker to submit the cloned request.  The ftrace
function_graph tracer showed:

  kworker-2013  =>   fio-12190
  fio-12190    =>  kworker-2013
  ...
  kworker-2013  =>   fio-12190
  fio-12190    =>  kworker-2013
  ...

Fixing blk_insert_clone_request()'s blk_mq_insert_request() call to
_not_ use kblockd to submit the cloned requests isn't enough to
eliminate the observed context switches.

In addition to this dm-mq specific blk-core fix, there are 2 DM core
fixes to dm-mq that (when paired with the blk-core fix) completely
eliminate the observed context switching:

1)  don't blk_mq_run_hw_queues in blk-mq request completion

    Motivated by desire to reduce overhead of dm-mq, punting to kblockd
    just increases context switches.

    In my testing against a really fast null_blk device there was no benefit
    to running blk_mq_run_hw_queues() on completion (and no other blk-mq
    driver does this).  So hopefully this change doesn't induce the need for
    yet another revert like commit 621739b00e16ca2d !

2)  use blk_mq_complete_request() in dm_complete_request()

    blk_complete_request() doesn't offer the traditional q->mq_ops vs
    .request_fn branching pattern that other historic block interfaces
    do (e.g. blk_get_request).  Using blk_mq_complete_request() for
    blk-mq requests is important for performance.  It should be noted
    that, like blk_complete_request(), blk_mq_complete_request() doesn't
    natively handle partial completions -- but the request-based
    DM-multipath target does provide the required partial completion
    support by dm.c:end_clone_bio() triggering requeueing of the request
    via dm-mpath.c:multipath_end_io()'s return of DM_ENDIO_REQUEUE.

dm-mq fix #2 is _much_ more important than #1 for eliminating the
context switches.
Before: cpu          : usr=15.10%, sys=59.39%, ctx=7905181, majf=0, minf=475
After:  cpu          : usr=20.60%, sys=79.35%, ctx=2008, majf=0, minf=472

With these changes multithreaded async read IOPs improved from ~950K
to ~1350K for this dm-mq stacked on null_blk test-case.  The raw read
IOPs of the underlying null_blk device for the same workload is ~1950K.

Fixes: 7fb4898e0 ("block: add blk-mq support to blk_insert_cloned_request()")
Fixes: bfebd1cdb ("dm: add full blk-mq support to request-based DM")
Reported-by: Sagi Grimberg <sagig@dev.mellanox.co.il>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Acked-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/blk-core.c |    2 +-
 drivers/md/dm.c  |   13 ++++++-------
 2 files changed, 7 insertions(+), 8 deletions(-)

--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -2198,7 +2198,7 @@ int blk_insert_cloned_request(struct req
 	if (q->mq_ops) {
 		if (blk_queue_io_stat(q))
 			blk_account_io_start(rq, true);
-		blk_mq_insert_request(rq, false, true, true);
+		blk_mq_insert_request(rq, false, true, false);
 		return 0;
 	}
 
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1109,12 +1109,8 @@ static void rq_completed(struct mapped_d
 	 * back into ->request_fn() could deadlock attempting to grab the
 	 * queue lock again.
 	 */
-	if (run_queue) {
-		if (md->queue->mq_ops)
-			blk_mq_run_hw_queues(md->queue, true);
-		else
-			blk_run_queue_async(md->queue);
-	}
+	if (!md->queue->mq_ops && run_queue)
+		blk_run_queue_async(md->queue);
 
 	/*
 	 * dm_put() must be at the end of this function. See the comment above
@@ -1336,7 +1332,10 @@ static void dm_complete_request(struct r
 	struct dm_rq_target_io *tio = tio_from_request(rq);
 
 	tio->error = error;
-	blk_complete_request(rq);
+	if (!rq->q->mq_ops)
+		blk_complete_request(rq);
+	else
+		blk_mq_complete_request(rq, error);
 }
 
 /*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 051/238] dm thin metadata: dont issue prefetches if a transaction abort has failed
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 050/238] dm: fix excessive dm-mq context switching Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 052/238] dm cache: make sure every metadata function checks fail_io Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joe Thornber, Mike Snitzer

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Thornber <ejt@redhat.com>

commit 2eae9e4489b4cf83213fa3bd508b5afca3f01780 upstream.

If a transaction abort has failed then we can no longer use the metadata
device.  Typically this happens if the superblock is unreadable.

This fix addresses a crash seen during metadata device failure testing.

Fixes: 8a01a6af75 ("dm thin: prefetch missing metadata pages")
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-thin-metadata.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -1981,5 +1981,8 @@ bool dm_pool_metadata_needs_check(struct
 
 void dm_pool_issue_prefetches(struct dm_pool_metadata *pmd)
 {
-	dm_tm_issue_prefetches(pmd->tm);
+	down_read(&pmd->root_lock);
+	if (!pmd->fail_io)
+		dm_tm_issue_prefetches(pmd->tm);
+	up_read(&pmd->root_lock);
 }

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 052/238] dm cache: make sure every metadata function checks fail_io
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 051/238] dm thin metadata: dont issue prefetches if a transaction abort has failed Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-12  1:27   ` Ben Hutchings
  2016-04-10 18:33 ` [PATCH 4.5 053/238] dm: fix rq_end_stats() NULL pointer in dm_requeue_original_request() Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  229 siblings, 1 reply; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joe Thornber, Mike Snitzer

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joe Thornber <ejt@redhat.com>

commit d14fcf3dd79c0b8a8d0ba469c44a6b04f3a1403b upstream.

Otherwise operations may be attempted that will only ever go on to crash
(since the metadata device is either missing or unreliable if 'fail_io'
is set).

Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-cache-metadata.c |   98 ++++++++++++++++++++++++-----------------
 drivers/md/dm-cache-metadata.h |    4 -
 drivers/md/dm-cache-target.c   |   12 ++++-
 3 files changed, 71 insertions(+), 43 deletions(-)

--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -867,19 +867,40 @@ static int blocks_are_unmapped_or_clean(
 	return 0;
 }
 
-#define WRITE_LOCK(cmd) \
-	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) \
+#define WRITE_LOCK(cmd)	\
+	down_write(&cmd->root_lock); \
+	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
+		up_write(&cmd->root_lock); \
 		return -EINVAL; \
-	down_write(&cmd->root_lock)
+	}
 
 #define WRITE_LOCK_VOID(cmd) \
-	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) \
+	down_write(&cmd->root_lock); \
+	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
+		up_write(&cmd->root_lock); \
 		return; \
-	down_write(&cmd->root_lock)
+	}
 
 #define WRITE_UNLOCK(cmd) \
 	up_write(&cmd->root_lock)
 
+#define READ_LOCK(cmd) \
+	down_read(&cmd->root_lock); \
+	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
+		up_read(&cmd->root_lock); \
+		return -EINVAL; \
+	}
+
+#define READ_LOCK_VOID(cmd)	\
+	down_read(&cmd->root_lock); \
+	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
+		up_read(&cmd->root_lock); \
+		return; \
+	}
+
+#define READ_UNLOCK(cmd) \
+	up_read(&cmd->root_lock)
+
 int dm_cache_resize(struct dm_cache_metadata *cmd, dm_cblock_t new_cache_size)
 {
 	int r;
@@ -1015,22 +1036,20 @@ int dm_cache_load_discards(struct dm_cac
 {
 	int r;
 
-	down_read(&cmd->root_lock);
+	READ_LOCK(cmd);
 	r = __load_discards(cmd, fn, context);
-	up_read(&cmd->root_lock);
+	READ_UNLOCK(cmd);
 
 	return r;
 }
 
-dm_cblock_t dm_cache_size(struct dm_cache_metadata *cmd)
+int dm_cache_size(struct dm_cache_metadata *cmd, dm_cblock_t *result)
 {
-	dm_cblock_t r;
+	READ_LOCK(cmd);
+	*result = cmd->cache_blocks;
+	READ_UNLOCK(cmd);
 
-	down_read(&cmd->root_lock);
-	r = cmd->cache_blocks;
-	up_read(&cmd->root_lock);
-
-	return r;
+	return 0;
 }
 
 static int __remove(struct dm_cache_metadata *cmd, dm_cblock_t cblock)
@@ -1188,9 +1207,9 @@ int dm_cache_load_mappings(struct dm_cac
 {
 	int r;
 
-	down_read(&cmd->root_lock);
+	READ_LOCK(cmd);
 	r = __load_mappings(cmd, policy, fn, context);
-	up_read(&cmd->root_lock);
+	READ_UNLOCK(cmd);
 
 	return r;
 }
@@ -1215,18 +1234,18 @@ static int __dump_mappings(struct dm_cac
 
 void dm_cache_dump(struct dm_cache_metadata *cmd)
 {
-	down_read(&cmd->root_lock);
+	READ_LOCK_VOID(cmd);
 	__dump_mappings(cmd);
-	up_read(&cmd->root_lock);
+	READ_UNLOCK(cmd);
 }
 
 int dm_cache_changed_this_transaction(struct dm_cache_metadata *cmd)
 {
 	int r;
 
-	down_read(&cmd->root_lock);
+	READ_LOCK(cmd);
 	r = cmd->changed;
-	up_read(&cmd->root_lock);
+	READ_UNLOCK(cmd);
 
 	return r;
 }
@@ -1276,9 +1295,9 @@ int dm_cache_set_dirty(struct dm_cache_m
 void dm_cache_metadata_get_stats(struct dm_cache_metadata *cmd,
 				 struct dm_cache_statistics *stats)
 {
-	down_read(&cmd->root_lock);
+	READ_LOCK_VOID(cmd);
 	*stats = cmd->stats;
-	up_read(&cmd->root_lock);
+	READ_UNLOCK(cmd);
 }
 
 void dm_cache_metadata_set_stats(struct dm_cache_metadata *cmd,
@@ -1312,9 +1331,9 @@ int dm_cache_get_free_metadata_block_cou
 {
 	int r = -EINVAL;
 
-	down_read(&cmd->root_lock);
+	READ_LOCK(cmd);
 	r = dm_sm_get_nr_free(cmd->metadata_sm, result);
-	up_read(&cmd->root_lock);
+	READ_UNLOCK(cmd);
 
 	return r;
 }
@@ -1324,9 +1343,9 @@ int dm_cache_get_metadata_dev_size(struc
 {
 	int r = -EINVAL;
 
-	down_read(&cmd->root_lock);
+	READ_LOCK(cmd);
 	r = dm_sm_get_nr_blocks(cmd->metadata_sm, result);
-	up_read(&cmd->root_lock);
+	READ_UNLOCK(cmd);
 
 	return r;
 }
@@ -1417,7 +1436,13 @@ int dm_cache_write_hints(struct dm_cache
 
 int dm_cache_metadata_all_clean(struct dm_cache_metadata *cmd, bool *result)
 {
-	return blocks_are_unmapped_or_clean(cmd, 0, cmd->cache_blocks, result);
+	int r;
+
+	READ_LOCK(cmd);
+	r = blocks_are_unmapped_or_clean(cmd, 0, cmd->cache_blocks, result);
+	READ_UNLOCK(cmd);
+
+	return r;
 }
 
 void dm_cache_metadata_set_read_only(struct dm_cache_metadata *cmd)
@@ -1440,10 +1465,7 @@ int dm_cache_metadata_set_needs_check(st
 	struct dm_block *sblock;
 	struct cache_disk_superblock *disk_super;
 
-	/*
-	 * We ignore fail_io for this function.
-	 */
-	down_write(&cmd->root_lock);
+	WRITE_LOCK(cmd);
 	set_bit(NEEDS_CHECK, &cmd->flags);
 
 	r = superblock_lock(cmd, &sblock);
@@ -1458,19 +1480,17 @@ int dm_cache_metadata_set_needs_check(st
 	dm_bm_unlock(sblock);
 
 out:
-	up_write(&cmd->root_lock);
+	WRITE_UNLOCK(cmd);
 	return r;
 }
 
-bool dm_cache_metadata_needs_check(struct dm_cache_metadata *cmd)
+int dm_cache_metadata_needs_check(struct dm_cache_metadata *cmd, bool *result)
 {
-	bool needs_check;
+	READ_LOCK(cmd);
+	*result = !!test_bit(NEEDS_CHECK, &cmd->flags);
+	READ_UNLOCK(cmd);
 
-	down_read(&cmd->root_lock);
-	needs_check = !!test_bit(NEEDS_CHECK, &cmd->flags);
-	up_read(&cmd->root_lock);
-
-	return needs_check;
+	return 0;
 }
 
 int dm_cache_metadata_abort(struct dm_cache_metadata *cmd)
--- a/drivers/md/dm-cache-metadata.h
+++ b/drivers/md/dm-cache-metadata.h
@@ -66,7 +66,7 @@ void dm_cache_metadata_close(struct dm_c
  * origin blocks to map to.
  */
 int dm_cache_resize(struct dm_cache_metadata *cmd, dm_cblock_t new_cache_size);
-dm_cblock_t dm_cache_size(struct dm_cache_metadata *cmd);
+int dm_cache_size(struct dm_cache_metadata *cmd, dm_cblock_t *result);
 
 int dm_cache_discard_bitset_resize(struct dm_cache_metadata *cmd,
 				   sector_t discard_block_size,
@@ -137,7 +137,7 @@ int dm_cache_write_hints(struct dm_cache
  */
 int dm_cache_metadata_all_clean(struct dm_cache_metadata *cmd, bool *result);
 
-bool dm_cache_metadata_needs_check(struct dm_cache_metadata *cmd);
+int dm_cache_metadata_needs_check(struct dm_cache_metadata *cmd, bool *result);
 int dm_cache_metadata_set_needs_check(struct dm_cache_metadata *cmd);
 void dm_cache_metadata_set_read_only(struct dm_cache_metadata *cmd);
 void dm_cache_metadata_set_read_write(struct dm_cache_metadata *cmd);
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -984,9 +984,14 @@ static void notify_mode_switch(struct ca
 
 static void set_cache_mode(struct cache *cache, enum cache_metadata_mode new_mode)
 {
-	bool needs_check = dm_cache_metadata_needs_check(cache->cmd);
+	bool needs_check;
 	enum cache_metadata_mode old_mode = get_cache_mode(cache);
 
+	if (dm_cache_metadata_needs_check(cache->cmd, &needs_check)) {
+		DMERR("unable to read needs_check flag, setting failure mode");
+		new_mode = CM_FAIL;
+	}
+
 	if (new_mode == CM_WRITE && needs_check) {
 		DMERR("%s: unable to switch cache to write mode until repaired.",
 		      cache_device_name(cache));
@@ -3510,6 +3515,7 @@ static void cache_status(struct dm_targe
 	char buf[BDEVNAME_SIZE];
 	struct cache *cache = ti->private;
 	dm_cblock_t residency;
+	bool needs_check;
 
 	switch (type) {
 	case STATUSTYPE_INFO:
@@ -3583,7 +3589,9 @@ static void cache_status(struct dm_targe
 		else
 			DMEMIT("rw ");
 
-		if (dm_cache_metadata_needs_check(cache->cmd))
+		r = dm_cache_metadata_needs_check(cache->cmd, &needs_check);
+
+		if (r || needs_check)
 			DMEMIT("needs_check ");
 		else
 			DMEMIT("- ");

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 053/238] dm: fix rq_end_stats() NULL pointer in dm_requeue_original_request()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 052/238] dm cache: make sure every metadata function checks fail_io Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 054/238] usb: retry reset if a device times out Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bryn M. Reeves, Mike Snitzer

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bryn M. Reeves <bmr@redhat.com>

commit 98dbc9c6c61698792e3a66f32f3bf066201d42d7 upstream.

An "old" (.request_fn) DM 'struct request' stores a pointer to the
associated 'struct dm_rq_target_io' in rq->special.

dm_requeue_original_request(), previously named
dm_requeue_unmapped_original_request(), called dm_unprep_request() to
reset rq->special to NULL.  But rq_end_stats() would go on to hit a NULL
pointer deference because its call to tio_from_request() returned NULL.

Fix this by calling rq_end_stats() _before_ dm_unprep_request()

Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Fixes: e262f34741 ("dm stats: add support for request-based DM devices")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1210,9 +1210,9 @@ static void dm_requeue_original_request(
 {
 	int rw = rq_data_dir(rq);
 
+	rq_end_stats(md, rq);
 	dm_unprep_request(rq);
 
-	rq_end_stats(md, rq);
 	if (!rq->q->mq_ops)
 		old_requeue_request(rq);
 	else {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 054/238] usb: retry reset if a device times out
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 053/238] dm: fix rq_end_stats() NULL pointer in dm_requeue_original_request() Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 055/238] usb: hub: fix a typo in hub_port_init() leading to wrong logic Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 264904ccc33c604d4b3141bbd33808152dfac45b upstream.

Some devices I got show an inability to operate right after
power on if they are already connected. They are beyond recovery
if the descriptors are requested multiple times. So in case of
a timeout we rather bail early and reset again. But it must be
done only on the first loop lest we get into a reset/time out
spiral that can be overcome with a retry.

This patch is a rework of a patch that fell through the cracks.
http://www.spinics.net/lists/linux-usb/msg103263.html

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/hub.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4441,7 +4441,13 @@ hub_port_init(struct usb_hub *hub, struc
 						r = -EPROTO;
 					break;
 				}
-				if (r == 0)
+				/*
+				 * Some devices time out if they are powered on
+				 * when already connected. They need a second
+				 * reset. But only on the first attempt,
+				 * lest we get into a time out/reset loop
+				 */
+				if (r == 0  || (r == -ETIMEDOUT && j == 0))
 					break;
 			}
 			udev->descriptor.bMaxPacketSize0 =

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 055/238] usb: hub: fix a typo in hub_port_init() leading to wrong logic
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 054/238] usb: retry reset if a device times out Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 056/238] USB: uas: Reduce can_queue to MAX_CMNDS Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 0d5ce778c43bf888328231bcdce05d5c860655aa upstream.

A typo of j for i led to a logic bug. To rule out future
confusion, the variable names are made meaningful.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/hub.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -4292,7 +4292,7 @@ hub_port_init(struct usb_hub *hub, struc
 {
 	struct usb_device	*hdev = hub->hdev;
 	struct usb_hcd		*hcd = bus_to_hcd(hdev->bus);
-	int			i, j, retval;
+	int			retries, operations, retval, i;
 	unsigned		delay = HUB_SHORT_RESET_TIME;
 	enum usb_device_speed	oldspeed = udev->speed;
 	const char		*speed;
@@ -4394,7 +4394,7 @@ hub_port_init(struct usb_hub *hub, struc
 	 * first 8 bytes of the device descriptor to get the ep0 maxpacket
 	 * value.
 	 */
-	for (i = 0; i < GET_DESCRIPTOR_TRIES; (++i, msleep(100))) {
+	for (retries = 0; retries < GET_DESCRIPTOR_TRIES; (++retries, msleep(100))) {
 		bool did_new_scheme = false;
 
 		if (use_new_scheme(udev, retry_counter)) {
@@ -4421,7 +4421,7 @@ hub_port_init(struct usb_hub *hub, struc
 			 * 255 is for WUSB devices, we actually need to use
 			 * 512 (WUSB1.0[4.8.1]).
 			 */
-			for (j = 0; j < 3; ++j) {
+			for (operations = 0; operations < 3; ++operations) {
 				buf->bMaxPacketSize0 = 0;
 				r = usb_control_msg(udev, usb_rcvaddr0pipe(),
 					USB_REQ_GET_DESCRIPTOR, USB_DIR_IN,
@@ -4447,7 +4447,7 @@ hub_port_init(struct usb_hub *hub, struc
 				 * reset. But only on the first attempt,
 				 * lest we get into a time out/reset loop
 				 */
-				if (r == 0  || (r == -ETIMEDOUT && j == 0))
+				if (r == 0  || (r == -ETIMEDOUT && retries == 0))
 					break;
 			}
 			udev->descriptor.bMaxPacketSize0 =
@@ -4479,7 +4479,7 @@ hub_port_init(struct usb_hub *hub, struc
 		 * authorization will assign the final address.
 		 */
 		if (udev->wusb == 0) {
-			for (j = 0; j < SET_ADDRESS_TRIES; ++j) {
+			for (operations = 0; operations < SET_ADDRESS_TRIES; ++operations) {
 				retval = hub_set_address(udev, devnum);
 				if (retval >= 0)
 					break;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 056/238] USB: uas: Reduce can_queue to MAX_CMNDS
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 055/238] usb: hub: fix a typo in hub_port_init() leading to wrong logic Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 057/238] USB: cdc-acm: more sanity checking Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 55ff8cfbc4e12a7d2187df523938cc671fbebdd1 upstream.

The uas driver can never queue more then MAX_CMNDS (- 1) tags and tags
are shared between luns, so there is no need to claim that we can_queue
some random large number.

Not claiming that we can_queue 65536 commands, fixes the uas driver
failing to initialize while allocating the tag map with a "Page allocation
failure (order 7)" error on systems which have been running for a while
and thus have fragmented memory.

Reported-and-tested-by: Yves-Alexis Perez <corsac@corsac.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/storage/uas.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -812,7 +812,7 @@ static struct scsi_host_template uas_hos
 	.slave_configure = uas_slave_configure,
 	.eh_abort_handler = uas_eh_abort_handler,
 	.eh_bus_reset_handler = uas_eh_bus_reset_handler,
-	.can_queue = 65536,	/* Is there a limit on the _host_ ? */
+	.can_queue = MAX_CMNDS,
 	.this_id = -1,
 	.sg_tablesize = SG_NONE,
 	.skip_settle_delay = 1,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 057/238] USB: cdc-acm: more sanity checking
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 056/238] USB: uas: Reduce can_queue to MAX_CMNDS Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 8835ba4a39cf53f705417b3b3a94eb067673f2c9 upstream.

An attack has become available which pretends to be a quirky
device circumventing normal sanity checks and crashes the kernel
by an insufficient number of interfaces. This patch adds a check
to the code path for quirky devices.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/class/cdc-acm.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1114,6 +1114,9 @@ static int acm_probe(struct usb_interfac
 	if (quirks == NO_UNION_NORMAL) {
 		data_interface = usb_ifnum_to_if(usb_dev, 1);
 		control_interface = usb_ifnum_to_if(usb_dev, 0);
+		/* we would crash */
+		if (!data_interface || !control_interface)
+			return -ENODEV;
 		goto skip_normal_probe;
 	}
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 057/238] USB: cdc-acm: more sanity checking Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-12  1:37   ` Ben Hutchings
  2016-04-10 18:33 ` [PATCH 4.5 059/238] USB: usb_driver_claim_interface: add sanity checking Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  229 siblings, 1 reply; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ralf Spenneberg, Josh Boyer

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josh Boyer <jwboyer@fedoraproject.org>

commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.

The iowarrior driver expects at least one valid endpoint.  If given
malicious descriptors that specify 0 for the number of endpoints,
it will crash in the probe function.  Ensure there is at least
one endpoint on the interface before using it.

The full report of this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/87

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/iowarrior.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_in
 	iface_desc = interface->cur_altsetting;
 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
 
+	if (iface_desc->desc.bNumEndpoints < 1) {
+		dev_err(&interface->dev, "Invalid number of endpoints\n");
+		retval = -EINVAL;
+		goto error;
+	}
+
 	/* set up the endpoint information */
 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
 		endpoint = &iface_desc->endpoint[i].desc;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 059/238] USB: usb_driver_claim_interface: add sanity checking
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 060/238] USB: mct_u232: add sanity checking in probe Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 0b818e3956fc1ad976bee791eadcbb3b5fec5bfd upstream.

Attacks that trick drivers into passing a NULL pointer
to usb_driver_claim_interface() using forged descriptors are
known. This thwarts them by sanity checking.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/driver.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -502,11 +502,15 @@ static int usb_unbind_interface(struct d
 int usb_driver_claim_interface(struct usb_driver *driver,
 				struct usb_interface *iface, void *priv)
 {
-	struct device *dev = &iface->dev;
+	struct device *dev;
 	struct usb_device *udev;
 	int retval = 0;
 	int lpm_disable_error;
 
+	if (!iface)
+		return -ENODEV;
+
+	dev = &iface->dev;
 	if (dev->driver)
 		return -EBUSY;
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 060/238] USB: mct_u232: add sanity checking in probe
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 059/238] USB: usb_driver_claim_interface: add sanity checking Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 061/238] USB: digi_acceleport: do sanity checking for the number of ports Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum, Johan Hovold

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream.

An attack using the lack of sanity checking in probe is known. This
patch checks for the existence of a second port.

CVE-2016-3136

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
[johan: add error message ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/mct_u232.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/mct_u232.c
+++ b/drivers/usb/serial/mct_u232.c
@@ -376,14 +376,21 @@ static void mct_u232_msr_to_state(struct
 
 static int mct_u232_port_probe(struct usb_serial_port *port)
 {
+	struct usb_serial *serial = port->serial;
 	struct mct_u232_private *priv;
 
+	/* check first to simplify error handling */
+	if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
+		dev_err(&port->dev, "expected endpoint missing\n");
+		return -ENODEV;
+	}
+
 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
 
 	/* Use second interrupt-in endpoint for reading. */
-	priv->read_urb = port->serial->port[1]->interrupt_in_urb;
+	priv->read_urb = serial->port[1]->interrupt_in_urb;
 	priv->read_urb->context = port;
 
 	spin_lock_init(&priv->lock);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 061/238] USB: digi_acceleport: do sanity checking for the number of ports
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 060/238] USB: mct_u232: add sanity checking in probe Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:33 ` [PATCH 4.5 062/238] USB: cypress_m8: add endpoint sanity check Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum, Johan Hovold

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream.

The driver can be crashed with devices that expose crafted descriptors
with too few endpoints.

See: http://seclists.org/bugtraq/2016/Mar/61

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
[johan: fix OOB endpoint check and add error messages ]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/digi_acceleport.c |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1251,8 +1251,27 @@ static int digi_port_init(struct usb_ser
 
 static int digi_startup(struct usb_serial *serial)
 {
+	struct device *dev = &serial->interface->dev;
 	struct digi_serial *serial_priv;
 	int ret;
+	int i;
+
+	/* check whether the device has the expected number of endpoints */
+	if (serial->num_port_pointers < serial->type->num_ports + 1) {
+		dev_err(dev, "OOB endpoints missing\n");
+		return -ENODEV;
+	}
+
+	for (i = 0; i < serial->type->num_ports + 1 ; i++) {
+		if (!serial->port[i]->read_urb) {
+			dev_err(dev, "bulk-in endpoint missing\n");
+			return -ENODEV;
+		}
+		if (!serial->port[i]->write_urb) {
+			dev_err(dev, "bulk-out endpoint missing\n");
+			return -ENODEV;
+		}
+	}
 
 	serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
 	if (!serial_priv)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 062/238] USB: cypress_m8: add endpoint sanity check
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 061/238] USB: digi_acceleport: do sanity checking for the number of ports Greg Kroah-Hartman
@ 2016-04-10 18:33 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 063/238] USB: serial: cp210x: Adding GE Healthcare Device ID Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum, Johan Hovold

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream.

An attack using missing endpoints exists.

CVE-2016-3137

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/cypress_m8.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(st
 	struct usb_serial *serial = port->serial;
 	struct cypress_private *priv;
 
+	if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
+		dev_err(&port->dev, "required endpoint is missing\n");
+		return -ENODEV;
+	}
+
 	priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struc
 		cypress_set_termios(tty, port, &priv->tmp_termios);
 
 	/* setup the port and start reading from the device */
-	if (!port->interrupt_in_urb) {
-		dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
-			__func__);
-		return -1;
-	}
-
 	usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
 		usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
 		port->interrupt_in_urb->transfer_buffer,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 063/238] USB: serial: cp210x: Adding GE Healthcare Device ID
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2016-04-10 18:33 ` [PATCH 4.5 062/238] USB: cypress_m8: add endpoint sanity check Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 064/238] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martyn Welch, Johan Hovold

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Martyn Welch <martyn.welch@collabora.co.uk>

commit cddc9434e3dcc37a85c4412fb8e277d3a582e456 upstream.

The CP2105 is used in the GE Healthcare Remote Alarm Box, with the
Manufacturer ID of 0x1901 and Product ID of 0x0194.

Signed-off-by: Martyn Welch <martyn.welch@collabora.co.uk>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/cp210x.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -165,6 +165,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
 	{ USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
 	{ USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
+	{ USB_DEVICE(0x1901, 0x0194) },	/* GE Healthcare Remote Alarm Box */
 	{ USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
 	{ USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
 	{ USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 064/238] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 063/238] USB: serial: cp210x: Adding GE Healthcare Device ID Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 066/238] rt2x00: add new rt2800usb device Buffalo WLI-UC-G450 Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, thesource, Josh Boyer, Johan Hovold

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josh Boyer <jwboyer@fedoraproject.org>

commit ea6db90e750328068837bed34cb1302b7a177339 upstream.

A Fedora user reports that the ftdi_sio driver works properly for the
ICP DAS I-7561U device.  Further, the user manual for these devices
instructs users to load the driver and add the ids using the sysfs
interface.

Add support for these in the driver directly so that the devices work
out of the box instead of needing manual configuration.

Reported-by: <thesource@mail.ru>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/serial/ftdi_sio.c     |    4 ++++
 drivers/usb/serial/ftdi_sio_ids.h |    8 ++++++++
 2 files changed, 12 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -1004,6 +1004,10 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
 	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
 	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
+	/* ICP DAS I-756xU devices */
+	{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
+	{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
+	{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
 	{ }					/* Terminating entry */
 };
 
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -872,6 +872,14 @@
 #define NOVITUS_BONO_E_PID		0x6010
 
 /*
+ * ICPDAS I-756*U devices
+ */
+#define ICPDAS_VID			0x1b5c
+#define ICPDAS_I7560U_PID		0x0103
+#define ICPDAS_I7561U_PID		0x0104
+#define ICPDAS_I7563U_PID		0x0105
+
+/*
  * RT Systems programming cables for various ham radios
  */
 #define RTSYSTEMS_VID		0x2100	/* Vendor ID */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 066/238] rt2x00: add new rt2800usb device Buffalo WLI-UC-G450
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 064/238] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 067/238] [media] pwc: Add USB id for Philips Spc880nc webcam Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anthony Wong, Stanislaw Gruszka, Kalle Valo

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anthony Wong <anthony.wong@ubuntu.com>

commit f36f299068794ffc5026f25b6a1b3ed615ea832d upstream.

Add USB ID 0411:01fd for Buffalo WLI-UC-G450 wireless adapter,
RT chipset 3593

Signed-off-by: Anthony Wong <anthony.wong@ubuntu.com>
Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ralink/rt2x00/rt2800usb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/wireless/ralink/rt2x00/rt2800usb.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2800usb.c
@@ -1026,6 +1026,7 @@ static struct usb_device_id rt2800usb_de
 	{ USB_DEVICE(0x0411, 0x01a2) },
 	{ USB_DEVICE(0x0411, 0x01ee) },
 	{ USB_DEVICE(0x0411, 0x01a8) },
+	{ USB_DEVICE(0x0411, 0x01fd) },
 	/* Corega */
 	{ USB_DEVICE(0x07aa, 0x002f) },
 	{ USB_DEVICE(0x07aa, 0x003c) },

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 067/238] [media] pwc: Add USB id for Philips Spc880nc webcam
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 066/238] rt2x00: add new rt2800usb device Buffalo WLI-UC-G450 Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 068/238] Input: powermate - fix oops with malicious USB descriptors Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kikim, Hans de Goede, Mauro Carvalho Chehab

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 7445e45d19a09e5269dc85f17f9635be29d2f76c upstream.

SPC 880NC PC camera discussions:
	http://www.pclinuxos.com/forum/index.php/topic,135688.0.html

Reported-by: Kikim <klucznik0@op.pl>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/pwc/pwc-if.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/media/usb/pwc/pwc-if.c
+++ b/drivers/media/usb/pwc/pwc-if.c
@@ -91,6 +91,7 @@ static const struct usb_device_id pwc_de
 	{ USB_DEVICE(0x0471, 0x0312) },
 	{ USB_DEVICE(0x0471, 0x0313) }, /* the 'new' 720K */
 	{ USB_DEVICE(0x0471, 0x0329) }, /* Philips SPC 900NC PC Camera */
+	{ USB_DEVICE(0x0471, 0x032C) }, /* Philips SPC 880NC PC Camera */
 	{ USB_DEVICE(0x069A, 0x0001) }, /* Askey */
 	{ USB_DEVICE(0x046D, 0x08B0) }, /* Logitech QuickCam Pro 3000 */
 	{ USB_DEVICE(0x046D, 0x08B1) }, /* Logitech QuickCam Notebook Pro */
@@ -810,6 +811,11 @@ static int usb_pwc_probe(struct usb_inte
 			name = "Philips SPC 900NC webcam";
 			type_id = 740;
 			break;
+		case 0x032C:
+			PWC_INFO("Philips SPC 880NC USB webcam detected.\n");
+			name = "Philips SPC 880NC webcam";
+			type_id = 740;
+			break;
 		default:
 			return -ENODEV;
 			break;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 068/238] Input: powermate - fix oops with malicious USB descriptors
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 067/238] [media] pwc: Add USB id for Philips Spc880nc webcam Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 069/238] ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk() Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ralf Spenneberg, Josh Boyer, Dmitry Torokhov

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Josh Boyer <jwboyer@fedoraproject.org>

commit 9c6ba456711687b794dcf285856fc14e2c76074f upstream.

The powermate driver expects at least one valid USB endpoint in its
probe function.  If given malicious descriptors that specify 0 for
the number of endpoints, it will crash.  Validate the number of
endpoints on the interface before using them.

The full report for this issue can be found here:
http://seclists.org/bugtraq/2016/Mar/85

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/misc/powermate.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/input/misc/powermate.c
+++ b/drivers/input/misc/powermate.c
@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_in
 	int error = -ENOMEM;
 
 	interface = intf->cur_altsetting;
+	if (interface->desc.bNumEndpoints < 1)
+		return -EINVAL;
+
 	endpoint = &interface->endpoint[0].desc;
 	if (!usb_endpoint_is_int_in(endpoint))
 		return -EIO;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 069/238] ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 068/238] Input: powermate - fix oops with malicious USB descriptors Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 070/238] ALSA: usb-audio: Add sanity checks for endpoint accesses Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 0f886ca12765d20124bd06291c82951fd49a33be upstream.

create_fixed_stream_quirk() may cause a NULL-pointer dereference by
accessing the non-existing endpoint when a USB device with a malformed
USB descriptor is used.

This patch avoids it simply by adding a sanity check of bNumEndpoints
before the accesses.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/quirks.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -180,6 +180,12 @@ static int create_fixed_stream_quirk(str
 	}
 	alts = &iface->altsetting[fp->altset_idx];
 	altsd = get_iface_desc(alts);
+	if (altsd->bNumEndpoints < 1) {
+		kfree(fp);
+		kfree(rate_table);
+		return -EINVAL;
+	}
+
 	fp->protocol = altsd->bInterfaceProtocol;
 
 	if (fp->datainterval == 0)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 070/238] ALSA: usb-audio: Add sanity checks for endpoint accesses
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 069/238] ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk() Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 072/238] ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk() Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a upstream.

Add some sanity check codes before actually accessing the endpoint via
get_endpoint() in order to avoid the invalid access through a
malformed USB descriptor.  Mostly just checking bNumEndpoints, but in
one place (snd_microii_spdif_default_get()), the validity of iface and
altsetting index is checked as well.

Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/clock.c        |    2 ++
 sound/usb/endpoint.c     |    3 +++
 sound/usb/mixer_quirks.c |    4 ++++
 sound/usb/pcm.c          |    2 ++
 4 files changed, 11 insertions(+)

--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd
 	unsigned char data[3];
 	int err, crate;
 
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
 	ep = get_endpoint(alts, 0)->bEndpointAddress;
 
 	/* if endpoint doesn't have sampling rate control, bail out */
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -438,6 +438,9 @@ exit_clear:
  *
  * New endpoints will be added to chip->ep_list and must be freed by
  * calling snd_usb_endpoint_free().
+ *
+ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
+ * bNumEndpoints > 1 beforehand.
  */
 struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
 					      struct usb_host_interface *alts,
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -1519,7 +1519,11 @@ static int snd_microii_spdif_default_get
 
 	/* use known values for that card: interface#1 altsetting#1 */
 	iface = usb_ifnum_to_if(chip->dev, 1);
+	if (!iface || iface->num_altsetting < 2)
+		return -EINVAL;
 	alts = &iface->altsetting[1];
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
 	ep = get_endpoint(alts, 0)->bEndpointAddress;
 
 	err = snd_usb_ctl_msg(chip->dev,
--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_
 	unsigned char data[1];
 	int err;
 
+	if (get_iface_desc(alts)->bNumEndpoints < 1)
+		return -EINVAL;
 	ep = get_endpoint(alts, 0)->bEndpointAddress;
 
 	data[0] = 1;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 072/238] ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 070/238] ALSA: usb-audio: Add sanity checks for endpoint accesses Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 073/238] ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 902eb7fd1e4af3ac69b9b30f8373f118c92b9729 upstream.

Just a minor code cleanup: unify the error paths.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/quirks.c |   22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -167,23 +167,18 @@ static int create_fixed_stream_quirk(str
 	stream = (fp->endpoint & USB_DIR_IN)
 		? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
 	err = snd_usb_add_audio_stream(chip, stream, fp);
-	if (err < 0) {
-		kfree(fp);
-		kfree(rate_table);
-		return err;
-	}
+	if (err < 0)
+		goto error;
 	if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber ||
 	    fp->altset_idx >= iface->num_altsetting) {
-		kfree(fp);
-		kfree(rate_table);
-		return -EINVAL;
+		err = -EINVAL;
+		goto error;
 	}
 	alts = &iface->altsetting[fp->altset_idx];
 	altsd = get_iface_desc(alts);
 	if (altsd->bNumEndpoints < 1) {
-		kfree(fp);
-		kfree(rate_table);
-		return -EINVAL;
+		err = -EINVAL;
+		goto error;
 	}
 
 	fp->protocol = altsd->bInterfaceProtocol;
@@ -196,6 +191,11 @@ static int create_fixed_stream_quirk(str
 	snd_usb_init_pitch(chip, fp->iface, alts, fp);
 	snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max);
 	return 0;
+
+ error:
+	kfree(fp);
+	kfree(rate_table);
+	return err;
 }
 
 static int create_auto_pcm_quirk(struct snd_usb_audio *chip,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 073/238] ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 072/238] ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk() Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 074/238] Bluetooth: btusb: Add new AR3012 ID 13d3:3395 Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ralf Spenneberg, Vladis Dronov, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladis Dronov <vdronov@redhat.com>

commit 836b34a935abc91e13e63053d0a83b24dfb5ea78 upstream.

create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.

This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.

Based on a patch by Takashi Iwai <tiwai@suse.de>

[Note for stable backports:
 this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
 code cleanup in create_fixed_stream_quirk()')]

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/quirks.c |    4 ++++
 sound/usb/stream.c |    6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -150,6 +150,7 @@ static int create_fixed_stream_quirk(str
 		usb_audio_err(chip, "cannot memdup\n");
 		return -ENOMEM;
 	}
+	INIT_LIST_HEAD(&fp->list);
 	if (fp->nr_rates > MAX_NR_RATES) {
 		kfree(fp);
 		return -EINVAL;
@@ -193,6 +194,7 @@ static int create_fixed_stream_quirk(str
 	return 0;
 
  error:
+	list_del(&fp->list); /* unlink for avoiding double-free */
 	kfree(fp);
 	kfree(rate_table);
 	return err;
@@ -468,6 +470,7 @@ static int create_uaxx_quirk(struct snd_
 	fp->ep_attr = get_endpoint(alts, 0)->bmAttributes;
 	fp->datainterval = 0;
 	fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
+	INIT_LIST_HEAD(&fp->list);
 
 	switch (fp->maxpacksize) {
 	case 0x120:
@@ -491,6 +494,7 @@ static int create_uaxx_quirk(struct snd_
 		? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
 	err = snd_usb_add_audio_stream(chip, stream, fp);
 	if (err < 0) {
+		list_del(&fp->list); /* unlink for avoiding double-free */
 		kfree(fp);
 		return err;
 	}
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -314,7 +314,9 @@ static struct snd_pcm_chmap_elem *conver
 /*
  * add this endpoint to the chip instance.
  * if a stream with the same endpoint already exists, append to it.
- * if not, create a new pcm stream.
+ * if not, create a new pcm stream. note, fp is added to the substream
+ * fmt_list and will be freed on the chip instance release. do not free
+ * fp or do remove it from the substream fmt_list to avoid double-free.
  */
 int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
 			     int stream,
@@ -675,6 +677,7 @@ int snd_usb_parse_audio_interface(struct
 					* (fp->maxpacksize & 0x7ff);
 		fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no);
 		fp->clock = clock;
+		INIT_LIST_HEAD(&fp->list);
 
 		/* some quirks for attributes here */
 
@@ -723,6 +726,7 @@ int snd_usb_parse_audio_interface(struct
 		dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint);
 		err = snd_usb_add_audio_stream(chip, stream, fp);
 		if (err < 0) {
+			list_del(&fp->list); /* unlink for avoiding double-free */
 			kfree(fp->rate_table);
 			kfree(fp->chmap);
 			kfree(fp);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 074/238] Bluetooth: btusb: Add new AR3012 ID 13d3:3395
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 073/238] ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 075/238] Bluetooth: btusb: Add a new AR3012 ID 04ca:3014 Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Tunin, Marcel Holtmann

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <hanipouspilot@gmail.com>

commit 609574eb46335cfac1421a07c0505627cbbab1f0 upstream.

T: Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3395 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

BugLink: https://bugs.launchpad.net/bugs/1542564

Reported-and-tested-by: Christopher Simerly <kilikopela29@gmail.com>
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/ath3k.c |    2 ++
 drivers/bluetooth/btusb.c |    1 +
 2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -113,6 +113,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x13d3, 0x3362) },
 	{ USB_DEVICE(0x13d3, 0x3375) },
 	{ USB_DEVICE(0x13d3, 0x3393) },
+	{ USB_DEVICE(0x13d3, 0x3395) },
 	{ USB_DEVICE(0x13d3, 0x3402) },
 	{ USB_DEVICE(0x13d3, 0x3408) },
 	{ USB_DEVICE(0x13d3, 0x3423) },
@@ -175,6 +176,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -227,6 +227,7 @@ static const struct usb_device_id blackl
 	{ USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 075/238] Bluetooth: btusb: Add a new AR3012 ID 04ca:3014
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 074/238] Bluetooth: btusb: Add new AR3012 ID 13d3:3395 Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 076/238] Bluetooth: btusb: Add a new AR3012 ID 13d3:3472 Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Tunin, Marcel Holtmann

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <hanipouspilot@gmail.com>

commit 81d90442eac779938217c3444b240aa51fd3db47 upstream.

T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=03 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=04ca ProdID=3014 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

BugLink: https://bugs.launchpad.net/bugs/1546694

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/ath3k.c |    2 ++
 drivers/bluetooth/btusb.c |    1 +
 2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -92,6 +92,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x04CA, 0x300d) },
 	{ USB_DEVICE(0x04CA, 0x300f) },
 	{ USB_DEVICE(0x04CA, 0x3010) },
+	{ USB_DEVICE(0x04CA, 0x3014) },
 	{ USB_DEVICE(0x0930, 0x0219) },
 	{ USB_DEVICE(0x0930, 0x021c) },
 	{ USB_DEVICE(0x0930, 0x0220) },
@@ -155,6 +156,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -206,6 +206,7 @@ static const struct usb_device_id blackl
 	{ USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 076/238] Bluetooth: btusb: Add a new AR3012 ID 13d3:3472
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 075/238] Bluetooth: btusb: Add a new AR3012 ID 04ca:3014 Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 077/238] crypto: ccp - Add hash state import and export support Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Tunin, Marcel Holtmann

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <hanipouspilot@gmail.com>

commit 75c6aca4765dbe3d0c1507ab5052f2e373dc2331 upstream.

T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3472 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

BugLink: https://bugs.launchpad.net/bugs/1552925

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/ath3k.c |    2 ++
 drivers/bluetooth/btusb.c |    1 +
 2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -119,6 +119,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x13d3, 0x3408) },
 	{ USB_DEVICE(0x13d3, 0x3423) },
 	{ USB_DEVICE(0x13d3, 0x3432) },
+	{ USB_DEVICE(0x13d3, 0x3472) },
 	{ USB_DEVICE(0x13d3, 0x3474) },
 
 	/* Atheros AR5BBU12 with sflash firmware */
@@ -183,6 +184,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
 
 	/* Atheros AR5BBU22 with sflash firmware */
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -233,6 +233,7 @@ static const struct usb_device_id blackl
 	{ USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
 
 	/* Atheros AR5BBU12 with sflash firmware */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 077/238] crypto: ccp - Add hash state import and export support
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 076/238] Bluetooth: btusb: Add a new AR3012 ID 13d3:3472 Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 078/238] crypto: ccp - Limit the amount of information exported Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tom Lendacky, Herbert Xu

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas.lendacky@amd.com>

commit 952bce9792e6bf36fda09c2e5718abb5d9327369 upstream.

Commit 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero")
added a check to prevent ahash algorithms from successfully registering
if the import and export functions were not implemented. This prevents
an oops in the hash_accept function of algif_hash. This commit causes
the ccp-crypto module SHA support and AES CMAC support from successfully
registering and causing the ccp-crypto module load to fail because the
ahash import and export functions are not implemented.

Update the CCP Crypto API support to provide import and export support
for ahash algorithms.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/ccp/ccp-crypto-aes-cmac.c |   23 +++++++++++++++++++++++
 drivers/crypto/ccp/ccp-crypto-sha.c      |   23 +++++++++++++++++++++++
 2 files changed, 46 insertions(+)

--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
@@ -220,6 +220,26 @@ static int ccp_aes_cmac_digest(struct ah
 	return ccp_aes_cmac_finup(req);
 }
 
+static int ccp_aes_cmac_export(struct ahash_request *req, void *out)
+{
+	struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
+	struct ccp_aes_cmac_req_ctx *state = out;
+
+	*state = *rctx;
+
+	return 0;
+}
+
+static int ccp_aes_cmac_import(struct ahash_request *req, const void *in)
+{
+	struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
+	const struct ccp_aes_cmac_req_ctx *state = in;
+
+	*rctx = *state;
+
+	return 0;
+}
+
 static int ccp_aes_cmac_setkey(struct crypto_ahash *tfm, const u8 *key,
 			       unsigned int key_len)
 {
@@ -352,10 +372,13 @@ int ccp_register_aes_cmac_algs(struct li
 	alg->final = ccp_aes_cmac_final;
 	alg->finup = ccp_aes_cmac_finup;
 	alg->digest = ccp_aes_cmac_digest;
+	alg->export = ccp_aes_cmac_export;
+	alg->import = ccp_aes_cmac_import;
 	alg->setkey = ccp_aes_cmac_setkey;
 
 	halg = &alg->halg;
 	halg->digestsize = AES_BLOCK_SIZE;
+	halg->statesize = sizeof(struct ccp_aes_cmac_req_ctx);
 
 	base = &halg->base;
 	snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "cmac(aes)");
--- a/drivers/crypto/ccp/ccp-crypto-sha.c
+++ b/drivers/crypto/ccp/ccp-crypto-sha.c
@@ -207,6 +207,26 @@ static int ccp_sha_digest(struct ahash_r
 	return ccp_sha_finup(req);
 }
 
+static int ccp_sha_export(struct ahash_request *req, void *out)
+{
+	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
+	struct ccp_sha_req_ctx *state = out;
+
+	*state = *rctx;
+
+	return 0;
+}
+
+static int ccp_sha_import(struct ahash_request *req, const void *in)
+{
+	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
+	const struct ccp_sha_req_ctx *state = in;
+
+	*rctx = *state;
+
+	return 0;
+}
+
 static int ccp_sha_setkey(struct crypto_ahash *tfm, const u8 *key,
 			  unsigned int key_len)
 {
@@ -403,9 +423,12 @@ static int ccp_register_sha_alg(struct l
 	alg->final = ccp_sha_final;
 	alg->finup = ccp_sha_finup;
 	alg->digest = ccp_sha_digest;
+	alg->export = ccp_sha_export;
+	alg->import = ccp_sha_import;
 
 	halg = &alg->halg;
 	halg->digestsize = def->digest_size;
+	halg->statesize = sizeof(struct ccp_sha_req_ctx);
 
 	base = &halg->base;
 	snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", def->name);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 078/238] crypto: ccp - Limit the amount of information exported
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 077/238] crypto: ccp - Add hash state import and export support Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas are aligned Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tom Lendacky, Herbert Xu

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas.lendacky@amd.com>

commit d1662165ae612ec8b5f94a6b07e65ea58b6dce34 upstream.

Since the exported information can be exposed to user-space, instead of
exporting the entire request context only export the minimum information
needed.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/ccp/ccp-crypto-aes-cmac.c |   16 +++++++++++-----
 drivers/crypto/ccp/ccp-crypto-sha.c      |   20 +++++++++++++++-----
 drivers/crypto/ccp/ccp-crypto.h          |   22 ++++++++++++++++++++++
 3 files changed, 48 insertions(+), 10 deletions(-)

--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
@@ -223,9 +223,12 @@ static int ccp_aes_cmac_digest(struct ah
 static int ccp_aes_cmac_export(struct ahash_request *req, void *out)
 {
 	struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
-	struct ccp_aes_cmac_req_ctx *state = out;
+	struct ccp_aes_cmac_exp_ctx *state = out;
 
-	*state = *rctx;
+	state->null_msg = rctx->null_msg;
+	memcpy(state->iv, rctx->iv, sizeof(state->iv));
+	state->buf_count = rctx->buf_count;
+	memcpy(state->buf, rctx->buf, sizeof(state->buf));
 
 	return 0;
 }
@@ -233,9 +236,12 @@ static int ccp_aes_cmac_export(struct ah
 static int ccp_aes_cmac_import(struct ahash_request *req, const void *in)
 {
 	struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
-	const struct ccp_aes_cmac_req_ctx *state = in;
+	const struct ccp_aes_cmac_exp_ctx *state = in;
 
-	*rctx = *state;
+	rctx->null_msg = state->null_msg;
+	memcpy(rctx->iv, state->iv, sizeof(rctx->iv));
+	rctx->buf_count = state->buf_count;
+	memcpy(rctx->buf, state->buf, sizeof(rctx->buf));
 
 	return 0;
 }
@@ -378,7 +384,7 @@ int ccp_register_aes_cmac_algs(struct li
 
 	halg = &alg->halg;
 	halg->digestsize = AES_BLOCK_SIZE;
-	halg->statesize = sizeof(struct ccp_aes_cmac_req_ctx);
+	halg->statesize = sizeof(struct ccp_aes_cmac_exp_ctx);
 
 	base = &halg->base;
 	snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "cmac(aes)");
--- a/drivers/crypto/ccp/ccp-crypto-sha.c
+++ b/drivers/crypto/ccp/ccp-crypto-sha.c
@@ -210,9 +210,14 @@ static int ccp_sha_digest(struct ahash_r
 static int ccp_sha_export(struct ahash_request *req, void *out)
 {
 	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
-	struct ccp_sha_req_ctx *state = out;
+	struct ccp_sha_exp_ctx *state = out;
 
-	*state = *rctx;
+	state->type = rctx->type;
+	state->msg_bits = rctx->msg_bits;
+	state->first = rctx->first;
+	memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
+	state->buf_count = rctx->buf_count;
+	memcpy(state->buf, rctx->buf, sizeof(state->buf));
 
 	return 0;
 }
@@ -220,9 +225,14 @@ static int ccp_sha_export(struct ahash_r
 static int ccp_sha_import(struct ahash_request *req, const void *in)
 {
 	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
-	const struct ccp_sha_req_ctx *state = in;
+	const struct ccp_sha_exp_ctx *state = in;
 
-	*rctx = *state;
+	rctx->type = state->type;
+	rctx->msg_bits = state->msg_bits;
+	rctx->first = state->first;
+	memcpy(rctx->ctx, state->ctx, sizeof(rctx->ctx));
+	rctx->buf_count = state->buf_count;
+	memcpy(rctx->buf, state->buf, sizeof(rctx->buf));
 
 	return 0;
 }
@@ -428,7 +438,7 @@ static int ccp_register_sha_alg(struct l
 
 	halg = &alg->halg;
 	halg->digestsize = def->digest_size;
-	halg->statesize = sizeof(struct ccp_sha_req_ctx);
+	halg->statesize = sizeof(struct ccp_sha_exp_ctx);
 
 	base = &halg->base;
 	snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", def->name);
--- a/drivers/crypto/ccp/ccp-crypto.h
+++ b/drivers/crypto/ccp/ccp-crypto.h
@@ -129,6 +129,15 @@ struct ccp_aes_cmac_req_ctx {
 	struct ccp_cmd cmd;
 };
 
+struct ccp_aes_cmac_exp_ctx {
+	unsigned int null_msg;
+
+	u8 iv[AES_BLOCK_SIZE];
+
+	unsigned int buf_count;
+	u8 buf[AES_BLOCK_SIZE];
+};
+
 /***** SHA related defines *****/
 #define MAX_SHA_CONTEXT_SIZE	SHA256_DIGEST_SIZE
 #define MAX_SHA_BLOCK_SIZE	SHA256_BLOCK_SIZE
@@ -171,6 +180,19 @@ struct ccp_sha_req_ctx {
 	struct ccp_cmd cmd;
 };
 
+struct ccp_sha_exp_ctx {
+	enum ccp_sha_type type;
+
+	u64 msg_bits;
+
+	unsigned int first;
+
+	u8 ctx[MAX_SHA_CONTEXT_SIZE];
+
+	unsigned int buf_count;
+	u8 buf[MAX_SHA_BLOCK_SIZE];
+};
+
 /***** Common Context Structure *****/
 struct ccp_ctx {
 	int (*complete)(struct crypto_async_request *req, int ret);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas are aligned
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 078/238] crypto: ccp - Limit the amount of information exported Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-12  1:56   ` Ben Hutchings
  2016-04-10 18:34 ` [PATCH 4.5 080/238] crypto: ccp - memset request context to zero during import Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  229 siblings, 1 reply; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tom Lendacky, Herbert Xu

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas.lendacky@amd.com>

commit b31dde2a5cb1bf764282abf934266b7193c2bc7c upstream.

Use a local variable for the exported and imported state so that
alignment is not an issue. On export, set a local variable from the
request context and then memcpy the contents of the local variable to
the export memory area. On import, memcpy the import memory area into
a local variable and then use the local variable to set the request
context.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/ccp/ccp-crypto-aes-cmac.c |   26 ++++++++++++++---------
 drivers/crypto/ccp/ccp-crypto-sha.c      |   34 ++++++++++++++++++-------------
 2 files changed, 36 insertions(+), 24 deletions(-)

--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
@@ -223,12 +223,15 @@ static int ccp_aes_cmac_digest(struct ah
 static int ccp_aes_cmac_export(struct ahash_request *req, void *out)
 {
 	struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
-	struct ccp_aes_cmac_exp_ctx *state = out;
+	struct ccp_aes_cmac_exp_ctx state;
 
-	state->null_msg = rctx->null_msg;
-	memcpy(state->iv, rctx->iv, sizeof(state->iv));
-	state->buf_count = rctx->buf_count;
-	memcpy(state->buf, rctx->buf, sizeof(state->buf));
+	state.null_msg = rctx->null_msg;
+	memcpy(state.iv, rctx->iv, sizeof(state.iv));
+	state.buf_count = rctx->buf_count;
+	memcpy(state.buf, rctx->buf, sizeof(state.buf));
+
+	/* 'out' may not be aligned so memcpy from local variable */
+	memcpy(out, &state, sizeof(state));
 
 	return 0;
 }
@@ -236,12 +239,15 @@ static int ccp_aes_cmac_export(struct ah
 static int ccp_aes_cmac_import(struct ahash_request *req, const void *in)
 {
 	struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req);
-	const struct ccp_aes_cmac_exp_ctx *state = in;
+	struct ccp_aes_cmac_exp_ctx state;
+
+	/* 'in' may not be aligned so memcpy to local variable */
+	memcpy(&state, in, sizeof(state));
 
-	rctx->null_msg = state->null_msg;
-	memcpy(rctx->iv, state->iv, sizeof(rctx->iv));
-	rctx->buf_count = state->buf_count;
-	memcpy(rctx->buf, state->buf, sizeof(rctx->buf));
+	rctx->null_msg = state.null_msg;
+	memcpy(rctx->iv, state.iv, sizeof(rctx->iv));
+	rctx->buf_count = state.buf_count;
+	memcpy(rctx->buf, state.buf, sizeof(rctx->buf));
 
 	return 0;
 }
--- a/drivers/crypto/ccp/ccp-crypto-sha.c
+++ b/drivers/crypto/ccp/ccp-crypto-sha.c
@@ -210,14 +210,17 @@ static int ccp_sha_digest(struct ahash_r
 static int ccp_sha_export(struct ahash_request *req, void *out)
 {
 	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
-	struct ccp_sha_exp_ctx *state = out;
+	struct ccp_sha_exp_ctx state;
 
-	state->type = rctx->type;
-	state->msg_bits = rctx->msg_bits;
-	state->first = rctx->first;
-	memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
-	state->buf_count = rctx->buf_count;
-	memcpy(state->buf, rctx->buf, sizeof(state->buf));
+	state.type = rctx->type;
+	state.msg_bits = rctx->msg_bits;
+	state.first = rctx->first;
+	memcpy(state.ctx, rctx->ctx, sizeof(state.ctx));
+	state.buf_count = rctx->buf_count;
+	memcpy(state.buf, rctx->buf, sizeof(state.buf));
+
+	/* 'out' may not be aligned so memcpy from local variable */
+	memcpy(out, &state, sizeof(state));
 
 	return 0;
 }
@@ -225,14 +228,17 @@ static int ccp_sha_export(struct ahash_r
 static int ccp_sha_import(struct ahash_request *req, const void *in)
 {
 	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
-	const struct ccp_sha_exp_ctx *state = in;
+	struct ccp_sha_exp_ctx state;
+
+	/* 'in' may not be aligned so memcpy to local variable */
+	memcpy(&state, in, sizeof(state));
 
-	rctx->type = state->type;
-	rctx->msg_bits = state->msg_bits;
-	rctx->first = state->first;
-	memcpy(rctx->ctx, state->ctx, sizeof(rctx->ctx));
-	rctx->buf_count = state->buf_count;
-	memcpy(rctx->buf, state->buf, sizeof(rctx->buf));
+	rctx->type = state.type;
+	rctx->msg_bits = state.msg_bits;
+	rctx->first = state.first;
+	memcpy(rctx->ctx, state.ctx, sizeof(rctx->ctx));
+	rctx->buf_count = state.buf_count;
+	memcpy(rctx->buf, state.buf, sizeof(rctx->buf));
 
 	return 0;
 }

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 080/238] crypto: ccp - memset request context to zero during import
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas are aligned Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 081/238] crypto: keywrap - memzero the correct memory Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tom Lendacky, Herbert Xu

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tom Lendacky <thomas.lendacky@amd.com>

commit ce0ae266feaf35930394bd770c69778e4ef03ba9 upstream.

Since a crypto_ahash_import() can be called against a request context
that has not had a crypto_ahash_init() performed, the request context
needs to be cleared to insure there is no random data present. If not,
the random data can result in a kernel oops during crypto_ahash_update().

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/ccp/ccp-crypto-aes-cmac.c |    1 +
 drivers/crypto/ccp/ccp-crypto-sha.c      |    1 +
 2 files changed, 2 insertions(+)

--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c
@@ -244,6 +244,7 @@ static int ccp_aes_cmac_import(struct ah
 	/* 'in' may not be aligned so memcpy to local variable */
 	memcpy(&state, in, sizeof(state));
 
+	memset(rctx, 0, sizeof(*rctx));
 	rctx->null_msg = state.null_msg;
 	memcpy(rctx->iv, state.iv, sizeof(rctx->iv));
 	rctx->buf_count = state.buf_count;
--- a/drivers/crypto/ccp/ccp-crypto-sha.c
+++ b/drivers/crypto/ccp/ccp-crypto-sha.c
@@ -233,6 +233,7 @@ static int ccp_sha_import(struct ahash_r
 	/* 'in' may not be aligned so memcpy to local variable */
 	memcpy(&state, in, sizeof(state));
 
+	memset(rctx, 0, sizeof(*rctx));
 	rctx->type = state.type;
 	rctx->msg_bits = state.msg_bits;
 	rctx->first = state.first;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 081/238] crypto: keywrap - memzero the correct memory
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 080/238] crypto: ccp - memset request context to zero during import Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 082/238] crypto: atmel - fix checks of error code returned by devm_ioremap_resource() Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Stephan Mueller, Herbert Xu

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 2b8b28fd232233c22fb61009dd8b0587390d2875 upstream.

We're clearing the wrong memory.  The memory corruption is likely
harmless because we weren't going to use that stack memory again but not
zeroing is a potential information leak.

Fixes: e28facde3c39 ('crypto: keywrap - add key wrapping block chaining mode')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/keywrap.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/crypto/keywrap.c
+++ b/crypto/keywrap.c
@@ -212,7 +212,7 @@ static int crypto_kw_decrypt(struct blkc
 			  SEMIBSIZE))
 		ret = -EBADMSG;
 
-	memzero_explicit(&block, sizeof(struct crypto_kw_block));
+	memzero_explicit(block, sizeof(struct crypto_kw_block));
 
 	return ret;
 }
@@ -297,7 +297,7 @@ static int crypto_kw_encrypt(struct blkc
 	/* establish the IV for the caller to pick up */
 	memcpy(desc->info, block->A, SEMIBSIZE);
 
-	memzero_explicit(&block, sizeof(struct crypto_kw_block));
+	memzero_explicit(block, sizeof(struct crypto_kw_block));
 
 	return 0;
 }

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 082/238] crypto: atmel - fix checks of error code returned by devm_ioremap_resource()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 081/238] crypto: keywrap - memzero the correct memory Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 083/238] crypto: ux500 " Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vladimir Zapolskiy, Herbert Xu

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vz@mleia.com>

commit 9b52d55f4f0e2bb9a34abbcf99e05e17f1b3b281 upstream.

The change fixes potential oops while accessing iomem on invalid
address, if devm_ioremap_resource() fails due to some reason.

The devm_ioremap_resource() function returns ERR_PTR() and never
returns NULL, which makes useless a following check for NULL.

Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Fixes: b0e8b3417a62 ("crypto: atmel - use devm_xxx() managed function")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/atmel-aes.c  |    4 ++--
 drivers/crypto/atmel-sha.c  |    4 ++--
 drivers/crypto/atmel-tdes.c |    4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/crypto/atmel-aes.c
+++ b/drivers/crypto/atmel-aes.c
@@ -2085,9 +2085,9 @@ static int atmel_aes_probe(struct platfo
 	}
 
 	aes_dd->io_base = devm_ioremap_resource(&pdev->dev, aes_res);
-	if (!aes_dd->io_base) {
+	if (IS_ERR(aes_dd->io_base)) {
 		dev_err(dev, "can't ioremap\n");
-		err = -ENOMEM;
+		err = PTR_ERR(aes_dd->io_base);
 		goto res_err;
 	}
 
--- a/drivers/crypto/atmel-sha.c
+++ b/drivers/crypto/atmel-sha.c
@@ -1404,9 +1404,9 @@ static int atmel_sha_probe(struct platfo
 	}
 
 	sha_dd->io_base = devm_ioremap_resource(&pdev->dev, sha_res);
-	if (!sha_dd->io_base) {
+	if (IS_ERR(sha_dd->io_base)) {
 		dev_err(dev, "can't ioremap\n");
-		err = -ENOMEM;
+		err = PTR_ERR(sha_dd->io_base);
 		goto res_err;
 	}
 
--- a/drivers/crypto/atmel-tdes.c
+++ b/drivers/crypto/atmel-tdes.c
@@ -1417,9 +1417,9 @@ static int atmel_tdes_probe(struct platf
 	}
 
 	tdes_dd->io_base = devm_ioremap_resource(&pdev->dev, tdes_res);
-	if (!tdes_dd->io_base) {
+	if (IS_ERR(tdes_dd->io_base)) {
 		dev_err(dev, "can't ioremap\n");
-		err = -ENOMEM;
+		err = PTR_ERR(tdes_dd->io_base);
 		goto res_err;
 	}
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 083/238] crypto: ux500 - fix checks of error code returned by devm_ioremap_resource()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 082/238] crypto: atmel - fix checks of error code returned by devm_ioremap_resource() Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 084/238] crypto: marvell/cesa - forward devm_ioremap_resource() error code Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vladimir Zapolskiy, Herbert Xu

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vz@mleia.com>

commit b62917a2622ebcb03a500ef20da47be80d8c8951 upstream.

The change fixes potential oops while accessing iomem on invalid
address, if devm_ioremap_resource() fails due to some reason.

The devm_ioremap_resource() function returns ERR_PTR() and never
returns NULL, which makes useless a following check for NULL.

Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Fixes: 5a4eea2658c93 ("crypto: ux500 - Use devm_xxx() managed function")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/ux500/cryp/cryp_core.c |    4 ++--
 drivers/crypto/ux500/hash/hash_core.c |    4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/crypto/ux500/cryp/cryp_core.c
+++ b/drivers/crypto/ux500/cryp/cryp_core.c
@@ -1440,9 +1440,9 @@ static int ux500_cryp_probe(struct platf
 
 	device_data->phybase = res->start;
 	device_data->base = devm_ioremap_resource(dev, res);
-	if (!device_data->base) {
+	if (IS_ERR(device_data->base)) {
 		dev_err(dev, "[%s]: ioremap failed!", __func__);
-		ret = -ENOMEM;
+		ret = PTR_ERR(device_data->base);
 		goto out;
 	}
 
--- a/drivers/crypto/ux500/hash/hash_core.c
+++ b/drivers/crypto/ux500/hash/hash_core.c
@@ -1659,9 +1659,9 @@ static int ux500_hash_probe(struct platf
 
 	device_data->phybase = res->start;
 	device_data->base = devm_ioremap_resource(dev, res);
-	if (!device_data->base) {
+	if (IS_ERR(device_data->base)) {
 		dev_err(dev, "%s: ioremap() failed!\n", __func__);
-		ret = -ENOMEM;
+		ret = PTR_ERR(device_data->base);
 		goto out;
 	}
 	spin_lock_init(&device_data->ctx_lock);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 084/238] crypto: marvell/cesa - forward devm_ioremap_resource() error code
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 083/238] crypto: ux500 " Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 085/238] X.509: Fix leap year handling again Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Boris Brezillon,
	Russell King - ARM Linux, Herbert Xu

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Boris BREZILLON <boris.brezillon@free-electrons.com>

commit dfe97ad30e8c038261663a18b9e04b8b5bc07bea upstream.

Forward devm_ioremap_resource() error code instead of returning
-ENOMEM.

Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Reported-by: Russell King - ARM Linux <linux@arm.linux.org.uk>
Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/marvell/cesa.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/marvell/cesa.c
+++ b/drivers/crypto/marvell/cesa.c
@@ -420,7 +420,7 @@ static int mv_cesa_probe(struct platform
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "regs");
 	cesa->regs = devm_ioremap_resource(dev, res);
 	if (IS_ERR(cesa->regs))
-		return -ENOMEM;
+		return PTR_ERR(cesa->regs);
 
 	ret = mv_cesa_dev_dma_init(cesa);
 	if (ret)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 085/238] X.509: Fix leap year handling again
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 084/238] crypto: marvell/cesa - forward devm_ioremap_resource() error code Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 086/238] mei: bus: check if the device is enabled before data transfer Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rudolf Polzer, David Howells,
	David Woodhouse, Arnd Bergmann

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

commit ac4cbedfdf55455b4c447f17f0fa027dbf02b2a6 upstream.

There are still a couple of minor issues in the X.509 leap year handling:

 (1) To avoid doing a modulus-by-400 in addition to a modulus-by-100 when
     determining whether the year is a leap year or not, I divided the year
     by 100 after doing the modulus-by-100, thereby letting the compiler do
     one instruction for both, and then did a modulus-by-4.

     Unfortunately, I then passed the now-modified year value to mktime64()
     to construct a time value.

     Since this isn't a fast path and since mktime64() does a bunch of
     divisions, just condense down to "% 400".  It's also easier to read.

 (2) The default month length for any February where the year doesn't
     divide by four exactly is obtained from the month_length[] array where
     the value is 29, not 28.

     This is fixed by altering the table.

Reported-by: Rudolf Polzer <rpolzer@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/asymmetric_keys/x509_cert_parser.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -494,7 +494,7 @@ int x509_decode_time(time64_t *_t,  size
 		     unsigned char tag,
 		     const unsigned char *value, size_t vlen)
 {
-	static const unsigned char month_lengths[] = { 31, 29, 31, 30, 31, 30,
+	static const unsigned char month_lengths[] = { 31, 28, 31, 30, 31, 30,
 						       31, 31, 30, 31, 30, 31 };
 	const unsigned char *p = value;
 	unsigned year, mon, day, hour, min, sec, mon_len;
@@ -540,9 +540,9 @@ int x509_decode_time(time64_t *_t,  size
 		if (year % 4 == 0) {
 			mon_len = 29;
 			if (year % 100 == 0) {
-				year /= 100;
-				if (year % 4 != 0)
-					mon_len = 28;
+				mon_len = 28;
+				if (year % 400 == 0)
+					mon_len = 29;
 			}
 		}
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 086/238] mei: bus: check if the device is enabled before data transfer
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 085/238] X.509: Fix leap year handling again Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 087/238] tpm: fix the rollback in tpm_chip_register() Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Usyskin, Tomas Winkler

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit 15c13dfcad883a1e76b714480fb27be96247fd82 upstream.

The bus data transfer interface was missing the check if the device is
in enabled state, this may lead to stack corruption during link reset.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/mei/bus.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/drivers/misc/mei/bus.c
+++ b/drivers/misc/mei/bus.c
@@ -53,6 +53,11 @@ ssize_t __mei_cl_send(struct mei_cl *cl,
 	bus = cl->dev;
 
 	mutex_lock(&bus->device_lock);
+	if (bus->dev_state != MEI_DEV_ENABLED) {
+		rets = -ENODEV;
+		goto out;
+	}
+
 	if (!mei_cl_is_connected(cl)) {
 		rets = -ENODEV;
 		goto out;
@@ -109,6 +114,10 @@ ssize_t __mei_cl_recv(struct mei_cl *cl,
 	bus = cl->dev;
 
 	mutex_lock(&bus->device_lock);
+	if (bus->dev_state != MEI_DEV_ENABLED) {
+		rets = -ENODEV;
+		goto out;
+	}
 
 	cb = mei_cl_read_cb(cl, NULL);
 	if (cb)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 087/238] tpm: fix the rollback in tpm_chip_register()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 086/238] mei: bus: check if the device is enabled before data transfer Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 088/238] tpm_crb: tpm2_shutdown() must be called before tpm_chip_unregister() Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jarkko Sakkinen, Jason Gunthorpe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

commit 72c91ce8523ae5828fe5e4417ae0aaab53707a08 upstream.

Fixed the rollback and gave more self-documenting names for the
functions.

Fixes: d972b0523f ("tpm: fix call order in tpm-chip.c")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm-chip.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -140,7 +140,7 @@ struct tpm_chip *tpmm_chip_alloc(struct
 }
 EXPORT_SYMBOL_GPL(tpmm_chip_alloc);
 
-static int tpm_dev_add_device(struct tpm_chip *chip)
+static int tpm_add_char_device(struct tpm_chip *chip)
 {
 	int rc;
 
@@ -151,7 +151,6 @@ static int tpm_dev_add_device(struct tpm
 			chip->devname, MAJOR(chip->dev.devt),
 			MINOR(chip->dev.devt), rc);
 
-		device_unregister(&chip->dev);
 		return rc;
 	}
 
@@ -162,13 +161,14 @@ static int tpm_dev_add_device(struct tpm
 			chip->devname, MAJOR(chip->dev.devt),
 			MINOR(chip->dev.devt), rc);
 
+		cdev_del(&chip->cdev);
 		return rc;
 	}
 
 	return rc;
 }
 
-static void tpm_dev_del_device(struct tpm_chip *chip)
+static void tpm_del_char_device(struct tpm_chip *chip)
 {
 	cdev_del(&chip->cdev);
 	device_unregister(&chip->dev);
@@ -222,7 +222,7 @@ int tpm_chip_register(struct tpm_chip *c
 
 	tpm_add_ppi(chip);
 
-	rc = tpm_dev_add_device(chip);
+	rc = tpm_add_char_device(chip);
 	if (rc)
 		goto out_err;
 
@@ -274,6 +274,6 @@ void tpm_chip_unregister(struct tpm_chip
 		sysfs_remove_link(&chip->pdev->kobj, "ppi");
 
 	tpm1_chip_unregister(chip);
-	tpm_dev_del_device(chip);
+	tpm_del_char_device(chip);
 }
 EXPORT_SYMBOL_GPL(tpm_chip_unregister);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 088/238] tpm_crb: tpm2_shutdown() must be called before tpm_chip_unregister()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 087/238] tpm: fix the rollback in tpm_chip_register() Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 089/238] tpm_eventlog.c: fix binary_bios_measurements Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jason Gunthorpe, Jarkko Sakkinen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

commit 99cda8cb4639de81cde785b5bab9bc52e916e594 upstream.

Wrong call order.

Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Fixes: 74d6b3ceaa17
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_crb.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -302,11 +302,11 @@ static int crb_acpi_remove(struct acpi_d
 	struct device *dev = &device->dev;
 	struct tpm_chip *chip = dev_get_drvdata(dev);
 
-	tpm_chip_unregister(chip);
-
 	if (chip->flags & TPM_CHIP_FLAG_TPM2)
 		tpm2_shutdown(chip, TPM2_SU_CLEAR);
 
+	tpm_chip_unregister(chip);
+
 	return 0;
 }
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 089/238] tpm_eventlog.c: fix binary_bios_measurements
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 088/238] tpm_crb: tpm2_shutdown() must be called before tpm_chip_unregister() Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 090/238] tpm: fix the cleanup of struct tpm_chip Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Harald Hoyer, Jarkko Sakkinen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Harald Hoyer <harald@redhat.com>

commit 186d124f07da193a8f47e491af85cb695d415f2f upstream.

The commit 0cc698af36ff ("vTPM: support little endian guests") copied
the event, but without the event data, did an endian conversion on the
size and tried to output the event data from the copied version, which
has only have one byte of the data, resulting in garbage event data.

[jarkko.sakkinen@linux.intel.com: fixed minor coding style issues and
 renamed the local variable tempPtr as temp_ptr now that there is an
 excuse to do this.]

Signed-off-by: Harald Hoyer <harald@redhat.com>
Fixes: 0cc698af36ff ("vTPM: support little endian guests")
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm_eventlog.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/char/tpm/tpm_eventlog.c
+++ b/drivers/char/tpm/tpm_eventlog.c
@@ -232,7 +232,7 @@ static int tpm_binary_bios_measurements_
 {
 	struct tcpa_event *event = v;
 	struct tcpa_event temp_event;
-	char *tempPtr;
+	char *temp_ptr;
 	int i;
 
 	memcpy(&temp_event, event, sizeof(struct tcpa_event));
@@ -242,10 +242,16 @@ static int tpm_binary_bios_measurements_
 	temp_event.event_type = do_endian_conversion(event->event_type);
 	temp_event.event_size = do_endian_conversion(event->event_size);
 
-	tempPtr = (char *)&temp_event;
+	temp_ptr = (char *) &temp_event;
 
-	for (i = 0; i < sizeof(struct tcpa_event) + temp_event.event_size; i++)
-		seq_putc(m, tempPtr[i]);
+	for (i = 0; i < (sizeof(struct tcpa_event) - 1) ; i++)
+		seq_putc(m, temp_ptr[i]);
+
+	temp_ptr = (char *) v;
+
+	for (i = (sizeof(struct tcpa_event) - 1);
+	     i < (sizeof(struct tcpa_event) + temp_event.event_size); i++)
+		seq_putc(m, temp_ptr[i]);
 
 	return 0;
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 090/238] tpm: fix the cleanup of struct tpm_chip
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 089/238] tpm_eventlog.c: fix binary_bios_measurements Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 091/238] HID: logitech: fix Dual Action gamepad support Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jarkko Sakkinen, Jason Gunthorpe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

commit 8e0ee3c9faed7ca68807ea45141775856c438ac0 upstream.

If the initialization fails before tpm_chip_register(), put_device()
will be not called, which causes release callback not to be called.
This patch fixes the issue by adding put_device() to devres list of
the parent device.

Fixes: 313d21eeab ("tpm: device class for tpm")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/tpm/tpm-chip.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -136,6 +136,8 @@ struct tpm_chip *tpmm_chip_alloc(struct
 	chip->cdev.owner = chip->pdev->driver->owner;
 	chip->cdev.kobj.parent = &chip->dev.kobj;
 
+	devm_add_action(dev, (void (*)(void *)) put_device, &chip->dev);
+
 	return chip;
 }
 EXPORT_SYMBOL_GPL(tpmm_chip_alloc);
@@ -171,7 +173,7 @@ static int tpm_add_char_device(struct tp
 static void tpm_del_char_device(struct tpm_chip *chip)
 {
 	cdev_del(&chip->cdev);
-	device_unregister(&chip->dev);
+	device_del(&chip->dev);
 }
 
 static int tpm1_chip_register(struct tpm_chip *chip)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 091/238] HID: logitech: fix Dual Action gamepad support
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 090/238] tpm: fix the cleanup of struct tpm_chip Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 092/238] HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report() Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vitaly Katraew, Grazvydas Ignotas,
	Jiri Kosina

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Grazvydas Ignotas <notasas@gmail.com>

commit 5d74325a2201376a95520a4a38a1ce2c65761c49 upstream.

The patch that added Logitech Dual Action gamepad support forgot to
update the special driver list for the device. This caused the logitech
driver not to probe unless kernel module load order was favorable.
Update the special driver list to fix it. Thanks to Simon Wood for the
idea.

Cc: Vitaly Katraew <zawullon@gmail.com>
Fixes: 56d0c8b7c8fb ("HID: add support for Logitech Dual Action gamepads")
Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-core.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1891,6 +1891,7 @@ static const struct hid_device_id hid_ha
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_ELITE_KBD) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_CORDLESS_DESKTOP_LX500) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_EXTREME_3D) },
+	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_DUAL_ACTION) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_WHEEL) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_RUMBLEPAD_CORD) },
 	{ HID_USB_DEVICE(USB_VENDOR_ID_LOGITECH, USB_DEVICE_ID_LOGITECH_RUMBLEPAD) },

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 092/238] HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 091/238] HID: logitech: fix Dual Action gamepad support Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 093/238] HID: multitouch: force retrieving of Win8 signature blob Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Potapenko, Dmitry Torokhov,
	Benjamin Tissoires, Jiri Kosina

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dtor@chromium.org>

commit 3b654288b196ceaa156029d9457ccbded0489b98 upstream.

Even though hid_hw_* checks that passed in data_len is less than
HID_MAX_BUFFER_SIZE it is not enough, as i2c-hid does not necessarily
allocate buffers of HID_MAX_BUFFER_SIZE but rather checks all device
reports and select largest size. In-kernel users normally just send as much
data as report needs, so there is no problem, but hidraw users can do
whatever they please:

BUG: KASAN: slab-out-of-bounds in memcpy+0x34/0x54 at addr ffffffc07135ea80
Write of size 4101 by task syz-executor/8747
CPU: 2 PID: 8747 Comm: syz-executor Tainted: G    BU         3.18.0 #37
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ebcc>] dump_backtrace+0x0/0x258 arch/arm64/kernel/traps.c:83
[<ffffffc00020ee40>] show_stack+0x1c/0x2c arch/arm64/kernel/traps.c:172
[<     inline     >] __dump_stack lib/dump_stack.c:15
[<ffffffc001958114>] dump_stack+0x90/0x140 lib/dump_stack.c:50
[<     inline     >] print_error_description mm/kasan/report.c:97
[<     inline     >] kasan_report_error mm/kasan/report.c:278
[<ffffffc0004597dc>] kasan_report+0x268/0x530 mm/kasan/report.c:305
[<ffffffc0004592e8>] __asan_storeN+0x20/0x150 mm/kasan/kasan.c:718
[<ffffffc0004594e0>] memcpy+0x30/0x54 mm/kasan/kasan.c:299
[<ffffffc001306354>] __i2c_hid_command+0x2b0/0x7b4 drivers/hid/i2c-hid/i2c-hid.c:178
[<     inline     >] i2c_hid_set_or_send_report drivers/hid/i2c-hid/i2c-hid.c:321
[<ffffffc0013079a0>] i2c_hid_output_raw_report.isra.2+0x3d4/0x4b8 drivers/hid/i2c-hid/i2c-hid.c:589
[<ffffffc001307ad8>] i2c_hid_output_report+0x54/0x68 drivers/hid/i2c-hid/i2c-hid.c:602
[<     inline     >] hid_hw_output_report include/linux/hid.h:1039
[<ffffffc0012cc7a0>] hidraw_send_report+0x400/0x414 drivers/hid/hidraw.c:154
[<ffffffc0012cc7f4>] hidraw_write+0x40/0x64 drivers/hid/hidraw.c:177
[<ffffffc0004681dc>] vfs_write+0x1d4/0x3cc fs/read_write.c:534
[<     inline     >] SYSC_pwrite64 fs/read_write.c:627
[<ffffffc000468984>] SyS_pwrite64+0xec/0x144 fs/read_write.c:614
Object at ffffffc07135ea80, in cache kmalloc-512
Object allocated with size 268 bytes.

Let's check data length against the buffer size before attempting to copy
data over.

Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Dmitry Torokhov <dtor@chromium.org>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/i2c-hid/i2c-hid.c |   16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -283,17 +283,21 @@ static int i2c_hid_set_or_send_report(st
 	u16 dataRegister = le16_to_cpu(ihid->hdesc.wDataRegister);
 	u16 outputRegister = le16_to_cpu(ihid->hdesc.wOutputRegister);
 	u16 maxOutputLength = le16_to_cpu(ihid->hdesc.wMaxOutputLength);
+	u16 size;
+	int args_len;
+	int index = 0;
+
+	i2c_hid_dbg(ihid, "%s\n", __func__);
+
+	if (data_len > ihid->bufsize)
+		return -EINVAL;
 
-	/* hid_hw_* already checked that data_len < HID_MAX_BUFFER_SIZE */
-	u16 size =	2			/* size */ +
+	size =		2			/* size */ +
 			(reportID ? 1 : 0)	/* reportID */ +
 			data_len		/* buf */;
-	int args_len =	(reportID >= 0x0F ? 1 : 0) /* optional third byte */ +
+	args_len =	(reportID >= 0x0F ? 1 : 0) /* optional third byte */ +
 			2			/* dataRegister */ +
 			size			/* args */;
-	int index = 0;
-
-	i2c_hid_dbg(ihid, "%s\n", __func__);
 
 	if (!use_data && maxOutputLength == 0)
 		return -ENOSYS;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 093/238] HID: multitouch: force retrieving of Win8 signature blob
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 092/238] HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report() Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 094/238] HID: fix hid_ignore_special_drivers module parameter Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Benjamin Tissoires, Jiri Kosina

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Tissoires <benjamin.tissoires@redhat.com>

commit 45c5c6828214605eaefa6755c47bd1a2c7eb203e upstream.

The Synaptics 0x11e5 over I2C found in the Asus T100-CHI requires to
fetch the signature blob to actually start sending events.

With this patch, we should be close enough to the Windows driver which
checks the content of the blob at plugin to validate or not the
touchscreen.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=113481
Fixes: 6d4f5440 ("HID: multitouch: Fetch feature reports on demand for Win8 devices")
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-multitouch.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -396,6 +396,11 @@ static void mt_feature_mapping(struct hi
 			td->is_buttonpad = true;
 
 		break;
+	case 0xff0000c5:
+		/* Retrieve the Win8 blob once to enable some devices */
+		if (usage->usage_index == 0)
+			mt_get_feature(hdev, field->report);
+		break;
 	}
 }
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 094/238] HID: fix hid_ignore_special_drivers module parameter
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 093/238] HID: multitouch: force retrieving of Win8 signature blob Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 095/238] staging: comedi: ni_tiocmd: change mistaken use of start_src for start_arg Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Benjamin Tissoires, Jiri Kosina

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Tissoires <benjamin.tissoires@redhat.com>

commit 4392bf333388cabdad5afe5b1500002d7b9c318e upstream.

hid_ignore_special_drivers works fine until hid_scan_report autodetects and
reassign devices (for hid-multitouch, hid-microsoft and hid-rmi).

Simplify the handling of the parameter: if it is there, use hid-generic, no
matter what, and if not, scan the device or rely on the hid_have_special_driver
table.

This was detected while trying to disable hid-multitouch on a Surface Pro cover
which prevented to use the keyboard.

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hid/hid-core.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2616,9 +2616,10 @@ int hid_add_device(struct hid_device *hd
 	/*
 	 * Scan generic devices for group information
 	 */
-	if (hid_ignore_special_drivers ||
-	    (!hdev->group &&
-	     !hid_match_id(hdev, hid_have_special_driver))) {
+	if (hid_ignore_special_drivers) {
+		hdev->group = HID_GROUP_GENERIC;
+	} else if (!hdev->group &&
+		   !hid_match_id(hdev, hid_have_special_driver)) {
 		ret = hid_scan_report(hdev);
 		if (ret)
 			hid_warn(hdev, "bad device descriptor (%d)\n", ret);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 095/238] staging: comedi: ni_tiocmd: change mistaken use of start_src for start_arg
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 094/238] HID: fix hid_ignore_special_drivers module parameter Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 096/238] staging: android: ion_test: fix check of platform_device_register_simple() error code Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Spencer E. Olson, Ian Abbott

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Spencer E. Olson <olsonse@umich.edu>

commit 1fd24a4702d2af0ea4d5845126cf57d4d1796216 upstream.

This fixes a bug in function ni_tio_input_inttrig().  The trigger number
should be compared to cmd->start_arg, not cmd->start_src.

Fixes: 6a760394d7eb ("staging: comedi: ni_tiocmd: clarify the cmd->start_arg validation and use")
Signed-off-by: Spencer E. Olson <olsonse@umich.edu>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/ni_tiocmd.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/comedi/drivers/ni_tiocmd.c
+++ b/drivers/staging/comedi/drivers/ni_tiocmd.c
@@ -92,7 +92,7 @@ static int ni_tio_input_inttrig(struct c
 	unsigned long flags;
 	int ret = 0;
 
-	if (trig_num != cmd->start_src)
+	if (trig_num != cmd->start_arg)
 		return -EINVAL;
 
 	spin_lock_irqsave(&counter->lock, flags);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 096/238] staging: android: ion_test: fix check of platform_device_register_simple() error code
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 095/238] staging: comedi: ni_tiocmd: change mistaken use of start_src for start_arg Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 097/238] staging: comedi: ni_mio_common: fix the ni_write[blw]() functions Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vladimir Zapolskiy

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladimir Zapolskiy <vz@mleia.com>

commit ccbc2a9e7878ff09bcaed4893c2a2d3adbb797e2 upstream.

On error platform_device_register_simple() returns ERR_PTR() value,
check for NULL always fails. The change corrects the check itself and
propagates the returned error upwards.

Fixes: 81fb0b901397 ("staging: android: ion_test: unregister the platform device")
Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/android/ion/ion_test.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/staging/android/ion/ion_test.c
+++ b/drivers/staging/android/ion/ion_test.c
@@ -285,8 +285,8 @@ static int __init ion_test_init(void)
 {
 	ion_test_pdev = platform_device_register_simple("ion-test",
 							-1, NULL, 0);
-	if (!ion_test_pdev)
-		return -ENODEV;
+	if (IS_ERR(ion_test_pdev))
+		return PTR_ERR(ion_test_pdev);
 
 	return platform_driver_probe(&ion_test_platform_driver, ion_test_probe);
 }

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 097/238] staging: comedi: ni_mio_common: fix the ni_write[blw]() functions
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 096/238] staging: android: ion_test: fix check of platform_device_register_simple() error code Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 098/238] tty: Fix GPF in flush_to_ldisc(), part 2 Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, H Hartley Sweeten, Ian Abbott

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: H Hartley Sweeten <hsweeten@visionengravers.com>

commit bd3a3cd6c27b117fb9a43a38c8072c95332beecc upstream.

Memory mapped io (dev->mmio) should not also be writing to the ioport
(dev->iobase) registers. Add the missing 'else' to these functions.

Fixes: 0953ee4acca0 ("staging: comedi: ni_mio_common: checkpatch.pl cleanup (else not useful)")
Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/comedi/drivers/ni_mio_common.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/staging/comedi/drivers/ni_mio_common.c
+++ b/drivers/staging/comedi/drivers/ni_mio_common.c
@@ -246,24 +246,24 @@ static void ni_writel(struct comedi_devi
 {
 	if (dev->mmio)
 		writel(data, dev->mmio + reg);
-
-	outl(data, dev->iobase + reg);
+	else
+		outl(data, dev->iobase + reg);
 }
 
 static void ni_writew(struct comedi_device *dev, uint16_t data, int reg)
 {
 	if (dev->mmio)
 		writew(data, dev->mmio + reg);
-
-	outw(data, dev->iobase + reg);
+	else
+		outw(data, dev->iobase + reg);
 }
 
 static void ni_writeb(struct comedi_device *dev, uint8_t data, int reg)
 {
 	if (dev->mmio)
 		writeb(data, dev->mmio + reg);
-
-	outb(data, dev->iobase + reg);
+	else
+		outb(data, dev->iobase + reg);
 }
 
 static uint32_t ni_readl(struct comedi_device *dev, int reg)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 098/238] tty: Fix GPF in flush_to_ldisc(), part 2
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 097/238] staging: comedi: ni_mio_common: fix the ni_write[blw]() functions Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 099/238] net: irda: Fix use-after-free in irtty_open() Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Hurley

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit f33798deecbd59a2955f40ac0ae2bc7dff54c069 upstream.

commit 9ce119f318ba ("tty: Fix GPF in flush_to_ldisc()") fixed a
GPF caused by a line discipline which does not define a receive_buf()
method.

However, the vt driver (and speakup driver also) pushes selection
data directly to the line discipline receive_buf() method via
tty_ldisc_receive_buf(). Fix the same problem in tty_ldisc_receive_buf().

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/tty.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/tty.h
+++ b/include/linux/tty.h
@@ -589,7 +589,7 @@ static inline int tty_ldisc_receive_buf(
 		count = ld->ops->receive_buf2(ld->tty, p, f, count);
 	else {
 		count = min_t(int, count, ld->tty->receive_room);
-		if (count)
+		if (count && ld->ops->receive_buf)
 			ld->ops->receive_buf(ld->tty, p, f, count);
 	}
 	return count;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 099/238] net: irda: Fix use-after-free in irtty_open()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 098/238] tty: Fix GPF in flush_to_ldisc(), part 2 Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 100/238] 8250: use callbacks to access UART_DLL/UART_DLM Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Hurley

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Hurley <peter@hurleysoftware.com>

commit 401879c57f01cbf2da204ad2e8db910525c6dbea upstream.

The N_IRDA line discipline may access the previous line discipline's closed
and already-fre private data on open [1].

The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(ie. from open() to close() only).

[1]
    ==================================================================
    BUG: KASAN: use-after-free in irtty_open+0x422/0x550 at addr ffff8800331dd068
    Read of size 4 by task a.out/13960
    =============================================================================
    BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
    -----------------------------------------------------------------------------
    ...
    Call Trace:
     [<ffffffff815fa2ae>] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:279
     [<ffffffff836938a2>] irtty_open+0x422/0x550 drivers/net/irda/irtty-sir.c:436
     [<ffffffff829f1b80>] tty_ldisc_open.isra.2+0x60/0xa0 drivers/tty/tty_ldisc.c:447
     [<ffffffff829f21c0>] tty_set_ldisc+0x1a0/0x940 drivers/tty/tty_ldisc.c:567
     [<     inline     >] tiocsetd drivers/tty/tty_io.c:2650
     [<ffffffff829da49e>] tty_ioctl+0xace/0x1fd0 drivers/tty/tty_io.c:2883
     [<     inline     >] vfs_ioctl fs/ioctl.c:43
     [<ffffffff816708ac>] do_vfs_ioctl+0x57c/0xe60 fs/ioctl.c:607
     [<     inline     >] SYSC_ioctl fs/ioctl.c:622
     [<ffffffff81671204>] SyS_ioctl+0x74/0x80 fs/ioctl.c:613
     [<ffffffff852a7876>] entry_SYSCALL_64_fastpath+0x16/0x7a

Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/irda/irtty-sir.c |   10 ----------
 1 file changed, 10 deletions(-)

--- a/drivers/net/irda/irtty-sir.c
+++ b/drivers/net/irda/irtty-sir.c
@@ -430,16 +430,6 @@ static int irtty_open(struct tty_struct
 
 	/* Module stuff handled via irda_ldisc.owner - Jean II */
 
-	/* First make sure we're not already connected. */
-	if (tty->disc_data != NULL) {
-		priv = tty->disc_data;
-		if (priv && priv->magic == IRTTY_MAGIC) {
-			ret = -EEXIST;
-			goto out;
-		}
-		tty->disc_data = NULL;		/* ### */
-	}
-
 	/* stop the underlying  driver */
 	irtty_stop_receiver(tty, TRUE);
 	if (tty->ops->stop)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 100/238] 8250: use callbacks to access UART_DLL/UART_DLM
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 099/238] net: irda: Fix use-after-free in irtty_open() Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 101/238] [media] saa7134: Fix bytesperline not being set correctly for planar formats Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sebastian Frias, Peter Hurley

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sebastian Frias <sf84@laposte.net>

commit 0b41ce991052022c030fd868e03877700220b090 upstream.

Some UART HW has a single register combining UART_DLL/UART_DLM
(this was probably forgotten in the change that introduced the
callbacks, commit b32b19b8ffc05cbd3bf91c65e205f6a912ca15d9)

Fixes: b32b19b8ffc0 ("[SERIAL] 8250: set divisor register correctly ...")

Signed-off-by: Sebastian Frias <sf84@laposte.net>
Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/8250_port.c |   18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -731,22 +731,16 @@ static int size_fifo(struct uart_8250_po
  */
 static unsigned int autoconfig_read_divisor_id(struct uart_8250_port *p)
 {
-	unsigned char old_dll, old_dlm, old_lcr;
-	unsigned int id;
+	unsigned char old_lcr;
+	unsigned int id, old_dl;
 
 	old_lcr = serial_in(p, UART_LCR);
 	serial_out(p, UART_LCR, UART_LCR_CONF_MODE_A);
+	old_dl = serial_dl_read(p);
+	serial_dl_write(p, 0);
+	id = serial_dl_read(p);
+	serial_dl_write(p, old_dl);
 
-	old_dll = serial_in(p, UART_DLL);
-	old_dlm = serial_in(p, UART_DLM);
-
-	serial_out(p, UART_DLL, 0);
-	serial_out(p, UART_DLM, 0);
-
-	id = serial_in(p, UART_DLL) | serial_in(p, UART_DLM) << 8;
-
-	serial_out(p, UART_DLL, old_dll);
-	serial_out(p, UART_DLM, old_dlm);
 	serial_out(p, UART_LCR, old_lcr);
 
 	return id;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 101/238] [media] saa7134: Fix bytesperline not being set correctly for planar formats
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 100/238] 8250: use callbacks to access UART_DLL/UART_DLM Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 102/238] [media] adv7511: TX_EDID_PRESENT is still 1 after a disconnect Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Hans Verkuil,
	Mauro Carvalho Chehab

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 3e71da19f9dc22e39a755d6ae9678661abb66adc upstream.

bytesperline should be the bytesperline for the first plane for planar
formats, not that of all planes combined.

This fixes a crash in xawtv caused by the wrong bpl.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1305389
Reported-and-tested-by: Stas Sergeev <stsp@list.ru>

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/pci/saa7134/saa7134-video.c |   18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/drivers/media/pci/saa7134/saa7134-video.c
+++ b/drivers/media/pci/saa7134/saa7134-video.c
@@ -1219,10 +1219,13 @@ static int saa7134_g_fmt_vid_cap(struct
 	f->fmt.pix.height       = dev->height;
 	f->fmt.pix.field        = dev->field;
 	f->fmt.pix.pixelformat  = dev->fmt->fourcc;
-	f->fmt.pix.bytesperline =
-		(f->fmt.pix.width * dev->fmt->depth) >> 3;
+	if (dev->fmt->planar)
+		f->fmt.pix.bytesperline = f->fmt.pix.width;
+	else
+		f->fmt.pix.bytesperline =
+			(f->fmt.pix.width * dev->fmt->depth) / 8;
 	f->fmt.pix.sizeimage =
-		f->fmt.pix.height * f->fmt.pix.bytesperline;
+		(f->fmt.pix.height * f->fmt.pix.width * dev->fmt->depth) / 8;
 	f->fmt.pix.colorspace   = V4L2_COLORSPACE_SMPTE170M;
 	return 0;
 }
@@ -1298,10 +1301,13 @@ static int saa7134_try_fmt_vid_cap(struc
 	if (f->fmt.pix.height > maxh)
 		f->fmt.pix.height = maxh;
 	f->fmt.pix.width &= ~0x03;
-	f->fmt.pix.bytesperline =
-		(f->fmt.pix.width * fmt->depth) >> 3;
+	if (fmt->planar)
+		f->fmt.pix.bytesperline = f->fmt.pix.width;
+	else
+		f->fmt.pix.bytesperline =
+			(f->fmt.pix.width * fmt->depth) / 8;
 	f->fmt.pix.sizeimage =
-		f->fmt.pix.height * f->fmt.pix.bytesperline;
+		(f->fmt.pix.height * f->fmt.pix.width * fmt->depth) / 8;
 	f->fmt.pix.colorspace   = V4L2_COLORSPACE_SMPTE170M;
 
 	return 0;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 102/238] [media] adv7511: TX_EDID_PRESENT is still 1 after a disconnect
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 101/238] [media] saa7134: Fix bytesperline not being set correctly for planar formats Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 103/238] [media] bttv: Width must be a multiple of 16 when capturing planar formats Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Mauro Carvalho Chehab

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans Verkuil <hverkuil@xs4all.nl>

commit b339a72e04a62f0b1882c43492fc712f1176b3e6 upstream.

The V4L2_CID_TX_EDID_PRESENT control reports if an EDID is present.
The adv7511 however still reported the EDID present after disconnecting
the HDMI cable. Fix the logic regarding this control. And when the EDID
is disconnected also call ADV7511_EDID_DETECT to notify the bridge driver.
This was also missing.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/i2c/adv7511.c |   21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

--- a/drivers/media/i2c/adv7511.c
+++ b/drivers/media/i2c/adv7511.c
@@ -1161,12 +1161,23 @@ static void adv7511_dbg_dump_edid(int lv
 	}
 }
 
+static void adv7511_notify_no_edid(struct v4l2_subdev *sd)
+{
+	struct adv7511_state *state = get_adv7511_state(sd);
+	struct adv7511_edid_detect ed;
+
+	/* We failed to read the EDID, so send an event for this. */
+	ed.present = false;
+	ed.segment = adv7511_rd(sd, 0xc4);
+	v4l2_subdev_notify(sd, ADV7511_EDID_DETECT, (void *)&ed);
+	v4l2_ctrl_s_ctrl(state->have_edid0_ctrl, 0x0);
+}
+
 static void adv7511_edid_handler(struct work_struct *work)
 {
 	struct delayed_work *dwork = to_delayed_work(work);
 	struct adv7511_state *state = container_of(dwork, struct adv7511_state, edid_handler);
 	struct v4l2_subdev *sd = &state->sd;
-	struct adv7511_edid_detect ed;
 
 	v4l2_dbg(1, debug, sd, "%s:\n", __func__);
 
@@ -1191,9 +1202,7 @@ static void adv7511_edid_handler(struct
 	}
 
 	/* We failed to read the EDID, so send an event for this. */
-	ed.present = false;
-	ed.segment = adv7511_rd(sd, 0xc4);
-	v4l2_subdev_notify(sd, ADV7511_EDID_DETECT, (void *)&ed);
+	adv7511_notify_no_edid(sd);
 	v4l2_dbg(1, debug, sd, "%s: no edid found\n", __func__);
 }
 
@@ -1264,7 +1273,6 @@ static void adv7511_check_monitor_presen
 	/* update read only ctrls */
 	v4l2_ctrl_s_ctrl(state->hotplug_ctrl, adv7511_have_hotplug(sd) ? 0x1 : 0x0);
 	v4l2_ctrl_s_ctrl(state->rx_sense_ctrl, adv7511_have_rx_sense(sd) ? 0x1 : 0x0);
-	v4l2_ctrl_s_ctrl(state->have_edid0_ctrl, state->edid.segments ? 0x1 : 0x0);
 
 	if ((status & MASK_ADV7511_HPD_DETECT) && ((status & MASK_ADV7511_MSEN_DETECT) || state->edid.segments)) {
 		v4l2_dbg(1, debug, sd, "%s: hotplug and (rx-sense or edid)\n", __func__);
@@ -1294,6 +1302,7 @@ static void adv7511_check_monitor_presen
 		}
 		adv7511_s_power(sd, false);
 		memset(&state->edid, 0, sizeof(struct adv7511_state_edid));
+		adv7511_notify_no_edid(sd);
 	}
 }
 
@@ -1370,6 +1379,7 @@ static bool adv7511_check_edid_status(st
 		}
 		/* one more segment read ok */
 		state->edid.segments = segment + 1;
+		v4l2_ctrl_s_ctrl(state->have_edid0_ctrl, 0x1);
 		if (((state->edid.data[0x7e] >> 1) + 1) > state->edid.segments) {
 			/* Request next EDID segment */
 			v4l2_dbg(1, debug, sd, "%s: request segment %d\n", __func__, state->edid.segments);
@@ -1389,7 +1399,6 @@ static bool adv7511_check_edid_status(st
 		ed.present = true;
 		ed.segment = 0;
 		state->edid_detect_counter++;
-		v4l2_ctrl_s_ctrl(state->have_edid0_ctrl, state->edid.segments ? 0x1 : 0x0);
 		v4l2_subdev_notify(sd, ADV7511_EDID_DETECT, (void *)&ed);
 		return ed.present;
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 103/238] [media] bttv: Width must be a multiple of 16 when capturing planar formats
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 102/238] [media] adv7511: TX_EDID_PRESENT is still 1 after a disconnect Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 104/238] [media] coda: fix first encoded frame payload Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Hans Verkuil,
	Mauro Carvalho Chehab

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hans de Goede <hdegoede@redhat.com>

commit 5c915c68763889f0183a1cc61c84bb228b60124a upstream.

On my bttv card "Hauppauge WinTV [card=10]" capturing in YV12 fmt at max
size results in a solid green rectangle being captured (all colors 0 in
YUV).

This turns out to be caused by max-width (924) not being a multiple of 16.

We've likely never hit this problem before since normally xawtv / tvtime,
etc. will prefer packed pixel formats. But when using a video card which
is using xf86-video-modesetting + glamor, only planar XVideo fmts are
available, and xawtv will chose a matching capture format to avoid needing
to do conversion, triggering the solid green window problem.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/pci/bt8xx/bttv-driver.c |   26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

--- a/drivers/media/pci/bt8xx/bttv-driver.c
+++ b/drivers/media/pci/bt8xx/bttv-driver.c
@@ -2334,6 +2334,19 @@ static int bttv_g_fmt_vid_overlay(struct
 	return 0;
 }
 
+static void bttv_get_width_mask_vid_cap(const struct bttv_format *fmt,
+					unsigned int *width_mask,
+					unsigned int *width_bias)
+{
+	if (fmt->flags & FORMAT_FLAGS_PLANAR) {
+		*width_mask = ~15; /* width must be a multiple of 16 pixels */
+		*width_bias = 8;   /* nearest */
+	} else {
+		*width_mask = ~3; /* width must be a multiple of 4 pixels */
+		*width_bias = 2;  /* nearest */
+	}
+}
+
 static int bttv_try_fmt_vid_cap(struct file *file, void *priv,
 						struct v4l2_format *f)
 {
@@ -2343,6 +2356,7 @@ static int bttv_try_fmt_vid_cap(struct f
 	enum v4l2_field field;
 	__s32 width, height;
 	__s32 height2;
+	unsigned int width_mask, width_bias;
 	int rc;
 
 	fmt = format_by_fourcc(f->fmt.pix.pixelformat);
@@ -2375,9 +2389,9 @@ static int bttv_try_fmt_vid_cap(struct f
 	width = f->fmt.pix.width;
 	height = f->fmt.pix.height;
 
+	bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias);
 	rc = limit_scaled_size_lock(fh, &width, &height, field,
-			       /* width_mask: 4 pixels */ ~3,
-			       /* width_bias: nearest */ 2,
+			       width_mask, width_bias,
 			       /* adjust_size */ 1,
 			       /* adjust_crop */ 0);
 	if (0 != rc)
@@ -2410,6 +2424,7 @@ static int bttv_s_fmt_vid_cap(struct fil
 	struct bttv_fh *fh = priv;
 	struct bttv *btv = fh->btv;
 	__s32 width, height;
+	unsigned int width_mask, width_bias;
 	enum v4l2_field field;
 
 	retval = bttv_switch_type(fh, f->type);
@@ -2424,9 +2439,10 @@ static int bttv_s_fmt_vid_cap(struct fil
 	height = f->fmt.pix.height;
 	field = f->fmt.pix.field;
 
+	fmt = format_by_fourcc(f->fmt.pix.pixelformat);
+	bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias);
 	retval = limit_scaled_size_lock(fh, &width, &height, f->fmt.pix.field,
-			       /* width_mask: 4 pixels */ ~3,
-			       /* width_bias: nearest */ 2,
+			       width_mask, width_bias,
 			       /* adjust_size */ 1,
 			       /* adjust_crop */ 1);
 	if (0 != retval)
@@ -2434,8 +2450,6 @@ static int bttv_s_fmt_vid_cap(struct fil
 
 	f->fmt.pix.field = field;
 
-	fmt = format_by_fourcc(f->fmt.pix.pixelformat);
-
 	/* update our state informations */
 	fh->fmt              = fmt;
 	fh->cap.field        = f->fmt.pix.field;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 104/238] [media] coda: fix first encoded frame payload
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 103/238] [media] bttv: Width must be a multiple of 16 when capturing planar formats Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 105/238] [media] media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32 Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Olbrich, Philipp Zabel,
	Jan Luebbe, Hans Verkuil, Mauro Carvalho Chehab

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Philipp Zabel <p.zabel@pengutronix.de>

commit 74dc385cb450089b28c28be2c8a0baca296b95f9 upstream.

During the recent vb2_buffer restructuring, the calculation of the
buffer payload reported to userspace was accidentally broken for the
first encoded frame, counting only the length of the headers.
This patch re-adds the length of the actual frame data.

Fixes: 2d7007153f0c ("[media] media: videobuf2: Restructure vb2_buffer")

Reported-by: Michael Olbrich <m.olbrich@pengutronix.de>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Tested-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/coda/coda-bit.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/platform/coda/coda-bit.c
+++ b/drivers/media/platform/coda/coda-bit.c
@@ -1342,7 +1342,7 @@ static void coda_finish_encode(struct co
 
 	/* Calculate bytesused field */
 	if (dst_buf->sequence == 0) {
-		vb2_set_plane_payload(&dst_buf->vb2_buf, 0,
+		vb2_set_plane_payload(&dst_buf->vb2_buf, 0, wr_ptr - start_ptr +
 					ctx->vpu_header_size[0] +
 					ctx->vpu_header_size[1] +
 					ctx->vpu_header_size[2]);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 105/238] [media] media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 104/238] [media] coda: fix first encoded frame payload Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 106/238] mtip32xx: Avoid issuing standby immediate cmd during FTL rebuild Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tiffany Lin, Laurent Pinchart,
	Hans Verkuil, Mauro Carvalho Chehab

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tiffany Lin <tiffany.lin@mediatek.com>

commit 7df5ab8774aa383c6d2bff00688d004585d96dfd upstream.

In v4l2-compliance utility, test QUERYBUF required correct length
value to go through each planar to check planar's length in
multi-planar buffer type

Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/v4l2-core/v4l2-compat-ioctl32.c |   21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -415,7 +415,8 @@ static int get_v4l2_buffer32(struct v4l2
 		get_user(kp->index, &up->index) ||
 		get_user(kp->type, &up->type) ||
 		get_user(kp->flags, &up->flags) ||
-		get_user(kp->memory, &up->memory))
+		get_user(kp->memory, &up->memory) ||
+		get_user(kp->length, &up->length))
 			return -EFAULT;
 
 	if (V4L2_TYPE_IS_OUTPUT(kp->type))
@@ -427,9 +428,6 @@ static int get_v4l2_buffer32(struct v4l2
 			return -EFAULT;
 
 	if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
-		if (get_user(kp->length, &up->length))
-			return -EFAULT;
-
 		num_planes = kp->length;
 		if (num_planes == 0) {
 			kp->m.planes = NULL;
@@ -462,16 +460,14 @@ static int get_v4l2_buffer32(struct v4l2
 	} else {
 		switch (kp->memory) {
 		case V4L2_MEMORY_MMAP:
-			if (get_user(kp->length, &up->length) ||
-				get_user(kp->m.offset, &up->m.offset))
+			if (get_user(kp->m.offset, &up->m.offset))
 				return -EFAULT;
 			break;
 		case V4L2_MEMORY_USERPTR:
 			{
 			compat_long_t tmp;
 
-			if (get_user(kp->length, &up->length) ||
-			    get_user(tmp, &up->m.userptr))
+			if (get_user(tmp, &up->m.userptr))
 				return -EFAULT;
 
 			kp->m.userptr = (unsigned long)compat_ptr(tmp);
@@ -513,7 +509,8 @@ static int put_v4l2_buffer32(struct v4l2
 		copy_to_user(&up->timecode, &kp->timecode, sizeof(struct v4l2_timecode)) ||
 		put_user(kp->sequence, &up->sequence) ||
 		put_user(kp->reserved2, &up->reserved2) ||
-		put_user(kp->reserved, &up->reserved))
+		put_user(kp->reserved, &up->reserved) ||
+		put_user(kp->length, &up->length))
 			return -EFAULT;
 
 	if (V4L2_TYPE_IS_MULTIPLANAR(kp->type)) {
@@ -536,13 +533,11 @@ static int put_v4l2_buffer32(struct v4l2
 	} else {
 		switch (kp->memory) {
 		case V4L2_MEMORY_MMAP:
-			if (put_user(kp->length, &up->length) ||
-				put_user(kp->m.offset, &up->m.offset))
+			if (put_user(kp->m.offset, &up->m.offset))
 				return -EFAULT;
 			break;
 		case V4L2_MEMORY_USERPTR:
-			if (put_user(kp->length, &up->length) ||
-				put_user(kp->m.userptr, &up->m.userptr))
+			if (put_user(kp->m.userptr, &up->m.userptr))
 				return -EFAULT;
 			break;
 		case V4L2_MEMORY_OVERLAY:

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 106/238] mtip32xx: Avoid issuing standby immediate cmd during FTL rebuild
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 105/238] [media] media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32 Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 107/238] mtip32xx: Fix broken service thread handling Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Selvan Mani, Vignesh Gunasekaran,
	Asai Thambi S P, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Asai Thambi SP <asamymuthupa@micron.com>

commit d8a18d2d8f5de55666c6011ed175939d22c8e3d8 upstream.

Prevent standby immediate command from being issued in remove,
suspend and shutdown paths, while drive is in FTL rebuild process.

Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Vignesh Gunasekaran <vgunasekaran@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/mtip32xx/mtip32xx.c |   20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -3263,20 +3263,25 @@ out1:
 	return rv;
 }
 
-static void mtip_standby_drive(struct driver_data *dd)
+static int mtip_standby_drive(struct driver_data *dd)
 {
-	if (dd->sr)
-		return;
+	int rv = 0;
 
+	if (dd->sr || !dd->port)
+		return -ENODEV;
 	/*
 	 * Send standby immediate (E0h) to the drive so that it
 	 * saves its state.
 	 */
 	if (!test_bit(MTIP_PF_REBUILD_BIT, &dd->port->flags) &&
-	    !test_bit(MTIP_DDF_SEC_LOCK_BIT, &dd->dd_flag))
-		if (mtip_standby_immediate(dd->port))
+	    !test_bit(MTIP_DDF_REBUILD_FAILED_BIT, &dd->dd_flag) &&
+	    !test_bit(MTIP_DDF_SEC_LOCK_BIT, &dd->dd_flag)) {
+		rv = mtip_standby_immediate(dd->port);
+		if (rv)
 			dev_warn(&dd->pdev->dev,
 				"STANDBY IMMEDIATE failed\n");
+	}
+	return rv;
 }
 
 /*
@@ -3334,8 +3339,7 @@ static int mtip_hw_shutdown(struct drive
 	 * Send standby immediate (E0h) to the drive so that it
 	 * saves its state.
 	 */
-	if (!dd->sr && dd->port)
-		mtip_standby_immediate(dd->port);
+	mtip_standby_drive(dd);
 
 	return 0;
 }
@@ -3358,7 +3362,7 @@ static int mtip_hw_suspend(struct driver
 	 * Send standby immediate (E0h) to the drive
 	 * so that it saves its state.
 	 */
-	if (mtip_standby_immediate(dd->port) != 0) {
+	if (mtip_standby_drive(dd) != 0) {
 		dev_err(&dd->pdev->dev,
 			"Failed standby-immediate command\n");
 		return -EFAULT;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 107/238] mtip32xx: Fix broken service thread handling
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 106/238] mtip32xx: Avoid issuing standby immediate cmd during FTL rebuild Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 108/238] mtip32xx: Remove unwanted code from taskfile error handler Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Selvan Mani, Asai Thambi S P, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Asai Thambi SP <asamymuthupa@micron.com>

commit cfc05bd31384c4898bf2437a4de5557f3cf9803a upstream.

Service thread does not detect the need for taskfile error hanlding. Fixed the
flag condition to process taskfile error.

Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/mtip32xx/mtip32xx.c |    6 +++---
 drivers/block/mtip32xx/mtip32xx.h |    5 +++++
 2 files changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -2917,9 +2917,7 @@ static int mtip_service_thread(void *dat
 		 * is in progress nor error handling is active
 		 */
 		wait_event_interruptible(port->svc_wait, (port->flags) &&
-			!(port->flags & MTIP_PF_PAUSE_IO));
-
-		set_bit(MTIP_PF_SVC_THD_ACTIVE_BIT, &port->flags);
+			(port->flags & MTIP_PF_SVC_THD_WORK));
 
 		if (kthread_should_stop() ||
 			test_bit(MTIP_PF_SVC_THD_STOP_BIT, &port->flags))
@@ -2929,6 +2927,8 @@ static int mtip_service_thread(void *dat
 				&dd->dd_flag)))
 			goto st_out;
 
+		set_bit(MTIP_PF_SVC_THD_ACTIVE_BIT, &port->flags);
+
 restart_eh:
 		/* Demux bits: start with error handling */
 		if (test_bit(MTIP_PF_EH_ACTIVE_BIT, &port->flags)) {
--- a/drivers/block/mtip32xx/mtip32xx.h
+++ b/drivers/block/mtip32xx/mtip32xx.h
@@ -144,6 +144,11 @@ enum {
 	MTIP_PF_REBUILD_BIT         = 6,
 	MTIP_PF_SVC_THD_STOP_BIT    = 8,
 
+	MTIP_PF_SVC_THD_WORK	= ((1 << MTIP_PF_EH_ACTIVE_BIT) |
+				  (1 << MTIP_PF_ISSUE_CMDS_BIT) |
+				  (1 << MTIP_PF_REBUILD_BIT) |
+				  (1 << MTIP_PF_SVC_THD_STOP_BIT)),
+
 	/* below are bit numbers in 'dd_flag' defined in driver_data */
 	MTIP_DDF_SEC_LOCK_BIT	    = 0,
 	MTIP_DDF_REMOVE_PENDING_BIT = 1,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 108/238] mtip32xx: Remove unwanted code from taskfile error handler
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 107/238] mtip32xx: Fix broken service thread handling Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 109/238] mtip32xx: Print exact time when an internal command is interrupted Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Selvan Mani, Rajesh Kumar Sambandam,
	Asai Thambi S P, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Asai Thambi SP <asamymuthupa@micron.com>

commit e35b94738a2f7caa12017f69ef385cb6b8028965 upstream.

Remove setting and clearing MTIP_PF_EH_ACTIVE_BIT flag in
mtip_handle_tfe() as they are redundant. Also avoid waking
up service thread from mtip_handle_tfe() because it is
already woken up in case of taskfile error.

Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Rajesh Kumar Sambandam <rsambandam@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/mtip32xx/mtip32xx.c |    9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -618,8 +618,6 @@ static void mtip_handle_tfe(struct drive
 
 	port = dd->port;
 
-	set_bit(MTIP_PF_EH_ACTIVE_BIT, &port->flags);
-
 	if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &port->flags)) {
 		cmd = mtip_cmd_from_tag(dd, MTIP_TAG_INTERNAL);
 		dbg_printk(MTIP_DRV_NAME " TFE for the internal command\n");
@@ -628,7 +626,7 @@ static void mtip_handle_tfe(struct drive
 			cmd->comp_func(port, MTIP_TAG_INTERNAL,
 					cmd, PORT_IRQ_TF_ERR);
 		}
-		goto handle_tfe_exit;
+		return;
 	}
 
 	/* clear the tag accumulator */
@@ -771,11 +769,6 @@ static void mtip_handle_tfe(struct drive
 		}
 	}
 	print_tags(dd, "reissued (TFE)", tagaccum, cmd_cnt);
-
-handle_tfe_exit:
-	/* clear eh_active */
-	clear_bit(MTIP_PF_EH_ACTIVE_BIT, &port->flags);
-	wake_up_interruptible(&port->svc_wait);
 }
 
 /*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 109/238] mtip32xx: Print exact time when an internal command is interrupted
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 108/238] mtip32xx: Remove unwanted code from taskfile error handler Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-12  2:48   ` Ben Hutchings
  2016-04-10 18:34 ` [PATCH 4.5 110/238] mtip32xx: Fix for rmmod crash when drive is in FTL rebuild Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  229 siblings, 1 reply; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Selvan Mani, Rajesh Kumar Sambandam,
	Asai Thambi S P, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Asai Thambi SP <asamymuthupa@micron.com>

commit 5b7e0a8ac85e2dfd83830dc9e0b3554d153a37e3 upstream.

Print exact time when an internal command is interrupted.

Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Rajesh Kumar Sambandam <rsambandam@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/mtip32xx/mtip32xx.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -1092,6 +1092,7 @@ static int mtip_exec_internal_command(st
 	struct mtip_cmd *int_cmd;
 	struct driver_data *dd = port->dd;
 	int rv = 0;
+	unsigned long start;
 
 	/* Make sure the buffer is 8 byte aligned. This is asic specific. */
 	if (buffer & 0x00000007) {
@@ -1155,6 +1156,8 @@ static int mtip_exec_internal_command(st
 	/* Populate the command header */
 	int_cmd->command_header->byte_count = 0;
 
+	start = jiffies;
+
 	/* Issue the command to the hardware */
 	mtip_issue_non_ncq_command(port, MTIP_TAG_INTERNAL);
 
@@ -1165,8 +1168,9 @@ static int mtip_exec_internal_command(st
 				msecs_to_jiffies(timeout))) <= 0) {
 			if (rv == -ERESTARTSYS) { /* interrupted */
 				dev_err(&dd->pdev->dev,
-					"Internal command [%02X] was interrupted after %lu ms\n",
-					fis->command, timeout);
+					"Internal command [%02X] was interrupted after %u ms\n",
+					fis->command,
+					jiffies_to_msecs(jiffies - start));
 				rv = -EINTR;
 				goto exec_ic_exit;
 			} else if (rv == 0) /* timeout */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 110/238] mtip32xx: Fix for rmmod crash when drive is in FTL rebuild
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 109/238] mtip32xx: Print exact time when an internal command is interrupted Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 111/238] mtip32xx: Handle safe removal during IO Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Selvan Mani, Asai Thambi S P, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Asai Thambi SP <asamymuthupa@micron.com>

commit 59cf70e236c96594d9f1e065755d8fce9df5356b upstream.

When FTL rebuild is in progress, alloc_disk() initializes the disk
but device node will be created by add_disk() only after successful
completion of FTL rebuild. So, skip deletion of device node in
removal path when FTL rebuild is in progress.

Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/mtip32xx/mtip32xx.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -2968,10 +2968,8 @@ restart_eh:
 		}
 
 		if (test_bit(MTIP_PF_REBUILD_BIT, &port->flags)) {
-			if (mtip_ftl_rebuild_poll(dd) < 0)
-				set_bit(MTIP_DDF_REBUILD_FAILED_BIT,
-							&dd->dd_flag);
-			clear_bit(MTIP_PF_REBUILD_BIT, &port->flags);
+			if (mtip_ftl_rebuild_poll(dd) == 0)
+				clear_bit(MTIP_PF_REBUILD_BIT, &port->flags);
 		}
 	}
 
@@ -3851,7 +3849,6 @@ static int mtip_block_initialize(struct
 
 	mtip_hw_debugfs_init(dd);
 
-skip_create_disk:
 	memset(&dd->tags, 0, sizeof(dd->tags));
 	dd->tags.ops = &mtip_mq_ops;
 	dd->tags.nr_hw_queues = 1;
@@ -3881,6 +3878,7 @@ skip_create_disk:
 	dd->disk->queue		= dd->queue;
 	dd->queue->queuedata	= dd;
 
+skip_create_disk:
 	/* Initialize the protocol layer. */
 	wait_for_rebuild = mtip_hw_get_identify(dd);
 	if (wait_for_rebuild < 0) {
@@ -4041,7 +4039,8 @@ static int mtip_block_remove(struct driv
 		dd->bdev = NULL;
 	}
 	if (dd->disk) {
-		del_gendisk(dd->disk);
+		if (test_bit(MTIP_DDF_INIT_DONE_BIT, &dd->dd_flag))
+			del_gendisk(dd->disk);
 		if (dd->disk->queue) {
 			blk_cleanup_queue(dd->queue);
 			blk_mq_free_tag_set(&dd->tags);
@@ -4082,7 +4081,8 @@ static int mtip_block_shutdown(struct dr
 		dev_info(&dd->pdev->dev,
 			"Shutting down %s ...\n", dd->disk->disk_name);
 
-		del_gendisk(dd->disk);
+		if (test_bit(MTIP_DDF_INIT_DONE_BIT, &dd->dd_flag))
+			del_gendisk(dd->disk);
 		if (dd->disk->queue) {
 			blk_cleanup_queue(dd->queue);
 			blk_mq_free_tag_set(&dd->tags);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 111/238] mtip32xx: Handle safe removal during IO
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 110/238] mtip32xx: Fix for rmmod crash when drive is in FTL rebuild Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 112/238] mtip32xx: Handle FTL rebuild failure state during device initialization Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Selvan Mani, Rajesh Kumar Sambandam,
	Asai Thambi S P, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Asai Thambi SP <asamymuthupa@micron.com>

commit 51c6570eb922146470c2fe660c34585414679bd6 upstream.

Flush inflight IOs using fsync_bdev() when the device is safely
removed. Also, block further IOs in device open function.

Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Rajesh Kumar Sambandam <rsambandam@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/mtip32xx/mtip32xx.c |   34 ++++++++++++++++++++++++++++++++--
 drivers/block/mtip32xx/mtip32xx.h |    1 +
 2 files changed, 33 insertions(+), 2 deletions(-)

--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -3595,6 +3595,28 @@ static int mtip_block_getgeo(struct bloc
 	return 0;
 }
 
+static int mtip_block_open(struct block_device *dev, fmode_t mode)
+{
+	struct driver_data *dd;
+
+	if (dev && dev->bd_disk) {
+		dd = (struct driver_data *) dev->bd_disk->private_data;
+
+		if (dd) {
+			if (test_bit(MTIP_DDF_REMOVAL_BIT,
+							&dd->dd_flag)) {
+				return -ENODEV;
+			}
+			return 0;
+		}
+	}
+	return -ENODEV;
+}
+
+void mtip_block_release(struct gendisk *disk, fmode_t mode)
+{
+}
+
 /*
  * Block device operation function.
  *
@@ -3602,6 +3624,8 @@ static int mtip_block_getgeo(struct bloc
  * layer.
  */
 static const struct block_device_operations mtip_block_ops = {
+	.open		= mtip_block_open,
+	.release	= mtip_block_release,
 	.ioctl		= mtip_block_ioctl,
 #ifdef CONFIG_COMPAT
 	.compat_ioctl	= mtip_block_compat_ioctl,
@@ -4427,7 +4451,7 @@ static void mtip_pci_remove(struct pci_d
 	struct driver_data *dd = pci_get_drvdata(pdev);
 	unsigned long flags, to;
 
-	set_bit(MTIP_DDF_REMOVE_PENDING_BIT, &dd->dd_flag);
+	set_bit(MTIP_DDF_REMOVAL_BIT, &dd->dd_flag);
 
 	spin_lock_irqsave(&dev_lock, flags);
 	list_del_init(&dd->online_list);
@@ -4444,12 +4468,18 @@ static void mtip_pci_remove(struct pci_d
 	} while (atomic_read(&dd->irq_workers_active) != 0 &&
 		time_before(jiffies, to));
 
+	fsync_bdev(dd->bdev);
+
 	if (atomic_read(&dd->irq_workers_active) != 0) {
 		dev_warn(&dd->pdev->dev,
 			"Completion workers still active!\n");
 	}
 
-	blk_mq_stop_hw_queues(dd->queue);
+	if (dd->sr)
+		blk_mq_stop_hw_queues(dd->queue);
+
+	set_bit(MTIP_DDF_REMOVE_PENDING_BIT, &dd->dd_flag);
+
 	/* Clean up the block layer. */
 	mtip_block_remove(dd);
 
--- a/drivers/block/mtip32xx/mtip32xx.h
+++ b/drivers/block/mtip32xx/mtip32xx.h
@@ -158,6 +158,7 @@ enum {
 	MTIP_DDF_RESUME_BIT         = 6,
 	MTIP_DDF_INIT_DONE_BIT      = 7,
 	MTIP_DDF_REBUILD_FAILED_BIT = 8,
+	MTIP_DDF_REMOVAL_BIT	    = 9,
 
 	MTIP_DDF_STOP_IO      = ((1 << MTIP_DDF_REMOVE_PENDING_BIT) |
 				(1 << MTIP_DDF_SEC_LOCK_BIT) |

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 112/238] mtip32xx: Handle FTL rebuild failure state during device initialization
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 111/238] mtip32xx: Handle safe removal during IO Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 113/238] mtip32xx: Implement timeout handler Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Selvan Mani, Vignesh Gunasekaran,
	Asai Thambi S P, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Asai Thambi SP <asamymuthupa@micron.com>

commit aae4a033868c496adae86fc6f9c3e0c405bbf360 upstream.

Allow device initialization to finish gracefully when it is in
FTL rebuild failure state. Also, recover device out of this state
after successfully secure erasing it.

Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Vignesh Gunasekaran <vgunasekaran@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/mtip32xx/mtip32xx.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -699,7 +699,7 @@ static void mtip_handle_tfe(struct drive
 			fail_reason = "thermal shutdown";
 		}
 		if (buf[288] == 0xBF) {
-			set_bit(MTIP_DDF_SEC_LOCK_BIT, &dd->dd_flag);
+			set_bit(MTIP_DDF_REBUILD_FAILED_BIT, &dd->dd_flag);
 			dev_info(&dd->pdev->dev,
 				"Drive indicates rebuild has failed. Secure erase required.\n");
 			fail_all_ncq_cmds = 1;
@@ -1000,6 +1000,7 @@ static bool mtip_pause_ncq(struct mtip_p
 			(fis->features == 0x27 || fis->features == 0x72 ||
 			 fis->features == 0x62 || fis->features == 0x26))) {
 		clear_bit(MTIP_DDF_SEC_LOCK_BIT, &port->dd->dd_flag);
+		clear_bit(MTIP_DDF_REBUILD_FAILED_BIT, &port->dd->dd_flag);
 		/* Com reset after secure erase or lowlevel format */
 		mtip_restart_port(port);
 		clear_bit(MTIP_PF_SE_ACTIVE_BIT, &port->flags);
@@ -1166,6 +1167,7 @@ static int mtip_exec_internal_command(st
 		if ((rv = wait_for_completion_interruptible_timeout(
 				&wait,
 				msecs_to_jiffies(timeout))) <= 0) {
+
 			if (rv == -ERESTARTSYS) { /* interrupted */
 				dev_err(&dd->pdev->dev,
 					"Internal command [%02X] was interrupted after %u ms\n",
@@ -3084,7 +3086,7 @@ static int mtip_hw_get_identify(struct d
 		if (buf[288] == 0xBF) {
 			dev_info(&dd->pdev->dev,
 				"Drive indicates rebuild has failed.\n");
-			/* TODO */
+			set_bit(MTIP_DDF_REBUILD_FAILED_BIT, &dd->dd_flag);
 		}
 	}
 
@@ -3687,10 +3689,9 @@ static int mtip_submit_request(struct bl
 				rq_data_dir(rq))) {
 			return -ENODATA;
 		}
-		if (unlikely(test_bit(MTIP_DDF_SEC_LOCK_BIT, &dd->dd_flag)))
+		if (unlikely(test_bit(MTIP_DDF_SEC_LOCK_BIT, &dd->dd_flag) ||
+			test_bit(MTIP_DDF_REBUILD_FAILED_BIT, &dd->dd_flag)))
 			return -ENODATA;
-		if (test_bit(MTIP_DDF_REBUILD_FAILED_BIT, &dd->dd_flag))
-			return -ENXIO;
 	}
 
 	if (rq->cmd_flags & REQ_DISCARD) {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 113/238] mtip32xx: Implement timeout handler
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 112/238] mtip32xx: Handle FTL rebuild failure state during device initialization Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-12  2:49   ` Ben Hutchings
  2016-04-10 18:34 ` [PATCH 4.5 114/238] mtip32xx: Cleanup queued requests after surprise removal Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  229 siblings, 1 reply; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Selvan Mani, Rajesh Kumar Sambandam,
	Asai Thambi S P, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Asai Thambi SP <asamymuthupa@micron.com>

commit abb0ccd185c9e31847709b86192e6c815d1f57ad upstream.

Added timeout handler. Replaced blk_mq_end_request() with
blk_mq_complete_request() to avoid double completion of a request.

Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Rajesh Kumar Sambandam <rsambandam@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/mtip32xx/mtip32xx.c |   95 ++++++++++++++++++++++++++++++++++----
 drivers/block/mtip32xx/mtip32xx.h |    7 ++
 2 files changed, 92 insertions(+), 10 deletions(-)

--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -233,15 +233,9 @@ static void mtip_async_complete(struct m
 			"Command tag %d failed due to TFE\n", tag);
 	}
 
-	/* Unmap the DMA scatter list entries */
-	dma_unmap_sg(&dd->pdev->dev, cmd->sg, cmd->scatter_ents, cmd->direction);
-
 	rq = mtip_rq_from_tag(dd, tag);
 
-	if (unlikely(cmd->unaligned))
-		up(&port->cmd_slot_unal);
-
-	blk_mq_end_request(rq, status ? -EIO : 0);
+	blk_mq_complete_request(rq, status);
 }
 
 /*
@@ -2889,6 +2883,42 @@ static int mtip_ftl_rebuild_poll(struct
 	return -EFAULT;
 }
 
+static void mtip_softirq_done_fn(struct request *rq)
+{
+	struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq);
+	struct driver_data *dd = rq->q->queuedata;
+
+	/* Unmap the DMA scatter list entries */
+	dma_unmap_sg(&dd->pdev->dev, cmd->sg, cmd->scatter_ents,
+							cmd->direction);
+
+	if (unlikely(cmd->unaligned))
+		up(&dd->port->cmd_slot_unal);
+
+	blk_mq_end_request(rq, rq->errors);
+}
+
+static void mtip_abort_cmd(struct request *req, void *data,
+							bool reserved)
+{
+	struct driver_data *dd = data;
+
+	dbg_printk(MTIP_DRV_NAME " Aborting request, tag = %d\n", req->tag);
+
+	clear_bit(req->tag, dd->port->cmds_to_issue);
+	req->errors = -EIO;
+	mtip_softirq_done_fn(req);
+}
+
+static void mtip_queue_cmd(struct request *req, void *data,
+							bool reserved)
+{
+	struct driver_data *dd = data;
+
+	set_bit(req->tag, dd->port->cmds_to_issue);
+	blk_abort_request(req);
+}
+
 /*
  * service thread to issue queued commands
  *
@@ -2901,7 +2931,7 @@ static int mtip_ftl_rebuild_poll(struct
 static int mtip_service_thread(void *data)
 {
 	struct driver_data *dd = (struct driver_data *)data;
-	unsigned long slot, slot_start, slot_wrap;
+	unsigned long slot, slot_start, slot_wrap, to;
 	unsigned int num_cmd_slots = dd->slot_groups * 32;
 	struct mtip_port *port = dd->port;
 
@@ -2938,6 +2968,32 @@ restart_eh:
 		if (test_bit(MTIP_PF_EH_ACTIVE_BIT, &port->flags))
 			goto restart_eh;
 
+		if (test_bit(MTIP_PF_TO_ACTIVE_BIT, &port->flags)) {
+			to = jiffies + msecs_to_jiffies(5000);
+
+			do {
+				mdelay(100);
+			} while (atomic_read(&dd->irq_workers_active) != 0 &&
+				time_before(jiffies, to));
+
+			if (atomic_read(&dd->irq_workers_active) != 0)
+				dev_warn(&dd->pdev->dev,
+					"Completion workers still active!");
+
+			spin_lock(dd->queue->queue_lock);
+			blk_mq_all_tag_busy_iter(*dd->tags.tags,
+							mtip_queue_cmd, dd);
+			spin_unlock(dd->queue->queue_lock);
+
+			set_bit(MTIP_PF_ISSUE_CMDS_BIT, &dd->port->flags);
+
+			if (mtip_device_reset(dd))
+				blk_mq_all_tag_busy_iter(*dd->tags.tags,
+							mtip_abort_cmd, dd);
+
+			clear_bit(MTIP_PF_TO_ACTIVE_BIT, &dd->port->flags);
+		}
+
 		if (test_bit(MTIP_PF_ISSUE_CMDS_BIT, &port->flags)) {
 			slot = 1;
 			/* used to restrict the loop to one iteration */
@@ -3803,11 +3859,33 @@ static int mtip_init_cmd(void *data, str
 	return 0;
 }
 
+static enum blk_eh_timer_return mtip_cmd_timeout(struct request *req,
+								bool reserved)
+{
+	struct driver_data *dd = req->q->queuedata;
+	int ret = BLK_EH_RESET_TIMER;
+
+	if (reserved)
+		goto exit_handler;
+
+	if (test_bit(req->tag, dd->port->cmds_to_issue))
+		goto exit_handler;
+
+	if (test_and_set_bit(MTIP_PF_TO_ACTIVE_BIT, &dd->port->flags))
+		goto exit_handler;
+
+	wake_up_interruptible(&dd->port->svc_wait);
+exit_handler:
+	return ret;
+}
+
 static struct blk_mq_ops mtip_mq_ops = {
 	.queue_rq	= mtip_queue_rq,
 	.map_queue	= blk_mq_map_queue,
 	.init_request	= mtip_init_cmd,
 	.exit_request	= mtip_free_cmd,
+	.complete	= mtip_softirq_done_fn,
+	.timeout        = mtip_cmd_timeout,
 };
 
 /*
@@ -3883,6 +3961,7 @@ static int mtip_block_initialize(struct
 	dd->tags.numa_node = dd->numa_node;
 	dd->tags.flags = BLK_MQ_F_SHOULD_MERGE;
 	dd->tags.driver_data = dd;
+	dd->tags.timeout = MTIP_NCQ_CMD_TIMEOUT_MS;
 
 	rv = blk_mq_alloc_tag_set(&dd->tags);
 	if (rv) {
--- a/drivers/block/mtip32xx/mtip32xx.h
+++ b/drivers/block/mtip32xx/mtip32xx.h
@@ -134,10 +134,12 @@ enum {
 	MTIP_PF_EH_ACTIVE_BIT       = 1, /* error handling */
 	MTIP_PF_SE_ACTIVE_BIT       = 2, /* secure erase */
 	MTIP_PF_DM_ACTIVE_BIT       = 3, /* download microcde */
+	MTIP_PF_TO_ACTIVE_BIT       = 9, /* timeout handling */
 	MTIP_PF_PAUSE_IO      =	((1 << MTIP_PF_IC_ACTIVE_BIT) |
 				(1 << MTIP_PF_EH_ACTIVE_BIT) |
 				(1 << MTIP_PF_SE_ACTIVE_BIT) |
-				(1 << MTIP_PF_DM_ACTIVE_BIT)),
+				(1 << MTIP_PF_DM_ACTIVE_BIT) |
+				(1 << MTIP_PF_TO_ACTIVE_BIT)),
 
 	MTIP_PF_SVC_THD_ACTIVE_BIT  = 4,
 	MTIP_PF_ISSUE_CMDS_BIT      = 5,
@@ -147,7 +149,8 @@ enum {
 	MTIP_PF_SVC_THD_WORK	= ((1 << MTIP_PF_EH_ACTIVE_BIT) |
 				  (1 << MTIP_PF_ISSUE_CMDS_BIT) |
 				  (1 << MTIP_PF_REBUILD_BIT) |
-				  (1 << MTIP_PF_SVC_THD_STOP_BIT)),
+				  (1 << MTIP_PF_SVC_THD_STOP_BIT) |
+				  (1 << MTIP_PF_TO_ACTIVE_BIT)),
 
 	/* below are bit numbers in 'dd_flag' defined in driver_data */
 	MTIP_DDF_SEC_LOCK_BIT	    = 0,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 114/238] mtip32xx: Cleanup queued requests after surprise removal
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 113/238] mtip32xx: Implement timeout handler Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 115/238] ALSA: hda - Fix unexpected resume through regmap code path Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vignesh Gunasekaran, Selvan Mani,
	Asai Thambi S P, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Asai Thambi SP <asamymuthupa@micron.com>

commit 008e56d200225321371748d95908e6222436f06d upstream.

Fail all pending requests after surprise removal of a drive.

Signed-off-by: Vignesh Gunasekaran <vgunasekaran@micron.com>
Signed-off-by: Selvan Mani <smani@micron.com>
Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/mtip32xx/mtip32xx.c |   78 +++++++++++++++++++++++++++++---------
 1 file changed, 60 insertions(+), 18 deletions(-)

--- a/drivers/block/mtip32xx/mtip32xx.c
+++ b/drivers/block/mtip32xx/mtip32xx.c
@@ -173,7 +173,13 @@ static struct mtip_cmd *mtip_get_int_com
 {
 	struct request *rq;
 
+	if (mtip_check_surprise_removal(dd->pdev))
+		return NULL;
+
 	rq = blk_mq_alloc_request(dd->queue, 0, BLK_MQ_REQ_RESERVED);
+	if (IS_ERR(rq))
+		return NULL;
+
 	return blk_mq_rq_to_pdu(rq);
 }
 
@@ -575,6 +581,8 @@ static void mtip_completion(struct mtip_
 		dev_warn(&port->dd->pdev->dev,
 			"Internal command %d completed with TFE\n", tag);
 
+	command->comp_func = NULL;
+	command->comp_data = NULL;
 	complete(waiting);
 }
 
@@ -1009,12 +1017,14 @@ static bool mtip_pause_ncq(struct mtip_p
  *
  * @port    Pointer to port data structure
  * @timeout Max duration to wait (ms)
+ * @atomic  gfp_t flag to indicate blockable context or not
  *
  * return value
  *	0	Success
  *	-EBUSY  Commands still active
  */
-static int mtip_quiesce_io(struct mtip_port *port, unsigned long timeout)
+static int mtip_quiesce_io(struct mtip_port *port, unsigned long timeout,
+								gfp_t atomic)
 {
 	unsigned long to;
 	unsigned int n;
@@ -1025,16 +1035,21 @@ static int mtip_quiesce_io(struct mtip_p
 	to = jiffies + msecs_to_jiffies(timeout);
 	do {
 		if (test_bit(MTIP_PF_SVC_THD_ACTIVE_BIT, &port->flags) &&
-			test_bit(MTIP_PF_ISSUE_CMDS_BIT, &port->flags)) {
+			test_bit(MTIP_PF_ISSUE_CMDS_BIT, &port->flags) &&
+			atomic == GFP_KERNEL) {
 			msleep(20);
 			continue; /* svc thd is actively issuing commands */
 		}
 
-		msleep(100);
+		if (atomic == GFP_KERNEL)
+			msleep(100);
+		else {
+			cpu_relax();
+			udelay(100);
+		}
+
 		if (mtip_check_surprise_removal(port->dd->pdev))
 			goto err_fault;
-		if (test_bit(MTIP_DDF_REMOVE_PENDING_BIT, &port->dd->dd_flag))
-			goto err_fault;
 
 		/*
 		 * Ignore s_active bit 0 of array element 0.
@@ -1096,6 +1111,10 @@ static int mtip_exec_internal_command(st
 	}
 
 	int_cmd = mtip_get_int_command(dd);
+	if (!int_cmd) {
+		dbg_printk(MTIP_DRV_NAME "Unable to allocate tag for PIO cmd\n");
+		return -EFAULT;
+	}
 
 	set_bit(MTIP_PF_IC_ACTIVE_BIT, &port->flags);
 
@@ -1108,7 +1127,7 @@ static int mtip_exec_internal_command(st
 		if (fis->command != ATA_CMD_STANDBYNOW1) {
 			/* wait for io to complete if non atomic */
 			if (mtip_quiesce_io(port,
-					MTIP_QUIESCE_IO_TIMEOUT_MS) < 0) {
+				MTIP_QUIESCE_IO_TIMEOUT_MS, atomic) < 0) {
 				dev_warn(&dd->pdev->dev,
 					"Failed to quiesce IO\n");
 				mtip_put_int_command(dd, int_cmd);
@@ -3347,10 +3366,6 @@ static int mtip_standby_drive(struct dri
  */
 static int mtip_hw_exit(struct driver_data *dd)
 {
-	/*
-	 * Send standby immediate (E0h) to the drive so that it
-	 * saves its state.
-	 */
 	if (!dd->sr) {
 		/* de-initialize the port. */
 		mtip_deinit_port(dd->port);
@@ -3967,7 +3982,7 @@ static int mtip_block_initialize(struct
 	if (rv) {
 		dev_err(&dd->pdev->dev,
 			"Unable to allocate request queue\n");
-		goto block_queue_alloc_init_error;
+		goto block_queue_alloc_tag_error;
 	}
 
 	/* Allocate the request queue. */
@@ -4079,8 +4094,9 @@ kthread_run_error:
 read_capacity_error:
 init_hw_cmds_error:
 	blk_cleanup_queue(dd->queue);
-	blk_mq_free_tag_set(&dd->tags);
 block_queue_alloc_init_error:
+	blk_mq_free_tag_set(&dd->tags);
+block_queue_alloc_tag_error:
 	mtip_hw_debugfs_exit(dd);
 disk_index_error:
 	spin_lock(&rssd_index_lock);
@@ -4097,6 +4113,22 @@ protocol_init_error:
 	return rv;
 }
 
+static void mtip_no_dev_cleanup(struct request *rq, void *data, bool reserv)
+{
+	struct driver_data *dd = (struct driver_data *)data;
+	struct mtip_cmd *cmd;
+
+	if (likely(!reserv))
+		blk_mq_complete_request(rq, -ENODEV);
+	else if (test_bit(MTIP_PF_IC_ACTIVE_BIT, &dd->port->flags)) {
+
+		cmd = mtip_cmd_from_tag(dd, MTIP_TAG_INTERNAL);
+		if (cmd->comp_func)
+			cmd->comp_func(dd->port, MTIP_TAG_INTERNAL,
+					cmd, -ENODEV);
+	}
+}
+
 /*
  * Block layer deinitialization function.
  *
@@ -4128,12 +4160,23 @@ static int mtip_block_remove(struct driv
 		}
 	}
 
-	if (!dd->sr)
-		mtip_standby_drive(dd);
+	if (!dd->sr) {
+		/*
+		 * Explicitly wait here for IOs to quiesce,
+		 * as mtip_standby_drive usually won't wait for IOs.
+		 */
+		if (!mtip_quiesce_io(dd->port, MTIP_QUIESCE_IO_TIMEOUT_MS,
+								GFP_KERNEL))
+			mtip_standby_drive(dd);
+	}
 	else
 		dev_info(&dd->pdev->dev, "device %s surprise removal\n",
 						dd->disk->disk_name);
 
+	blk_mq_freeze_queue_start(dd->queue);
+	blk_mq_stop_hw_queues(dd->queue);
+	blk_mq_all_tag_busy_iter(dd->tags.tags[0], mtip_no_dev_cleanup, dd);
+
 	/*
 	 * Delete our gendisk structure. This also removes the device
 	 * from /dev
@@ -4548,16 +4591,15 @@ static void mtip_pci_remove(struct pci_d
 	} while (atomic_read(&dd->irq_workers_active) != 0 &&
 		time_before(jiffies, to));
 
-	fsync_bdev(dd->bdev);
+	if (!dd->sr)
+		fsync_bdev(dd->bdev);
 
 	if (atomic_read(&dd->irq_workers_active) != 0) {
 		dev_warn(&dd->pdev->dev,
 			"Completion workers still active!\n");
 	}
 
-	if (dd->sr)
-		blk_mq_stop_hw_queues(dd->queue);
-
+	blk_set_queue_dying(dd->queue);
 	set_bit(MTIP_DDF_REMOVE_PENDING_BIT, &dd->dd_flag);
 
 	/* Clean up the block layer. */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 115/238] ALSA: hda - Fix unexpected resume through regmap code path
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 114/238] mtip32xx: Cleanup queued requests after surprise removal Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 116/238] ALSA: hda - Apply reboot D3 fix for CX20724 codec, too Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit fc4f000bf8c0cbf38f44de6bd5e225574e572ed4 upstream.

HD-audio driver has a mechanism to trigger the runtime resume
automatically at accessing the verbs.  This auto-resume, however,
causes the mutex deadlock when invoked from the regmap handler since
the regmap keeps the mutex while auto-resuming.  For avoiding that,
there is some tricky check in the HDA regmap handler to return -EAGAIN
error to back-off when the codec is powered down.  Then the caller of
regmap r/w will retry after properly turning on the codec power.

This works in most cases, but there seems a slight race between the
codec power check and the actual on-demand auto-resume trigger.  This
resulted in the lockdep splat, eventually leading to a real deadlock.

This patch tries to address the race window by getting the runtime PM
refcount at the check time using pm_runtime_get_if_in_use().  With
this call, we can keep the power on only when the codec has been
already turned on, and back off if not.

For keeping the code consistency, the code touching the runtime PM is
stored in hdac_device.c although it's used only locally in
hdac_regmap.c.

Reported-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/sound/hdaudio.h |    2 +
 sound/hda/hdac_device.c |   16 +++++++++++
 sound/hda/hdac_regmap.c |   69 ++++++++++++++++++++++++++++++++----------------
 3 files changed, 64 insertions(+), 23 deletions(-)

--- a/include/sound/hdaudio.h
+++ b/include/sound/hdaudio.h
@@ -168,11 +168,13 @@ int snd_hdac_power_up(struct hdac_device
 int snd_hdac_power_down(struct hdac_device *codec);
 int snd_hdac_power_up_pm(struct hdac_device *codec);
 int snd_hdac_power_down_pm(struct hdac_device *codec);
+int snd_hdac_keep_power_up(struct hdac_device *codec);
 #else
 static inline int snd_hdac_power_up(struct hdac_device *codec) { return 0; }
 static inline int snd_hdac_power_down(struct hdac_device *codec) { return 0; }
 static inline int snd_hdac_power_up_pm(struct hdac_device *codec) { return 0; }
 static inline int snd_hdac_power_down_pm(struct hdac_device *codec) { return 0; }
+static inline int snd_hdac_keep_power_up(struct hdac_device *codec) { return 0; }
 #endif
 
 /*
--- a/sound/hda/hdac_device.c
+++ b/sound/hda/hdac_device.c
@@ -611,6 +611,22 @@ int snd_hdac_power_up_pm(struct hdac_dev
 }
 EXPORT_SYMBOL_GPL(snd_hdac_power_up_pm);
 
+/* like snd_hdac_power_up_pm(), but only increment the pm count when
+ * already powered up.  Returns -1 if not powered up, 1 if incremented
+ * or 0 if unchanged.  Only used in hdac_regmap.c
+ */
+int snd_hdac_keep_power_up(struct hdac_device *codec)
+{
+	if (!atomic_inc_not_zero(&codec->in_pm)) {
+		int ret = pm_runtime_get_if_in_use(&codec->dev);
+		if (!ret)
+			return -1;
+		if (ret < 0)
+			return 0;
+	}
+	return 1;
+}
+
 /**
  * snd_hdac_power_down_pm - power down the codec
  * @codec: the codec object
--- a/sound/hda/hdac_regmap.c
+++ b/sound/hda/hdac_regmap.c
@@ -21,13 +21,16 @@
 #include <sound/hdaudio.h>
 #include <sound/hda_regmap.h>
 
-#ifdef CONFIG_PM
-#define codec_is_running(codec)				\
-	(atomic_read(&(codec)->in_pm) ||		\
-	 !pm_runtime_suspended(&(codec)->dev))
-#else
-#define codec_is_running(codec)		true
-#endif
+static int codec_pm_lock(struct hdac_device *codec)
+{
+	return snd_hdac_keep_power_up(codec);
+}
+
+static void codec_pm_unlock(struct hdac_device *codec, int lock)
+{
+	if (lock == 1)
+		snd_hdac_power_down_pm(codec);
+}
 
 #define get_verb(reg)	(((reg) >> 8) & 0xfff)
 
@@ -238,20 +241,28 @@ static int hda_reg_read(void *context, u
 	struct hdac_device *codec = context;
 	int verb = get_verb(reg);
 	int err;
+	int pm_lock = 0;
 
-	if (!codec_is_running(codec) && verb != AC_VERB_GET_POWER_STATE)
-		return -EAGAIN;
+	if (verb != AC_VERB_GET_POWER_STATE) {
+		pm_lock = codec_pm_lock(codec);
+		if (pm_lock < 0)
+			return -EAGAIN;
+	}
 	reg |= (codec->addr << 28);
-	if (is_stereo_amp_verb(reg))
-		return hda_reg_read_stereo_amp(codec, reg, val);
-	if (verb == AC_VERB_GET_PROC_COEF)
-		return hda_reg_read_coef(codec, reg, val);
+	if (is_stereo_amp_verb(reg)) {
+		err = hda_reg_read_stereo_amp(codec, reg, val);
+		goto out;
+	}
+	if (verb == AC_VERB_GET_PROC_COEF) {
+		err = hda_reg_read_coef(codec, reg, val);
+		goto out;
+	}
 	if ((verb & 0x700) == AC_VERB_SET_AMP_GAIN_MUTE)
 		reg &= ~AC_AMP_FAKE_MUTE;
 
 	err = snd_hdac_exec_verb(codec, reg, 0, val);
 	if (err < 0)
-		return err;
+		goto out;
 	/* special handling for asymmetric reads */
 	if (verb == AC_VERB_GET_POWER_STATE) {
 		if (*val & AC_PWRST_ERROR)
@@ -259,7 +270,9 @@ static int hda_reg_read(void *context, u
 		else /* take only the actual state */
 			*val = (*val >> 4) & 0x0f;
 	}
-	return 0;
+ out:
+	codec_pm_unlock(codec, pm_lock);
+	return err;
 }
 
 static int hda_reg_write(void *context, unsigned int reg, unsigned int val)
@@ -267,6 +280,7 @@ static int hda_reg_write(void *context,
 	struct hdac_device *codec = context;
 	unsigned int verb;
 	int i, bytes, err;
+	int pm_lock = 0;
 
 	if (codec->caps_overwriting)
 		return 0;
@@ -275,14 +289,21 @@ static int hda_reg_write(void *context,
 	reg |= (codec->addr << 28);
 	verb = get_verb(reg);
 
-	if (!codec_is_running(codec) && verb != AC_VERB_SET_POWER_STATE)
-		return codec->lazy_cache ? 0 : -EAGAIN;
+	if (verb != AC_VERB_SET_POWER_STATE) {
+		pm_lock = codec_pm_lock(codec);
+		if (pm_lock < 0)
+			return codec->lazy_cache ? 0 : -EAGAIN;
+	}
 
-	if (is_stereo_amp_verb(reg))
-		return hda_reg_write_stereo_amp(codec, reg, val);
+	if (is_stereo_amp_verb(reg)) {
+		err = hda_reg_write_stereo_amp(codec, reg, val);
+		goto out;
+	}
 
-	if (verb == AC_VERB_SET_PROC_COEF)
-		return hda_reg_write_coef(codec, reg, val);
+	if (verb == AC_VERB_SET_PROC_COEF) {
+		err = hda_reg_write_coef(codec, reg, val);
+		goto out;
+	}
 
 	switch (verb & 0xf00) {
 	case AC_VERB_SET_AMP_GAIN_MUTE:
@@ -319,10 +340,12 @@ static int hda_reg_write(void *context,
 		reg |= (verb + i) << 8 | ((val >> (8 * i)) & 0xff);
 		err = snd_hdac_exec_verb(codec, reg, 0, NULL);
 		if (err < 0)
-			return err;
+			goto out;
 	}
 
-	return 0;
+ out:
+	codec_pm_unlock(codec, pm_lock);
+	return err;
 }
 
 static const struct regmap_config hda_regmap_cfg = {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 116/238] ALSA: hda - Apply reboot D3 fix for CX20724 codec, too
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 115/238] ALSA: hda - Fix unexpected resume through regmap code path Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 117/238] ALSA: pcm: Avoid "BUG:" string for warnings again Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 56dc66ff1c6d71f9a38c4a7c000b72b921fe4c89 upstream.

Just like CX20722, CX7024 codec also requires the power down at reboot
in order to reduce the noise at reboot/shutdown.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=113511
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_conexant.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -204,8 +204,13 @@ static void cx_auto_reboot_notify(struct
 {
 	struct conexant_spec *spec = codec->spec;
 
-	if (codec->core.vendor_id != 0x14f150f2)
+	switch (codec->core.vendor_id) {
+	case 0x14f150f2: /* CX20722 */
+	case 0x14f150f4: /* CX20724 */
+		break;
+	default:
 		return;
+	}
 
 	/* Turn the CX20722 codec into D3 to avoid spurious noises
 	   from the internal speaker during (and after) reboot */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 117/238] ALSA: pcm: Avoid "BUG:" string for warnings again
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 116/238] ALSA: hda - Apply reboot D3 fix for CX20724 codec, too Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 118/238] ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41 Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 0ab1ace856205d10cbc1924b2d931c01ffd216a6 upstream.

The commit [d507941beb1e: ALSA: pcm: Correct PCM BUG error message]
made the warning prefix back to "BUG:" due to its previous wrong
prefix.  But a kernel message containing "BUG:" seems taken as an Oops
message wrongly by some brain-dead daemons, and it annoys users in the
end.  Instead of teaching daemons, change the string again to a more
reasonable one.

Fixes: 507941beb1e ('ALSA: pcm: Correct PCM BUG error message')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/pcm_lib.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -322,7 +322,7 @@ static int snd_pcm_update_hw_ptr0(struct
 			char name[16];
 			snd_pcm_debug_name(substream, name, sizeof(name));
 			pcm_err(substream->pcm,
-				"BUG: %s, pos = %ld, buffer size = %ld, period size = %ld\n",
+				"invalid position: %s, pos = %ld, buffer size = %ld, period size = %ld\n",
 				name, pos, runtime->buffer_size,
 				runtime->period_size);
 		}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 118/238] ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41.
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 117/238] ALSA: pcm: Avoid "BUG:" string for warnings again Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 119/238] ALSA: hda - Dont handle ELD notify from invalid port Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vittorio Gambaletta, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vittorio Gambaletta (VittGam) <linuxbugs@vittgam.net>

commit 4061db03dd71d195b9973ee466f6ed32f6a3fc16 upstream.

The clock measurement on the AC'97 audio card found in the IBM ThinkPad X41
will often fail, so add a quirk entry to fix it.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=441087
Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/intel8x0.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/intel8x0.c
+++ b/sound/pci/intel8x0.c
@@ -2879,6 +2879,7 @@ static void intel8x0_measure_ac97_clock(
 
 static struct snd_pci_quirk intel8x0_clock_list[] = {
 	SND_PCI_QUIRK(0x0e11, 0x008a, "AD1885", 41000),
+	SND_PCI_QUIRK(0x1014, 0x0581, "AD1981B", 48000),
 	SND_PCI_QUIRK(0x1028, 0x00be, "AD1885", 44100),
 	SND_PCI_QUIRK(0x1028, 0x0177, "AD1980", 48000),
 	SND_PCI_QUIRK(0x1028, 0x01ad, "AD1981B", 48000),

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 119/238] ALSA: hda - Dont handle ELD notify from invalid port
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 118/238] ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41 Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 120/238] ALSA: hda - fix the mic mute button and led problem for a Lenovo AIO Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stefan Assmann, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 4f8e4f3537cafc4de128e6bfdf83baa78bc60eb1 upstream.

The current Intel HDMI codec driver supports only three fixed ports
from port B to port D.  However, i915 driver may assign a DP on other
ports, e.g. port A, when no eDP is used.  This incompatibility is
caught later at pin_nid_to_pin_index() and results in a warning
message like "HDMI: pin nid 4 not registered" at each time.

This patch filters out such invalid events beforehand, so that the
kernel won't be too grumbling.

Reported-by: Stefan Assmann <sassmann@kpanic.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_hdmi.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -2432,6 +2432,10 @@ static void intel_pin_eld_notify(void *a
 	struct hda_codec *codec = audio_ptr;
 	int pin_nid = port + 0x04;
 
+	/* we assume only from port-B to port-D */
+	if (port < 1 || port > 3)
+		return;
+
 	/* skip notification during system suspend (but not in runtime PM);
 	 * the state will be updated at resume
 	 */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 120/238] ALSA: hda - fix the mic mute button and led problem for a Lenovo AIO
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 119/238] ALSA: hda - Dont handle ELD notify from invalid port Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 121/238] ALSA: hda - Add new GPU codec ID 0x10de0082 to snd-hda Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hui Wang, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hui Wang <hui.wang@canonical.com>

commit 6ef2f68fa38bf415830f67903d87180d933e0f47 upstream.

This Lenovo ThinkCentre AIO also uses Line2 as mic mute button and
uses GPIO2 to control the mic mute led, so applying this quirk can
make both the button and led work.

BugLink: https://bugs.launchpad.net/bugs/1555912
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5556,6 +5556,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
 	SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC293_FIXUP_LENOVO_SPK_NOISE),
 	SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+	SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
 	SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
 	SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
 	SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 121/238] ALSA: hda - Add new GPU codec ID 0x10de0082 to snd-hda
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 120/238] ALSA: hda - fix the mic mute button and led problem for a Lenovo AIO Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:34 ` [PATCH 4.5 122/238] ALSA: hda - Fix unconditional GPIO toggle via automute Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Aaron Plattner, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaron Plattner <aplattner@nvidia.com>

commit 2d369c748c2ecc2a012ee85412a04007e67913ec upstream.

Vendor ID 0x10de0082 is used by a yet-to-be-named GPU chip.

This chip also has the 2-ch audio swapping bug, so patch_nvhdmi is
appropriate here.

Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_hdmi.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -3663,6 +3663,7 @@ HDA_CODEC_ENTRY(0x10de0070, "GPU 70 HDMI
 HDA_CODEC_ENTRY(0x10de0071, "GPU 71 HDMI/DP",	patch_nvhdmi),
 HDA_CODEC_ENTRY(0x10de0072, "GPU 72 HDMI/DP",	patch_nvhdmi),
 HDA_CODEC_ENTRY(0x10de007d, "GPU 7d HDMI/DP",	patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de0082, "GPU 82 HDMI/DP",	patch_nvhdmi),
 HDA_CODEC_ENTRY(0x10de0083, "GPU 83 HDMI/DP",	patch_nvhdmi),
 HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI",	patch_nvhdmi_2ch),
 HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP",	patch_via_hdmi),

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 122/238] ALSA: hda - Fix unconditional GPIO toggle via automute
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 121/238] ALSA: hda - Add new GPU codec ID 0x10de0082 to snd-hda Greg Kroah-Hartman
@ 2016-04-10 18:34 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 126/238] ALSA: hda - Fix forgotten HDMI monitor_present update Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit 1f7c6658962fa1260c1658d681bd6bb0c746b99a upstream.

Cirrus HD-audio driver may adjust GPIO pins for EAPD dynamically
depending on the jack plug state.  This works fine for the auto-mute
mode where the speaker gets muted upon the HP jack plug.   OTOH, when
the auto-mute mode is off, this turns off the EAPD unexpectedly
depending on the jack state, which results in the silent speaker
output.

This patch fixes the silent speaker output issue by setting GPIO bits
constantly when the auto-mute mode is off.

Reported-and-tested-by: moosotc@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_cirrus.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/patch_cirrus.c
+++ b/sound/pci/hda/patch_cirrus.c
@@ -174,8 +174,12 @@ static void cs_automute(struct hda_codec
 	snd_hda_gen_update_outputs(codec);
 
 	if (spec->gpio_eapd_hp || spec->gpio_eapd_speaker) {
-		spec->gpio_data = spec->gen.hp_jack_present ?
-			spec->gpio_eapd_hp : spec->gpio_eapd_speaker;
+		if (spec->gen.automute_speaker)
+			spec->gpio_data = spec->gen.hp_jack_present ?
+				spec->gpio_eapd_hp : spec->gpio_eapd_speaker;
+		else
+			spec->gpio_data =
+				spec->gpio_eapd_hp | spec->gpio_eapd_speaker;
 		snd_hda_codec_write(codec, 0x01, 0,
 				    AC_VERB_SET_GPIO_DATA, spec->gpio_data);
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 126/238] ALSA: hda - Fix forgotten HDMI monitor_present update
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2016-04-10 18:34 ` [PATCH 4.5 122/238] ALSA: hda - Fix unconditional GPIO toggle via automute Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 128/238] ALSA: hda - Fix missing ELD update at unplugging Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit bd48128539ab89986b24ad08ecd3e027dd1993a1 upstream.

We forgot to copy monitor_present value when updating the ELD
information.  This won't change the ELD retrieval and the jack
notification behavior, but appears only in the proc output.   In that
sense, it's no fatal error, but a bug is a bug is a bug.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_hdmi.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1566,6 +1566,7 @@ static void update_eld(struct hda_codec
 			   eld->eld_size) != 0)
 			eld_changed = true;
 
+	pin_eld->monitor_present = eld->monitor_present;
 	pin_eld->eld_valid = eld->eld_valid;
 	pin_eld->eld_size = eld->eld_size;
 	if (eld->eld_valid)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 128/238] ALSA: hda - Fix missing ELD update at unplugging
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 126/238] ALSA: hda - Fix forgotten HDMI monitor_present update Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-12 18:39   ` Paul Bolle
  2016-04-10 18:35 ` [PATCH 4.5 129/238] tools/hv: Use include/uapi with __EXPORTED_HEADERS__ Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  229 siblings, 1 reply; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Libin Yang, Takashi Iwai

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit c64c1437afb14ebc900e40910f31ffb20bf652ad upstream.

i915 get_eld ops may return an error when no encoder is connected, and
currently we regard the error as fatal and skip the whole ELD
handling.  This ended up with the missing ELD update at unplugging.

This patch fixes the issue by treating the error as the unplugged
state, instead of skipping the rest.

Reported-by: Libin Yang <libin.yang@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_hdmi.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1670,11 +1670,10 @@ static void sync_eld_via_acomp(struct hd
 	int size;
 
 	mutex_lock(&per_pin->lock);
+	eld->monitor_present = false;
 	size = snd_hdac_acomp_get_eld(&codec->bus->core, per_pin->pin_nid,
 				      &eld->monitor_present, eld->eld_buffer,
 				      ELD_MAX_SIZE);
-	if (size < 0)
-		goto unlock;
 	if (size > 0) {
 		size = min(size, ELD_MAX_SIZE);
 		if (snd_hdmi_parse_eld(codec, &eld->info,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 129/238] tools/hv: Use include/uapi with __EXPORTED_HEADERS__
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 128/238] ALSA: hda - Fix missing ELD update at unplugging Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 130/238] jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kamal Mostafa, K. Y. Srinivasan

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kamal Mostafa <kamal@canonical.com>

commit 50fe6dd10069e7c062e27f29606f6e91ea979399 upstream.

Use the local uapi headers to keep in sync with "recently" added #define's
(e.g. VSS_OP_REGISTER1).

Fixes: 3eb2094c59e8 ("Adding makefile for tools/hv")
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/hv/Makefile |    2 ++
 1 file changed, 2 insertions(+)

--- a/tools/hv/Makefile
+++ b/tools/hv/Makefile
@@ -5,6 +5,8 @@ PTHREAD_LIBS = -lpthread
 WARNINGS = -Wall -Wextra
 CFLAGS = $(WARNINGS) -g $(PTHREAD_LIBS) $(shell getconf LFS_CFLAGS)
 
+CFLAGS += -D__EXPORTED_HEADERS__ -I../../include/uapi -I../../include
+
 all: hv_kvp_daemon hv_vss_daemon hv_fcopy_daemon
 %: %.c
 	$(CC) $(CFLAGS) -o $@ $^

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 130/238] jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 129/238] tools/hv: Use include/uapi with __EXPORTED_HEADERS__ Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 131/238] gpio: pca953x: Fix pca953x_gpio_set_multiple() on 64-bit Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, OGAWA Hirofumi, Theodore Tso

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

commit c0a2ad9b50dd80eeccd73d9ff962234590d5ec93 upstream.

On umount path, jbd2_journal_destroy() writes latest transaction ID
(->j_tail_sequence) to be used at next mount.

The bug is that ->j_tail_sequence is not holding latest transaction ID
in some cases. So, at next mount, there is chance to conflict with
remaining (not overwritten yet) transactions.

	mount (id=10)
	write transaction (id=11)
	write transaction (id=12)
	umount (id=10) <= the bug doesn't write latest ID

	mount (id=10)
	write transaction (id=11)
	crash

	mount
	[recovery process]
		transaction (id=11)
		transaction (id=12) <= valid transaction ID, but old commit
                                       must not replay

Like above, this bug become the cause of recovery failure, or FS
corruption.

So why ->j_tail_sequence doesn't point latest ID?

Because if checkpoint transactions was reclaimed by memory pressure
(i.e. bdev_try_to_free_page()), then ->j_tail_sequence is not updated.
(And another case is, __jbd2_journal_clean_checkpoint_list() is called
with empty transaction.)

So in above cases, ->j_tail_sequence is not pointing latest
transaction ID at umount path. Plus, REQ_FLUSH for checkpoint is not
done too.

So, to fix this problem with minimum changes, this patch updates
->j_tail_sequence, and issue REQ_FLUSH.  (With more complex changes,
some optimizations would be possible to avoid unnecessary REQ_FLUSH
for example though.)

BTW,

	journal->j_tail_sequence =
		++journal->j_transaction_sequence;

Increment of ->j_transaction_sequence seems to be unnecessary, but
ext3 does this.

Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/jbd2/journal.c |   17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -1408,11 +1408,12 @@ out:
 /**
  * jbd2_mark_journal_empty() - Mark on disk journal as empty.
  * @journal: The journal to update.
+ * @write_op: With which operation should we write the journal sb
  *
  * Update a journal's dynamic superblock fields to show that journal is empty.
  * Write updated superblock to disk waiting for IO to complete.
  */
-static void jbd2_mark_journal_empty(journal_t *journal)
+static void jbd2_mark_journal_empty(journal_t *journal, int write_op)
 {
 	journal_superblock_t *sb = journal->j_superblock;
 
@@ -1430,7 +1431,7 @@ static void jbd2_mark_journal_empty(jour
 	sb->s_start    = cpu_to_be32(0);
 	read_unlock(&journal->j_state_lock);
 
-	jbd2_write_superblock(journal, WRITE_FUA);
+	jbd2_write_superblock(journal, write_op);
 
 	/* Log is no longer empty */
 	write_lock(&journal->j_state_lock);
@@ -1716,7 +1717,13 @@ int jbd2_journal_destroy(journal_t *jour
 	if (journal->j_sb_buffer) {
 		if (!is_journal_aborted(journal)) {
 			mutex_lock(&journal->j_checkpoint_mutex);
-			jbd2_mark_journal_empty(journal);
+
+			write_lock(&journal->j_state_lock);
+			journal->j_tail_sequence =
+				++journal->j_transaction_sequence;
+			write_unlock(&journal->j_state_lock);
+
+			jbd2_mark_journal_empty(journal, WRITE_FLUSH_FUA);
 			mutex_unlock(&journal->j_checkpoint_mutex);
 		} else
 			err = -EIO;
@@ -1975,7 +1982,7 @@ int jbd2_journal_flush(journal_t *journa
 	 * the magic code for a fully-recovered superblock.  Any future
 	 * commits of data to the journal will restore the current
 	 * s_start value. */
-	jbd2_mark_journal_empty(journal);
+	jbd2_mark_journal_empty(journal, WRITE_FUA);
 	mutex_unlock(&journal->j_checkpoint_mutex);
 	write_lock(&journal->j_state_lock);
 	J_ASSERT(!journal->j_running_transaction);
@@ -2021,7 +2028,7 @@ int jbd2_journal_wipe(journal_t *journal
 	if (write) {
 		/* Lock to make assertions happy... */
 		mutex_lock(&journal->j_checkpoint_mutex);
-		jbd2_mark_journal_empty(journal);
+		jbd2_mark_journal_empty(journal, WRITE_FUA);
 		mutex_unlock(&journal->j_checkpoint_mutex);
 	}
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 131/238] gpio: pca953x: Fix pca953x_gpio_set_multiple() on 64-bit
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 130/238] jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 132/238] arm64: Update PTE_RDONLY in set_pte_at() for PROT_NONE permission Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Phil Reid, Linus Walleij

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <geert+renesas@glider.be>

commit e0a8604f1300cefab4aeafe214fc57954a7b4487 upstream.

pca953x_gpio_set_multiple() divides by 4 to convert from longs to bytes,
which assumes a 32-bit platform, and is not correct on 64-bit platforms.
Use "sizeof(...)" instead to fix this.

Fixes: b4818afeacbd8182 ("gpio: pca953x: Add set_multiple to allow multiple bits to be set in one write.")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Phil Reid <preid@electromag.com.au>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpio/gpio-pca953x.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpio/gpio-pca953x.c
+++ b/drivers/gpio/gpio-pca953x.c
@@ -367,9 +367,11 @@ static void pca953x_gpio_set_multiple(st
 	memcpy(reg_val, chip->reg_output, NBANK(chip));
 	mutex_lock(&chip->i2c_lock);
 	for(bank=0; bank<NBANK(chip); bank++) {
-		unsigned bankmask = mask[bank/4] >> ((bank % 4) * 8);
+		unsigned bankmask = mask[bank / sizeof(*mask)] >>
+				    ((bank % sizeof(*mask)) * 8);
 		if(bankmask) {
-			unsigned bankval  = bits[bank/4] >> ((bank % 4) * 8);
+			unsigned bankval  = bits[bank / sizeof(*bits)] >>
+					    ((bank % sizeof(*bits)) * 8);
 			reg_val[bank] = (reg_val[bank] & ~bankmask) | bankval;
 		}
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 132/238] arm64: Update PTE_RDONLY in set_pte_at() for PROT_NONE permission
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 131/238] gpio: pca953x: Fix pca953x_gpio_set_multiple() on 64-bit Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 133/238] brd: Fix discard request processing Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Catalin Marinas, Ganapatrao Kulkarni,
	Ganapatrao Kulkarni

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Catalin Marinas <catalin.marinas@arm.com>

commit fdc69e7df3cb24f18a93192641786e5b7ecd1dfe upstream.

The set_pte_at() function must update the hardware PTE_RDONLY bit
depending on the state of the PTE_WRITE and PTE_DIRTY bits of the given
entry value. However, it currently only performs this for pte_valid()
entries, ignoring PTE_PROT_NONE. The side-effect is that PROT_NONE
mappings would not have the PTE_RDONLY bit set. Without
CONFIG_ARM64_HW_AFDBM, this is not an issue since such PROT_NONE pages
are not accessible anyway.

With commit 2f4b829c625e ("arm64: Add support for hardware updates of
the access and dirty pte bits"), the ptep_set_wrprotect() function was
re-written to cope with automatic hardware updates of the dirty state.
As an optimisation, only PTE_RDONLY is checked to assess the "dirty"
status. Since set_pte_at() does not set this bit for PROT_NONE mappings,
such pages may be considered "dirty" as a result of
ptep_set_wrprotect().

This patch updates the pte_valid() check to pte_present() in
set_pte_at(). It also adds PTE_PROT_NONE to the swap entry bits comment.

Fixes: 2f4b829c625e ("arm64: Add support for hardware updates of the access and dirty pte bits")
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Reported-by: Ganapatrao Kulkarni <gkulkarni@caviumnetworks.com>
Tested-by: Ganapatrao Kulkarni <gkulkarni@cavium.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/include/asm/pgtable.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/arm64/include/asm/pgtable.h
+++ b/arch/arm64/include/asm/pgtable.h
@@ -279,7 +279,7 @@ extern void __sync_icache_dcache(pte_t p
 static inline void set_pte_at(struct mm_struct *mm, unsigned long addr,
 			      pte_t *ptep, pte_t pte)
 {
-	if (pte_valid(pte)) {
+	if (pte_present(pte)) {
 		if (pte_sw_dirty(pte) && pte_write(pte))
 			pte_val(pte) &= ~PTE_RDONLY;
 		else
@@ -649,6 +649,7 @@ extern pgd_t idmap_pg_dir[PTRS_PER_PGD];
  *	bits 0-1:	present (must be zero)
  *	bits 2-7:	swap type
  *	bits 8-57:	swap offset
+ *	bit  58:	PTE_PROT_NONE (must be zero)
  */
 #define __SWP_TYPE_SHIFT	2
 #define __SWP_TYPE_BITS		6

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 133/238] brd: Fix discard request processing
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 132/238] arm64: Update PTE_RDONLY in set_pte_at() for PROT_NONE permission Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 134/238] IB/srpt: Simplify srpt_handle_tsk_mgmt() Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Jan Kara,
	Christoph Hellwig, Robert Elliot, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@sandisk.com>

commit 5e4298be45e83ecdffaabb370eea9396889b07f1 upstream.

Avoid that discard requests with size => PAGE_SIZE fail with
-EIO. Refuse discard requests if the discard size is not a
multiple of the page size.

Fixes: 2dbe54957636 ("brd: Refuse improperly aligned discard requests")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Jan Kara <jack@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Robert Elliot <elliott@hp.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/brd.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
@@ -341,7 +341,7 @@ static blk_qc_t brd_make_request(struct
 
 	if (unlikely(bio->bi_rw & REQ_DISCARD)) {
 		if (sector & ((PAGE_SIZE >> SECTOR_SHIFT) - 1) ||
-		    bio->bi_iter.bi_size & PAGE_MASK)
+		    bio->bi_iter.bi_size & ~PAGE_MASK)
 			goto io_error;
 		discard_from_brd(brd, sector, bio->bi_iter.bi_size);
 		goto out;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 134/238] IB/srpt: Simplify srpt_handle_tsk_mgmt()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 133/238] brd: Fix discard request processing Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 135/238] bcache: cleaned up error handling around register_cache() Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Alex Estrin,
	Christoph Hellwig, Nicholas Bellinger, Sagi Grimberg,
	Doug Ledford

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Bart Van Assche <bart.vanassche@sandisk.com>

commit 51093254bf879bc9ce96590400a87897c7498463 upstream.

Let the target core check task existence instead of the SRP target
driver. Additionally, let the target core check the validity of the
task management request instead of the ib_srpt driver.

This patch fixes the following kernel crash:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
IP: [<ffffffffa0565f37>] srpt_handle_new_iu+0x6d7/0x790 [ib_srpt]
Oops: 0002 [#1] SMP
Call Trace:
 [<ffffffffa05660ce>] srpt_process_completion+0xde/0x570 [ib_srpt]
 [<ffffffffa056669f>] srpt_compl_thread+0x13f/0x160 [ib_srpt]
 [<ffffffff8109726f>] kthread+0xcf/0xe0
 [<ffffffff81613cfc>] ret_from_fork+0x7c/0xb0

Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Fixes: 3e4f574857ee ("ib_srpt: Convert TMR path to target_submit_tmr")
Tested-by: Alex Estrin <alex.estrin@intel.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: Nicholas Bellinger <nab@linux-iscsi.org>
Cc: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/ulp/srpt/ib_srpt.c |   59 ----------------------------------
 1 file changed, 1 insertion(+), 58 deletions(-)

--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1670,47 +1670,6 @@ send_sense:
 	return -1;
 }
 
-/**
- * srpt_rx_mgmt_fn_tag() - Process a task management function by tag.
- * @ch: RDMA channel of the task management request.
- * @fn: Task management function to perform.
- * @req_tag: Tag of the SRP task management request.
- * @mgmt_ioctx: I/O context of the task management request.
- *
- * Returns zero if the target core will process the task management
- * request asynchronously.
- *
- * Note: It is assumed that the initiator serializes tag-based task management
- * requests.
- */
-static int srpt_rx_mgmt_fn_tag(struct srpt_send_ioctx *ioctx, u64 tag)
-{
-	struct srpt_device *sdev;
-	struct srpt_rdma_ch *ch;
-	struct srpt_send_ioctx *target;
-	int ret, i;
-
-	ret = -EINVAL;
-	ch = ioctx->ch;
-	BUG_ON(!ch);
-	BUG_ON(!ch->sport);
-	sdev = ch->sport->sdev;
-	BUG_ON(!sdev);
-	spin_lock_irq(&sdev->spinlock);
-	for (i = 0; i < ch->rq_size; ++i) {
-		target = ch->ioctx_ring[i];
-		if (target->cmd.se_lun == ioctx->cmd.se_lun &&
-		    target->cmd.tag == tag &&
-		    srpt_get_cmd_state(target) != SRPT_STATE_DONE) {
-			ret = 0;
-			/* now let the target core abort &target->cmd; */
-			break;
-		}
-	}
-	spin_unlock_irq(&sdev->spinlock);
-	return ret;
-}
-
 static int srp_tmr_to_tcm(int fn)
 {
 	switch (fn) {
@@ -1745,7 +1704,6 @@ static void srpt_handle_tsk_mgmt(struct
 	struct se_cmd *cmd;
 	struct se_session *sess = ch->sess;
 	uint64_t unpacked_lun;
-	uint32_t tag = 0;
 	int tcm_tmr;
 	int rc;
 
@@ -1761,25 +1719,10 @@ static void srpt_handle_tsk_mgmt(struct
 	srpt_set_cmd_state(send_ioctx, SRPT_STATE_MGMT);
 	send_ioctx->cmd.tag = srp_tsk->tag;
 	tcm_tmr = srp_tmr_to_tcm(srp_tsk->tsk_mgmt_func);
-	if (tcm_tmr < 0) {
-		send_ioctx->cmd.se_tmr_req->response =
-			TMR_TASK_MGMT_FUNCTION_NOT_SUPPORTED;
-		goto fail;
-	}
 	unpacked_lun = srpt_unpack_lun((uint8_t *)&srp_tsk->lun,
 				       sizeof(srp_tsk->lun));
-
-	if (srp_tsk->tsk_mgmt_func == SRP_TSK_ABORT_TASK) {
-		rc = srpt_rx_mgmt_fn_tag(send_ioctx, srp_tsk->task_tag);
-		if (rc < 0) {
-			send_ioctx->cmd.se_tmr_req->response =
-					TMR_TASK_DOES_NOT_EXIST;
-			goto fail;
-		}
-		tag = srp_tsk->task_tag;
-	}
 	rc = target_submit_tmr(&send_ioctx->cmd, sess, NULL, unpacked_lun,
-				srp_tsk, tcm_tmr, GFP_KERNEL, tag,
+				srp_tsk, tcm_tmr, GFP_KERNEL, srp_tsk->task_tag,
 				TARGET_SCF_ACK_KREF);
 	if (rc != 0) {
 		send_ioctx->cmd.se_tmr_req->response = TMR_FUNCTION_REJECTED;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 135/238] bcache: cleaned up error handling around register_cache()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 134/238] IB/srpt: Simplify srpt_handle_tsk_mgmt() Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 136/238] bcache: fix race of writeback thread starting before complete initialization Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Wheeler, Marc MERLIN

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Wheeler <git@linux.ewheeler.net>

commit 9b299728ed777428b3908ac72ace5f8f84b97789 upstream.

Fix null pointer dereference by changing register_cache() to return an int
instead of being void.  This allows it to return -ENOMEM or -ENODEV and
enables upper layers to handle the OOM case without NULL pointer issues.

See this thread:
  http://thread.gmane.org/gmane.linux.kernel.bcache.devel/3521

Fixes this error:
  gargamel:/sys/block/md5/bcache# echo /dev/sdh2 > /sys/fs/bcache/register

  bcache: register_cache() error opening sdh2: cannot allocate memory
  BUG: unable to handle kernel NULL pointer dereference at 00000000000009b8
  IP: [<ffffffffc05a7e8d>] cache_set_flush+0x102/0x15c [bcache]
  PGD 120dff067 PUD 1119a3067 PMD 0
  Oops: 0000 [#1] SMP
  Modules linked in: veth ip6table_filter ip6_tables
  (...)
  CPU: 4 PID: 3371 Comm: kworker/4:3 Not tainted 4.4.2-amd64-i915-volpreempt-20160213bc1 #3
  Hardware name: System manufacturer System Product Name/P8H67-M PRO, BIOS 3904 04/27/2013
  Workqueue: events cache_set_flush [bcache]
  task: ffff88020d5dc280 ti: ffff88020b6f8000 task.ti: ffff88020b6f8000
  RIP: 0010:[<ffffffffc05a7e8d>]  [<ffffffffc05a7e8d>] cache_set_flush+0x102/0x15c [bcache]

Signed-off-by: Eric Wheeler <bcache@linux.ewheeler.net>
Tested-by: Marc MERLIN <marc@merlins.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/bcache/super.c |   34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1828,11 +1828,12 @@ static int cache_alloc(struct cache_sb *
 	return 0;
 }
 
-static void register_cache(struct cache_sb *sb, struct page *sb_page,
+static int register_cache(struct cache_sb *sb, struct page *sb_page,
 				struct block_device *bdev, struct cache *ca)
 {
 	char name[BDEVNAME_SIZE];
-	const char *err = "cannot allocate memory";
+	const char *err = NULL;
+	int ret = 0;
 
 	memcpy(&ca->sb, sb, sizeof(struct cache_sb));
 	ca->bdev = bdev;
@@ -1847,27 +1848,35 @@ static void register_cache(struct cache_
 	if (blk_queue_discard(bdev_get_queue(ca->bdev)))
 		ca->discard = CACHE_DISCARD(&ca->sb);
 
-	if (cache_alloc(sb, ca) != 0)
+	ret = cache_alloc(sb, ca);
+	if (ret != 0)
 		goto err;
 
-	err = "error creating kobject";
-	if (kobject_add(&ca->kobj, &part_to_dev(bdev->bd_part)->kobj, "bcache"))
-		goto err;
+	if (kobject_add(&ca->kobj, &part_to_dev(bdev->bd_part)->kobj, "bcache")) {
+		err = "error calling kobject_add";
+		ret = -ENOMEM;
+		goto out;
+	}
 
 	mutex_lock(&bch_register_lock);
 	err = register_cache_set(ca);
 	mutex_unlock(&bch_register_lock);
 
-	if (err)
-		goto err;
+	if (err) {
+		ret = -ENODEV;
+		goto out;
+	}
 
 	pr_info("registered cache device %s", bdevname(bdev, name));
+
 out:
 	kobject_put(&ca->kobj);
-	return;
+
 err:
-	pr_notice("error opening %s: %s", bdevname(bdev, name), err);
-	goto out;
+	if (err)
+		pr_notice("error opening %s: %s", bdevname(bdev, name), err);
+
+	return ret;
 }
 
 /* Global interfaces/init */
@@ -1965,7 +1974,8 @@ static ssize_t register_bcache(struct ko
 		if (!ca)
 			goto err_close;
 
-		register_cache(sb, sb_page, bdev, ca);
+		if (register_cache(sb, sb_page, bdev, ca) != 0)
+			goto err_close;
 	}
 out:
 	if (sb_page)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 136/238] bcache: fix race of writeback thread starting before complete initialization
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 135/238] bcache: cleaned up error handling around register_cache() Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 137/238] bcache: fix cache_set_flush() NULL pointer dereference on OOM Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Wheeler, Marc MERLIN, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Wheeler <git@linux.ewheeler.net>

commit 07cc6ef8edc47f8b4fc1e276d31127a0a5863d4d upstream.

The bch_writeback_thread might BUG_ON in read_dirty() if
dc->sb==BDEV_STATE_DIRTY and bch_sectors_dirty_init has not yet completed
its related initialization.  This patch downs the dc->writeback_lock until
after initialization is complete, thus preventing bch_writeback_thread
from proceeding prematurely.

See this thread:
  http://thread.gmane.org/gmane.linux.kernel.bcache.devel/3453

Signed-off-by: Eric Wheeler <bcache@linux.ewheeler.net>
Tested-by: Marc MERLIN <marc@merlins.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/bcache/super.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1015,8 +1015,12 @@ int bch_cached_dev_attach(struct cached_
 	 */
 	atomic_set(&dc->count, 1);
 
-	if (bch_cached_dev_writeback_start(dc))
+	/* Block writeback thread, but spawn it */
+	down_write(&dc->writeback_lock);
+	if (bch_cached_dev_writeback_start(dc)) {
+		up_write(&dc->writeback_lock);
 		return -ENOMEM;
+	}
 
 	if (BDEV_STATE(&dc->sb) == BDEV_STATE_DIRTY) {
 		bch_sectors_dirty_init(dc);
@@ -1028,6 +1032,9 @@ int bch_cached_dev_attach(struct cached_
 	bch_cached_dev_run(dc);
 	bcache_device_link(&dc->disk, c, "bdev");
 
+	/* Allow the writeback thread to proceed */
+	up_write(&dc->writeback_lock);
+
 	pr_info("Caching %s as %s on set %pU",
 		bdevname(dc->bdev, buf), dc->disk.disk->disk_name,
 		dc->disk.c->sb.set_uuid);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 137/238] bcache: fix cache_set_flush() NULL pointer dereference on OOM
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 136/238] bcache: fix race of writeback thread starting before complete initialization Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 138/238] mm: memcontrol: reclaim when shrinking memory.high below usage Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Wheeler

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Wheeler <git@linux.ewheeler.net>

commit f8b11260a445169989d01df75d35af0f56178f95 upstream.

When bch_cache_set_alloc() fails to kzalloc the cache_set, the
asyncronous closure handling tries to dereference a cache_set that
hadn't yet been allocated inside of cache_set_flush() which is called
by __cache_set_unregister() during cleanup.  This appears to happen only
during an OOM condition on bcache_register.

Signed-off-by: Eric Wheeler <bcache@linux.ewheeler.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/bcache/super.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1373,6 +1373,9 @@ static void cache_set_flush(struct closu
 	struct btree *b;
 	unsigned i;
 
+	if (!c)
+		closure_return(cl);
+
 	bch_cache_accounting_destroy(&c->accounting);
 
 	kobject_put(&c->internal);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 138/238] mm: memcontrol: reclaim when shrinking memory.high below usage
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 137/238] bcache: fix cache_set_flush() NULL pointer dereference on OOM Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 139/238] mm: memcontrol: reclaim and OOM kill when shrinking memory.max " Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Weiner, Michal Hocko,
	Vladimir Davydov, Andrew Morton, Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Weiner <hannes@cmpxchg.org>

commit 588083bb37a3cea8533c392370a554417c8f29cb upstream.

When setting memory.high below usage, nothing happens until the next
charge comes along, and then it will only reclaim its own charge and not
the now potentially huge excess of the new memory.high.  This can cause
groups to stay in excess of their memory.high indefinitely.

To fix that, when shrinking memory.high, kick off a reclaim cycle that
goes after the delta.

Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Vladimir Davydov <vdavydov@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/memcontrol.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -5051,6 +5051,7 @@ static ssize_t memory_high_write(struct
 				 char *buf, size_t nbytes, loff_t off)
 {
 	struct mem_cgroup *memcg = mem_cgroup_from_css(of_css(of));
+	unsigned long nr_pages;
 	unsigned long high;
 	int err;
 
@@ -5061,6 +5062,11 @@ static ssize_t memory_high_write(struct
 
 	memcg->high = high;
 
+	nr_pages = page_counter_read(&memcg->memory);
+	if (nr_pages > high)
+		try_to_free_mem_cgroup_pages(memcg, nr_pages - high,
+					     GFP_KERNEL, true);
+
 	memcg_wb_domain_size_changed(memcg);
 	return nbytes;
 }

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 139/238] mm: memcontrol: reclaim and OOM kill when shrinking memory.max below usage
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 138/238] mm: memcontrol: reclaim when shrinking memory.high below usage Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 140/238] ia64: define ioremap_uc() Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Weiner, Michal Hocko,
	Vladimir Davydov, Andrew Morton, Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johannes Weiner <hannes@cmpxchg.org>

commit b6e6edcfa40561e9c8abe5eecf1c96f8e5fd9c6f upstream.

Setting the original memory.limit_in_bytes hardlimit is subject to a
race condition when the desired value is below the current usage.  The
code tries a few times to first reclaim and then see if the usage has
dropped to where we would like it to be, but there is no locking, and
the workload is free to continue making new charges up to the old limit.
Thus, attempting to shrink a workload relies on pure luck and hope that
the workload happens to cooperate.

To fix this in the cgroup2 memory.max knob, do it the other way round:
set the limit first, then try enforcement.  And if reclaim is not able
to succeed, trigger OOM kills in the group.  Keep going until the new
limit is met, we run out of OOM victims and there's only unreclaimable
memory left, or the task writing to memory.max is killed.  This allows
users to shrink groups reliably, and the behavior is consistent with
what happens when new charges are attempted in excess of memory.max.

Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Vladimir Davydov <vdavydov@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/cgroup-v2.txt |    6 ++++++
 mm/memcontrol.c             |   38 ++++++++++++++++++++++++++++++++++----
 2 files changed, 40 insertions(+), 4 deletions(-)

--- a/Documentation/cgroup-v2.txt
+++ b/Documentation/cgroup-v2.txt
@@ -1368,6 +1368,12 @@ system than killing the group.  Otherwis
 limit this type of spillover and ultimately contain buggy or even
 malicious applications.
 
+Setting the original memory.limit_in_bytes below the current usage was
+subject to a race condition, where concurrent charges could cause the
+limit setting to fail. memory.max on the other hand will first set the
+limit to prevent new charges, and then reclaim and OOM kill until the
+new limit is met - or the task writing to memory.max is killed.
+
 The combined memory+swap accounting and limiting is replaced by real
 control over swap space.
 
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -1262,7 +1262,7 @@ static unsigned long mem_cgroup_get_limi
 	return limit;
 }
 
-static void mem_cgroup_out_of_memory(struct mem_cgroup *memcg, gfp_t gfp_mask,
+static bool mem_cgroup_out_of_memory(struct mem_cgroup *memcg, gfp_t gfp_mask,
 				     int order)
 {
 	struct oom_control oc = {
@@ -1340,6 +1340,7 @@ static void mem_cgroup_out_of_memory(str
 	}
 unlock:
 	mutex_unlock(&oom_lock);
+	return chosen;
 }
 
 #if MAX_NUMNODES > 1
@@ -5088,6 +5089,8 @@ static ssize_t memory_max_write(struct k
 				char *buf, size_t nbytes, loff_t off)
 {
 	struct mem_cgroup *memcg = mem_cgroup_from_css(of_css(of));
+	unsigned int nr_reclaims = MEM_CGROUP_RECLAIM_RETRIES;
+	bool drained = false;
 	unsigned long max;
 	int err;
 
@@ -5096,9 +5099,36 @@ static ssize_t memory_max_write(struct k
 	if (err)
 		return err;
 
-	err = mem_cgroup_resize_limit(memcg, max);
-	if (err)
-		return err;
+	xchg(&memcg->memory.limit, max);
+
+	for (;;) {
+		unsigned long nr_pages = page_counter_read(&memcg->memory);
+
+		if (nr_pages <= max)
+			break;
+
+		if (signal_pending(current)) {
+			err = -EINTR;
+			break;
+		}
+
+		if (!drained) {
+			drain_all_stock(memcg);
+			drained = true;
+			continue;
+		}
+
+		if (nr_reclaims) {
+			if (!try_to_free_mem_cgroup_pages(memcg, nr_pages - max,
+							  GFP_KERNEL, true))
+				nr_reclaims--;
+			continue;
+		}
+
+		mem_cgroup_events(memcg, MEMCG_OOM, 1);
+		if (!mem_cgroup_out_of_memory(memcg, GFP_KERNEL, 0))
+			break;
+	}
 
 	memcg_wb_domain_size_changed(memcg);
 	return nbytes;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 140/238] ia64: define ioremap_uc()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 139/238] mm: memcontrol: reclaim and OOM kill when shrinking memory.max " Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 141/238] drivers/firmware/broadcom/bcm47xx_nvram.c: fix incorrect __ioread32_copy Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luis R. Rodriguez, kbuild test robot,
	Tony Luck, Andrew Morton, Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Luis R. Rodriguez <mcgrof@kernel.org>

commit b0f84ac352762ed02d7ea9f284942a8cab7f9077 upstream.

All architectures now need ioremap_uc(), ia64 seems defines this already
through its ioremap_nocache() and it already ensures it *only* uses UC.

This is needed since v4.3 to complete an allyesconfig compile on ia64,
there were others archs that needed this, and this one seems to have
fallen through the cracks.

Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Acked-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/ia64/include/asm/io.h |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/ia64/include/asm/io.h
+++ b/arch/ia64/include/asm/io.h
@@ -433,6 +433,7 @@ static inline void __iomem * ioremap_cac
 	return ioremap(phys_addr, size);
 }
 #define ioremap_cache ioremap_cache
+#define ioremap_uc ioremap_nocache
 
 
 /*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 141/238] drivers/firmware/broadcom/bcm47xx_nvram.c: fix incorrect __ioread32_copy
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 140/238] ia64: define ioremap_uc() Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 142/238] watchdog: dont run proc_watchdog_update if new value is same as old Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, Stephen Boyd,
	Rafal Milecki, Hauke Mehrtens, Andrew Morton, Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@iki.fi>

commit 4c11e554fb894b381a3dc47069259d87a2e6ffc9 upstream.

Commit 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use
__ioread32_copy() instead of open-coding") switched to use a generic
copy function, but failed to notice that the header pointer is updated
between the two copies, resulting in bogus data being copied in the
latter one.  Fix by keeping the old header pointer.

The patch fixes totally broken networking on WRT54GL router (both LAN and
WLAN interfaces fail to probe).

Fixes: 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use __ioread32_copy() instead of open-coding")
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Cc: Rafal Milecki <zajec5@gmail.com>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/firmware/broadcom/bcm47xx_nvram.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/firmware/broadcom/bcm47xx_nvram.c
+++ b/drivers/firmware/broadcom/bcm47xx_nvram.c
@@ -94,15 +94,14 @@ static int nvram_find_and_copy(void __io
 
 found:
 	__ioread32_copy(nvram_buf, header, sizeof(*header) / 4);
-	header = (struct nvram_header *)nvram_buf;
-	nvram_len = header->len;
+	nvram_len = ((struct nvram_header *)(nvram_buf))->len;
 	if (nvram_len > size) {
 		pr_err("The nvram size according to the header seems to be bigger than the partition on flash\n");
 		nvram_len = size;
 	}
 	if (nvram_len >= NVRAM_SPACE) {
 		pr_err("nvram on flash (%i bytes) is bigger than the reserved space in memory, will just copy the first %i bytes\n",
-		       header->len, NVRAM_SPACE - 1);
+		       nvram_len, NVRAM_SPACE - 1);
 		nvram_len = NVRAM_SPACE - 1;
 	}
 	/* proceed reading data after header */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 142/238] watchdog: dont run proc_watchdog_update if new value is same as old
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 141/238] drivers/firmware/broadcom/bcm47xx_nvram.c: fix incorrect __ioread32_copy Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-12 22:41   ` Ben Hutchings
  2016-04-10 18:35 ` [PATCH 4.5 143/238] watchdog: rc32434_wdt: fix ioctl error handling Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  229 siblings, 1 reply; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josh Hunt, Don Zickus, Aaron Tomlin,
	Ulrich Obergfell, Andrew Morton, Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joshua Hunt <johunt@akamai.com>

commit a1ee1932aa6bea0bb074f5e3ced112664e4637ed upstream.

While working on a script to restore all sysctl params before a series of
tests I found that writing any value into the
/proc/sys/kernel/{nmi_watchdog,soft_watchdog,watchdog,watchdog_thresh}
causes them to call proc_watchdog_update().

  NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
  NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
  NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
  NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.

There doesn't appear to be a reason for doing this work every time a write
occurs, so only do it when the values change.

Signed-off-by: Josh Hunt <johunt@akamai.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Reviewed-by: Aaron Tomlin <atomlin@redhat.com>
Cc: Ulrich Obergfell <uobergfe@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/watchdog.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/kernel/watchdog.c
+++ b/kernel/watchdog.c
@@ -923,6 +923,9 @@ static int proc_watchdog_common(int whic
 		 * both lockup detectors are disabled if proc_watchdog_update()
 		 * returns an error.
 		 */
+		if (old == new)
+			goto out;
+
 		err = proc_watchdog_update();
 	}
 out:
@@ -967,7 +970,7 @@ int proc_soft_watchdog(struct ctl_table
 int proc_watchdog_thresh(struct ctl_table *table, int write,
 			 void __user *buffer, size_t *lenp, loff_t *ppos)
 {
-	int err, old;
+	int err, old, new;
 
 	get_online_cpus();
 	mutex_lock(&watchdog_proc_mutex);
@@ -987,6 +990,10 @@ int proc_watchdog_thresh(struct ctl_tabl
 	/*
 	 * Update the sample period. Restore on failure.
 	 */
+	new = ACCESS_ONCE(watchdog_thresh);
+	if (old == new)
+		goto out;
+
 	set_sample_period();
 	err = proc_watchdog_update();
 	if (err) {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 143/238] watchdog: rc32434_wdt: fix ioctl error handling
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 142/238] watchdog: dont run proc_watchdog_update if new value is same as old Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 144/238] Bluetooth: Add new AR3012 ID 0489:e095 Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael S. Tsirkin, Guenter Roeck,
	Wim Van Sebroeck

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Michael S. Tsirkin <mst@redhat.com>

commit 10e7ac22cdd4d211cef99afcb9371b70cb175be6 upstream.

Calling return copy_to_user(...) in an ioctl will not do the right thing
if there's a pagefault: copy_to_user returns the number of bytes not
copied in this case.

Fix up watchdog/rc32434_wdt to do
	return copy_to_user(...)) ?  -EFAULT : 0;

instead.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/watchdog/rc32434_wdt.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/watchdog/rc32434_wdt.c
+++ b/drivers/watchdog/rc32434_wdt.c
@@ -237,7 +237,7 @@ static long rc32434_wdt_ioctl(struct fil
 			return -EINVAL;
 		/* Fall through */
 	case WDIOC_GETTIMEOUT:
-		return copy_to_user(argp, &timeout, sizeof(int));
+		return copy_to_user(argp, &timeout, sizeof(int)) ? -EFAULT : 0;
 	default:
 		return -ENOTTY;
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 144/238] Bluetooth: Add new AR3012 ID 0489:e095
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 143/238] watchdog: rc32434_wdt: fix ioctl error handling Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 145/238] Bluetooth: Fix potential buffer overflow with Add Advertising Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Tunin, Marcel Holtmann

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry Tunin <hanipouspilot@gmail.com>

commit 28c971d82fb58ef7cba22e5308be6d2d2590473d upstream.

T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=02 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e095 Rev=00.01
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

This device requires ar3k/AthrBT_0x31010100.dfu and
ar3k/ramps_0x31010100_40.dfu firmware files that are not in
linux-firmware yet.

BugLink: https://bugs.launchpad.net/bugs/1542944

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/ath3k.c |    2 ++
 drivers/bluetooth/btusb.c |    1 +
 2 files changed, 3 insertions(+)

--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -82,6 +82,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x0489, 0xe05f) },
 	{ USB_DEVICE(0x0489, 0xe076) },
 	{ USB_DEVICE(0x0489, 0xe078) },
+	{ USB_DEVICE(0x0489, 0xe095) },
 	{ USB_DEVICE(0x04c5, 0x1330) },
 	{ USB_DEVICE(0x04CA, 0x3004) },
 	{ USB_DEVICE(0x04CA, 0x3005) },
@@ -147,6 +148,7 @@ static const struct usb_device_id ath3k_
 	{ USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -196,6 +196,7 @@ static const struct usb_device_id blackl
 	{ USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
+	{ USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
 	{ USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 145/238] Bluetooth: Fix potential buffer overflow with Add Advertising
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 144/238] Bluetooth: Add new AR3012 ID 0489:e095 Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 146/238] cgroup: ignore css_sets associated with dead cgroups during migration Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hedberg, Marcel Holtmann

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Johan Hedberg <johan.hedberg@intel.com>

commit 6a0e78072c2ae7b20b14e0249d8108441ea928d2 upstream.

The Add Advertising command handler does the appropriate checks for
the AD and Scan Response data, however fails to take into account the
general length of the mgmt command itself, which could lead to
potential buffer overflows. This patch adds the necessary check that
the mgmt command length is consistent with the given ad and scan_rsp
lengths.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bluetooth/mgmt.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5979,6 +5979,10 @@ static int add_advertising(struct sock *
 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
 				       MGMT_STATUS_INVALID_PARAMS);
 
+	if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
+		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
+				       MGMT_STATUS_INVALID_PARAMS);
+
 	flags = __le32_to_cpu(cp->flags);
 	timeout = __le16_to_cpu(cp->timeout);
 	duration = __le16_to_cpu(cp->duration);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 146/238] cgroup: ignore css_sets associated with dead cgroups during migration
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 145/238] Bluetooth: Fix potential buffer overflow with Add Advertising Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 147/238] net: mvneta: enable change MAC address when interface is up Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tejun Heo

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit 2b021cbf3cb6208f0d40fd2f1869f237934340ed upstream.

Before 2e91fa7f6d45 ("cgroup: keep zombies associated with their
original cgroups"), all dead tasks were associated with init_css_set.
If a zombie task is requested for migration, while migration prep
operations would still be performed on init_css_set, the actual
migration would ignore zombie tasks.  As init_css_set is always valid,
this worked fine.

However, after 2e91fa7f6d45, zombie tasks stay with the css_set it was
associated with at the time of death.  Let's say a task T associated
with cgroup A on hierarchy H-1 and cgroup B on hiearchy H-2.  After T
becomes a zombie, it would still remain associated with A and B.  If A
only contains zombie tasks, it can be removed.  On removal, A gets
marked offline but stays pinned until all zombies are drained.  At
this point, if migration is initiated on T to a cgroup C on hierarchy
H-2, migration path would try to prepare T's css_set for migration and
trigger the following.

 WARNING: CPU: 0 PID: 1576 at kernel/cgroup.c:474 cgroup_get+0x121/0x160()
 CPU: 0 PID: 1576 Comm: bash Not tainted 4.4.0-work+ #289
 ...
 Call Trace:
  [<ffffffff8127e63c>] dump_stack+0x4e/0x82
  [<ffffffff810445e8>] warn_slowpath_common+0x78/0xb0
  [<ffffffff810446d5>] warn_slowpath_null+0x15/0x20
  [<ffffffff810c33e1>] cgroup_get+0x121/0x160
  [<ffffffff810c349b>] link_css_set+0x7b/0x90
  [<ffffffff810c4fbc>] find_css_set+0x3bc/0x5e0
  [<ffffffff810c5269>] cgroup_migrate_prepare_dst+0x89/0x1f0
  [<ffffffff810c7547>] cgroup_attach_task+0x157/0x230
  [<ffffffff810c7a17>] __cgroup_procs_write+0x2b7/0x470
  [<ffffffff810c7bdc>] cgroup_tasks_write+0xc/0x10
  [<ffffffff810c4790>] cgroup_file_write+0x30/0x1b0
  [<ffffffff811c68fc>] kernfs_fop_write+0x13c/0x180
  [<ffffffff81151673>] __vfs_write+0x23/0xe0
  [<ffffffff81152494>] vfs_write+0xa4/0x1a0
  [<ffffffff811532d4>] SyS_write+0x44/0xa0
  [<ffffffff814af2d7>] entry_SYSCALL_64_fastpath+0x12/0x6f

It doesn't make sense to prepare migration for css_sets pointing to
dead cgroups as they are guaranteed to contain only zombies which are
ignored later during migration.  This patch makes cgroup destruction
path mark all affected css_sets as dead and updates the migration path
to ignore them during preparation.

Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 2e91fa7f6d45 ("cgroup: keep zombies associated with their original cgroups")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/cgroup-defs.h |    3 +++
 kernel/cgroup.c             |   20 ++++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

--- a/include/linux/cgroup-defs.h
+++ b/include/linux/cgroup-defs.h
@@ -210,6 +210,9 @@ struct css_set {
 	/* all css_task_iters currently walking this cset */
 	struct list_head task_iters;
 
+	/* dead and being drained, ignore for migration */
+	bool dead;
+
 	/* For RCU-protected deletion */
 	struct rcu_head rcu_head;
 };
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2474,6 +2474,14 @@ static void cgroup_migrate_add_src(struc
 	lockdep_assert_held(&cgroup_mutex);
 	lockdep_assert_held(&css_set_lock);
 
+	/*
+	 * If ->dead, @src_set is associated with one or more dead cgroups
+	 * and doesn't contain any migratable tasks.  Ignore it early so
+	 * that the rest of migration path doesn't get confused by it.
+	 */
+	if (src_cset->dead)
+		return;
+
 	src_cgrp = cset_cgroup_from_root(src_cset, dst_cgrp->root);
 
 	if (!list_empty(&src_cset->mg_preload_node))
@@ -5114,6 +5122,7 @@ static int cgroup_destroy_locked(struct
 	__releases(&cgroup_mutex) __acquires(&cgroup_mutex)
 {
 	struct cgroup_subsys_state *css;
+	struct cgrp_cset_link *link;
 	int ssid;
 
 	lockdep_assert_held(&cgroup_mutex);
@@ -5134,11 +5143,18 @@ static int cgroup_destroy_locked(struct
 		return -EBUSY;
 
 	/*
-	 * Mark @cgrp dead.  This prevents further task migration and child
-	 * creation by disabling cgroup_lock_live_group().
+	 * Mark @cgrp and the associated csets dead.  The former prevents
+	 * further task migration and child creation by disabling
+	 * cgroup_lock_live_group().  The latter makes the csets ignored by
+	 * the migration path.
 	 */
 	cgrp->self.flags &= ~CSS_ONLINE;
 
+	spin_lock_bh(&css_set_lock);
+	list_for_each_entry(link, &cgrp->cset_links, cset_link)
+		link->cset->dead = true;
+	spin_unlock_bh(&css_set_lock);
+
 	/* initiate massacre of all css's */
 	for_each_css(css, ssid, cgrp)
 		kill_css(css);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 147/238] net: mvneta: enable change MAC address when interface is up
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 146/238] cgroup: ignore css_sets associated with dead cgroups during migration Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 149/238] of: alloc anywhere from memblock if range not specified Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitri Epshtein, Gregory CLEMENT,
	David S. Miller

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitri Epshtein <dima@marvell.com>

commit 928b6519afeb2a5e2dc61154380b545ed66c476a upstream.

Function eth_prepare_mac_addr_change() is called as part of MAC
address change. This function check if interface is running.
To enable change MAC address when interface is running:
IFF_LIVE_ADDR_CHANGE flag must be set to dev->priv_flags field

Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP
network unit")
Signed-off-by: Dmitri Epshtein <dima@marvell.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/ethernet/marvell/mvneta.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -3720,7 +3720,7 @@ static int mvneta_probe(struct platform_
 	dev->features = NETIF_F_SG | NETIF_F_IP_CSUM | NETIF_F_TSO;
 	dev->hw_features |= dev->features;
 	dev->vlan_features |= dev->features;
-	dev->priv_flags |= IFF_UNICAST_FLT;
+	dev->priv_flags |= IFF_UNICAST_FLT | IFF_LIVE_ADDR_CHANGE;
 	dev->gso_max_segs = MVNETA_MAX_TSO_SEGS;
 
 	err = register_netdev(dev);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 149/238] of: alloc anywhere from memblock if range not specified
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 147/238] net: mvneta: enable change MAC address when interface is up Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 150/238] vfs: show_vfsstat: do not ignore errors from show_devname method Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Vinayak Menon, Rob Herring

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vinayak Menon <vinmenon@codeaurora.org>

commit e53b50c0cbe392c946807abf7d07615a3c588642 upstream.

early_init_dt_alloc_reserved_memory_arch passes end as 0 to
__memblock_alloc_base, when limits are not specified. But
__memblock_alloc_base takes end value of 0 as MEMBLOCK_ALLOC_ACCESSIBLE
and limits the end to memblock.current_limit. This results in regions
never being placed in HIGHMEM area, for e.g. CMA.
Let __memblock_alloc_base allocate from anywhere in memory if limits are
not specified.

Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/of/of_reserved_mem.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/of/of_reserved_mem.c
+++ b/drivers/of/of_reserved_mem.c
@@ -32,11 +32,13 @@ int __init __weak early_init_dt_alloc_re
 	phys_addr_t align, phys_addr_t start, phys_addr_t end, bool nomap,
 	phys_addr_t *res_base)
 {
+	phys_addr_t base;
 	/*
 	 * We use __memblock_alloc_base() because memblock_alloc_base()
 	 * panic()s on allocation failure.
 	 */
-	phys_addr_t base = __memblock_alloc_base(size, align, end);
+	end = !end ? MEMBLOCK_ALLOC_ANYWHERE : end;
+	base = __memblock_alloc_base(size, align, end);
 	if (!base)
 		return -ENOMEM;
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 150/238] vfs: show_vfsstat: do not ignore errors from show_devname method
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 149/238] of: alloc anywhere from memblock if range not specified Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 151/238] splice: handle zero nr_pages in splice_to_pipe() Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry V. Levin, Al Viro

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dmitry V. Levin <ldv@altlinux.org>

commit 5f8d498d4364f544fee17125787a47553db02afa upstream.

Explicitly check show_devname method return code and bail out in case
of an error.  This fixes regression introduced by commit 9d4d65748a5c.

Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc_namespace.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/proc_namespace.c
+++ b/fs/proc_namespace.c
@@ -199,6 +199,8 @@ static int show_vfsstat(struct seq_file
 	if (sb->s_op->show_devname) {
 		seq_puts(m, "device ");
 		err = sb->s_op->show_devname(m, mnt_path.dentry);
+		if (err)
+			goto out;
 	} else {
 		if (r->mnt_devname) {
 			seq_puts(m, "device ");

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 151/238] splice: handle zero nr_pages in splice_to_pipe()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 150/238] vfs: show_vfsstat: do not ignore errors from show_devname method Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 152/238] xtensa: ISS: dont hang if stdin EOF is reached Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rabin Vincent, Christoph Hellwig, Al Viro

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Rabin Vincent <rabin@rab.in>

commit d6785d9152147596f60234157da2b02540c3e60f upstream.

Running the following command:

 busybox cat /sys/kernel/debug/tracing/trace_pipe > /dev/null

with any tracing enabled pretty very quickly leads to various NULL
pointer dereferences and VM BUG_ON()s, such as these:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
 IP: [<ffffffff8119df6c>] generic_pipe_buf_release+0xc/0x40
 Call Trace:
  [<ffffffff811c48a3>] splice_direct_to_actor+0x143/0x1e0
  [<ffffffff811c42e0>] ? generic_pipe_buf_nosteal+0x10/0x10
  [<ffffffff811c49cf>] do_splice_direct+0x8f/0xb0
  [<ffffffff81196869>] do_sendfile+0x199/0x380
  [<ffffffff81197600>] SyS_sendfile64+0x90/0xa0
  [<ffffffff8192cbee>] entry_SYSCALL_64_fastpath+0x12/0x6d

 page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_count) == 0)
 kernel BUG at include/linux/mm.h:367!
 invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
 RIP: [<ffffffff8119df9c>] generic_pipe_buf_release+0x3c/0x40
 Call Trace:
  [<ffffffff811c48a3>] splice_direct_to_actor+0x143/0x1e0
  [<ffffffff811c42e0>] ? generic_pipe_buf_nosteal+0x10/0x10
  [<ffffffff811c49cf>] do_splice_direct+0x8f/0xb0
  [<ffffffff81196869>] do_sendfile+0x199/0x380
  [<ffffffff81197600>] SyS_sendfile64+0x90/0xa0
  [<ffffffff8192cd1e>] tracesys_phase2+0x84/0x89

(busybox's cat uses sendfile(2), unlike the coreutils version)

This is because tracing_splice_read_pipe() can call splice_to_pipe()
with spd->nr_pages == 0.  spd_pages underflows in splice_to_pipe() and
we fill the page pointers and the other fields of the pipe_buffers with
garbage.

All other callers of splice_to_pipe() avoid calling it when nr_pages ==
0, and we could make tracing_splice_read_pipe() do that too, but it
seems reasonable to have splice_to_page() handle this condition
gracefully.

Signed-off-by: Rabin Vincent <rabin@rab.in>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/splice.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/splice.c
+++ b/fs/splice.c
@@ -185,6 +185,9 @@ ssize_t splice_to_pipe(struct pipe_inode
 	unsigned int spd_pages = spd->nr_pages;
 	int ret, do_wakeup, page_nr;
 
+	if (!spd_pages)
+		return 0;
+
 	ret = 0;
 	do_wakeup = 0;
 	page_nr = 0;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 152/238] xtensa: ISS: dont hang if stdin EOF is reached
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 151/238] splice: handle zero nr_pages in splice_to_pipe() Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 153/238] xtensa: fix preemption in {clear,copy}_user_highpage Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 362014c8d9d51d504c167c44ac280169457732be upstream.

Simulator stdin may be connected to a file, when its end is reached
kernel hangs in infinite loop inside rs_poll, because simc_poll always
signals that descriptor 0 is readable and simc_read always returns 0.
Check simc_read return value and exit loop if it's not positive. Also
don't rewind polling timer if it's zero.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/xtensa/platforms/iss/console.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/arch/xtensa/platforms/iss/console.c
+++ b/arch/xtensa/platforms/iss/console.c
@@ -100,21 +100,23 @@ static void rs_poll(unsigned long priv)
 {
 	struct tty_port *port = (struct tty_port *)priv;
 	int i = 0;
+	int rd = 1;
 	unsigned char c;
 
 	spin_lock(&timer_lock);
 
 	while (simc_poll(0)) {
-		simc_read(0, &c, 1);
+		rd = simc_read(0, &c, 1);
+		if (rd <= 0)
+			break;
 		tty_insert_flip_char(port, c, TTY_NORMAL);
 		i++;
 	}
 
 	if (i)
 		tty_flip_buffer_push(port);
-
-
-	mod_timer(&serial_timer, jiffies + SERIAL_TIMER_VALUE);
+	if (rd)
+		mod_timer(&serial_timer, jiffies + SERIAL_TIMER_VALUE);
 	spin_unlock(&timer_lock);
 }
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 153/238] xtensa: fix preemption in {clear,copy}_user_highpage
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 152/238] xtensa: ISS: dont hang if stdin EOF is reached Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 154/238] xtensa: clear all DBREAKC registers on start Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit a67cc9aa2dfc6e66addf240bbd79e16e01565e81 upstream.

Disabling pagefault makes little sense there, preemption disabling is
what was meant.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/xtensa/mm/cache.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/xtensa/mm/cache.c
+++ b/arch/xtensa/mm/cache.c
@@ -97,11 +97,11 @@ void clear_user_highpage(struct page *pa
 	unsigned long paddr;
 	void *kvaddr = coherent_kvaddr(page, TLBTEMP_BASE_1, vaddr, &paddr);
 
-	pagefault_disable();
+	preempt_disable();
 	kmap_invalidate_coherent(page, vaddr);
 	set_bit(PG_arch_1, &page->flags);
 	clear_page_alias(kvaddr, paddr);
-	pagefault_enable();
+	preempt_enable();
 }
 
 void copy_user_highpage(struct page *dst, struct page *src,
@@ -113,11 +113,11 @@ void copy_user_highpage(struct page *dst
 	void *src_vaddr = coherent_kvaddr(src, TLBTEMP_BASE_2, vaddr,
 					  &src_paddr);
 
-	pagefault_disable();
+	preempt_disable();
 	kmap_invalidate_coherent(dst, vaddr);
 	set_bit(PG_arch_1, &dst->flags);
 	copy_page_alias(dst_vaddr, src_vaddr, dst_paddr, src_paddr);
-	pagefault_enable();
+	preempt_enable();
 }
 
 #endif /* DCACHE_WAY_SIZE > PAGE_SIZE */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 154/238] xtensa: clear all DBREAKC registers on start
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 153/238] xtensa: fix preemption in {clear,copy}_user_highpage Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 155/238] ARC: [plat-axs10x] add Ethernet PHY description in .dts Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit 7de7ac785ae18a2cdc78d7560f48e3213d9ea0ab upstream.

There are XCHAL_NUM_DBREAK registers, clear them all.
This also fixes cryptic assembler error message with binutils 2.25 when
XCHAL_NUM_DBREAK is 0:

  as: out of memory allocating 18446744073709551575 bytes after a total
  of 495616 bytes

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/xtensa/kernel/head.S |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/xtensa/kernel/head.S
+++ b/arch/xtensa/kernel/head.S
@@ -128,7 +128,7 @@ ENTRY(_startup)
 	wsr	a0, icountlevel
 
 	.set	_index, 0
-	.rept	XCHAL_NUM_DBREAK - 1
+	.rept	XCHAL_NUM_DBREAK
 	wsr	a0, SREG_DBREAKC + _index
 	.set	_index, _index + 1
 	.endr

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 155/238] ARC: [plat-axs10x] add Ethernet PHY description in .dts
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 154/238] xtensa: clear all DBREAKC registers on start Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 156/238] ARC: [BE] readl()/writel() to work in Big Endian CPU configuration Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Brodkin, Rob Herring,
	Phil Reid, David S. Miller, netdev, Sergei Shtylyov,
	Vineet Gupta

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Brodkin <Alexey.Brodkin@synopsys.com>

commit 667a490bdb6e27db0887d2ca515b907d6aa87118 upstream.

Commit e34d65696d2e ("stmmac: create of compatible mdio bus for stmmac
driver") broke DW GMAC functionality on ARC AXS10x boards:

That's what happens on eth0 up:
  --------------------------->8------------------------
| libphy: PHY stmmac-0:ffffffff not found
| eth0: Could not attach to PHY
| stmmac_open: Cannot attach to PHY (error: -19)
  --------------------------->8------------------------

Simplest solution is to add PHY description in board's .dts.
And so we do here.

Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Rob Herring <robh@kernel.org>
Cc: Phil Reid <preid@electromag.com.au>
Cc: David S. Miller <davem@davemloft.net>
Cc: linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org
Reviewed-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arc/boot/dts/axs10x_mb.dtsi |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/arch/arc/boot/dts/axs10x_mb.dtsi
+++ b/arch/arc/boot/dts/axs10x_mb.dtsi
@@ -47,6 +47,14 @@
 			clocks = <&apbclk>;
 			clock-names = "stmmaceth";
 			max-speed = <100>;
+			mdio0 {
+				#address-cells = <1>;
+				#size-cells = <0>;
+				compatible = "snps,dwmac-mdio";
+				phy1: ethernet-phy@1 {
+					reg = <1>;
+				};
+			};
 		};
 
 		ehci@0x40000 {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 156/238] ARC: [BE] readl()/writel() to work in Big Endian CPU configuration
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 155/238] ARC: [plat-axs10x] add Ethernet PHY description in .dts Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 157/238] ARC: bitops: Remove non relevant comments Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Brodkin, Arnd Bergmann,
	Lada Trimasova, Vineet Gupta

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lada Trimasova <ltrimas@synopsys.com>

commit f778cc65717687a3d3f26dd21bef62cd059f1b8b upstream.

read{l,w}() write{l,w}() primitives should use le{16,32}_to_cpu() and
cpu_to_le{16,32}() respectively to ensure device registers are read
correctly in Big Endian CPU configuration.

Per Arnd Bergmann
| Most drivers using readl() or readl_relaxed() expect those to perform byte
| swaps on big-endian architectures, as the registers tend to be fixed endian

This was needed for getting UART to work correctly on a Big Endian ARC.

The ARC accessors originally were fine, and the bug got introduced
inadventently by commit b8a033023994 ("ARCv2: barriers")

Fixes: b8a033023994 ("ARCv2: barriers")
Link: http://lkml.kernel.org/r/201603100845.30602.arnd@arndb.de
Cc: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Lada Trimasova <ltrimas@synopsys.com>
[vgupta: beefed up changelog, added Fixes/stable tags]
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arc/include/asm/io.h |   18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

--- a/arch/arc/include/asm/io.h
+++ b/arch/arc/include/asm/io.h
@@ -129,15 +129,23 @@ static inline void __raw_writel(u32 w, v
 #define writel(v,c)		({ __iowmb(); writel_relaxed(v,c); })
 
 /*
- * Relaxed API for drivers which can handle any ordering themselves
+ * Relaxed API for drivers which can handle barrier ordering themselves
+ *
+ * Also these are defined to perform little endian accesses.
+ * To provide the typical device register semantics of fixed endian,
+ * swap the byte order for Big Endian
+ *
+ * http://lkml.kernel.org/r/201603100845.30602.arnd@arndb.de
  */
 #define readb_relaxed(c)	__raw_readb(c)
-#define readw_relaxed(c)	__raw_readw(c)
-#define readl_relaxed(c)	__raw_readl(c)
+#define readw_relaxed(c) ({ u16 __r = le16_to_cpu((__force __le16) \
+					__raw_readw(c)); __r; })
+#define readl_relaxed(c) ({ u32 __r = le32_to_cpu((__force __le32) \
+					__raw_readl(c)); __r; })
 
 #define writeb_relaxed(v,c)	__raw_writeb(v,c)
-#define writew_relaxed(v,c)	__raw_writew(v,c)
-#define writel_relaxed(v,c)	__raw_writel(v,c)
+#define writew_relaxed(v,c)	__raw_writew((__force u16) cpu_to_le16(v),c)
+#define writel_relaxed(v,c)	__raw_writel((__force u32) cpu_to_le32(v),c)
 
 #include <asm-generic/io.h>
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 157/238] ARC: bitops: Remove non relevant comments
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 156/238] ARC: [BE] readl()/writel() to work in Big Endian CPU configuration Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 158/238] quota: Fix possible GPF due to uninitialised pointers Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vineet Gupta

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vineet Gupta <vgupta@synopsys.com>

commit 2a41b6dc28dc71c1a3f1622612a26edc58f7561e upstream.

commit 80f420842ff42 removed the ARC bitops microoptimization but failed
to prune the comments to same effect

Fixes: 80f420842ff42 ("ARC: Make ARC bitops "safer" (add anti-optimization)")
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arc/include/asm/bitops.h |   15 ---------------
 1 file changed, 15 deletions(-)

--- a/arch/arc/include/asm/bitops.h
+++ b/arch/arc/include/asm/bitops.h
@@ -35,21 +35,6 @@ static inline void op##_bit(unsigned lon
 									\
 	m += nr >> 5;							\
 									\
-	/*								\
-	 * ARC ISA micro-optimization:					\
-	 *								\
-	 * Instructions dealing with bitpos only consider lower 5 bits	\
-	 * e.g (x << 33) is handled like (x << 1) by ASL instruction	\
-	 *  (mem pointer still needs adjustment to point to next word)	\
-	 *								\
-	 * Hence the masking to clamp @nr arg can be elided in general.	\
-	 *								\
-	 * However if @nr is a constant (above assumed in a register),	\
-	 * and greater than 31, gcc can optimize away (x << 33) to 0,	\
-	 * as overflow, given the 32-bit ISA. Thus masking needs to be	\
-	 * done for const @nr, but no code is generated due to gcc	\
-	 * const prop.							\
-	 */								\
 	nr &= 0x1f;							\
 									\
 	__asm__ __volatile__(						\

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 158/238] quota: Fix possible GPF due to uninitialised pointers
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 157/238] ARC: bitops: Remove non relevant comments Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 159/238] xfs: fix two memory leaks in xfs_attr_list.c error paths Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nikolay Borisov, Jan Kara

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nikolay Borisov <kernel@kyup.com>

commit ab73ef46398e2c0159f3a71de834586422d2a44a upstream.

When dqget() in __dquot_initialize() fails e.g. due to IO error,
__dquot_initialize() will pass an array of uninitialized pointers to
dqput_all() and thus can lead to deference of random data. Fix the
problem by properly initializing the array.

Signed-off-by: Nikolay Borisov <kernel@kyup.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/quota/dquot.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -1398,7 +1398,7 @@ static int dquot_active(const struct ino
 static int __dquot_initialize(struct inode *inode, int type)
 {
 	int cnt, init_needed = 0;
-	struct dquot **dquots, *got[MAXQUOTAS];
+	struct dquot **dquots, *got[MAXQUOTAS] = {};
 	struct super_block *sb = inode->i_sb;
 	qsize_t rsv;
 	int ret = 0;
@@ -1415,7 +1415,6 @@ static int __dquot_initialize(struct ino
 		int rc;
 		struct dquot *dquot;
 
-		got[cnt] = NULL;
 		if (type != -1 && cnt != type)
 			continue;
 		/*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 159/238] xfs: fix two memory leaks in xfs_attr_list.c error paths
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 158/238] quota: Fix possible GPF due to uninitialised pointers Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 160/238] raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mateusz Guzik, Eric Sandeen, Dave Chinner

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mateusz Guzik <mguzik@redhat.com>

commit 2e83b79b2d6c78bf1b4aa227938a214dcbddc83f upstream.

This plugs 2 trivial leaks in xfs_attr_shortform_list and
xfs_attr3_leaf_list_int.

Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/xfs/xfs_attr_list.c |   19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

--- a/fs/xfs/xfs_attr_list.c
+++ b/fs/xfs/xfs_attr_list.c
@@ -202,8 +202,10 @@ xfs_attr_shortform_list(xfs_attr_list_co
 					sbp->namelen,
 					sbp->valuelen,
 					&sbp->name[sbp->namelen]);
-		if (error)
+		if (error) {
+			kmem_free(sbuf);
 			return error;
+		}
 		if (context->seen_enough)
 			break;
 		cursor->offset++;
@@ -454,14 +456,13 @@ xfs_attr3_leaf_list_int(
 				args.rmtblkcnt = xfs_attr3_rmt_blocks(
 							args.dp->i_mount, valuelen);
 				retval = xfs_attr_rmtval_get(&args);
-				if (retval)
-					return retval;
-				retval = context->put_listent(context,
-						entry->flags,
-						name_rmt->name,
-						(int)name_rmt->namelen,
-						valuelen,
-						args.value);
+				if (!retval)
+					retval = context->put_listent(context,
+							entry->flags,
+							name_rmt->name,
+							(int)name_rmt->namelen,
+							valuelen,
+							args.value);
 				kmem_free(args.value);
 			} else {
 				retval = context->put_listent(context,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 160/238] raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 159/238] xfs: fix two memory leaks in xfs_attr_list.c error paths Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 161/238] md/raid5: Compare apples to apples (or sectors to sectors) Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nate Dailey, Shaohua Li

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nate Dailey <nate.dailey@stratus.com>

commit ccfc7bf1f09d6190ef86693ddc761d5fe3fa47cb upstream.

If raid1d is handling a mix of read and write errors, handle_read_error's
call to freeze_array can get stuck.

This can happen because, though the bio_end_io_list is initially drained,
writes can be added to it via handle_write_finished as the retry_list
is processed. These writes contribute to nr_pending but are not included
in nr_queued.

If a later entry on the retry_list triggers a call to handle_read_error,
freeze array hangs waiting for nr_pending == nr_queued+extra. The writes
on the bio_end_io_list aren't included in nr_queued so the condition will
never be satisfied.

To prevent the hang, include bio_end_io_list writes in nr_queued.

There's probably a better way to handle decrementing nr_queued, but this
seemed like the safest way to avoid breaking surrounding code.

I'm happy to supply the script I used to repro this hang.

Fixes: 55ce74d4bfe1b(md/raid1: ensure device failure recorded before write request returns.)
Signed-off-by: Nate Dailey <nate.dailey@stratus.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid1.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -2274,6 +2274,7 @@ static void handle_write_finished(struct
 	if (fail) {
 		spin_lock_irq(&conf->device_lock);
 		list_add(&r1_bio->retry_list, &conf->bio_end_io_list);
+		conf->nr_queued++;
 		spin_unlock_irq(&conf->device_lock);
 		md_wakeup_thread(conf->mddev->thread);
 	} else {
@@ -2391,8 +2392,10 @@ static void raid1d(struct md_thread *thr
 		LIST_HEAD(tmp);
 		spin_lock_irqsave(&conf->device_lock, flags);
 		if (!test_bit(MD_CHANGE_PENDING, &mddev->flags)) {
-			list_add(&tmp, &conf->bio_end_io_list);
-			list_del_init(&conf->bio_end_io_list);
+			while (!list_empty(&conf->bio_end_io_list)) {
+				list_move(conf->bio_end_io_list.prev, &tmp);
+				conf->nr_queued--;
+			}
 		}
 		spin_unlock_irqrestore(&conf->device_lock, flags);
 		while (!list_empty(&tmp)) {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 161/238] md/raid5: Compare apples to apples (or sectors to sectors)
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 160/238] raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 162/238] RAID5: check_reshape() shouldnt call mddev_suspend Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jes Sorensen, Shaohua Li

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jes Sorensen <Jes.Sorensen@redhat.com>

commit e7597e69dec59b65c5525db1626b9d34afdfa678 upstream.

'max_discard_sectors' is in sectors, while 'stripe' is in bytes.

This fixes the problem where DISCARD would get disabled on some larger
RAID5 configurations (6 or more drives in my testing), while it worked
as expected with smaller configurations.

Fixes: 620125f2bf8 ("MD: raid5 trim support")
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid5.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -7014,8 +7014,8 @@ static int raid5_run(struct mddev *mddev
 		}
 
 		if (discard_supported &&
-		   mddev->queue->limits.max_discard_sectors >= stripe &&
-		   mddev->queue->limits.discard_granularity >= stripe)
+		    mddev->queue->limits.max_discard_sectors >= (stripe >> 9) &&
+		    mddev->queue->limits.discard_granularity >= stripe)
 			queue_flag_set_unlocked(QUEUE_FLAG_DISCARD,
 						mddev->queue);
 		else

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 162/238] RAID5: check_reshape() shouldnt call mddev_suspend
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 161/238] md/raid5: Compare apples to apples (or sectors to sectors) Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 163/238] RAID5: revert e9e4c377e2f563 to fix a livelock Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, NeilBrown, Shaohua Li

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shaohua Li <shli@fb.com>

commit 27a353c026a879a1001e5eac4bda75b16262c44a upstream.

check_reshape() is called from raid5d thread. raid5d thread shouldn't
call mddev_suspend(), because mddev_suspend() waits for all IO finish
but IO is handled in raid5d thread, we could easily deadlock here.

This issue is introduced by
738a273 ("md/raid5: fix allocation of 'scribble' array.")

Reported-and-tested-by: Artur Paszkiewicz <artur.paszkiewicz@intel.com>
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid5.c |   18 ++++++++++++++++++
 drivers/md/raid5.h |    2 ++
 2 files changed, 20 insertions(+)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -2089,6 +2089,14 @@ static int resize_chunks(struct r5conf *
 	unsigned long cpu;
 	int err = 0;
 
+	/*
+	 * Never shrink. And mddev_suspend() could deadlock if this is called
+	 * from raid5d. In that case, scribble_disks and scribble_sectors
+	 * should equal to new_disks and new_sectors
+	 */
+	if (conf->scribble_disks >= new_disks &&
+	    conf->scribble_sectors >= new_sectors)
+		return 0;
 	mddev_suspend(conf->mddev);
 	get_online_cpus();
 	for_each_present_cpu(cpu) {
@@ -2110,6 +2118,10 @@ static int resize_chunks(struct r5conf *
 	}
 	put_online_cpus();
 	mddev_resume(conf->mddev);
+	if (!err) {
+		conf->scribble_disks = new_disks;
+		conf->scribble_sectors = new_sectors;
+	}
 	return err;
 }
 
@@ -6413,6 +6425,12 @@ static int raid5_alloc_percpu(struct r5c
 	}
 	put_online_cpus();
 
+	if (!err) {
+		conf->scribble_disks = max(conf->raid_disks,
+			conf->previous_raid_disks);
+		conf->scribble_sectors = max(conf->chunk_sectors,
+			conf->prev_chunk_sectors);
+	}
 	return err;
 }
 
--- a/drivers/md/raid5.h
+++ b/drivers/md/raid5.h
@@ -510,6 +510,8 @@ struct r5conf {
 					      * conversions
 					      */
 	} __percpu *percpu;
+	int scribble_disks;
+	int scribble_sectors;
 #ifdef CONFIG_HOTPLUG_CPU
 	struct notifier_block	cpu_notify;
 #endif

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 163/238] RAID5: revert e9e4c377e2f563 to fix a livelock
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 162/238] RAID5: check_reshape() shouldnt call mddev_suspend Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 164/238] raid10: include bio_end_io_list in nr_queued to prevent freeze_array hang Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yuanhan Liu, NeilBrown, Shaohua Li

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shaohua Li <shli@fb.com>

commit 6ab2a4b806ae21b6c3e47c5ff1285ec06d505325 upstream.

Revert commit
e9e4c377e2f563(md/raid5: per hash value and exclusive wait_for_stripe)

The problem is raid5_get_active_stripe waits on
conf->wait_for_stripe[hash]. Assume hash is 0. My test release stripes
in this order:
- release all stripes with hash 0
- raid5_get_active_stripe still sleeps since active_stripes >
  max_nr_stripes * 3 / 4
- release all stripes with hash other than 0. active_stripes becomes 0
- raid5_get_active_stripe still sleeps, since nobody wakes up
  wait_for_stripe[0]
The system live locks. The problem is active_stripes isn't a per-hash
count. Revert the patch makes the live lock go away.

Cc: Yuanhan Liu <yuanhan.liu@linux.intel.com>
Cc: NeilBrown <neilb@suse.de>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid5.c |   27 ++++++++-------------------
 drivers/md/raid5.h |    2 +-
 2 files changed, 9 insertions(+), 20 deletions(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -340,8 +340,7 @@ static void release_inactive_stripe_list
 					 int hash)
 {
 	int size;
-	unsigned long do_wakeup = 0;
-	int i = 0;
+	bool do_wakeup = false;
 	unsigned long flags;
 
 	if (hash == NR_STRIPE_HASH_LOCKS) {
@@ -362,19 +361,15 @@ static void release_inactive_stripe_list
 			    !list_empty(list))
 				atomic_dec(&conf->empty_inactive_list_nr);
 			list_splice_tail_init(list, conf->inactive_list + hash);
-			do_wakeup |= 1 << hash;
+			do_wakeup = true;
 			spin_unlock_irqrestore(conf->hash_locks + hash, flags);
 		}
 		size--;
 		hash--;
 	}
 
-	for (i = 0; i < NR_STRIPE_HASH_LOCKS; i++) {
-		if (do_wakeup & (1 << i))
-			wake_up(&conf->wait_for_stripe[i]);
-	}
-
 	if (do_wakeup) {
+		wake_up(&conf->wait_for_stripe);
 		if (atomic_read(&conf->active_stripes) == 0)
 			wake_up(&conf->wait_for_quiescent);
 		if (conf->retry_read_aligned)
@@ -687,15 +682,14 @@ raid5_get_active_stripe(struct r5conf *c
 			if (!sh) {
 				set_bit(R5_INACTIVE_BLOCKED,
 					&conf->cache_state);
-				wait_event_exclusive_cmd(
-					conf->wait_for_stripe[hash],
+				wait_event_lock_irq(
+					conf->wait_for_stripe,
 					!list_empty(conf->inactive_list + hash) &&
 					(atomic_read(&conf->active_stripes)
 					 < (conf->max_nr_stripes * 3 / 4)
 					 || !test_bit(R5_INACTIVE_BLOCKED,
 						      &conf->cache_state)),
-					spin_unlock_irq(conf->hash_locks + hash),
-					spin_lock_irq(conf->hash_locks + hash));
+					*(conf->hash_locks + hash));
 				clear_bit(R5_INACTIVE_BLOCKED,
 					  &conf->cache_state);
 			} else {
@@ -720,9 +714,6 @@ raid5_get_active_stripe(struct r5conf *c
 		}
 	} while (sh == NULL);
 
-	if (!list_empty(conf->inactive_list + hash))
-		wake_up(&conf->wait_for_stripe[hash]);
-
 	spin_unlock_irq(conf->hash_locks + hash);
 	return sh;
 }
@@ -2202,7 +2193,7 @@ static int resize_stripes(struct r5conf
 	cnt = 0;
 	list_for_each_entry(nsh, &newstripes, lru) {
 		lock_device_hash_lock(conf, hash);
-		wait_event_exclusive_cmd(conf->wait_for_stripe[hash],
+		wait_event_cmd(conf->wait_for_stripe,
 				    !list_empty(conf->inactive_list + hash),
 				    unlock_device_hash_lock(conf, hash),
 				    lock_device_hash_lock(conf, hash));
@@ -6521,9 +6512,7 @@ static struct r5conf *setup_conf(struct
 	seqcount_init(&conf->gen_lock);
 	mutex_init(&conf->cache_size_mutex);
 	init_waitqueue_head(&conf->wait_for_quiescent);
-	for (i = 0; i < NR_STRIPE_HASH_LOCKS; i++) {
-		init_waitqueue_head(&conf->wait_for_stripe[i]);
-	}
+	init_waitqueue_head(&conf->wait_for_stripe);
 	init_waitqueue_head(&conf->wait_for_overlap);
 	INIT_LIST_HEAD(&conf->handle_list);
 	INIT_LIST_HEAD(&conf->hold_list);
--- a/drivers/md/raid5.h
+++ b/drivers/md/raid5.h
@@ -524,7 +524,7 @@ struct r5conf {
 	atomic_t		empty_inactive_list_nr;
 	struct llist_head	released_stripes;
 	wait_queue_head_t	wait_for_quiescent;
-	wait_queue_head_t	wait_for_stripe[NR_STRIPE_HASH_LOCKS];
+	wait_queue_head_t	wait_for_stripe;
 	wait_queue_head_t	wait_for_overlap;
 	unsigned long		cache_state;
 #define R5_INACTIVE_BLOCKED	1	/* release of inactive stripes blocked,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 164/238] raid10: include bio_end_io_list in nr_queued to prevent freeze_array hang
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 163/238] RAID5: revert e9e4c377e2f563 to fix a livelock Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 165/238] md/raid5: preserve STRIPE_PREREAD_ACTIVE in break_stripe_batch_list Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nate Dailey, Shaohua Li

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shaohua Li <shli@fb.com>

commit 23ddba80ebe836476bb2fa1f5ef305dd1c63dc0b upstream.

This is the raid10 counterpart of the bug fixed by Nate
(raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang)

Fixes: 95af587e95(md/raid10: ensure device failure recorded before write request returns)
Cc: Nate Dailey <nate.dailey@stratus.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid10.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2664,6 +2664,7 @@ static void handle_write_completed(struc
 		if (fail) {
 			spin_lock_irq(&conf->device_lock);
 			list_add(&r10_bio->retry_list, &conf->bio_end_io_list);
+			conf->nr_queued++;
 			spin_unlock_irq(&conf->device_lock);
 			md_wakeup_thread(conf->mddev->thread);
 		} else {
@@ -2691,8 +2692,10 @@ static void raid10d(struct md_thread *th
 		LIST_HEAD(tmp);
 		spin_lock_irqsave(&conf->device_lock, flags);
 		if (!test_bit(MD_CHANGE_PENDING, &mddev->flags)) {
-			list_add(&tmp, &conf->bio_end_io_list);
-			list_del_init(&conf->bio_end_io_list);
+			while (!list_empty(&conf->bio_end_io_list)) {
+				list_move(conf->bio_end_io_list.prev, &tmp);
+				conf->nr_queued--;
+			}
 		}
 		spin_unlock_irqrestore(&conf->device_lock, flags);
 		while (!list_empty(&tmp)) {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 165/238] md/raid5: preserve STRIPE_PREREAD_ACTIVE in break_stripe_batch_list
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 164/238] raid10: include bio_end_io_list in nr_queued to prevent freeze_array hang Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 166/238] md: multipath: dont hardcopy bio in .make_request path Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tom Weber, NeilBrown, Shaohua Li

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: NeilBrown <neilb@suse.com>

commit 550da24f8d62fe81f3c13e3ec27602d6e44d43dc upstream.

break_stripe_batch_list breaks up a batch and copies some flags from
the batch head to the members, preserving others.

It doesn't preserve or copy STRIPE_PREREAD_ACTIVE.  This is not
normally a problem as STRIPE_PREREAD_ACTIVE is cleared when a
stripe_head is added to a batch, and is not set on stripe_heads
already in a batch.

However there is no locking to ensure one thread doesn't set the flag
after it has just been cleared in another.  This does occasionally happen.

md/raid5 maintains a count of the number of stripe_heads with
STRIPE_PREREAD_ACTIVE set: conf->preread_active_stripes.  When
break_stripe_batch_list clears STRIPE_PREREAD_ACTIVE inadvertently
this could becomes incorrect and will never again return to zero.

md/raid5 delays the handling of some stripe_heads until
preread_active_stripes becomes zero.  So when the above mention race
happens, those stripe_heads become blocked and never progress,
resulting is write to the array handing.

So: change break_stripe_batch_list to preserve STRIPE_PREREAD_ACTIVE
in the members of a batch.

URL: https://bugzilla.kernel.org/show_bug.cgi?id=108741
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1258153
URL: http://thread.gmane.org/5649C0E9.2030204@zoner.cz
Reported-by: Martin Svec <martin.svec@zoner.cz> (and others)
Tested-by: Tom Weber <linux@junkyard.4t2.com>
Fixes: 1b956f7a8f9a ("md/raid5: be more selective about distributing flags across batch.")
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid5.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -4239,7 +4239,6 @@ static void break_stripe_batch_list(stru
 		WARN_ON_ONCE(sh->state & ((1 << STRIPE_ACTIVE) |
 					  (1 << STRIPE_SYNCING) |
 					  (1 << STRIPE_REPLACED) |
-					  (1 << STRIPE_PREREAD_ACTIVE) |
 					  (1 << STRIPE_DELAYED) |
 					  (1 << STRIPE_BIT_DELAY) |
 					  (1 << STRIPE_FULL_WRITE) |
@@ -4254,6 +4253,7 @@ static void break_stripe_batch_list(stru
 					      (1 << STRIPE_REPLACED)));
 
 		set_mask_bits(&sh->state, ~(STRIPE_EXPAND_SYNC_FLAGS |
+					    (1 << STRIPE_PREREAD_ACTIVE) |
 					    (1 << STRIPE_DEGRADED)),
 			      head_sh->state & (1 << STRIPE_INSYNC));
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 166/238] md: multipath: dont hardcopy bio in .make_request path
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 165/238] md/raid5: preserve STRIPE_PREREAD_ACTIVE in break_stripe_batch_list Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 167/238] fuse: do not use iocb after it may have been freed Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ming Lei, Shaohua Li

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ming Lei <ming.lei@canonical.com>

commit fafcde3ac1a418688a734365203a12483b83907a upstream.

Inside multipath_make_request(), multipath maps the incoming
bio into low level device's bio, but it is totally wrong to
copy the bio into mapped bio via '*mapped_bio = *bio'. For
example, .__bi_remaining is kept in the copy, especially if
the incoming bio is chained to via bio splitting, so .bi_end_io
can't be called for the mapped bio at all in the completing path
in this kind of situation.

This patch fixes the issue by using clone style.

Reported-and-tested-by: Andrea Righi <righi.andrea@gmail.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/multipath.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/md/multipath.c
+++ b/drivers/md/multipath.c
@@ -129,7 +129,9 @@ static void multipath_make_request(struc
 	}
 	multipath = conf->multipaths + mp_bh->path;
 
-	mp_bh->bio = *bio;
+	bio_init(&mp_bh->bio);
+	__bio_clone_fast(&mp_bh->bio, bio);
+
 	mp_bh->bio.bi_iter.bi_sector += multipath->rdev->data_offset;
 	mp_bh->bio.bi_bdev = multipath->rdev->bdev;
 	mp_bh->bio.bi_rw |= REQ_FAILFAST_TRANSPORT;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 167/238] fuse: do not use iocb after it may have been freed
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 166/238] md: multipath: dont hardcopy bio in .make_request path Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 168/238] fuse: Add reference counting for fuse_io_priv Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Robert Doebbelin, Miklos Szeredi

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Robert Doebbelin <robert@quobyte.com>

commit 7cabc61e01a0a8b663bd2b4c982aa53048218734 upstream.

There's a race in fuse_direct_IO(), whereby is_sync_kiocb() is called on an
iocb that could have been freed if async io has already completed.  The fix
in this case is simple and obvious: cache the result before starting io.

It was discovered by KASan:

kernel: ==================================================================
kernel: BUG: KASan: use after free in fuse_direct_IO+0xb1a/0xcc0 at addr ffff88036c414390

Signed-off-by: Robert Doebbelin <robert@quobyte.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: bcba24ccdc82 ("fuse: enable asynchronous processing direct IO")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2843,6 +2843,7 @@ fuse_direct_IO(struct kiocb *iocb, struc
 	loff_t i_size;
 	size_t count = iov_iter_count(iter);
 	struct fuse_io_priv *io;
+	bool is_sync = is_sync_kiocb(iocb);
 
 	pos = offset;
 	inode = file->f_mapping->host;
@@ -2882,11 +2883,11 @@ fuse_direct_IO(struct kiocb *iocb, struc
 	 * to wait on real async I/O requests, so we must submit this request
 	 * synchronously.
 	 */
-	if (!is_sync_kiocb(iocb) && (offset + count > i_size) &&
+	if (!is_sync && (offset + count > i_size) &&
 	    iov_iter_rw(iter) == WRITE)
 		io->async = false;
 
-	if (io->async && is_sync_kiocb(iocb))
+	if (io->async && is_sync)
 		io->done = &wait;
 
 	if (iov_iter_rw(iter) == WRITE) {
@@ -2900,7 +2901,7 @@ fuse_direct_IO(struct kiocb *iocb, struc
 		fuse_aio_complete(io, ret < 0 ? ret : 0, -1);
 
 		/* we have a non-extending, async request, so return */
-		if (!is_sync_kiocb(iocb))
+		if (!is_sync)
 			return -EIOCBQUEUED;
 
 		wait_for_completion(&wait);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 168/238] fuse: Add reference counting for fuse_io_priv
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 167/238] fuse: do not use iocb after it may have been freed Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 169/238] scripts/gdb: account for changes in module data structure Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Seth Forshee, Miklos Szeredi

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Seth Forshee <seth.forshee@canonical.com>

commit 744742d692e37ad5c20630e57d526c8f2e2fe3c9 upstream.

The 'reqs' member of fuse_io_priv serves two purposes. First is to track
the number of oustanding async requests to the server and to signal that
the io request is completed. The second is to be a reference count on the
structure to know when it can be freed.

For sync io requests these purposes can be at odds.  fuse_direct_IO() wants
to block until the request is done, and since the signal is sent when
'reqs' reaches 0 it cannot keep a reference to the object. Yet it needs to
use the object after the userspace server has completed processing
requests. This leads to some handshaking and special casing that it
needlessly complicated and responsible for at least one race condition.

It's much cleaner and safer to maintain a separate reference count for the
object lifecycle and to let 'reqs' just be a count of outstanding requests
to the userspace server. Then we can know for sure when it is safe to free
the object without any handshaking or special cases.

The catch here is that most of the time these objects are stack allocated
and should not be freed. Initializing these objects with a single reference
that is never released prevents accidental attempts to free the objects.

Fixes: 9d5722b7777e ("fuse: handle synchronous iocbs internally")
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/cuse.c   |    4 ++--
 fs/fuse/file.c   |   28 +++++++++++++++++++++-------
 fs/fuse/fuse_i.h |    9 +++++++++
 3 files changed, 32 insertions(+), 9 deletions(-)

--- a/fs/fuse/cuse.c
+++ b/fs/fuse/cuse.c
@@ -90,7 +90,7 @@ static struct list_head *cuse_conntbl_he
 
 static ssize_t cuse_read_iter(struct kiocb *kiocb, struct iov_iter *to)
 {
-	struct fuse_io_priv io = { .async = 0, .file = kiocb->ki_filp };
+	struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(kiocb->ki_filp);
 	loff_t pos = 0;
 
 	return fuse_direct_io(&io, to, &pos, FUSE_DIO_CUSE);
@@ -98,7 +98,7 @@ static ssize_t cuse_read_iter(struct kio
 
 static ssize_t cuse_write_iter(struct kiocb *kiocb, struct iov_iter *from)
 {
-	struct fuse_io_priv io = { .async = 0, .file = kiocb->ki_filp };
+	struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(kiocb->ki_filp);
 	loff_t pos = 0;
 	/*
 	 * No locking or generic_write_checks(), the server is
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -528,6 +528,11 @@ static void fuse_release_user_pages(stru
 	}
 }
 
+static void fuse_io_release(struct kref *kref)
+{
+	kfree(container_of(kref, struct fuse_io_priv, refcnt));
+}
+
 static ssize_t fuse_get_res_by_io(struct fuse_io_priv *io)
 {
 	if (io->err)
@@ -585,8 +590,9 @@ static void fuse_aio_complete(struct fus
 		}
 
 		io->iocb->ki_complete(io->iocb, res, 0);
-		kfree(io);
 	}
+
+	kref_put(&io->refcnt, fuse_io_release);
 }
 
 static void fuse_aio_complete_req(struct fuse_conn *fc, struct fuse_req *req)
@@ -613,6 +619,7 @@ static size_t fuse_async_req_send(struct
 		size_t num_bytes, struct fuse_io_priv *io)
 {
 	spin_lock(&io->lock);
+	kref_get(&io->refcnt);
 	io->size += num_bytes;
 	io->reqs++;
 	spin_unlock(&io->lock);
@@ -691,7 +698,7 @@ static void fuse_short_read(struct fuse_
 
 static int fuse_do_readpage(struct file *file, struct page *page)
 {
-	struct fuse_io_priv io = { .async = 0, .file = file };
+	struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(file);
 	struct inode *inode = page->mapping->host;
 	struct fuse_conn *fc = get_fuse_conn(inode);
 	struct fuse_req *req;
@@ -984,7 +991,7 @@ static size_t fuse_send_write_pages(stru
 	size_t res;
 	unsigned offset;
 	unsigned i;
-	struct fuse_io_priv io = { .async = 0, .file = file };
+	struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(file);
 
 	for (i = 0; i < req->num_pages; i++)
 		fuse_wait_on_page_writeback(inode, req->pages[i]->index);
@@ -1398,7 +1405,7 @@ static ssize_t __fuse_direct_read(struct
 
 static ssize_t fuse_direct_read_iter(struct kiocb *iocb, struct iov_iter *to)
 {
-	struct fuse_io_priv io = { .async = 0, .file = iocb->ki_filp };
+	struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(iocb->ki_filp);
 	return __fuse_direct_read(&io, to, &iocb->ki_pos);
 }
 
@@ -1406,7 +1413,7 @@ static ssize_t fuse_direct_write_iter(st
 {
 	struct file *file = iocb->ki_filp;
 	struct inode *inode = file_inode(file);
-	struct fuse_io_priv io = { .async = 0, .file = file };
+	struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(file);
 	ssize_t res;
 
 	if (is_bad_inode(inode))
@@ -2864,6 +2871,7 @@ fuse_direct_IO(struct kiocb *iocb, struc
 	if (!io)
 		return -ENOMEM;
 	spin_lock_init(&io->lock);
+	kref_init(&io->refcnt);
 	io->reqs = 1;
 	io->bytes = -1;
 	io->size = 0;
@@ -2887,8 +2895,14 @@ fuse_direct_IO(struct kiocb *iocb, struc
 	    iov_iter_rw(iter) == WRITE)
 		io->async = false;
 
-	if (io->async && is_sync)
+	if (io->async && is_sync) {
+		/*
+		 * Additional reference to keep io around after
+		 * calling fuse_aio_complete()
+		 */
+		kref_get(&io->refcnt);
 		io->done = &wait;
+	}
 
 	if (iov_iter_rw(iter) == WRITE) {
 		ret = fuse_direct_io(io, iter, &pos, FUSE_DIO_WRITE);
@@ -2908,7 +2922,7 @@ fuse_direct_IO(struct kiocb *iocb, struc
 		ret = fuse_get_res_by_io(io);
 	}
 
-	kfree(io);
+	kref_put(&io->refcnt, fuse_io_release);
 
 	if (iov_iter_rw(iter) == WRITE) {
 		if (ret > 0)
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -22,6 +22,7 @@
 #include <linux/rbtree.h>
 #include <linux/poll.h>
 #include <linux/workqueue.h>
+#include <linux/kref.h>
 
 /** Max number of pages that can be used in a single read request */
 #define FUSE_MAX_PAGES_PER_REQ 32
@@ -243,6 +244,7 @@ struct fuse_args {
 
 /** The request IO state (for asynchronous processing) */
 struct fuse_io_priv {
+	struct kref refcnt;
 	int async;
 	spinlock_t lock;
 	unsigned reqs;
@@ -256,6 +258,13 @@ struct fuse_io_priv {
 	struct completion *done;
 };
 
+#define FUSE_IO_PRIV_SYNC(f) \
+{					\
+	.refcnt = { ATOMIC_INIT(1) },	\
+	.async = 0,			\
+	.file = f,			\
+}
+
 /**
  * Request flags
  *

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 169/238] scripts/gdb: account for changes in module data structure
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 168/238] fuse: Add reference counting for fuse_io_priv Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 170/238] fs/coredump: prevent fsuid=0 dumps into user-controlled directories Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kiszka, Kieran Bingham,
	Rusty Russell, Jiri Kosina, Jason Wessel, Andrew Morton,
	Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kiszka <jan.kiszka@siemens.com>

commit ad4db3b24a93e52a92ad8f9b0273a9416f202c23 upstream.

Commit 7523e4dc5057 ("module: use a structure to encapsulate layout.")
factored out the module_layout structure.  Adjust the symbol loader and
the lsmod command to this.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Kieran Bingham <kieran.bingham@linaro.org>
Tested-by: Kieran Bingham <kieran.bingham@linaro.org> (qemu-{ARM,x86})
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 scripts/gdb/linux/modules.py |    5 +++--
 scripts/gdb/linux/symbols.py |    2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/scripts/gdb/linux/modules.py
+++ b/scripts/gdb/linux/modules.py
@@ -73,10 +73,11 @@ class LxLsmod(gdb.Command):
                 "        " if utils.get_long_type().sizeof == 8 else ""))
 
         for module in module_list():
+            layout = module['core_layout']
             gdb.write("{address} {name:<19} {size:>8}  {ref}".format(
-                address=str(module['module_core']).split()[0],
+                address=str(layout['base']).split()[0],
                 name=module['name'].string(),
-                size=str(module['core_size']),
+                size=str(layout['size']),
                 ref=str(module['refcnt']['counter'])))
 
             source_list = module['source_list']
--- a/scripts/gdb/linux/symbols.py
+++ b/scripts/gdb/linux/symbols.py
@@ -108,7 +108,7 @@ lx-symbols command."""
 
     def load_module_symbols(self, module):
         module_name = module['name'].string()
-        module_addr = str(module['module_core']).split()[0]
+        module_addr = str(module['core_layout']['base']).split()[0]
 
         module_file = self._get_module_file(module_name)
         if not module_file and not self.module_files_updated:

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 170/238] fs/coredump: prevent fsuid=0 dumps into user-controlled directories
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 169/238] scripts/gdb: account for changes in module data structure Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 171/238] rapidio/rionet: fix deadlock on SMP Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jann Horn, Kees Cook, Al Viro,
	Eric W. Biederman, Andy Lutomirski, Oleg Nesterov, Andrew Morton,
	Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jann@thejh.net>

commit 378c6520e7d29280f400ef2ceaf155c86f05a71a upstream.

This commit fixes the following security hole affecting systems where
all of the following conditions are fulfilled:

 - The fs.suid_dumpable sysctl is set to 2.
 - The kernel.core_pattern sysctl's value starts with "/". (Systems
   where kernel.core_pattern starts with "|/" are not affected.)
 - Unprivileged user namespace creation is permitted. (This is
   true on Linux >=3.8, but some distributions disallow it by
   default using a distro patch.)

Under these conditions, if a program executes under secure exec rules,
causing it to run with the SUID_DUMP_ROOT flag, then unshares its user
namespace, changes its root directory and crashes, the coredump will be
written using fsuid=0 and a path derived from kernel.core_pattern - but
this path is interpreted relative to the root directory of the process,
allowing the attacker to control where a coredump will be written with
root privileges.

To fix the security issue, always interpret core_pattern for dumps that
are written under SUID_DUMP_ROOT relative to the root directory of init.

Signed-off-by: Jann Horn <jann@thejh.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/um/drivers/mconsole_kern.c |    2 +-
 fs/coredump.c                   |   30 ++++++++++++++++++++++++++----
 fs/fhandle.c                    |    2 +-
 fs/open.c                       |    6 ++----
 include/linux/fs.h              |    2 +-
 kernel/sysctl_binary.c          |    2 +-
 6 files changed, 32 insertions(+), 12 deletions(-)

--- a/arch/um/drivers/mconsole_kern.c
+++ b/arch/um/drivers/mconsole_kern.c
@@ -133,7 +133,7 @@ void mconsole_proc(struct mc_request *re
 	ptr += strlen("proc");
 	ptr = skip_spaces(ptr);
 
-	file = file_open_root(mnt->mnt_root, mnt, ptr, O_RDONLY);
+	file = file_open_root(mnt->mnt_root, mnt, ptr, O_RDONLY, 0);
 	if (IS_ERR(file)) {
 		mconsole_reply(req, "Failed to open file", 1, 0);
 		printk(KERN_ERR "open /proc/%s: %ld\n", ptr, PTR_ERR(file));
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -32,6 +32,9 @@
 #include <linux/pipe_fs_i.h>
 #include <linux/oom.h>
 #include <linux/compat.h>
+#include <linux/sched.h>
+#include <linux/fs.h>
+#include <linux/path.h>
 #include <linux/timekeeping.h>
 
 #include <asm/uaccess.h>
@@ -649,6 +652,8 @@ void do_coredump(const siginfo_t *siginf
 		}
 	} else {
 		struct inode *inode;
+		int open_flags = O_CREAT | O_RDWR | O_NOFOLLOW |
+				 O_LARGEFILE | O_EXCL;
 
 		if (cprm.limit < binfmt->min_coredump)
 			goto fail_unlock;
@@ -687,10 +692,27 @@ void do_coredump(const siginfo_t *siginf
 		 * what matters is that at least one of the two processes
 		 * writes its coredump successfully, not which one.
 		 */
-		cprm.file = filp_open(cn.corename,
-				 O_CREAT | 2 | O_NOFOLLOW |
-				 O_LARGEFILE | O_EXCL,
-				 0600);
+		if (need_suid_safe) {
+			/*
+			 * Using user namespaces, normal user tasks can change
+			 * their current->fs->root to point to arbitrary
+			 * directories. Since the intention of the "only dump
+			 * with a fully qualified path" rule is to control where
+			 * coredumps may be placed using root privileges,
+			 * current->fs->root must not be used. Instead, use the
+			 * root directory of init_task.
+			 */
+			struct path root;
+
+			task_lock(&init_task);
+			get_fs_root(init_task.fs, &root);
+			task_unlock(&init_task);
+			cprm.file = file_open_root(root.dentry, root.mnt,
+				cn.corename, open_flags, 0600);
+			path_put(&root);
+		} else {
+			cprm.file = filp_open(cn.corename, open_flags, 0600);
+		}
 		if (IS_ERR(cprm.file))
 			goto fail_unlock;
 
--- a/fs/fhandle.c
+++ b/fs/fhandle.c
@@ -228,7 +228,7 @@ long do_handle_open(int mountdirfd,
 		path_put(&path);
 		return fd;
 	}
-	file = file_open_root(path.dentry, path.mnt, "", open_flag);
+	file = file_open_root(path.dentry, path.mnt, "", open_flag, 0);
 	if (IS_ERR(file)) {
 		put_unused_fd(fd);
 		retval =  PTR_ERR(file);
--- a/fs/open.c
+++ b/fs/open.c
@@ -992,14 +992,12 @@ struct file *filp_open(const char *filen
 EXPORT_SYMBOL(filp_open);
 
 struct file *file_open_root(struct dentry *dentry, struct vfsmount *mnt,
-			    const char *filename, int flags)
+			    const char *filename, int flags, umode_t mode)
 {
 	struct open_flags op;
-	int err = build_open_flags(flags, 0, &op);
+	int err = build_open_flags(flags, mode, &op);
 	if (err)
 		return ERR_PTR(err);
-	if (flags & O_CREAT)
-		return ERR_PTR(-EINVAL);
 	return do_file_open_root(dentry, mnt, filename, &op);
 }
 EXPORT_SYMBOL(file_open_root);
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2259,7 +2259,7 @@ extern long do_sys_open(int dfd, const c
 extern struct file *file_open_name(struct filename *, int, umode_t);
 extern struct file *filp_open(const char *, int, umode_t);
 extern struct file *file_open_root(struct dentry *, struct vfsmount *,
-				   const char *, int);
+				   const char *, int, umode_t);
 extern struct file * dentry_open(const struct path *, int, const struct cred *);
 extern int filp_close(struct file *, fl_owner_t id);
 
--- a/kernel/sysctl_binary.c
+++ b/kernel/sysctl_binary.c
@@ -1321,7 +1321,7 @@ static ssize_t binary_sysctl(const int *
 	}
 
 	mnt = task_active_pid_ns(current)->proc_mnt;
-	file = file_open_root(mnt->mnt_root, mnt, pathname, flags);
+	file = file_open_root(mnt->mnt_root, mnt, pathname, flags, 0);
 	result = PTR_ERR(file);
 	if (IS_ERR(file))
 		goto out_putname;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 171/238] rapidio/rionet: fix deadlock on SMP
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 170/238] fs/coredump: prevent fsuid=0 dumps into user-controlled directories Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 172/238] drm/vc4: Return -EFAULT on copy_from_user() failure Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aurelien Jacquiot, Alexandre Bounine,
	Matt Porter, Andre van Herk, Andrew Morton, Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aurelien Jacquiot <a-jacquiot@ti.com>

commit 36915976eca58f2eefa040ba8f9939672564df61 upstream.

Fix deadlocking during concurrent receive and transmit operations on SMP
platforms caused by the use of incorrect lock: on transmit 'tx_lock'
spinlock should be used instead of 'lock' which is used for receive
operation.

This fix is applicable to kernel versions starting from v2.15.

Signed-off-by: Aurelien Jacquiot <a-jacquiot@ti.com>
Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Andre van Herk <andre.van.herk@prodrive-technologies.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/rionet.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/rionet.c
+++ b/drivers/net/rionet.c
@@ -280,7 +280,7 @@ static void rionet_outb_msg_event(struct
 	struct net_device *ndev = dev_id;
 	struct rionet_private *rnet = netdev_priv(ndev);
 
-	spin_lock(&rnet->lock);
+	spin_lock(&rnet->tx_lock);
 
 	if (netif_msg_intr(rnet))
 		printk(KERN_INFO
@@ -299,7 +299,7 @@ static void rionet_outb_msg_event(struct
 	if (rnet->tx_cnt < RIONET_TX_RING_SIZE)
 		netif_wake_queue(ndev);
 
-	spin_unlock(&rnet->lock);
+	spin_unlock(&rnet->tx_lock);
 }
 
 static int rionet_open(struct net_device *ndev)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 172/238] drm/vc4: Return -EFAULT on copy_from_user() failure
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 171/238] rapidio/rionet: fix deadlock on SMP Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 174/238] drm/radeon: Dont drop DP 2.7 Ghz link setup on some cards Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Eric Anholt

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 585cb132a48190b554aecda2ebc3e2911fcbb665 upstream.

The copy_from_user() function returns the number of bytes not copied but
we want to return a negative error code.

Fixes: 463873d57014 ('drm/vc4: Add an API for creating GPU shaders in GEM BOs.')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/vc4/vc4_bo.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/vc4/vc4_bo.c
+++ b/drivers/gpu/drm/vc4/vc4_bo.c
@@ -499,11 +499,12 @@ vc4_create_shader_bo_ioctl(struct drm_de
 	if (IS_ERR(bo))
 		return PTR_ERR(bo);
 
-	ret = copy_from_user(bo->base.vaddr,
+	if (copy_from_user(bo->base.vaddr,
 			     (void __user *)(uintptr_t)args->data,
-			     args->size);
-	if (ret != 0)
+			     args->size)) {
+		ret = -EFAULT;
 		goto fail;
+	}
 	/* Clear the rest of the memory from allocating from the BO
 	 * cache.
 	 */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 174/238] drm/radeon: Dont drop DP 2.7 Ghz link setup on some cards.
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 172/238] drm/vc4: Return -EFAULT on copy_from_user() failure Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 175/238] drm/radeon: rework fbdev handling on chips with no connectors Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mario Kleiner, Alex Deucher

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mario Kleiner <mario.kleiner.de@gmail.com>

commit 459ee1c3fd097ab56ababd8ff4bb7ef6a792de33 upstream.

As observed on Apple iMac10,1, DCE-3.2, RV-730,
link rate of 2.7 Ghz is not selected, because
the args.v1.ucConfig flag setting for 2.7 Ghz
gets overwritten by a following assignment of
the transmitter to use.

Move link rate setup a few lines down to fix this.
In practice this didn't have any positive or
negative effect on display setup on the tested
iMac10,1 so i don't know if backporting to stable
makes sense or not.

Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/atombios_encoders.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/radeon/atombios_encoders.c
+++ b/drivers/gpu/drm/radeon/atombios_encoders.c
@@ -892,8 +892,6 @@ atombios_dig_encoder_setup2(struct drm_e
 			else
 				args.v1.ucLaneNum = 4;
 
-			if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000))
-				args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ;
 			switch (radeon_encoder->encoder_id) {
 			case ENCODER_OBJECT_ID_INTERNAL_UNIPHY:
 				args.v1.ucConfig = ATOM_ENCODER_CONFIG_V2_TRANSMITTER1;
@@ -910,6 +908,10 @@ atombios_dig_encoder_setup2(struct drm_e
 				args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKB;
 			else
 				args.v1.ucConfig |= ATOM_ENCODER_CONFIG_LINKA;
+
+			if (ENCODER_MODE_IS_DP(args.v1.ucEncoderMode) && (dp_clock == 270000))
+				args.v1.ucConfig |= ATOM_ENCODER_CONFIG_DPLINKRATE_2_70GHZ;
+
 			break;
 		case 2:
 		case 3:

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 175/238] drm/radeon: rework fbdev handling on chips with no connectors
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 174/238] drm/radeon: Dont drop DP 2.7 Ghz link setup on some cards Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 176/238] drm/radeon/mst: fix regression in lane/link handling Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alex Deucher <alexander.deucher@amd.com>

commit e5f243bd2edd95c6cc1d90c1878f821068e83fba upstream.

Move all the logic to radeon_fb.c and add checks to functions
called frome elsewhere.

bug:
https://bugzilla.kernel.org/show_bug.cgi?id=112781

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/radeon_display.c |    6 ++----
 drivers/gpu/drm/radeon/radeon_fb.c      |   19 +++++++++++++++----
 2 files changed, 17 insertions(+), 8 deletions(-)

--- a/drivers/gpu/drm/radeon/radeon_display.c
+++ b/drivers/gpu/drm/radeon/radeon_display.c
@@ -1683,10 +1683,8 @@ int radeon_modeset_init(struct radeon_de
 	/* setup afmt */
 	radeon_afmt_init(rdev);
 
-	if (!list_empty(&rdev->ddev->mode_config.connector_list)) {
-		radeon_fbdev_init(rdev);
-		drm_kms_helper_poll_init(rdev->ddev);
-	}
+	radeon_fbdev_init(rdev);
+	drm_kms_helper_poll_init(rdev->ddev);
 
 	/* do pm late init */
 	ret = radeon_pm_late_init(rdev);
--- a/drivers/gpu/drm/radeon/radeon_fb.c
+++ b/drivers/gpu/drm/radeon/radeon_fb.c
@@ -292,7 +292,8 @@ out_unref:
 
 void radeon_fb_output_poll_changed(struct radeon_device *rdev)
 {
-	drm_fb_helper_hotplug_event(&rdev->mode_info.rfbdev->helper);
+	if (rdev->mode_info.rfbdev)
+		drm_fb_helper_hotplug_event(&rdev->mode_info.rfbdev->helper);
 }
 
 static int radeon_fbdev_destroy(struct drm_device *dev, struct radeon_fbdev *rfbdev)
@@ -325,6 +326,10 @@ int radeon_fbdev_init(struct radeon_devi
 	int bpp_sel = 32;
 	int ret;
 
+	/* don't enable fbdev if no connectors */
+	if (list_empty(&rdev->ddev->mode_config.connector_list))
+		return 0;
+
 	/* select 8 bpp console on RN50 or 16MB cards */
 	if (ASIC_IS_RN50(rdev) || rdev->mc.real_vram_size <= (32*1024*1024))
 		bpp_sel = 8;
@@ -377,11 +382,15 @@ void radeon_fbdev_fini(struct radeon_dev
 
 void radeon_fbdev_set_suspend(struct radeon_device *rdev, int state)
 {
-	fb_set_suspend(rdev->mode_info.rfbdev->helper.fbdev, state);
+	if (rdev->mode_info.rfbdev)
+		fb_set_suspend(rdev->mode_info.rfbdev->helper.fbdev, state);
 }
 
 bool radeon_fbdev_robj_is_fb(struct radeon_device *rdev, struct radeon_bo *robj)
 {
+	if (!rdev->mode_info.rfbdev)
+		return false;
+
 	if (robj == gem_to_radeon_bo(rdev->mode_info.rfbdev->rfb.obj))
 		return true;
 	return false;
@@ -389,12 +398,14 @@ bool radeon_fbdev_robj_is_fb(struct rade
 
 void radeon_fb_add_connector(struct radeon_device *rdev, struct drm_connector *connector)
 {
-	drm_fb_helper_add_one_connector(&rdev->mode_info.rfbdev->helper, connector);
+	if (rdev->mode_info.rfbdev)
+		drm_fb_helper_add_one_connector(&rdev->mode_info.rfbdev->helper, connector);
 }
 
 void radeon_fb_remove_connector(struct radeon_device *rdev, struct drm_connector *connector)
 {
-	drm_fb_helper_remove_one_connector(&rdev->mode_info.rfbdev->helper, connector);
+	if (rdev->mode_info.rfbdev)
+		drm_fb_helper_remove_one_connector(&rdev->mode_info.rfbdev->helper, connector);
 }
 
 void radeon_fbdev_restore_mode(struct radeon_device *rdev)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 176/238] drm/radeon/mst: fix regression in lane/link handling.
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 175/238] drm/radeon: rework fbdev handling on chips with no connectors Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 178/238] drm/amdgpu: include the right version of gmc header files for iceland Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dave Airlie, Alex Deucher

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Airlie <airlied@redhat.com>

commit b36f7d26a7fdc0b07b1217368ee09bb8560269f8 upstream.

The function this used changed in
    092c96a8ab9d1bd60ada2ed385cc364ce084180e
    drm/radeon: fix dp link rate selection (v2)

However for MST we should just always train to the
max link/rate. Though we probably need to limit this
for future hw, in theory radeon won't support it.

This fixes my 30" monitor with MST enabled.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/radeon/radeon_dp_mst.c |   12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

--- a/drivers/gpu/drm/radeon/radeon_dp_mst.c
+++ b/drivers/gpu/drm/radeon/radeon_dp_mst.c
@@ -525,17 +525,9 @@ static bool radeon_mst_mode_fixup(struct
 	drm_mode_set_crtcinfo(adjusted_mode, 0);
 	{
 	  struct radeon_connector_atom_dig *dig_connector;
-	  int ret;
-
 	  dig_connector = mst_enc->connector->con_priv;
-	  ret = radeon_dp_get_dp_link_config(&mst_enc->connector->base,
-					     dig_connector->dpcd, adjusted_mode->clock,
-					     &dig_connector->dp_lane_count,
-					     &dig_connector->dp_clock);
-	  if (ret) {
-		  dig_connector->dp_lane_count = 0;
-		  dig_connector->dp_clock = 0;
-	  }
+	  dig_connector->dp_lane_count = drm_dp_max_lane_count(dig_connector->dpcd);
+	  dig_connector->dp_clock = drm_dp_max_link_rate(dig_connector->dpcd);
 	  DRM_DEBUG_KMS("dig clock %p %d %d\n", dig_connector,
 			dig_connector->dp_lane_count, dig_connector->dp_clock);
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 178/238] drm/amdgpu: include the right version of gmc header files for iceland
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 176/238] drm/radeon/mst: fix regression in lane/link handling Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 179/238] drm/amd/powerplay: add uvd/vce dpm enabling flag to fix the performance issue for CZ Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ken Wang, Alex Deucher

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ken Wang <Qingqing.Wang@amd.com>

commit 16a8a49be1b878ef6dd5d1663d456e254e54ae3d upstream.

Signed-off-by: Ken Wang <Qingqing.Wang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c
+++ b/drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c
@@ -32,8 +32,8 @@
 #include "oss/oss_2_4_d.h"
 #include "oss/oss_2_4_sh_mask.h"
 
-#include "gmc/gmc_8_1_d.h"
-#include "gmc/gmc_8_1_sh_mask.h"
+#include "gmc/gmc_7_1_d.h"
+#include "gmc/gmc_7_1_sh_mask.h"
 
 #include "gca/gfx_8_0_d.h"
 #include "gca/gfx_8_0_enum.h"

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 179/238] drm/amd/powerplay: add uvd/vce dpm enabling flag to fix the performance issue for CZ
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 178/238] drm/amdgpu: include the right version of gmc header files for iceland Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 180/238] tracing: Have preempt(irqs)off trace preempt disabled functions Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alex Deucher, Eric Huang

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Huang <JinHuiEric.Huang@amd.com>

commit 60123300db80b17251b4de5e98c63e288c6f7b46 upstream.

Set the UVD and VCE DPM flags otherwise UVD and VCE DPM won't get enabled.

Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Eric Huang <JinHuiEric.Huang@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c
+++ b/drivers/gpu/drm/amd/powerplay/hwmgr/cz_hwmgr.c
@@ -241,6 +241,11 @@ static int cz_initialize_dpm_defaults(st
 	phm_cap_set(hwmgr->platform_descriptor.platformCaps,
 					PHM_PlatformCaps_DynamicUVDState);
 
+	phm_cap_set(hwmgr->platform_descriptor.platformCaps,
+			PHM_PlatformCaps_UVDDPM);
+	phm_cap_set(hwmgr->platform_descriptor.platformCaps,
+			PHM_PlatformCaps_VCEDPM);
+
 	cz_hwmgr->cc6_settings.cpu_cc6_disable = false;
 	cz_hwmgr->cc6_settings.cpu_pstate_disable = false;
 	cz_hwmgr->cc6_settings.nb_pstate_switch_disable = false;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 180/238] tracing: Have preempt(irqs)off trace preempt disabled functions
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 179/238] drm/amd/powerplay: add uvd/vce dpm enabling flag to fix the performance issue for CZ Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 181/238] tracing: Fix crash from reading trace_pipe with sendfile Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joel Fernandes, Steven Rostedt

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Rostedt (Red Hat) <rostedt@goodmis.org>

commit cb86e05390debcc084cfdb0a71ed4c5dbbec517d upstream.

Joel Fernandes reported that the function tracing of preempt disabled
sections was not being reported when running either the preemptirqsoff or
preemptoff tracers. This was due to the fact that the function tracer
callback for those tracers checked if irqs were disabled before tracing. But
this fails when we want to trace preempt off locations as well.

Joel explained that he wanted to see funcitons where interrupts are enabled
but preemption was disabled. The expected output he wanted:

   <...>-2265    1d.h1 3419us : preempt_count_sub <-irq_exit
   <...>-2265    1d..1 3419us : __do_softirq <-irq_exit
   <...>-2265    1d..1 3419us : msecs_to_jiffies <-__do_softirq
   <...>-2265    1d..1 3420us : irqtime_account_irq <-__do_softirq
   <...>-2265    1d..1 3420us : __local_bh_disable_ip <-__do_softirq
   <...>-2265    1..s1 3421us : run_timer_softirq <-__do_softirq
   <...>-2265    1..s1 3421us : hrtimer_run_pending <-run_timer_softirq
   <...>-2265    1..s1 3421us : _raw_spin_lock_irq <-run_timer_softirq
   <...>-2265    1d.s1 3422us : preempt_count_add <-_raw_spin_lock_irq
   <...>-2265    1d.s2 3422us : _raw_spin_unlock_irq <-run_timer_softirq
   <...>-2265    1..s2 3422us : preempt_count_sub <-_raw_spin_unlock_irq
   <...>-2265    1..s1 3423us : rcu_bh_qs <-__do_softirq
   <...>-2265    1d.s1 3423us : irqtime_account_irq <-__do_softirq
   <...>-2265    1d.s1 3423us : __local_bh_enable <-__do_softirq

There's a comment saying that the irq disabled check is because there's a
possible race that tracing_cpu may be set when the function is executed. But
I don't remember that race. For now, I added a check for preemption being
enabled too to not record the function, as there would be no race if that
was the case. I need to re-investigate this, as I'm now thinking that the
tracing_cpu will always be correct. But no harm in keeping the check for
now, except for the slight performance hit.

Link: http://lkml.kernel.org/r/1457770386-88717-1-git-send-email-agnel.joel@gmail.com

Fixes: 5e6d2b9cfa3a "tracing: Use one prologue for the preempt irqs off tracer function tracers"
Reported-by: Joel Fernandes <agnel.joel@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace_irqsoff.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/kernel/trace/trace_irqsoff.c
+++ b/kernel/trace/trace_irqsoff.c
@@ -109,8 +109,12 @@ static int func_prolog_dec(struct trace_
 		return 0;
 
 	local_save_flags(*flags);
-	/* slight chance to get a false positive on tracing_cpu */
-	if (!irqs_disabled_flags(*flags))
+	/*
+	 * Slight chance to get a false positive on tracing_cpu,
+	 * although I'm starting to think there isn't a chance.
+	 * Leave this for now just to be paranoid.
+	 */
+	if (!irqs_disabled_flags(*flags) && !preempt_count())
 		return 0;
 
 	*data = per_cpu_ptr(tr->trace_buffer.data, cpu);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 181/238] tracing: Fix crash from reading trace_pipe with sendfile
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 180/238] tracing: Have preempt(irqs)off trace preempt disabled functions Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:35 ` [PATCH 4.5 182/238] tracing: Fix trace_printk() to print when not using bprintk() Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rabin Vincent, Steven Rostedt

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Rostedt (Red Hat) <rostedt@goodmis.org>

commit a29054d9478d0435ab01b7544da4f674ab13f533 upstream.

If tracing contains data and the trace_pipe file is read with sendfile(),
then it can trigger a NULL pointer dereference and various BUG_ON within the
VM code.

There's a patch to fix this in the splice_to_pipe() code, but it's also a
good idea to not let that happen from trace_pipe either.

Link: http://lkml.kernel.org/r/1457641146-9068-1-git-send-email-rabin@rab.in

Reported-by: Rabin Vincent <rabin.vincent@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -4949,7 +4949,10 @@ static ssize_t tracing_splice_read_pipe(
 
 	spd.nr_pages = i;
 
-	ret = splice_to_pipe(pipe, &spd);
+	if (i)
+		ret = splice_to_pipe(pipe, &spd);
+	else
+		ret = 0;
 out:
 	splice_shrink_spd(&spd);
 	return ret;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 182/238] tracing: Fix trace_printk() to print when not using bprintk()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 181/238] tracing: Fix crash from reading trace_pipe with sendfile Greg Kroah-Hartman
@ 2016-04-10 18:35 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 183/238] bitops: Do not default to __clear_bit() for __clear_bit_unlock() Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vlastimil Babka, Steven Rostedt

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Steven Rostedt (Red Hat) <rostedt@goodmis.org>

commit 3debb0a9ddb16526de8b456491b7db60114f7b5e upstream.

The trace_printk() code will allocate extra buffers if the compile detects
that a trace_printk() is used. To do this, the format of the trace_printk()
is saved to the __trace_printk_fmt section, and if that section is bigger
than zero, the buffers are allocated (along with a message that this has
happened).

If trace_printk() uses a format that is not a constant, and thus something
not guaranteed to be around when the print happens, the compiler optimizes
the fmt out, as it is not used, and the __trace_printk_fmt section is not
filled. This means the kernel will not allocate the special buffers needed
for the trace_printk() and the trace_printk() will not write anything to the
tracing buffer.

Adding a "__used" to the variable in the __trace_printk_fmt section will
keep it around, even though it is set to NULL. This will keep the string
from being printed in the debugfs/tracing/printk_formats section as it is
not needed.

Reported-by: Vlastimil Babka <vbabka@suse.cz>
Fixes: 07d777fe8c398 "tracing: Add percpu buffers for trace_printk()"
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/kernel.h      |    6 +++---
 kernel/trace/trace_printk.c |    3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -635,7 +635,7 @@ do {							\
 
 #define do_trace_printk(fmt, args...)					\
 do {									\
-	static const char *trace_printk_fmt				\
+	static const char *trace_printk_fmt __used			\
 		__attribute__((section("__trace_printk_fmt"))) =	\
 		__builtin_constant_p(fmt) ? fmt : NULL;			\
 									\
@@ -679,7 +679,7 @@ int __trace_printk(unsigned long ip, con
  */
 
 #define trace_puts(str) ({						\
-	static const char *trace_printk_fmt				\
+	static const char *trace_printk_fmt __used			\
 		__attribute__((section("__trace_printk_fmt"))) =	\
 		__builtin_constant_p(str) ? str : NULL;			\
 									\
@@ -701,7 +701,7 @@ extern void trace_dump_stack(int skip);
 #define ftrace_vprintk(fmt, vargs)					\
 do {									\
 	if (__builtin_constant_p(fmt)) {				\
-		static const char *trace_printk_fmt			\
+		static const char *trace_printk_fmt __used		\
 		  __attribute__((section("__trace_printk_fmt"))) =	\
 			__builtin_constant_p(fmt) ? fmt : NULL;		\
 									\
--- a/kernel/trace/trace_printk.c
+++ b/kernel/trace/trace_printk.c
@@ -296,6 +296,9 @@ static int t_show(struct seq_file *m, vo
 	const char *str = *fmt;
 	int i;
 
+	if (!*fmt)
+		return 0;
+
 	seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt);
 
 	/*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 183/238] bitops: Do not default to __clear_bit() for __clear_bit_unlock()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2016-04-10 18:35 ` [PATCH 4.5 182/238] tracing: Fix trace_printk() to print when not using bprintk() Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 184/238] scripts/coccinelle: modernize & Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vineet Gupta, Peter Zijlstra (Intel),
	Andrew Morton, Christoph Lameter, David Rientjes, Helge Deller,
	James E.J. Bottomley, Joonsoo Kim, Linus Torvalds, Noam Camus,
	Paul E. McKenney, Pekka Enberg, Thomas Gleixner, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>

commit f75d48644c56a31731d17fa693c8175328957e1d upstream.

__clear_bit_unlock() is a special little snowflake. While it carries the
non-atomic '__' prefix, it is specifically documented to pair with
test_and_set_bit() and therefore should be 'somewhat' atomic.

Therefore the generic implementation of __clear_bit_unlock() cannot use
the fully non-atomic __clear_bit() as a default.

If an arch is able to do better; is must provide an implementation of
__clear_bit_unlock() itself.

Specifically, this came up as a result of hackbench livelock'ing in
slab_lock() on ARC with SMP + SLUB + !LLSC.

The issue was incorrect pairing of atomic ops.

 slab_lock() -> bit_spin_lock() -> test_and_set_bit()
 slab_unlock() -> __bit_spin_unlock() -> __clear_bit()

The non serializing __clear_bit() was getting "lost"

 80543b8e:	ld_s       r2,[r13,0] <--- (A) Finds PG_locked is set
 80543b90:	or         r3,r2,1    <--- (B) other core unlocks right here
 80543b94:	st_s       r3,[r13,0] <--- (C) sets PG_locked (overwrites unlock)

Fixes ARC STAR 9000817404 (and probably more).

Reported-by: Vineet Gupta <Vineet.Gupta1@synopsys.com>
Tested-by: Vineet Gupta <Vineet.Gupta1@synopsys.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Helge Deller <deller@gmx.de>
Cc: James E.J. Bottomley <jejb@parisc-linux.org>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Noam Camus <noamc@ezchip.com>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20160309114054.GJ6356@twins.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/asm-generic/bitops/lock.h |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/include/asm-generic/bitops/lock.h
+++ b/include/asm-generic/bitops/lock.h
@@ -29,16 +29,16 @@ do {					\
  * @nr: the bit to set
  * @addr: the address to start counting from
  *
- * This operation is like clear_bit_unlock, however it is not atomic.
- * It does provide release barrier semantics so it can be used to unlock
- * a bit lock, however it would only be used if no other CPU can modify
- * any bits in the memory until the lock is released (a good example is
- * if the bit lock itself protects access to the other bits in the word).
+ * A weaker form of clear_bit_unlock() as used by __bit_lock_unlock(). If all
+ * the bits in the word are protected by this lock some archs can use weaker
+ * ops to safely unlock.
+ *
+ * See for example x86's implementation.
  */
 #define __clear_bit_unlock(nr, addr)	\
 do {					\
-	smp_mb();			\
-	__clear_bit(nr, addr);		\
+	smp_mb__before_atomic();	\
+	clear_bit(nr, addr);		\
 } while (0)
 
 #endif /* _ASM_GENERIC_BITOPS_LOCK_H_ */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 184/238] scripts/coccinelle: modernize &
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 183/238] bitops: Do not default to __clear_bit() for __clear_bit_unlock() Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 185/238] scripts/kconfig: allow building with make 3.80 again Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Julia Lawall, Nishanth Menon, Michal Marek

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Julia Lawall <Julia.Lawall@lip6.fr>

commit 1b669e713f277a4d4b3cec84e13d16544ac8286d upstream.

& is no longer allowed in column 0, since Coccinelle 1.0.4.

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Tested-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Michal Marek <mmarek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 scripts/coccinelle/iterators/use_after_iter.cocci |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/scripts/coccinelle/iterators/use_after_iter.cocci
+++ b/scripts/coccinelle/iterators/use_after_iter.cocci
@@ -123,7 +123,7 @@ list_remove_head(x,c,...)
 |
 sizeof(<+...c...+>)
 |
-&c->member
+ &c->member
 |
 c = E
 |

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 185/238] scripts/kconfig: allow building with make 3.80 again
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 184/238] scripts/coccinelle: modernize & Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 186/238] kbuild/mkspec: fix grub2 installkernel issue Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Beulich, Michael Ellerman, Michal Marek

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Beulich <JBeulich@suse.com>

commit 42f9d3c6888bceef6dc7ba72c77acf47347dcf05 upstream.

Documentation/Changes still lists this as the minimal required version,
so it ought to remain usable for the time being.

Fixes: d2036f30cf ("scripts/kconfig/Makefile: Allow KBUILD_DEFCONFIG to be a target")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Michal Marek <mmarek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 scripts/kconfig/Makefile |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/scripts/kconfig/Makefile
+++ b/scripts/kconfig/Makefile
@@ -96,13 +96,15 @@ savedefconfig: $(obj)/conf
 defconfig: $(obj)/conf
 ifeq ($(KBUILD_DEFCONFIG),)
 	$< $(silent) --defconfig $(Kconfig)
-else ifneq ($(wildcard $(srctree)/arch/$(SRCARCH)/configs/$(KBUILD_DEFCONFIG)),)
+else
+ifneq ($(wildcard $(srctree)/arch/$(SRCARCH)/configs/$(KBUILD_DEFCONFIG)),)
 	@$(kecho) "*** Default configuration is based on '$(KBUILD_DEFCONFIG)'"
 	$(Q)$< $(silent) --defconfig=arch/$(SRCARCH)/configs/$(KBUILD_DEFCONFIG) $(Kconfig)
 else
 	@$(kecho) "*** Default configuration is based on target '$(KBUILD_DEFCONFIG)'"
 	$(Q)$(MAKE) -f $(srctree)/Makefile $(KBUILD_DEFCONFIG)
 endif
+endif
 
 %_defconfig: $(obj)/conf
 	$(Q)$< $(silent) --defconfig=arch/$(SRCARCH)/configs/$@ $(Kconfig)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 186/238] kbuild/mkspec: fix grub2 installkernel issue
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 185/238] scripts/kconfig: allow building with make 3.80 again Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 187/238] MAINTAINERS: Update mailing list and web page for hwmon subsystem Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Kosina, Michal Marek

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Kosina <jkosina@suse.cz>

commit c8b08ca558c0067bc9e15ce3f1e70af260410bb2 upstream.

mkspec is copying built kernel to temporrary location

	/boot/vmlinuz-$KERNELRELEASE-rpm

and runs installkernel on it. This however directly leads to grub2
menuentry for this suffixed binary being generated as well during the run
of installkernel script.

Later in the process the temporary -rpm suffixed files are removed, and
therefore we end up with spurious (and non-functional) grub2 menu entries
for each installed kernel RPM.

Fix that by using a different temporary name (prefixed by '.'), so that
the binary is not recognized as an actual kernel binary and no menuentry
is created for it.

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Fixes: 3c9c7a14b627 ("rpm-pkg: add %post section to create initramfs and grub hooks")
Signed-off-by: Michal Marek <mmarek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 scripts/package/mkspec |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/scripts/package/mkspec
+++ b/scripts/package/mkspec
@@ -131,11 +131,11 @@ echo 'rm -rf $RPM_BUILD_ROOT'
 echo ""
 echo "%post"
 echo "if [ -x /sbin/installkernel -a -r /boot/vmlinuz-$KERNELRELEASE -a -r /boot/System.map-$KERNELRELEASE ]; then"
-echo "cp /boot/vmlinuz-$KERNELRELEASE /boot/vmlinuz-$KERNELRELEASE-rpm"
-echo "cp /boot/System.map-$KERNELRELEASE /boot/System.map-$KERNELRELEASE-rpm"
+echo "cp /boot/vmlinuz-$KERNELRELEASE /boot/.vmlinuz-$KERNELRELEASE-rpm"
+echo "cp /boot/System.map-$KERNELRELEASE /boot/.System.map-$KERNELRELEASE-rpm"
 echo "rm -f /boot/vmlinuz-$KERNELRELEASE /boot/System.map-$KERNELRELEASE"
-echo "/sbin/installkernel $KERNELRELEASE /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm"
-echo "rm -f /boot/vmlinuz-$KERNELRELEASE-rpm /boot/System.map-$KERNELRELEASE-rpm"
+echo "/sbin/installkernel $KERNELRELEASE /boot/.vmlinuz-$KERNELRELEASE-rpm /boot/.System.map-$KERNELRELEASE-rpm"
+echo "rm -f /boot/.vmlinuz-$KERNELRELEASE-rpm /boot/.System.map-$KERNELRELEASE-rpm"
 echo "fi"
 echo ""
 echo "%files"

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 187/238] MAINTAINERS: Update mailing list and web page for hwmon subsystem
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 186/238] kbuild/mkspec: fix grub2 installkernel issue Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 188/238] ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jean Delvare, Guenter Roeck

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <linux@roeck-us.net>

commit 968ce1b1f45a7d76b5471b19bd035dbecc72f32d upstream.

The old web page for the hwmon subsystem is no longer operational,
and the mailing list has become unreliable. Move both to kernel.org.

Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 MAINTAINERS |   96 ++++++++++++++++++++++++++++++------------------------------
 1 file changed, 48 insertions(+), 48 deletions(-)

--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -228,13 +228,13 @@ F:	kernel/sys_ni.c
 
 ABIT UGURU 1,2 HARDWARE MONITOR DRIVER
 M:	Hans de Goede <hdegoede@redhat.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	drivers/hwmon/abituguru.c
 
 ABIT UGURU 3 HARDWARE MONITOR DRIVER
 M:	Alistair John Strachan <alistair@devzero.co.uk>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	drivers/hwmon/abituguru3.c
 
@@ -386,14 +386,14 @@ F:	Documentation/devicetree/bindings/net
 
 ADM1025 HARDWARE MONITOR DRIVER
 M:	Jean Delvare <jdelvare@suse.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/adm1025
 F:	drivers/hwmon/adm1025.c
 
 ADM1029 HARDWARE MONITOR DRIVER
 M:	Corentin Labbe <clabbe.montjoie@gmail.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	drivers/hwmon/adm1029.c
 
@@ -438,7 +438,7 @@ F:	drivers/video/backlight/adp8860_bl.c
 
 ADS1015 HARDWARE MONITOR DRIVER
 M:	Dirk Eibach <eibach@gdsys.de>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/ads1015
 F:	drivers/hwmon/ads1015.c
@@ -451,7 +451,7 @@ F:	drivers/macintosh/therm_adt746x.c
 
 ADT7475 HARDWARE MONITOR DRIVER
 M:	Jean Delvare <jdelvare@suse.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/adt7475
 F:	drivers/hwmon/adt7475.c
@@ -628,7 +628,7 @@ F:	include/linux/ccp.h
 
 AMD FAM15H PROCESSOR POWER MONITORING DRIVER
 M:	Huang Rui <ray.huang@amd.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Supported
 F:	Documentation/hwmon/fam15h_power
 F:	drivers/hwmon/fam15h_power.c
@@ -786,7 +786,7 @@ F:	drivers/input/mouse/bcm5974.c
 
 APPLE SMC DRIVER
 M:	Henrik Rydberg <rydberg@bitmath.org>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Odd fixes
 F:	drivers/hwmon/applesmc.c
 
@@ -1825,7 +1825,7 @@ F:	include/media/i2c/as3645a.h
 
 ASC7621 HARDWARE MONITOR DRIVER
 M:	George Joseph <george.joseph@fairview5.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/asc7621
 F:	drivers/hwmon/asc7621.c
@@ -1918,7 +1918,7 @@ F:	drivers/net/wireless/ath/carl9170/
 
 ATK0110 HWMON DRIVER
 M:	Luca Tettamanti <kronos.it@gmail.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	drivers/hwmon/asus_atk0110.c
 
@@ -3037,7 +3037,7 @@ F:	mm/swap_cgroup.c
 
 CORETEMP HARDWARE MONITORING DRIVER
 M:	Fenghua Yu <fenghua.yu@intel.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/coretemp
 F:	drivers/hwmon/coretemp.c
@@ -3625,7 +3625,7 @@ T:	git git://git.infradead.org/users/vko
 
 DME1737 HARDWARE MONITOR DRIVER
 M:	Juerg Haefliger <juergh@gmail.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/dme1737
 F:	drivers/hwmon/dme1737.c
@@ -4322,7 +4322,7 @@ F:	include/video/exynos_mipi*
 
 F71805F HARDWARE MONITORING DRIVER
 M:	Jean Delvare <jdelvare@suse.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/f71805f
 F:	drivers/hwmon/f71805f.c
@@ -4401,7 +4401,7 @@ F:	fs/*
 
 FINTEK F75375S HARDWARE MONITOR AND FAN CONTROLLER DRIVER
 M:	Riku Voipio <riku.voipio@iki.fi>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	drivers/hwmon/f75375s.c
 F:	include/linux/f75375s.h
@@ -4958,8 +4958,8 @@ F:	drivers/media/usb/hackrf/
 HARDWARE MONITORING
 M:	Jean Delvare <jdelvare@suse.com>
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
-W:	http://www.lm-sensors.org/
+L:	linux-hwmon@vger.kernel.org
+W:	http://hwmon.wiki.kernel.org/
 T:	quilt http://jdelvare.nerim.net/devel/linux/jdelvare-hwmon/
 T:	git git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git
 S:	Maintained
@@ -5484,7 +5484,7 @@ F:	drivers/usb/atm/ueagle-atm.c
 
 INA209 HARDWARE MONITOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/ina209
 F:	Documentation/devicetree/bindings/i2c/ina209.txt
@@ -5492,7 +5492,7 @@ F:	drivers/hwmon/ina209.c
 
 INA2XX HARDWARE MONITOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/ina2xx
 F:	drivers/hwmon/ina2xx.c
@@ -5985,7 +5985,7 @@ F:	drivers/isdn/hardware/eicon/
 
 IT87 HARDWARE MONITORING DRIVER
 M:	Jean Delvare <jdelvare@suse.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/it87
 F:	drivers/hwmon/it87.c
@@ -6021,7 +6021,7 @@ F:	drivers/media/dvb-frontends/ix2505v*
 
 JC42.4 TEMPERATURE SENSOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	drivers/hwmon/jc42.c
 F:	Documentation/hwmon/jc42
@@ -6071,14 +6071,14 @@ F:	drivers/tty/serial/jsm/
 
 K10TEMP HARDWARE MONITORING DRIVER
 M:	Clemens Ladisch <clemens@ladisch.de>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/k10temp
 F:	drivers/hwmon/k10temp.c
 
 K8TEMP HARDWARE MONITORING DRIVER
 M:	Rudolf Marek <r.marek@assembler.cz>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/k8temp
 F:	drivers/hwmon/k8temp.c
@@ -6605,27 +6605,27 @@ F:	net/llc/
 
 LM73 HARDWARE MONITOR DRIVER
 M:	Guillaume Ligneul <guillaume.ligneul@gmail.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	drivers/hwmon/lm73.c
 
 LM78 HARDWARE MONITOR DRIVER
 M:	Jean Delvare <jdelvare@suse.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/lm78
 F:	drivers/hwmon/lm78.c
 
 LM83 HARDWARE MONITOR DRIVER
 M:	Jean Delvare <jdelvare@suse.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/lm83
 F:	drivers/hwmon/lm83.c
 
 LM90 HARDWARE MONITOR DRIVER
 M:	Jean Delvare <jdelvare@suse.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/lm90
 F:	Documentation/devicetree/bindings/hwmon/lm90.txt
@@ -6633,7 +6633,7 @@ F:	drivers/hwmon/lm90.c
 
 LM95234 HARDWARE MONITOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/lm95234
 F:	drivers/hwmon/lm95234.c
@@ -6700,7 +6700,7 @@ F:	drivers/scsi/sym53c8xx_2/
 
 LTC4261 HARDWARE MONITOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/ltc4261
 F:	drivers/hwmon/ltc4261.c
@@ -6870,28 +6870,28 @@ F:	include/uapi/linux/matroxfb.h
 
 MAX16065 HARDWARE MONITOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/max16065
 F:	drivers/hwmon/max16065.c
 
 MAX20751 HARDWARE MONITOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/max20751
 F:	drivers/hwmon/max20751.c
 
 MAX6650 HARDWARE MONITOR AND FAN CONTROLLER DRIVER
 M:	"Hans J. Koch" <hjk@hansjkoch.de>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/max6650
 F:	drivers/hwmon/max6650.c
 
 MAX6697 HARDWARE MONITOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/max6697
 F:	Documentation/devicetree/bindings/i2c/max6697.txt
@@ -7455,7 +7455,7 @@ F:	drivers/scsi/NCR_D700.*
 
 NCT6775 HARDWARE MONITOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/nct6775
 F:	drivers/hwmon/nct6775.c
@@ -8235,7 +8235,7 @@ F:	drivers/video/logo/logo_parisc*
 
 PC87360 HARDWARE MONITORING DRIVER
 M:	Jim Cromie <jim.cromie@gmail.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/pc87360
 F:	drivers/hwmon/pc87360.c
@@ -8247,7 +8247,7 @@ F:	drivers/char/pc8736x_gpio.c
 
 PC87427 HARDWARE MONITORING DRIVER
 M:	Jean Delvare <jdelvare@suse.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/pc87427
 F:	drivers/hwmon/pc87427.c
@@ -8601,8 +8601,8 @@ F:	drivers/rtc/rtc-puv3.c
 
 PMBUS HARDWARE MONITORING DRIVERS
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
-W:	http://www.lm-sensors.org/
+L:	linux-hwmon@vger.kernel.org
+W:	http://hwmon.wiki.kernel.org/
 W:	http://www.roeck-us.net/linux/drivers/
 T:	git git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git
 S:	Maintained
@@ -8807,7 +8807,7 @@ F:	drivers/media/usb/pwc/*
 
 PWM FAN DRIVER
 M:	Kamil Debski <k.debski@samsung.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Supported
 F:	Documentation/devicetree/bindings/hwmon/pwm-fan.txt
 F:	Documentation/hwmon/pwm-fan
@@ -10113,28 +10113,28 @@ F:	Documentation/devicetree/bindings/med
 
 SMM665 HARDWARE MONITOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/smm665
 F:	drivers/hwmon/smm665.c
 
 SMSC EMC2103 HARDWARE MONITOR DRIVER
 M:	Steve Glendinning <steve.glendinning@shawell.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/emc2103
 F:	drivers/hwmon/emc2103.c
 
 SMSC SCH5627 HARDWARE MONITOR DRIVER
 M:	Hans de Goede <hdegoede@redhat.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Supported
 F:	Documentation/hwmon/sch5627
 F:	drivers/hwmon/sch5627.c
 
 SMSC47B397 HARDWARE MONITOR DRIVER
 M:	Jean Delvare <jdelvare@suse.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/smsc47b397
 F:	drivers/hwmon/smsc47b397.c
@@ -11067,7 +11067,7 @@ F:	include/linux/mmc/sh_mobile_sdhi.h
 
 TMP401 HARDWARE MONITOR DRIVER
 M:	Guenter Roeck <linux@roeck-us.net>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/tmp401
 F:	drivers/hwmon/tmp401.c
@@ -11812,14 +11812,14 @@ F:	Documentation/networking/vrf.txt
 
 VT1211 HARDWARE MONITOR DRIVER
 M:	Juerg Haefliger <juergh@gmail.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/vt1211
 F:	drivers/hwmon/vt1211.c
 
 VT8231 HARDWARE MONITOR DRIVER
 M:	Roger Lucas <vt8231@hiddenengine.co.uk>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	drivers/hwmon/vt8231.c
 
@@ -11838,21 +11838,21 @@ F:	drivers/w1/
 
 W83791D HARDWARE MONITORING DRIVER
 M:	Marc Hulsman <m.hulsman@tudelft.nl>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/w83791d
 F:	drivers/hwmon/w83791d.c
 
 W83793 HARDWARE MONITORING DRIVER
 M:	Rudolf Marek <r.marek@assembler.cz>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	Documentation/hwmon/w83793
 F:	drivers/hwmon/w83793.c
 
 W83795 HARDWARE MONITORING DRIVER
 M:	Jean Delvare <jdelvare@suse.com>
-L:	lm-sensors@lm-sensors.org
+L:	linux-hwmon@vger.kernel.org
 S:	Maintained
 F:	drivers/hwmon/w83795.c
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 188/238] ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 187/238] MAINTAINERS: Update mailing list and web page for hwmon subsystem Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 189/238] mmc: block: fix ABI regression of mmc_blk_ioctl Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, John Dahlstrom, Darren Hart

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: John Dahlstrom <jodarom@SDF.ORG>

commit 4db9675d927a71faa66e5ab128d2390d6329750b upstream.

Some Lenovo ideapad models lack a physical rfkill switch.
On Lenovo models ideapad Y700 Touch-15ISK and ideapad Y700-15ISK,
ideapad-laptop would wrongly report all radios as blocked by
hardware which caused wireless network connections to fail.

Add these models without an rfkill switch to the no_hw_rfkill list.

Signed-off-by: John Dahlstrom <jodarom@sdf.org>
Cc: <stable@vger.kernel.org> # 3.17.x-: 4fa9dab: ideapad_laptop: Lenovo G50-30 fix rfkill reports wireless blocked
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/platform/x86/ideapad-laptop.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/platform/x86/ideapad-laptop.c
+++ b/drivers/platform/x86/ideapad-laptop.c
@@ -865,6 +865,20 @@ static const struct dmi_system_id no_hw_
 		},
 	},
 	{
+		.ident = "Lenovo ideapad Y700-15ISK",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-15ISK"),
+		},
+	},
+	{
+		.ident = "Lenovo ideapad Y700 Touch-15ISK",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700 Touch-15ISK"),
+		},
+	},
+	{
 		.ident = "Lenovo ideapad Y700-17ISK",
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 189/238] mmc: block: fix ABI regression of mmc_blk_ioctl
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 188/238] ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 190/238] mmc: mmc_spi: Add Card Detect comments and fix CD GPIO case Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shawn Lin, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shawn Lin <shawn.lin@rock-chips.com>

commit 83c742c344c08c2bbe338d45c6ec63110e9d5e3d upstream.

If mmc_blk_ioctl returns -EINVAL, blkdev_ioctl continues to
work without returning err to user-space. But now we check
CAP_SYS_RAWIO firstly, so we return -EPERM to blkdev_ioctl,
which make blkdev_ioctl return -EPERM to user-space directly.
So this will break all the ioctl with BLKROSET. Now we find
Android-adb suffer it for the following log:

remount of /system failed;
couldn't make block device writable: Operation not permitted
openat(AT_FDCWD, "/dev/block/platform/ff420000.dwmmc/by-name/system", O_RDONLY) = 3
ioctl(3, BLKROSET, 0)  = -1 EPERM (Operation not permitted)

Fixes: a5f5774c55a2 ("mmc: block: Add new ioctl to send multi commands")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/card/block.c |   24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -589,6 +589,14 @@ static int mmc_blk_ioctl_cmd(struct bloc
 	struct mmc_card *card;
 	int err = 0, ioc_err = 0;
 
+	/*
+	 * The caller must have CAP_SYS_RAWIO, and must be calling this on the
+	 * whole block device, not on a partition.  This prevents overspray
+	 * between sibling partitions.
+	 */
+	if ((!capable(CAP_SYS_RAWIO)) || (bdev != bdev->bd_contains))
+		return -EPERM;
+
 	idata = mmc_blk_ioctl_copy_from_user(ic_ptr);
 	if (IS_ERR(idata))
 		return PTR_ERR(idata);
@@ -631,6 +639,14 @@ static int mmc_blk_ioctl_multi_cmd(struc
 	int i, err = 0, ioc_err = 0;
 	__u64 num_of_cmds;
 
+	/*
+	 * The caller must have CAP_SYS_RAWIO, and must be calling this on the
+	 * whole block device, not on a partition.  This prevents overspray
+	 * between sibling partitions.
+	 */
+	if ((!capable(CAP_SYS_RAWIO)) || (bdev != bdev->bd_contains))
+		return -EPERM;
+
 	if (copy_from_user(&num_of_cmds, &user->num_of_cmds,
 			   sizeof(num_of_cmds)))
 		return -EFAULT;
@@ -688,14 +704,6 @@ cmd_err:
 static int mmc_blk_ioctl(struct block_device *bdev, fmode_t mode,
 	unsigned int cmd, unsigned long arg)
 {
-	/*
-	 * The caller must have CAP_SYS_RAWIO, and must be calling this on the
-	 * whole block device, not on a partition.  This prevents overspray
-	 * between sibling partitions.
-	 */
-	if ((!capable(CAP_SYS_RAWIO)) || (bdev != bdev->bd_contains))
-		return -EPERM;
-
 	switch (cmd) {
 	case MMC_IOC_CMD:
 		return mmc_blk_ioctl_cmd(bdev,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 190/238] mmc: mmc_spi: Add Card Detect comments and fix CD GPIO case
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 189/238] mmc: block: fix ABI regression of mmc_blk_ioctl Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 191/238] mmc: sdhci: move initialisation of command error member Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Magnus Damm, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Magnus Damm <damm+renesas@opensource.se>

commit bcdc9f260bdce09913db1464be9817170d51044a upstream.

This patch fixes the MMC SPI driver from doing polling card detect when a
CD GPIO that supports interrupts is specified using the gpios DT property.

Without this patch the DT node below results in the following output:

 spi_gpio: spi-gpio { /* SD2 @ CN12 */
         compatible = "spi-gpio";
         #address-cells = <1>;
         #size-cells = <0>;
         gpio-sck = <&gpio6 16 GPIO_ACTIVE_HIGH>;
         gpio-mosi = <&gpio6 17 GPIO_ACTIVE_HIGH>;
         gpio-miso = <&gpio6 18 GPIO_ACTIVE_HIGH>;
         num-chipselects = <1>;
         cs-gpios = <&gpio6 21 GPIO_ACTIVE_LOW>;
         status = "okay";

         spi@0 {
                 compatible = "mmc-spi-slot";
                 reg = <0>;
                 voltage-ranges = <3200 3400>;
                 spi-max-frequency = <25000000>;
                 gpios = <&gpio6 22 GPIO_ACTIVE_LOW>;   /* CD */
         };
 };

 # dmesg | grep mmc
 mmc_spi spi32766.0: SD/MMC host mmc0, no WP, no poweroff, cd polling
 mmc0: host does not support reading read-only switch, assuming write-enable
 mmc0: new SDHC card on SPI
 mmcblk0: mmc0:0000 SU04G 3.69 GiB
 mmcblk0: p1

With this patch applied the "cd polling" portion above disappears.

Signed-off-by: Magnus Damm <damm+renesas@opensource.se>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/mmc_spi.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/mmc/host/mmc_spi.c
+++ b/drivers/mmc/host/mmc_spi.c
@@ -1442,6 +1442,12 @@ static int mmc_spi_probe(struct spi_devi
 					     host->pdata->cd_debounce);
 		if (status != 0)
 			goto fail_add_host;
+
+		/* The platform has a CD GPIO signal that may support
+		 * interrupts, so let mmc_gpiod_request_cd_irq() decide
+		 * if polling is needed or not.
+		 */
+		mmc->caps &= ~MMC_CAP_NEEDS_POLL;
 		mmc_gpiod_request_cd_irq(mmc);
 	}
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 191/238] mmc: sdhci: move initialisation of command error member
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 190/238] mmc: mmc_spi: Add Card Detect comments and fix CD GPIO case Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 192/238] mmc: sdhci: clean up command error handling Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Adrian Hunter,
	Gregory CLEMENT, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit 96776200898cf9c1965b9f8b9a128e94bb6dce18 upstream.

When a command is started, logically it has no error.  Initialise the
command's error member to zero whenever we start a command.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
[ Goes with "mmc: sdhci: fix command response CRC error handling" ]
Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -1003,6 +1003,9 @@ void sdhci_send_command(struct sdhci_hos
 
 	WARN_ON(host->cmd);
 
+	/* Initially, a command has no error */
+	cmd->error = 0;
+
 	/* Wait max 10 ms */
 	timeout = 10;
 
@@ -1097,8 +1100,6 @@ static void sdhci_finish_command(struct
 		}
 	}
 
-	host->cmd->error = 0;
-
 	/* Finished CMD23, now send actual command. */
 	if (host->cmd == host->mrq->sbc) {
 		host->cmd = NULL;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 192/238] mmc: sdhci: clean up command error handling
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 191/238] mmc: sdhci: move initialisation of command error member Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 193/238] mmc: sdhci: fix command response CRC " Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Adrian Hunter,
	Gregory CLEMENT, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit ec014cbacf6229c583cb832726ca39be1ae3d8c3 upstream.

Avoid multiple tests while handling a command error; simplify the code.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
[ Goes with "mmc: sdhci: fix command response CRC error handling" ]
Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -2323,13 +2323,13 @@ static void sdhci_cmd_irq(struct sdhci_h
 		return;
 	}
 
-	if (intmask & SDHCI_INT_TIMEOUT)
-		host->cmd->error = -ETIMEDOUT;
-	else if (intmask & (SDHCI_INT_CRC | SDHCI_INT_END_BIT |
-			SDHCI_INT_INDEX))
-		host->cmd->error = -EILSEQ;
+	if (intmask & (SDHCI_INT_TIMEOUT | SDHCI_INT_CRC |
+		       SDHCI_INT_END_BIT | SDHCI_INT_INDEX)) {
+		if (intmask & SDHCI_INT_TIMEOUT)
+			host->cmd->error = -ETIMEDOUT;
+		else
+			host->cmd->error = -EILSEQ;
 
-	if (host->cmd->error) {
 		tasklet_schedule(&host->finish_tasklet);
 		return;
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 193/238] mmc: sdhci: fix command response CRC error handling
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 192/238] mmc: sdhci: clean up command error handling Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 194/238] mmc: sdhci: further fix for DMA unmapping in sdhci_post_req() Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Adrian Hunter,
	Gregory CLEMENT, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit 71fcbda0fcddd0896c4982a484f6c8aa802d28b1 upstream.

When we get a response CRC error on a command, it means that the
response we received back from the card was not correct.  It does not
mean that the card did not receive the command correctly.  If the
command is one which initiates a data transfer, the card can enter the
data transfer state, and start sending data.

Moreover, if the request contained a data phase, we do not clean this
up, and this results in the driver triggering DMA API debug warnings,
and also creates a race condition in the driver, between running the
finish_tasklet and the data transfer interrupts, which can trigger a
"Got data interrupt" state dump.

Fix this by handing a response CRC error slightly differently: record
the failure of the data initiating command, but allow the remainder of
the request to be processed normally.  This is safe as core MMC checks
the status of all commands and data transfer phases of the request.

If the card does not initiate a data transfer, then we should time out
according to the data transfer parameters.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[ Fix missing parenthesis around bitwise-AND expression, and tweak subject ]
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -2330,6 +2330,23 @@ static void sdhci_cmd_irq(struct sdhci_h
 		else
 			host->cmd->error = -EILSEQ;
 
+		/*
+		 * If this command initiates a data phase and a response
+		 * CRC error is signalled, the card can start transferring
+		 * data - the card may have received the command without
+		 * error.  We must not terminate the mmc_request early.
+		 *
+		 * If the card did not receive the command or returned an
+		 * error which prevented it sending data, the data phase
+		 * will time out.
+		 */
+		if (host->cmd->data &&
+		    (intmask & (SDHCI_INT_CRC | SDHCI_INT_TIMEOUT)) ==
+		     SDHCI_INT_CRC) {
+			host->cmd = NULL;
+			return;
+		}
+
 		tasklet_schedule(&host->finish_tasklet);
 		return;
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 194/238] mmc: sdhci: further fix for DMA unmapping in sdhci_post_req()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 193/238] mmc: sdhci: fix command response CRC " Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 195/238] mmc: sdhci: avoid unnecessary mapping/unmapping of align buffer Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Adrian Hunter,
	Gregory CLEMENT, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit 771a3dc225815b7cc691c1ce703a3af8488e48df upstream.

sdhci_post_req() exists to unmap a previously mapped but already
finished request, while the next request is in progress.  However, the
state of the SDHCI_REQ_USE_DMA flag depends on the last submitted
request.

This means we can end up clearing the flag due to a quirk, which then
means that sdhci_post_req() fails to unmap the DMA buffer, potentially
leading to data corruption.

We can safely ignore the SDHCI_REQ_USE_DMA here, as testing
data->host_cookie is entirely sufficient.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[ Re-based to apply as a separate fix ]
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |   15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -2115,14 +2115,13 @@ static void sdhci_post_req(struct mmc_ho
 	struct sdhci_host *host = mmc_priv(mmc);
 	struct mmc_data *data = mrq->data;
 
-	if (host->flags & SDHCI_REQ_USE_DMA) {
-		if (data->host_cookie == COOKIE_GIVEN ||
-				data->host_cookie == COOKIE_MAPPED)
-			dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len,
-					 data->flags & MMC_DATA_WRITE ?
-					 DMA_TO_DEVICE : DMA_FROM_DEVICE);
-		data->host_cookie = COOKIE_UNMAPPED;
-	}
+	if (data->host_cookie == COOKIE_GIVEN ||
+	    data->host_cookie == COOKIE_MAPPED)
+		dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len,
+			     data->flags & MMC_DATA_WRITE ?
+			       DMA_TO_DEVICE : DMA_FROM_DEVICE);
+
+	data->host_cookie = COOKIE_UNMAPPED;
 }
 
 static int sdhci_pre_dma_transfer(struct sdhci_host *host,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 195/238] mmc: sdhci: avoid unnecessary mapping/unmapping of align buffer
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 194/238] mmc: sdhci: further fix for DMA unmapping in sdhci_post_req() Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 196/238] mmc: sdhci: plug DMA mapping leak on error Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Adrian Hunter,
	Gregory CLEMENT, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit edd63fcc97cdb53279a7c43fa1691f5913d92793 upstream.

Unnecessarily mapping and unmapping the align buffer for SD cards is
expensive: performance measurements on iMX6 show that this gives a hit
of 10% on hdparm buffered disk reads.

MMC/SD card IO comes from the mm/vfs which gives us page based IO, so
for this case, the align buffer is not going to be used.  However, we
still map and unmap this buffer.

Eliminate this by switching the align buffer to be a DMA coherent
buffer, which needs no DMA maintenance to access the buffer.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |   54 +++++++++++++++--------------------------------
 1 file changed, 18 insertions(+), 36 deletions(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -465,8 +465,6 @@ static void sdhci_adma_mark_end(void *de
 static int sdhci_adma_table_pre(struct sdhci_host *host,
 	struct mmc_data *data)
 {
-	int direction;
-
 	void *desc;
 	void *align;
 	dma_addr_t addr;
@@ -483,20 +481,9 @@ static int sdhci_adma_table_pre(struct s
 	 * We currently guess that it is LE.
 	 */
 
-	if (data->flags & MMC_DATA_READ)
-		direction = DMA_FROM_DEVICE;
-	else
-		direction = DMA_TO_DEVICE;
-
-	host->align_addr = dma_map_single(mmc_dev(host->mmc),
-		host->align_buffer, host->align_buffer_sz, direction);
-	if (dma_mapping_error(mmc_dev(host->mmc), host->align_addr))
-		goto fail;
-	BUG_ON(host->align_addr & SDHCI_ADMA2_MASK);
-
 	host->sg_count = sdhci_pre_dma_transfer(host, data);
 	if (host->sg_count < 0)
-		goto unmap_align;
+		return -EINVAL;
 
 	desc = host->adma_table;
 	align = host->align_buffer;
@@ -570,22 +557,7 @@ static int sdhci_adma_table_pre(struct s
 		/* nop, end, valid */
 		sdhci_adma_write_desc(host, desc, 0, 0, ADMA2_NOP_END_VALID);
 	}
-
-	/*
-	 * Resync align buffer as we might have changed it.
-	 */
-	if (data->flags & MMC_DATA_WRITE) {
-		dma_sync_single_for_device(mmc_dev(host->mmc),
-			host->align_addr, host->align_buffer_sz, direction);
-	}
-
 	return 0;
-
-unmap_align:
-	dma_unmap_single(mmc_dev(host->mmc), host->align_addr,
-		host->align_buffer_sz, direction);
-fail:
-	return -EINVAL;
 }
 
 static void sdhci_adma_table_post(struct sdhci_host *host,
@@ -605,9 +577,6 @@ static void sdhci_adma_table_post(struct
 	else
 		direction = DMA_TO_DEVICE;
 
-	dma_unmap_single(mmc_dev(host->mmc), host->align_addr,
-		host->align_buffer_sz, direction);
-
 	/* Do a quick scan of the SG list for any unaligned mappings */
 	has_unaligned = false;
 	for_each_sg(data->sg, sg, host->sg_count, i)
@@ -2984,14 +2953,21 @@ int sdhci_add_host(struct sdhci_host *ho
 						      &host->adma_addr,
 						      GFP_KERNEL);
 		host->align_buffer_sz = SDHCI_MAX_SEGS * SDHCI_ADMA2_ALIGN;
-		host->align_buffer = kmalloc(host->align_buffer_sz, GFP_KERNEL);
+		host->align_buffer = dma_alloc_coherent(mmc_dev(mmc),
+							host->align_buffer_sz,
+							&host->align_addr,
+							GFP_KERNEL);
 		if (!host->adma_table || !host->align_buffer) {
 			if (host->adma_table)
 				dma_free_coherent(mmc_dev(mmc),
 						  host->adma_table_sz,
 						  host->adma_table,
 						  host->adma_addr);
-			kfree(host->align_buffer);
+			if (host->align_buffer)
+				dma_free_coherent(mmc_dev(mmc),
+						  host->align_buffer_sz,
+						  host->align_buffer,
+						  host->align_addr);
 			pr_warn("%s: Unable to allocate ADMA buffers - falling back to standard DMA\n",
 				mmc_hostname(mmc));
 			host->flags &= ~SDHCI_USE_ADMA;
@@ -3003,10 +2979,14 @@ int sdhci_add_host(struct sdhci_host *ho
 			host->flags &= ~SDHCI_USE_ADMA;
 			dma_free_coherent(mmc_dev(mmc), host->adma_table_sz,
 					  host->adma_table, host->adma_addr);
-			kfree(host->align_buffer);
+			dma_free_coherent(mmc_dev(mmc), host->align_buffer_sz,
+					  host->align_buffer, host->align_addr);
 			host->adma_table = NULL;
 			host->align_buffer = NULL;
 		}
+
+		/* dma_alloc_coherent returns page aligned and sized buffers */
+		BUG_ON(host->align_addr & SDHCI_ADMA2_MASK);
 	}
 
 	/*
@@ -3469,7 +3449,9 @@ void sdhci_remove_host(struct sdhci_host
 	if (host->adma_table)
 		dma_free_coherent(mmc_dev(mmc), host->adma_table_sz,
 				  host->adma_table, host->adma_addr);
-	kfree(host->align_buffer);
+	if (host->align_buffer)
+		dma_free_coherent(mmc_dev(mmc), host->align_buffer_sz,
+				  host->align_buffer, host->align_addr);
 
 	host->adma_table = NULL;
 	host->align_buffer = NULL;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 196/238] mmc: sdhci: plug DMA mapping leak on error
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 195/238] mmc: sdhci: avoid unnecessary mapping/unmapping of align buffer Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 197/238] mmc: sdhci: fix data timeout (part 1) Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Adrian Hunter,
	Gregory CLEMENT, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit 054cedff5e025a54ceefff891c6ea42ee8b37eab upstream.

If we terminate a command early, we fail to properly clean up the DMA
mappings for the data part of the request.  Put this clean up to the
tasklet, which is the common path for finishing a request so we always
clean up after ourselves.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[ Split original patch so that it now contains only the fix ]
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -2207,6 +2207,22 @@ static void sdhci_tasklet_finish(unsigne
 	mrq = host->mrq;
 
 	/*
+	 * Always unmap the data buffers if they were mapped by
+	 * sdhci_prepare_data() whenever we finish with a request.
+	 * This avoids leaking DMA mappings on error.
+	 */
+	if (host->flags & SDHCI_REQ_USE_DMA) {
+		struct mmc_data *data = mrq->data;
+
+		if (data && data->host_cookie == COOKIE_MAPPED) {
+			dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len,
+				     (data->flags & MMC_DATA_READ) ?
+				     DMA_FROM_DEVICE : DMA_TO_DEVICE);
+			data->host_cookie = COOKIE_UNMAPPED;
+		}
+	}
+
+	/*
 	 * The controller needs a reset of internal state machines
 	 * upon error conditions.
 	 */

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 197/238] mmc: sdhci: fix data timeout (part 1)
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 196/238] mmc: sdhci: plug DMA mapping leak on error Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 198/238] mmc: sdhci: fix data timeout (part 2) Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Adrian Hunter,
	Gregory CLEMENT, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit fafcfda9e78cae8796d1799f14e6457790797555 upstream.

The data timeout gives the minimum amount of time that should be
waited before timing out if no data is received from the card.
Simply dividing the nanosecond part by 1000 does not give this
required guarantee, since such a division rounds down.  Use
DIV_ROUND_UP() to give the desired timeout.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -635,7 +635,7 @@ static u8 sdhci_calc_timeout(struct sdhc
 	if (!data)
 		target_timeout = cmd->busy_timeout * 1000;
 	else {
-		target_timeout = data->timeout_ns / 1000;
+		target_timeout = DIV_ROUND_UP(data->timeout_ns, 1000);
 		if (host->clock)
 			target_timeout += data->timeout_clks / host->clock;
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 198/238] mmc: sdhci: fix data timeout (part 2)
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 197/238] mmc: sdhci: fix data timeout (part 1) Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 199/238] mmc: sdhci-pxav3: fix higher speed mode capabilities Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Adrian Hunter,
	Gregory CLEMENT, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit 7f05538af71c7d30b5fc821cbe9f318edc645961 upstream.

The calculation for the timeout based on the number of card clocks is
incorrect.  The calculation assumed:

	timeout in microseconds = clock cycles / clock in Hz

which is clearly a several orders of magnitude wrong.  Fix this by
multiplying the clock cycles by 1000000 prior to dividing by the Hz
based clock.  Also, as per part 1, ensure that the division rounds
up.

As this needs 64-bit math via do_div(), avoid it if the clock cycles
is zero.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -636,8 +636,19 @@ static u8 sdhci_calc_timeout(struct sdhc
 		target_timeout = cmd->busy_timeout * 1000;
 	else {
 		target_timeout = DIV_ROUND_UP(data->timeout_ns, 1000);
-		if (host->clock)
-			target_timeout += data->timeout_clks / host->clock;
+		if (host->clock && data->timeout_clks) {
+			unsigned long long val;
+
+			/*
+			 * data->timeout_clks is in units of clock cycles.
+			 * host->clock is in Hz.  target_timeout is in us.
+			 * Hence, us = 1000000 * cycles / Hz.  Round up.
+			 */
+			val = 1000000 * data->timeout_clks;
+			if (do_div(val, host->clock))
+				target_timeout++;
+			target_timeout += val;
+		}
 	}
 
 	/*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 199/238] mmc: sdhci-pxav3: fix higher speed mode capabilities
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 198/238] mmc: sdhci: fix data timeout (part 2) Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 200/238] mmc: tegra: Disable UHS-I modes for tegra114 Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Russell King, Adrian Hunter,
	Gregory CLEMENT, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Russell King <rmk+kernel@arm.linux.org.uk>

commit 0ca33b4ad9cfc133bb3d93eec1ad0eea83d6f252 upstream.

Commit 1140011ee9d9 ("mmc: sdhci-pxav3: Modify clock settings for the
SDR50 and DDR50 modes") broke any chance of the SDR50 or DDR50 modes
being used.

The commit claims that SDR50 and DDR50 require clock adjustments in
the SDIO3 Configuration register, which is located via the "conf-sdio3"
resource.  However, when this resource is given, we fail to read the
host capabilities 1 register, resulting in host->caps1 being zero.
Hence, both SDHCI_SUPPORT_SDR50 and SDHCI_SUPPORT_DDR50 bits remain
zero, disabling the SDR50 and DDR50 modes.

The underlying idea in this function appears to be to read the device
capabilities, modify them, and set SDHCI_QUIRK_MISSING_CAPS to cause
our modified capabilities to be used.  Implement exactly that.

Fixes: 1140011ee9d9 ("mmc: sdhci-pxav3: Modify clock settings for the SDR50 and DDR50 modes")
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci-pxav3.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/mmc/host/sdhci-pxav3.c
+++ b/drivers/mmc/host/sdhci-pxav3.c
@@ -137,6 +137,10 @@ static int armada_38x_quirks(struct plat
 
 	host->quirks &= ~SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN;
 	host->quirks |= SDHCI_QUIRK_MISSING_CAPS;
+
+	host->caps = sdhci_readl(host, SDHCI_CAPABILITIES);
+	host->caps1 = sdhci_readl(host, SDHCI_CAPABILITIES_1);
+
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
 					   "conf-sdio3");
 	if (res) {
@@ -150,7 +154,6 @@ static int armada_38x_quirks(struct plat
 		 * Configuration register, if the adjustment is not done,
 		 * remove them from the capabilities.
 		 */
-		host->caps1 = sdhci_readl(host, SDHCI_CAPABILITIES_1);
 		host->caps1 &= ~(SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50);
 
 		dev_warn(&pdev->dev, "conf-sdio3 register not found: disabling SDR50 and DDR50 modes.\nConsider updating your dtb\n");
@@ -161,7 +164,6 @@ static int armada_38x_quirks(struct plat
 	 * controller has different capabilities than the ones shown
 	 * in its registers
 	 */
-	host->caps = sdhci_readl(host, SDHCI_CAPABILITIES);
 	if (of_property_read_bool(np, "no-1-8-v")) {
 		host->caps &= ~SDHCI_CAN_VDD_180;
 		host->mmc->caps &= ~MMC_CAP_1_8V_DDR;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 200/238] mmc: tegra: Disable UHS-I modes for tegra114
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 199/238] mmc: sdhci-pxav3: fix higher speed mode capabilities Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 201/238] mmc: tegra: properly disable card clock Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Hunter, Lucas Stach,
	Thierry Reding, Adrian Hunter, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jon Hunter <jonathanh@nvidia.com>

commit 7bf037d6ac4768e228e337afd7b6c6d98f947f9f upstream.

SD card support for Tegra114 started failing after commit a8e326a911d3
("mmc: tegra: implement module external clock change") was merged. This
commit was part of a series to enable UHS-I modes for Tegra. To
workaround this problem for now, disable UHS-I modes for Tegra114 by
separating the soc data structures for Tegra114 and Tegra124 so that
UHS-I is still enabled for Tegra124 but not Tegra114.

Fixes: a8e326a911d3 ("mmc: tegra: implement module external clock change")
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Lucas Stach <dev@lynxeye.de>
Acked-by: Thierry Reding <treding@nvidia.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci-tegra.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/mmc/host/sdhci-tegra.c
+++ b/drivers/mmc/host/sdhci-tegra.c
@@ -147,10 +147,16 @@ static void tegra_sdhci_reset(struct sdh
 	/* Advertise UHS modes as supported by host */
 	if (soc_data->nvquirks & NVQUIRK_ENABLE_SDR50)
 		misc_ctrl |= SDHCI_MISC_CTRL_ENABLE_SDR50;
+	else
+		misc_ctrl &= ~SDHCI_MISC_CTRL_ENABLE_SDR50;
 	if (soc_data->nvquirks & NVQUIRK_ENABLE_DDR50)
 		misc_ctrl |= SDHCI_MISC_CTRL_ENABLE_DDR50;
+	else
+		misc_ctrl &= ~SDHCI_MISC_CTRL_ENABLE_DDR50;
 	if (soc_data->nvquirks & NVQUIRK_ENABLE_SDR104)
 		misc_ctrl |= SDHCI_MISC_CTRL_ENABLE_SDR104;
+	else
+		misc_ctrl &= ~SDHCI_MISC_CTRL_ENABLE_SDR104;
 	sdhci_writel(host, misc_ctrl, SDHCI_TEGRA_VENDOR_MISC_CTRL);
 
 	clk_ctrl = sdhci_readl(host, SDHCI_TEGRA_VENDOR_CLOCK_CTRL);
@@ -335,6 +341,10 @@ static const struct sdhci_pltfm_data sdh
 
 static const struct sdhci_tegra_soc_data soc_data_tegra114 = {
 	.pdata = &sdhci_tegra114_pdata,
+};
+
+static const struct sdhci_tegra_soc_data soc_data_tegra124 = {
+	.pdata = &sdhci_tegra114_pdata,
 	.nvquirks = NVQUIRK_ENABLE_SDR50 |
 		    NVQUIRK_ENABLE_DDR50 |
 		    NVQUIRK_ENABLE_SDR104,
@@ -357,7 +367,7 @@ static const struct sdhci_tegra_soc_data
 
 static const struct of_device_id sdhci_tegra_dt_match[] = {
 	{ .compatible = "nvidia,tegra210-sdhci", .data = &soc_data_tegra210 },
-	{ .compatible = "nvidia,tegra124-sdhci", .data = &soc_data_tegra114 },
+	{ .compatible = "nvidia,tegra124-sdhci", .data = &soc_data_tegra124 },
 	{ .compatible = "nvidia,tegra114-sdhci", .data = &soc_data_tegra114 },
 	{ .compatible = "nvidia,tegra30-sdhci", .data = &soc_data_tegra30 },
 	{ .compatible = "nvidia,tegra20-sdhci", .data = &soc_data_tegra20 },

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 201/238] mmc: tegra: properly disable card clock
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 200/238] mmc: tegra: Disable UHS-I modes for tegra114 Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 202/238] mmc: sdhci: Fix override of timeout clk wrt max_busy_timeout Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lucas Stach, Adrian Hunter, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lucas Stach <dev@lynxeye.de>

commit 3491b69045b1926a198ba70dc1296ca253f2fbdd upstream.

The new code to do the clock rate setting externally to the SDMMC
module has a shortcut to not propagate changes with a 0 rate to
the CAR by simply bailing out. This breaks proper cutting of the
card clock. Fix it by directly calling the correct sdhci function.

Fixes: a8e326a911d3 "mmc: tegra: implement module external clock change"
Signed-off-by: Lucas Stach <dev@lynxeye.de>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci-tegra.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mmc/host/sdhci-tegra.c
+++ b/drivers/mmc/host/sdhci-tegra.c
@@ -194,7 +194,7 @@ static void tegra_sdhci_set_clock(struct
 	unsigned long host_clk;
 
 	if (!clock)
-		return;
+		return sdhci_set_clock(host, clock);
 
 	host_clk = tegra_host->ddr_signaling ? clock * 2 : clock;
 	clk_set_rate(pltfm_host->clk, host_clk);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 202/238] mmc: sdhci: Fix override of timeout clk wrt max_busy_timeout
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 201/238] mmc: tegra: properly disable card clock Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 203/238] mmc: atmel-mci: Check pdata for NULL before dereferencing it at DMA config Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Adrian Hunter <adrian.hunter@intel.com>

commit 995136247915c5cee633d55ba23f6eebf67aa567 upstream.

Normally the timeout clock frequency is read from the capabilities
register.  It is also possible to set the value prior to calling
sdhci_add_host() in which case that value will override the
capabilities register value.  However that was being done after
calculating max_busy_timeout so that max_busy_timeout was being
calculated using the wrong value of timeout_clk.

Fix that by moving the override before max_busy_timeout is
calculated.

The result is that the max_busy_timeout and max_discard
increase for BSW devices so that, for example, the time for
mkfs.ext4 on a 64GB eMMC drops from about 1 minute 40 seconds
to about 20 seconds.

Note, in the future, the capabilities setting will be tidied up
and this override won't be used anymore.  However this fix is
needed for stable.

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -3096,14 +3096,14 @@ int sdhci_add_host(struct sdhci_host *ho
 		if (caps[0] & SDHCI_TIMEOUT_CLK_UNIT)
 			host->timeout_clk *= 1000;
 
+		if (override_timeout_clk)
+			host->timeout_clk = override_timeout_clk;
+
 		mmc->max_busy_timeout = host->ops->get_max_timeout_count ?
 			host->ops->get_max_timeout_count(host) : 1 << 27;
 		mmc->max_busy_timeout /= host->timeout_clk;
 	}
 
-	if (override_timeout_clk)
-		host->timeout_clk = override_timeout_clk;
-
 	mmc->caps |= MMC_CAP_SDIO_IRQ | MMC_CAP_ERASE | MMC_CAP_CMD23;
 	mmc->caps2 |= MMC_CAP2_SDIO_IRQ_NOTHREAD;
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 203/238] mmc: atmel-mci: Check pdata for NULL before dereferencing it at DMA config
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 202/238] mmc: sdhci: Fix override of timeout clk wrt max_busy_timeout Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 204/238] clk: rockchip: rk3368: fix cpuclk mux bit of big cpu-cluster Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Brent Taylor, Ulf Hansson

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Brent Taylor <motobud@gmail.com>

commit 93c77d2999b09f2084b033ea6489915e0104ad9c upstream.

Using an at91sam9g20ek development board with DTS configuration may trigger
a kernel panic because of a NULL pointer dereference exception, while
configuring DMA. Let's fix this by adding a check for pdata before
dereferencing it.

Signed-off-by: Brent Taylor <motobud@gmail.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/atmel-mci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mmc/host/atmel-mci.c
+++ b/drivers/mmc/host/atmel-mci.c
@@ -2443,7 +2443,7 @@ static int atmci_configure_dma(struct at
 		struct mci_platform_data *pdata = host->pdev->dev.platform_data;
 		dma_cap_mask_t mask;
 
-		if (!pdata->dma_filter)
+		if (!pdata || !pdata->dma_filter)
 			return -ENODEV;
 
 		dma_cap_zero(mask);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 204/238] clk: rockchip: rk3368: fix cpuclk mux bit of big cpu-cluster
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 203/238] mmc: atmel-mci: Check pdata for NULL before dereferencing it at DMA config Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 205/238] clk: rockchip: rk3368: fix cpuclk core dividers Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhang Qing, Heiko Stuebner

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Stuebner <heiko@sntech.de>

commit 535ebd428aeb07c3327947281306f2943f2c9faa upstream.

Both clusters have their mux bit in bit 7 of their respective register.
For whatever reason the big cluster currently lists bit 15 which is
definitly wrong.

Fixes: 3536c97a52db ("clk: rockchip: add rk3368 clock controller")
Reported-by: Zhang Qing <zhangqing@rock-chips.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: zhangqing <zhangqing@rock-chips.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/rockchip/clk-rk3368.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/rockchip/clk-rk3368.c
+++ b/drivers/clk/rockchip/clk-rk3368.c
@@ -165,7 +165,7 @@ static const struct rockchip_cpuclk_reg_
 	.core_reg = RK3368_CLKSEL_CON(0),
 	.div_core_shift = 0,
 	.div_core_mask = 0x1f,
-	.mux_core_shift = 15,
+	.mux_core_shift = 7,
 };
 
 static const struct rockchip_cpuclk_reg_data rk3368_cpuclkl_data = {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 205/238] clk: rockchip: rk3368: fix cpuclk core dividers
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 204/238] clk: rockchip: rk3368: fix cpuclk mux bit of big cpu-cluster Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 206/238] clk: rockchip: rk3368: fix parents of video encoder/decoder Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhang Qing, Heiko Stuebner

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Stuebner <heiko@sntech.de>

commit c6d5fe2ca8286f35a79f7345c9378c39d48a1527 upstream.

Similar to commit 9880d4277f6a ("clk: rockchip: fix rk3288 cpuclk core
dividers") it seems the cpuclk dividers are one to high on the rk3368
as well.

And again similar to the previous fix, we opt to make the divider list
contain the values to be written to use the same paradigm for them on all
supported socs.

Fixes: 3536c97a52db ("clk: rockchip: add rk3368 clock controller")
Reported-by: Zhang Qing <zhangqing@rock-chips.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: zhangqing <zhangqing@rock-chips.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/rockchip/clk-rk3368.c |   40 +++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

--- a/drivers/clk/rockchip/clk-rk3368.c
+++ b/drivers/clk/rockchip/clk-rk3368.c
@@ -218,29 +218,29 @@ static const struct rockchip_cpuclk_reg_
 	}
 
 static struct rockchip_cpuclk_rate_table rk3368_cpuclkb_rates[] __initdata = {
-	RK3368_CPUCLKB_RATE(1512000000, 2, 6, 6),
-	RK3368_CPUCLKB_RATE(1488000000, 2, 5, 5),
-	RK3368_CPUCLKB_RATE(1416000000, 2, 5, 5),
-	RK3368_CPUCLKB_RATE(1200000000, 2, 4, 4),
-	RK3368_CPUCLKB_RATE(1008000000, 2, 4, 4),
-	RK3368_CPUCLKB_RATE( 816000000, 2, 3, 3),
-	RK3368_CPUCLKB_RATE( 696000000, 2, 3, 3),
-	RK3368_CPUCLKB_RATE( 600000000, 2, 2, 2),
-	RK3368_CPUCLKB_RATE( 408000000, 2, 2, 2),
-	RK3368_CPUCLKB_RATE( 312000000, 2, 2, 2),
+	RK3368_CPUCLKB_RATE(1512000000, 1, 5, 5),
+	RK3368_CPUCLKB_RATE(1488000000, 1, 4, 4),
+	RK3368_CPUCLKB_RATE(1416000000, 1, 4, 4),
+	RK3368_CPUCLKB_RATE(1200000000, 1, 3, 3),
+	RK3368_CPUCLKB_RATE(1008000000, 1, 3, 3),
+	RK3368_CPUCLKB_RATE( 816000000, 1, 2, 2),
+	RK3368_CPUCLKB_RATE( 696000000, 1, 2, 2),
+	RK3368_CPUCLKB_RATE( 600000000, 1, 1, 1),
+	RK3368_CPUCLKB_RATE( 408000000, 1, 1, 1),
+	RK3368_CPUCLKB_RATE( 312000000, 1, 1, 1),
 };
 
 static struct rockchip_cpuclk_rate_table rk3368_cpuclkl_rates[] __initdata = {
-	RK3368_CPUCLKL_RATE(1512000000, 2, 7, 7),
-	RK3368_CPUCLKL_RATE(1488000000, 2, 6, 6),
-	RK3368_CPUCLKL_RATE(1416000000, 2, 6, 6),
-	RK3368_CPUCLKL_RATE(1200000000, 2, 5, 5),
-	RK3368_CPUCLKL_RATE(1008000000, 2, 5, 5),
-	RK3368_CPUCLKL_RATE( 816000000, 2, 4, 4),
-	RK3368_CPUCLKL_RATE( 696000000, 2, 3, 3),
-	RK3368_CPUCLKL_RATE( 600000000, 2, 3, 3),
-	RK3368_CPUCLKL_RATE( 408000000, 2, 2, 2),
-	RK3368_CPUCLKL_RATE( 312000000, 2, 2, 2),
+	RK3368_CPUCLKL_RATE(1512000000, 1, 6, 6),
+	RK3368_CPUCLKL_RATE(1488000000, 1, 5, 5),
+	RK3368_CPUCLKL_RATE(1416000000, 1, 5, 5),
+	RK3368_CPUCLKL_RATE(1200000000, 1, 4, 4),
+	RK3368_CPUCLKL_RATE(1008000000, 1, 4, 4),
+	RK3368_CPUCLKL_RATE( 816000000, 1, 3, 3),
+	RK3368_CPUCLKL_RATE( 696000000, 1, 2, 2),
+	RK3368_CPUCLKL_RATE( 600000000, 1, 2, 2),
+	RK3368_CPUCLKL_RATE( 408000000, 1, 1, 1),
+	RK3368_CPUCLKL_RATE( 312000000, 1, 1, 1),
 };
 
 static struct rockchip_clk_branch rk3368_clk_branches[] __initdata = {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 206/238] clk: rockchip: rk3368: fix parents of video encoder/decoder
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 205/238] clk: rockchip: rk3368: fix cpuclk core dividers Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 207/238] clk: rockchip: rk3368: fix hdmi_cec gate-register Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Heiko Stuebner, zhangqing

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Stuebner <heiko@sntech.de>

commit 0f28d98463498c61c61a38aacbf9f69e92e85e9d upstream.

The vdpu and vepu clocks can also be parented to the npll and current
parent list also is wrong as it would use the npll as "usbphy" source,
so adapt the parent to the correct one.

Fixes: 3536c97a52db ("clk: rockchip: add rk3368 clock controller")
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: zhangqing <zhangqing@rock-chips.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/rockchip/clk-rk3368.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/clk/rockchip/clk-rk3368.c
+++ b/drivers/clk/rockchip/clk-rk3368.c
@@ -384,10 +384,10 @@ static struct rockchip_clk_branch rk3368
 	 * Clock-Architecture Diagram 3
 	 */
 
-	COMPOSITE(0, "aclk_vepu", mux_pll_src_cpll_gpll_usb_p, 0,
+	COMPOSITE(0, "aclk_vepu", mux_pll_src_cpll_gpll_npll_usb_p, 0,
 			RK3368_CLKSEL_CON(15), 6, 2, MFLAGS, 0, 5, DFLAGS,
 			RK3368_CLKGATE_CON(4), 6, GFLAGS),
-	COMPOSITE(0, "aclk_vdpu", mux_pll_src_cpll_gpll_usb_p, 0,
+	COMPOSITE(0, "aclk_vdpu", mux_pll_src_cpll_gpll_npll_usb_p, 0,
 			RK3368_CLKSEL_CON(15), 14, 2, MFLAGS, 8, 5, DFLAGS,
 			RK3368_CLKGATE_CON(4), 7, GFLAGS),
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 207/238] clk: rockchip: rk3368: fix hdmi_cec gate-register
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 206/238] clk: rockchip: rk3368: fix parents of video encoder/decoder Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 208/238] clk: rockchip: add hclk_cpubus to the list of rk3188 critical clocks Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Heiko Stuebner, zhangqing

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Stuebner <heiko@sntech.de>

commit fd0c0740fac17a014704ef89d8c8b1768711ca59 upstream.

Fix a typo making the sclk_hdmi_cec access a wrong register to handle
its gate.

Fixes: 3536c97a52db ("clk: rockchip: add rk3368 clock controller")
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: zhangqing <zhangqing@rock-chips.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/rockchip/clk-rk3368.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/clk/rockchip/clk-rk3368.c
+++ b/drivers/clk/rockchip/clk-rk3368.c
@@ -442,7 +442,7 @@ static struct rockchip_clk_branch rk3368
 	GATE(SCLK_HDMI_HDCP, "sclk_hdmi_hdcp", "xin24m", 0,
 			RK3368_CLKGATE_CON(4), 13, GFLAGS),
 	GATE(SCLK_HDMI_CEC, "sclk_hdmi_cec", "xin32k", 0,
-			RK3368_CLKGATE_CON(5), 12, GFLAGS),
+			RK3368_CLKGATE_CON(4), 12, GFLAGS),
 
 	COMPOSITE_NODIV(0, "vip_src", mux_pll_src_cpll_gpll_p, 0,
 			RK3368_CLKSEL_CON(21), 15, 1, MFLAGS,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 208/238] clk: rockchip: add hclk_cpubus to the list of rk3188 critical clocks
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 207/238] clk: rockchip: rk3368: fix hdmi_cec gate-register Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 209/238] clk: bcm2835: Fix setting of PLL divider clock rates Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Kochetkov, Heiko Stuebner

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Kochetkov <al.kochet@gmail.com>

commit e8b63288b37dbb8457b510c9d96f6006da4653f6 upstream.

hclk_cpubus needs to keep running because it is needed for devices like
the rom, i2s0 or spdif to be accessible via cpu. Without that all
accesses to devices (readl/writel) return wrong data. So add it
to the list of critical clocks.

Fixes: 78eaf6095cc763c ("clk: rockchip: disable unused clocks")
Signed-off-by: Alexander Kochetkov <al.kochet@gmail.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/rockchip/clk-rk3188.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/clk/rockchip/clk-rk3188.c
+++ b/drivers/clk/rockchip/clk-rk3188.c
@@ -748,6 +748,7 @@ static const char *const rk3188_critical
 	"hclk_peri",
 	"pclk_cpu",
 	"pclk_peri",
+	"hclk_cpubus"
 };
 
 static void __init rk3188_common_clk_init(struct device_node *np)

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 209/238] clk: bcm2835: Fix setting of PLL divider clock rates
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 208/238] clk: rockchip: add hclk_cpubus to the list of rk3188 critical clocks Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 210/238] target: Fix target_release_cmd_kref shutdown comp leak Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Anholt, Michael Turquette

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Anholt <eric@anholt.net>

commit 773b3966dd3cdaeb68e7f2edfe5656abac1dc411 upstream.

Our dividers weren't being set successfully because CM_PASSWORD wasn't
included in the register write.  It looks easier to just compute the
divider to write ourselves than to update clk-divider for the ability
to OR in some arbitrary bits on write.

Fixes about half of the video modes on my HDMI monitor (everything
except 720x400).

Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Michael Turquette <mturquette@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/bcm/clk-bcm2835.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/drivers/clk/bcm/clk-bcm2835.c
+++ b/drivers/clk/bcm/clk-bcm2835.c
@@ -1107,13 +1107,15 @@ static int bcm2835_pll_divider_set_rate(
 	struct bcm2835_pll_divider *divider = bcm2835_pll_divider_from_hw(hw);
 	struct bcm2835_cprman *cprman = divider->cprman;
 	const struct bcm2835_pll_divider_data *data = divider->data;
-	u32 cm;
-	int ret;
+	u32 cm, div, max_div = 1 << A2W_PLL_DIV_BITS;
 
-	ret = clk_divider_ops.set_rate(hw, rate, parent_rate);
-	if (ret)
-		return ret;
+	div = DIV_ROUND_UP_ULL(parent_rate, rate);
 
+	div = min(div, max_div);
+	if (div == max_div)
+		div = 0;
+
+	cprman_write(cprman, data->a2w_reg, div);
 	cm = cprman_read(cprman, data->cm_reg);
 	cprman_write(cprman, data->cm_reg, cm | data->load_mask);
 	cprman_write(cprman, data->cm_reg, cm & ~data->load_mask);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 210/238] target: Fix target_release_cmd_kref shutdown comp leak
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 209/238] clk: bcm2835: Fix setting of PLL divider clock rates Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 211/238] iser-target: Fix identification of login rx descriptor type Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Himanshu Madhani, Nicholas Bellinger

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Himanshu Madhani <himanshu.madhani@qlogic.com>

commit 5e47f1985d7107331c3f64fb3ec83d66fd73577e upstream.

This patch fixes an active I/O shutdown bug for fabric
drivers using target_wait_for_sess_cmds(), where se_cmd
descriptor shutdown would result in hung tasks waiting
indefinitely for se_cmd->cmd_wait_comp to complete().

To address this bug, drop the incorrect list_del_init()
usage in target_wait_for_sess_cmds() and always complete()
during se_cmd target_release_cmd_kref() put, in order to
let caller invoke the final fabric release callback
into se_cmd->se_tfo->release_cmd() code.

Reported-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
Tested-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/target/target_core_transport.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2596,8 +2596,6 @@ void target_wait_for_sess_cmds(struct se
 
 	list_for_each_entry_safe(se_cmd, tmp_cmd,
 				&se_sess->sess_wait_list, se_cmd_list) {
-		list_del_init(&se_cmd->se_cmd_list);
-
 		pr_debug("Waiting for se_cmd: %p t_state: %d, fabric state:"
 			" %d\n", se_cmd, se_cmd->t_state,
 			se_cmd->se_tfo->get_cmd_state(se_cmd));

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 211/238] iser-target: Fix identification of login rx descriptor type
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 210/238] target: Fix target_release_cmd_kref shutdown comp leak Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 212/238] iser-target: Add new state ISER_CONN_BOUND to isert_conn Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jenny Derzhavetz, Sagi Grimberg,
	Nicholas Bellinger

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jenny Derzhavetz <jennyf@mellanox.com>

commit b89a7c25462b164db280abc3b05d4d9d888d40e9 upstream.

Once connection request is accepted, one rx descriptor
is posted to receive login request. This descriptor has rx type,
but is outside the main pool of rx descriptors, and thus
was mistreated as tx type.

Signed-off-by: Jenny Derzhavetz <jennyf@mellanox.com>
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/ulp/isert/ib_isert.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -2048,7 +2048,8 @@ is_isert_tx_desc(struct isert_conn *iser
 	void *start = isert_conn->rx_descs;
 	int len = ISERT_QP_MAX_RECV_DTOS * sizeof(*isert_conn->rx_descs);
 
-	if (wr_id >= start && wr_id < start + len)
+	if ((wr_id >= start && wr_id < start + len) ||
+	    (wr_id == isert_conn->login_req_buf))
 		return false;
 
 	return true;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 212/238] iser-target: Add new state ISER_CONN_BOUND to isert_conn
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 211/238] iser-target: Fix identification of login rx descriptor type Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 213/238] iser-target: Separate flows for np listeners and connections cma events Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jenny Derzhavetz, Sagi Grimberg,
	Nicholas Bellinger

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jenny Derzhavetz <jennyf@mellanox.com>

commit aea92980601f7ddfcb3c54caa53a43726314fe46 upstream.

We need an indication that isert_conn->iscsi_conn binding has
happened so we'll know not to invoke a connection reinstatement
on an unbound connection which will lead to a bogus isert_conn->conn
dereferece.

Signed-off-by: Jenny Derzhavetz <jennyf@mellanox.com>
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/ulp/isert/ib_isert.c |    7 +++++--
 drivers/infiniband/ulp/isert/ib_isert.h |    1 +
 2 files changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -825,7 +825,7 @@ isert_put_conn(struct isert_conn *isert_
  * @isert_conn: isert connection struct
  *
  * Notes:
- * In case the connection state is FULL_FEATURE, move state
+ * In case the connection state is BOUND, move state
  * to TEMINATING and start teardown sequence (rdma_disconnect).
  * In case the connection state is UP, complete flush as well.
  *
@@ -841,6 +841,7 @@ isert_conn_terminate(struct isert_conn *
 	case ISER_CONN_TERMINATING:
 		break;
 	case ISER_CONN_UP:
+	case ISER_CONN_BOUND:
 	case ISER_CONN_FULL_FEATURE: /* FALLTHRU */
 		isert_info("Terminating conn %p state %d\n",
 			   isert_conn, isert_conn->state);
@@ -2075,7 +2076,8 @@ isert_cq_comp_err(struct isert_conn *ise
 			isert_completion_put(desc, isert_cmd, ib_dev, true);
 	} else {
 		isert_conn->post_recv_buf_count--;
-		if (!isert_conn->post_recv_buf_count)
+		if (!isert_conn->post_recv_buf_count &&
+		    isert_conn->state >= ISER_CONN_BOUND)
 			iscsit_cause_connection_reinstatement(isert_conn->conn, 0);
 	}
 }
@@ -3215,6 +3217,7 @@ accept_wait:
 
 	conn->context = isert_conn;
 	isert_conn->conn = conn;
+	isert_conn->state = ISER_CONN_BOUND;
 
 	isert_set_conn_info(np, conn, isert_conn);
 
--- a/drivers/infiniband/ulp/isert/ib_isert.h
+++ b/drivers/infiniband/ulp/isert/ib_isert.h
@@ -84,6 +84,7 @@ enum iser_ib_op_code {
 enum iser_conn_state {
 	ISER_CONN_INIT,
 	ISER_CONN_UP,
+	ISER_CONN_BOUND,
 	ISER_CONN_FULL_FEATURE,
 	ISER_CONN_TERMINATING,
 	ISER_CONN_DOWN,

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 213/238] iser-target: Separate flows for np listeners and connections cma events
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 212/238] iser-target: Add new state ISER_CONN_BOUND to isert_conn Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 214/238] iser-target: Rework connection termination Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jenny Derzhavetz, Sagi Grimberg,
	Nicholas Bellinger

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jenny Derzhavetz <jennyf@mellanox.com>

commit f81bf458208ef6d12b2fc08091204e3859dcdba4 upstream.

No need to restrict this check to specific events.

Signed-off-by: Jenny Derzhavetz <jennyf@mellanox.com>
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/ulp/isert/ib_isert.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -889,14 +889,9 @@ isert_disconnected_handler(struct rdma_c
 			   enum rdma_cm_event_type event)
 {
 	struct isert_np *isert_np = cma_id->context;
-	struct isert_conn *isert_conn;
+	struct isert_conn *isert_conn = cma_id->qp->qp_context;
 	bool terminating = false;
 
-	if (isert_np->cm_id == cma_id)
-		return isert_np_cma_handler(cma_id->context, event);
-
-	isert_conn = cma_id->qp->qp_context;
-
 	mutex_lock(&isert_conn->mutex);
 	terminating = (isert_conn->state == ISER_CONN_TERMINATING);
 	isert_conn_terminate(isert_conn);
@@ -935,12 +930,16 @@ isert_connect_error(struct rdma_cm_id *c
 static int
 isert_cma_handler(struct rdma_cm_id *cma_id, struct rdma_cm_event *event)
 {
+	struct isert_np *isert_np = cma_id->context;
 	int ret = 0;
 
 	isert_info("%s (%d): status %d id %p np %p\n",
 		   rdma_event_msg(event->event), event->event,
 		   event->status, cma_id, cma_id->context);
 
+	if (isert_np->cm_id == cma_id)
+		return isert_np_cma_handler(cma_id->context, event->event);
+
 	switch (event->event) {
 	case RDMA_CM_EVENT_CONNECT_REQUEST:
 		ret = isert_connect_request(cma_id, event);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 214/238] iser-target: Rework connection termination
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 213/238] iser-target: Separate flows for np listeners and connections cma events Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 215/238] nfsd4: fix bad bounds checking Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jenny Derzhavetz, Sagi Grimberg,
	Nicholas Bellinger

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jenny Derzhavetz <jennyf@mellanox.com>

commit 6d1fba0c2cc7efe42fd761ecbba833ed0ea7b07e upstream.

When we receive an event that triggers connection termination,
we have a a couple of things we may want to do:
1. In case we are already terminating, bailout early
2. In case we are connected but not bound, disconnect and schedule
   a connection cleanup silently (don't reinstate)
3. In case we are connected and bound, disconnect and reinstate the connection

This rework fixes a bug that was detected against a mis-behaved
initiator which rejected our rdma_cm accept, in this stage the
isert_conn is no bound and reinstate caused a bogus dereference.

What's great about this is that we don't need the
post_recv_buf_count anymore, so get rid of it.

Signed-off-by: Jenny Derzhavetz <jennyf@mellanox.com>
Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/ulp/isert/ib_isert.c |  107 +++++++++++++++-----------------
 drivers/infiniband/ulp/isert/ib_isert.h |    1 
 2 files changed, 52 insertions(+), 56 deletions(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -65,6 +65,7 @@ isert_rdma_accept(struct isert_conn *ise
 struct rdma_cm_id *isert_setup_id(struct isert_np *isert_np);
 
 static void isert_release_work(struct work_struct *work);
+static void isert_wait4flush(struct isert_conn *isert_conn);
 
 static inline bool
 isert_prot_cmd(struct isert_conn *conn, struct se_cmd *cmd)
@@ -820,6 +821,25 @@ isert_put_conn(struct isert_conn *isert_
 	kref_put(&isert_conn->kref, isert_release_kref);
 }
 
+static void
+isert_handle_unbound_conn(struct isert_conn *isert_conn)
+{
+	struct isert_np *isert_np = isert_conn->cm_id->context;
+
+	mutex_lock(&isert_np->mutex);
+	if (!list_empty(&isert_conn->node)) {
+		/*
+		 * This means iscsi doesn't know this connection
+		 * so schedule a cleanup ourselves
+		 */
+		list_del_init(&isert_conn->node);
+		isert_put_conn(isert_conn);
+		complete(&isert_conn->wait);
+		queue_work(isert_release_wq, &isert_conn->release_work);
+	}
+	mutex_unlock(&isert_np->mutex);
+}
+
 /**
  * isert_conn_terminate() - Initiate connection termination
  * @isert_conn: isert connection struct
@@ -837,24 +857,19 @@ isert_conn_terminate(struct isert_conn *
 {
 	int err;
 
-	switch (isert_conn->state) {
-	case ISER_CONN_TERMINATING:
-		break;
-	case ISER_CONN_UP:
-	case ISER_CONN_BOUND:
-	case ISER_CONN_FULL_FEATURE: /* FALLTHRU */
-		isert_info("Terminating conn %p state %d\n",
-			   isert_conn, isert_conn->state);
-		isert_conn->state = ISER_CONN_TERMINATING;
-		err = rdma_disconnect(isert_conn->cm_id);
-		if (err)
-			isert_warn("Failed rdma_disconnect isert_conn %p\n",
-				   isert_conn);
-		break;
-	default:
-		isert_warn("conn %p teminating in state %d\n",
-			   isert_conn, isert_conn->state);
-	}
+	if (isert_conn->state >= ISER_CONN_TERMINATING)
+		return;
+
+	isert_info("Terminating conn %p state %d\n",
+		   isert_conn, isert_conn->state);
+	isert_conn->state = ISER_CONN_TERMINATING;
+	err = rdma_disconnect(isert_conn->cm_id);
+	if (err)
+		isert_warn("Failed rdma_disconnect isert_conn %p\n",
+			   isert_conn);
+
+	isert_info("conn %p completing wait\n", isert_conn);
+	complete(&isert_conn->wait);
 }
 
 static int
@@ -888,30 +903,27 @@ static int
 isert_disconnected_handler(struct rdma_cm_id *cma_id,
 			   enum rdma_cm_event_type event)
 {
-	struct isert_np *isert_np = cma_id->context;
 	struct isert_conn *isert_conn = cma_id->qp->qp_context;
-	bool terminating = false;
 
 	mutex_lock(&isert_conn->mutex);
-	terminating = (isert_conn->state == ISER_CONN_TERMINATING);
-	isert_conn_terminate(isert_conn);
-	mutex_unlock(&isert_conn->mutex);
-
-	isert_info("conn %p completing wait\n", isert_conn);
-	complete(&isert_conn->wait);
-
-	if (terminating)
-		goto out;
-
-	mutex_lock(&isert_np->mutex);
-	if (!list_empty(&isert_conn->node)) {
-		list_del_init(&isert_conn->node);
-		isert_put_conn(isert_conn);
-		queue_work(isert_release_wq, &isert_conn->release_work);
+	switch (isert_conn->state) {
+	case ISER_CONN_TERMINATING:
+		break;
+	case ISER_CONN_UP:
+		isert_conn_terminate(isert_conn);
+		isert_wait4flush(isert_conn);
+		isert_handle_unbound_conn(isert_conn);
+		break;
+	case ISER_CONN_BOUND:
+	case ISER_CONN_FULL_FEATURE: /* FALLTHRU */
+		iscsit_cause_connection_reinstatement(isert_conn->conn, 0);
+		break;
+	default:
+		isert_warn("conn %p teminating in state %d\n",
+			   isert_conn, isert_conn->state);
 	}
-	mutex_unlock(&isert_np->mutex);
+	mutex_unlock(&isert_conn->mutex);
 
-out:
 	return 0;
 }
 
@@ -985,13 +997,10 @@ isert_post_recvm(struct isert_conn *iser
 	rx_wr--;
 	rx_wr->next = NULL; /* mark end of work requests list */
 
-	isert_conn->post_recv_buf_count += count;
 	ret = ib_post_recv(isert_conn->qp, isert_conn->rx_wr,
 			   &rx_wr_failed);
-	if (ret) {
+	if (ret)
 		isert_err("ib_post_recv() failed with ret: %d\n", ret);
-		isert_conn->post_recv_buf_count -= count;
-	}
 
 	return ret;
 }
@@ -1007,12 +1016,9 @@ isert_post_recv(struct isert_conn *isert
 	rx_wr.num_sge = 1;
 	rx_wr.next = NULL;
 
-	isert_conn->post_recv_buf_count++;
 	ret = ib_post_recv(isert_conn->qp, &rx_wr, &rx_wr_failed);
-	if (ret) {
+	if (ret)
 		isert_err("ib_post_recv() failed with ret: %d\n", ret);
-		isert_conn->post_recv_buf_count--;
-	}
 
 	return ret;
 }
@@ -1132,12 +1138,9 @@ isert_rdma_post_recvl(struct isert_conn
 	rx_wr.sg_list = &sge;
 	rx_wr.num_sge = 1;
 
-	isert_conn->post_recv_buf_count++;
 	ret = ib_post_recv(isert_conn->qp, &rx_wr, &rx_wr_fail);
-	if (ret) {
+	if (ret)
 		isert_err("ib_post_recv() failed: %d\n", ret);
-		isert_conn->post_recv_buf_count--;
-	}
 
 	return ret;
 }
@@ -1633,7 +1636,6 @@ isert_rcv_completion(struct iser_rx_desc
 	ib_dma_sync_single_for_device(ib_dev, rx_dma, rx_buflen,
 				      DMA_FROM_DEVICE);
 
-	isert_conn->post_recv_buf_count--;
 }
 
 static int
@@ -2073,11 +2075,6 @@ isert_cq_comp_err(struct isert_conn *ise
 			isert_unmap_tx_desc(desc, ib_dev);
 		else
 			isert_completion_put(desc, isert_cmd, ib_dev, true);
-	} else {
-		isert_conn->post_recv_buf_count--;
-		if (!isert_conn->post_recv_buf_count &&
-		    isert_conn->state >= ISER_CONN_BOUND)
-			iscsit_cause_connection_reinstatement(isert_conn->conn, 0);
 	}
 }
 
--- a/drivers/infiniband/ulp/isert/ib_isert.h
+++ b/drivers/infiniband/ulp/isert/ib_isert.h
@@ -180,7 +180,6 @@ struct isert_device;
 
 struct isert_conn {
 	enum iser_conn_state	state;
-	int			post_recv_buf_count;
 	u32			responder_resources;
 	u32			initiator_depth;
 	bool			pi_support;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 215/238] nfsd4: fix bad bounds checking
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 214/238] iser-target: Rework connection termination Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 216/238] nfsd: fix deadlock secinfo+readdir compound Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, J. Bruce Fields

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: J. Bruce Fields <bfields@redhat.com>

commit 4aed9c46afb80164401143aa0fdcfe3798baa9d5 upstream.

A number of spots in the xdr decoding follow a pattern like

	n = be32_to_cpup(p++);
	READ_BUF(n + 4);

where n is a u32.  The only bounds checking is done in READ_BUF itself,
but since it's checking (n + 4), it won't catch cases where n is very
large, (u32)(-4) or higher.  I'm not sure exactly what the consequences
are, but we've seen crashes soon after.

Instead, just break these up into two READ_BUF()s.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfsd/nfs4xdr.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1072,8 +1072,9 @@ nfsd4_decode_rename(struct nfsd4_compoun
 
 	READ_BUF(4);
 	rename->rn_snamelen = be32_to_cpup(p++);
-	READ_BUF(rename->rn_snamelen + 4);
+	READ_BUF(rename->rn_snamelen);
 	SAVEMEM(rename->rn_sname, rename->rn_snamelen);
+	READ_BUF(4);
 	rename->rn_tnamelen = be32_to_cpup(p++);
 	READ_BUF(rename->rn_tnamelen);
 	SAVEMEM(rename->rn_tname, rename->rn_tnamelen);
@@ -1155,13 +1156,14 @@ nfsd4_decode_setclientid(struct nfsd4_co
 	READ_BUF(8);
 	setclientid->se_callback_prog = be32_to_cpup(p++);
 	setclientid->se_callback_netid_len = be32_to_cpup(p++);
-
-	READ_BUF(setclientid->se_callback_netid_len + 4);
+	READ_BUF(setclientid->se_callback_netid_len);
 	SAVEMEM(setclientid->se_callback_netid_val, setclientid->se_callback_netid_len);
+	READ_BUF(4);
 	setclientid->se_callback_addr_len = be32_to_cpup(p++);
 
-	READ_BUF(setclientid->se_callback_addr_len + 4);
+	READ_BUF(setclientid->se_callback_addr_len);
 	SAVEMEM(setclientid->se_callback_addr_val, setclientid->se_callback_addr_len);
+	READ_BUF(4);
 	setclientid->se_callback_ident = be32_to_cpup(p++);
 
 	DECODE_TAIL;
@@ -1835,8 +1837,9 @@ nfsd4_decode_compound(struct nfsd4_compo
 
 	READ_BUF(4);
 	argp->taglen = be32_to_cpup(p++);
-	READ_BUF(argp->taglen + 8);
+	READ_BUF(argp->taglen);
 	SAVEMEM(argp->tag, argp->taglen);
+	READ_BUF(8);
 	argp->minorversion = be32_to_cpup(p++);
 	argp->opcnt = be32_to_cpup(p++);
 	max_reply += 4 + (XDR_QUADLEN(argp->taglen) << 2);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 216/238] nfsd: fix deadlock secinfo+readdir compound
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 215/238] nfsd4: fix bad bounds checking Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 217/238] ARM: dts: at91: sama5d3 Xplained: dont disable hsmci regulator Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, J. Bruce Fields

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: J. Bruce Fields <bfields@redhat.com>

commit 2f6fc056e899bd0144a08da5cacaecbe8997cd74 upstream.

nfsd_lookup_dentry exits with the parent filehandle locked.  fh_put also
unlocks if necessary (nfsd filehandle locking is probably too lenient),
so it gets unlocked eventually, but if the following op in the compound
needs to lock it again, we can deadlock.

A fuzzer ran into this; normal clients don't send a secinfo followed by
a readdir in the same compound.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfsd/nfs4proc.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -878,6 +878,7 @@ nfsd4_secinfo(struct svc_rqst *rqstp, st
 				    &exp, &dentry);
 	if (err)
 		return err;
+	fh_unlock(&cstate->current_fh);
 	if (d_really_is_negative(dentry)) {
 		exp_put(exp);
 		err = nfserr_noent;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 217/238] ARM: dts: at91: sama5d3 Xplained: dont disable hsmci regulator
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 216/238] nfsd: fix deadlock secinfo+readdir compound Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 218/238] ARM: dts: at91: sama5d4 " Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ludovic Desroches, Nicolas Ferre

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ludovic Desroches <ludovic.desroches@atmel.com>

commit ae3fc8ea08e405682f1fa959f94b6e4126afbc1b upstream.

If enabling the hsmci regulator on card detection, the board can reboot
on sd card insertion. Keeping the regulator always enabled fixes this
issue.

Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Fixes: 1b53e3416dd0 ("ARM: at91/dt: sama5d3 xplained: add fixed regulator for vmmc0")
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/at91-sama5d3_xplained.dts |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts
+++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts
@@ -303,6 +303,7 @@
 		regulator-name = "mmc0-card-supply";
 		regulator-min-microvolt = <3300000>;
 		regulator-max-microvolt = <3300000>;
+		regulator-always-on;
 	};
 
 	gpio_keys {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 218/238] ARM: dts: at91: sama5d4 Xplained: dont disable hsmci regulator
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 217/238] ARM: dts: at91: sama5d3 Xplained: dont disable hsmci regulator Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 219/238] ACPI / PM: Runtime resume devices when waking from hibernate Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ludovic Desroches, Nicolas Ferre

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ludovic Desroches <ludovic.desroches@atmel.com>

commit b02acd4e62602a6ab307da84388a16bf60106c48 upstream.

If enabling the hsmci regulator on card detection, the board can reboot
on sd card insertion. Keeping the regulator always enabled fixes this
issue.

Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Fixes: 8d545f32bd77 ("ARM: at91/dt: sama5d4 xplained: add regulators for v(q)mmc1 supplies")
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/at91-sama5d4_xplained.dts |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/boot/dts/at91-sama5d4_xplained.dts
+++ b/arch/arm/boot/dts/at91-sama5d4_xplained.dts
@@ -268,5 +268,6 @@
 		regulator-min-microvolt = <3300000>;
 		regulator-max-microvolt = <3300000>;
 		vin-supply = <&vcc_3v3_reg>;
+		regulator-always-on;
 	};
 };

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 219/238] ACPI / PM: Runtime resume devices when waking from hibernate
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 218/238] ARM: dts: at91: sama5d4 " Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 220/238] writeback, cgroup: fix premature wb_put() in locked_inode_to_wb_and_lock_list() Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lukas Wunner, Rafael J. Wysocki

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit fbda4b38fa3995aa0777fe9cbbdcb223c6292083 upstream.

Commit 58a1fbbb2ee8 ("PM / PCI / ACPI: Kick devices that might have been
reset by firmware") added a runtime resume for devices that were runtime
suspended when the system entered suspend-to-RAM.

Briefly, the motivation was to ensure that devices did not remain in a
reset-power-on state after resume, potentially preventing deep SoC-wide
low-power states from being entered on idle.

Currently we're not doing the same when leaving suspend-to-disk and this
asymmetry is a problem if drivers rely on the automatic resume triggered
by pm_complete_with_resume_check(). Fix it.

Fixes: 58a1fbbb2ee8 (PM / PCI / ACPI: Kick devices that might have been reset by firmware)
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/acpi/sleep.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/acpi/sleep.c
+++ b/drivers/acpi/sleep.c
@@ -714,6 +714,7 @@ static int acpi_hibernation_enter(void)
 
 static void acpi_hibernation_leave(void)
 {
+	pm_set_resume_via_firmware();
 	/*
 	 * If ACPI is not enabled by the BIOS and the boot kernel, we need to
 	 * enable it here.

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 220/238] writeback, cgroup: fix premature wb_put() in locked_inode_to_wb_and_lock_list()
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 219/238] ACPI / PM: Runtime resume devices when waking from hibernate Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 221/238] writeback, cgroup: fix use of the wrong bdi_writeback which mismatches the inode Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Tahsin Erdogan, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit 614a4e3773148a31f58dc174bbf578ceb63510c2 upstream.

locked_inode_to_wb_and_lock_list() wb_get()'s the wb associated with
the target inode, unlocks inode, locks the wb's list_lock and verifies
that the inode is still associated with the wb.  To prevent the wb
going away between dropping inode lock and acquiring list_lock, the wb
is pinned while inode lock is held.  The wb reference is put right
after acquiring list_lock citing that the wb won't be dereferenced
anymore.

This isn't true.  If the inode is still associated with the wb, the
inode has reference and it's safe to return the wb; however, if inode
has been switched, the wb still needs to be unlocked which is a
dereference and can lead to use-after-free if it it races with wb
destruction.

Fix it by putting the reference after releasing list_lock.

Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 87e1d789bf55 ("writeback: implement [locked_]inode_to_wb_and_lock_list()")
Tested-by: Tahsin Erdogan <tahsin@google.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fs-writeback.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -281,13 +281,15 @@ locked_inode_to_wb_and_lock_list(struct
 		wb_get(wb);
 		spin_unlock(&inode->i_lock);
 		spin_lock(&wb->list_lock);
-		wb_put(wb);		/* not gonna deref it anymore */
 
 		/* i_wb may have changed inbetween, can't use inode_to_wb() */
-		if (likely(wb == inode->i_wb))
-			return wb;	/* @inode already has ref */
+		if (likely(wb == inode->i_wb)) {
+			wb_put(wb);	/* @inode already has ref */
+			return wb;
+		}
 
 		spin_unlock(&wb->list_lock);
+		wb_put(wb);
 		cpu_relax();
 		spin_lock(&inode->i_lock);
 	}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 221/238] writeback, cgroup: fix use of the wrong bdi_writeback which mismatches the inode
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 220/238] writeback, cgroup: fix premature wb_put() in locked_inode_to_wb_and_lock_list() Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 222/238] Input: synaptics - handle spurious release of trackstick buttons, again Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Tahsin Erdogan, Jens Axboe

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Tejun Heo <tj@kernel.org>

commit aaf2559332ba272671bb870464a99b909b29a3a1 upstream.

When cgroup writeback is in use, there can be multiple wb's
(bdi_writeback's) per bdi and an inode may switch among them
dynamically.  In a couple places, the wrong wb was used leading to
performing operations on the wrong list under the wrong lock
corrupting the io lists.

* writeback_single_inode() was taking @wb parameter and used it to
  remove the inode from io lists if it becomes clean after writeback.
  The callers of this function were always passing in the root wb
  regardless of the actual wb that the inode was associated with,
  which could also change while writeback is in progress.

  Fix it by dropping the @wb parameter and using
  inode_to_wb_and_lock_list() to determine and lock the associated wb.

* After writeback_sb_inodes() writes out an inode, it re-locks @wb and
  inode to remove it from or move it to the right io list.  It assumes
  that the inode is still associated with @wb; however, the inode may
  have switched to another wb while writeback was in progress.

  Fix it by using inode_to_wb_and_lock_list() to determine and lock
  the associated wb after writeback is complete.  As the function
  requires the original @wb->list_lock locked for the next iteration,
  in the unlikely case where the inode has changed association, switch
  the locks.

Kudos to Tahsin for pinpointing these subtle breakages.

Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: d10c80955265 ("writeback: implement foreign cgroup inode bdi_writeback switching")
Link: http://lkml.kernel.org/g/CAAeU0aMYeM_39Y2+PaRvyB1nqAPYZSNngJ1eBRmrxn7gKAt2Mg@mail.gmail.com
Reported-and-diagnosed-by: Tahsin Erdogan <tahsin@google.com>
Tested-by: Tahsin Erdogan <tahsin@google.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fs-writeback.c |   29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -1339,10 +1339,10 @@ __writeback_single_inode(struct inode *i
  * we go e.g. from filesystem. Flusher thread uses __writeback_single_inode()
  * and does more profound writeback list handling in writeback_sb_inodes().
  */
-static int
-writeback_single_inode(struct inode *inode, struct bdi_writeback *wb,
-		       struct writeback_control *wbc)
+static int writeback_single_inode(struct inode *inode,
+				  struct writeback_control *wbc)
 {
+	struct bdi_writeback *wb;
 	int ret = 0;
 
 	spin_lock(&inode->i_lock);
@@ -1380,7 +1380,8 @@ writeback_single_inode(struct inode *ino
 	ret = __writeback_single_inode(inode, wbc);
 
 	wbc_detach_inode(wbc);
-	spin_lock(&wb->list_lock);
+
+	wb = inode_to_wb_and_lock_list(inode);
 	spin_lock(&inode->i_lock);
 	/*
 	 * If inode is clean, remove it from writeback lists. Otherwise don't
@@ -1455,6 +1456,7 @@ static long writeback_sb_inodes(struct s
 
 	while (!list_empty(&wb->b_io)) {
 		struct inode *inode = wb_inode(wb->b_io.prev);
+		struct bdi_writeback *tmp_wb;
 
 		if (inode->i_sb != sb) {
 			if (work->sb) {
@@ -1545,15 +1547,23 @@ static long writeback_sb_inodes(struct s
 			cond_resched();
 		}
 
-
-		spin_lock(&wb->list_lock);
+		/*
+		 * Requeue @inode if still dirty.  Be careful as @inode may
+		 * have been switched to another wb in the meantime.
+		 */
+		tmp_wb = inode_to_wb_and_lock_list(inode);
 		spin_lock(&inode->i_lock);
 		if (!(inode->i_state & I_DIRTY_ALL))
 			wrote++;
-		requeue_inode(inode, wb, &wbc);
+		requeue_inode(inode, tmp_wb, &wbc);
 		inode_sync_complete(inode);
 		spin_unlock(&inode->i_lock);
 
+		if (unlikely(tmp_wb != wb)) {
+			spin_unlock(&tmp_wb->list_lock);
+			spin_lock(&wb->list_lock);
+		}
+
 		/*
 		 * bail out to wb_writeback() often enough to check
 		 * background threshold and other termination conditions.
@@ -2340,7 +2350,6 @@ EXPORT_SYMBOL(sync_inodes_sb);
  */
 int write_inode_now(struct inode *inode, int sync)
 {
-	struct bdi_writeback *wb = &inode_to_bdi(inode)->wb;
 	struct writeback_control wbc = {
 		.nr_to_write = LONG_MAX,
 		.sync_mode = sync ? WB_SYNC_ALL : WB_SYNC_NONE,
@@ -2352,7 +2361,7 @@ int write_inode_now(struct inode *inode,
 		wbc.nr_to_write = 0;
 
 	might_sleep();
-	return writeback_single_inode(inode, wb, &wbc);
+	return writeback_single_inode(inode, &wbc);
 }
 EXPORT_SYMBOL(write_inode_now);
 
@@ -2369,7 +2378,7 @@ EXPORT_SYMBOL(write_inode_now);
  */
 int sync_inode(struct inode *inode, struct writeback_control *wbc)
 {
-	return writeback_single_inode(inode, &inode_to_bdi(inode)->wb, wbc);
+	return writeback_single_inode(inode, wbc);
 }
 EXPORT_SYMBOL(sync_inode);
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 222/238] Input: synaptics - handle spurious release of trackstick buttons, again
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 221/238] writeback, cgroup: fix use of the wrong bdi_writeback which mismatches the inode Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 223/238] Input: ims-pcu - sanity check against missing interfaces Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Tissoires, Dmitry Torokhov

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Benjamin Tissoires <benjamin.tissoires@redhat.com>

commit 82be788c96ed5978d3cb4a00079e26b981a3df3f upstream.

Looks like the fimware 8.2 still has the extra buttons spurious release
bug.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=114321
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/mouse/synaptics.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -862,8 +862,9 @@ static void synaptics_report_ext_buttons
 	if (!SYN_CAP_MULTI_BUTTON_NO(priv->ext_cap))
 		return;
 
-	/* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */
-	if (SYN_ID_FULL(priv->identity) == 0x801 &&
+	/* Bug in FW 8.1 & 8.2, buttons are reported only when ExtBit is 1 */
+	if ((SYN_ID_FULL(priv->identity) == 0x801 ||
+	     SYN_ID_FULL(priv->identity) == 0x802) &&
 	    !((psmouse->packet[0] ^ psmouse->packet[3]) & 0x02))
 		return;
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 223/238] Input: ims-pcu - sanity check against missing interfaces
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 222/238] Input: synaptics - handle spurious release of trackstick buttons, again Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 224/238] Input: ati_remote2 - fix crashes on detecting device with invalid descriptor Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum, Dmitry Torokhov

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <oneukum@suse.com>

commit a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff upstream.

A malicious device missing interface can make the driver oops.
Add sanity checking.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/misc/ims-pcu.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct
 
 	pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev,
 					 union_desc->bMasterInterface0);
+	if (!pcu->ctrl_intf)
+		return -EINVAL;
 
 	alt = pcu->ctrl_intf->cur_altsetting;
 	pcu->ep_ctrl = &alt->endpoint[0].desc;
@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct
 
 	pcu->data_intf = usb_ifnum_to_if(pcu->udev,
 					 union_desc->bSlaveInterface0);
+	if (!pcu->data_intf)
+		return -EINVAL;
 
 	alt = pcu->data_intf->cur_altsetting;
 	if (alt->desc.bNumEndpoints != 2) {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 224/238] Input: ati_remote2 - fix crashes on detecting device with invalid descriptor
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 223/238] Input: ims-pcu - sanity check against missing interfaces Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 225/238] ocfs2: o2hb: fix double free bug Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ralf Spenneberg, Vladis Dronov,
	Dmitry Torokhov

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vladis Dronov <vdronov@redhat.com>

commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d upstream.

The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given malicious descriptor that specify one
interface or no endpoints, it will crash in the probe function.
Ensure there is at least two interfaces and one endpoint for each
interface before using it.

The full disclosure: http://seclists.org/bugtraq/2016/Mar/90

Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/misc/ati_remote2.c |   36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

--- a/drivers/input/misc/ati_remote2.c
+++ b/drivers/input/misc/ati_remote2.c
@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_
 
 	ar2->udev = udev;
 
+	/* Sanity check, first interface must have an endpoint */
+	if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+		dev_err(&interface->dev,
+			"%s(): interface 0 must have an endpoint\n", __func__);
+		r = -ENODEV;
+		goto fail1;
+	}
 	ar2->intf[0] = interface;
 	ar2->ep[0] = &alt->endpoint[0].desc;
 
+	/* Sanity check, the device must have two interfaces */
 	ar2->intf[1] = usb_ifnum_to_if(udev, 1);
+	if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
+		dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
+			__func__, udev->actconfig->desc.bNumInterfaces);
+		r = -ENODEV;
+		goto fail1;
+	}
+
 	r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
 	if (r)
 		goto fail1;
+
+	/* Sanity check, second interface must have an endpoint */
 	alt = ar2->intf[1]->cur_altsetting;
+	if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+		dev_err(&interface->dev,
+			"%s(): interface 1 must have an endpoint\n", __func__);
+		r = -ENODEV;
+		goto fail2;
+	}
 	ar2->ep[1] = &alt->endpoint[0].desc;
 
 	r = ati_remote2_urb_init(ar2);
 	if (r)
-		goto fail2;
+		goto fail3;
 
 	ar2->channel_mask = channel_mask;
 	ar2->mode_mask = mode_mask;
 
 	r = ati_remote2_setup(ar2, ar2->channel_mask);
 	if (r)
-		goto fail2;
+		goto fail3;
 
 	usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
 	strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_
 
 	r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
 	if (r)
-		goto fail2;
+		goto fail3;
 
 	r = ati_remote2_input_init(ar2);
 	if (r)
-		goto fail3;
+		goto fail4;
 
 	usb_set_intfdata(interface, ar2);
 
@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_
 
 	return 0;
 
- fail3:
+ fail4:
 	sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
- fail2:
+ fail3:
 	ati_remote2_urb_cleanup(ar2);
+ fail2:
 	usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
  fail1:
 	kfree(ar2);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 225/238] ocfs2: o2hb: fix double free bug
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 224/238] Input: ati_remote2 - fix crashes on detecting device with invalid descriptor Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 226/238] ocfs2/dlm: fix race between convert and recovery Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junxiao Bi, Joseph Qi, Mark Fasheh,
	Joel Becker, Andrew Morton, Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Junxiao Bi <junxiao.bi@oracle.com>

commit 9e13f1f9de1cb143fbae6f1170f26c8544b64cff upstream.

This is a regression issue and caused the following kernel panic when do
ocfs2 multiple test.

  BUG: unable to handle kernel paging request at 00000002000800c0
  IP: [<ffffffff81192978>] kmem_cache_alloc+0x78/0x160
  PGD 7bbe5067 PUD 0
  Oops: 0000 [#1] SMP
  Modules linked in: ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi xen_kbdfront xen_netfront xen_fbfront xen_blkfront
  CPU: 2 PID: 4044 Comm: mpirun Not tainted 4.5.0-rc5-next-20160225 #1
  Hardware name: Xen HVM domU, BIOS 4.3.1OVM 05/14/2014
  task: ffff88007a521a80 ti: ffff88007aed0000 task.ti: ffff88007aed0000
  RIP: 0010:[<ffffffff81192978>]  [<ffffffff81192978>] kmem_cache_alloc+0x78/0x160
  RSP: 0018:ffff88007aed3a48  EFLAGS: 00010282
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000001991
  RDX: 0000000000001990 RSI: 00000000024000c0 RDI: 000000000001b330
  RBP: ffff88007aed3a98 R08: ffff88007d29b330 R09: 00000002000800c0
  R10: 0000000c51376d87 R11: ffff8800792cac38 R12: ffff88007cc30f00
  R13: 00000000024000c0 R14: ffffffff811b053f R15: ffff88007aed3ce7
  FS:  0000000000000000(0000) GS:ffff88007d280000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000002000800c0 CR3: 000000007aeb2000 CR4: 00000000000406e0
  Call Trace:
    __d_alloc+0x2f/0x1a0
    d_alloc+0x17/0x80
    lookup_dcache+0x8a/0xc0
    path_openat+0x3c3/0x1210
    do_filp_open+0x80/0xe0
    do_sys_open+0x110/0x200
    SyS_open+0x19/0x20
    do_syscall_64+0x72/0x230
    entry_SYSCALL64_slow_path+0x25/0x25
  Code: 05 e6 77 e7 7e 4d 8b 08 49 8b 40 10 4d 85 c9 0f 84 dd 00 00 00 48 85 c0 0f 84 d4 00 00 00 49 63 44 24 20 49 8b 3c 24 48 8d 4a 01 <49> 8b 1c 01 4c 89 c8 65 48 0f c7 0f 0f 94 c0 3c 01 75 b6 49 63
  RIP   kmem_cache_alloc+0x78/0x160
  CR2: 00000002000800c0
  ---[ end trace 823969e602e4aaac ]---

Fixes: a4a1dfa4bb8b("ocfs2/cluster: fix memory leak in o2hb_region_release")
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: Joseph Qi <joseph.qi@huawei.com>
Cc: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ocfs2/cluster/heartbeat.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/ocfs2/cluster/heartbeat.c
+++ b/fs/ocfs2/cluster/heartbeat.c
@@ -1445,8 +1445,8 @@ static void o2hb_region_release(struct c
 	debugfs_remove(reg->hr_debug_dir);
 	kfree(reg->hr_db_livenodes);
 	kfree(reg->hr_db_regnum);
-	kfree(reg->hr_debug_elapsed_time);
-	kfree(reg->hr_debug_pinned);
+	kfree(reg->hr_db_elapsed_time);
+	kfree(reg->hr_db_pinned);
 
 	spin_lock(&o2hb_live_lock);
 	list_del(&reg->hr_all_item);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 226/238] ocfs2/dlm: fix race between convert and recovery
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 225/238] ocfs2: o2hb: fix double free bug Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 227/238] ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joseph Qi, Yiwen Jiang, Junxiao Bi,
	Mark Fasheh, Joel Becker, Tariq Saeed, Andrew Morton,
	Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joseph Qi <joseph.qi@huawei.com>

commit ac7cf246dfdbec3d8fed296c7bf30e16f5099dac upstream.

There is a race window between dlmconvert_remote and
dlm_move_lockres_to_recovery_list, which will cause a lock with
OCFS2_LOCK_BUSY in grant list, thus system hangs.

dlmconvert_remote
{
        spin_lock(&res->spinlock);
        list_move_tail(&lock->list, &res->converting);
        lock->convert_pending = 1;
        spin_unlock(&res->spinlock);

        status = dlm_send_remote_convert_request();
        >>>>>> race window, master has queued ast and return DLM_NORMAL,
               and then down before sending ast.
               this node detects master down and calls
               dlm_move_lockres_to_recovery_list, which will revert the
               lock to grant list.
               Then OCFS2_LOCK_BUSY won't be cleared as new master won't
               send ast any more because it thinks already be authorized.

        spin_lock(&res->spinlock);
        lock->convert_pending = 0;
        if (status != DLM_NORMAL)
                dlm_revert_pending_convert(res, lock);
        spin_unlock(&res->spinlock);
}

In this case, check if res->state has DLM_LOCK_RES_RECOVERING bit set
(res is still in recovering) or res master changed (new master has
finished recovery), reset the status to DLM_RECOVERING, then it will
retry convert.

Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
Reported-by: Yiwen Jiang <jiangyiwen@huawei.com>
Reviewed-by: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Tariq Saeed <tariq.x.saeed@oracle.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ocfs2/dlm/dlmconvert.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/fs/ocfs2/dlm/dlmconvert.c
+++ b/fs/ocfs2/dlm/dlmconvert.c
@@ -262,6 +262,7 @@ enum dlm_status dlmconvert_remote(struct
 				  struct dlm_lock *lock, int flags, int type)
 {
 	enum dlm_status status;
+	u8 old_owner = res->owner;
 
 	mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
 	     lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
@@ -316,11 +317,19 @@ enum dlm_status dlmconvert_remote(struct
 	spin_lock(&res->spinlock);
 	res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
 	lock->convert_pending = 0;
-	/* if it failed, move it back to granted queue */
+	/* if it failed, move it back to granted queue.
+	 * if master returns DLM_NORMAL and then down before sending ast,
+	 * it may have already been moved to granted queue, reset to
+	 * DLM_RECOVERING and retry convert */
 	if (status != DLM_NORMAL) {
 		if (status != DLM_NOTQUEUED)
 			dlm_error(status);
 		dlm_revert_pending_convert(res, lock);
+	} else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
+			(old_owner != res->owner)) {
+		mlog(0, "res %.*s is in recovering or has been recovered.\n",
+				res->lockname.len, res->lockname.name);
+		status = DLM_RECOVERING;
 	}
 bail:
 	spin_unlock(&res->spinlock);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 227/238] ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 226/238] ocfs2/dlm: fix race between convert and recovery Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 228/238] mm/page_alloc: prevent merging between isolated and other pageblocks Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joseph Qi, Yiwen Jiang, Junxiao Bi,
	Mark Fasheh, Joel Becker, Tariq Saeed, Andrew Morton,
	Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Joseph Qi <joseph.qi@huawei.com>

commit be12b299a83fc807bbaccd2bcb8ec50cbb0cb55c upstream.

When master handles convert request, it queues ast first and then
returns status.  This may happen that the ast is sent before the request
status because the above two messages are sent by two threads.  And
right after the ast is sent, if master down, it may trigger BUG in
dlm_move_lockres_to_recovery_list in the requested node because ast
handler moves it to grant list without clear lock->convert_pending.  So
remove BUG_ON statement and check if the ast is processed in
dlmconvert_remote.

Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
Reported-by: Yiwen Jiang <jiangyiwen@huawei.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Tariq Saeed <tariq.x.saeed@oracle.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ocfs2/dlm/dlmconvert.c  |   13 +++++++++++++
 fs/ocfs2/dlm/dlmrecovery.c |    1 -
 2 files changed, 13 insertions(+), 1 deletion(-)

--- a/fs/ocfs2/dlm/dlmconvert.c
+++ b/fs/ocfs2/dlm/dlmconvert.c
@@ -288,6 +288,19 @@ enum dlm_status dlmconvert_remote(struct
 		status = DLM_DENIED;
 		goto bail;
 	}
+
+	if (lock->ml.type == type && lock->ml.convert_type == LKM_IVMODE) {
+		mlog(0, "last convert request returned DLM_RECOVERING, but "
+		     "owner has already queued and sent ast to me. res %.*s, "
+		     "(cookie=%u:%llu, type=%d, conv=%d)\n",
+		     res->lockname.len, res->lockname.name,
+		     dlm_get_lock_cookie_node(be64_to_cpu(lock->ml.cookie)),
+		     dlm_get_lock_cookie_seq(be64_to_cpu(lock->ml.cookie)),
+		     lock->ml.type, lock->ml.convert_type);
+		status = DLM_NORMAL;
+		goto bail;
+	}
+
 	res->state |= DLM_LOCK_RES_IN_PROGRESS;
 	/* move lock to local convert queue */
 	/* do not alter lock refcount.  switching lists. */
--- a/fs/ocfs2/dlm/dlmrecovery.c
+++ b/fs/ocfs2/dlm/dlmrecovery.c
@@ -2071,7 +2071,6 @@ void dlm_move_lockres_to_recovery_list(s
 			dlm_lock_get(lock);
 			if (lock->convert_pending) {
 				/* move converting lock back to granted */
-				BUG_ON(i != DLM_CONVERTING_LIST);
 				mlog(0, "node died with convert pending "
 				     "on %.*s. move back to granted list.\n",
 				     res->lockname.len, res->lockname.name);

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 228/238] mm/page_alloc: prevent merging between isolated and other pageblocks
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (216 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 227/238] ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 229/238] mtd: onenand: fix deadlock in onenand_block_markbad Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vlastimil Babka, Hanjun Guo,
	Joonsoo Kim, Mel Gorman, Kirill A. Shutemov, Johannes Weiner,
	Minchan Kim, Yasuaki Ishimatsu, Zhang Yanfei, Michal Nazarewicz,
	Naoya Horiguchi, Aneesh Kumar K.V, Andrew Morton, Linus Torvalds

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vlastimil Babka <vbabka@suse.cz>

commit d9dddbf556674bf125ecd925b24e43a5cf2a568a upstream.

Hanjun Guo has reported that a CMA stress test causes broken accounting of
CMA and free pages:

> Before the test, I got:
> -bash-4.3# cat /proc/meminfo | grep Cma
> CmaTotal:         204800 kB
> CmaFree:          195044 kB
>
>
> After running the test:
> -bash-4.3# cat /proc/meminfo | grep Cma
> CmaTotal:         204800 kB
> CmaFree:         6602584 kB
>
> So the freed CMA memory is more than total..
>
> Also the the MemFree is more than mem total:
>
> -bash-4.3# cat /proc/meminfo
> MemTotal:       16342016 kB
> MemFree:        22367268 kB
> MemAvailable:   22370528 kB

Laura Abbott has confirmed the issue and suspected the freepage accounting
rewrite around 3.18/4.0 by Joonsoo Kim.  Joonsoo had a theory that this is
caused by unexpected merging between MIGRATE_ISOLATE and MIGRATE_CMA
pageblocks:

> CMA isolates MAX_ORDER aligned blocks, but, during the process,
> partialy isolated block exists. If MAX_ORDER is 11 and
> pageblock_order is 9, two pageblocks make up MAX_ORDER
> aligned block and I can think following scenario because pageblock
> (un)isolation would be done one by one.
>
> (each character means one pageblock. 'C', 'I' means MIGRATE_CMA,
> MIGRATE_ISOLATE, respectively.
>
> CC -> IC -> II (Isolation)
> II -> CI -> CC (Un-isolation)
>
> If some pages are freed at this intermediate state such as IC or CI,
> that page could be merged to the other page that is resident on
> different type of pageblock and it will cause wrong freepage count.

This was supposed to be prevented by CMA operating on MAX_ORDER blocks,
but since it doesn't hold the zone->lock between pageblocks, a race
window does exist.

It's also likely that unexpected merging can occur between
MIGRATE_ISOLATE and non-CMA pageblocks.  This should be prevented in
__free_one_page() since commit 3c605096d315 ("mm/page_alloc: restrict
max order of merging on isolated pageblock").  However, we only check
the migratetype of the pageblock where buddy merging has been initiated,
not the migratetype of the buddy pageblock (or group of pageblocks)
which can be MIGRATE_ISOLATE.

Joonsoo has suggested checking for buddy migratetype as part of
page_is_buddy(), but that would add extra checks in allocator hotpath
and bloat-o-meter has shown significant code bloat (the function is
inline).

This patch reduces the bloat at some expense of more complicated code.
The buddy-merging while-loop in __free_one_page() is initially bounded
to pageblock_border and without any migratetype checks.  The checks are
placed outside, bumping the max_order if merging is allowed, and
returning to the while-loop with a statement which can't be possibly
considered harmful.

This fixes the accounting bug and also removes the arguably weird state
in the original commit 3c605096d315 where buddies could be left
unmerged.

Fixes: 3c605096d315 ("mm/page_alloc: restrict max order of merging on isolated pageblock")
Link: https://lkml.org/lkml/2016/3/2/280
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Hanjun Guo <guohanjun@huawei.com>
Tested-by: Hanjun Guo <guohanjun@huawei.com>
Acked-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Debugged-by: Laura Abbott <labbott@redhat.com>
Debugged-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Cc: Zhang Yanfei <zhangyanfei@cn.fujitsu.com>
Cc: Michal Nazarewicz <mina86@mina86.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/page_alloc.c |   46 +++++++++++++++++++++++++++++++++-------------
 1 file changed, 33 insertions(+), 13 deletions(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -660,34 +660,28 @@ static inline void __free_one_page(struc
 	unsigned long combined_idx;
 	unsigned long uninitialized_var(buddy_idx);
 	struct page *buddy;
-	unsigned int max_order = MAX_ORDER;
+	unsigned int max_order;
+
+	max_order = min_t(unsigned int, MAX_ORDER, pageblock_order + 1);
 
 	VM_BUG_ON(!zone_is_initialized(zone));
 	VM_BUG_ON_PAGE(page->flags & PAGE_FLAGS_CHECK_AT_PREP, page);
 
 	VM_BUG_ON(migratetype == -1);
-	if (is_migrate_isolate(migratetype)) {
-		/*
-		 * We restrict max order of merging to prevent merge
-		 * between freepages on isolate pageblock and normal
-		 * pageblock. Without this, pageblock isolation
-		 * could cause incorrect freepage accounting.
-		 */
-		max_order = min_t(unsigned int, MAX_ORDER, pageblock_order + 1);
-	} else {
+	if (likely(!is_migrate_isolate(migratetype)))
 		__mod_zone_freepage_state(zone, 1 << order, migratetype);
-	}
 
-	page_idx = pfn & ((1 << max_order) - 1);
+	page_idx = pfn & ((1 << MAX_ORDER) - 1);
 
 	VM_BUG_ON_PAGE(page_idx & ((1 << order) - 1), page);
 	VM_BUG_ON_PAGE(bad_range(zone, page), page);
 
+continue_merging:
 	while (order < max_order - 1) {
 		buddy_idx = __find_buddy_index(page_idx, order);
 		buddy = page + (buddy_idx - page_idx);
 		if (!page_is_buddy(page, buddy, order))
-			break;
+			goto done_merging;
 		/*
 		 * Our buddy is free or it is CONFIG_DEBUG_PAGEALLOC guard page,
 		 * merge with it and move up one order.
@@ -704,6 +698,32 @@ static inline void __free_one_page(struc
 		page_idx = combined_idx;
 		order++;
 	}
+	if (max_order < MAX_ORDER) {
+		/* If we are here, it means order is >= pageblock_order.
+		 * We want to prevent merge between freepages on isolate
+		 * pageblock and normal pageblock. Without this, pageblock
+		 * isolation could cause incorrect freepage or CMA accounting.
+		 *
+		 * We don't want to hit this code for the more frequent
+		 * low-order merging.
+		 */
+		if (unlikely(has_isolate_pageblock(zone))) {
+			int buddy_mt;
+
+			buddy_idx = __find_buddy_index(page_idx, order);
+			buddy = page + (buddy_idx - page_idx);
+			buddy_mt = get_pageblock_migratetype(buddy);
+
+			if (migratetype != buddy_mt
+					&& (is_migrate_isolate(migratetype) ||
+						is_migrate_isolate(buddy_mt)))
+				goto done_merging;
+		}
+		max_order++;
+		goto continue_merging;
+	}
+
+done_merging:
 	set_page_order(page, order);
 
 	/*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 229/238] mtd: onenand: fix deadlock in onenand_block_markbad
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (217 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 228/238] mm/page_alloc: prevent merging between isolated and other pageblocks Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 230/238] intel_idle: prevent SKL-H boot failure when C8+C9+C10 enabled Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, Artem Bityutskiy,
	Brian Norris

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aaro Koskinen <aaro.koskinen@iki.fi>

commit 5e64c29e98bfbba1b527b0a164f9493f3db9e8cb upstream.

Commit 5942ddbc500d ("mtd: introduce mtd_block_markbad interface")
incorrectly changed onenand_block_markbad() to call mtd_block_markbad
instead of onenand_chip's block_markbad function. As a result the function
will now recurse and deadlock. Fix by reverting the change.

Fixes: 5942ddbc500d ("mtd: introduce mtd_block_markbad interface")
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Acked-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/onenand/onenand_base.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/mtd/onenand/onenand_base.c
+++ b/drivers/mtd/onenand/onenand_base.c
@@ -2599,6 +2599,7 @@ static int onenand_default_block_markbad
  */
 static int onenand_block_markbad(struct mtd_info *mtd, loff_t ofs)
 {
+	struct onenand_chip *this = mtd->priv;
 	int ret;
 
 	ret = onenand_block_isbad(mtd, ofs);
@@ -2610,7 +2611,7 @@ static int onenand_block_markbad(struct
 	}
 
 	onenand_get_device(mtd, FL_WRITING);
-	ret = mtd_block_markbad(mtd, ofs);
+	ret = this->block_markbad(mtd, ofs);
 	onenand_release_device(mtd);
 	return ret;
 }

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 230/238] intel_idle: prevent SKL-H boot failure when C8+C9+C10 enabled
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (218 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 229/238] mtd: onenand: fix deadlock in onenand_block_markbad Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 231/238] PM / sleep: Clear pm_suspend_global_flags upon hibernate Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Len Brown

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Len Brown <len.brown@intel.com>

commit d70e28f57e14a481977436695b0c9ba165472431 upstream.

Some SKL-H configurations require "intel_idle.max_cstate=7" to boot.
While that is an effective workaround, it disables C10.

This patch detects the problematic configuration,
and disables C8 and C9, keeping C10 enabled.

Note that enabling SGX in BIOS SETUP can also prevent this issue,
if the system BIOS provides that option.

https://bugzilla.kernel.org/show_bug.cgi?id=109081
"Freezes with Intel i7 6700HQ (Skylake), unless intel_idle.max_cstate=7"

Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/idle/intel_idle.c |  106 ++++++++++++++++++++++++++++++++++++----------
 1 file changed, 85 insertions(+), 21 deletions(-)

--- a/drivers/idle/intel_idle.c
+++ b/drivers/idle/intel_idle.c
@@ -65,7 +65,7 @@
 #include <asm/mwait.h>
 #include <asm/msr.h>
 
-#define INTEL_IDLE_VERSION "0.4"
+#define INTEL_IDLE_VERSION "0.4.1"
 #define PREFIX "intel_idle: "
 
 static struct cpuidle_driver intel_idle_driver = {
@@ -994,36 +994,92 @@ static void intel_idle_cpuidle_devices_u
 }
 
 /*
- * intel_idle_state_table_update()
- *
- * Update the default state_table for this CPU-id
+ * ivt_idle_state_table_update(void)
  *
- * Currently used to access tuned IVT multi-socket targets
+ * Tune IVT multi-socket targets
  * Assumption: num_sockets == (max_package_num + 1)
  */
-void intel_idle_state_table_update(void)
+static void ivt_idle_state_table_update(void)
 {
 	/* IVT uses a different table for 1-2, 3-4, and > 4 sockets */
-	if (boot_cpu_data.x86_model == 0x3e) { /* IVT */
-		int cpu, package_num, num_sockets = 1;
+	int cpu, package_num, num_sockets = 1;
 
-		for_each_online_cpu(cpu) {
-			package_num = topology_physical_package_id(cpu);
-			if (package_num + 1 > num_sockets) {
-				num_sockets = package_num + 1;
-
-				if (num_sockets > 4) {
-					cpuidle_state_table = ivt_cstates_8s;
-					return;
-				}
+	for_each_online_cpu(cpu) {
+		package_num = topology_physical_package_id(cpu);
+		if (package_num + 1 > num_sockets) {
+			num_sockets = package_num + 1;
+
+			if (num_sockets > 4) {
+				cpuidle_state_table = ivt_cstates_8s;
+				return;
 			}
 		}
+	}
+
+	if (num_sockets > 2)
+		cpuidle_state_table = ivt_cstates_4s;
+
+	/* else, 1 and 2 socket systems use default ivt_cstates */
+}
+/*
+ * sklh_idle_state_table_update(void)
+ *
+ * On SKL-H (model 0x5e) disable C8 and C9 if:
+ * C10 is enabled and SGX disabled
+ */
+static void sklh_idle_state_table_update(void)
+{
+	unsigned long long msr;
+	unsigned int eax, ebx, ecx, edx;
+
+
+	/* if PC10 disabled via cmdline intel_idle.max_cstate=7 or shallower */
+	if (max_cstate <= 7)
+		return;
+
+	/* if PC10 not present in CPUID.MWAIT.EDX */
+	if ((mwait_substates & (0xF << 28)) == 0)
+		return;
+
+	rdmsrl(MSR_NHM_SNB_PKG_CST_CFG_CTL, msr);
+
+	/* PC10 is not enabled in PKG C-state limit */
+	if ((msr & 0xF) != 8)
+		return;
+
+	ecx = 0;
+	cpuid(7, &eax, &ebx, &ecx, &edx);
+
+	/* if SGX is present */
+	if (ebx & (1 << 2)) {
+
+		rdmsrl(MSR_IA32_FEATURE_CONTROL, msr);
 
-		if (num_sockets > 2)
-			cpuidle_state_table = ivt_cstates_4s;
-		/* else, 1 and 2 socket systems use default ivt_cstates */
+		/* if SGX is enabled */
+		if (msr & (1 << 18))
+			return;
+	}
+
+	skl_cstates[5].disabled = 1;	/* C8-SKL */
+	skl_cstates[6].disabled = 1;	/* C9-SKL */
+}
+/*
+ * intel_idle_state_table_update()
+ *
+ * Update the default state_table for this CPU-id
+ */
+
+static void intel_idle_state_table_update(void)
+{
+	switch (boot_cpu_data.x86_model) {
+
+	case 0x3e: /* IVT */
+		ivt_idle_state_table_update();
+		break;
+	case 0x5e: /* SKL-H */
+		sklh_idle_state_table_update();
+		break;
 	}
-	return;
 }
 
 /*
@@ -1063,6 +1119,14 @@ static int __init intel_idle_cpuidle_dri
 		if (num_substates == 0)
 			continue;
 
+		/* if state marked as disabled, skip it */
+		if (cpuidle_state_table[cstate].disabled != 0) {
+			pr_debug(PREFIX "state %s is disabled",
+				cpuidle_state_table[cstate].name);
+			continue;
+		}
+
+
 		if (((mwait_cstate + 1) > 2) &&
 			!boot_cpu_has(X86_FEATURE_NONSTOP_TSC))
 			mark_tsc_unstable("TSC halts in idle"

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 231/238] PM / sleep: Clear pm_suspend_global_flags upon hibernate
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (219 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 230/238] intel_idle: prevent SKL-H boot failure when C8+C9+C10 enabled Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 232/238] scsi_common: do not clobber fixed sense information Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lukas Wunner, Rafael J. Wysocki

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lukas@wunner.de>

commit 276142730c39c9839465a36a90e5674a8c34e839 upstream.

When suspending to RAM, waking up and later suspending to disk,
we gratuitously runtime resume devices after the thaw phase.
This does not occur if we always suspend to RAM or always to disk.

pm_complete_with_resume_check(), which gets called from
pci_pm_complete() among others, schedules a runtime resume
if PM_SUSPEND_FLAG_FW_RESUME is set. The flag is set during
a suspend-to-RAM cycle. It is cleared at the beginning of
the suspend-to-RAM cycle but not afterwards and it is not
cleared during a suspend-to-disk cycle at all. Fix it.

Fixes: ef25ba047601 (PM / sleep: Add flags to indicate platform firmware involvement)
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/power/hibernate.c |    1 +
 1 file changed, 1 insertion(+)

--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -339,6 +339,7 @@ int hibernation_snapshot(int platform_mo
 	pm_message_t msg;
 	int error;
 
+	pm_suspend_clear_flags();
 	error = platform_begin(platform_mode);
 	if (error)
 		goto Close;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 232/238] scsi_common: do not clobber fixed sense information
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (220 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 231/238] PM / sleep: Clear pm_suspend_global_flags upon hibernate Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 233/238] sched/cputime: Fix steal time accounting vs. CPU hotplug Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hannes Reinecke, Lee Duncan,
	Bart Van Assche, Ewan D. Milne, Martin K. Petersen

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Hannes Reinecke <hare@suse.de>

commit ba08311647892cc7912de74525fd78416caf544a upstream.

For fixed sense the information field is 32 bits, to we need to truncate
the information field to avoid clobbering the sense code.

Fixes: a1524f226a02 ("libata-eh: Set 'information' field for autosense")
Signed-off-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_common.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/scsi/scsi_common.c
+++ b/drivers/scsi/scsi_common.c
@@ -278,8 +278,16 @@ int scsi_set_sense_information(u8 *buf,
 		ucp[3] = 0;
 		put_unaligned_be64(info, &ucp[4]);
 	} else if ((buf[0] & 0x7f) == 0x70) {
-		buf[0] |= 0x80;
-		put_unaligned_be64(info, &buf[3]);
+		/*
+		 * Only set the 'VALID' bit if we can represent the value
+		 * correctly; otherwise just fill out the lower bytes and
+		 * clear the 'VALID' flag.
+		 */
+		if (info <= 0xffffffffUL)
+			buf[0] |= 0x80;
+		else
+			buf[0] &= 0x7f;
+		put_unaligned_be32((u32)info, &buf[3]);
 	}
 
 	return 0;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 233/238] sched/cputime: Fix steal time accounting vs. CPU hotplug
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (221 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 232/238] scsi_common: do not clobber fixed sense information Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 234/238] perf/x86/pebs: Add workaround for broken OVFL status on HSW+ Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Rik van Riel,
	Frederic Weisbecker, Glauber Costa, Linus Torvalds,
	Peter Zijlstra, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <tglx@linutronix.de>

commit e9532e69b8d1d1284e8ecf8d2586de34aec61244 upstream.

On CPU hotplug the steal time accounting can keep a stale rq->prev_steal_time
value over CPU down and up. So after the CPU comes up again the delta
calculation in steal_account_process_tick() wreckages itself due to the
unsigned math:

	 u64 steal = paravirt_steal_clock(smp_processor_id());

	 steal -= this_rq()->prev_steal_time;

So if steal is smaller than rq->prev_steal_time we end up with an insane large
value which then gets added to rq->prev_steal_time, resulting in a permanent
wreckage of the accounting. As a consequence the per CPU stats in /proc/stat
become stale.

Nice trick to tell the world how idle the system is (100%) while the CPU is
100% busy running tasks. Though we prefer realistic numbers.

None of the accounting values which use a previous value to account for
fractions is reset at CPU hotplug time. update_rq_clock_task() has a sanity
check for prev_irq_time and prev_steal_time_rq, but that sanity check solely
deals with clock warps and limits the /proc/stat visible wreckage. The
prev_time values are still wrong.

Solution is simple: Reset rq->prev_*_time when the CPU is plugged in again.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Glauber Costa <glommer@parallels.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Fixes: commit 095c0aa83e52 "sched: adjust scheduler cpu power for stolen time"
Fixes: commit aa483808516c "sched: Remove irq time from available CPU power"
Fixes: commit e6e6685accfa "KVM guest: Steal time accounting"
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1603041539490.3686@nanos
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/sched/core.c  |    1 +
 kernel/sched/sched.h |   13 +++++++++++++
 2 files changed, 14 insertions(+)

--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5630,6 +5630,7 @@ migration_call(struct notifier_block *nf
 
 	case CPU_UP_PREPARE:
 		rq->calc_load_update = calc_load_update;
+		account_reset_rq(rq);
 		break;
 
 	case CPU_ONLINE:
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -1738,3 +1738,16 @@ static inline u64 irq_time_read(int cpu)
 }
 #endif /* CONFIG_64BIT */
 #endif /* CONFIG_IRQ_TIME_ACCOUNTING */
+
+static inline void account_reset_rq(struct rq *rq)
+{
+#ifdef CONFIG_IRQ_TIME_ACCOUNTING
+	rq->prev_irq_time = 0;
+#endif
+#ifdef CONFIG_PARAVIRT
+	rq->prev_steal_time = 0;
+#endif
+#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING
+	rq->prev_steal_time_rq = 0;
+#endif
+}

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 234/238] perf/x86/pebs: Add workaround for broken OVFL status on HSW+
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 233/238] sched/cputime: Fix steal time accounting vs. CPU hotplug Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 235/238] perf/x86/intel/uncore: Remove SBOX support for BDX-DE Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephane Eranian,
	Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Thomas Gleixner, Vince Weaver, adrian.hunter,
	kan.liang, namhyung, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephane Eranian <eranian@google.com>

commit 8077eca079a212f26419c57226f28696b7100683 upstream.

This patch fixes an issue with the GLOBAL_OVERFLOW_STATUS bits on
Haswell, Broadwell and Skylake processors when using PEBS.

The SDM stipulates that when the PEBS iterrupt threshold is crossed,
an interrupt is posted and the kernel is interrupted. The kernel will
find GLOBAL_OVF_SATUS bit 62 set indicating there are PEBS records to
drain. But the bits corresponding to the actual counters should NOT be
set. The kernel follows the SDM and assumes that all PEBS events are
processed in the drain_pebs() callback. The kernel then checks for
remaining overflows on any other (non-PEBS) events and processes these
in the for_each_bit_set(&status) loop.

As it turns out, under certain conditions on HSW and later processors,
on PEBS buffer interrupt, bit 62 is set but the counter bits may be
set as well. In that case, the kernel drains PEBS and generates
SAMPLES with the EXACT tag, then it processes the counter bits, and
generates normal (non-EXACT) SAMPLES.

I ran into this problem by trying to understand why on HSW sampling on
a PEBS event was sometimes returning SAMPLES without the EXACT tag.
This should not happen on user level code because HSW has the
eventing_ip which always point to the instruction that caused the
event.

The workaround in this patch simply ensures that the bits for the
counters used for PEBS events are cleared after the PEBS buffer has
been drained. With this fix 100% of the PEBS samples on my user code
report the EXACT tag.

Before:
  $ perf record -e cpu/event=0xd0,umask=0x81/upp ./multichase
  $ perf report -D | fgrep SAMPLES
  PERF_RECORD_SAMPLE(IP, 0x2): 11775/11775: 0x406de5 period: 73469 addr: 0 exact=Y
                           \--- EXACT tag is missing

After:
  $ perf record -e cpu/event=0xd0,umask=0x81/upp ./multichase
  $ perf report -D | fgrep SAMPLES
  PERF_RECORD_SAMPLE(IP, 0x4002): 11775/11775: 0x406de5 period: 73469 addr: 0 exact=Y
                           \--- EXACT tag is set

The problem tends to appear more often when multiple PEBS events are used.

Signed-off-by: Stephane Eranian <eranian@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: adrian.hunter@intel.com
Cc: kan.liang@intel.com
Cc: namhyung@kernel.org
Link: http://lkml.kernel.org/r/1457034642-21837-3-git-send-email-eranian@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/perf_event_intel.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -1884,6 +1884,16 @@ again:
 	if (__test_and_clear_bit(62, (unsigned long *)&status)) {
 		handled++;
 		x86_pmu.drain_pebs(regs);
+		/*
+		 * There are cases where, even though, the PEBS ovfl bit is set
+		 * in GLOBAL_OVF_STATUS, the PEBS events may also have their
+		 * overflow bits set for their counters. We must clear them
+		 * here because they have been processed as exact samples in
+		 * the drain_pebs() routine. They must not be processed again
+		 * in the for_each_bit_set() loop for regular samples below.
+		 */
+		status &= ~cpuc->pebs_enabled;
+		status &= x86_pmu.intel_ctrl | GLOBAL_STATUS_TRACE_TOPAPMI;
 	}
 
 	/*

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 235/238] perf/x86/intel/uncore: Remove SBOX support for BDX-DE
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (223 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 234/238] perf/x86/pebs: Add workaround for broken OVFL status on HSW+ Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 236/238] [PATCH 3/5] perf/x86/intel: Fix PEBS warning by only restoring active PMU in pmi Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kan Liang, Peter Zijlstra (Intel),
	tonyb, Arnaldo Carvalho de Melo, Jiri Olsa, Linus Torvalds,
	Stephane Eranian, Thomas Gleixner, Vince Weaver, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kan Liang <kan.liang@intel.com>

commit e178b147e530c12a95871e78569554666fe01c0f upstream.

BDX-DE and BDX-EP share the same uncore code path. But there is no sbox
in BDX-DE. This patch remove SBOX support for BDX-DE.

Signed-off-by: Kan Liang <kan.liang@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: <tonyb@cybernetics.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tony Battersby <tonyb@cybernetics.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Link: http://lkml.kernel.org/r/37D7C6CF3E00A74B8858931C1DB2F0770589D336@SHSMSX103.ccr.corp.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore_snbep.c
@@ -2875,11 +2875,13 @@ static struct intel_uncore_type bdx_unco
 	.format_group		= &hswep_uncore_sbox_format_group,
 };
 
+#define BDX_MSR_UNCORE_SBOX	3
+
 static struct intel_uncore_type *bdx_msr_uncores[] = {
 	&bdx_uncore_ubox,
 	&bdx_uncore_cbox,
-	&bdx_uncore_sbox,
 	&hswep_uncore_pcu,
+	&bdx_uncore_sbox,
 	NULL,
 };
 
@@ -2888,6 +2890,10 @@ void bdx_uncore_cpu_init(void)
 	if (bdx_uncore_cbox.num_boxes > boot_cpu_data.x86_max_cores)
 		bdx_uncore_cbox.num_boxes = boot_cpu_data.x86_max_cores;
 	uncore_msr_uncores = bdx_msr_uncores;
+
+	/* BDX-DE doesn't have SBOX */
+	if (boot_cpu_data.x86_model == 86)
+		uncore_msr_uncores[BDX_MSR_UNCORE_SBOX] = NULL;
 }
 
 static struct intel_uncore_type bdx_uncore_ha = {

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 236/238] [PATCH 3/5] perf/x86/intel: Fix PEBS warning by only restoring active PMU in pmi
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 235/238] perf/x86/intel/uncore: Remove SBOX support for BDX-DE Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 237/238] perf/x86/intel: Use PAGE_SIZE for PEBS buffer size on Core2 Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kan Liang, Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kan Liang <kan.liang@intel.com>

commit 48253050e1a4b8b82c775185c1bc066a2a826f14 upstream.

This patch tries to fix a PEBS warning found in my stress test. The
following perf command can easily trigger the pebs warning or spurious
NMI error on Skylake/Broadwell/Haswell platforms:

  sudo perf record -e 'cpu/umask=0x04,event=0xc4/pp,cycles,branches,ref-cycles,cache-misses,cache-references' --call-graph fp -b -c1000 -a

Also the NMI watchdog must be enabled.

For this case, the events number is larger than counter number. So
perf has to do multiplexing.

In perf_mux_hrtimer_handler, it does perf_pmu_disable(), schedule out
old events, rotate_ctx, schedule in new events and finally
perf_pmu_enable().

If the old events include precise event, the MSR_IA32_PEBS_ENABLE
should be cleared when perf_pmu_disable().  The MSR_IA32_PEBS_ENABLE
should keep 0 until the perf_pmu_enable() is called and the new event is
precise event.

However, there is a corner case which could restore PEBS_ENABLE to
stale value during the above period. In perf_pmu_disable(), GLOBAL_CTRL
will be set to 0 to stop overflow and followed PMI. But there may be
pending PMI from an earlier overflow, which cannot be stopped. So even
GLOBAL_CTRL is cleared, the kernel still be possible to get PMI. At
the end of the PMI handler, __intel_pmu_enable_all() will be called,
which will restore the stale values if old events haven't scheduled
out.

Once the stale pebs value is set, it's impossible to be corrected if
the new events are non-precise. Because the pebs_enabled will be set
to 0. x86_pmu.enable_all() will ignore the MSR_IA32_PEBS_ENABLE
setting. As a result, the following NMI with stale PEBS_ENABLE
trigger pebs warning.

The pending PMI after enabled=0 will become harmless if the NMI handler
does not change the state. This patch checks cpuc->enabled in pmi and
only restore the state when PMU is active.

Here is the dump:

  Call Trace:
   <NMI>  [<ffffffff813c3a2e>] dump_stack+0x63/0x85
   [<ffffffff810a46f2>] warn_slowpath_common+0x82/0xc0
   [<ffffffff810a483a>] warn_slowpath_null+0x1a/0x20
   [<ffffffff8100fe2e>] intel_pmu_drain_pebs_nhm+0x2be/0x320
   [<ffffffff8100caa9>] intel_pmu_handle_irq+0x279/0x460
   [<ffffffff810639b6>] ? native_write_msr_safe+0x6/0x40
   [<ffffffff811f290d>] ? vunmap_page_range+0x20d/0x330
   [<ffffffff811f2f11>] ?  unmap_kernel_range_noflush+0x11/0x20
   [<ffffffff8148379f>] ? ghes_copy_tofrom_phys+0x10f/0x2a0
   [<ffffffff814839c8>] ? ghes_read_estatus+0x98/0x170
   [<ffffffff81005a7d>] perf_event_nmi_handler+0x2d/0x50
   [<ffffffff810310b9>] nmi_handle+0x69/0x120
   [<ffffffff810316f6>] default_do_nmi+0xe6/0x100
   [<ffffffff810317f2>] do_nmi+0xe2/0x130
   [<ffffffff817aea71>] end_repeat_nmi+0x1a/0x1e
   [<ffffffff810639b6>] ? native_write_msr_safe+0x6/0x40
   [<ffffffff810639b6>] ? native_write_msr_safe+0x6/0x40
   [<ffffffff810639b6>] ? native_write_msr_safe+0x6/0x40
   <<EOE>>  <IRQ>  [<ffffffff81006df8>] ?  x86_perf_event_set_period+0xd8/0x180
   [<ffffffff81006eec>] x86_pmu_start+0x4c/0x100
   [<ffffffff8100722d>] x86_pmu_enable+0x28d/0x300
   [<ffffffff811994d7>] perf_pmu_enable.part.81+0x7/0x10
   [<ffffffff8119cb70>] perf_mux_hrtimer_handler+0x200/0x280
   [<ffffffff8119c970>] ?  __perf_install_in_context+0xc0/0xc0
   [<ffffffff8110f92d>] __hrtimer_run_queues+0xfd/0x280
   [<ffffffff811100d8>] hrtimer_interrupt+0xa8/0x190
   [<ffffffff81199080>] ?  __perf_read_group_add.part.61+0x1a0/0x1a0
   [<ffffffff81051bd8>] local_apic_timer_interrupt+0x38/0x60
   [<ffffffff817af01d>] smp_apic_timer_interrupt+0x3d/0x50
   [<ffffffff817ad15c>] apic_timer_interrupt+0x8c/0xa0
   <EOI>  [<ffffffff81199080>] ?  __perf_read_group_add.part.61+0x1a0/0x1a0
   [<ffffffff81123de5>] ?  smp_call_function_single+0xd5/0x130
   [<ffffffff81123ddb>] ?  smp_call_function_single+0xcb/0x130
   [<ffffffff81199080>] ?  __perf_read_group_add.part.61+0x1a0/0x1a0
   [<ffffffff8119765a>] event_function_call+0x10a/0x120
   [<ffffffff8119c660>] ? ctx_resched+0x90/0x90
   [<ffffffff811971e0>] ? cpu_clock_event_read+0x30/0x30
   [<ffffffff811976d0>] ? _perf_event_disable+0x60/0x60
   [<ffffffff8119772b>] _perf_event_enable+0x5b/0x70
   [<ffffffff81197388>] perf_event_for_each_child+0x38/0xa0
   [<ffffffff811976d0>] ? _perf_event_disable+0x60/0x60
   [<ffffffff811a0ffd>] perf_ioctl+0x12d/0x3c0
   [<ffffffff8134d855>] ? selinux_file_ioctl+0x95/0x1e0
   [<ffffffff8124a3a1>] do_vfs_ioctl+0xa1/0x5a0
   [<ffffffff81036d29>] ? sched_clock+0x9/0x10
   [<ffffffff8124a919>] SyS_ioctl+0x79/0x90
   [<ffffffff817ac4b2>] entry_SYSCALL_64_fastpath+0x1a/0xa4
  ---[ end trace aef202839fe9a71d ]---
  Uhhuh. NMI received for unknown reason 2d on CPU 2.
  Do you have a strange power saving mode enabled?

Signed-off-by: Kan Liang <kan.liang@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Link: http://lkml.kernel.org/r/1457046448-6184-1-git-send-email-kan.liang@intel.com
[ Fixed various typos and other small details. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/perf_event.c       |   13 +++++++++++++
 arch/x86/kernel/cpu/perf_event_intel.c |   15 +++++++++++++--
 arch/x86/kernel/cpu/perf_event_knc.c   |    4 +++-
 3 files changed, 29 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -596,6 +596,19 @@ void x86_pmu_disable_all(void)
 	}
 }
 
+/*
+ * There may be PMI landing after enabled=0. The PMI hitting could be before or
+ * after disable_all.
+ *
+ * If PMI hits before disable_all, the PMU will be disabled in the NMI handler.
+ * It will not be re-enabled in the NMI handler again, because enabled=0. After
+ * handling the NMI, disable_all will be called, which will not change the
+ * state either. If PMI hits after disable_all, the PMU is already disabled
+ * before entering NMI handler. The NMI handler will not change the state
+ * either.
+ *
+ * So either situation is harmless.
+ */
 static void x86_pmu_disable(struct pmu *pmu)
 {
 	struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -1502,7 +1502,15 @@ static __initconst const u64 knl_hw_cach
 };
 
 /*
- * Use from PMIs where the LBRs are already disabled.
+ * Used from PMIs where the LBRs are already disabled.
+ *
+ * This function could be called consecutively. It is required to remain in
+ * disabled state if called consecutively.
+ *
+ * During consecutive calls, the same disable value will be written to related
+ * registers, so the PMU state remains unchanged. hw.state in
+ * intel_bts_disable_local will remain PERF_HES_STOPPED too in consecutive
+ * calls.
  */
 static void __intel_pmu_disable_all(void)
 {
@@ -1939,7 +1947,10 @@ again:
 		goto again;
 
 done:
-	__intel_pmu_enable_all(0, true);
+	/* Only restore PMU state when it's active. See x86_pmu_disable(). */
+	if (cpuc->enabled)
+		__intel_pmu_enable_all(0, true);
+
 	/*
 	 * Only unmask the NMI after the overflow counters
 	 * have been reset. This avoids spurious NMIs on
--- a/arch/x86/kernel/cpu/perf_event_knc.c
+++ b/arch/x86/kernel/cpu/perf_event_knc.c
@@ -263,7 +263,9 @@ again:
 		goto again;
 
 done:
-	knc_pmu_enable_all(0);
+	/* Only restore PMU state when it's active. See x86_pmu_disable(). */
+	if (cpuc->enabled)
+		knc_pmu_enable_all(0);
 
 	return handled;
 }

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 237/238] perf/x86/intel: Use PAGE_SIZE for PEBS buffer size on Core2
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (225 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 236/238] [PATCH 3/5] perf/x86/intel: Fix PEBS warning by only restoring active PMU in pmi Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-10 18:36 ` [PATCH 4.5 238/238] perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnaldo Carvalho de Melo, Jiri Olsa,
	Peter Zijlstra (Intel),
	Andi Kleen, Alexander Shishkin, Jiri Olsa, Kan Liang,
	Linus Torvalds, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	Wang Nan, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Olsa <jolsa@redhat.com>

commit 3135a66b768c5ee84c8a98b21d0330dc1c1234b4 upstream.

Using PAGE_SIZE buffers makes the WRMSR to PERF_GLOBAL_CTRL in
intel_pmu_enable_all() mysteriously hang on Core2. As a workaround, we
don't do this.

The hard lockup is easily triggered by running 'perf test attr'
repeatedly. Most of the time it gets stuck on sample session with
small periods.

  # perf test attr -vv
  14: struct perf_event_attr setup                             :
  --- start ---
  ...
    'PERF_TEST_ATTR=/tmp/tmpuEKz3B /usr/bin/perf record -o /tmp/tmpuEKz3B/perf.data -c 123 kill >/dev/null 2>&1' ret 1

Reported-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Andi Kleen <ak@linux.intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Kan Liang <kan.liang@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/r/20160301190352.GA8355@krava.redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/perf_event.h          |    1 +
 arch/x86/kernel/cpu/perf_event_intel_ds.c |   13 +++++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/cpu/perf_event.h
+++ b/arch/x86/kernel/cpu/perf_event.h
@@ -586,6 +586,7 @@ struct x86_pmu {
 			pebs_broken	:1,
 			pebs_prec_dist	:1;
 	int		pebs_record_size;
+	int		pebs_buffer_size;
 	void		(*drain_pebs)(struct pt_regs *regs);
 	struct event_constraint *pebs_constraints;
 	void		(*pebs_aliases)(struct perf_event *event);
--- a/arch/x86/kernel/cpu/perf_event_intel_ds.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c
@@ -269,7 +269,7 @@ static int alloc_pebs_buffer(int cpu)
 	if (!x86_pmu.pebs)
 		return 0;
 
-	buffer = kzalloc_node(PEBS_BUFFER_SIZE, GFP_KERNEL, node);
+	buffer = kzalloc_node(x86_pmu.pebs_buffer_size, GFP_KERNEL, node);
 	if (unlikely(!buffer))
 		return -ENOMEM;
 
@@ -286,7 +286,7 @@ static int alloc_pebs_buffer(int cpu)
 		per_cpu(insn_buffer, cpu) = ibuffer;
 	}
 
-	max = PEBS_BUFFER_SIZE / x86_pmu.pebs_record_size;
+	max = x86_pmu.pebs_buffer_size / x86_pmu.pebs_record_size;
 
 	ds->pebs_buffer_base = (u64)(unsigned long)buffer;
 	ds->pebs_index = ds->pebs_buffer_base;
@@ -1319,6 +1319,7 @@ void __init intel_ds_init(void)
 
 	x86_pmu.bts  = boot_cpu_has(X86_FEATURE_BTS);
 	x86_pmu.pebs = boot_cpu_has(X86_FEATURE_PEBS);
+	x86_pmu.pebs_buffer_size = PEBS_BUFFER_SIZE;
 	if (x86_pmu.pebs) {
 		char pebs_type = x86_pmu.intel_cap.pebs_trap ?  '+' : '-';
 		int format = x86_pmu.intel_cap.pebs_format;
@@ -1327,6 +1328,14 @@ void __init intel_ds_init(void)
 		case 0:
 			printk(KERN_CONT "PEBS fmt0%c, ", pebs_type);
 			x86_pmu.pebs_record_size = sizeof(struct pebs_record_core);
+			/*
+			 * Using >PAGE_SIZE buffers makes the WRMSR to
+			 * PERF_GLOBAL_CTRL in intel_pmu_enable_all()
+			 * mysteriously hang on Core2.
+			 *
+			 * As a workaround, we don't do this.
+			 */
+			x86_pmu.pebs_buffer_size = PAGE_SIZE;
 			x86_pmu.drain_pebs = intel_pmu_drain_pebs_core;
 			break;
 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* [PATCH 4.5 238/238] perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (226 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 237/238] perf/x86/intel: Use PAGE_SIZE for PEBS buffer size on Core2 Greg Kroah-Hartman
@ 2016-04-10 18:36 ` Greg Kroah-Hartman
  2016-04-11  6:43 ` [PATCH 4.5 000/238] 4.5.1-stable review Guenter Roeck
  2016-04-11 17:25 ` shuahkh
  229 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-10 18:36 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andi Kleen, Peter Zijlstra (Intel),
	Linus Torvalds, Thomas Gleixner, jolsa, Ingo Molnar

4.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Andi Kleen <ak@linux.intel.com>

commit 5e3f4cbd906c178510dccfed1131b007c96255ff upstream.

Jiri reported some time ago that some entries in the PEBS data source table
in perf do not agree with the SDM. We investigated and the bits
changed for Sandy Bridge, but the SDM was not updated.

perf already implements the bits correctly for Sandy Bridge
and later. This patch patches it up for Nehalem and Westmere.

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: jolsa@kernel.org
Link: http://lkml.kernel.org/r/1456871124-15985-1-git-send-email-andi@firstfloor.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/perf_event.h          |    2 ++
 arch/x86/kernel/cpu/perf_event_intel.c    |    2 ++
 arch/x86/kernel/cpu/perf_event_intel_ds.c |   11 ++++++++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/perf_event.h
+++ b/arch/x86/kernel/cpu/perf_event.h
@@ -905,6 +905,8 @@ void intel_pmu_lbr_init_skl(void);
 
 void intel_pmu_lbr_init_knl(void);
 
+void intel_pmu_pebs_data_source_nhm(void);
+
 int intel_pmu_setup_lbr_filter(struct perf_event *event);
 
 void intel_pt_interrupt(void);
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -3417,6 +3417,7 @@ __init int intel_pmu_init(void)
 		intel_perfmon_event_map[PERF_COUNT_HW_STALLED_CYCLES_BACKEND] =
 			X86_CONFIG(.event=0xb1, .umask=0x3f, .inv=1, .cmask=1);
 
+		intel_pmu_pebs_data_source_nhm();
 		x86_add_quirk(intel_nehalem_quirk);
 
 		pr_cont("Nehalem events, ");
@@ -3480,6 +3481,7 @@ __init int intel_pmu_init(void)
 		intel_perfmon_event_map[PERF_COUNT_HW_STALLED_CYCLES_BACKEND] =
 			X86_CONFIG(.event=0xb1, .umask=0x3f, .inv=1, .cmask=1);
 
+		intel_pmu_pebs_data_source_nhm();
 		pr_cont("Westmere events, ");
 		break;
 
--- a/arch/x86/kernel/cpu/perf_event_intel_ds.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c
@@ -51,7 +51,8 @@ union intel_x86_pebs_dse {
 #define OP_LH (P(OP, LOAD) | P(LVL, HIT))
 #define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS))
 
-static const u64 pebs_data_source[] = {
+/* Version for Sandy Bridge and later */
+static u64 pebs_data_source[] = {
 	P(OP, LOAD) | P(LVL, MISS) | P(LVL, L3) | P(SNOOP, NA),/* 0x00:ukn L3 */
 	OP_LH | P(LVL, L1)  | P(SNOOP, NONE),	/* 0x01: L1 local */
 	OP_LH | P(LVL, LFB) | P(SNOOP, NONE),	/* 0x02: LFB hit */
@@ -70,6 +71,14 @@ static const u64 pebs_data_source[] = {
 	OP_LH | P(LVL, UNC) | P(SNOOP, NONE), /* 0x0f: uncached */
 };
 
+/* Patch up minor differences in the bits */
+void __init intel_pmu_pebs_data_source_nhm(void)
+{
+	pebs_data_source[0x05] = OP_LH | P(LVL, L3)  | P(SNOOP, HIT);
+	pebs_data_source[0x06] = OP_LH | P(LVL, L3)  | P(SNOOP, HITM);
+	pebs_data_source[0x07] = OP_LH | P(LVL, L3)  | P(SNOOP, HITM);
+}
+
 static u64 precise_store_data(u64 status)
 {
 	union intel_x86_pebs_dse dse;

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 000/238] 4.5.1-stable review
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (227 preceding siblings ...)
  2016-04-10 18:36 ` [PATCH 4.5 238/238] perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere Greg Kroah-Hartman
@ 2016-04-11  6:43 ` Guenter Roeck
  2016-04-12 14:32   ` Greg Kroah-Hartman
  2016-04-11 17:25 ` shuahkh
  229 siblings, 1 reply; 259+ messages in thread
From: Guenter Roeck @ 2016-04-11  6:43 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah.kh, patches, stable

On 04/10/2016 11:32 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.5.1 release.
> There are 238 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue Apr 12 18:34:18 UTC 2016.
> Anything received after that time might be too late.
>

Build results:
	total: 147 pass: 147 fail: 0
Qemu test results:
	total: 104 pass: 100 fail: 4
Failed tests:
	arm:akita:pxa_defconfig
	arm:borzoi:pxa_defconfig
	arm:spitz:pxa_defconfig
	arm:terrier:pxa_defconfig

Details are available at http://kerneltests.org/builders.

4.5 will require two patches from mainline to fix the known problems.

3c2e2266a5bd ("hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated")
c4e5ffb6f224 ("gpio: pxa: fix legacy non pinctrl aware builds")

The first fixes the direct failures reported above, the second fixes
a traceback seen as result of failed gpio pin initialization. The
first patch is tagged Cc: stable, the second has a Fixes: tag,
so both should already be in your queue for 4.5.

Thanks,
Guenter

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 000/238] 4.5.1-stable review
  2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
                   ` (228 preceding siblings ...)
  2016-04-11  6:43 ` [PATCH 4.5 000/238] 4.5.1-stable review Guenter Roeck
@ 2016-04-11 17:25 ` shuahkh
  2016-04-12  6:39   ` Greg Kroah-Hartman
  229 siblings, 1 reply; 259+ messages in thread
From: shuahkh @ 2016-04-11 17:25 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah.kh, patches, stable

On 04/10/2016 12:32 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.5.1 release.
> There are 238 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue Apr 12 18:34:18 UTC 2016.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.5.1-rc1.gz
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 026/238] PCI: Disable IO/MEM decoding for devices with non-compliant BARs
  2016-04-10 18:33 ` [PATCH 4.5 026/238] PCI: Disable IO/MEM decoding for devices with non-compliant BARs Greg Kroah-Hartman
@ 2016-04-11 23:45   ` Ben Hutchings
  2016-04-12 14:31       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 259+ messages in thread
From: Ben Hutchings @ 2016-04-11 23:45 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Bjorn Helgaas, Andi Kleen

[-- Attachment #1: Type: text/plain, Size: 1209 bytes --]

On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> 4.5-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Bjorn Helgaas <bhelgaas@google.com>
> 
> commit b84106b4e2290c081cdab521fa832596cdfea246 upstream.
> 
> The PCI config header (first 64 bytes of each device's config space) is
> defined by the PCI spec so generic software can identify the device and
> manage its usage of I/O, memory, and IRQ resources.
> 
> Some non-spec-compliant devices put registers other than BARs where the
> BARs should be.  When the PCI core sizes these "BARs", the reads and writes
> it does may have unwanted side effects, and the "BAR" may appear to
> describe non-sensical address space.
> 
> Add a flag bit to mark non-compliant devices so we don't touch their BARs.
> Turn off IO/MEM decoding to prevent the devices from consuming address
> space, since we can't read the BARs to find out what that address space
> would be.
[...]

No objection, but patch 005/238 seems to depend on this so please
reorder them so bisection will work.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 036/238] aacraid: Set correct msix count for EEH recovery
  2016-04-10 18:33 ` [PATCH 4.5 036/238] aacraid: Set correct msix count for EEH recovery Greg Kroah-Hartman
@ 2016-04-12  0:29   ` Ben Hutchings
  2016-04-12 18:01     ` Raghava Aditya Renukunta
  0 siblings, 1 reply; 259+ messages in thread
From: Ben Hutchings @ 2016-04-12  0:29 UTC (permalink / raw)
  To: Raghava Aditya Renukunta
  Cc: stable, Shane Seymour, Johannes Thumshirn, Martin K. Petersen,
	Greg Kroah-Hartman, LKML

[-- Attachment #1: Type: text/plain, Size: 1620 bytes --]

On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> 4.5-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
> 
> commit ecc479e00db8eb110b200afe1effcb3df20ca7ae upstream.
> 
> During EEH recovery number of online CPU's might change thereby changing
> the number of MSIx vectors. Since each fib is allocated to a vector,
> changes in the number of vectors causes fib to be sent thru invalid
> vectors.In addition the correct number of MSIx vectors is not updated in
> the INIT struct sent to the controller, when it is reinitialized.
> 
> Fixed by reassigning vectors to fibs based on the updated number of MSIx
> vectors and updating the INIT structure before sending to controller.

Really?

[...]
> --- a/drivers/scsi/aacraid/linit.c
> +++ b/drivers/scsi/aacraid/linit.c
> @@ -1404,8 +1404,18 @@ static int aac_acquire_resources(struct
>  
>  	aac_adapter_enable_int(dev);
>  
> -	if (!dev->sync_mode)
> +	/*max msix may change  after EEH
> +	 * Re-assign vectors to fibs
> +	 */
> +	aac_fib_vector_assign(dev);
> +
> +	if (!dev->sync_mode) {
> +		/* After EEH recovery or suspend resume, max_msix count
> +		 * may change, therfore updating in init as well.
> +		 */
>  		aac_adapter_start(dev);
> +		dev->init->Sa_MSIXVectors = cpu_to_le32(dev->max_msix);

Aren't these two lines in the wrong order?

Ben.

> +	}
>  	return 0;
>  
>  error_iounmap:
-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 052/238] dm cache: make sure every metadata function checks fail_io
  2016-04-10 18:33 ` [PATCH 4.5 052/238] dm cache: make sure every metadata function checks fail_io Greg Kroah-Hartman
@ 2016-04-12  1:27   ` Ben Hutchings
  2016-04-12 17:18     ` Mike Snitzer
  0 siblings, 1 reply; 259+ messages in thread
From: Ben Hutchings @ 2016-04-12  1:27 UTC (permalink / raw)
  To: Joe Thornber; +Cc: dm-devel, Mike Snitzer


[-- Attachment #1.1: Type: text/plain, Size: 3223 bytes --]

On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> 4.5-stable review patch.  If anyone has any objections, please let me know.

I've dropped stable because this isn't actually broken, but...

> ------------------
> 
> From: Joe Thornber <ejt@redhat.com>
> 
> commit d14fcf3dd79c0b8a8d0ba469c44a6b04f3a1403b upstream.
> 
> Otherwise operations may be attempted that will only ever go on to crash
> (since the metadata device is either missing or unreliable if 'fail_io'
> is set).
> 
> Signed-off-by: Joe Thornber <ejt@redhat.com>
> Signed-off-by: Mike Snitzer <snitzer@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  drivers/md/dm-cache-metadata.c |   98 ++++++++++++++++++++++++-----------------
>  drivers/md/dm-cache-metadata.h |    4 -
>  drivers/md/dm-cache-target.c   |   12 ++++-
>  3 files changed, 71 insertions(+), 43 deletions(-)
> 
> --- a/drivers/md/dm-cache-metadata.c
> +++ b/drivers/md/dm-cache-metadata.c
> @@ -867,19 +867,40 @@ static int blocks_are_unmapped_or_clean(
>  	return 0;
>  }
>  
> -#define WRITE_LOCK(cmd) \
> -	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) \
> +#define WRITE_LOCK(cmd)	\
> +	down_write(&cmd->root_lock); \
> +	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
> +		up_write(&cmd->root_lock); \
>  		return -EINVAL; \
> -	down_write(&cmd->root_lock)
> +	}
>  
>  #define WRITE_LOCK_VOID(cmd) \
> -	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) \
> +	down_write(&cmd->root_lock); \
> +	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
> +		up_write(&cmd->root_lock); \
>  		return; \
> -	down_write(&cmd->root_lock)
> +	}

Whenever a macro expands to multiple statements they should be wrapped
up in do { ... } while (0) so the macro is safe to use in other
compound statements.

That's not a regression for these existing macros, but:

>  #define WRITE_UNLOCK(cmd) \
>  	up_write(&cmd->root_lock)
>  
> +#define READ_LOCK(cmd) \
> +	down_read(&cmd->root_lock); \
> +	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
> +		up_read(&cmd->root_lock); \
> +		return -EINVAL; \
> +	}
> +
> +#define READ_LOCK_VOID(cmd)	\
> +	down_read(&cmd->root_lock); \
> +	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
> +		up_read(&cmd->root_lock); \
> +		return; \
> +	}
[...]

here you're repeating the same broken pattern in new macros.  Which
checkpatch.pl would have complained about, if you'd thought to run it.

Hiding return statements in macros is another bad idea (who expects
exceptions in C?).  And once we reject that bad idea, all these macros
can be inline functions, like:

static inline bool dm_cm_read_lock(struct dm_cache_metadata *cmd)
{
	down_read(&cmd->root_lock);
	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) {
		up_read(&cmd->root_lock);
		return false;
	}
	return true;
}

/* ... */

	if (!dm_cm_read_lock(cmd))
		return -EINVAL;

Actually... I said this wasn't broken, but should the READ_LOCK macros
really fail in case dm_bm_is_read_only(), or only if cmd->fail_io?

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors
  2016-04-10 18:33 ` [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors Greg Kroah-Hartman
@ 2016-04-12  1:37   ` Ben Hutchings
  2016-04-12 14:25       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 259+ messages in thread
From: Ben Hutchings @ 2016-04-12  1:37 UTC (permalink / raw)
  To: Josh Boyer; +Cc: stable, Ralf Spenneberg, Greg Kroah-Hartman, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 969 bytes --]

On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:

> 4.5-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Josh Boyer <jwboyer@fedoraproject.org>
> 
> commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.
> 
> The iowarrior driver expects at least one valid endpoint.  If given
> malicious descriptors that specify 0 for the number of endpoints,
> it will crash in the probe function.  Ensure there is at least
> one endpoint on the interface before using it.
[...]

Which means our imaginary attacker will move on to providing a single
endpoint of the wrong type.  You've fixed the driver to reject the PoC
descriptor without thinking about what the driver actually requires.

I don't see the point of applying this to stable; it doesn't provide
any meaningful security benefit.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas are aligned
  2016-04-10 18:34 ` [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas are aligned Greg Kroah-Hartman
@ 2016-04-12  1:56   ` Ben Hutchings
  2016-04-12 14:28       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 259+ messages in thread
From: Ben Hutchings @ 2016-04-12  1:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Tom Lendacky, Herbert Xu

[-- Attachment #1: Type: text/plain, Size: 1783 bytes --]

On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> 4.5-stable review patch.  If anyone has any objections, please let me know.

I object, because this introduces an information leak.

[...]
> --- a/drivers/crypto/ccp/ccp-crypto-sha.c
> +++ b/drivers/crypto/ccp/ccp-crypto-sha.c
> @@ -210,14 +210,17 @@ static int ccp_sha_digest(struct ahash_r
>  static int ccp_sha_export(struct ahash_request *req, void *out)
>  {
>  	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
> -	struct ccp_sha_exp_ctx *state = out;
> +	struct ccp_sha_exp_ctx state;

The structure was defined in the previous patch as:

> +struct ccp_sha_exp_ctx {
> +	enum ccp_sha_type type;

There will be padding between type and msg_bits on most architectures.

> +	u64 msg_bits;
> +	unsigned int first;
> +
> +	u8 ctx[MAX_SHA_CONTEXT_SIZE];
> +
> +	unsigned int buf_count;
> +	u8 buf[MAX_SHA_BLOCK_SIZE];

And more padding at the end of the structure.

> +};

Back to the code:

> -	state->type = rctx->type;
> -	state->msg_bits = rctx->msg_bits;
> -	state->first = rctx->first;
> -	memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
> -	state->buf_count = rctx->buf_count;
> -	memcpy(state->buf, rctx->buf, sizeof(state->buf));
> +	state.type = rctx->type;
> +	state.msg_bits = rctx->msg_bits;
> +	state.first = rctx->first;
> +	memcpy(state.ctx, rctx->ctx, sizeof(state.ctx));
> +	state.buf_count = rctx->buf_count;
> +	memcpy(state.buf, rctx->buf, sizeof(state.buf));
> +
> +	/* 'out' may not be aligned so memcpy from local variable */
> +	memcpy(out, &state, sizeof(state));
[...]

The padding was not initialised, but here we copy it to userland.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 109/238] mtip32xx: Print exact time when an internal command is interrupted
  2016-04-10 18:34 ` [PATCH 4.5 109/238] mtip32xx: Print exact time when an internal command is interrupted Greg Kroah-Hartman
@ 2016-04-12  2:48   ` Ben Hutchings
  2016-04-12  4:06       ` Greg Kroah-Hartman
  0 siblings, 1 reply; 259+ messages in thread
From: Ben Hutchings @ 2016-04-12  2:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, Selvan Mani, Rajesh Kumar Sambandam, Asai Thambi S P, Jens Axboe

[-- Attachment #1: Type: text/plain, Size: 502 bytes --]

On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> 4.5-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Asai Thambi SP <asamymuthupa@micron.com>
> 
> commit 5b7e0a8ac85e2dfd83830dc9e0b3554d153a37e3 upstream.
> 
> Print exact time when an internal command is interrupted.
[...]

There's no way that's important enough for stable.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 113/238] mtip32xx: Implement timeout handler
  2016-04-10 18:34 ` [PATCH 4.5 113/238] mtip32xx: Implement timeout handler Greg Kroah-Hartman
@ 2016-04-12  2:49   ` Ben Hutchings
  0 siblings, 0 replies; 259+ messages in thread
From: Ben Hutchings @ 2016-04-12  2:49 UTC (permalink / raw)
  To: Selvan Mani, Rajesh Kumar Sambandam, Asai Thambi S P
  Cc: stable, Jens Axboe, Greg Kroah-Hartman, LKML

[-- Attachment #1: Type: text/plain, Size: 1216 bytes --]

On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> 4.5-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Asai Thambi SP <asamymuthupa@micron.com>
> 
> commit abb0ccd185c9e31847709b86192e6c815d1f57ad upstream.
> 
> Added timeout handler. Replaced blk_mq_end_request() with
> blk_mq_complete_request() to avoid double completion of a request.
> 
> Signed-off-by: Selvan Mani <smani@micron.com>
> Signed-off-by: Rajesh Kumar Sambandam <rsambandam@micron.com>
> Signed-off-by: Asai Thambi S P <asamymuthupa@micron.com>
> Signed-off-by: Jens Axboe <axboe@fb.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  drivers/block/mtip32xx/mtip32xx.c |   95 ++++++++++++++++++++++++++++++++++----
>  drivers/block/mtip32xx/mtip32xx.h |    7 ++
>  2 files changed, 92 insertions(+), 10 deletions(-)
[...]

This is >100 lines (the rough limit for stable), and it's part of a
whole series of complex and inadequately explained changes.

How thoroughly have these changes been tested against 4.4 and 4.5?

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 109/238] mtip32xx: Print exact time when an internal command is interrupted
  2016-04-12  2:48   ` Ben Hutchings
@ 2016-04-12  4:06       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-12  4:06 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, Selvan Mani, Rajesh Kumar Sambandam,
	Asai Thambi S P, Jens Axboe

On Tue, Apr 12, 2016 at 03:48:37AM +0100, Ben Hutchings wrote:
> On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> > 4.5-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Asai Thambi SP <asamymuthupa@micron.com>
> > 
> > commit 5b7e0a8ac85e2dfd83830dc9e0b3554d153a37e3 upstream.
> > 
> > Print exact time when an internal command is interrupted.
> [...]
> 
> There's no way that's important enough for stable.

I think one of the following patches needed it :(

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 109/238] mtip32xx: Print exact time when an internal command is interrupted
@ 2016-04-12  4:06       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-12  4:06 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: linux-kernel, stable, Selvan Mani, Rajesh Kumar Sambandam,
	Asai Thambi S P, Jens Axboe

On Tue, Apr 12, 2016 at 03:48:37AM +0100, Ben Hutchings wrote:
> On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> > 4.5-stable review patch.��If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Asai Thambi SP <asamymuthupa@micron.com>
> > 
> > commit 5b7e0a8ac85e2dfd83830dc9e0b3554d153a37e3 upstream.
> > 
> > Print exact time when an internal command is interrupted.
> [...]
> 
> There's no way that's important enough for stable.

I think one of the following patches needed it :(

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 109/238] mtip32xx: Print exact time when an internal command is interrupted
  2016-04-12  4:06       ` Greg Kroah-Hartman
@ 2016-04-12  6:29         ` Willy Tarreau
  -1 siblings, 0 replies; 259+ messages in thread
From: Willy Tarreau @ 2016-04-12  6:29 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Ben Hutchings, linux-kernel, stable, Selvan Mani,
	Rajesh Kumar Sambandam, Asai Thambi S P, Jens Axboe

On Mon, Apr 11, 2016 at 09:06:13PM -0700, Greg Kroah-Hartman wrote:
> On Tue, Apr 12, 2016 at 03:48:37AM +0100, Ben Hutchings wrote:
> > On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> > > 4.5-stable review patch.  If anyone has any objections, please let me know.
> > > 
> > > ------------------
> > > 
> > > From: Asai Thambi SP <asamymuthupa@micron.com>
> > > 
> > > commit 5b7e0a8ac85e2dfd83830dc9e0b3554d153a37e3 upstream.
> > > 
> > > Print exact time when an internal command is interrupted.
> > [...]
> > 
> > There's no way that's important enough for stable.
> 
> I think one of the following patches needed it :(

Also in general I'd rather encourage maintainers to push their fixes
into stable than give up early and leave bogus code behind them considering
it's not their problem anymore once released. If someone cares enough to
fix code in -stable and introduces a regression, 1) we know how to revert
and 2) the same person will likely feel concerned by the issue and help
fix it.

Just my 2 cents,
Willy

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 109/238] mtip32xx: Print exact time when an internal command is interrupted
@ 2016-04-12  6:29         ` Willy Tarreau
  0 siblings, 0 replies; 259+ messages in thread
From: Willy Tarreau @ 2016-04-12  6:29 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Ben Hutchings, linux-kernel, stable, Selvan Mani,
	Rajesh Kumar Sambandam, Asai Thambi S P, Jens Axboe

On Mon, Apr 11, 2016 at 09:06:13PM -0700, Greg Kroah-Hartman wrote:
> On Tue, Apr 12, 2016 at 03:48:37AM +0100, Ben Hutchings wrote:
> > On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> > > 4.5-stable review patch.��If anyone has any objections, please let me know.
> > > 
> > > ------------------
> > > 
> > > From: Asai Thambi SP <asamymuthupa@micron.com>
> > > 
> > > commit 5b7e0a8ac85e2dfd83830dc9e0b3554d153a37e3 upstream.
> > > 
> > > Print exact time when an internal command is interrupted.
> > [...]
> > 
> > There's no way that's important enough for stable.
> 
> I think one of the following patches needed it :(

Also in general I'd rather encourage maintainers to push their fixes
into stable than give up early and leave bogus code behind them considering
it's not their problem anymore once released. If someone cares enough to
fix code in -stable and introduces a regression, 1) we know how to revert
and 2) the same person will likely feel concerned by the issue and help
fix it.

Just my 2 cents,
Willy


^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 000/238] 4.5.1-stable review
  2016-04-11 17:25 ` shuahkh
@ 2016-04-12  6:39   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-12  6:39 UTC (permalink / raw)
  To: shuahkh; +Cc: linux-kernel, torvalds, akpm, linux, shuah.kh, patches, stable

On Mon, Apr 11, 2016 at 11:25:17AM -0600, shuahkh wrote:
> On 04/10/2016 12:32 PM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.5.1 release.
> > There are 238 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Tue Apr 12 18:34:18 UTC 2016.
> > Anything received after that time might be too late.
> > 
> > The whole patch series can be found in one patch at:
> > 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.5.1-rc1.gz
> > and the diffstat can be found below.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> 
> Compiled and booted on my test system. No dmesg regressions.

Thanks for testing all of these and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors
  2016-04-12  1:37   ` Ben Hutchings
@ 2016-04-12 14:25       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-12 14:25 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: Josh Boyer, stable, Ralf Spenneberg, linux-kernel

On Tue, Apr 12, 2016 at 02:37:33AM +0100, Ben Hutchings wrote:
> On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> 
> > 4.5-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Josh Boyer <jwboyer@fedoraproject.org>
> > 
> > commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.
> > 
> > The iowarrior driver expects at least one valid endpoint.  If given
> > malicious descriptors that specify 0 for the number of endpoints,
> > it will crash in the probe function.  Ensure there is at least
> > one endpoint on the interface before using it.
> [...]
> 
> Which means our imaginary attacker will move on to providing a single
> endpoint of the wrong type.  You've fixed the driver to reject the PoC
> descriptor without thinking about what the driver actually requires.
> 
> I don't see the point of applying this to stable; it doesn't provide
> any meaningful security benefit.

Well, it's one hurdle down, but yes, it needs to be fixed "correctly"
Ideally all of these types of issues can be fixed in the USB core, I
just need to carve out some time to resolve them, but for now, let's
stay in sync with Linus's tree for this patch.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors
@ 2016-04-12 14:25       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-12 14:25 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: Josh Boyer, stable, Ralf Spenneberg, linux-kernel

On Tue, Apr 12, 2016 at 02:37:33AM +0100, Ben Hutchings wrote:
> On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> 
> > 4.5-stable review patch.��If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Josh Boyer <jwboyer@fedoraproject.org>
> > 
> > commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.
> > 
> > The iowarrior driver expects at least one valid endpoint.��If given
> > malicious descriptors that specify 0 for the number of endpoints,
> > it will crash in the probe function.��Ensure there is at least
> > one endpoint on the interface before using it.
> [...]
> 
> Which means our imaginary attacker will move on to providing a single
> endpoint of the wrong type. �You've fixed the driver to reject the PoC
> descriptor without thinking about what the driver actually requires.
> 
> I don't see the point of applying this to stable; it doesn't provide
> any meaningful security benefit.

Well, it's one hurdle down, but yes, it needs to be fixed "correctly"
Ideally all of these types of issues can be fixed in the USB core, I
just need to carve out some time to resolve them, but for now, let's
stay in sync with Linus's tree for this patch.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas are aligned
  2016-04-12  1:56   ` Ben Hutchings
@ 2016-04-12 14:28       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-12 14:28 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: linux-kernel, stable, Tom Lendacky, Herbert Xu

On Tue, Apr 12, 2016 at 02:56:52AM +0100, Ben Hutchings wrote:
> On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> > 4.5-stable review patch.  If anyone has any objections, please let me know.
> 
> I object, because this introduces an information leak.
> 
> [...]
> > --- a/drivers/crypto/ccp/ccp-crypto-sha.c
> > +++ b/drivers/crypto/ccp/ccp-crypto-sha.c
> > @@ -210,14 +210,17 @@ static int ccp_sha_digest(struct ahash_r
> >  static int ccp_sha_export(struct ahash_request *req, void *out)
> >  {
> >  	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
> > -	struct ccp_sha_exp_ctx *state = out;
> > +	struct ccp_sha_exp_ctx state;
> 
> The structure was defined in the previous patch as:
> 
> > +struct ccp_sha_exp_ctx {
> > +	enum ccp_sha_type type;
> 
> There will be padding between type and msg_bits on most architectures.
> 
> > +	u64 msg_bits;
> > +	unsigned int first;
> > +
> > +	u8 ctx[MAX_SHA_CONTEXT_SIZE];
> > +
> > +	unsigned int buf_count;
> > +	u8 buf[MAX_SHA_BLOCK_SIZE];
> 
> And more padding at the end of the structure.
> 
> > +};
> 
> Back to the code:
> 
> > -	state->type = rctx->type;
> > -	state->msg_bits = rctx->msg_bits;
> > -	state->first = rctx->first;
> > -	memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
> > -	state->buf_count = rctx->buf_count;
> > -	memcpy(state->buf, rctx->buf, sizeof(state->buf));
> > +	state.type = rctx->type;
> > +	state.msg_bits = rctx->msg_bits;
> > +	state.first = rctx->first;
> > +	memcpy(state.ctx, rctx->ctx, sizeof(state.ctx));
> > +	state.buf_count = rctx->buf_count;
> > +	memcpy(state.buf, rctx->buf, sizeof(state.buf));
> > +
> > +	/* 'out' may not be aligned so memcpy from local variable */
> > +	memcpy(out, &state, sizeof(state));
> [...]
> 
> The padding was not initialised, but here we copy it to userland.

Nice catch.  Given that the user/kernel structure here doesn't seem very
sane (implicit padding, etc.), shouldn't that be where this is fixed up
to be a properly packed structure?  Or have padding where needed, along
with a memset() call?

I'll leave this here, but will be expecting a follow-on patch to fix up
the issues from the crypto developers.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas are aligned
@ 2016-04-12 14:28       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-12 14:28 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: linux-kernel, stable, Tom Lendacky, Herbert Xu

On Tue, Apr 12, 2016 at 02:56:52AM +0100, Ben Hutchings wrote:
> On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> > 4.5-stable review patch.��If anyone has any objections, please let me know.
> 
> I object, because this introduces an information leak.
> 
> [...]
> > --- a/drivers/crypto/ccp/ccp-crypto-sha.c
> > +++ b/drivers/crypto/ccp/ccp-crypto-sha.c
> > @@ -210,14 +210,17 @@ static int ccp_sha_digest(struct ahash_r
> > �static int ccp_sha_export(struct ahash_request *req, void *out)
> > �{
> > �	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
> > -	struct ccp_sha_exp_ctx *state = out;
> > +	struct ccp_sha_exp_ctx state;
> 
> The structure was defined in the previous patch as:
> 
> > +struct ccp_sha_exp_ctx {
> > +	enum ccp_sha_type type;
> 
> There will be padding between type and msg_bits on most architectures.
> 
> > +	u64 msg_bits;
> > +	unsigned int first;
> > +
> > +	u8 ctx[MAX_SHA_CONTEXT_SIZE];
> > +
> > +	unsigned int buf_count;
> > +	u8 buf[MAX_SHA_BLOCK_SIZE];
> 
> And more padding at the end of the structure.
> 
> > +};
> 
> Back to the code:
> 
> > -	state->type = rctx->type;
> > -	state->msg_bits = rctx->msg_bits;
> > -	state->first = rctx->first;
> > -	memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
> > -	state->buf_count = rctx->buf_count;
> > -	memcpy(state->buf, rctx->buf, sizeof(state->buf));
> > +	state.type = rctx->type;
> > +	state.msg_bits = rctx->msg_bits;
> > +	state.first = rctx->first;
> > +	memcpy(state.ctx, rctx->ctx, sizeof(state.ctx));
> > +	state.buf_count = rctx->buf_count;
> > +	memcpy(state.buf, rctx->buf, sizeof(state.buf));
> > +
> > +	/* 'out' may not be aligned so memcpy from local variable */
> > +	memcpy(out, &state, sizeof(state));
> [...]
> 
> The padding was not initialised, but here we copy it to userland.

Nice catch.  Given that the user/kernel structure here doesn't seem very
sane (implicit padding, etc.), shouldn't that be where this is fixed up
to be a properly packed structure?  Or have padding where needed, along
with a memset() call?

I'll leave this here, but will be expecting a follow-on patch to fix up
the issues from the crypto developers.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 026/238] PCI: Disable IO/MEM decoding for devices with non-compliant BARs
  2016-04-11 23:45   ` Ben Hutchings
@ 2016-04-12 14:31       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-12 14:31 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: linux-kernel, stable, Bjorn Helgaas, Andi Kleen

On Tue, Apr 12, 2016 at 12:45:13AM +0100, Ben Hutchings wrote:
> On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> > 4.5-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Bjorn Helgaas <bhelgaas@google.com>
> > 
> > commit b84106b4e2290c081cdab521fa832596cdfea246 upstream.
> > 
> > The PCI config header (first 64 bytes of each device's config space) is
> > defined by the PCI spec so generic software can identify the device and
> > manage its usage of I/O, memory, and IRQ resources.
> > 
> > Some non-spec-compliant devices put registers other than BARs where the
> > BARs should be.  When the PCI core sizes these "BARs", the reads and writes
> > it does may have unwanted side effects, and the "BAR" may appear to
> > describe non-sensical address space.
> > 
> > Add a flag bit to mark non-compliant devices so we don't touch their BARs.
> > Turn off IO/MEM decoding to prevent the devices from consuming address
> > space, since we can't read the BARs to find out what that address space
> > would be.
> [...]
> 
> No objection, but patch 005/238 seems to depend on this so please
> reorder them so bisection will work.

Now reordered, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 026/238] PCI: Disable IO/MEM decoding for devices with non-compliant BARs
@ 2016-04-12 14:31       ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-12 14:31 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: linux-kernel, stable, Bjorn Helgaas, Andi Kleen

On Tue, Apr 12, 2016 at 12:45:13AM +0100, Ben Hutchings wrote:
> On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> > 4.5-stable review patch.��If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Bjorn Helgaas <bhelgaas@google.com>
> > 
> > commit b84106b4e2290c081cdab521fa832596cdfea246 upstream.
> > 
> > The PCI config header (first 64 bytes of each device's config space) is
> > defined by the PCI spec so generic software can identify the device and
> > manage its usage of I/O, memory, and IRQ resources.
> > 
> > Some non-spec-compliant devices put registers other than BARs where the
> > BARs should be.��When the PCI core sizes these "BARs", the reads and writes
> > it does may have unwanted side effects, and the "BAR" may appear to
> > describe non-sensical address space.
> > 
> > Add a flag bit to mark non-compliant devices so we don't touch their BARs.
> > Turn off IO/MEM decoding to prevent the devices from consuming address
> > space, since we can't read the BARs to find out what that address space
> > would be.
> [...]
> 
> No objection, but patch 005/238 seems to depend on this so please
> reorder them so bisection will work.

Now reordered, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 000/238] 4.5.1-stable review
  2016-04-11  6:43 ` [PATCH 4.5 000/238] 4.5.1-stable review Guenter Roeck
@ 2016-04-12 14:32   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 259+ messages in thread
From: Greg Kroah-Hartman @ 2016-04-12 14:32 UTC (permalink / raw)
  To: Guenter Roeck; +Cc: linux-kernel, torvalds, akpm, shuah.kh, patches, stable

On Sun, Apr 10, 2016 at 11:43:47PM -0700, Guenter Roeck wrote:
> On 04/10/2016 11:32 AM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.5.1 release.
> > There are 238 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> > 
> > Responses should be made by Tue Apr 12 18:34:18 UTC 2016.
> > Anything received after that time might be too late.
> > 
> 
> Build results:
> 	total: 147 pass: 147 fail: 0
> Qemu test results:
> 	total: 104 pass: 100 fail: 4
> Failed tests:
> 	arm:akita:pxa_defconfig
> 	arm:borzoi:pxa_defconfig
> 	arm:spitz:pxa_defconfig
> 	arm:terrier:pxa_defconfig
> 
> Details are available at http://kerneltests.org/builders.
> 
> 4.5 will require two patches from mainline to fix the known problems.
> 
> 3c2e2266a5bd ("hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated")
> c4e5ffb6f224 ("gpio: pxa: fix legacy non pinctrl aware builds")
> 
> The first fixes the direct failures reported above, the second fixes
> a traceback seen as result of failed gpio pin initialization. The
> first patch is tagged Cc: stable, the second has a Fixes: tag,
> so both should already be in your queue for 4.5.

Yes, both should be queued up for the next round of 4.5-stable patches,
I'll let them get merged then.

Thanks for testing and letting me know.

greg k-h

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas are aligned
  2016-04-12 14:28       ` Greg Kroah-Hartman
  (?)
@ 2016-04-12 17:01       ` Tom Lendacky
  2016-04-12 17:25         ` Ben Hutchings
  -1 siblings, 1 reply; 259+ messages in thread
From: Tom Lendacky @ 2016-04-12 17:01 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Ben Hutchings; +Cc: linux-kernel, stable, Herbert Xu

On 04/12/2016 09:28 AM, Greg Kroah-Hartman wrote:
> On Tue, Apr 12, 2016 at 02:56:52AM +0100, Ben Hutchings wrote:
>> On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
>>> 4.5-stable review patch.  If anyone has any objections, please let me know.
>>
>> I object, because this introduces an information leak.
>>
>> [...]
>>> --- a/drivers/crypto/ccp/ccp-crypto-sha.c
>>> +++ b/drivers/crypto/ccp/ccp-crypto-sha.c
>>> @@ -210,14 +210,17 @@ static int ccp_sha_digest(struct ahash_r
>>>  static int ccp_sha_export(struct ahash_request *req, void *out)
>>>  {
>>>  	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
>>> -	struct ccp_sha_exp_ctx *state = out;
>>> +	struct ccp_sha_exp_ctx state;
>>
>> The structure was defined in the previous patch as:
>>
>>> +struct ccp_sha_exp_ctx {
>>> +	enum ccp_sha_type type;
>>
>> There will be padding between type and msg_bits on most architectures.
>>
>>> +	u64 msg_bits;
>>> +	unsigned int first;
>>> +
>>> +	u8 ctx[MAX_SHA_CONTEXT_SIZE];
>>> +
>>> +	unsigned int buf_count;
>>> +	u8 buf[MAX_SHA_BLOCK_SIZE];
>>
>> And more padding at the end of the structure.
>>
>>> +};
>>
>> Back to the code:
>>
>>> -	state->type = rctx->type;
>>> -	state->msg_bits = rctx->msg_bits;
>>> -	state->first = rctx->first;
>>> -	memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
>>> -	state->buf_count = rctx->buf_count;
>>> -	memcpy(state->buf, rctx->buf, sizeof(state->buf));
>>> +	state.type = rctx->type;
>>> +	state.msg_bits = rctx->msg_bits;
>>> +	state.first = rctx->first;
>>> +	memcpy(state.ctx, rctx->ctx, sizeof(state.ctx));
>>> +	state.buf_count = rctx->buf_count;
>>> +	memcpy(state.buf, rctx->buf, sizeof(state.buf));
>>> +
>>> +	/* 'out' may not be aligned so memcpy from local variable */
>>> +	memcpy(out, &state, sizeof(state));
>> [...]
>>
>> The padding was not initialised, but here we copy it to userland.
> 
> Nice catch.  Given that the user/kernel structure here doesn't seem very
> sane (implicit padding, etc.), shouldn't that be where this is fixed up
> to be a properly packed structure?  Or have padding where needed, along
> with a memset() call?

The structure is not meant for use outside the kernel - it's an opaque
blob that will be processed by the driver import function. So would it
be enough to just memset the struct ccp_sha_exp_ctx state variable to 0
before setting and copying it?  That should take care of any padding not
being initialized.

Thanks,
Tom

> 
> I'll leave this here, but will be expecting a follow-on patch to fix up
> the issues from the crypto developers.
> 
> thanks,
> 
> greg k-h
> 

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 052/238] dm cache: make sure every metadata function checks fail_io
  2016-04-12  1:27   ` Ben Hutchings
@ 2016-04-12 17:18     ` Mike Snitzer
  0 siblings, 0 replies; 259+ messages in thread
From: Mike Snitzer @ 2016-04-12 17:18 UTC (permalink / raw)
  To: Ben Hutchings; +Cc: Joe Thornber, dm-devel

On Mon, Apr 11 2016 at  9:27pm -0400,
Ben Hutchings <ben@decadent.org.uk> wrote:

> On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> > 4.5-stable review patch.  If anyone has any objections, please let me know.
> 
> I've dropped stable because this isn't actually broken, but...
> 
> > ------------------
> > 
> > From: Joe Thornber <ejt@redhat.com>
> > 
> > commit d14fcf3dd79c0b8a8d0ba469c44a6b04f3a1403b upstream.
> > 
> > Otherwise operations may be attempted that will only ever go on to crash
> > (since the metadata device is either missing or unreliable if 'fail_io'
> > is set).
> > 
> > Signed-off-by: Joe Thornber <ejt@redhat.com>
> > Signed-off-by: Mike Snitzer <snitzer@redhat.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> > ---
> >  drivers/md/dm-cache-metadata.c |   98 ++++++++++++++++++++++++-----------------
> >  drivers/md/dm-cache-metadata.h |    4 -
> >  drivers/md/dm-cache-target.c   |   12 ++++-
> >  3 files changed, 71 insertions(+), 43 deletions(-)
> > 
> > --- a/drivers/md/dm-cache-metadata.c
> > +++ b/drivers/md/dm-cache-metadata.c
> > @@ -867,19 +867,40 @@ static int blocks_are_unmapped_or_clean(
> >  	return 0;
> >  }
> >  
> > -#define WRITE_LOCK(cmd) \
> > -	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) \
> > +#define WRITE_LOCK(cmd)	\
> > +	down_write(&cmd->root_lock); \
> > +	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
> > +		up_write(&cmd->root_lock); \
> >  		return -EINVAL; \
> > -	down_write(&cmd->root_lock)
> > +	}
> >  
> >  #define WRITE_LOCK_VOID(cmd) \
> > -	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) \
> > +	down_write(&cmd->root_lock); \
> > +	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
> > +		up_write(&cmd->root_lock); \
> >  		return; \
> > -	down_write(&cmd->root_lock)
> > +	}
> 
> Whenever a macro expands to multiple statements they should be wrapped
> up in do { ... } while (0) so the macro is safe to use in other
> compound statements.
> 
> That's not a regression for these existing macros, but:
> 
> >  #define WRITE_UNLOCK(cmd) \
> >  	up_write(&cmd->root_lock)
> >  
> > +#define READ_LOCK(cmd) \
> > +	down_read(&cmd->root_lock); \
> > +	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
> > +		up_read(&cmd->root_lock); \
> > +		return -EINVAL; \
> > +	}
> > +
> > +#define READ_LOCK_VOID(cmd)	\
> > +	down_read(&cmd->root_lock); \
> > +	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) { \
> > +		up_read(&cmd->root_lock); \
> > +		return; \
> > +	}
> [...]
> 
> here you're repeating the same broken pattern in new macros.  Which
> checkpatch.pl would have complained about, if you'd thought to run it.
> 
> Hiding return statements in macros is another bad idea (who expects
> exceptions in C?).  And once we reject that bad idea, all these macros
> can be inline functions, like:
> 
> static inline bool dm_cm_read_lock(struct dm_cache_metadata *cmd)
> {
> 	down_read(&cmd->root_lock);
> 	if (cmd->fail_io || dm_bm_is_read_only(cmd->bm)) {
> 		up_read(&cmd->root_lock);
> 		return false;
> 	}
> 	return true;
> }
> 
> /* ... */
> 
> 	if (!dm_cm_read_lock(cmd))
> 		return -EINVAL;
> 
> Actually... I said this wasn't broken, but should the READ_LOCK macros
> really fail in case dm_bm_is_read_only(), or only if cmd->fail_io?

Thanks for the report!

I've staged this to go to Linus by the end of the week:
https://git.kernel.org/cgit/linux/kernel/git/device-mapper/linux-dm.git/commit/?h=dm-4.6&id=a64204672859248c89c8df796421442fb41e59ec

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas are aligned
  2016-04-12 17:01       ` Tom Lendacky
@ 2016-04-12 17:25         ` Ben Hutchings
  0 siblings, 0 replies; 259+ messages in thread
From: Ben Hutchings @ 2016-04-12 17:25 UTC (permalink / raw)
  To: Tom Lendacky, Greg Kroah-Hartman; +Cc: linux-kernel, stable, Herbert Xu

[-- Attachment #1: Type: text/plain, Size: 1773 bytes --]

On Tue, 2016-04-12 at 12:01 -0500, Tom Lendacky wrote:
> On 04/12/2016 09:28 AM, Greg Kroah-Hartman wrote:
> > 
> > On Tue, Apr 12, 2016 at 02:56:52AM +0100, Ben Hutchings wrote:
> > > 
> > > On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
[...]
> > > > -	state->type = rctx->type;
> > > > -	state->msg_bits = rctx->msg_bits;
> > > > -	state->first = rctx->first;
> > > > -	memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
> > > > -	state->buf_count = rctx->buf_count;
> > > > -	memcpy(state->buf, rctx->buf, sizeof(state->buf));
> > > > +	state.type = rctx->type;
> > > > +	state.msg_bits = rctx->msg_bits;
> > > > +	state.first = rctx->first;
> > > > +	memcpy(state.ctx, rctx->ctx, sizeof(state.ctx));
> > > > +	state.buf_count = rctx->buf_count;
> > > > +	memcpy(state.buf, rctx->buf, sizeof(state.buf));
> > > > +
> > > > +	/* 'out' may not be aligned so memcpy from local variable */
> > > > +	memcpy(out, &state, sizeof(state));
> > > [...]
> > > 
> > > The padding was not initialised, but here we copy it to userland.
> > Nice catch.  Given that the user/kernel structure here doesn't seem very
> > sane (implicit padding, etc.), shouldn't that be where this is fixed up
> > to be a properly packed structure?  Or have padding where needed, along
> > with a memset() call?
> The structure is not meant for use outside the kernel - it's an opaque
> blob that will be processed by the driver import function. So would it
> be enough to just memset the struct ccp_sha_exp_ctx state variable to 0
> before setting and copying it?  That should take care of any padding not
> being initialized.

I think that would be enough.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 259+ messages in thread

* RE: [PATCH 4.5 036/238] aacraid: Set correct msix count for EEH recovery
  2016-04-12  0:29   ` Ben Hutchings
@ 2016-04-12 18:01     ` Raghava Aditya Renukunta
  0 siblings, 0 replies; 259+ messages in thread
From: Raghava Aditya Renukunta @ 2016-04-12 18:01 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: stable, Shane Seymour, Johannes Thumshirn, Martin K. Petersen,
	Greg Kroah-Hartman, LKML

Hello Ben,

> -----Original Message-----
> From: Ben Hutchings [mailto:ben@decadent.org.uk]
> Sent: Monday, April 11, 2016 5:29 PM
> To: Raghava Aditya Renukunta
> Cc: stable@vger.kernel.org; Shane Seymour; Johannes Thumshirn; Martin K.
> Petersen; Greg Kroah-Hartman; LKML
> Subject: Re: [PATCH 4.5 036/238] aacraid: Set correct msix count for EEH
> recovery
> 
> On Sun, 2016-04-10 at 11:33 -0700, Greg Kroah-Hartman wrote:
> > 4.5-stable review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
> >
> > commit ecc479e00db8eb110b200afe1effcb3df20ca7ae upstream.
> >
> > During EEH recovery number of online CPU's might change thereby
> changing
> > the number of MSIx vectors. Since each fib is allocated to a vector,
> > changes in the number of vectors causes fib to be sent thru invalid
> > vectors.In addition the correct number of MSIx vectors is not updated in
> > the INIT struct sent to the controller, when it is reinitialized.
> >
> > Fixed by reassigning vectors to fibs based on the updated number of MSIx
> > vectors and updating the INIT structure before sending to controller.
> 
> Really?
> 
> [...]
> > --- a/drivers/scsi/aacraid/linit.c
> > +++ b/drivers/scsi/aacraid/linit.c
> > @@ -1404,8 +1404,18 @@ static int aac_acquire_resources(struct
> >
> >  	aac_adapter_enable_int(dev);
> >
> > -	if (!dev->sync_mode)
> > +	/*max msix may change  after EEH
> > +	 * Re-assign vectors to fibs
> > +	 */
> > +	aac_fib_vector_assign(dev);
> > +
> > +	if (!dev->sync_mode) {
> > +		/* After EEH recovery or suspend resume, max_msix count
> > +		 * may change, therfore updating in init as well.
> > +		 */
> >  		aac_adapter_start(dev);
> > +		dev->init->Sa_MSIXVectors = cpu_to_le32(dev->max_msix);
> 
> Aren't these two lines in the wrong order?
> 
> Ben.

You are right those are two lines are in the wrong order,
I will submit another patch to correct that issue.

Raghava 
> 
> > +	}
> >  	return 0;
> >
> >  error_iounmap:
> --
> Ben Hutchings
> This sentence contradicts itself - no actually it doesn't.

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 128/238] ALSA: hda - Fix missing ELD update at unplugging
  2016-04-10 18:35 ` [PATCH 4.5 128/238] ALSA: hda - Fix missing ELD update at unplugging Greg Kroah-Hartman
@ 2016-04-12 18:39   ` Paul Bolle
  2016-04-12 18:51     ` Takashi Iwai
  0 siblings, 1 reply; 259+ messages in thread
From: Paul Bolle @ 2016-04-12 18:39 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Takashi Iwai; +Cc: Libin Yang, linux-kernel, stable

On zo, 2016-04-10 at 11:35 -0700, Greg Kroah-Hartman wrote:
> --- a/sound/pci/hda/patch_hdmi.c
> +++ b/sound/pci/hda/patch_hdmi.c
> @@ -1670,11 +1670,10 @@ static void sync_eld_via_acomp(struct hd
>  	int size;
>  
>  	mutex_lock(&per_pin->lock);
> +	eld->monitor_present = false;
>  	size = snd_hdac_acomp_get_eld(&codec->bus->core, per_pin->pin_nid,
>  				      &eld->monitor_present, eld->eld_buffer,
>  				      ELD_MAX_SIZE);
> -	if (size < 0)
> -		goto unlock;

This hunk triggers an obviously correct warning:
    sound/pci/hda/patch_hdmi.c: In function 'sync_eld_via_acomp':
    sound/pci/hda/patch_hdmi.c:1695:2: warning: label 'unlock' defined but not used [-Wunused-label]
      unlock:
      ^

It's trivial to silence this warning for the v4.5 stable build, of
course. But I never saw this warning in my v4.6-rc builds, so it's
possible another patch should also be included in the v4.5 stable tree.
Takashi?

Thanks,


Paul Bolle

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 128/238] ALSA: hda - Fix missing ELD update at unplugging
  2016-04-12 18:39   ` Paul Bolle
@ 2016-04-12 18:51     ` Takashi Iwai
  0 siblings, 0 replies; 259+ messages in thread
From: Takashi Iwai @ 2016-04-12 18:51 UTC (permalink / raw)
  To: Paul Bolle; +Cc: Greg Kroah-Hartman, Libin Yang, linux-kernel, stable

On Tue, 12 Apr 2016 20:39:00 +0200,
Paul Bolle wrote:
> 
> On zo, 2016-04-10 at 11:35 -0700, Greg Kroah-Hartman wrote:
> > --- a/sound/pci/hda/patch_hdmi.c
> > +++ b/sound/pci/hda/patch_hdmi.c
> > @@ -1670,11 +1670,10 @@ static void sync_eld_via_acomp(struct hd
> >  	int size;
> >  
> >  	mutex_lock(&per_pin->lock);
> > +	eld->monitor_present = false;
> >  	size = snd_hdac_acomp_get_eld(&codec->bus->core, per_pin->pin_nid,
> >  				      &eld->monitor_present, eld->eld_buffer,
> >  				      ELD_MAX_SIZE);
> > -	if (size < 0)
> > -		goto unlock;
> 
> This hunk triggers an obviously correct warning:
>     sound/pci/hda/patch_hdmi.c: In function 'sync_eld_via_acomp':
>     sound/pci/hda/patch_hdmi.c:1695:2: warning: label 'unlock' defined but not used [-Wunused-label]
>       unlock:
>       ^
> 
> It's trivial to silence this warning for the v4.5 stable build, of
> course. But I never saw this warning in my v4.6-rc builds, so it's
> possible another patch should also be included in the v4.5 stable tree.
> Takashi?

The newer kernel has more code jumping to unlock label, so it's a
warning seen only on 4.5 kernel.  If this really matters, we'd need a
non-upstream fix to paper over it.


thanks,

Takashi

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 142/238] watchdog: dont run proc_watchdog_update if new value is same as old
  2016-04-10 18:35 ` [PATCH 4.5 142/238] watchdog: dont run proc_watchdog_update if new value is same as old Greg Kroah-Hartman
@ 2016-04-12 22:41   ` Ben Hutchings
  2016-04-13 15:56     ` Don Zickus
  0 siblings, 1 reply; 259+ messages in thread
From: Ben Hutchings @ 2016-04-12 22:41 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: stable, Josh Hunt, Don Zickus, Aaron Tomlin, Ulrich Obergfell,
	Andrew Morton, Linus Torvalds

[-- Attachment #1: Type: text/plain, Size: 2544 bytes --]

On Sun, 2016-04-10 at 11:35 -0700, Greg Kroah-Hartman wrote:

> 4.5-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Joshua Hunt <johunt@akamai.com>
> 
> commit a1ee1932aa6bea0bb074f5e3ced112664e4637ed upstream.
> 
> While working on a script to restore all sysctl params before a series of
> tests I found that writing any value into the
> /proc/sys/kernel/{nmi_watchdog,soft_watchdog,watchdog,watchdog_thresh}
> causes them to call proc_watchdog_update().
> 
>   NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
>   NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
>   NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
>   NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
> 
> There doesn't appear to be a reason for doing this work every time a write
> occurs, so only do it when the values change.
> 
> Signed-off-by: Josh Hunt <johunt@akamai.com>
> Acked-by: Don Zickus <dzickus@redhat.com>
> Reviewed-by: Aaron Tomlin <atomlin@redhat.com>
> Cc: Ulrich Obergfell <uobergfe@redhat.com>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  kernel/watchdog.c |    9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> --- a/kernel/watchdog.c
> +++ b/kernel/watchdog.c
[...]
> @@ -967,7 +970,7 @@ int proc_soft_watchdog(struct ctl_table
>  int proc_watchdog_thresh(struct ctl_table *table, int write,
>  			 void __user *buffer, size_t *lenp, loff_t *ppos)
>  {
> -	int err, old;
> +	int err, old, new;
>  
>  	get_online_cpus();
>  	mutex_lock(&watchdog_proc_mutex);
> @@ -987,6 +990,10 @@ int proc_watchdog_thresh(struct ctl_tabl
>  	/*
>  	 * Update the sample period. Restore on failure.
>  	 */
> +	new = ACCESS_ONCE(watchdog_thresh);

This ACCESS_ONCE() doesn't make any sense to me.  Isn't watchdog_thresh
protected by watchdog_proc_mutex?  If a race on watchdog_thresh is
still possible then the check for old == new isn't a valid
optimisation, and if it isn't possible then ACCESS_ONCE() shouldn't be
used here.

Ben.

> +	if (old == new)
> +		goto out;
> +
>  	set_sample_period();
>  	err = proc_watchdog_update();
>  	if (err) {

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 259+ messages in thread

* Re: [PATCH 4.5 142/238] watchdog: dont run proc_watchdog_update if new value is same as old
  2016-04-12 22:41   ` Ben Hutchings
@ 2016-04-13 15:56     ` Don Zickus
  0 siblings, 0 replies; 259+ messages in thread
From: Don Zickus @ 2016-04-13 15:56 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Greg Kroah-Hartman, linux-kernel, stable, Josh Hunt,
	Aaron Tomlin, Ulrich Obergfell, Andrew Morton, Linus Torvalds

On Tue, Apr 12, 2016 at 11:41:43PM +0100, Ben Hutchings wrote:
> On Sun, 2016-04-10 at 11:35 -0700, Greg Kroah-Hartman wrote:
> 
> > 4.5-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Joshua Hunt <johunt@akamai.com>
> > 
> > commit a1ee1932aa6bea0bb074f5e3ced112664e4637ed upstream.
> > 
> > While working on a script to restore all sysctl params before a series of
> > tests I found that writing any value into the
> > /proc/sys/kernel/{nmi_watchdog,soft_watchdog,watchdog,watchdog_thresh}
> > causes them to call proc_watchdog_update().
> > 
> >   NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
> >   NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
> >   NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
> >   NMI watchdog: enabled on all CPUs, permanently consumes one hw-PMU counter.
> > 
> > There doesn't appear to be a reason for doing this work every time a write
> > occurs, so only do it when the values change.
> > 
> > Signed-off-by: Josh Hunt <johunt@akamai.com>
> > Acked-by: Don Zickus <dzickus@redhat.com>
> > Reviewed-by: Aaron Tomlin <atomlin@redhat.com>
> > Cc: Ulrich Obergfell <uobergfe@redhat.com>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > 
> > ---
> >  kernel/watchdog.c |    9 ++++++++-
> >  1 file changed, 8 insertions(+), 1 deletion(-)
> > 
> > --- a/kernel/watchdog.c
> > +++ b/kernel/watchdog.c
> [...]
> > @@ -967,7 +970,7 @@ int proc_soft_watchdog(struct ctl_table
> >  int proc_watchdog_thresh(struct ctl_table *table, int write,
> >  			 void __user *buffer, size_t *lenp, loff_t *ppos)
> >  {
> > -	int err, old;
> > +	int err, old, new;
> >  
> >  	get_online_cpus();
> >  	mutex_lock(&watchdog_proc_mutex);
> > @@ -987,6 +990,10 @@ int proc_watchdog_thresh(struct ctl_tabl
> >  	/*
> >  	 * Update the sample period. Restore on failure.
> >  	 */
> > +	new = ACCESS_ONCE(watchdog_thresh);
> 

Hi Ben,

> This ACCESS_ONCE() doesn't make any sense to me.  Isn't watchdog_thresh
> protected by watchdog_proc_mutex?  If a race on watchdog_thresh is

The write accesses are, but not all the reads.

> still possible then the check for old == new isn't a valid
> optimisation, and if it isn't possible then ACCESS_ONCE() shouldn't be
> used here.

The irq and nmi handlers may read it, but not write.  So there should not be
any race of overwriting watchdog_thresh, just a race to read stale data.

I don't fully understand the use case for ACCESS_ONCE, so it is hard for me
to comment on whether or not the code paths satisfy the use cases or not.

The check for 'old == new' is a needed optimization and should not race
because of the mutex protection.

So, I don't have a good answer for you without understanding ACCESS_ONCE
better.

Cheers,
Don

^ permalink raw reply	[flat|nested] 259+ messages in thread

end of thread, other threads:[~2016-04-13 15:56 UTC | newest]

Thread overview: 259+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-04-10 18:32 [PATCH 4.5 000/238] 4.5.1-stable review Greg Kroah-Hartman
2016-04-10 18:32 ` [PATCH 4.5 001/238] x86/microcode/intel: Make early loader look for builtin microcode too Greg Kroah-Hartman
2016-04-10 18:32 ` [PATCH 4.5 002/238] x86/microcode: Untangle from BLK_DEV_INITRD Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 003/238] x86/entry/compat: Keep TS_COMPAT set during signal delivery Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 004/238] perf/x86/intel: Add definition for PT PMI bit Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 005/238] x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant BARs Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 006/238] KVM: x86: fix missed hardware breakpoints Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 008/238] KVM: fix spin_lock_init order on x86 Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 009/238] KVM: VMX: avoid guest hang on invalid invept instruction Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 010/238] KVM: VMX: avoid guest hang on invalid invvpid instruction Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 011/238] KVM: VMX: fix nested vpid for old KVM guests Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 012/238] perf/core: Fix perf_sched_count derailment Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 013/238] perf tools: Dont stop PMU parsing on alias parse error Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 014/238] perf tools: Fix checking asprintf return value Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 015/238] perf tools: Fix python extension build Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 016/238] Thermal: Ignore invalid trip points Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 017/238] sched/cputime: Fix steal_account_process_tick() to always return jiffies Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 018/238] sched/fair: Avoid using decay_load_missed() with a negative value Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 019/238] sched/preempt, sh: kmap_coherent relies on disabled preemption Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 020/238] EDAC/sb_edac: Fix computation of channel address Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 021/238] EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr() Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 022/238] s390: fix floating pointer register corruption (again) Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 023/238] s390/cpumf: add missing lpp magic initialization Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 024/238] s390/pci: enforce fmb page boundary rule Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 025/238] pinctrl-bcm2835: Fix cut-and-paste error in "pull" parsing Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 026/238] PCI: Disable IO/MEM decoding for devices with non-compliant BARs Greg Kroah-Hartman
2016-04-11 23:45   ` Ben Hutchings
2016-04-12 14:31     ` Greg Kroah-Hartman
2016-04-12 14:31       ` Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 027/238] PCI: ACPI: IA64: fix IO port generic range check Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 028/238] x86/irq: Cure live lock in fixup_irqs() Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 029/238] x86/apic: Fix suspicious RCU usage in smp_trace_call_function_interrupt() Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 030/238] x86/iopl/64: Properly context-switch IOPL on Xen PV Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 031/238] x86/iopl: Fix iopl capability check " Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 032/238] x86/mm: TLB_REMOTE_SEND_IPI should count pages Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 033/238] sg: fix dxferp in from_to case Greg Kroah-Hartman
2016-04-10 18:33   ` Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 034/238] aacraid: Fix RRQ overload Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 035/238] aacraid: Fix memory leak in aac_fib_map_free Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 036/238] aacraid: Set correct msix count for EEH recovery Greg Kroah-Hartman
2016-04-12  0:29   ` Ben Hutchings
2016-04-12 18:01     ` Raghava Aditya Renukunta
2016-04-10 18:33 ` [PATCH 4.5 037/238] sd: Fix discard granularity when LBPRZ=1 Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 038/238] ncr5380: Correctly clear command pointers and lists after bus reset Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 039/238] ncr5380: Dont release lock for PIO transfer Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 040/238] ncr5380: Dont re-enter NCR5380_select() Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 041/238] ncr5380: Forget aborted commands Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 042/238] ncr5380: Fix NCR5380_select() EH checks and result handling Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 043/238] ncr5380: Call scsi_eh_prep_cmnd() and scsi_eh_restore_cmnd() as and when appropriate Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 044/238] scsi: storvsc: fix SRB_STATUS_ABORTED handling Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 045/238] be2iscsi: set the boot_kset pointer to NULL in case of failure Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 046/238] aic7xxx: Fix queue depth handling Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 047/238] libnvdimm: Fix security issue with DSM IOCTL Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 048/238] libnvdimm, pmem: fix kmap_atomic() leak in error path Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 049/238] dm snapshot: disallow the COW and origin devices from being identical Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 050/238] dm: fix excessive dm-mq context switching Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 051/238] dm thin metadata: dont issue prefetches if a transaction abort has failed Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 052/238] dm cache: make sure every metadata function checks fail_io Greg Kroah-Hartman
2016-04-12  1:27   ` Ben Hutchings
2016-04-12 17:18     ` Mike Snitzer
2016-04-10 18:33 ` [PATCH 4.5 053/238] dm: fix rq_end_stats() NULL pointer in dm_requeue_original_request() Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 054/238] usb: retry reset if a device times out Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 055/238] usb: hub: fix a typo in hub_port_init() leading to wrong logic Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 056/238] USB: uas: Reduce can_queue to MAX_CMNDS Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 057/238] USB: cdc-acm: more sanity checking Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 058/238] USB: iowarrior: fix oops with malicious USB descriptors Greg Kroah-Hartman
2016-04-12  1:37   ` Ben Hutchings
2016-04-12 14:25     ` Greg Kroah-Hartman
2016-04-12 14:25       ` Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 059/238] USB: usb_driver_claim_interface: add sanity checking Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 060/238] USB: mct_u232: add sanity checking in probe Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 061/238] USB: digi_acceleport: do sanity checking for the number of ports Greg Kroah-Hartman
2016-04-10 18:33 ` [PATCH 4.5 062/238] USB: cypress_m8: add endpoint sanity check Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 063/238] USB: serial: cp210x: Adding GE Healthcare Device ID Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 064/238] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 066/238] rt2x00: add new rt2800usb device Buffalo WLI-UC-G450 Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 067/238] [media] pwc: Add USB id for Philips Spc880nc webcam Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 068/238] Input: powermate - fix oops with malicious USB descriptors Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 069/238] ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk() Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 070/238] ALSA: usb-audio: Add sanity checks for endpoint accesses Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 072/238] ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk() Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 073/238] ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 074/238] Bluetooth: btusb: Add new AR3012 ID 13d3:3395 Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 075/238] Bluetooth: btusb: Add a new AR3012 ID 04ca:3014 Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 076/238] Bluetooth: btusb: Add a new AR3012 ID 13d3:3472 Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 077/238] crypto: ccp - Add hash state import and export support Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 078/238] crypto: ccp - Limit the amount of information exported Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas are aligned Greg Kroah-Hartman
2016-04-12  1:56   ` Ben Hutchings
2016-04-12 14:28     ` Greg Kroah-Hartman
2016-04-12 14:28       ` Greg Kroah-Hartman
2016-04-12 17:01       ` Tom Lendacky
2016-04-12 17:25         ` Ben Hutchings
2016-04-10 18:34 ` [PATCH 4.5 080/238] crypto: ccp - memset request context to zero during import Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 081/238] crypto: keywrap - memzero the correct memory Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 082/238] crypto: atmel - fix checks of error code returned by devm_ioremap_resource() Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 083/238] crypto: ux500 " Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 084/238] crypto: marvell/cesa - forward devm_ioremap_resource() error code Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 085/238] X.509: Fix leap year handling again Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 086/238] mei: bus: check if the device is enabled before data transfer Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 087/238] tpm: fix the rollback in tpm_chip_register() Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 088/238] tpm_crb: tpm2_shutdown() must be called before tpm_chip_unregister() Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 089/238] tpm_eventlog.c: fix binary_bios_measurements Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 090/238] tpm: fix the cleanup of struct tpm_chip Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 091/238] HID: logitech: fix Dual Action gamepad support Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 092/238] HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report() Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 093/238] HID: multitouch: force retrieving of Win8 signature blob Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 094/238] HID: fix hid_ignore_special_drivers module parameter Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 095/238] staging: comedi: ni_tiocmd: change mistaken use of start_src for start_arg Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 096/238] staging: android: ion_test: fix check of platform_device_register_simple() error code Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 097/238] staging: comedi: ni_mio_common: fix the ni_write[blw]() functions Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 098/238] tty: Fix GPF in flush_to_ldisc(), part 2 Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 099/238] net: irda: Fix use-after-free in irtty_open() Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 100/238] 8250: use callbacks to access UART_DLL/UART_DLM Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 101/238] [media] saa7134: Fix bytesperline not being set correctly for planar formats Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 102/238] [media] adv7511: TX_EDID_PRESENT is still 1 after a disconnect Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 103/238] [media] bttv: Width must be a multiple of 16 when capturing planar formats Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 104/238] [media] coda: fix first encoded frame payload Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 105/238] [media] media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32 Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 106/238] mtip32xx: Avoid issuing standby immediate cmd during FTL rebuild Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 107/238] mtip32xx: Fix broken service thread handling Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 108/238] mtip32xx: Remove unwanted code from taskfile error handler Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 109/238] mtip32xx: Print exact time when an internal command is interrupted Greg Kroah-Hartman
2016-04-12  2:48   ` Ben Hutchings
2016-04-12  4:06     ` Greg Kroah-Hartman
2016-04-12  4:06       ` Greg Kroah-Hartman
2016-04-12  6:29       ` Willy Tarreau
2016-04-12  6:29         ` Willy Tarreau
2016-04-10 18:34 ` [PATCH 4.5 110/238] mtip32xx: Fix for rmmod crash when drive is in FTL rebuild Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 111/238] mtip32xx: Handle safe removal during IO Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 112/238] mtip32xx: Handle FTL rebuild failure state during device initialization Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 113/238] mtip32xx: Implement timeout handler Greg Kroah-Hartman
2016-04-12  2:49   ` Ben Hutchings
2016-04-10 18:34 ` [PATCH 4.5 114/238] mtip32xx: Cleanup queued requests after surprise removal Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 115/238] ALSA: hda - Fix unexpected resume through regmap code path Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 116/238] ALSA: hda - Apply reboot D3 fix for CX20724 codec, too Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 117/238] ALSA: pcm: Avoid "BUG:" string for warnings again Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 118/238] ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41 Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 119/238] ALSA: hda - Dont handle ELD notify from invalid port Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 120/238] ALSA: hda - fix the mic mute button and led problem for a Lenovo AIO Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 121/238] ALSA: hda - Add new GPU codec ID 0x10de0082 to snd-hda Greg Kroah-Hartman
2016-04-10 18:34 ` [PATCH 4.5 122/238] ALSA: hda - Fix unconditional GPIO toggle via automute Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 126/238] ALSA: hda - Fix forgotten HDMI monitor_present update Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 128/238] ALSA: hda - Fix missing ELD update at unplugging Greg Kroah-Hartman
2016-04-12 18:39   ` Paul Bolle
2016-04-12 18:51     ` Takashi Iwai
2016-04-10 18:35 ` [PATCH 4.5 129/238] tools/hv: Use include/uapi with __EXPORTED_HEADERS__ Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 130/238] jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 131/238] gpio: pca953x: Fix pca953x_gpio_set_multiple() on 64-bit Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 132/238] arm64: Update PTE_RDONLY in set_pte_at() for PROT_NONE permission Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 133/238] brd: Fix discard request processing Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 134/238] IB/srpt: Simplify srpt_handle_tsk_mgmt() Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 135/238] bcache: cleaned up error handling around register_cache() Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 136/238] bcache: fix race of writeback thread starting before complete initialization Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 137/238] bcache: fix cache_set_flush() NULL pointer dereference on OOM Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 138/238] mm: memcontrol: reclaim when shrinking memory.high below usage Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 139/238] mm: memcontrol: reclaim and OOM kill when shrinking memory.max " Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 140/238] ia64: define ioremap_uc() Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 141/238] drivers/firmware/broadcom/bcm47xx_nvram.c: fix incorrect __ioread32_copy Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 142/238] watchdog: dont run proc_watchdog_update if new value is same as old Greg Kroah-Hartman
2016-04-12 22:41   ` Ben Hutchings
2016-04-13 15:56     ` Don Zickus
2016-04-10 18:35 ` [PATCH 4.5 143/238] watchdog: rc32434_wdt: fix ioctl error handling Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 144/238] Bluetooth: Add new AR3012 ID 0489:e095 Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 145/238] Bluetooth: Fix potential buffer overflow with Add Advertising Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 146/238] cgroup: ignore css_sets associated with dead cgroups during migration Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 147/238] net: mvneta: enable change MAC address when interface is up Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 149/238] of: alloc anywhere from memblock if range not specified Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 150/238] vfs: show_vfsstat: do not ignore errors from show_devname method Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 151/238] splice: handle zero nr_pages in splice_to_pipe() Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 152/238] xtensa: ISS: dont hang if stdin EOF is reached Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 153/238] xtensa: fix preemption in {clear,copy}_user_highpage Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 154/238] xtensa: clear all DBREAKC registers on start Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 155/238] ARC: [plat-axs10x] add Ethernet PHY description in .dts Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 156/238] ARC: [BE] readl()/writel() to work in Big Endian CPU configuration Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 157/238] ARC: bitops: Remove non relevant comments Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 158/238] quota: Fix possible GPF due to uninitialised pointers Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 159/238] xfs: fix two memory leaks in xfs_attr_list.c error paths Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 160/238] raid1: include bio_end_io_list in nr_queued to prevent freeze_array hang Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 161/238] md/raid5: Compare apples to apples (or sectors to sectors) Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 162/238] RAID5: check_reshape() shouldnt call mddev_suspend Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 163/238] RAID5: revert e9e4c377e2f563 to fix a livelock Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 164/238] raid10: include bio_end_io_list in nr_queued to prevent freeze_array hang Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 165/238] md/raid5: preserve STRIPE_PREREAD_ACTIVE in break_stripe_batch_list Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 166/238] md: multipath: dont hardcopy bio in .make_request path Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 167/238] fuse: do not use iocb after it may have been freed Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 168/238] fuse: Add reference counting for fuse_io_priv Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 169/238] scripts/gdb: account for changes in module data structure Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 170/238] fs/coredump: prevent fsuid=0 dumps into user-controlled directories Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 171/238] rapidio/rionet: fix deadlock on SMP Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 172/238] drm/vc4: Return -EFAULT on copy_from_user() failure Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 174/238] drm/radeon: Dont drop DP 2.7 Ghz link setup on some cards Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 175/238] drm/radeon: rework fbdev handling on chips with no connectors Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 176/238] drm/radeon/mst: fix regression in lane/link handling Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 178/238] drm/amdgpu: include the right version of gmc header files for iceland Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 179/238] drm/amd/powerplay: add uvd/vce dpm enabling flag to fix the performance issue for CZ Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 180/238] tracing: Have preempt(irqs)off trace preempt disabled functions Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 181/238] tracing: Fix crash from reading trace_pipe with sendfile Greg Kroah-Hartman
2016-04-10 18:35 ` [PATCH 4.5 182/238] tracing: Fix trace_printk() to print when not using bprintk() Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 183/238] bitops: Do not default to __clear_bit() for __clear_bit_unlock() Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 184/238] scripts/coccinelle: modernize & Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 185/238] scripts/kconfig: allow building with make 3.80 again Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 186/238] kbuild/mkspec: fix grub2 installkernel issue Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 187/238] MAINTAINERS: Update mailing list and web page for hwmon subsystem Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 188/238] ideapad-laptop: Add ideapad Y700 (15) to the no_hw_rfkill DMI list Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 189/238] mmc: block: fix ABI regression of mmc_blk_ioctl Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 190/238] mmc: mmc_spi: Add Card Detect comments and fix CD GPIO case Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 191/238] mmc: sdhci: move initialisation of command error member Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 192/238] mmc: sdhci: clean up command error handling Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 193/238] mmc: sdhci: fix command response CRC " Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 194/238] mmc: sdhci: further fix for DMA unmapping in sdhci_post_req() Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 195/238] mmc: sdhci: avoid unnecessary mapping/unmapping of align buffer Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 196/238] mmc: sdhci: plug DMA mapping leak on error Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 197/238] mmc: sdhci: fix data timeout (part 1) Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 198/238] mmc: sdhci: fix data timeout (part 2) Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 199/238] mmc: sdhci-pxav3: fix higher speed mode capabilities Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 200/238] mmc: tegra: Disable UHS-I modes for tegra114 Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 201/238] mmc: tegra: properly disable card clock Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 202/238] mmc: sdhci: Fix override of timeout clk wrt max_busy_timeout Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 203/238] mmc: atmel-mci: Check pdata for NULL before dereferencing it at DMA config Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 204/238] clk: rockchip: rk3368: fix cpuclk mux bit of big cpu-cluster Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 205/238] clk: rockchip: rk3368: fix cpuclk core dividers Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 206/238] clk: rockchip: rk3368: fix parents of video encoder/decoder Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 207/238] clk: rockchip: rk3368: fix hdmi_cec gate-register Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 208/238] clk: rockchip: add hclk_cpubus to the list of rk3188 critical clocks Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 209/238] clk: bcm2835: Fix setting of PLL divider clock rates Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 210/238] target: Fix target_release_cmd_kref shutdown comp leak Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 211/238] iser-target: Fix identification of login rx descriptor type Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 212/238] iser-target: Add new state ISER_CONN_BOUND to isert_conn Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 213/238] iser-target: Separate flows for np listeners and connections cma events Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 214/238] iser-target: Rework connection termination Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 215/238] nfsd4: fix bad bounds checking Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 216/238] nfsd: fix deadlock secinfo+readdir compound Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 217/238] ARM: dts: at91: sama5d3 Xplained: dont disable hsmci regulator Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 218/238] ARM: dts: at91: sama5d4 " Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 219/238] ACPI / PM: Runtime resume devices when waking from hibernate Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 220/238] writeback, cgroup: fix premature wb_put() in locked_inode_to_wb_and_lock_list() Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 221/238] writeback, cgroup: fix use of the wrong bdi_writeback which mismatches the inode Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 222/238] Input: synaptics - handle spurious release of trackstick buttons, again Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 223/238] Input: ims-pcu - sanity check against missing interfaces Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 224/238] Input: ati_remote2 - fix crashes on detecting device with invalid descriptor Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 225/238] ocfs2: o2hb: fix double free bug Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 226/238] ocfs2/dlm: fix race between convert and recovery Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 227/238] ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 228/238] mm/page_alloc: prevent merging between isolated and other pageblocks Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 229/238] mtd: onenand: fix deadlock in onenand_block_markbad Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 230/238] intel_idle: prevent SKL-H boot failure when C8+C9+C10 enabled Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 231/238] PM / sleep: Clear pm_suspend_global_flags upon hibernate Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 232/238] scsi_common: do not clobber fixed sense information Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 233/238] sched/cputime: Fix steal time accounting vs. CPU hotplug Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 234/238] perf/x86/pebs: Add workaround for broken OVFL status on HSW+ Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 235/238] perf/x86/intel/uncore: Remove SBOX support for BDX-DE Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 236/238] [PATCH 3/5] perf/x86/intel: Fix PEBS warning by only restoring active PMU in pmi Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 237/238] perf/x86/intel: Use PAGE_SIZE for PEBS buffer size on Core2 Greg Kroah-Hartman
2016-04-10 18:36 ` [PATCH 4.5 238/238] perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere Greg Kroah-Hartman
2016-04-11  6:43 ` [PATCH 4.5 000/238] 4.5.1-stable review Guenter Roeck
2016-04-12 14:32   ` Greg Kroah-Hartman
2016-04-11 17:25 ` shuahkh
2016-04-12  6:39   ` Greg Kroah-Hartman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.