* [PATCH 3.12 001/235] driver core: Delete an unnecessary check before the function call "put_device"
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 002/235] driver core: fix race between creating/querying glue dir and its cleanup Jiri Slaby
                   ` (235 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Markus Elfring, Greg Kroah-Hartman, Jiri Slaby

From: Markus Elfring <elfring@users.sourceforge.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5f0163a5ee9cc7c59751768bdfd94a73186debba upstream.

The put_device() function tests whether its argument is NULL and then
returns immediately. Thus the test around the call is not needed.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/base/core.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/base/core.c b/drivers/base/core.c
index 944fecd32e9f..90458b1719a8 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -1185,8 +1185,7 @@ done:
 	kobject_del(&dev->kobj);
  Error:
 	cleanup_device_parent(dev);
-	if (parent)
-		put_device(parent);
+	put_device(parent);
 name_error:
 	kfree(dev->p);
 	dev->p = NULL;
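Review bot: the unconditional put_device(parent) at the Error label is a pure cleanup with no behaviour change, so for a stable queue the changelog should say why it is included. The next patch in the series has this exact line as hunk context in device_add(), which suggests it is carried as a prerequisite so that patch applies cleanly; a short [js] note saying so would save reviewers the search.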
-- 
2.11.0


* [PATCH 3.12 002/235] driver core: fix race between creating/querying glue dir and its cleanup
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 001/235] driver core: Delete an unnecessary check before the function call "put_device" Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 003/235] ext4: fix data exposure after a crash Jiri Slaby
                   ` (234 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Ming Lei, Yijing Wang, Greg Kroah-Hartman, Jiri Slaby

From: Ming Lei <ming.lei@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit cebf8fd16900fdfd58c0028617944f808f97fe50 upstream.

The global mutex 'gdp_mutex' is used to serialize creating/querying
glue dir and its cleanup. Turns out it isn't a perfect way because
part (kobj_kset_leave()) of the actual cleanup action() is done inside
the release handler of the glue dir kobject. That means gdp_mutex has
to be held before releasing the last reference count of the glue dir
kobject.

This patch moves glue dir's cleanup after kobject_del() in device_del()
for avoiding the race.

Cc: Yijing Wang <wangyijing@huawei.com>
Reported-by: Chandra Sekhar Lingutla <clingutla@codeaurora.org>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/base/core.c | 39 +++++++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 10 deletions(-)

diff --git a/drivers/base/core.c b/drivers/base/core.c
index 90458b1719a8..449f7096974d 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -874,11 +874,29 @@ static struct kobject *get_device_parent(struct device *dev,
 	return NULL;
 }
 
+static inline bool live_in_glue_dir(struct kobject *kobj,
+				    struct device *dev)
+{
+	if (!kobj || !dev->class ||
+	    kobj->kset != &dev->class->p->glue_dirs)
+		return false;
+	return true;
+}
+
+static inline struct kobject *get_glue_dir(struct device *dev)
+{
+	return dev->kobj.parent;
+}
+
+/*
+ * make sure cleaning up dir as the last step, we need to make
+ * sure .release handler of kobject is run with holding the
+ * global lock
+ */
 static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
 {
 	/* see if we live in a "glue" directory */
-	if (!glue_dir || !dev->class ||
-	    glue_dir->kset != &dev->class->p->glue_dirs)
+	if (!live_in_glue_dir(glue_dir, dev))
 		return;
 
 	mutex_lock(&gdp_mutex);
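Review bot: live_in_glue_dir() takes (kobj, dev) while cleanup_glue_dir(), which calls it, takes (dev, glue_dir), so the two arguments are easy to swap at a call site; matching the (dev, kobj) order would avoid that, and the body can be a single return of the negated condition instead of if/return false/return true. The new comment above cleanup_glue_dir() is also hard to parse; wording such as "Clean up the glue dir as the last step: the kobject's .release handler must run with gdp_mutex held" says the same thing and names the lock.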
@@ -886,11 +904,6 @@ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
 	mutex_unlock(&gdp_mutex);
 }
 
-static void cleanup_device_parent(struct device *dev)
-{
-	cleanup_glue_dir(dev, dev->kobj.parent);
-}
-
 static int device_add_class_symlinks(struct device *dev)
 {
 	int error;
@@ -1054,6 +1067,7 @@ int device_add(struct device *dev)
 	struct kobject *kobj;
 	struct class_interface *class_intf;
 	int error = -EINVAL;
+	struct kobject *glue_dir = NULL;
 
 	dev = get_device(dev);
 	if (!dev)
@@ -1098,8 +1112,10 @@ int device_add(struct device *dev)
 	/* first, register with generic layer. */
 	/* we require the name to be set before, and pass NULL */
 	error = kobject_add(&dev->kobj, dev->kobj.parent, NULL);
-	if (error)
+	if (error) {
+		glue_dir = get_glue_dir(dev);
 		goto Error;
+	}
 
 	/* notify platform of device entry */
 	if (platform_notify)
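Review bot: in the kobject_add() failure branch, get_glue_dir(dev) reads dev->kobj.parent after the add has already failed, and nothing in this hunk shows what kobject_add() leaves in that field on error. If the parent pointer is cleared on failure, glue_dir stays NULL and cleanup_glue_dir() returns early without touching the glue dir; please confirm which state is expected here, or sample the glue dir before calling kobject_add().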
@@ -1182,9 +1198,10 @@ done:
 	device_remove_file(dev, &dev_attr_uevent);
  attrError:
 	kobject_uevent(&dev->kobj, KOBJ_REMOVE);
+	glue_dir = get_glue_dir(dev);
 	kobject_del(&dev->kobj);
  Error:
-	cleanup_device_parent(dev);
+	cleanup_glue_dir(dev, glue_dir);
 	put_device(parent);
 name_error:
 	kfree(dev->p);
@@ -1260,6 +1277,7 @@ EXPORT_SYMBOL_GPL(put_device);
 void device_del(struct device *dev)
 {
 	struct device *parent = dev->parent;
+	struct kobject *glue_dir = NULL;
 	struct class_interface *class_intf;
 
 	/* Notify clients of device removal.  This call must come
@@ -1301,8 +1319,9 @@ void device_del(struct device *dev)
 	if (platform_notify_remove)
 		platform_notify_remove(dev);
 	kobject_uevent(&dev->kobj, KOBJ_REMOVE);
-	cleanup_device_parent(dev);
+	glue_dir = get_glue_dir(dev);
 	kobject_del(&dev->kobj);
+	cleanup_glue_dir(dev, glue_dir);
 	put_device(parent);
 }
 EXPORT_SYMBOL_GPL(device_del);
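Review bot: in device_del() the ordering of the three lines is the whole fix (read glue_dir, then kobject_del(), then cleanup_glue_dir()), but nothing at the call site says so. A one-line comment that glue_dir must be read before kobject_del() and cleaned up only after it would keep a later cleanup from reordering them; the same applies to the attrError path in device_add().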
-- 
2.11.0


* [PATCH 3.12 003/235] ext4: fix data exposure after a crash
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 001/235] driver core: Delete an unnecessary check before the function call "put_device" Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 002/235] driver core: fix race between creating/querying glue dir and its cleanup Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 004/235] locking/rtmutex: Prevent dequeue vs. unlock race Jiri Slaby
                   ` (233 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Jan Kara, Theodore Ts'o, Jiri Slaby

From: Jan Kara <jack@suse.cz>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 06bd3c36a733ac27962fea7d6f47168841376824 upstream.

Huang has reported that in his powerfail testing he is seeing stale
block contents in some of recently allocated blocks although he mounts
ext4 in data=ordered mode. After some investigation I have found out
that indeed when delayed allocation is used, we don't add inode to
transaction's list of inodes needing flushing before commit. Originally
we were doing that but commit f3b59291a69d removed the logic with a
flawed argument that it is not needed.

The problem is that although for delayed allocated blocks we write their
contents immediately after allocating them, there is no guarantee that
the IO scheduler or device doesn't reorder things and thus transaction
allocating blocks and attaching them to inode can reach stable storage
before actual block contents. Actually whenever we attach freshly
allocated blocks to inode using a written extent, we should add inode to
transaction's ordered inode list to make sure we properly wait for block
contents to be written before committing the transaction. So that is
what we do in this patch. This also handles other cases where stale data
exposure was possible - like filling hole via mmap in
data=ordered,nodelalloc mode.

The only exception to the above rule are extending direct IO writes where
blkdev_direct_IO() waits for IO to complete before increasing i_size and
thus stale data exposure is not possible. For now we don't complicate
the code with optimizing this special case since the overhead is pretty
low. In case this is observed to be a performance problem we can always
handle it using a special flag to ext4_map_blocks().

Fixes: f3b59291a69d0b734be1fc8be489fef2dd846d3d
Reported-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Tested-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ext4/inode.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 4a3735a795d0..3fa2da53400d 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -701,6 +701,20 @@ has_zeroout:
 		int ret = check_block_validity(inode, map);
 		if (ret != 0)
 			return ret;
+
+		/*
+		 * Inodes with freshly allocated blocks where contents will be
+		 * visible after transaction commit must be on transaction's
+		 * ordered data list.
+		 */
+		if (map->m_flags & EXT4_MAP_NEW &&
+		    !(map->m_flags & EXT4_MAP_UNWRITTEN) &&
+		    !IS_NOQUOTA(inode) &&
+		    ext4_should_order_data(inode)) {
+			ret = ext4_jbd2_file_inode(handle, inode);
+			if (ret)
+				return ret;
+		}
 	}
 	return retval;
 }
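Review bot: the new condition after check_block_validity() mixes & and && without parentheses in `map->m_flags & EXT4_MAP_NEW &&`; it evaluates as intended, but the next line already parenthesizes its flag test, so write `(map->m_flags & EXT4_MAP_NEW)` for consistency. The !IS_NOQUOTA(inode) exclusion is explained neither by the new comment nor by the changelog and deserves a sentence. Also note that a failure from ext4_jbd2_file_inode() makes the function return ret instead of retval for blocks that are already flagged EXT4_MAP_NEW, so it is worth stating what callers are expected to do with such a mapping.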
@@ -1065,15 +1079,6 @@ static int ext4_write_end(struct file *file,
 	int i_size_changed = 0;
 
 	trace_ext4_write_end(inode, pos, len, copied);
-	if (ext4_test_inode_state(inode, EXT4_STATE_ORDERED_MODE)) {
-		ret = ext4_jbd2_file_inode(handle, inode);
-		if (ret) {
-			unlock_page(page);
-			page_cache_release(page);
-			goto errout;
-		}
-	}
-
 	if (ext4_has_inline_data(inode)) {
 		ret = ext4_write_inline_data_end(inode, pos, len,
 						 copied, page);
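Review bot: with the ext4_jbd2_file_inode() call removed from ext4_write_end(), ordering on this path depends entirely on the EXT4_MAP_NEW check added in the first hunk, and the two tests are not the same: the removed one keyed on EXT4_STATE_ORDERED_MODE, the new one on ext4_should_order_data(). The changelog should say explicitly that writes into already allocated blocks no longer file the inode, and the backport should confirm that both helpers agree in the 3.12 tree.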
-- 
2.11.0


* [PATCH 3.12 004/235] locking/rtmutex: Prevent dequeue vs. unlock race
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (2 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 003/235] ext4: fix data exposure after a crash Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 005/235] locking/rtmutex: Use READ_ONCE() in rt_mutex_owner() Jiri Slaby
                   ` (232 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Thomas Gleixner, Linus Torvalds, Mark Rutland,
	Peter Zijlstra, Sebastian Siewior, Will Deacon, Ingo Molnar,
	Jiri Slaby

From: Thomas Gleixner <tglx@linutronix.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit dbb26055defd03d59f678cb5f2c992abe05b064a upstream.

David reported a futex/rtmutex state corruption. It's caused by the
following problem:

CPU0		CPU1		CPU2

l->owner=T1
		rt_mutex_lock(l)
		lock(l->wait_lock)
		l->owner = T1 | HAS_WAITERS;
		enqueue(T2)
		boost()
		  unlock(l->wait_lock)
		schedule()

				rt_mutex_lock(l)
				lock(l->wait_lock)
				l->owner = T1 | HAS_WAITERS;
				enqueue(T3)
				boost()
				  unlock(l->wait_lock)
				schedule()
		signal(->T2)	signal(->T3)
		lock(l->wait_lock)
		dequeue(T2)
		deboost()
		  unlock(l->wait_lock)
				lock(l->wait_lock)
				dequeue(T3)
				  ===> wait list is now empty
				deboost()
				 unlock(l->wait_lock)
		lock(l->wait_lock)
		fixup_rt_mutex_waiters()
		  if (wait_list_empty(l)) {
		    owner = l->owner & ~HAS_WAITERS;
		    l->owner = owner
		     ==> l->owner = T1
		  }

				lock(l->wait_lock)
rt_mutex_unlock(l)		fixup_rt_mutex_waiters()
				  if (wait_list_empty(l)) {
				    owner = l->owner & ~HAS_WAITERS;
cmpxchg(l->owner, T1, NULL)
 ===> Success (l->owner = NULL)
				    l->owner = owner
				     ==> l->owner = T1
				  }

That means the problem is caused by fixup_rt_mutex_waiters() which does the
RMW to clear the waiters bit unconditionally when there are no waiters in
the rtmutexes rbtree.

This can be fatal: A concurrent unlock can release the rtmutex in the
fastpath because the waiters bit is not set. If the cmpxchg() gets in the
middle of the RMW operation then the previous owner, which just unlocked
the rtmutex is set as the owner again when the write takes place after the
successful cmpxchg().

The solution is rather trivial: verify that the owner member of the rtmutex
has the waiters bit set before clearing it. This does not require a
cmpxchg() or other atomic operations because the waiters bit can only be
set and cleared with the rtmutex wait_lock held. It's also safe against the
fast path unlock attempt. The unlock attempt via cmpxchg() will either see
the bit set and take the slowpath or see the bit cleared and release it
atomically in the fastpath.

It's remarkable that the test program provided by David triggers on ARM64
and MIPS64 really quick, but it refuses to reproduce on x86-64, while the
problem exists there as well. That refusal might explain why this was not
discovered earlier despite the bug existing from day one of the rtmutex
implementation more than 10 years ago.

Thanks to David for meticulously instrumenting the code and providing the
information which allowed this subtle problem to be decoded.

Reported-by: David Daney <ddaney@caviumnetworks.com>
Tested-by: David Daney <david.daney@cavium.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sebastian Siewior <bigeasy@linutronix.de>
Cc: Will Deacon <will.deacon@arm.com>
Fixes: 23f78d4a03c5 ("[PATCH] pi-futex: rt mutex core")
Link: http://lkml.kernel.org/r/20161130210030.351136722@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 kernel/rtmutex.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 66 insertions(+), 2 deletions(-)

diff --git a/kernel/rtmutex.c b/kernel/rtmutex.c
index 51a83343df68..132c6a00e301 100644
--- a/kernel/rtmutex.c
+++ b/kernel/rtmutex.c
@@ -64,8 +64,72 @@ static inline void clear_rt_mutex_waiters(struct rt_mutex *lock)
 
 static void fixup_rt_mutex_waiters(struct rt_mutex *lock)
 {
-	if (!rt_mutex_has_waiters(lock))
-		clear_rt_mutex_waiters(lock);
+	unsigned long owner, *p = (unsigned long *) &lock->owner;
+
+	if (rt_mutex_has_waiters(lock))
+		return;
+
+	/*
+	 * The rbtree has no waiters enqueued, now make sure that the
+	 * lock->owner still has the waiters bit set, otherwise the
+	 * following can happen:
+	 *
+	 * CPU 0	CPU 1		CPU2
+	 * l->owner=T1
+	 *		rt_mutex_lock(l)
+	 *		lock(l->lock)
+	 *		l->owner = T1 | HAS_WAITERS;
+	 *		enqueue(T2)
+	 *		boost()
+	 *		  unlock(l->lock)
+	 *		block()
+	 *
+	 *				rt_mutex_lock(l)
+	 *				lock(l->lock)
+	 *				l->owner = T1 | HAS_WAITERS;
+	 *				enqueue(T3)
+	 *				boost()
+	 *				  unlock(l->lock)
+	 *				block()
+	 *		signal(->T2)	signal(->T3)
+	 *		lock(l->lock)
+	 *		dequeue(T2)
+	 *		deboost()
+	 *		  unlock(l->lock)
+	 *				lock(l->lock)
+	 *				dequeue(T3)
+	 *				 ==> wait list is empty
+	 *				deboost()
+	 *				 unlock(l->lock)
+	 *		lock(l->lock)
+	 *		fixup_rt_mutex_waiters()
+	 *		  if (wait_list_empty(l) {
+	 *		    l->owner = owner
+	 *		    owner = l->owner & ~HAS_WAITERS;
+	 *		      ==> l->owner = T1
+	 *		  }
+	 *				lock(l->lock)
+	 * rt_mutex_unlock(l)		fixup_rt_mutex_waiters()
+	 *				  if (wait_list_empty(l) {
+	 *				    owner = l->owner & ~HAS_WAITERS;
+	 * cmpxchg(l->owner, T1, NULL)
+	 *  ===> Success (l->owner = NULL)
+	 *
+	 *				    l->owner = owner
+	 *				      ==> l->owner = T1
+	 *				  }
+	 *
+	 * With the check for the waiter bit in place T3 on CPU2 will not
+	 * overwrite. All tasks fiddling with the waiters bit are
+	 * serialized by l->lock, so nothing else can modify the waiters
+	 * bit. If the bit is set then nothing can change l->owner either
+	 * so the simple RMW is safe. The cmpxchg() will simply fail if it
+	 * happens in the middle of the RMW because the waiters bit is
+	 * still set.
+	 */
+	owner = READ_ONCE(*p);
+	if (owner & RT_MUTEX_HAS_WAITERS)
+		WRITE_ONCE(*p, owner & ~RT_MUTEX_HAS_WAITERS);
 }
 
 /*
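Review bot: the diagram in the new comment does not match the one in the changelog in two places. In the CPU1 column the two lines inside the first `if (wait_list_empty(l) {` are swapped (`l->owner = owner` appears before `owner = l->owner & ~HAS_WAITERS;`), and both `if (wait_list_empty(l) {` lines are missing a closing parenthesis. The comment also calls the lock l->lock where the changelog says l->wait_lock; using wait_lock would make the serialization claim in the closing paragraph unambiguous. The code itself (READ_ONCE(), test the bit, WRITE_ONCE()) matches the description.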
-- 
2.11.0
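
The last rows of the interleaving in the changelog above, replayed deterministically in user space. This is an added example, not code from the patch or the kernel: `struct lock_model`, `replay()` and the `T1` value are hypothetical stand-ins, and the cmpxchg() is modelled as a plain compare-and-store because the steps run in a fixed order.

```c
#include <stdbool.h>
#include <stdio.h>

#define HAS_WAITERS 1UL       /* low bit of the owner word */
#define T1          0x1000UL  /* constructed stand-in for T1's task pointer */

struct lock_model {
	unsigned long owner;      /* task pointer | HAS_WAITERS */
};

struct outcome {
	unsigned long owner;      /* owner word after all three steps */
	bool released;            /* did the fast path unlock succeed? */
};

/* CPU0 fast path: cmpxchg(l->owner, T1, NULL), modelled sequentially. */
static bool fastpath_unlock(struct lock_model *l, unsigned long task)
{
	if (l->owner != task)
		return false;         /* waiters bit set: caller takes the slow path */
	l->owner = 0;
	return true;
}

/*
 * Wait list is already empty. Order of events:
 *   1. CPU2 loads l->owner (first half of the read-modify-write)
 *   2. CPU0 runs the fast path unlock
 *   3. CPU2 stores (second half of the read-modify-write)
 * 'checked' selects the logic with the waiters-bit test from the patch.
 */
static struct outcome replay(bool checked, unsigned long initial_owner)
{
	struct lock_model l = { .owner = initial_owner };
	struct outcome out;
	unsigned long snap = l.owner;               /* step 1 */

	out.released = fastpath_unlock(&l, T1);     /* step 2 */

	if (!checked)
		l.owner = snap & ~HAS_WAITERS;          /* old: unconditional store */
	else if (snap & HAS_WAITERS)
		l.owner = snap & ~HAS_WAITERS;          /* new: store only if bit was set */

	out.owner = l.owner;                        /* step 3 done */
	return out;
}

int main(void)
{
	struct outcome o;

	o = replay(false, T1);
	printf("unchecked, bit clear: released=%d owner=%#lx\n", o.released, o.owner);
	o = replay(true, T1);
	printf("checked,   bit clear: released=%d owner=%#lx\n", o.released, o.owner);
	o = replay(true, T1 | HAS_WAITERS);
	printf("checked,   bit set:   released=%d owner=%#lx\n", o.released, o.owner);
	return 0;
}
```

With the bit already clear, the unchecked variant ends with T1 recorded as owner although the unlock succeeded; with the bit set, the fast path fails in both variants and the store is harmless.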


* [PATCH 3.12 005/235] locking/rtmutex: Use READ_ONCE() in rt_mutex_owner()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (3 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 004/235] locking/rtmutex: Prevent dequeue vs. unlock race Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 006/235] perf/x86: Fix full width counter, counter overflow Jiri Slaby
                   ` (231 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Thomas Gleixner, David Daney, Linus Torvalds,
	Mark Rutland, Peter Zijlstra, Sebastian Siewior, Steven Rostedt,
	Ingo Molnar, Jiri Slaby

From: Thomas Gleixner <tglx@linutronix.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1be5d4fa0af34fb7bafa205aeb59f5c7cc7a089d upstream.

While debugging the rtmutex unlock vs. dequeue race Will suggested to use
READ_ONCE() in rt_mutex_owner() as it might race against the
cmpxchg_release() in unlock_rt_mutex_safe().

Will: "It's a minor thing which will most likely not matter in practice"

Careful search did not unearth an actual problem in today's code, but it's
better to be safe than surprised.

Suggested-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: David Daney <ddaney@caviumnetworks.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sebastian Siewior <bigeasy@linutronix.de>
Cc: Steven Rostedt <rostedt@goodmis.org>
Link: http://lkml.kernel.org/r/20161130210030.431379999@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 kernel/rtmutex_common.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/rtmutex_common.h b/kernel/rtmutex_common.h
index 53a66c85261b..1823c094fe96 100644
--- a/kernel/rtmutex_common.h
+++ b/kernel/rtmutex_common.h
@@ -96,8 +96,9 @@ task_top_pi_waiter(struct task_struct *p)
 
 static inline struct task_struct *rt_mutex_owner(struct rt_mutex *lock)
 {
-	return (struct task_struct *)
-		((unsigned long)lock->owner & ~RT_MUTEX_OWNER_MASKALL);
+	unsigned long owner = (unsigned long) READ_ONCE(lock->owner);
+
+	return (struct task_struct *) (owner & ~RT_MUTEX_OWNER_MASKALL);
 }
 
 /*
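Review bot: rt_mutex_owner() now depends on READ_ONCE(), and the hunk adds no include to kernel/rtmutex_common.h; for this backport please confirm the macro is available in the 3.12 tree at this point (the previous patch in the series relies on READ_ONCE() and WRITE_ONCE() as well). A short comment naming the concurrent cmpxchg in the unlock path, as the changelog does, would explain why the plain load was replaced.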
-- 
2.11.0


* [PATCH 3.12 006/235] perf/x86: Fix full width counter, counter overflow
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (4 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 005/235] locking/rtmutex: Use READ_ONCE() in rt_mutex_owner() Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 007/235] can: raw: raw_setsockopt: limit number of can_filter that can be set Jiri Slaby
                   ` (230 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Peter Zijlstra (Intel),
	Alexander Shishkin, Arnaldo Carvalho de Melo, Jiri Olsa,
	Linus Torvalds, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	Ingo Molnar, Jiri Slaby

From: "Peter Zijlstra (Intel)" <peterz@infradead.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7f612a7f0bc13a2361a152862435b7941156b6af upstream.

Lukasz reported that perf stat counters overflow handling is broken on KNL/SLM.

Both these parts have full_width_write set, and that does indeed have
a problem. In order to deal with counter wrap, we must sample the
counter at at least half the counter period (see also the sampling
theorem) such that we can unambiguously reconstruct the count.

However commit:

  069e0c3c4058 ("perf/x86/intel: Support full width counting")

sets the sampling interval to the full period, not half.

Fixing that exposes another issue, in that we must not sign extend the
delta value when we shift it right; the counter cannot have
decremented after all.

With both these issues fixed, counter overflow functions correctly
again.

Reported-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
Tested-by: Liang, Kan <kan.liang@intel.com>
Tested-by: Odzioba, Lukasz <lukasz.odzioba@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: 069e0c3c4058 ("perf/x86/intel: Support full width counting")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/kernel/cpu/perf_event.c       | 2 +-
 arch/x86/kernel/cpu/perf_event_intel.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
index 0271272d55d0..050784bcd71f 100644
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -64,7 +64,7 @@ u64 x86_perf_event_update(struct perf_event *event)
 	int shift = 64 - x86_pmu.cntval_bits;
 	u64 prev_raw_count, new_raw_count;
 	int idx = hwc->idx;
-	s64 delta;
+	u64 delta;
 
 	if (idx == INTEL_PMC_IDX_FIXED_BTS)
 		return 0;
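Review bot: changing delta from s64 to u64 in x86_perf_event_update() only matters where delta is shifted right, and that line is outside the hunk, so the reason is invisible at the declaration. Add a comment there along the lines of the changelog ("the counter cannot have decremented") and check that the remaining uses of delta in the function do not rely on it being signed.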
diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
index 04e7df068f0e..0c6527a168f0 100644
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -2578,7 +2578,7 @@ __init int intel_pmu_init(void)
 
 	/* Support full width counters using alternative MSR range */
 	if (x86_pmu.intel_cap.full_width_write) {
-		x86_pmu.max_period = x86_pmu.cntval_mask;
+		x86_pmu.max_period = x86_pmu.cntval_mask >> 1;
 		x86_pmu.perfctr = MSR_IA32_PMC0;
 		pr_cont("full-width counters, ");
 	}
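Review bot: `x86_pmu.max_period = x86_pmu.cntval_mask >> 1;` sits under a comment that only says "Support full width counters using alternative MSR range", so the halving looks arbitrary to a later reader. Say in the comment that the period is limited to half the counter range so that a wrapped count can be reconstructed unambiguously, as the changelog explains.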
-- 
2.11.0
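
The sign-extension problem described in the changelog above, worked through in user space. This is an added example, not the kernel's code: it models the shift-left, subtract, shift-right delta computation and a counter programmed to the negated period; the 48-bit width, the helper names and the event counts are assumptions chosen for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define CNTVAL_BITS 48                               /* assumed counter width */
#define CNTVAL_MASK ((1ULL << CNTVAL_BITS) - 1)

/* Raw value programmed so the counter overflows after 'period' events. */
static uint64_t counter_start(uint64_t period)
{
	return (0 - period) & CNTVAL_MASK;
}

/* Raw value read back after 'events' events; hardware wraps at CNTVAL_BITS. */
static uint64_t counter_after(uint64_t start, uint64_t events)
{
	return (start + events) & CNTVAL_MASK;
}

/* Pre-fix arithmetic: signed delta, so the right shift sign-extends
 * (arithmetic shift, as gcc and clang implement it). */
static int64_t delta_s64(uint64_t prev_raw, uint64_t new_raw)
{
	int shift = 64 - CNTVAL_BITS;
	int64_t delta = (int64_t)((new_raw << shift) - (prev_raw << shift));

	return delta >> shift;
}

/* Post-fix arithmetic: unsigned delta, the shift fills with zeroes. */
static uint64_t delta_u64(uint64_t prev_raw, uint64_t new_raw)
{
	int shift = 64 - CNTVAL_BITS;
	uint64_t delta = (new_raw << shift) - (prev_raw << shift);

	return delta >> shift;
}

/* Program a period, let 'events' events happen, reconstruct the count. */
static int64_t measure_s64(uint64_t period, uint64_t events)
{
	uint64_t start = counter_start(period);

	return delta_s64(start, counter_after(start, events));
}

static uint64_t measure_u64(uint64_t period, uint64_t events)
{
	uint64_t start = counter_start(period);

	return delta_u64(start, counter_after(start, events));
}

int main(void)
{
	uint64_t half = CNTVAL_MASK >> 1;   /* max_period after the patch */
	uint64_t late = half + 3;           /* read three events after the wrap */

	printf("events=%" PRIu64 " s64=%" PRId64 " u64=%" PRIu64 "\n",
	       late, measure_s64(half, late), measure_u64(half, late));

	/* Full-width period: a read past the halfway point, before any wrap. */
	printf("events=%" PRIu64 " s64=%" PRId64 " u64=%" PRIu64 "\n",
	       (1ULL << 47) + 5,
	       measure_s64(CNTVAL_MASK, (1ULL << 47) + 5),
	       measure_u64(CNTVAL_MASK, (1ULL << 47) + 5));
	return 0;
}
```

Any elapsed count of 2^47 or more sets the top bit of the shifted difference, which the signed variant turns into a negative delta while the unsigned one returns the true count.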


* [PATCH 3.12 007/235] can: raw: raw_setsockopt: limit number of can_filter that can be set
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (5 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 006/235] perf/x86: Fix full width counter, counter overflow Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 008/235] can: peak: fix bad memory access and free sequence Jiri Slaby
                   ` (229 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Marc Kleine-Budde, Jiri Slaby

From: Marc Kleine-Budde <mkl@pengutronix.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 332b05ca7a438f857c61a3c21a88489a21532364 upstream.

This patch adds a check to limit the number of can_filters that can be
set via setsockopt on CAN_RAW sockets. Otherwise allocations > MAX_ORDER
are not prevented resulting in a warning.

Reference: https://lkml.org/lkml/2016/12/2/230

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/uapi/linux/can.h | 1 +
 net/can/raw.c            | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/include/uapi/linux/can.h b/include/uapi/linux/can.h
index e52958d7c2d1..3018528bd1bf 100644
--- a/include/uapi/linux/can.h
+++ b/include/uapi/linux/can.h
@@ -158,5 +158,6 @@ struct can_filter {
 };
 
 #define CAN_INV_FILTER 0x20000000U /* to be set in can_filter.can_id */
+#define CAN_RAW_FILTER_MAX 512 /* maximum number of can_filter set via setsockopt() */
 
 #endif /* CAN_H */
diff --git a/net/can/raw.c b/net/can/raw.c
index 641e1c895123..e10699cc72bd 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -470,6 +470,9 @@ static int raw_setsockopt(struct socket *sock, int level, int optname,
 		if (optlen % sizeof(struct can_filter) != 0)
 			return -EINVAL;
 
+		if (optlen > CAN_RAW_FILTER_MAX * sizeof(struct can_filter))
+			return -EINVAL;
+
 		count = optlen / sizeof(struct can_filter);
 
 		if (count > 1) {
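Review bot: the new limit in raw_setsockopt() is expressed in bytes (`optlen > CAN_RAW_FILTER_MAX * sizeof(struct can_filter)`) one statement before count is computed; testing `count > CAN_RAW_FILTER_MAX` after the division states the same bound in the unit the constant is defined in. Since CAN_RAW_FILTER_MAX is added to a uapi header, the limit and the -EINVAL result become part of the user-visible interface and should be mentioned in the CAN documentation.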
-- 
2.11.0


* [PATCH 3.12 008/235] can: peak: fix bad memory access and free sequence
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (6 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 007/235] can: raw: raw_setsockopt: limit number of can_filter that can be set Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 009/235] m68k: Fix ndelay() macro Jiri Slaby
                   ` (228 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, 추지호, Marc Kleine-Budde, Jiri Slaby

From: 추지호 <jiho.chu@samsung.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c upstream.

Fix for bad memory access while disconnecting. netdev is freed before
private data free, and dev is accessed after freeing netdev.

This makes a slub problem, and it raises a kernel oops with slub debugger
config.

Signed-off-by: Jiho Chu <jiho.chu@samsung.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/can/usb/peak_usb/pcan_usb_core.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
index 03e7f0cbda8c..47f0dcbf42ca 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
@@ -824,23 +824,25 @@ lbl_free_candev:
 static void peak_usb_disconnect(struct usb_interface *intf)
 {
 	struct peak_usb_device *dev;
+	struct peak_usb_device *dev_prev_siblings;
 
 	/* unregister as many netdev devices as siblings */
-	for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) {
+	for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
 		struct net_device *netdev = dev->netdev;
 		char name[IFNAMSIZ];
 
+		dev_prev_siblings = dev->prev_siblings;
 		dev->state &= ~PCAN_USB_STATE_CONNECTED;
 		strncpy(name, netdev->name, IFNAMSIZ);
 
 		unregister_netdev(netdev);
-		free_candev(netdev);
 
 		kfree(dev->cmd_buf);
 		dev->next_siblings = NULL;
 		if (dev->adapter->dev_free)
 			dev->adapter->dev_free(dev);
 
+		free_candev(netdev);
 		dev_info(&intf->dev, "%s removed\n", name);
 	}
 
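Review bot: the reordering in peak_usb_disconnect() is correct only if dev lives in memory released by free_candev(netdev), which the changelog implies but the code does not say. A comment above the moved `free_candev(netdev);` stating that it must come after the last use of dev (cmd_buf, adapter->dev_free) would protect the ordering, and would also explain why dev->prev_siblings has to be saved at the top of the loop body rather than read in the for statement.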
-- 
2.11.0


* [PATCH 3.12 009/235] m68k: Fix ndelay() macro
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (7 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 008/235] can: peak: fix bad memory access and free sequence Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52   ` Jiri Slaby
                   ` (227 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Boris Brezillon, Geert Uytterhoeven, Jiri Slaby

From: Boris Brezillon <boris.brezillon@free-electrons.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7e251bb21ae08ca2e4fb28cc0981fac2685a8efa upstream.

The current ndelay() macro definition has an extra semi-colon at the
end of the line thus leading to a compilation error when ndelay is used
in a conditional block without curly braces like this one:

	if (cond)
		ndelay(t);
	else
		...

which, after the preprocessor pass gives:

	if (cond)
		m68k_ndelay(t);;
	else
		...

thus leading to the following gcc error:

	error: 'else' without a previous 'if'

Remove this extra semi-colon.

Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Fixes: c8ee038bd1488 ("m68k: Implement ndelay() based on the existing udelay() logic")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/m68k/include/asm/delay.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/m68k/include/asm/delay.h b/arch/m68k/include/asm/delay.h
index d28fa8fe26fe..c598d847d56b 100644
--- a/arch/m68k/include/asm/delay.h
+++ b/arch/m68k/include/asm/delay.h
@@ -114,6 +114,6 @@ static inline void __udelay(unsigned long usecs)
  */
 #define	HZSCALE		(268435456 / (1000000 / HZ))
 
-#define ndelay(n) __delay(DIV_ROUND_UP((n) * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6), 1000));
+#define ndelay(n) __delay(DIV_ROUND_UP((n) * ((((HZSCALE) >> 11) * (loops_per_jiffy >> 11)) >> 6), 1000))
 
 #endif /* defined(_M68K_DELAY_H) */
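Review bot: dropping the trailing semicolon from ndelay() fixes the if/else case, but the definition remains a single line well past 80 columns and is still a function-like macro. The hunk context shows __udelay() is a static inline; giving ndelay() the same form would rule out this class of error and type-check n.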
-- 
2.11.0


* [PATCH 3.12 010/235] hotplug: Make register and unregister notifier API symmetric
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
@ 2017-01-27 10:52   ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 002/235] driver core: fix race between creating/querying glue dir and its cleanup Jiri Slaby
                     ` (235 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Michal Hocko, linux-mm, Andrew Morton,
	Dan Streetman, Thomas Gleixner, Jiri Slaby

From: Michal Hocko <mhocko@suse.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 777c6e0daebb3fcefbbd6f620410a946b07ef6d0 upstream.

Yu Zhao has noticed that __unregister_cpu_notifier only unregisters its
notifiers when HOTPLUG_CPU=y while the registration might succeed even
when HOTPLUG_CPU=n if MODULE is enabled. This means that e.g. zswap
might keep a stale notifier on the list on the manual clean up during
the pool tear down and thus corrupt the list. Resulting in the following

[  144.964346] BUG: unable to handle kernel paging request at ffff880658a2be78
[  144.971337] IP: [<ffffffffa290b00b>] raw_notifier_chain_register+0x1b/0x40
<snipped>
[  145.122628] Call Trace:
[  145.125086]  [<ffffffffa28e5cf8>] __register_cpu_notifier+0x18/0x20
[  145.131350]  [<ffffffffa2a5dd73>] zswap_pool_create+0x273/0x400
[  145.137268]  [<ffffffffa2a5e0fc>] __zswap_param_set+0x1fc/0x300
[  145.143188]  [<ffffffffa2944c1d>] ? trace_hardirqs_on+0xd/0x10
[  145.149018]  [<ffffffffa2908798>] ? kernel_param_lock+0x28/0x30
[  145.154940]  [<ffffffffa2a3e8cf>] ? __might_fault+0x4f/0xa0
[  145.160511]  [<ffffffffa2a5e237>] zswap_compressor_param_set+0x17/0x20
[  145.167035]  [<ffffffffa2908d3c>] param_attr_store+0x5c/0xb0
[  145.172694]  [<ffffffffa290848d>] module_attr_store+0x1d/0x30
[  145.178443]  [<ffffffffa2b2b41f>] sysfs_kf_write+0x4f/0x70
[  145.183925]  [<ffffffffa2b2a5b9>] kernfs_fop_write+0x149/0x180
[  145.189761]  [<ffffffffa2a99248>] __vfs_write+0x18/0x40
[  145.194982]  [<ffffffffa2a9a412>] vfs_write+0xb2/0x1a0
[  145.200122]  [<ffffffffa2a9a732>] SyS_write+0x52/0xa0
[  145.205177]  [<ffffffffa2ff4d97>] entry_SYSCALL_64_fastpath+0x12/0x17

This can be even triggered manually by changing
/sys/module/zswap/parameters/compressor multiple times.

Fix this issue by making unregister APIs symmetric to the register so
there are no surprises.

[js] backport to 3.12

Fixes: 47e627bc8c9a ("[PATCH] hotplug: Allow modules to use the cpu hotplug notifiers even if !CONFIG_HOTPLUG_CPU")
Reported-and-tested-by: Yu Zhao <yuzhao@google.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Cc: linux-mm@kvack.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dan Streetman <ddstreet@ieee.org>
Link: http://lkml.kernel.org/r/20161207135438.4310-1-mhocko@kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/linux/cpu.h | 12 +++---------
 kernel/cpu.c        |  3 +--
 2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/include/linux/cpu.h b/include/linux/cpu.h
index 801ff9e73679..d1fcdcbc01e4 100644
--- a/include/linux/cpu.h
+++ b/include/linux/cpu.h
@@ -119,22 +119,16 @@ enum {
 		{ .notifier_call = fn, .priority = pri };	\
 	register_cpu_notifier(&fn##_nb);			\
 }
-#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
-#define cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
-#endif /* #else #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
-#ifdef CONFIG_HOTPLUG_CPU
 extern int register_cpu_notifier(struct notifier_block *nb);
 extern void unregister_cpu_notifier(struct notifier_block *nb);
-#else
 
-#ifndef MODULE
-extern int register_cpu_notifier(struct notifier_block *nb);
-#else
+#else /* #if defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE) */
+#define cpu_notifier(fn, pri)	do { (void)(fn); } while (0)
+
 static inline int register_cpu_notifier(struct notifier_block *nb)
 {
 	return 0;
 }
-#endif
 
 static inline void unregister_cpu_notifier(struct notifier_block *nb)
 {
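
Review bot: the register_cpu_notifier() stub in the #else branch returns 0
for a module built with CONFIG_HOTPLUG_CPU=n, so a caller cannot tell
"registered" from "compiled out". That matches the empty unregister stub,
but it deserves a one-line comment above the two inline stubs. The #endif
that closes this block lies beyond the hunk and now terminates
"defined(CONFIG_HOTPLUG_CPU) || !defined(MODULE)" rather than the removed
inner conditionals, so it should carry that condition as its trailing
comment, as the new #else line does.
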
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 92599d897125..c1f258a0a10e 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -182,8 +182,6 @@ static int cpu_notify(unsigned long val, void *v)
 	return __cpu_notify(val, v, -1, NULL);
 }
 
-#ifdef CONFIG_HOTPLUG_CPU
-
 static void cpu_notify_nofail(unsigned long val, void *v)
 {
 	BUG_ON(cpu_notify(val, v));
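
Review bot: with the #ifdef CONFIG_HOTPLUG_CPU dropped from above it, the
static cpu_notify_nofail() is now compiled for HOTPLUG_CPU=n as well. If all
of its callers sit inside the CONFIG_HOTPLUG_CPU block that the next hunk
opens, such builds get a defined-but-unused warning. Please confirm a caller
exists in that configuration, or keep this function under the #ifdef and
move only unregister_cpu_notifier() out of it.
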
@@ -198,6 +196,7 @@ void __ref unregister_cpu_notifier(struct notifier_block *nb)
 }
 EXPORT_SYMBOL(unregister_cpu_notifier);
 
+#ifdef CONFIG_HOTPLUG_CPU
 /**
  * clear_tasks_mm_cpumask - Safely clear tasks' mm_cpumask for a CPU
  * @cpu: a CPU id
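
Review bot: the changelog speaks of __unregister_cpu_notifier() and the
trace shows __register_cpu_notifier(), while the function this hunk leaves
outside the #ifdef is unregister_cpu_notifier(). The "[js] backport to 3.12"
line should say that the 3.12 names differ, so that someone matching this
against the upstream commit is not misled. A blank line between the new
#ifdef and the kernel-doc comment would also match the surrounding style.
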
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 011/235] Revert "Btrfs: don't delay inode ref updates during log, replay"
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (9 preceding siblings ...)
  2017-01-27 10:52   ` Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 012/235] Btrfs: fix tree search logic when replaying directory entry deletes Jiri Slaby
                   ` (225 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Jeff Mahoney, Jiri Slaby

From: Jeff Mahoney <jeffm@suse.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

This reverts commit 644d10716875b24388680925d6c7502420987bfe, upstream
commit 6f8960541b1eb6054a642da48daae2320fddba93.

The original patch for mainline, 6f8960541b1 (Btrfs: don't delay
inode ref updates during log replay) lists 1d52c78afbb (Btrfs: try
not to ENOSPC on log replay) as the only pre-3.18 dependency, but it
also depends on 67de11769bd (Btrfs: introduce the delayed inode ref
deletion for the single link inode), which was introduced in 3.14
and isn't in 3.12.y.

The -stable commit added the check to btrfs_delayed_update_inode,
which may look similar to btrfs_delayed_delete_inode_ref, but it's
only superficial.  The tops of both functions handle typical
delayed node boilerplate.  The upshot is that the patch is harmless
since the caller already checks to see if we're doing log recovery,
so we're not breaking anything.  It should be reverted because it
makes it appear as if this issue was fixed for users who did
backport 67de11769bd, when it is not.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/btrfs/delayed-inode.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 34f33e16b08f..269ac79ea25c 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -1805,14 +1805,6 @@ int btrfs_delayed_update_inode(struct btrfs_trans_handle *trans,
 	struct btrfs_delayed_node *delayed_node;
 	int ret = 0;
 
-	/*
-	 * we don't do delayed inode updates during log recovery because it
-	 * leads to enospc problems.  This means we also can't do
-	 * delayed inode refs
-	 */
-	if (BTRFS_I(inode)->root->fs_info->log_root_recovering)
-		return -EAGAIN;
-
 	delayed_node = btrfs_get_or_create_delayed_node(inode);
 	if (IS_ERR(delayed_node))
 		return PTR_ERR(delayed_node);
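
Review bot: the log_root_recovering test removed from
btrfs_delayed_update_inode() is called redundant in the changelog because
the caller already checks for log recovery, but that caller is not named and
nothing in the function records the dependency. Name the caller in the
changelog so the claim can be checked against 3.12.y, since after this
revert the function relies on it entirely.
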
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 012/235] Btrfs: fix tree search logic when replaying directory entry deletes
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (10 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 011/235] Revert "Btrfs: don't delay inode ref updates during log, replay" Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 013/235] USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041 Jiri Slaby
                   ` (224 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Robbie Ko, Filipe Manana, Jiri Slaby

From: Robbie Ko <robbieko@synology.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 2a7bf53f577e49c43de4ffa7776056de26db65d9 upstream.

If a log tree has a layout like the following:

leaf N:
        ...
        item 240 key (282 DIR_LOG_ITEM 0) itemoff 8189 itemsize 8
                dir log end 1275809046
leaf N + 1:
        item 0 key (282 DIR_LOG_ITEM 3936149215) itemoff 16275 itemsize 8
                dir log end 18446744073709551615
        ...

When we pass the value 1275809046 + 1 as the parameter start_ret to the
function tree-log.c:find_dir_range() (done by replay_dir_deletes()), we
end up with path->slots[0] having the value 239 (points to the last item
of leaf N, item 240). Because the dir log item in that position has an
offset value smaller than *start_ret (1275809046 + 1) we need to move on
to the next leaf, however the logic for that is wrong since it compares
the current slot to the number of items in the leaf, which is smaller
and therefore we don't lookup for the next leaf but instead we set the
slot to point to an item that does not exist, at slot 240, and we later
operate on that slot which has unexpected content or in the worst case
can result in an invalid memory access (accessing beyond the last page
of leaf N's extent buffer).

So fix the logic that checks when we need to lookup at the next leaf
by first incrementing the slot and only after to check if that slot
is beyond the last item of the current leaf.

Signed-off-by: Robbie Ko <robbieko@synology.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Fixes: e02119d5a7b4 (Btrfs: Add a write ahead tree log to optimize synchronous operations)
Signed-off-by: Filipe Manana <fdmanana@suse.com>
[Modified changelog for clarity and correctness]
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/btrfs/tree-log.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index be3bf0be13c7..4c56a5028786 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1739,12 +1739,11 @@ static noinline int find_dir_range(struct btrfs_root *root,
 next:
 	/* check the next slot in the tree to see if it is a valid item */
 	nritems = btrfs_header_nritems(path->nodes[0]);
+	path->slots[0]++;
 	if (path->slots[0] >= nritems) {
 		ret = btrfs_next_leaf(root, path);
 		if (ret)
 			goto out;
-	} else {
-		path->slots[0]++;
 	}
 
 	btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]);
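
Review bot: nritems is still read before path->slots[0]++ and the comment at
the next: label is unchanged, so nothing tells the reader that the slot is
now advanced unconditionally before the bounds test. A short comment on the
increment (advance first, then check whether we ran past the last item of
the leaf) would document the off-by-one this fixes and make it harder to
reintroduce.
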
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 013/235] USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (11 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 012/235] Btrfs: fix tree search logic when replaying directory entry deletes Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 014/235] USB: serial: option: add dlink dwm-158 Jiri Slaby
                   ` (223 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Daniele Palmas, Johan Hovold, Jiri Slaby

From: Daniele Palmas <dnlplm@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5b09eff0c379002527ad72ea5ea38f25da8a8650 upstream.

This patch adds support for PIDs 0x1040, 0x1041 of Telit LE922A.

Since the interface positions are the same as the ones used
for other Telit compositions, previously defined blacklists are used.

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/option.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 2bc169692965..66fcf25b33e3 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -269,6 +269,8 @@ static void option_instat_callback(struct urb *urb);
 #define TELIT_PRODUCT_CC864_SINGLE		0x1006
 #define TELIT_PRODUCT_DE910_DUAL		0x1010
 #define TELIT_PRODUCT_UE910_V2			0x1012
+#define TELIT_PRODUCT_LE922_USBCFG1		0x1040
+#define TELIT_PRODUCT_LE922_USBCFG2		0x1041
 #define TELIT_PRODUCT_LE922_USBCFG0		0x1042
 #define TELIT_PRODUCT_LE922_USBCFG3		0x1043
 #define TELIT_PRODUCT_LE922_USBCFG5		0x1045
@@ -1212,6 +1214,10 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_UE910_V2) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0),
 		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG1),
+		.driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG2),
+		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG3),
 		.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff),
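
Review bot: TELIT_PRODUCT_LE922_USBCFG1 is tied to telit_le910_blacklist
while the USBCFG0 and USBCFG3 entries around it use telit_le922_blacklist_*
tables, and USBCFG2 borrows the usbcfg3 table. The changelog only says that
previously defined blacklists are reused. A comment on each new entry
stating which interfaces are reserved would let a reader confirm the mapping
is deliberate and not a copy-and-paste slip.
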
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 014/235] USB: serial: option: add dlink dwm-158
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (12 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 013/235] USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041 Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 015/235] USB: serial: kl5kusb105: fix open error path Jiri Slaby
                   ` (222 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Giuseppe Lippolis, Johan Hovold, Jiri Slaby

From: Giuseppe Lippolis <giu.lippolis@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d8a12b7117b42fd708f1e908498350232bdbd5ff upstream.

Adding registration for 3G modem DWM-158 in usb-serial-option

Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/option.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 66fcf25b33e3..99dff08b560b 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1862,6 +1862,7 @@ static const struct usb_device_id option_ids[] = {
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
+	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7d04, 0xff) },			/* D-Link DWM-158 */
 	{ USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff),			/* D-Link DWM-221 B1 */
 	  .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
 	{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
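
Review bot: the DWM-158 entry matches every vendor-class (0xff) interface of
0x2001:0x7d04 and carries no driver_info, whereas the DWM-221 B1 entry right
below it needs net_intf4_blacklist. The changelog does not describe the
device's interface layout. Please confirm that none of its 0xff interfaces
is a network function that option should leave alone, and say so in the
changelog.
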
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 015/235] USB: serial: kl5kusb105: fix open error path
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (13 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 014/235] USB: serial: option: add dlink dwm-158 Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 016/235] USB: cdc-acm: add device id for GW Instek AFG-125 Jiri Slaby
                   ` (221 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6774d5f53271d5f60464f824748995b71da401ab upstream.

Kill urbs and disable read before returning from open on failure to
retrieve the line state.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/kl5kusb105.c | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/drivers/usb/serial/kl5kusb105.c b/drivers/usb/serial/kl5kusb105.c
index 1b4054fe52a5..70e163d21e9a 100644
--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -304,7 +304,7 @@ static int  klsi_105_open(struct tty_struct *tty, struct usb_serial_port *port)
 	rc = usb_serial_generic_open(tty, port);
 	if (rc) {
 		retval = rc;
-		goto exit;
+		goto err_free_cfg;
 	}
 
 	rc = usb_control_msg(port->serial->dev,
@@ -323,17 +323,32 @@ static int  klsi_105_open(struct tty_struct *tty, struct usb_serial_port *port)
 		dev_dbg(&port->dev, "%s - enabled reading\n", __func__);
 
 	rc = klsi_105_get_line_state(port, &line_state);
-	if (rc >= 0) {
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_state = line_state;
-		spin_unlock_irqrestore(&priv->lock, flags);
-		dev_dbg(&port->dev, "%s - read line state 0x%lx\n", __func__, line_state);
-		retval = 0;
-	} else
+	if (rc < 0) {
 		retval = rc;
+		goto err_disable_read;
+	}
+
+	spin_lock_irqsave(&priv->lock, flags);
+	priv->line_state = line_state;
+	spin_unlock_irqrestore(&priv->lock, flags);
+	dev_dbg(&port->dev, "%s - read line state 0x%lx\n", __func__,
+			line_state);
+
+	return 0;
 
-exit:
+err_disable_read:
+	usb_control_msg(port->serial->dev,
+			     usb_sndctrlpipe(port->serial->dev, 0),
+			     KL5KUSB105A_SIO_CONFIGURE,
+			     USB_TYPE_VENDOR | USB_DIR_OUT,
+			     KL5KUSB105A_SIO_CONFIGURE_READ_OFF,
+			     0, /* index */
+			     NULL, 0,
+			     KLSI_TIMEOUT);
+	usb_serial_generic_close(port);
+err_free_cfg:
 	kfree(cfg);
+
 	return retval;
 }
 
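
Review bot: in the new err_disable_read path the result of the
KL5KUSB105A_SIO_CONFIGURE_READ_OFF control message is discarded silently; a
dev_dbg() or dev_err() on failure would show when the device was left with
reading enabled. The continuation lines of that usb_control_msg() call are
also still indented as if the call were prefixed with "rc = ", so they
should be realigned to the opening parenthesis.
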
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 016/235] USB: cdc-acm: add device id for GW Instek AFG-125
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (14 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 015/235] USB: serial: kl5kusb105: fix open error path Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 017/235] usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices Jiri Slaby
                   ` (220 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Nathaniel Quillin, Jiri Slaby

From: Nathaniel Quillin <ndq@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 301216044e4c27d5a7323c1fa766266fad00db5e upstream.

Add device-id entry for GW Instek AFG-125, which has a byte swapped
bInterfaceSubClass (0x20).

Signed-off-by: Nathaniel Quillin <ndq@google.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/class/cdc-acm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index 2d269169d08b..c78c4f7efb40 100644
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1588,6 +1588,7 @@ static const struct usb_device_id acm_ids[] = {
 	.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
 	},
 	{ USB_DEVICE(0x2184, 0x001c) },	/* GW Instek AFG-2225 */
+	{ USB_DEVICE(0x2184, 0x0036) },	/* GW Instek AFG-125 */
 	{ USB_DEVICE(0x22b8, 0x6425), /* Motorola MOTOMAGX phones */
 	},
 	/* Motorola H24 HSPA module: */
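
Review bot: the changelog gives the reason for this entry (a byte-swapped
bInterfaceSubClass of 0x20), but the table line carries only the model name.
Put the reason in the comment, for example "GW Instek AFG-125:
bInterfaceSubClass is byte swapped", so the entry is not later removed as
redundant with class matching.
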
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 017/235] usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (15 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 016/235] USB: cdc-acm: add device id for GW Instek AFG-125 Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 018/235] usb: gadget: composite: correctly initialize ep->maxpacket Jiri Slaby
                   ` (219 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Mathias Nyman, Alan Stern, Jiri Slaby

From: Mathias Nyman <mathias.nyman@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 37be66767e3cae4fd16e064d8bb7f9f72bf5c045 upstream.

USB-3 does not have any link state that will avoid negotiating a connection
with a plugged-in cable but will signal the host when the cable is
unplugged.

For USB-3 we used to first set the link to Disabled, then to RxDetect to
be able to detect cable connects or disconnects. But in RxDetect the
connected device is detected again and eventually enabled.

Instead set the link into U3 and disable remote wakeups for the device.
This is what Windows does, and what Alan Stern suggested.

Cc: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/core/hub.c | 102 +++++++++++++++++--------------------------------
 1 file changed, 36 insertions(+), 66 deletions(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 5e788077675b..2b11c552a909 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -115,6 +115,8 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem);
 
 static int usb_reset_and_verify_device(struct usb_device *udev);
 static void hub_release(struct kref *kref);
+static void hub_usb3_port_prepare_disable(struct usb_hub *hub,
+					  struct usb_port *port_dev);
 
 static inline char *portspeed(struct usb_hub *hub, int portstatus)
 {
@@ -878,82 +880,27 @@ static int hub_set_port_link_state(struct usb_hub *hub, int port1,
 }
 
 /*
- * If USB 3.0 ports are placed into the Disabled state, they will no longer
- * detect any device connects or disconnects.  This is generally not what the
- * USB core wants, since it expects a disabled port to produce a port status
- * change event when a new device connects.
- *
- * Instead, set the link state to Disabled, wait for the link to settle into
- * that state, clear any change bits, and then put the port into the RxDetect
- * state.
+ * USB-3 does not have a similar link state as USB-2 that will avoid negotiating
+ * a connection with a plugged-in cable but will signal the host when the cable
+ * is unplugged. Disable remote wake and set link state to U3 for USB-3 devices
  */
-static int hub_usb3_port_disable(struct usb_hub *hub, int port1)
-{
-	int ret;
-	int total_time;
-	u16 portchange, portstatus;
-
-	if (!hub_is_superspeed(hub->hdev))
-		return -EINVAL;
-
-	ret = hub_port_status(hub, port1, &portstatus, &portchange);
-	if (ret < 0)
-		return ret;
-
-	/*
-	 * USB controller Advanced Micro Devices, Inc. [AMD] FCH USB XHCI
-	 * Controller [1022:7814] will have spurious result making the following
-	 * usb 3.0 device hotplugging route to the 2.0 root hub and recognized
-	 * as high-speed device if we set the usb 3.0 port link state to
-	 * Disabled. Since it's already in USB_SS_PORT_LS_RX_DETECT state, we
-	 * check the state here to avoid the bug.
-	 */
-	if ((portstatus & USB_PORT_STAT_LINK_STATE) ==
-				USB_SS_PORT_LS_RX_DETECT) {
-		dev_dbg(&hub->ports[port1 - 1]->dev,
-			 "Not disabling port; link state is RxDetect\n");
-		return ret;
-	}
-
-	ret = hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_SS_DISABLED);
-	if (ret)
-		return ret;
-
-	/* Wait for the link to enter the disabled state. */
-	for (total_time = 0; ; total_time += HUB_DEBOUNCE_STEP) {
-		ret = hub_port_status(hub, port1, &portstatus, &portchange);
-		if (ret < 0)
-			return ret;
-
-		if ((portstatus & USB_PORT_STAT_LINK_STATE) ==
-				USB_SS_PORT_LS_SS_DISABLED)
-			break;
-		if (total_time >= HUB_DEBOUNCE_TIMEOUT)
-			break;
-		msleep(HUB_DEBOUNCE_STEP);
-	}
-	if (total_time >= HUB_DEBOUNCE_TIMEOUT)
-		dev_warn(hub->intfdev, "Could not disable port %d after %d ms\n",
-				port1, total_time);
-
-	return hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_RX_DETECT);
-}
-
 static int hub_port_disable(struct usb_hub *hub, int port1, int set_state)
 {
 	struct usb_device *hdev = hub->hdev;
 	int ret = 0;
 
-	if (hub->ports[port1 - 1]->child && set_state)
-		usb_set_device_state(hub->ports[port1 - 1]->child,
-				USB_STATE_NOTATTACHED);
 	if (!hub->error) {
-		if (hub_is_superspeed(hub->hdev))
-			ret = hub_usb3_port_disable(hub, port1);
-		else
+		if (hub_is_superspeed(hub->hdev)) {
+			hub_usb3_port_prepare_disable(hub, hub->ports[port1 - 1]);
+			ret = hub_set_port_link_state(hub, hub->ports[port1 - 1]->portnum,
+						      USB_SS_PORT_LS_U3);
+		} else {
 			ret = usb_clear_port_feature(hdev, port1,
 					USB_PORT_FEAT_ENABLE);
+		}
 	}
+	if (hub->ports[port1 - 1]->child && set_state)
+		usb_set_device_state(hub->ports[port1 - 1]->child, USB_STATE_NOTATTACHED);
 	if (ret && ret != -ENODEV)
 		dev_err(hub->intfdev, "cannot disable port %d (err = %d)\n",
 				port1, ret);
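
Review bot: in hub_port_disable() the SuperSpeed branch passes
hub->ports[port1 - 1]->portnum to hub_set_port_link_state() although port1
is already the argument and is what the else branch and the dev_err() use;
pass port1 directly. Two behavioural changes in this hunk are not covered by
the changelog: the usb_set_device_state(..., USB_STATE_NOTATTACHED) call now
runs after the link-state change instead of before it, and the early return
for ports already in RxDetect, which the removed comment attributes to the
AMD FCH xHCI controller [1022:7814], is gone. Please state why neither
matters once the port is put into U3.
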
@@ -3885,6 +3832,26 @@ void usb_unlocked_enable_lpm(struct usb_device *udev)
 }
 EXPORT_SYMBOL_GPL(usb_unlocked_enable_lpm);
 
+/* usb3 devices use U3 for disabled, make sure remote wakeup is disabled */
+static void hub_usb3_port_prepare_disable(struct usb_hub *hub,
+					  struct usb_port *port_dev)
+{
+	struct usb_device *udev = port_dev->child;
+	int ret;
+
+	if (udev && udev->port_is_suspended && udev->do_remote_wakeup) {
+		ret = hub_set_port_link_state(hub, port_dev->portnum,
+					      USB_SS_PORT_LS_U0);
+		if (!ret) {
+			msleep(USB_RESUME_TIMEOUT);
+			ret = usb_disable_remote_wakeup(udev);
+		}
+		if (ret)
+			dev_warn(&udev->dev,
+				 "Port disable: can't disable remote wake\n");
+		udev->do_remote_wakeup = 0;
+	}
+}
 
 #else	/* CONFIG_PM */
 
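
Review bot: hub_usb3_port_prepare_disable() clears udev->do_remote_wakeup
even when usb_disable_remote_wakeup() failed or was never reached, and it
prints "can't disable remote wake" when the failing step was the
hub_set_port_link_state() call that moves the link to U0. Report the two
failures separately or include ret in the dev_warn(), and consider leaving
do_remote_wakeup set when the device may still have remote wakeup enabled.
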
@@ -3892,6 +3859,9 @@ EXPORT_SYMBOL_GPL(usb_unlocked_enable_lpm);
 #define hub_resume		NULL
 #define hub_reset_resume	NULL
 
+static inline void hub_usb3_port_prepare_disable(struct usb_hub *hub,
+						 struct usb_port *port_dev) { }
+
 int usb_disable_lpm(struct usb_device *udev)
 {
 	return 0;
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 018/235] usb: gadget: composite: correctly initialize ep->maxpacket
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (16 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 017/235] usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 019/235] USB: UHCI: report non-PME wakeup signalling for Intel hardware Jiri Slaby
                   ` (218 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Felipe Balbi, Jiri Slaby

From: Felipe Balbi <felipe.balbi@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e8f29bb719b47a234f33b0af62974d7a9521a52c upstream.

usb_endpoint_maxp() returns wMaxPacketSize in its
raw form. Without taking into consideration that it
also contains other bits reserved for isochronous
endpoints.

This patch fixes one occasion where this is a
problem by making sure that we initialize
ep->maxpacket only with lower 10 bits of the value
returned by usb_endpoint_maxp(). Note that separate
patches will be necessary to audit all call sites of
usb_endpoint_maxp() and make sure that
usb_endpoint_maxp() only returns lower 10 bits of
wMaxPacketSize.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/gadget/composite.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index a0b5a13b52b0..bd6400b4af89 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -125,7 +125,7 @@ int config_ep_by_speed(struct usb_gadget *g,
 
 ep_found:
 	/* commit results */
-	_ep->maxpacket = usb_endpoint_maxp(chosen_desc);
+	_ep->maxpacket = usb_endpoint_maxp(chosen_desc) & 0x7ff;
 	_ep->desc = chosen_desc;
 	_ep->comp_desc = NULL;
 	_ep->maxburst = 0;
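Review bot: the mask on the `_ep->maxpacket` assignment is a bare `0x7ff`, which keeps bits 0 through 10 (eleven bits), while the commit message speaks of the "lower 10 bits"; one of the two is off by a bit and the code alone does not say which. A named constant, or a short comment stating which wMaxPacketSize bits carry the packet size, would settle it and would give the follow-up audit of the other usb_endpoint_maxp() call sites a single definition to reuse.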
-- 
2.11.0

* [PATCH 3.12 019/235] USB: UHCI: report non-PME wakeup signalling for Intel hardware
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (17 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 018/235] usb: gadget: composite: correctly initialize ep->maxpacket Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 020/235] ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks Jiri Slaby
                   ` (217 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alan Stern, Bjorn Helgaas, Jiri Slaby

From: Alan Stern <stern@rowland.harvard.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ccdb6be9ec6580ef69f68949ebe26e0fb58a6fb0 upstream.

The UHCI controllers in Intel chipsets rely on a platform-specific non-PME
mechanism for wakeup signalling.  They can generate wakeup signals even
though they don't support PME.

We need to let the USB core know this so that it will enable runtime
suspend for UHCI controllers.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/uhci-pci.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/host/uhci-pci.c b/drivers/usb/host/uhci-pci.c
index 0f228c46eeda..ad458ef4b7e9 100644
--- a/drivers/usb/host/uhci-pci.c
+++ b/drivers/usb/host/uhci-pci.c
@@ -129,6 +129,10 @@ static int uhci_pci_init(struct usb_hcd *hcd)
 	if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_HP)
 		uhci->wait_for_hp = 1;
 
+	/* Intel controllers use non-PME wakeup signalling */
+	if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_INTEL)
+		device_set_run_wake(uhci_dev(uhci), 1);
+
 	/* Set up pointers to PCI-specific functions */
 	uhci->reset_hc = uhci_pci_reset_hc;
 	uhci->check_and_reset_hc = uhci_pci_check_and_reset_hc;
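Review bot: the new `PCI_VENDOR_ID_INTEL` test repeats the `to_pci_dev(uhci_dev(uhci))->vendor` lookup that the HP test just above already performs, and `uhci_dev(uhci)` appears a third time in the `device_set_run_wake()` call. Fetching the PCI device (or its vendor ID) once into a local would make the two vendor quirks easier to read and extend. The comment could also state the consequence given in the commit message, that the USB core needs this flag before it will enable runtime suspend for these controllers.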
-- 
2.11.0

* [PATCH 3.12 020/235] ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (18 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 019/235] USB: UHCI: report non-PME wakeup signalling for Intel hardware Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 021/235] ALSA: hiface: Fix M2Tech hiFace driver sampling rate change Jiri Slaby
                   ` (216 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Con Kolivas, Con Kolivas, Takashi Iwai, Jiri Slaby

From: Con Kolivas <con@kolivas.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 82ffb6fc637150b279f49e174166d2aa3853eaf4 upstream.

The Logitech QuickCam Communicate Deluxe/S7500 microphone fails with the
following warning.

[    6.778995] usb 2-1.2.2.2: Warning! Unlikely big volume range (=3072),
cval->res is probably wrong.
[    6.778996] usb 2-1.2.2.2: [5] FU [Mic Capture Volume] ch = 1, val =
4608/7680/1

Adding it to the list of devices in volume_control_quirks makes it work
properly, fixing related typo.

Signed-off-by: Con Kolivas <kernel@kolivas.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 sound/usb/mixer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 86f46b46f214..afcaafce643c 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -893,9 +893,10 @@ static void volume_control_quirks(struct usb_mixer_elem_info *cval,
 	case USB_ID(0x046d, 0x0826): /* HD Webcam c525 */
 	case USB_ID(0x046d, 0x08ca): /* Logitech Quickcam Fusion */
 	case USB_ID(0x046d, 0x0991):
+	case USB_ID(0x046d, 0x09a2): /* QuickCam Communicate Deluxe/S7500 */
 	/* Most audio usb devices lie about volume resolution.
 	 * Most Logitech webcams have res = 384.
-	 * Proboly there is some logitech magic behind this number --fishor
+	 * Probably there is some logitech magic behind this number --fishor
 	 */
 		if (!strcmp(kctl->id.name, "Mic Capture Volume")) {
 			snd_printk(KERN_INFO
-- 
2.11.0

* [PATCH 3.12 021/235] ALSA: hiface: Fix M2Tech hiFace driver sampling rate change
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (19 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 020/235] ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 022/235] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO Jiri Slaby
                   ` (215 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Jussi Laako, Takashi Iwai, Jiri Slaby

From: Jussi Laako <jussi@sonarnerd.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 995c6a7fd9b9212abdf01160f6ce3193176be503 upstream.

Sampling rate changes after first set one are not reflected to the
hardware, while driver and ALSA think the rate has been changed.

Fix the problem by properly stopping the interface at the beginning of
prepare call, allowing new rate to be set to the hardware. This keeps
the hardware in sync with the driver.

Signed-off-by: Jussi Laako <jussi@sonarnerd.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 sound/usb/hiface/pcm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/usb/hiface/pcm.c b/sound/usb/hiface/pcm.c
index c21a3df9a0df..d4d036fca6cb 100644
--- a/sound/usb/hiface/pcm.c
+++ b/sound/usb/hiface/pcm.c
@@ -445,6 +445,8 @@ static int hiface_pcm_prepare(struct snd_pcm_substream *alsa_sub)
 
 	mutex_lock(&rt->stream_mutex);
 
+	hiface_pcm_stream_stop(rt);
+
 	sub->dma_off = 0;
 	sub->period_off = 0;
 
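Review bot: `hiface_pcm_stream_stop(rt)` is now called on every prepare, directly after `rt->stream_mutex` is taken, with no comment saying why. The reason lives only in the commit message (a later rate change is otherwise not written to the hardware), so a one-line comment above the call would keep it from being removed as redundant. It is also worth confirming that the stop routine is safe to call when the stream is not running, since prepare can be reached in that state.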
-- 
2.11.0

* [PATCH 3.12 022/235] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (20 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 021/235] ALSA: hiface: Fix M2Tech hiFace driver sampling rate change Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 023/235] Btrfs: fix memory leak in reading btree blocks Jiri Slaby
                   ` (214 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Takashi Iwai, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f73cd43ac3b41c0f09a126387f302bbc0d9c726d upstream.

HP Z1 Gen3 AiO with Conexant codec doesn't give an unsolicited event
to the headset mic pin upon the jack plugging, it reports only to the
headphone pin.  It results in the missing mic switching.  Let's fix up
by simply gating the jack event.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 sound/pci/hda/patch_conexant.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index c036e60c34fe..63a335dfd629 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -3234,6 +3234,7 @@ enum {
 	CXT_FIXUP_HEADPHONE_MIC,
 	CXT_FIXUP_GPIO1,
 	CXT_FIXUP_ASPIRE_DMIC,
+	CXT_FIXUP_HP_GATE_MIC,
 };
 
 static void cxt_fixup_stereo_dmic(struct hda_codec *codec,
@@ -3310,6 +3311,17 @@ static void cxt_fixup_headphone_mic(struct hda_codec *codec,
 }
 
 
+static void cxt_fixup_hp_gate_mic_jack(struct hda_codec *codec,
+				       const struct hda_fixup *fix,
+				       int action)
+{
+	/* the mic pin (0x19) doesn't give an unsolicited event;
+	 * probe the mic pin together with the headphone pin (0x16)
+	 */
+	if (action == HDA_FIXUP_ACT_PROBE)
+		snd_hda_jack_set_gating_jack(codec, 0x19, 0x16);
+}
+
 /* ThinkPad X200 & co with cxt5051 */
 static const struct hda_pintbl cxt_pincfg_lenovo_x200[] = {
 	{ 0x16, 0x042140ff }, /* HP (seq# overridden) */
@@ -3403,6 +3415,10 @@ static const struct hda_fixup cxt_fixups[] = {
 		.chained = true,
 		.chain_id = CXT_FIXUP_GPIO1,
 	},
+	[CXT_FIXUP_HP_GATE_MIC] = {
+		.type = HDA_FIXUP_FUNC,
+		.v.func = cxt_fixup_hp_gate_mic_jack,
+	},
 };
 
 static const struct snd_pci_quirk cxt5051_fixups[] = {
@@ -3414,6 +3430,7 @@ static const struct snd_pci_quirk cxt5051_fixups[] = {
 static const struct snd_pci_quirk cxt5066_fixups[] = {
 	SND_PCI_QUIRK(0x1025, 0x0543, "Acer Aspire One 522", CXT_FIXUP_STEREO_DMIC),
 	SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC),
+	SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC),
 	SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
 	SND_PCI_QUIRK(0x17aa, 0x20f2, "Lenovo T400", CXT_PINCFG_LENOVO_TP410),
 	SND_PCI_QUIRK(0x17aa, 0x215e, "Lenovo T410", CXT_PINCFG_LENOVO_TP410),
-- 
2.11.0

* [PATCH 3.12 023/235] Btrfs: fix memory leak in reading btree blocks
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (21 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 022/235] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 024/235] block_dev: don't test bdev->bd_contains when it is not stable Jiri Slaby
                   ` (213 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Liu Bo, David Sterba, Jiri Slaby

From: Liu Bo <bo.li.liu@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 2571e739677f1e4c0c63f5ed49adcc0857923625 upstream.

So we can read a btree block via readahead or intentional read,
and we can end up with a memory leak when something happens as
follows,
1) readahead starts to read block A but does not wait for read
   completion,
2) btree_readpage_end_io_hook finds that block A is corrupted,
   and it needs to clear all block A's pages' uptodate bit.
3) meanwhile an intentional read kicks in and checks block A's
   pages' uptodate to decide which page needs to be read.
4) when some pages have the uptodate bit during 3)'s check so
   3) doesn't count them for eb->io_pages, but they are later
   cleared by 2) so we have to readpage on the page, we get
   the wrong eb->io_pages which results in a memory leak of
   this block.

This fixes the problem by firstly getting all pages' locking and
then checking pages' uptodate bit.

   t1(readahead)                              t2(readahead endio)                                       t3(the following read)
read_extent_buffer_pages                    end_bio_extent_readpage
  for pg in eb:                                for page 0,1,2 in eb:
      if pg is uptodate:                           btree_readpage_end_io_hook(pg)
          num_reads++                              if uptodate:
  eb->io_pages = num_reads                             SetPageUptodate(pg)              _______________
  for pg in eb:                                for page 3 in eb:                                     read_extent_buffer_pages
       if pg is NOT uptodate:                      btree_readpage_end_io_hook(pg)                       for pg in eb:
           __extent_read_full_page(pg)                 sanity check reports something wrong                 if pg is uptodate:
                                                       clear_extent_buffer_uptodate(eb)                         num_reads++
                                                           for pg in eb:                                eb->io_pages = num_reads
                                                               ClearPageUptodate(page)  _______________
                                                                                                        for pg in eb:
                                                                                                            if pg is NOT uptodate:
                                                                                                                __extent_read_full_page(pg)

So t3's eb->io_pages is not consistent with the number of pages it's reading,
and during endio(), atomic_dec_and_test(&eb->io_pages) will get a negative
number so that we're not able to free the eb.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/btrfs/extent_io.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 85bcb25384c0..854af9e95f4c 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -4865,11 +4865,20 @@ int read_extent_buffer_pages(struct extent_io_tree *tree,
 			lock_page(page);
 		}
 		locked_pages++;
+	}
+	/*
+	 * We need to firstly lock all pages to make sure that
+	 * the uptodate bit of our pages won't be affected by
+	 * clear_extent_buffer_uptodate().
+	 */
+	for (i = start_i; i < num_pages; i++) {
+		page = eb->pages[i];
 		if (!PageUptodate(page)) {
 			num_reads++;
 			all_uptodate = 0;
 		}
 	}
+
 	if (all_uptodate) {
 		if (start_i == 0)
 			set_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags);
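Review bot: the second loop reads `PageUptodate(page)` on `eb->pages[i]` for `i` from `start_i` to `num_pages` on the assumption that the first loop left every one of those pages locked, but nothing in the new loop checks that. If the first loop has any path that leaves a page unlocked and still falls through, `num_reads` is again computed from an unstable bit and `eb->io_pages` can go wrong in the way the commit message describes. An assertion that the page is locked inside the new loop, or wording in the comment that names the page lock as what serializes against `clear_extent_buffer_uptodate()`, would make the invariant explicit.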
-- 
2.11.0

* [PATCH 3.12 024/235] block_dev: don't test bdev->bd_contains when it is not stable
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (22 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 023/235] Btrfs: fix memory leak in reading btree blocks Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 025/235] crypto: caam - fix AEAD givenc descriptors Jiri Slaby
                   ` (212 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, NeilBrown, Jens Axboe, Jiri Slaby

From: NeilBrown <neilb@suse.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit bcc7f5b4bee8e327689a4d994022765855c807ff upstream.

bdev->bd_contains is not stable before calling __blkdev_get().
When __blkdev_get() is called on a partition with ->bd_openers == 0
it sets
  bdev->bd_contains = bdev;
which is not correct for a partition.
After a call to __blkdev_get() succeeds, ->bd_openers will be > 0
and then ->bd_contains is stable.

When FMODE_EXCL is used, blkdev_get() calls
   bd_start_claiming() ->  bd_prepare_to_claim() -> bd_may_claim()

This call happens before __blkdev_get() is called, so ->bd_contains
is not stable.  So bd_may_claim() cannot safely use ->bd_contains.
It currently tries to use it, and this can lead to a BUG_ON().

This happens when a whole device is already open with a bd_holder (in
use by dm in my particular example) and two threads race to open a
partition of that device for the first time, one opening with O_EXCL and
one without.

The thread that doesn't use O_EXCL gets through blkdev_get() to
__blkdev_get(), gains the ->bd_mutex, and sets bdev->bd_contains = bdev;

Immediately thereafter the other thread, using FMODE_EXCL, calls
bd_start_claiming() from blkdev_get().  This should fail because the
whole device has a holder, but because bdev->bd_contains == bdev
bd_may_claim() incorrectly reports success.
This thread continues and blocks on bd_mutex.

The first thread then sets bdev->bd_contains correctly and drops the mutex.
The thread using FMODE_EXCL then continues and when it calls bd_may_claim()
again in:
			BUG_ON(!bd_may_claim(bdev, whole, holder));
The BUG_ON fires.

Fix this by removing the dependency on ->bd_contains in
bd_may_claim().  As bd_may_claim() has direct access to the whole
device, it can simply test if the target bdev is the whole device.

Fixes: 6b4517a7913a ("block: implement bd_claiming and claiming block")
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/block_dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/block_dev.c b/fs/block_dev.c
index 1e86823a9cbd..bd1930056f0b 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -634,7 +634,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole,
 		return true;	 /* already a holder */
 	else if (bdev->bd_holder != NULL)
 		return false; 	 /* held by someone else */
-	else if (bdev->bd_contains == bdev)
+	else if (whole == bdev)
 		return true;  	 /* is a whole device which isn't held */
 
 	else if (whole->bd_holder == bd_may_claim)
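Review bot: the one-line swap to `whole == bdev` leaves no trace in `bd_may_claim()` of why `bdev->bd_contains` must not be used at this branch. A comment stating that `->bd_contains` is not stable until `__blkdev_get()` has succeeded would keep a later cleanup from restoring the old test and bringing back the `BUG_ON()` race described in the commit message.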
-- 
2.11.0

* [PATCH 3.12 025/235] crypto: caam - fix AEAD givenc descriptors
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (23 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 024/235] block_dev: don't test bdev->bd_contains when it is not stable Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 026/235] ext4: fix mballoc breakage with 64k block size Jiri Slaby
                   ` (211 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Alex Porosanu, Horia Geantă, Herbert Xu, Jiri Slaby

From: Alex Porosanu <alexandru.porosanu@nxp.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d128af17876d79b87edf048303f98b35f6a53dbc upstream.

The AEAD givenc descriptor relies on moving the IV through the
output FIFO and then back to the CTX2 for authentication. The
SEQ FIFO STORE could be scheduled before the data can be
read from OFIFO, especially since the SEQ FIFO LOAD needs
to wait for the SEQ FIFO LOAD SKIP to finish first. The
SKIP takes more time when the input is SG than when it's
a contiguous buffer. If the SEQ FIFO LOAD is not scheduled
before the STORE, the DECO will hang waiting for data
to be available in the OFIFO so it can be transferred to C2.
In order to overcome this, first force transfer of IV to C2
by starting the "cryptlen" transfer first and then starting to
store data from OFIFO to the output buffer.

Fixes: 1acebad3d8db8 ("crypto: caam - faster aead implementation")
Signed-off-by: Alex Porosanu <alexandru.porosanu@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/crypto/caam/caamalg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c
index 7c63b72ecd75..66f549399dc4 100644
--- a/drivers/crypto/caam/caamalg.c
+++ b/drivers/crypto/caam/caamalg.c
@@ -418,7 +418,9 @@ static int aead_set_sh_desc(struct crypto_aead *aead)
 
 	/* Will read cryptlen */
 	append_math_add(desc, VARSEQINLEN, SEQINLEN, REG0, CAAM_CMD_SZ);
-	aead_append_src_dst(desc, FIFOLD_TYPE_MSG1OUT2);
+	append_seq_fifo_load(desc, 0, FIFOLD_CLASS_BOTH | KEY_VLF |
+			     FIFOLD_TYPE_MSG1OUT2 | FIFOLD_TYPE_LASTBOTH);
+	append_seq_fifo_store(desc, 0, FIFOST_TYPE_MESSAGE_DATA | KEY_VLF);
 
 	/* Write ICV */
 	append_seq_store(desc, ctx->authsize, LDST_CLASS_2_CCB |
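Review bot: replacing `aead_append_src_dst(desc, FIFOLD_TYPE_MSG1OUT2)` with an explicit `append_seq_fifo_load()` followed by `append_seq_fifo_store()` makes the order of the two commands the whole point of the change, yet the only comment nearby is still "Will read cryptlen". A comment at the load saying it has to be queued before the store, because otherwise the DECO can hang waiting for OFIFO data, would keep the ordering from being folded back into the helper during a later cleanup.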
-- 
2.11.0

* [PATCH 3.12 026/235] ext4: fix mballoc breakage with 64k block size
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (24 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 025/235] crypto: caam - fix AEAD givenc descriptors Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 027/235] ext4: fix stack memory corruption " Jiri Slaby
                   ` (210 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Chandan Rajendra, Theodore Ts'o, Jiri Slaby

From: Chandan Rajendra <chandan@linux.vnet.ibm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 69e43e8cc971a79dd1ee5d4343d8e63f82725123 upstream.

'border' variable is set to a value of 2 times the block size of the
underlying filesystem. With 64k block size, the resulting value won't
fit into a 16-bit variable. Hence this commit changes the data type of
'border' to 'unsigned int'.

Fixes: c9de560ded61f
Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ext4/mballoc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 96f4c72fbbd2..d775b7b02dd0 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -668,7 +668,7 @@ static void ext4_mb_mark_free_simple(struct super_block *sb,
 	ext4_grpblk_t min;
 	ext4_grpblk_t max;
 	ext4_grpblk_t chunk;
-	unsigned short border;
+	unsigned int border;
 
 	BUG_ON(len > EXT4_CLUSTERS_PER_GROUP(sb));
 
-- 
2.11.0

* [PATCH 3.12 027/235] ext4: fix stack memory corruption with 64k block size
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (25 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 026/235] ext4: fix mballoc breakage with 64k block size Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 028/235] ext4: use more strict checks for inodes_per_block on mount Jiri Slaby
                   ` (209 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Chandan Rajendra, Theodore Ts'o, Jiri Slaby

From: Chandan Rajendra <chandan@linux.vnet.ibm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 30a9d7afe70ed6bd9191d3000e2ef1a34fb58493 upstream.

The number of 'counters' elements needed in 'struct sg' is
super_block->s_blocksize_bits + 2. Presently we have 16 'counters'
elements in the array. This is insufficient for block sizes >= 32k. In
such cases the memcpy operation performed in ext4_mb_seq_groups_show()
would cause stack memory corruption.

Fixes: c9de560ded61f
Signed-off-by: Chandan Rajendra <chandan@linux.vnet.ibm.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ext4/mballoc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index d775b7b02dd0..2b4ed2bf9569 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2243,7 +2243,7 @@ static int ext4_mb_seq_groups_show(struct seq_file *seq, void *v)
 	struct ext4_group_info *grinfo;
 	struct sg {
 		struct ext4_group_info info;
-		ext4_grpblk_t counters[16];
+		ext4_grpblk_t counters[EXT4_MAX_BLOCK_LOG_SIZE + 2];
 	} sg;
 
 	group--;
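Review bot: sizing `counters[]` as `EXT4_MAX_BLOCK_LOG_SIZE + 2` removes the overflow only as long as the memcpy in `ext4_mb_seq_groups_show()` never copies more than that many elements, and the copy length is computed outside this hunk. A check that ties the copy size to `sizeof(sg.counters)`, or at least a comment recording that the required count is `s_blocksize_bits + 2`, would keep the array size and the copy length from drifting apart again.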
-- 
2.11.0

* [PATCH 3.12 028/235] ext4: use more strict checks for inodes_per_block on mount
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (26 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 027/235] ext4: fix stack memory corruption " Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 029/235] ext4: fix in-superblock mount options processing Jiri Slaby
                   ` (208 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Theodore Ts'o, Jiri Slaby

From: Theodore Ts'o <tytso@mit.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit cd6bb35bf7f6d7d922509bf50265383a0ceabe96 upstream.

Centralize the checks for inodes_per_block and be more strict to make
sure the inodes_per_block_group can't end up being zero.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ext4/super.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 483bc328643d..f61a597282f2 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3689,12 +3689,16 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 
 	sbi->s_blocks_per_group = le32_to_cpu(es->s_blocks_per_group);
 	sbi->s_inodes_per_group = le32_to_cpu(es->s_inodes_per_group);
-	if (EXT4_INODE_SIZE(sb) == 0 || EXT4_INODES_PER_GROUP(sb) == 0)
-		goto cantfind_ext4;
 
 	sbi->s_inodes_per_block = blocksize / EXT4_INODE_SIZE(sb);
 	if (sbi->s_inodes_per_block == 0)
 		goto cantfind_ext4;
+	if (sbi->s_inodes_per_group < sbi->s_inodes_per_block ||
+	    sbi->s_inodes_per_group > blocksize * 8) {
+		ext4_msg(sb, KERN_ERR, "invalid inodes per group: %lu\n",
+			 sbi->s_blocks_per_group);
+		goto failed_mount;
+	}
 	sbi->s_itb_per_group = sbi->s_inodes_per_group /
 					sbi->s_inodes_per_block;
 	sbi->s_desc_per_block = blocksize / EXT4_DESC_SIZE(sb);
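Review bot: the new `ext4_msg()` says "invalid inodes per group" but passes `sbi->s_blocks_per_group`, so the log will show the wrong field; it should print `sbi->s_inodes_per_group`, as the check removed further down did. The format string also ends in `\n`, which the removed message did not have. Separately, with the `EXT4_INODE_SIZE(sb) == 0` test gone, the division `blocksize / EXT4_INODE_SIZE(sb)` relies on the inode size having been validated as nonzero before this point, which is worth confirming because the value comes from the on-disk superblock.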
@@ -3778,13 +3782,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	}
 	sbi->s_cluster_ratio = clustersize / blocksize;
 
-	if (sbi->s_inodes_per_group > blocksize * 8) {
-		ext4_msg(sb, KERN_ERR,
-		       "#inodes per group too big: %lu",
-		       sbi->s_inodes_per_group);
-		goto failed_mount;
-	}
-
 	/* Do we have standard group size of clustersize * 8 blocks ? */
 	if (sbi->s_blocks_per_group == clustersize << 3)
 		set_opt2(sb, STD_GROUP_SIZE);
-- 
2.11.0

* [PATCH 3.12 029/235] ext4: fix in-superblock mount options processing
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (27 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 028/235] ext4: use more strict checks for inodes_per_block on mount Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 030/235] ext4: add sanity checking to count_overhead() Jiri Slaby
                   ` (207 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Theodore Ts'o, Jiri Slaby

From: Theodore Ts'o <tytso@mit.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5aee0f8a3f42c94c5012f1673420aee96315925a upstream.

Fix a large number of problems with how we handle mount options in the
superblock.  For one, if the string in the superblock is long enough
that it is not null terminated, we could run off the end of the string
and try to interpret superblock fields as characters.  It's unlikely
this will cause a security problem, but it could result in an invalid
parse.  Also, parse_options is destructive to the string, so in some
cases if there is a comma-separated string, it would be modified in
the superblock.  (Fortunately it only happens on file systems with a
1k block size.)

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ext4/super.c | 38 +++++++++++++++++++++++---------------
 1 file changed, 23 insertions(+), 15 deletions(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index f61a597282f2..6c67a988bfce 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3363,7 +3363,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	char *orig_data = kstrdup(data, GFP_KERNEL);
 	struct buffer_head *bh;
 	struct ext4_super_block *es = NULL;
-	struct ext4_sb_info *sbi;
+	struct ext4_sb_info *sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
 	ext4_fsblk_t block;
 	ext4_fsblk_t sb_block = get_sb_block(&data);
 	ext4_fsblk_t logical_sb_block;
@@ -3383,16 +3383,14 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	unsigned int journal_ioprio = DEFAULT_JOURNAL_IOPRIO;
 	ext4_group_t first_not_zeroed;
 
-	sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
-	if (!sbi)
-		goto out_free_orig;
+	if ((data && !orig_data) || !sbi)
+		goto out_free_base;
 
 	sbi->s_blockgroup_lock =
 		kzalloc(sizeof(struct blockgroup_lock), GFP_KERNEL);
-	if (!sbi->s_blockgroup_lock) {
-		kfree(sbi);
-		goto out_free_orig;
-	}
+	if (!sbi->s_blockgroup_lock)
+		goto out_free_base;
+
 	sb->s_fs_info = sbi;
 	sbi->s_sb = sb;
 	sbi->s_inode_readahead_blks = EXT4_DEF_INODE_READAHEAD_BLKS;
@@ -3538,11 +3536,19 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	 */
 	sbi->s_li_wait_mult = EXT4_DEF_LI_WAIT_MULT;
 
-	if (!parse_options((char *) sbi->s_es->s_mount_opts, sb,
-			   &journal_devnum, &journal_ioprio, 0)) {
-		ext4_msg(sb, KERN_WARNING,
-			 "failed to parse options in superblock: %s",
-			 sbi->s_es->s_mount_opts);
+	if (sbi->s_es->s_mount_opts[0]) {
+		char *s_mount_opts = kstrndup(sbi->s_es->s_mount_opts,
+					      sizeof(sbi->s_es->s_mount_opts),
+					      GFP_KERNEL);
+		if (!s_mount_opts)
+			goto failed_mount;
+		if (!parse_options(s_mount_opts, sb, &journal_devnum,
+				   &journal_ioprio, 0)) {
+			ext4_msg(sb, KERN_WARNING,
+				 "failed to parse options in superblock: %s",
+				 s_mount_opts);
+		}
+		kfree(s_mount_opts);
 	}
 	sbi->s_def_mount_opt = sbi->s_mount_opt;
 	if (!parse_options((char *) data, sb, &journal_devnum,
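Review bot: when `kstrndup()` fails, the new code jumps to `failed_mount` without setting an error code in the lines shown, and the function ends with `return err ? err : ret;`. Unless `ret` already holds `-ENOMEM` at this point, the allocation failure is reported with whatever value happens to be there, so it should be set explicitly before the `goto`. The bounded copy itself addresses both problems named in the commit message: the missing terminator and `parse_options()` modifying the string inside the superblock.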
@@ -4170,7 +4176,9 @@ no_journal:
 	}
 
 	ext4_msg(sb, KERN_INFO, "mounted filesystem with%s. "
-		 "Opts: %s%s%s", descr, sbi->s_es->s_mount_opts,
+		 "Opts: %.*s%s%s", descr,
+		 (int) sizeof(sbi->s_es->s_mount_opts),
+		 sbi->s_es->s_mount_opts,
 		 *sbi->s_es->s_mount_opts ? "; " : "", orig_data);
 
 	if (es->s_error_count)
@@ -4239,8 +4247,8 @@ failed_mount:
 out_fail:
 	sb->s_fs_info = NULL;
 	kfree(sbi->s_blockgroup_lock);
+out_free_base:
 	kfree(sbi);
-out_free_orig:
 	kfree(orig_data);
 	return err ? err : ret;
 }
-- 
2.11.0

* [PATCH 3.12 030/235] ext4: add sanity checking to count_overhead()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (28 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 029/235] ext4: fix in-superblock mount options processing Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 031/235] ext4: reject inodes with negative size Jiri Slaby
                   ` (206 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Theodore Ts'o, Jiri Slaby

From: Theodore Ts'o <tytso@mit.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c48ae41bafe31e9a66d8be2ced4e42a6b57fa814 upstream.

The commit "ext4: sanity check the block and cluster size at mount
time" should prevent any problems, but in case the superblock is
modified while the file system is mounted, add an extra safety check
to make sure we won't overrun the allocated buffer.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ext4/super.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 6c67a988bfce..6362896f5875 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3257,10 +3257,15 @@ static int count_overhead(struct super_block *sb, ext4_group_t grp,
 			ext4_set_bit(s++, buf);
 			count++;
 		}
-		for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) {
-			ext4_set_bit(EXT4_B2C(sbi, s++), buf);
-			count++;
+		j = ext4_bg_num_gdb(sb, grp);
+		if (s + j > EXT4_BLOCKS_PER_GROUP(sb)) {
+			ext4_error(sb, "Invalid number of block group "
+				   "descriptor blocks: %d", j);
+			j = EXT4_BLOCKS_PER_GROUP(sb) - s;
 		}
+		count += j;
+		for (; j > 0; j--)
+			ext4_set_bit(EXT4_B2C(sbi, s++), buf);
 	}
 	if (!count)
 		return 0;
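Review bot: the clamp `j = EXT4_BLOCKS_PER_GROUP(sb) - s` goes negative when s is already past the group size (s is advanced by the ext4_set_bit(s++, buf) loop just above), and `count += j` then lowers count instead of leaving it alone. The bit-setting loop is safe because `j > 0` skips it, but the accounting is not; clamp j at zero before adding it to count.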
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 031/235] ext4: reject inodes with negative size
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (29 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 030/235] ext4: add sanity checking to count_overhead() Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 032/235] ext4: return -ENOMEM instead of success Jiri Slaby
                   ` (205 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Darrick J. Wong, Theodore Ts'o, Jiri Slaby

From: "Darrick J. Wong" <darrick.wong@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7e6e1ef48fc02f3ac5d0edecbb0c6087cd758d58 upstream.

Don't load an inode with a negative size; this causes integer overflow
problems in the VFS.

[ Added EXT4_ERROR_INODE() to mark file system as corrupted. -TYT]

js: use EIO for 3.12 instead of EFSCORRUPTED.

Fixes: a48380f769df (ext4: rename i_dir_acl to i_size_high)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ext4/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 3fa2da53400d..50fc2d1da9a9 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4103,6 +4103,7 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
 	struct inode *inode;
 	journal_t *journal = EXT4_SB(sb)->s_journal;
 	long ret;
+	loff_t size;
 	int block;
 	uid_t i_uid;
 	gid_t i_gid;
@@ -4194,6 +4195,11 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
 		ei->i_file_acl |=
 			((__u64)le16_to_cpu(raw_inode->i_file_acl_high)) << 32;
 	inode->i_size = ext4_isize(raw_inode);
+	if ((size = i_size_read(inode)) < 0) {
+		EXT4_ERROR_INODE(inode, "bad i_size value: %lld", size);
+		ret = -EIO;
+		goto bad_inode;
+	}
 	ei->i_disksize = inode->i_size;
 #ifdef CONFIG_QUOTA
 	ei->i_reserved_quota = 0;
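Review bot: `if ((size = i_size_read(inode)) < 0)` assigns inside the condition, which checkpatch flags and which hides the read; split it into `size = i_size_read(inode);` followed by `if (size < 0)`. The placement of the check is right, ahead of the copy into ei->i_disksize, so a rejected size never reaches the in-memory inode state that follows.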
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 032/235] ext4: return -ENOMEM instead of success
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (30 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 031/235] ext4: reject inodes with negative size Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 033/235] f2fs: set ->owner for debugfs status file's file_operations Jiri Slaby
                   ` (204 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dan Carpenter, Theodore Ts'o, Jiri Slaby

From: Dan Carpenter <dan.carpenter@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 578620f451f836389424833f1454eeeb2ffc9e9f upstream.

We should set the error code if kzalloc() fails.

Fixes: 67cf5b09a46f ("ext4: add the basic function for inline data support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ext4/inline.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index b7e491056f9c..a4d6e9a953f9 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -339,8 +339,10 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
 
 	len -= EXT4_MIN_INLINE_DATA_SIZE;
 	value = kzalloc(len, GFP_NOFS);
-	if (!value)
+	if (!value) {
+		error = -ENOMEM;
 		goto out;
+	}
 
 	error = ext4_xattr_ibody_get(inode, i.name_index, i.name,
 				     value, len);
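Review bot: `len -= EXT4_MIN_INLINE_DATA_SIZE` feeds kzalloc() with no lower-bound check in the visible lines, so the allocation size relies on the caller guaranteeing that len is larger than EXT4_MIN_INLINE_DATA_SIZE. A comment naming that guarantee, or an explicit check before the subtraction, would make the assumption reviewable. The added `error = -ENOMEM;` is needed as posted, since the bare `goto out` left error at whatever it held before.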
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 033/235] f2fs: set ->owner for debugfs status file's file_operations
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (31 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 032/235] ext4: return -ENOMEM instead of success Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 034/235] mm/vmscan.c: set correct defer count for shrinker Jiri Slaby
                   ` (203 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Nicolai Stange, Jaegeuk Kim, Jiri Slaby

From: Nicolai Stange <nicstange@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 05e6ea2685c964db1e675a24a4f4e2adc22d2388 upstream.

The struct file_operations instance serving the f2fs/status debugfs file
lacks an initialization of its ->owner.

This means that although that file might have been opened, the f2fs module
can still get removed. Any further operation on that opened file, releasing
included, will cause accesses to unmapped memory.

Indeed, Mike Marshall reported the following:

  BUG: unable to handle kernel paging request at ffffffffa0307430
  IP: [<ffffffff8132a224>] full_proxy_release+0x24/0x90
  <...>
  Call Trace:
   [] __fput+0xdf/0x1d0
   [] ____fput+0xe/0x10
   [] task_work_run+0x8e/0xc0
   [] do_exit+0x2ae/0xae0
   [] ? __audit_syscall_entry+0xae/0x100
   [] ? syscall_trace_enter+0x1ca/0x310
   [] do_group_exit+0x44/0xc0
   [] SyS_exit_group+0x14/0x20
   [] do_syscall_64+0x61/0x150
   [] entry_SYSCALL64_slow_path+0x25/0x25
  <...>
  ---[ end trace f22ae883fa3ea6b8 ]---
  Fixing recursive fault but reboot is needed!

Fix this by initializing the f2fs/status file_operations' ->owner with
THIS_MODULE.

This will allow debugfs to grab a reference to the f2fs module upon any
open on that file, thus preventing it from getting removed.

Fixes: 902829aa0b72 ("f2fs: move proc files to debugfs")
Reported-by: Mike Marshall <hubcap@omnibond.com>
Reported-by: Martin Brandenburg <martin@omnibond.com>
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/f2fs/debug.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/f2fs/debug.c b/fs/f2fs/debug.c
index a84b0a8e6854..52355ba40c15 100644
--- a/fs/f2fs/debug.c
+++ b/fs/f2fs/debug.c
@@ -294,6 +294,7 @@ static int stat_open(struct inode *inode, struct file *file)
 }
 
 static const struct file_operations stat_fops = {
+	.owner = THIS_MODULE,
 	.open = stat_open,
 	.read = seq_read,
 	.llseek = seq_lseek,
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 034/235] mm/vmscan.c: set correct defer count for shrinker
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (32 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 033/235] f2fs: set ->owner for debugfs status file's file_operations Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 035/235] fs: exec: apply CLOEXEC before changing dumpable task flags Jiri Slaby
                   ` (202 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Shaohua Li, Johannes Weiner, Michal Hocko,
	Vladimir Davydov, Andrew Morton, Linus Torvalds, Jiri Slaby

From: Shaohua Li <shli@fb.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5f33a0803bbd781de916f5c7448cbbbbc763d911 upstream.

Our system uses significantly more slab memory with memcg enabled with
the latest kernel.  With the 3.10 kernel, slab uses 2G memory, while with
the 4.6 kernel, 6G memory is used.  The shrinker has a problem.  Let's say
we have two memcgs for one shrinker.  In do_shrink_slab:

1. Check cg1.  nr_deferred = 0, assume total_scan = 700.  batch size
   is 1024, then no memory is freed.  nr_deferred = 700

2. Check cg2.  nr_deferred = 700.  Assume freeable = 20, then
   total_scan = 10 or 40.  Let's assume it's 10.  No memory is freed.
   nr_deferred = 10.

The deferred share of cg1 is lost in this case.  kswapd will free no
memory even if it runs the above steps again and again.

The fix makes sure one memcg's deferred share isn't lost.

Link: http://lkml.kernel.org/r/2414be961b5d25892060315fbb56bb19d81d0c07.1476227351.git.shli@fb.com
Signed-off-by: Shaohua Li <shli@fb.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Vladimir Davydov <vdavydov@parallels.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 mm/vmscan.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/mm/vmscan.c b/mm/vmscan.c
index 6dc33d9dc2cf..dc23ad3ecf4c 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -231,6 +231,7 @@ shrink_slab_node(struct shrink_control *shrinkctl, struct shrinker *shrinker,
 	int nid = shrinkctl->nid;
 	long batch_size = shrinker->batch ? shrinker->batch
 					  : SHRINK_BATCH;
+	long scanned = 0, next_deferred;
 
 	freeable = shrinker->count_objects(shrinker, shrinkctl);
 	if (freeable == 0)
@@ -253,7 +254,9 @@ shrink_slab_node(struct shrink_control *shrinkctl, struct shrinker *shrinker,
 		"shrink_slab: %pF negative objects to delete nr=%ld\n",
 		       shrinker->scan_objects, total_scan);
 		total_scan = freeable;
-	}
+		next_deferred = nr;
+	} else
+		next_deferred = total_scan;
 
 	/*
 	 * We need to avoid excessive windup on filesystem shrinkers
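Review bot: `} else` followed by an unbraced `next_deferred = total_scan;` mixes braced and unbraced arms; kernel coding style asks for braces on both when either needs them. A one-line comment on why the error branch stores nr while the normal branch stores total_scan would also help, since these two assignments are the core of the fix.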
@@ -310,17 +313,22 @@ shrink_slab_node(struct shrink_control *shrinkctl, struct shrinker *shrinker,
 
 		count_vm_events(SLABS_SCANNED, nr_to_scan);
 		total_scan -= nr_to_scan;
+		scanned += nr_to_scan;
 
 		cond_resched();
 	}
 
+	if (next_deferred >= scanned)
+		next_deferred -= scanned;
+	else
+		next_deferred = 0;
 	/*
 	 * move the unused scan count back into the shrinker in a
 	 * manner that handles concurrent updates. If we exhausted the
 	 * scan, there is no need to do an update.
 	 */
-	if (total_scan > 0)
-		new_nr = atomic_long_add_return(total_scan,
+	if (next_deferred > 0)
+		new_nr = atomic_long_add_return(next_deferred,
 						&shrinker->nr_deferred[nid]);
 	else
 		new_nr = atomic_long_read(&shrinker->nr_deferred[nid]);
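Review bot: the changelog walks through do_shrink_slab() and per-memcg deferral, but this backport lands in shrink_slab_node(), so a short backport note mapping the description onto the 3.12 function would help stable reviewers. In the code, the new clamp block runs straight into the existing comment with no blank line, and that comment still speaks of the "unused scan count" while the value added back is now next_deferred; update the wording to match.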
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 035/235] fs: exec: apply CLOEXEC before changing dumpable task flags
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (33 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 034/235] mm/vmscan.c: set correct defer count for shrinker Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 036/235] dm crypt: mark key as invalid until properly loaded Jiri Slaby
                   ` (201 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Aleksa Sarai, dev, Al Viro, Jiri Slaby

From: Aleksa Sarai <asarai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 613cc2b6f272c1a8ad33aefa21cad77af23139f7 upstream.

If you have a process that has set itself to be non-dumpable, and it
then undergoes exec(2), any CLOEXEC file descriptors it has open are
"exposed" during a race window between the dumpable flags of the process
being reset for exec(2) and CLOEXEC being applied to the file
descriptors. This can be exploited by a process by attempting to access
/proc/<pid>/fd/... during this window, without requiring CAP_SYS_PTRACE.

The race in question is after set_dumpable has been (for get_link,
though the trace is basically the same for readlink):

[vfs]
-> proc_pid_link_inode_operations.get_link
   -> proc_pid_get_link
      -> proc_fd_access_allowed
         -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);

Which will return 0 during the race window, and CLOEXEC file descriptors
will still be open during this window because do_close_on_exec has not
been called yet. As a result, the ordering of these calls should be
reversed to avoid this race window.

This is of particular concern to container runtimes, where joining a
PID namespace with file descriptors referring to the host filesystem
can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect
against access of CLOEXEC file descriptors -- file descriptors which may
reference filesystem objects the container shouldn't have access to).

Cc: dev@opencontainers.org
Reported-by: Michael Crosby <crosbymichael@gmail.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/exec.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index d8b46a197172..f33c0fff702c 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -19,7 +19,7 @@
  * current->executable is only used by the procfs.  This allows a dispatch
  * table to check for several different types  of binary formats.  We keep
  * trying until we recognize the file or we run out of supported binary
- * formats. 
+ * formats.
  */
 
 #include <linux/slab.h>
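Review bot: the only change in this hunk is trailing whitespace removed after "formats." in the header comment, which is unrelated to the race being fixed. In a stable backport it adds conflict surface for no functional gain; keep it only if the aim is a byte-for-byte match with the upstream commit.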
@@ -1098,6 +1098,13 @@ int flush_old_exec(struct linux_binprm * bprm)
 	flush_thread();
 	current->personality &= ~bprm->per_clear;
 
+	/*
+	 * We have to apply CLOEXEC before we change whether the process is
+	 * dumpable (in setup_new_exec) to avoid a race with a process in userspace
+	 * trying to access the should-be-closed file descriptors of a process
+	 * undergoing exec(2).
+	 */
+	do_close_on_exec(current->files);
 	return 0;
 
 out:
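Review bot: the ordering requirement is documented only here, at the new call site in flush_old_exec(); setup_new_exec(), where the call is removed and which the comment names as the place dumpable changes, gets no matching note, so a later cleanup could move do_close_on_exec() back. A one-line comment there pointing at this one would guard against that. The second line of the added comment also runs past 80 columns and should be rewrapped.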
@@ -1148,7 +1155,6 @@ void setup_new_exec(struct linux_binprm * bprm)
 	current->self_exec_id++;
 			
 	flush_signal_handlers(current, 0);
-	do_close_on_exec(current->files);
 }
 EXPORT_SYMBOL(setup_new_exec);
 
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 036/235] dm crypt: mark key as invalid until properly loaded
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (34 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 035/235] fs: exec: apply CLOEXEC before changing dumpable task flags Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 037/235] dm space map metadata: fix 'struct sm_metadata' leak on failed create Jiri Slaby
                   ` (200 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Ondrej Kozina, Mike Snitzer, Jiri Slaby

From: Ondrej Kozina <okozina@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 265e9098bac02bc5e36cda21fdbad34cb5b2f48d upstream.

In crypt_set_key(), if a failure occurs while replacing the old key
(e.g. tfm->setkey() fails) the key must not have DM_CRYPT_KEY_VALID flag
set.  Otherwise, the crypto layer would have an invalid key that still
has DM_CRYPT_KEY_VALID flag set.

Signed-off-by: Ondrej Kozina <okozina@redhat.com>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/md/dm-crypt.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
index 0f64dc596bce..c1b36e208669 100644
--- a/drivers/md/dm-crypt.c
+++ b/drivers/md/dm-crypt.c
@@ -1283,12 +1283,15 @@ static int crypt_set_key(struct crypt_config *cc, char *key)
 	if (!cc->key_size && strcmp(key, "-"))
 		goto out;
 
+	/* clear the flag since following operations may invalidate previously valid key */
+	clear_bit(DM_CRYPT_KEY_VALID, &cc->flags);
+
 	if (cc->key_size && crypt_decode_key(cc->key, key, cc->key_size) < 0)
 		goto out;
 
-	set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
-
 	r = crypt_setkey_allcpus(cc);
+	if (!r)
+		set_bit(DM_CRYPT_KEY_VALID, &cc->flags);
 
 out:
 	/* Hex key string not needed after here, so wipe it. */
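Review bot: the added comment line is well over 80 columns and should be wrapped. On the logic, clear_bit() sits after the first `goto out`, so the key_size / "-" mismatch path leaves DM_CRYPT_KEY_VALID as it was; that is correct because nothing has touched cc->key yet, but the comment should say so, since the placement is what keeps the flag in step with the key state. Setting the flag only when crypt_setkey_allcpus() returns 0 covers the failure case the changelog describes.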
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 037/235] dm space map metadata: fix 'struct sm_metadata' leak on failed create
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (35 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 036/235] dm crypt: mark key as invalid until properly loaded Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 038/235] CIFS: Fix a possible memory corruption during reconnect Jiri Slaby
                   ` (199 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Benjamin Marzinski, Mike Snitzer, Jiri Slaby

From: Benjamin Marzinski <bmarzins@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 314c25c56c1ee5026cf99c570bdfe01847927acb upstream.

In dm_sm_metadata_create() we temporarily change the dm_space_map
operations from 'ops' (whose .destroy function deallocates the
sm_metadata) to 'bootstrap_ops' (whose .destroy function doesn't).

If dm_sm_metadata_create() fails in sm_ll_new_metadata() or
sm_ll_extend(), it exits back to dm_tm_create_internal(), which calls
dm_sm_destroy() with the intention of freeing the sm_metadata, but it
doesn't (because the dm_space_map operations are still set to
'bootstrap_ops').

Fix this by setting the dm_space_map operations back to 'ops' if
dm_sm_metadata_create() fails when it is set to 'bootstrap_ops'.

[js] no nr_blocks test in 3.12 yet

Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Acked-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/md/persistent-data/dm-space-map-metadata.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
index 8a8f06bcde60..1543f37c272a 100644
--- a/drivers/md/persistent-data/dm-space-map-metadata.c
+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
@@ -773,15 +773,13 @@ int dm_sm_metadata_create(struct dm_space_map *sm,
 	memcpy(&smm->sm, &bootstrap_ops, sizeof(smm->sm));
 
 	r = sm_ll_new_metadata(&smm->ll, tm);
+	if (!r) {
+		r = sm_ll_extend(&smm->ll, nr_blocks);
+	}
+	memcpy(&smm->sm, &ops, sizeof(smm->sm));
 	if (r)
 		return r;
 
-	r = sm_ll_extend(&smm->ll, nr_blocks);
-	if (r)
-		return r;
-
-	memcpy(&smm->sm, &ops, sizeof(smm->sm));
-
 	/*
 	 * Now we need to update the newly created data structures with the
 	 * allocated blocks that they were built from.
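Review bot: `if (!r) {` wraps a single statement in braces, which kernel coding style drops. More important for later readers, the memcpy() restoring 'ops' now runs on both the success and the failure path and the reason lives only in the changelog; a short comment above it saying that dm_sm_destroy() must see 'ops' in order to free the sm_metadata would keep a future refactor from moving it back below the error return.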
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 038/235] CIFS: Fix a possible memory corruption during reconnect
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (36 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 037/235] dm space map metadata: fix 'struct sm_metadata' leak on failed create Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 039/235] CIFS: Fix missing nls unload in smb2_reconnect() Jiri Slaby
                   ` (198 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Pavel Shilovsky, Jiri Slaby

From: Pavel Shilovsky <pshilov@microsoft.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 53e0e11efe9289535b060a51d4cf37c25e0d0f2b upstream.

We can not unlock/lock cifs_tcp_ses_lock while walking through ses
and tcon lists because it can corrupt list iterator pointers and
a tcon structure can be released if we don't hold an extra reference.
Fix it by moving a reconnect process to a separate delayed work
and acquiring a reference to every tcon that needs to be reconnected.
Also do not send an echo request on newly established connections.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/cifsglob.h  |  3 +++
 fs/cifs/cifsproto.h |  3 +++
 fs/cifs/connect.c   | 34 +++++++++++++++++++-----
 fs/cifs/smb2pdu.c   | 75 ++++++++++++++++++++++++++++++++++++-----------------
 fs/cifs/smb2proto.h |  1 +
 5 files changed, 85 insertions(+), 31 deletions(-)

diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index fa30efe15ba2..4b87feaa507f 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -594,6 +594,8 @@ struct TCP_Server_Info {
 #ifdef CONFIG_CIFS_SMB2
 	unsigned int	max_read;
 	unsigned int	max_write;
+	struct delayed_work reconnect; /* reconnect workqueue job */
+	struct mutex reconnect_mutex; /* prevent simultaneous reconnects */
 #endif /* CONFIG_CIFS_SMB2 */
 };
 
@@ -760,6 +762,7 @@ cap_unix(struct cifs_ses *ses)
 struct cifs_tcon {
 	struct list_head tcon_list;
 	int tc_count;
+	struct list_head rlist; /* reconnect list */
 	struct list_head openFileList;
 	spinlock_t open_file_lock; /* protects list above */
 	struct cifs_ses *ses;	/* pointer to session associated with */
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index c6bfe5b368f9..6421d8b433b1 100644
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -199,6 +199,9 @@ extern void cifs_add_pending_open_locked(struct cifs_fid *fid,
 					 struct tcon_link *tlink,
 					 struct cifs_pending_open *open);
 extern void cifs_del_pending_open(struct cifs_pending_open *open);
+extern void cifs_put_tcp_session(struct TCP_Server_Info *server,
+				 int from_reconnect);
+extern void cifs_put_tcon(struct cifs_tcon *tcon);
 
 #if IS_ENABLED(CONFIG_CIFS_DFS_UPCALL)
 extern void cifs_dfs_release_automount_timer(void);
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 54f507bd2c09..e06790171e89 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -52,6 +52,9 @@
 #include "nterr.h"
 #include "rfc1002pdu.h"
 #include "fscache.h"
+#ifdef CONFIG_CIFS_SMB2
+#include "smb2proto.h"
+#endif
 
 #define CIFS_PORT 445
 #define RFC1001_PORT 139
@@ -2060,8 +2063,8 @@ cifs_find_tcp_session(struct smb_vol *vol)
 	return NULL;
 }
 
-static void
-cifs_put_tcp_session(struct TCP_Server_Info *server)
+void
+cifs_put_tcp_session(struct TCP_Server_Info *server, int from_reconnect)
 {
 	struct task_struct *task;
 
@@ -2078,6 +2081,19 @@ cifs_put_tcp_session(struct TCP_Server_Info *server)
 
 	cancel_delayed_work_sync(&server->echo);
 
+#ifdef CONFIG_CIFS_SMB2
+	if (from_reconnect)
+		/*
+		 * Avoid deadlock here: reconnect work calls
+		 * cifs_put_tcp_session() at its end. Need to be sure
+		 * that reconnect work does nothing with server pointer after
+		 * that step.
+		 */
+		cancel_delayed_work(&server->reconnect);
+	else
+		cancel_delayed_work_sync(&server->reconnect);
+#endif
+
 	spin_lock(&GlobalMid_Lock);
 	server->tcpStatus = CifsExiting;
 	spin_unlock(&GlobalMid_Lock);
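Review bot: the `if (from_reconnect)` arm carries a multi-line comment between the condition and its single statement with no braces, which makes the if/else easy to misread; brace both arms. from_reconnect is used purely as a flag and every caller in this patch passes 0 or 1, so bool would state the intent better than int. The non-sync cancel_delayed_work() is safe only under the rule the comment states, that the reconnect work does nothing with the server pointer after calling cifs_put_tcp_session(); that holds in smb2_reconnect_server() as posted, where the call is the last statement.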
@@ -2142,6 +2158,10 @@ cifs_get_tcp_session(struct smb_vol *volume_info)
 	INIT_LIST_HEAD(&tcp_ses->tcp_ses_list);
 	INIT_LIST_HEAD(&tcp_ses->smb_ses_list);
 	INIT_DELAYED_WORK(&tcp_ses->echo, cifs_echo_request);
+#ifdef CONFIG_CIFS_SMB2
+	INIT_DELAYED_WORK(&tcp_ses->reconnect, smb2_reconnect_server);
+	mutex_init(&tcp_ses->reconnect_mutex);
+#endif
 	memcpy(&tcp_ses->srcaddr, &volume_info->srcaddr,
 	       sizeof(tcp_ses->srcaddr));
 	memcpy(&tcp_ses->dstaddr, &volume_info->dstaddr,
@@ -2294,7 +2314,7 @@ cifs_put_smb_ses(struct cifs_ses *ses)
 	spin_unlock(&cifs_tcp_ses_lock);
 
 	sesInfoFree(ses);
-	cifs_put_tcp_session(server);
+	cifs_put_tcp_session(server, 0);
 }
 
 #ifdef CONFIG_KEYS
@@ -2467,7 +2487,7 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
 		mutex_unlock(&ses->session_mutex);
 
 		/* existing SMB ses has a server reference already */
-		cifs_put_tcp_session(server);
+		cifs_put_tcp_session(server, 0);
 		free_xid(xid);
 		return ses;
 	}
@@ -2557,7 +2577,7 @@ cifs_find_tcon(struct cifs_ses *ses, const char *unc)
 	return NULL;
 }
 
-static void
+void
 cifs_put_tcon(struct cifs_tcon *tcon)
 {
 	unsigned int xid;
@@ -3606,7 +3626,7 @@ mount_fail_check:
 		else if (ses)
 			cifs_put_smb_ses(ses);
 		else
-			cifs_put_tcp_session(server);
+			cifs_put_tcp_session(server, 0);
 		bdi_destroy(&cifs_sb->bdi);
 	}
 
@@ -3904,7 +3924,7 @@ cifs_construct_tcon(struct cifs_sb_info *cifs_sb, kuid_t fsuid)
 	ses = cifs_get_smb_ses(master_tcon->ses->server, vol_info);
 	if (IS_ERR(ses)) {
 		tcon = (struct cifs_tcon *)ses;
-		cifs_put_tcp_session(master_tcon->ses->server);
+		cifs_put_tcp_session(master_tcon->ses->server, 0);
 		goto out;
 	}
 
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 1a6dde4bce62..ef1532360709 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1560,6 +1560,54 @@ smb2_echo_callback(struct mid_q_entry *mid)
 	add_credits(server, credits_received, CIFS_ECHO_OP);
 }
 
+void smb2_reconnect_server(struct work_struct *work)
+{
+	struct TCP_Server_Info *server = container_of(work,
+					struct TCP_Server_Info, reconnect.work);
+	struct cifs_ses *ses;
+	struct cifs_tcon *tcon, *tcon2;
+	struct list_head tmp_list;
+	int tcon_exist = false;
+
+	/* Prevent simultaneous reconnects that can corrupt tcon->rlist list */
+	mutex_lock(&server->reconnect_mutex);
+
+	INIT_LIST_HEAD(&tmp_list);
+	cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n");
+
+	spin_lock(&cifs_tcp_ses_lock);
+	list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) {
+		list_for_each_entry(tcon, &ses->tcon_list, tcon_list) {
+			if (tcon->need_reconnect) {
+				tcon->tc_count++;
+				list_add_tail(&tcon->rlist, &tmp_list);
+				tcon_exist = true;
+			}
+		}
+	}
+	/*
+	 * Get the reference to server struct to be sure that the last call of
+	 * cifs_put_tcon() in the loop below won't release the server pointer.
+	 */
+	if (tcon_exist)
+		server->srv_count++;
+
+	spin_unlock(&cifs_tcp_ses_lock);
+
+	list_for_each_entry_safe(tcon, tcon2, &tmp_list, rlist) {
+		smb2_reconnect(SMB2_ECHO, tcon);
+		list_del_init(&tcon->rlist);
+		cifs_put_tcon(tcon);
+	}
+
+	cifs_dbg(FYI, "Reconnecting tcons finished\n");
+	mutex_unlock(&server->reconnect_mutex);
+
+	/* now we can safely release srv struct */
+	if (tcon_exist)
+		cifs_put_tcp_session(server, 1);
+}
+
 int
 SMB2_echo(struct TCP_Server_Info *server)
 {
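Review bot: the return value of smb2_reconnect(SMB2_ECHO, tcon) is discarded in the list_for_each_entry_safe() loop, whereas the code removed from SMB2_echo() stored it in rc, so a failed reconnect now passes without any trace; at least a cifs_dbg() on a non-zero result would help. `int tcon_exist = false;` should be declared bool. The reference handling reads correctly: tc_count++ and srv_count++ are taken under cifs_tcp_ses_lock, and cifs_put_tcon() and cifs_put_tcp_session(server, 1) drop them only after the lock is released.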
@@ -1572,32 +1620,11 @@ SMB2_echo(struct TCP_Server_Info *server)
 	cifs_dbg(FYI, "In echo request\n");
 
 	if (server->tcpStatus == CifsNeedNegotiate) {
-		struct list_head *tmp, *tmp2;
-		struct cifs_ses *ses;
-		struct cifs_tcon *tcon;
-
-		cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n");
-		spin_lock(&cifs_tcp_ses_lock);
-		list_for_each(tmp, &server->smb_ses_list) {
-			ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
-			list_for_each(tmp2, &ses->tcon_list) {
-				tcon = list_entry(tmp2, struct cifs_tcon,
-						  tcon_list);
-				/* add check for persistent handle reconnect */
-				if (tcon && tcon->need_reconnect) {
-					spin_unlock(&cifs_tcp_ses_lock);
-					rc = smb2_reconnect(SMB2_ECHO, tcon);
-					spin_lock(&cifs_tcp_ses_lock);
-				}
-			}
-		}
-		spin_unlock(&cifs_tcp_ses_lock);
+		/* No need to send echo on newly established connections */
+		queue_delayed_work(cifsiod_wq, &server->reconnect, 0);
+		return rc;
 	}
 
-	/* if no session, renegotiate failed above */
-	if (server->tcpStatus == CifsNeedNegotiate)
-		return -EIO;
-
 	rc = small_smb2_init(SMB2_ECHO, NULL, (void **)&req);
 	if (rc)
 		return rc;
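Review bot: the CifsNeedNegotiate branch now ends in `return rc;`, but rc's initial value is not in the visible lines, and the removed code returned -EIO for a server still in this state. State the intended result explicitly at this return (a literal 0 if queueing the reconnect work is meant to count as success) so the caller's behaviour does not depend on a declaration outside the hunk.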
diff --git a/fs/cifs/smb2proto.h b/fs/cifs/smb2proto.h
index 5793f3e39a31..d45f772a35c9 100644
--- a/fs/cifs/smb2proto.h
+++ b/fs/cifs/smb2proto.h
@@ -89,6 +89,7 @@ extern int smb2_open_file(const unsigned int xid,
 extern int smb2_unlock_range(struct cifsFileInfo *cfile,
 			     struct file_lock *flock, const unsigned int xid);
 extern int smb2_push_mandatory_locks(struct cifsFileInfo *cfile);
+extern void smb2_reconnect_server(struct work_struct *work);
 
 /*
  * SMB2 Worker functions - most of protocol specific implementation details
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 039/235] CIFS: Fix missing nls unload in smb2_reconnect()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (37 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 038/235] CIFS: Fix a possible memory corruption during reconnect Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 040/235] CIFS: Fix a possible memory corruption in push locks Jiri Slaby
                   ` (197 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Pavel Shilovsky, Jiri Slaby

From: Pavel Shilovsky <pshilov@microsoft.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 4772c79599564bd08ee6682715a7d3516f67433f upstream.

Acked-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/smb2pdu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index ef1532360709..30d0751626e3 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -282,7 +282,7 @@ out:
 	case SMB2_CHANGE_NOTIFY:
 	case SMB2_QUERY_INFO:
 	case SMB2_SET_INFO:
-		return -EAGAIN;
+		rc = -EAGAIN;
 	}
 	unload_nls(nls_codepage);
 	return rc;
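Review bot: the changelog body is empty; the subject says an nls unload was missing, and one sentence stating that the early `return -EAGAIN` skipped unload_nls(nls_codepage) would make the leak clear to stable reviewers. In the code, the last case of the switch now ends in an assignment with no `break;`, which works because it is the final label but is fragile if a case is ever added after it.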
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 040/235] CIFS: Fix a possible memory corruption in push locks
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (38 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 039/235] CIFS: Fix missing nls unload in smb2_reconnect() Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 041/235] xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing Jiri Slaby
                   ` (196 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Pavel Shilovsky, Jiri Slaby

From: Pavel Shilovsky <pshilov@microsoft.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e3d240e9d505fc67f8f8735836df97a794bbd946 upstream.

If maxBuf is not 0 but less than the size of the SMB2 lock structure,
we can end up with memory corruption.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/smb2file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cifs/smb2file.c b/fs/cifs/smb2file.c
index 45992944e238..b87b07504947 100644
--- a/fs/cifs/smb2file.c
+++ b/fs/cifs/smb2file.c
@@ -241,7 +241,7 @@ smb2_push_mandatory_locks(struct cifsFileInfo *cfile)
 	 * and check it for zero before using.
 	 */
 	max_buf = tlink_tcon(cfile->tlink)->ses->server->maxBuf;
-	if (!max_buf) {
+	if (max_buf < sizeof(struct smb2_lock_element)) {
 		free_xid(xid);
 		return -EINVAL;
 	}
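
Review bot: the comment directly above this check still says "check it for zero before using", which no longer matches `max_buf < sizeof(struct smb2_lock_element)`; update it to say that maxBuf must hold at least one lock element. The declaration of `max_buf` is outside the hunk: if it is a signed type, the comparison against `sizeof` is carried out as unsigned, and it is worth confirming that this is the intended handling for a value taken from `server->maxBuf`.
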
-- 
2.11.0


* [PATCH 3.12 041/235] xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (39 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 040/235] CIFS: Fix a possible memory corruption in push locks Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 042/235] arm/xen: Use alloc_percpu rather than __alloc_percpu Jiri Slaby
                   ` (195 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Boris Ostrovsky, Juergen Gross, Jiri Slaby

From: Boris Ostrovsky <boris.ostrovsky@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 30faaafdfa0c754c91bac60f216c9f34a2bfdf7e upstream.

Commit 9c17d96500f7 ("xen/gntdev: Grant maps should not be subject to
NUMA balancing") set VM_IO flag to prevent grant maps from being
subjected to NUMA balancing.

It was discovered recently that this flag causes get_user_pages() to
always fail with -EFAULT.

check_vma_flags
__get_user_pages
__get_user_pages_locked
__get_user_pages_unlocked
get_user_pages_fast
iov_iter_get_pages
dio_refill_pages
do_direct_IO
do_blockdev_direct_IO
do_blockdev_direct_IO
ext4_direct_IO_read
generic_file_read_iter
aio_run_iocb

(which can happen if guest's vdisk has direct-io-safe option).

To avoid this let's use VM_MIXEDMAP flag instead --- it prevents
NUMA balancing just as VM_IO does and has no effect on
check_vma_flags().


Reported-by: Olaf Hering <olaf@aepfle.de>
Suggested-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Acked-by: Hugh Dickins <hughd@google.com>
Tested-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/xen/gntdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index 27accc4cc999..c17116f63eb1 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -763,7 +763,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
 
 	vma->vm_ops = &gntdev_vmops;
 
-	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_IO;
+	vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP | VM_MIXEDMAP;
 
 	if (use_ptemod)
 		vma->vm_flags |= VM_DONTCOPY;
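
Review bot: the `vma->vm_flags` assignment in `gntdev_mmap()` gives no hint why `VM_MIXEDMAP` is set, and the reason (keep NUMA balancing away from grant maps without making get_user_pages() fail, as `VM_IO` did) lives only in the changelog. A short comment above the line would stop a later cleanup from switching it back to `VM_IO`.
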
-- 
2.11.0


* [PATCH 3.12 042/235] arm/xen: Use alloc_percpu rather than __alloc_percpu
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (40 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 041/235] xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 043/235] xfs: set AGI buffer type in xlog_recover_clear_agi_bucket Jiri Slaby
                   ` (194 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Julien Grall, Stefano Stabellini, Jiri Slaby

From: Julien Grall <julien.grall@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 24d5373dda7c00a438d26016bce140299fae675e upstream.

The function xen_guest_init is using __alloc_percpu with an alignment
which is not a power of two.

However, the percpu allocator never supported alignments which are not powers
of two and has always behaved incorrectly in this case.

Commit 3ca45a4 "percpu: ensure requested alignment is power of two"
introduced a check which triggers a warning [1] when booting linux-next
on Xen. But in reality this bug was always present.

This can be fixed by replacing the call to __alloc_percpu with
alloc_percpu. The latter will use an alignment which is a power of two.

[1]

[    0.023921] illegal size (48) or align (48) for percpu allocation
[    0.024167] ------------[ cut here ]------------
[    0.024344] WARNING: CPU: 0 PID: 1 at linux/mm/percpu.c:892 pcpu_alloc+0x88/0x6c0
[    0.024584] Modules linked in:
[    0.024708]
[    0.024804] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
4.9.0-rc7-next-20161128 #473
[    0.025012] Hardware name: Foundation-v8A (DT)
[    0.025162] task: ffff80003d870000 task.stack: ffff80003d844000
[    0.025351] PC is at pcpu_alloc+0x88/0x6c0
[    0.025490] LR is at pcpu_alloc+0x88/0x6c0
[    0.025624] pc : [<ffff00000818e678>] lr : [<ffff00000818e678>]
pstate: 60000045
[    0.029152] ---[ end trace 0000000000000000 ]---
[    0.029297] Call trace:
[    0.032051] [<ffff00000818e678>] pcpu_alloc+0x88/0x6c0
[    0.032229] [<ffff00000818ece8>] __alloc_percpu+0x18/0x20
[    0.032409] [<ffff000008d9606c>] xen_guest_init+0x174/0x2f4
[    0.032591] [<ffff0000080830f8>] do_one_initcall+0x38/0x130
[    0.032783] [<ffff000008d90c34>] kernel_init_freeable+0xe0/0x248
[    0.032995] [<ffff00000899a890>] kernel_init+0x10/0x100
[    0.033172] [<ffff000008082ec0>] ret_from_fork+0x10/0x50

Reported-by: Wei Chen <wei.chen@arm.com>
Link: https://lkml.org/lkml/2016/11/28/669
Signed-off-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/xen/enlighten.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c
index 83e4f959ee47..0cad698cdd3c 100644
--- a/arch/arm/xen/enlighten.c
+++ b/arch/arm/xen/enlighten.c
@@ -260,8 +260,7 @@ static int __init xen_guest_init(void)
 	 * for secondary CPUs as they are brought up.
 	 * For uniformity we use VCPUOP_register_vcpu_info even on cpu0.
 	 */
-	xen_vcpu_info = __alloc_percpu(sizeof(struct vcpu_info),
-			                       sizeof(struct vcpu_info));
+	xen_vcpu_info = alloc_percpu(struct vcpu_info);
 	if (xen_vcpu_info == NULL)
 		return -ENOMEM;
 
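
Review bot: the removed call requested an alignment equal to `sizeof(struct vcpu_info)`, while `alloc_percpu(struct vcpu_info)` leaves the alignment to the type, and the changelog does not say whether the larger alignment was needed for anything. The comment above refers to VCPUOP_register_vcpu_info; please state in the changelog or in that comment whether registration places any constraint on where each per-CPU copy sits, so the weaker alignment is a documented decision and not a side effect of silencing the warning.
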
-- 
2.11.0


* [PATCH 3.12 043/235] xfs: set AGI buffer type in xlog_recover_clear_agi_bucket
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (41 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 042/235] arm/xen: Use alloc_percpu rather than __alloc_percpu Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 044/235] ssb: Fix error routine when fallback SPROM fails Jiri Slaby
                   ` (193 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Eric Sandeen, Eric Sandeen, Dave Chinner, Jiri Slaby

From: Eric Sandeen <sandeen@sandeen.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6b10b23ca94451fae153a5cc8d62fd721bec2019 upstream.

xlog_recover_clear_agi_bucket didn't set the
type to XFS_BLFT_AGI_BUF, so we got a warning during log
replay (or an ASSERT on a debug build).

    XFS (md0): Unknown buffer type 0!
    XFS (md0): _xfs_buf_ioapply: no ops on block 0xaea8802/0x1

Fix this, as was done in f19b872b for 2 other locations
with the same problem.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/xfs/xfs_log_recover.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
index 5b166a07d55e..48dcb167cce5 100644
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -3923,6 +3923,7 @@ xlog_recover_clear_agi_bucket(
 	agi->agi_unlinked[bucket] = cpu_to_be32(NULLAGINO);
 	offset = offsetof(xfs_agi_t, agi_unlinked) +
 		 (sizeof(xfs_agino_t) * bucket);
+	xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF);
 	xfs_trans_log_buf(tp, agibp, offset,
 			  (offset + sizeof(xfs_agino_t) - 1));
 
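
Review bot: `xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF)` is added by hand before `xfs_trans_log_buf()`, and the changelog says the same omission was already fixed in two other places, so this is the third site to need it. It is worth auditing the remaining `xfs_trans_log_buf()` callers in this file for the same gap, and citing the earlier fix with a full-length hash and subject line instead of `f19b872b`.
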
-- 
2.11.0


* [PATCH 3.12 044/235] ssb: Fix error routine when fallback SPROM fails
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (42 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 043/235] xfs: set AGI buffer type in xlog_recover_clear_agi_bucket Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 045/235] thermal: hwmon: Properly report critical temperature in sysfs Jiri Slaby
                   ` (192 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Larry Finger, Kalle Valo, Jiri Slaby

From: Larry Finger <Larry.Finger@lwfinger.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8052d7245b6089992343c80b38b14dbbd8354651 upstream.

When there is a CRC error in the SPROM read from the device, the code
attempts to handle a fallback SPROM. When this also fails, the driver
returns zero rather than an error code.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/ssb/pci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/ssb/pci.c b/drivers/ssb/pci.c
index a8dc95ebf2d6..7700cef5e177 100644
--- a/drivers/ssb/pci.c
+++ b/drivers/ssb/pci.c
@@ -846,6 +846,7 @@ static int ssb_pci_sprom_get(struct ssb_bus *bus,
 			if (err) {
 				ssb_warn("WARNING: Using fallback SPROM failed (err %d)\n",
 					 err);
+				goto out_free;
 			} else {
 				ssb_dbg("Using SPROM revision %d provided by platform\n",
 					sprom->revision);
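
Review bot: with `goto out_free` added, a failed fallback SPROM is now fatal for `ssb_pci_sprom_get()`, but the message on this path is still emitted through `ssb_warn()` with a "WARNING:" prefix; consider reporting it at error level so the log matches the outcome. The `out_free` label is outside the hunk, so please confirm it returns `err` unchanged, since the changelog's point is that a non-zero code must reach the caller.
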
-- 
2.11.0


* [PATCH 3.12 045/235] thermal: hwmon: Properly report critical temperature in sysfs
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (43 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 044/235] ssb: Fix error routine when fallback SPROM fails Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 046/235] drm/radeon: add additional pci revision to dpm workaround Jiri Slaby
                   ` (191 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Krzysztof Kozlowski, Zhang Rui, Jiri Slaby

From: Krzysztof Kozlowski <krzk@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f37fabb8643eaf8e3b613333a72f683770c85eca upstream.

In the critical sysfs entry the thermal hwmon was returning the wrong
temperature to user-space.  It was reporting the temperature of the
first trip point instead of the temperature of the critical trip point.

For example:
	/sys/class/hwmon/hwmon0/temp1_crit:50000
	/sys/class/thermal/thermal_zone0/trip_point_0_temp:50000
	/sys/class/thermal/thermal_zone0/trip_point_0_type:active
	/sys/class/thermal/thermal_zone0/trip_point_3_temp:120000
	/sys/class/thermal/thermal_zone0/trip_point_3_type:critical

Since commit e68b16abd91d ("thermal: add hwmon sysfs I/F") the driver
has been registering a sysfs entry if the get_crit_temp() callback was
provided.  However, when accessed, it was calling get_trip_temp() instead
of get_crit_temp().

Fixes: e68b16abd91d ("thermal: add hwmon sysfs I/F")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/thermal/thermal_hwmon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/thermal/thermal_hwmon.c b/drivers/thermal/thermal_hwmon.c
index 1967bee4f076..9035fbc5e98d 100644
--- a/drivers/thermal/thermal_hwmon.c
+++ b/drivers/thermal/thermal_hwmon.c
@@ -98,7 +98,7 @@ temp_crit_show(struct device *dev, struct device_attribute *attr, char *buf)
 	long temperature;
 	int ret;
 
-	ret = tz->ops->get_trip_temp(tz, 0, &temperature);
+	ret = tz->ops->get_crit_temp(tz, &temperature);
 	if (ret)
 		return ret;
 
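
Review bot: `tz->ops->get_crit_temp(tz, &temperature)` is called in `temp_crit_show()` without checking that the callback is set; per the changelog this is safe only because the attribute is registered when `get_crit_temp()` is provided. A one-line comment here pointing at that registration condition would keep the two from drifting apart.
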
-- 
2.11.0


* [PATCH 3.12 046/235] drm/radeon: add additional pci revision to dpm workaround
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (44 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 045/235] thermal: hwmon: Properly report critical temperature in sysfs Jiri Slaby
@ 2017-01-27 10:52 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 047/235] drm/gma500: Add compat ioctl Jiri Slaby
                   ` (190 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:52 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alex Deucher, Jiri Slaby

From: Alex Deucher <alexander.deucher@amd.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8729675c00a8d13cb2094d617d70a4a4da7d83c5 upstream.

New variant.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/gpu/drm/radeon/si_dpm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c
index 3265792f1990..38686f92536f 100644
--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -2961,6 +2961,7 @@ static void si_apply_state_adjust_rules(struct radeon_device *rdev,
 		    (rdev->pdev->revision == 0x80) ||
 		    (rdev->pdev->revision == 0x81) ||
 		    (rdev->pdev->revision == 0x83) ||
+		    (rdev->pdev->revision == 0x87) ||
 		    (rdev->pdev->device == 0x6604) ||
 		    (rdev->pdev->device == 0x6605)) {
 			max_sclk = 75000;
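
Review bot: revision `0x87` joins a chain of bare `rdev->pdev->revision` and `rdev->pdev->device` comparisons, and the changelog ("New variant.") does not say which part it identifies or why it needs the `max_sclk` limit. Name the variant in the changelog or in a comment, and consider moving the list into a small table so the next addition is a data change.
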
-- 
2.11.0


* [PATCH 3.12 047/235] drm/gma500: Add compat ioctl
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (45 preceding siblings ...)
  2017-01-27 10:52 ` [PATCH 3.12 046/235] drm/radeon: add additional pci revision to dpm workaround Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 048/235] drivers/gpu/drm/ast: Fix infinite loop if read fails Jiri Slaby
                   ` (189 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Patrik Jakobsson, Sean Paul, Jiri Slaby

From: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 0a97c81a9717431e6c57ea845b59c3c345edce67 upstream.

Hook up drm_compat_ioctl to support 32-bit userspace on 64-bit kernels.
It turns out that N2600 and N2800 come with 64-bit enabled. We
previously assumed there were no such systems out there.

Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: http://patchwork.freedesktop.org/patch/msgid/20161101144315.2955-1-patrik.r.jakobsson@gmail.com
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/gpu/drm/gma500/psb_drv.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/gma500/psb_drv.c b/drivers/gpu/drm/gma500/psb_drv.c
index fcb4e9ff1f20..09c155737daf 100644
--- a/drivers/gpu/drm/gma500/psb_drv.c
+++ b/drivers/gpu/drm/gma500/psb_drv.c
@@ -620,6 +620,9 @@ static const struct file_operations psb_gem_fops = {
 	.open = drm_open,
 	.release = drm_release,
 	.unlocked_ioctl = psb_unlocked_ioctl,
+#ifdef CONFIG_COMPAT
+	.compat_ioctl = drm_compat_ioctl,
+#endif
 	.mmap = drm_gem_mmap,
 	.poll = drm_poll,
 	.read = drm_read,
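
Review bot: `.compat_ioctl` points at the generic `drm_compat_ioctl` while `.unlocked_ioctl` goes through the driver's own `psb_unlocked_ioctl`, so 32-bit callers may take a different path from native ones. Please confirm that whatever `psb_unlocked_ioctl` does around the core ioctl handler is not needed on the compat path, or add a driver wrapper for compat as well.
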
-- 
2.11.0


* [PATCH 3.12 048/235] drivers/gpu/drm/ast: Fix infinite loop if read fails
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (46 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 047/235] drm/gma500: Add compat ioctl Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 049/235] block: protect iterate_bdevs() against concurrent close Jiri Slaby
                   ` (188 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Russell Currey, Daniel Vetter, Jiri Slaby

From: Russell Currey <ruscur@russell.cc>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 298360af3dab45659810fdc51aba0c9f4097e4f6 upstream.

ast_get_dram_info() configures a window in order to access BMC memory.
A BMC register can be configured to disallow this, and if so, causes
an infinite loop in the ast driver which renders the system unusable.

Fix this by erroring out if an error is detected.  On powerpc systems with
EEH, this leads to the device being fenced and the system continuing to
operate.

Signed-off-by: Russell Currey <ruscur@russell.cc>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20161215051241.20815-1-ruscur@russell.cc
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/gpu/drm/ast/ast_main.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c
index 88fc3a5fa7c4..32be5cb1f797 100644
--- a/drivers/gpu/drm/ast/ast_main.c
+++ b/drivers/gpu/drm/ast/ast_main.c
@@ -120,7 +120,8 @@ static int ast_get_dram_info(struct drm_device *dev)
 	ast_write32(ast, 0x10000, 0xfc600309);
 
 	do {
-		;
+		if (pci_channel_offline(dev->pdev))
+			return -EIO;
 	} while (ast_read32(ast, 0x10000) != 0x01);
 	data = ast_read32(ast, 0x10004);
 
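
Review bot: the `do { } while (ast_read32(ast, 0x10000) != 0x01)` loop still has no bound; it now exits early only when `pci_channel_offline(dev->pdev)` is true, which the changelog ties to powerpc systems with EEH. On a platform where a blocked read never marks the channel offline the loop spins as before, so add a retry limit or timeout that also returns an error.
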
@@ -343,7 +344,9 @@ int ast_driver_load(struct drm_device *dev, unsigned long flags)
 	ast_detect_chip(dev);
 
 	if (ast->chip != AST1180) {
-		ast_get_dram_info(dev);
+		ret = ast_get_dram_info(dev);
+		if (ret)
+			goto out_free;
 		ast->vram_size = ast_get_vram_info(dev);
 		DRM_INFO("dram %d %d %d %08x\n", ast->mclk, ast->dram_type, ast->dram_bus_width, ast->vram_size);
 	}
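
Review bot: when `ast_get_dram_info()` fails, `ast_driver_load()` jumps to `out_free` without logging anything, so the user sees only a failed load. Emit an error message before the `goto` naming the failed DRAM info read, and confirm (the label is outside the hunk) that `out_free` releases everything set up before this point.
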
-- 
2.11.0


* [PATCH 3.12 049/235] block: protect iterate_bdevs() against concurrent close
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (47 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 048/235] drivers/gpu/drm/ast: Fix infinite loop if read fails Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 050/235] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF Jiri Slaby
                   ` (187 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Rabin Vincent, Jan Kara, Jens Axboe, Jiri Slaby

From: Rabin Vincent <rabinv@axis.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit af309226db916e2c6e08d3eba3fa5c34225200c4 upstream.

If a block device is closed while iterate_bdevs() is handling it, the
following NULL pointer dereference occurs because bdev->b_disk is NULL
in bdev_get_queue(), which is called from blk_get_backing_dev_info() (in
turn called by the mapping_cap_writeback_dirty() call in
__filemap_fdatawrite_range()):

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000508
 IP: [<ffffffff81314790>] blk_get_backing_dev_info+0x10/0x20
 PGD 9e62067 PUD 9ee8067 PMD 0
 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
 Modules linked in:
 CPU: 1 PID: 2422 Comm: sync Not tainted 4.5.0-rc7+ #400
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
 task: ffff880009f4d700 ti: ffff880009f5c000 task.ti: ffff880009f5c000
 RIP: 0010:[<ffffffff81314790>]  [<ffffffff81314790>] blk_get_backing_dev_info+0x10/0x20
 Call Trace:
  [<ffffffff8112e7f5>] __filemap_fdatawrite_range+0x85/0x90
  [<ffffffff8112e81f>] filemap_fdatawrite+0x1f/0x30
  [<ffffffff811b25d6>] fdatawrite_one_bdev+0x16/0x20
  [<ffffffff811bc402>] iterate_bdevs+0xf2/0x130
  [<ffffffff811b2763>] sys_sync+0x63/0x90
  [<ffffffff815d4272>] entry_SYSCALL_64_fastpath+0x12/0x76
 Code: 0f 1f 44 00 00 48 8b 87 f0 00 00 00 55 48 89 e5 <48> 8b 80 08 05 00 00 5d
 RIP  [<ffffffff81314790>] blk_get_backing_dev_info+0x10/0x20
  RSP <ffff880009f5fe68>
 CR2: 0000000000000508
 ---[ end trace 2487336ceb3de62d ]---

The crash is easily reproducible by running the following command, if an
msleep(100) is inserted before the call to func() in iterate_devs():

 while :; do head -c1 /dev/nullb0; done > /dev/null & while :; do sync; done

Fix it by holding the bd_mutex across the func() call and only calling
func() if the bdev is opened.

Fixes: 5c0d6b60a0ba ("vfs: Create function for iterating over block devices")
Reported-and-tested-by: Wei Fang <fangwei1@huawei.com>
Signed-off-by: Rabin Vincent <rabinv@axis.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/block_dev.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/block_dev.c b/fs/block_dev.c
index bd1930056f0b..e833c974409c 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1672,6 +1672,7 @@ void iterate_bdevs(void (*func)(struct block_device *, void *), void *arg)
 	spin_lock(&inode_sb_list_lock);
 	list_for_each_entry(inode, &blockdev_superblock->s_inodes, i_sb_list) {
 		struct address_space *mapping = inode->i_mapping;
+		struct block_device *bdev;
 
 		spin_lock(&inode->i_lock);
 		if (inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW) ||
@@ -1692,8 +1693,12 @@ void iterate_bdevs(void (*func)(struct block_device *, void *), void *arg)
 		 */
 		iput(old_inode);
 		old_inode = inode;
+		bdev = I_BDEV(inode);
 
-		func(I_BDEV(inode), arg);
+		mutex_lock(&bdev->bd_mutex);
+		if (bdev->bd_openers)
+			func(bdev, arg);
+		mutex_unlock(&bdev->bd_mutex);
 
 		spin_lock(&inode_sb_list_lock);
 	}
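
Review bot: `func()` is now invoked with `bdev->bd_mutex` held and is skipped when `bdev->bd_openers` is zero, but neither condition is documented for `iterate_bdevs()` callers. Add a comment at the function stating that callbacks run under `bd_mutex` (so they must not take it themselves) and that unopened devices are no longer visited.
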
-- 
2.11.0


* [PATCH 3.12 050/235] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (48 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 049/235] block: protect iterate_bdevs() against concurrent close Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 051/235] scsi: zfcp: do not trace pure benign residual HBA responses at default level Jiri Slaby
                   ` (186 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Benjamin Block, Steffen Maier, Martin K . Petersen,
	Jiri Slaby

From: Benjamin Block <bblock@linux.vnet.ibm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit dac37e15b7d511e026a9313c8c46794c144103cd upstream.

When SCSI EH invokes zFCP's callbacks for eh_device_reset_handler() and
eh_target_reset_handler(), it expects us to relent the ownership over
the given scsi_cmnd and all other scsi_cmnds within the same scope - LUN
or target - when returning with SUCCESS from the callback ('release'
them).  SCSI EH can then reuse those commands.

We did not follow this rule to release commands upon SUCCESS; and if
later a reply arrived for one of those supposed to be released commands,
we would still make use of the scsi_cmnd in our ingress tasklet. This
will at least result in undefined behavior or a kernel panic because of
a wrong kernel pointer dereference.

To fix this, we NULLify all pointers to scsi_cmnds (struct zfcp_fsf_req
*)->data in the matching scope if a TMF was successful. This is done
under the locks (struct zfcp_adapter *)->abort_lock and (struct
zfcp_reqlist *)->lock to prevent the requests from being removed from
the request-hashtable, and the ingress tasklet from making use of the
scsi_cmnd-pointer in zfcp_fsf_fcp_cmnd_handler().

For cases where a reply arrives during SCSI EH, but before we get a
chance to NULLify the pointer - but before we return from the callback
-, we assume that the code is protected from races via the CAS operation
in blk_complete_request() that is called in scsi_done().

The following stacktrace shows an example for a crash resulting from the
previous behavior:

Unable to handle kernel pointer dereference at virtual kernel address fffffee17a672000
Oops: 0038 [#1] SMP
CPU: 2 PID: 0 Comm: swapper/2 Not tainted
task: 00000003f7ff5be0 ti: 00000003f3d38000 task.ti: 00000003f3d38000
Krnl PSW : 0404d00180000000 00000000001156b0 (smp_vcpu_scheduled+0x18/0x40)
           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 EA:3
Krnl GPRS: 000000200000007e 0000000000000000 fffffee17a671fd8 0000000300000015
           ffffffff80000000 00000000005dfde8 07000003f7f80e00 000000004fa4e800
           000000036ce8d8f8 000000036ce8d9c0 00000003ece8fe00 ffffffff969c9e93
           00000003fffffffd 000000036ce8da10 00000000003bf134 00000003f3b07918
Krnl Code: 00000000001156a2: a7190000        lghi    %r1,0
           00000000001156a6: a7380015        lhi    %r3,21
          #00000000001156aa: e32050000008    ag    %r2,0(%r5)
          >00000000001156b0: 482022b0        lh    %r2,688(%r2)
           00000000001156b4: ae123000        sigp    %r1,%r2,0(%r3)
           00000000001156b8: b2220020        ipm    %r2
           00000000001156bc: 8820001c        srl    %r2,28
           00000000001156c0: c02700000001    xilf    %r2,1
Call Trace:
([<0000000000000000>] 0x0)
 [<000003ff807bdb8e>] zfcp_fsf_fcp_cmnd_handler+0x3de/0x490 [zfcp]
 [<000003ff807be30a>] zfcp_fsf_req_complete+0x252/0x800 [zfcp]
 [<000003ff807c0a48>] zfcp_fsf_reqid_check+0xe8/0x190 [zfcp]
 [<000003ff807c194e>] zfcp_qdio_int_resp+0x66/0x188 [zfcp]
 [<000003ff80440c64>] qdio_kick_handler+0xdc/0x310 [qdio]
 [<000003ff804463d0>] __tiqdio_inbound_processing+0xf8/0xcd8 [qdio]
 [<0000000000141fd4>] tasklet_action+0x9c/0x170
 [<0000000000141550>] __do_softirq+0xe8/0x258
 [<000000000010ce0a>] do_softirq+0xba/0xc0
 [<000000000014187c>] irq_exit+0xc4/0xe8
 [<000000000046b526>] do_IRQ+0x146/0x1d8
 [<00000000005d6a3c>] io_return+0x0/0x8
 [<00000000005d6422>] vtime_stop_cpu+0x4a/0xa0
([<0000000000000000>] 0x0)
 [<0000000000103d8a>] arch_cpu_idle+0xa2/0xb0
 [<0000000000197f94>] cpu_startup_entry+0x13c/0x1f8
 [<0000000000114782>] smp_start_secondary+0xda/0xe8
 [<00000000005d6efe>] restart_int_handler+0x56/0x6c
 [<0000000000000000>] 0x0
Last Breaking-Event-Address:
 [<00000000003bf12e>] arch_spin_lock_wait+0x56/0xb0

Suggested-by: Steffen Maier <maier@linux.vnet.ibm.com>
Signed-off-by: Benjamin Block <bblock@linux.vnet.ibm.com>
Fixes: ea127f9754 ("[PATCH] s390 (7/7): zfcp host adapter.") (tglx/history.git)
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/s390/scsi/zfcp_dbf.h     | 11 ++++++++
 drivers/s390/scsi/zfcp_reqlist.h | 30 ++++++++++++++++++++-
 drivers/s390/scsi/zfcp_scsi.c    | 57 ++++++++++++++++++++++++++++++++++++++--
 3 files changed, 95 insertions(+), 3 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_dbf.h b/drivers/s390/scsi/zfcp_dbf.h
index 440aa619da1d..e7839ecaf332 100644
--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -388,4 +388,15 @@ void zfcp_dbf_scsi_devreset(char *tag, struct scsi_cmnd *scmnd, u8 flag)
 	_zfcp_dbf_scsi(tmp_tag, 1, scmnd, NULL);
 }
 
+/**
+ * zfcp_dbf_scsi_nullcmnd() - trace NULLify of SCSI command in dev/tgt-reset.
+ * @scmnd: SCSI command that was NULLified.
+ * @fsf_req: request that owned @scmnd.
+ */
+static inline void zfcp_dbf_scsi_nullcmnd(struct scsi_cmnd *scmnd,
+					  struct zfcp_fsf_req *fsf_req)
+{
+	_zfcp_dbf_scsi("scfc__1", 3, scmnd, fsf_req);
+}
+
 #endif /* ZFCP_DBF_H */
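
Review bot: `zfcp_dbf_scsi_nullcmnd()` hard-codes the tag `"scfc__1"` and trace level `3`, while the helper just above it passes level `1`, and the kernel-doc does not explain the choice. Since this record marks a command pointer being cleared during a device or target reset, say in the comment why it is logged at level 3 and what the tag stands for.
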
diff --git a/drivers/s390/scsi/zfcp_reqlist.h b/drivers/s390/scsi/zfcp_reqlist.h
index 7c2c6194dfca..703fce59befe 100644
--- a/drivers/s390/scsi/zfcp_reqlist.h
+++ b/drivers/s390/scsi/zfcp_reqlist.h
@@ -4,7 +4,7 @@
  * Data structure and helper functions for tracking pending FSF
  * requests.
  *
- * Copyright IBM Corp. 2009
+ * Copyright IBM Corp. 2009, 2016
  */
 
 #ifndef ZFCP_REQLIST_H
@@ -180,4 +180,32 @@ static inline void zfcp_reqlist_move(struct zfcp_reqlist *rl,
 	spin_unlock_irqrestore(&rl->lock, flags);
 }
 
+/**
+ * zfcp_reqlist_apply_for_all() - apply a function to every request.
+ * @rl: the requestlist that contains the target requests.
+ * @f: the function to apply to each request; the first parameter of the
+ *     function will be the target-request; the second parameter is the same
+ *     pointer as given with the argument @data.
+ * @data: freely chosen argument; passed through to @f as second parameter.
+ *
+ * Uses :c:macro:`list_for_each_entry` to iterate over the lists in the hash-
+ * table (not a 'safe' variant, so don't modify the list).
+ *
+ * Holds @rl->lock over the entire request-iteration.
+ */
+static inline void
+zfcp_reqlist_apply_for_all(struct zfcp_reqlist *rl,
+			   void (*f)(struct zfcp_fsf_req *, void *), void *data)
+{
+	struct zfcp_fsf_req *req;
+	unsigned long flags;
+	unsigned int i;
+
+	spin_lock_irqsave(&rl->lock, flags);
+	for (i = 0; i < ZFCP_REQ_LIST_BUCKETS; i++)
+		list_for_each_entry(req, &rl->buckets[i], list)
+			f(req, data);
+	spin_unlock_irqrestore(&rl->lock, flags);
+}
+
 #endif /* ZFCP_REQLIST_H */
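
Review bot: the kernel-doc of zfcp_reqlist_apply_for_all() warns against modifying the list but does not say that @f runs with rl->lock held and interrupts disabled (spin_lock_irqsave). Document that @f must not sleep and must not call another zfcp_reqlist_* helper that takes rl->lock, such as zfcp_reqlist_move() just above, since that would deadlock on the same spinlock.
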
diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
index 38ee0df633a3..0bbc2a9a95c5 100644
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
  *
  * Interface to Linux SCSI midlayer.
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -230,6 +230,57 @@ static int zfcp_scsi_eh_abort_handler(struct scsi_cmnd *scpnt)
 	return retval;
 }
 
+struct zfcp_scsi_req_filter {
+	u8 tmf_scope;
+	u32 lun_handle;
+	u32 port_handle;
+};
+
+static void zfcp_scsi_forget_cmnd(struct zfcp_fsf_req *old_req, void *data)
+{
+	struct zfcp_scsi_req_filter *filter =
+		(struct zfcp_scsi_req_filter *)data;
+
+	/* already aborted - prevent side-effects - or not a SCSI command */
+	if (old_req->data == NULL || old_req->fsf_command != FSF_QTCB_FCP_CMND)
+		return;
+
+	/* (tmf_scope == FCP_TMF_TGT_RESET || tmf_scope == FCP_TMF_LUN_RESET) */
+	if (old_req->qtcb->header.port_handle != filter->port_handle)
+		return;
+
+	if (filter->tmf_scope == FCP_TMF_LUN_RESET &&
+	    old_req->qtcb->header.lun_handle != filter->lun_handle)
+		return;
+
+	zfcp_dbf_scsi_nullcmnd((struct scsi_cmnd *)old_req->data, old_req);
+	old_req->data = NULL;
+}
+
+static void zfcp_scsi_forget_cmnds(struct zfcp_scsi_dev *zsdev, u8 tm_flags)
+{
+	struct zfcp_adapter *adapter = zsdev->port->adapter;
+	struct zfcp_scsi_req_filter filter = {
+		.tmf_scope = FCP_TMF_TGT_RESET,
+		.port_handle = zsdev->port->handle,
+	};
+	unsigned long flags;
+
+	if (tm_flags == FCP_TMF_LUN_RESET) {
+		filter.tmf_scope = FCP_TMF_LUN_RESET;
+		filter.lun_handle = zsdev->lun_handle;
+	}
+
+	/*
+	 * abort_lock secures against other processings - in the abort-function
+	 * and normal cmnd-handler - of (struct zfcp_fsf_req *)->data
+	 */
+	write_lock_irqsave(&adapter->abort_lock, flags);
+	zfcp_reqlist_apply_for_all(adapter->req_list, zfcp_scsi_forget_cmnd,
+				   &filter);
+	write_unlock_irqrestore(&adapter->abort_lock, flags);
+}
+
 static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags)
 {
 	struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device);
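
Review bot: in zfcp_scsi_forget_cmnds() every tm_flags value other than FCP_TMF_LUN_RESET silently gets target-reset scope, because the filter is initialised with .tmf_scope = FCP_TMF_TGT_RESET and only overridden by "if (tm_flags == FCP_TMF_LUN_RESET)". With that scope zfcp_scsi_forget_cmnd() NULLs ->data of every pending FCP command on the port, so an unexpected flag value has the widest possible effect. The commented-out condition in zfcp_scsi_forget_cmnd() hints at the intended invariant; turn it into a real check, for example an early return or a warning when tm_flags is neither of the two values. The nesting of rl->lock inside abort_lock is worth a line in the comment above write_lock_irqsave() as well, and the cast of the void pointer "data" is unnecessary in C.
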
@@ -262,8 +313,10 @@ static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags)
 	if (fsf_req->status & ZFCP_STATUS_FSFREQ_TMFUNCFAILED) {
 		zfcp_dbf_scsi_devreset("fail", scpnt, tm_flags);
 		retval = FAILED;
-	} else
+	} else {
 		zfcp_dbf_scsi_devreset("okay", scpnt, tm_flags);
+		zfcp_scsi_forget_cmnds(zfcp_sdev, tm_flags);
+	}
 
 	zfcp_fsf_req_free(fsf_req);
 	return retval;
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 051/235] scsi: zfcp: do not trace pure benign residual HBA responses at default level
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (49 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 050/235] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 052/235] scsi: zfcp: fix rport unblock race with LUN recovery Jiri Slaby
                   ` (185 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Steffen Maier, Martin K . Petersen, Jiri Slaby

From: Steffen Maier <maier@linux.vnet.ibm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 56d23ed7adf3974f10e91b643bd230e9c65b5f79 upstream.

For quite a while now, Linux has issued enough SCSI commands per scsi_device
which successfully return with FCP_RESID_UNDER, FSF_FCP_RSP_AVAILABLE,
and SAM_STAT_GOOD.  This floods the HBA trace area and we cannot see
other and important HBA trace records long enough.

Therefore, do not trace HBA response errors for pure benign residual
under counts at the default trace level.

This excludes benign residual under count combined with other validity
bits set in FCP_RSP_IU, such as FCP_SNS_LEN_VAL.  For all those other
cases, we still do want to see both the HBA record and the corresponding
SCSI record by default.

Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Fixes: a54ca0f62f95 ("[SCSI] zfcp: Redesign of the debug tracing for HBA records.")
Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/s390/scsi/zfcp_dbf.h | 30 ++++++++++++++++++++++++++++--
 drivers/s390/scsi/zfcp_fsf.h |  3 ++-
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_dbf.h b/drivers/s390/scsi/zfcp_dbf.h
index e7839ecaf332..a8165f142550 100644
--- a/drivers/s390/scsi/zfcp_dbf.h
+++ b/drivers/s390/scsi/zfcp_dbf.h
@@ -2,7 +2,7 @@
  * zfcp device driver
  * debug feature declarations
  *
- * Copyright IBM Corp. 2008, 2015
+ * Copyright IBM Corp. 2008, 2016
  */
 
 #ifndef ZFCP_DBF_H
@@ -283,6 +283,30 @@ struct zfcp_dbf {
 	struct zfcp_dbf_scsi		scsi_buf;
 };
 
+/**
+ * zfcp_dbf_hba_fsf_resp_suppress - true if we should not trace by default
+ * @req: request that has been completed
+ *
+ * Returns true if FCP response with only benign residual under count.
+ */
+static inline
+bool zfcp_dbf_hba_fsf_resp_suppress(struct zfcp_fsf_req *req)
+{
+	struct fsf_qtcb *qtcb = req->qtcb;
+	u32 fsf_stat = qtcb->header.fsf_status;
+	struct fcp_resp *fcp_rsp;
+	u8 rsp_flags, fr_status;
+
+	if (qtcb->prefix.qtcb_type != FSF_IO_COMMAND)
+		return false; /* not an FCP response */
+	fcp_rsp = (struct fcp_resp *)&qtcb->bottom.io.fcp_rsp;
+	rsp_flags = fcp_rsp->fr_flags;
+	fr_status = fcp_rsp->fr_status;
+	return (fsf_stat == FSF_FCP_RSP_AVAILABLE) &&
+		(rsp_flags == FCP_RESID_UNDER) &&
+		(fr_status == SAM_STAT_GOOD);
+}
+
 static inline
 void zfcp_dbf_hba_fsf_resp(char *tag, int level, struct zfcp_fsf_req *req)
 {
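
Review bot: "rsp_flags == FCP_RESID_UNDER" in zfcp_dbf_hba_fsf_resp_suppress() is an exact comparison rather than a bit test, and nothing in the code says this is deliberate. The changelog explains that responses with additional validity bits such as FCP_SNS_LEN_VAL must still be traced at the default level; put that in a comment next to the comparison so that it is not later changed to "rsp_flags & FCP_RESID_UNDER". The kernel-doc line "only benign residual under count" could also name the three conditions that are actually tested.
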
@@ -304,7 +328,9 @@ void zfcp_dbf_hba_fsf_response(struct zfcp_fsf_req *req)
 		zfcp_dbf_hba_fsf_resp("fs_perr", 1, req);
 
 	} else if (qtcb->header.fsf_status != FSF_GOOD) {
-		zfcp_dbf_hba_fsf_resp("fs_ferr", 1, req);
+		zfcp_dbf_hba_fsf_resp("fs_ferr",
+				      zfcp_dbf_hba_fsf_resp_suppress(req)
+				      ? 5 : 1, req);
 
 	} else if ((req->fsf_command == FSF_QTCB_OPEN_PORT_WITH_DID) ||
 		   (req->fsf_command == FSF_QTCB_OPEN_LUN)) {
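
Review bot: the trace levels in "zfcp_dbf_hba_fsf_resp_suppress(req) ? 5 : 1" are bare numbers, so the call site does not show which of the two is the default level and which one hides the record. Name the levels or add a short comment here; the same literal 1 is already used for "fs_perr" in the branch above, so a shared constant would keep them in step.
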
diff --git a/drivers/s390/scsi/zfcp_fsf.h b/drivers/s390/scsi/zfcp_fsf.h
index be1c04b334c5..ea3c76ac0de1 100644
--- a/drivers/s390/scsi/zfcp_fsf.h
+++ b/drivers/s390/scsi/zfcp_fsf.h
@@ -3,7 +3,7 @@
  *
  * Interface to the FSF support functions.
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #ifndef FSF_H
@@ -78,6 +78,7 @@
 #define FSF_APP_TAG_CHECK_FAILURE		0x00000082
 #define FSF_REF_TAG_CHECK_FAILURE		0x00000083
 #define FSF_ADAPTER_STATUS_AVAILABLE		0x000000AD
+#define FSF_FCP_RSP_AVAILABLE			0x000000AF
 #define FSF_UNKNOWN_COMMAND			0x000000E2
 #define FSF_UNKNOWN_OP_SUBTYPE                  0x000000E3
 #define FSF_INVALID_COMMAND_OPTION              0x000000E5
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 052/235] scsi: zfcp: fix rport unblock race with LUN recovery
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (50 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 051/235] scsi: zfcp: do not trace pure benign residual HBA responses at default level Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 053/235] scsi: avoid a permanent stop of the scsi device's request queue Jiri Slaby
                   ` (184 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Steffen Maier, Martin K . Petersen, Jiri Slaby

From: Steffen Maier <maier@linux.vnet.ibm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6f2ce1c6af37191640ee3ff6e8fc39ea10352f4c upstream.

It is unavoidable that zfcp_scsi_queuecommand() has to finish requests
with DID_IMM_RETRY (like fc_remote_port_chkready()) during the time
window when zfcp detected an unavailable rport but
fc_remote_port_delete(), which is asynchronous via
zfcp_scsi_schedule_rport_block(), has not yet blocked the rport.

However, for the case when the rport becomes available again, we should
prevent unblocking the rport too early.  In contrast to other FCP LLDDs,
zfcp has to open each LUN with the FCP channel hardware before it can
send I/O to a LUN.  So if a port already has LUNs attached and we
unblock the rport just after port recovery, recoveries of LUNs behind
this port can still be pending which in turn force
zfcp_scsi_queuecommand() to unnecessarily finish requests with
DID_IMM_RETRY.

This also opens a time window with unblocked rport (until the followup
LUN reopen recovery has finished).  If a scsi_cmnd timeout occurs during
this time window fc_timed_out() cannot work as desired and such command
would indeed time out and trigger scsi_eh. This prevents a clean and
timely path failover.  This should not happen if the path issue can be
recovered on FC transport layer such as path issues involving RSCNs.

Fix this by only calling zfcp_scsi_schedule_rport_register(), to
asynchronously trigger fc_remote_port_add(), after all LUN recoveries as
children of the rport have finished and no new recoveries of equal or
higher order were triggered meanwhile.  Finished intentionally includes
any recovery result no matter if successful or failed (still unblock
rport so other successful LUNs work).  For simplicity, we check after
each finished LUN recovery if there is another LUN recovery pending on
the same port and then do nothing.  We handle the special case of a
successful recovery of a port without LUN children the same way without
changing this case's semantics.

For debugging we introduce 2 new trace records written if the rport
unblock attempt was aborted due to still unfinished or freshly triggered
recovery. The records are only written above the default trace level.

Benjamin noticed the important special case of new recovery that can be
triggered between having given up the erp_lock and before calling
zfcp_erp_action_cleanup() within zfcp_erp_strategy().  We must avoid the
following sequence:

ERP thread                 rport_work      other context
-------------------------  --------------  --------------------------------
port is unblocked, rport still blocked,
 due to pending/running ERP action,
 so ((port->status & ...UNBLOCK) != 0)
 and (port->rport == NULL)
unlock ERP
zfcp_erp_action_cleanup()
case ZFCP_ERP_ACTION_REOPEN_LUN:
zfcp_erp_try_rport_unblock()
((status & ...UNBLOCK) != 0) [OLD!]
                                           zfcp_erp_port_reopen()
                                           lock ERP
                                           zfcp_erp_port_block()
                                           port->status clear ...UNBLOCK
                                           unlock ERP
                                           zfcp_scsi_schedule_rport_block()
                                           port->rport_task = RPORT_DEL
                                           queue_work(rport_work)
                           zfcp_scsi_rport_work()
                           (port->rport_task != RPORT_ADD)
                           port->rport_task = RPORT_NONE
                           zfcp_scsi_rport_block()
                           if (!port->rport) return
zfcp_scsi_schedule_rport_register()
port->rport_task = RPORT_ADD
queue_work(rport_work)
                           zfcp_scsi_rport_work()
                           (port->rport_task == RPORT_ADD)
                           port->rport_task = RPORT_NONE
                           zfcp_scsi_rport_register()
                           (port->rport == NULL)
                           rport = fc_remote_port_add()
                           port->rport = rport;

Now the rport was erroneously unblocked while the zfcp_port is blocked.
This is another situation we want to avoid due to scsi_eh
potential. This state would at least remain until the new recovery from
the other context finished successfully, or potentially forever if it
failed.  In order to close this race, we take the erp_lock inside
zfcp_erp_try_rport_unblock() when checking the status of zfcp_port or
LUN.  With that, the possible corresponding rport state sequences would
be: (unblock[ERP thread],block[other context]) if the ERP thread gets
erp_lock first and still sees ((port->status & ...UNBLOCK) != 0),
(block[other context],NOP[ERP thread]) if the ERP thread gets erp_lock
after the other context has already cleared ...UNBLOCK from port->status.

Since checking fields of struct erp_action is unsafe because they could
have been overwritten (re-used for new recovery) meanwhile, we only
check status of zfcp_port and LUN since these are only changed under
erp_lock elsewhere. Regarding the check of the proper status flags (port
or port_forced are similar to the shown adapter recovery):

[zfcp_erp_adapter_shutdown()]
zfcp_erp_adapter_reopen()
 zfcp_erp_adapter_block()
  * clear UNBLOCK ---------------------------------------+
 zfcp_scsi_schedule_rports_block()                       |
 write_lock_irqsave(&adapter->erp_lock, flags);-------+  |
 zfcp_erp_action_enqueue()                            |  |
  zfcp_erp_setup_act()                                |  |
   * set ERP_INUSE -----------------------------------|--|--+
 write_unlock_irqrestore(&adapter->erp_lock, flags);--+  |  |
.context-switch.                                         |  |
zfcp_erp_thread()                                        |  |
 zfcp_erp_strategy()                                     |  |
  write_lock_irqsave(&adapter->erp_lock, flags);------+  |  |
  ...                                                 |  |  |
  zfcp_erp_strategy_check_target()                    |  |  |
   zfcp_erp_strategy_check_adapter()                  |  |  |
    zfcp_erp_adapter_unblock()                        |  |  |
     * set UNBLOCK -----------------------------------|--+  |
  zfcp_erp_action_dequeue()                           |     |
   * clear ERP_INUSE ---------------------------------|-----+
  ...                                                 |
  write_unlock_irqrestore(&adapter->erp_lock, flags);-+

Hence, we should check for both UNBLOCK and ERP_INUSE because they are
interleaved.  Also we need to explicitly check ERP_FAILED for the link
down case which currently does not clear the UNBLOCK flag in
zfcp_fsf_link_down_info_eval().

Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Fixes: 8830271c4819 ("[SCSI] zfcp: Dont fail SCSI commands when transitioning to blocked fc_rport")
Fixes: a2fa0aede07c ("[SCSI] zfcp: Block FC transport rports early on errors")
Fixes: 5f852be9e11d ("[SCSI] zfcp: Fix deadlock between zfcp ERP and SCSI")
Fixes: 338151e06608 ("[SCSI] zfcp: make use of fc_remote_port_delete when target port is unavailable")
Fixes: 3859f6a248cb ("[PATCH] zfcp: add rports to enable scsi_add_device to work again")
Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/s390/scsi/zfcp_dbf.c  | 17 +++++++++---
 drivers/s390/scsi/zfcp_erp.c  | 61 +++++++++++++++++++++++++++++++++++++++++--
 drivers/s390/scsi/zfcp_ext.h  |  4 ++-
 drivers/s390/scsi/zfcp_scsi.c |  4 +--
 4 files changed, 77 insertions(+), 9 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c
index 371aed75eb83..79f0f2e096cb 100644
--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -289,11 +289,12 @@ void zfcp_dbf_rec_trig(char *tag, struct zfcp_adapter *adapter,
 
 
 /**
- * zfcp_dbf_rec_run - trace event related to running recovery
+ * zfcp_dbf_rec_run_lvl - trace event related to running recovery
+ * @level: trace level to be used for event
  * @tag: identifier for event
  * @erp: erp_action running
  */
-void zfcp_dbf_rec_run(char *tag, struct zfcp_erp_action *erp)
+void zfcp_dbf_rec_run_lvl(int level, char *tag, struct zfcp_erp_action *erp)
 {
 	struct zfcp_dbf *dbf = erp->adapter->dbf;
 	struct zfcp_dbf_rec *rec = &dbf->rec_buf;
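
Review bot: zfcp_dbf_rec_run_lvl() takes its arguments as (level, tag, erp), whereas the existing helper zfcp_dbf_hba_fsf_resp() in zfcp_dbf.h takes (tag, level, req). Consider (tag, level, erp) so that the zfcp_dbf trace helpers share one argument order. The kernel-doc for @level should also say which values are recorded by default, since the callers added in zfcp_erp.c pass a literal 4.
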
@@ -319,11 +320,21 @@ void zfcp_dbf_rec_run(char *tag, struct zfcp_erp_action *erp)
 	else
 		rec->u.run.rec_count = atomic_read(&erp->adapter->erp_counter);
 
-	debug_event(dbf->rec, 1, rec, sizeof(*rec));
+	debug_event(dbf->rec, level, rec, sizeof(*rec));
 	spin_unlock_irqrestore(&dbf->rec_lock, flags);
 }
 
 /**
+ * zfcp_dbf_rec_run - trace event related to running recovery
+ * @tag: identifier for event
+ * @erp: erp_action running
+ */
+void zfcp_dbf_rec_run(char *tag, struct zfcp_erp_action *erp)
+{
+	zfcp_dbf_rec_run_lvl(1, tag, erp);
+}
+
+/**
  * zfcp_dbf_rec_run_wka - trace wka port event with info like running recovery
  * @tag: identifier for event
  * @wka_port: well known address port
diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
index ac86ff90c897..acb0b8c3989d 100644
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -3,7 +3,7 @@
  *
  * Error Recovery Procedures (ERP).
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #define KMSG_COMPONENT "zfcp"
@@ -1211,6 +1211,62 @@ static void zfcp_erp_action_dequeue(struct zfcp_erp_action *erp_action)
 	}
 }
 
+/**
+ * zfcp_erp_try_rport_unblock - unblock rport if no more/new recovery
+ * @port: zfcp_port whose fc_rport we should try to unblock
+ */
+static void zfcp_erp_try_rport_unblock(struct zfcp_port *port)
+{
+	unsigned long flags;
+	struct zfcp_adapter *adapter = port->adapter;
+	int port_status;
+	struct Scsi_Host *shost = adapter->scsi_host;
+	struct scsi_device *sdev;
+
+	write_lock_irqsave(&adapter->erp_lock, flags);
+	port_status = atomic_read(&port->status);
+	if ((port_status & ZFCP_STATUS_COMMON_UNBLOCKED)    == 0 ||
+	    (port_status & (ZFCP_STATUS_COMMON_ERP_INUSE |
+			    ZFCP_STATUS_COMMON_ERP_FAILED)) != 0) {
+		/* new ERP of severity >= port triggered elsewhere meanwhile or
+		 * local link down (adapter erp_failed but not clear unblock)
+		 */
+		zfcp_dbf_rec_run_lvl(4, "ertru_p", &port->erp_action);
+		write_unlock_irqrestore(&adapter->erp_lock, flags);
+		return;
+	}
+	spin_lock(shost->host_lock);
+	__shost_for_each_device(sdev, shost) {
+		struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
+		int lun_status;
+
+		if (zsdev->port != port)
+			continue;
+		/* LUN under port of interest */
+		lun_status = atomic_read(&zsdev->status);
+		if ((lun_status & ZFCP_STATUS_COMMON_ERP_FAILED) != 0)
+			continue; /* unblock rport despite failed LUNs */
+		/* LUN recovery not given up yet [maybe follow-up pending] */
+		if ((lun_status & ZFCP_STATUS_COMMON_UNBLOCKED) == 0 ||
+		    (lun_status & ZFCP_STATUS_COMMON_ERP_INUSE) != 0) {
+			/* LUN blocked:
+			 * not yet unblocked [LUN recovery pending]
+			 * or meanwhile blocked [new LUN recovery triggered]
+			 */
+			zfcp_dbf_rec_run_lvl(4, "ertru_l", &zsdev->erp_action);
+			spin_unlock(shost->host_lock);
+			write_unlock_irqrestore(&adapter->erp_lock, flags);
+			return;
+		}
+	}
+	/* now port has no child or all children have completed recovery,
+	 * and no ERP of severity >= port was meanwhile triggered elsewhere
+	 */
+	zfcp_scsi_schedule_rport_register(port);
+	spin_unlock(shost->host_lock);
+	write_unlock_irqrestore(&adapter->erp_lock, flags);
+}
+
 static void zfcp_erp_action_cleanup(struct zfcp_erp_action *act, int result)
 {
 	struct zfcp_adapter *adapter = act->adapter;
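
Review bot: zfcp_erp_try_rport_unblock() takes shost->host_lock while holding adapter->erp_lock for writing, and this nesting order is not documented anywhere in the hunk. State the order (erp_lock first, then host_lock) in the kernel-doc so that no other path acquires them the other way round. zfcp_scsi_schedule_rport_register(port) is also called with both locks still held; if only erp_lock is needed to close the race described in the changelog, dropping host_lock before the call would shorten that critical section. The repeated unlock-and-return sequences could be folded into exit labels.
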
@@ -1221,6 +1277,7 @@ static void zfcp_erp_action_cleanup(struct zfcp_erp_action *act, int result)
 	case ZFCP_ERP_ACTION_REOPEN_LUN:
 		if (!(act->status & ZFCP_STATUS_ERP_NO_REF))
 			scsi_device_put(sdev);
+		zfcp_erp_try_rport_unblock(port);
 		break;
 
 	case ZFCP_ERP_ACTION_REOPEN_PORT:
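
Review bot: in the ZFCP_ERP_ACTION_REOPEN_LUN case zfcp_erp_try_rport_unblock(port) is called regardless of "result", while the REOPEN_PORT case calls it only for ZFCP_ERP_SUCCEEDED. The changelog says this is intended, because a failed LUN recovery must still unblock the rport for the other LUNs; add a one-line comment here saying so, otherwise the asymmetry reads like a missing check.
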
@@ -1231,7 +1288,7 @@ static void zfcp_erp_action_cleanup(struct zfcp_erp_action *act, int result)
 		 */
 		if (act->step != ZFCP_ERP_STEP_UNINITIALIZED)
 			if (result == ZFCP_ERP_SUCCEEDED)
-				zfcp_scsi_schedule_rport_register(port);
+				zfcp_erp_try_rport_unblock(port);
 		/* fall through */
 	case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED:
 		put_device(&port->dev);
diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h
index 1f1fe41ecb97..0c8c8b8fc1de 100644
--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -3,7 +3,7 @@
  *
  * External function declarations.
  *
- * Copyright IBM Corp. 2002, 2015
+ * Copyright IBM Corp. 2002, 2016
  */
 
 #ifndef ZFCP_EXT_H
@@ -35,6 +35,8 @@ extern void zfcp_dbf_adapter_unregister(struct zfcp_adapter *);
 extern void zfcp_dbf_rec_trig(char *, struct zfcp_adapter *,
 			      struct zfcp_port *, struct scsi_device *, u8, u8);
 extern void zfcp_dbf_rec_run(char *, struct zfcp_erp_action *);
+extern void zfcp_dbf_rec_run_lvl(int level, char *tag,
+				 struct zfcp_erp_action *erp);
 extern void zfcp_dbf_rec_run_wka(char *, struct zfcp_fc_wka_port *, u64);
 extern void zfcp_dbf_hba_fsf_uss(char *, struct zfcp_fsf_req *);
 extern void zfcp_dbf_hba_fsf_res(char *, int, struct zfcp_fsf_req *);
diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
index 0bbc2a9a95c5..66c37e77ac7c 100644
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -109,9 +109,7 @@ int zfcp_scsi_queuecommand(struct Scsi_Host *shost, struct scsi_cmnd *scpnt)
 	}
 
 	if (unlikely(!(status & ZFCP_STATUS_COMMON_UNBLOCKED))) {
-		/* This could be either
-		 * open LUN pending: this is temporary, will result in
-		 *	open LUN or ERP_FAILED, so retry command
+		/* This could be
 		 * call to rport_delete pending: mimic retry from
 		 * 	fc_remote_port_chkready until rport is BLOCKED
 		 */
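
Review bot: after the removal of the "open LUN pending" alternative the remaining comment reads "This could be" followed directly by "call to rport_delete pending:", which no longer parses as a sentence. Reword it as a single statement, for example "call to rport_delete pending: mimic retry from fc_remote_port_chkready until rport is BLOCKED", and use the kernel's usual multi-line comment opening while touching it.
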
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 053/235] scsi: avoid a permanent stop of the scsi device's request queue
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (51 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 052/235] scsi: zfcp: fix rport unblock race with LUN recovery Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 054/235] s390/vmlogrdr: fix IUCV buffer allocation Jiri Slaby
                   ` (183 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Wei Fang, Martin K . Petersen, Jiri Slaby

From: Wei Fang <fangwei1@huawei.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d2a145252c52792bc59e4767b486b26c430af4bb upstream.

A race between scanning and fc_remote_port_delete() may result in a
permanent stop if the device gets blocked before scsi_sysfs_add_sdev()
and unblocked after.  The reason is that blocking a device sets both the
SDEV_BLOCKED state and the QUEUE_FLAG_STOPPED.  However,
scsi_sysfs_add_sdev() unconditionally sets SDEV_RUNNING which causes the
device to be ignored by scsi_target_unblock() and thus never have its
QUEUE_FLAG_STOPPED cleared leading to a device which is apparently
running but has a stopped queue.

We actually have two places where SDEV_RUNNING is set: once in
scsi_add_lun() which respects the blocked flag and once in
scsi_sysfs_add_sdev() which doesn't.  Since the second set is entirely
spurious, simply remove it to fix the problem.

Reported-by: Zengxi Chen <chenzengxi@huawei.com>
Signed-off-by: Wei Fang <fangwei1@huawei.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/scsi/scsi_sysfs.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
index 14ad111b2851..970f655f8532 100644
--- a/drivers/scsi/scsi_sysfs.c
+++ b/drivers/scsi/scsi_sysfs.c
@@ -905,10 +905,6 @@ int scsi_sysfs_add_sdev(struct scsi_device *sdev)
 	struct request_queue *rq = sdev->request_queue;
 	struct scsi_target *starget = sdev->sdev_target;
 
-	error = scsi_device_set_state(sdev, SDEV_RUNNING);
-	if (error)
-		return error;
-
 	error = scsi_target_add(starget);
 	if (error)
 		return error;
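
Review bot: with the scsi_device_set_state(sdev, SDEV_RUNNING) call removed, scsi_sysfs_add_sdev() relies on its caller having already set the device state, and nothing in the function records that. Per the changelog the state is set in scsi_add_lun(), which respects the blocked flag; a short comment at the top of this function stating that precondition would keep the call from being re-added later.
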
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 054/235] s390/vmlogrdr: fix IUCV buffer allocation
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (52 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 053/235] scsi: avoid a permanent stop of the scsi device's request queue Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 055/235] md/raid5: limit request size according to implementation limits Jiri Slaby
                   ` (182 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Gerald Schaefer, Martin Schwidefsky, Jiri Slaby

From: Gerald Schaefer <gerald.schaefer@de.ibm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5457e03de918f7a3e294eb9d26a608ab8a579976 upstream.

The buffer for iucv_message_receive() needs to be below 2 GB. In
__iucv_message_receive(), the buffer address is cast to a u32, which
would result in either memory corruption or an addressing exception when
using addresses >= 2 GB.

Fix this by using GFP_DMA for the buffer allocation.

Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/s390/char/vmlogrdr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/s390/char/vmlogrdr.c b/drivers/s390/char/vmlogrdr.c
index cf31d3321dab..a7f44f30273b 100644
--- a/drivers/s390/char/vmlogrdr.c
+++ b/drivers/s390/char/vmlogrdr.c
@@ -873,7 +873,7 @@ static int __init vmlogrdr_init(void)
 		goto cleanup;
 
 	for (i=0; i < MAXMINOR; ++i ) {
-		sys_ser[i].buffer = (char *) get_zeroed_page(GFP_KERNEL);
+		sys_ser[i].buffer = (char *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
 		if (!sys_ser[i].buffer) {
 			rc = -ENOMEM;
 			break;
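
Review bot: the added GFP_DMA flag in vmlogrdr_init() carries no comment, so the reason for it exists only in the changelog. Add a line above the allocation saying that the buffer is passed to iucv_message_receive() and must therefore be below 2 GB. The changed line also runs past 80 columns; breaking it after the assignment operator would fix that.
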
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 055/235] md/raid5: limit request size according to implementation limits
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (53 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 054/235] s390/vmlogrdr: fix IUCV buffer allocation Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 056/235] kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) Jiri Slaby
                   ` (181 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Konstantin Khlebnikov, Shaohua Li, Neil Brown,
	Shaohua Li, Jiri Slaby

From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e8d7c33232e5fdfa761c3416539bc5b4acd12db5 upstream.

The current implementation employs a 16-bit counter of active stripes in
the lower bits of bio->bi_phys_segments. If a request is big enough to
overflow this counter, the bio will be completed and freed too early.

Fortunately this does not happen in the default configuration because
several other limits prevent it: stripe_cache_size * nr_disks effectively
limits the count of active stripes, and a small max_sectors_kb on the
lower disks prevents it during normal read/write operations.

Overflow easily happens in discard if it is enabled by the module parameter
"devices_handle_discard_safely" and stripe_cache_size is set big enough.

This patch limits the request size to 256Mb - 8Kb to prevent overflows.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Shaohua Li <shli@kernel.org>
Cc: Neil Brown <neilb@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/md/raid5.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index 9fbc77c6e132..01757b23e1fc 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -5943,6 +5943,15 @@ static int run(struct mddev *mddev)
 			stripe = (stripe | (stripe-1)) + 1;
 		mddev->queue->limits.discard_alignment = stripe;
 		mddev->queue->limits.discard_granularity = stripe;
+
+		/*
+		 * We use 16-bit counter of active stripes in bi_phys_segments
+		 * (minus one for over-loaded initialization)
+		 */
+		blk_queue_max_hw_sectors(mddev->queue, 0xfffe * STRIPE_SECTORS);
+		blk_queue_max_discard_sectors(mddev->queue,
+					      0xfffe * STRIPE_SECTORS);
+
 		/*
 		 * unaligned part of discard request will be ignored, so can't
 		 * guarantee discard_zeroes_data
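
Review bot: the limit "0xfffe * STRIPE_SECTORS" is written out twice in run(), once for blk_queue_max_hw_sectors() and once for blk_queue_max_discard_sectors(), and the link to the 16-bit counter exists only in the comment. Define one named constant next to the code that packs the counter into bi_phys_segments and use it in both calls, so that the limit follows if the counter width ever changes. The comment's "minus one for over-loaded initialization" would also be clearer if it said which value of the counter is reserved.
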
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 056/235] kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (54 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 055/235] md/raid5: limit request size according to implementation limits Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 057/235] ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short jumps to it Jiri Slaby
                   ` (180 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Jim Mattson, Paolo Bonzini, Jiri Slaby

From: Jim Mattson <jmattson@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ef85b67385436ddc1998f45f1d6a210f935b3388 upstream.

When L2 exits to L0 due to "exception or NMI", software exceptions
(#BP and #OF) for which L1 has requested an intercept should be
handled by L1 rather than L0. Previously, only hardware exceptions
were forwarded to L1.

Signed-off-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/kvm/vmx.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index b81c81bce181..c7f2b3c52d92 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1052,10 +1052,10 @@ static inline int nested_cpu_has_ept(struct vmcs12 *vmcs12)
 	return nested_cpu_has2(vmcs12, SECONDARY_EXEC_ENABLE_EPT);
 }
 
-static inline bool is_exception(u32 intr_info)
+static inline bool is_nmi(u32 intr_info)
 {
 	return (intr_info & (INTR_INFO_INTR_TYPE_MASK | INTR_INFO_VALID_MASK))
-		== (INTR_TYPE_HARD_EXCEPTION | INTR_INFO_VALID_MASK);
+		== (INTR_TYPE_NMI_INTR | INTR_INFO_VALID_MASK);
 }
 
 static void nested_vmx_vmexit(struct kvm_vcpu *vcpu);
@@ -4769,7 +4769,7 @@ static int handle_exception(struct kvm_vcpu *vcpu)
 	if (is_machine_check(intr_info))
 		return handle_machine_check(vcpu);
 
-	if ((intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR)
+	if (is_nmi(intr_info))
 		return 1;  /* already handled by vmx_vcpu_run() */
 
 	if (is_no_device(intr_info)) {
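Review bot: replacing the open-coded test in handle_exception() with is_nmi() is not a pure refactor, because the removed line compared only the INTR_INFO_INTR_TYPE_MASK bits while is_nmi() also requires INTR_INFO_VALID_MASK to be set. An intr_info with NMI type and the valid bit clear used to return 1 here and now falls through to the is_no_device() check. The stricter test is probably what is wanted, but the commit message only talks about #BP and #OF, so this side effect deserves a sentence there.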
@@ -6653,7 +6653,7 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
 
 	switch (exit_reason) {
 	case EXIT_REASON_EXCEPTION_NMI:
-		if (!is_exception(intr_info))
+		if (is_nmi(intr_info))
 			return 0;
 		else if (is_page_fault(intr_info))
 			return enable_ept;
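Review bot: in nested_vmx_exit_handled() the condition flips from "not a valid hardware exception" to "is a valid NMI", so the early `return 0` now covers NMIs only and every other intr_info arriving with EXIT_REASON_EXCEPTION_NMI goes on to the is_page_fault() test and the checks after it. That is what lets software exceptions through, but it also covers any other interruption type and an intr_info whose valid bit is clear. A short comment above `if (is_nmi(intr_info))` stating that everything except NMI is subject to L1's intercept settings would make the intended scope explicit.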
@@ -6962,8 +6962,7 @@ static void vmx_complete_atomic_exit(struct vcpu_vmx *vmx)
 		kvm_machine_check();
 
 	/* We need to handle NMIs before interrupts are enabled */
-	if ((exit_intr_info & INTR_INFO_INTR_TYPE_MASK) == INTR_TYPE_NMI_INTR &&
-	    (exit_intr_info & INTR_INFO_VALID_MASK)) {
+	if (is_nmi(exit_intr_info)) {
 		kvm_before_handle_nmi(&vmx->vcpu);
 		asm("int $2");
 		kvm_after_handle_nmi(&vmx->vcpu);
-- 
2.11.0


* [PATCH 3.12 057/235] ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short jumps to it
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (55 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 056/235] kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 058/235] IB/mad: Fix an array index check Jiri Slaby
                   ` (179 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Steven Rostedt (Red Hat), Jiri Slaby

From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 847fa1a6d3d00f3bdf68ef5fa4a786f644a0dd67 upstream.

With new binutils, gcc may get smart with its optimization and change a jmp
from a 5 byte jump to a 2 byte one even though it was jumping to a global
function. But that global function existed within a 2 byte radius, and gcc
was able to optimize it. Unfortunately, that jump was also being modified
when function graph tracing begins. Since ftrace expected that jump to be 5
bytes, but it was only two, it overwrote code after the jump, causing a
crash.

This was fixed for x86_64 with commit 8329e818f149, with the same subject as
this commit, but nothing was done for x86_32.

Fixes: d61f82d06672 ("ftrace: use dynamic patching for updating mcount calls")
Reported-by: Colin Ian King <colin.king@canonical.com>
Tested-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/kernel/entry_32.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index 1f1c33d0a13c..a78db5ed8b3f 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -1113,8 +1113,8 @@ ftrace_graph_call:
 	jmp ftrace_stub
 #endif
 
-.globl ftrace_stub
-ftrace_stub:
+/* This is weak to keep gas from relaxing the jumps */
+WEAK(ftrace_stub)
 	ret
 END(ftrace_caller)
 
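Review bot: the new comment above WEAK(ftrace_stub) says what is being avoided but not why it matters, and the reason cannot be recovered from the file itself: per the commit message, the `jmp ftrace_stub` at ftrace_graph_call is rewritten when function graph tracing starts and the patching code expects a 5-byte instruction. Spelling that out in the comment, with a matching remark at the jmp, would stop someone from later turning the symbol back into a plain .globl as a cleanup.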
-- 
2.11.0


* [PATCH 3.12 058/235] IB/mad: Fix an array index check
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (56 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 057/235] ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short jumps to it Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 059/235] IB/multicast: Check ib_find_pkey() return value Jiri Slaby
                   ` (178 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Bart Van Assche, Sean Hefty, Doug Ledford, Jiri Slaby

From: Bart Van Assche <bart.vanassche@sandisk.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 2fe2f378dd45847d2643638c07a7658822087836 upstream.

The array ib_mad_mgmt_class_table.method_table has MAX_MGMT_CLASS
(80) elements. Hence compare the array index with that value instead
of with IB_MGMT_MAX_METHODS (128). This patch avoids that Coverity
reports the following:

Overrunning array class->method_table of 80 8-byte elements at element index 127 (byte offset 1016) using index convert_mgmt_class(mad_hdr->mgmt_class) (which evaluates to 127).

Fixes: commit b7ab0b19a85f ("IB/mad: Verify mgmt class in received MADs")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Sean Hefty <sean.hefty@intel.com>
Reviewed-by: Hal Rosenstock <hal@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/infiniband/core/mad.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 4c837e66516b..f93fca41464f 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -1598,7 +1598,7 @@ find_mad_agent(struct ib_mad_port_private *port_priv,
 			if (!class)
 				goto out;
 			if (convert_mgmt_class(mad->mad_hdr.mgmt_class) >=
-			    IB_MGMT_MAX_METHODS)
+			    ARRAY_SIZE(class->method_table))
 				goto out;
 			method = class->method_table[convert_mgmt_class(
 							mad->mad_hdr.mgmt_class)];
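Review bot: convert_mgmt_class(mad->mad_hdr.mgmt_class) is still evaluated twice, once in the bound check and once as the index into class->method_table. Storing the result in a local and using it for both would make it obvious that the value checked is the value used, and would leave a single place to adjust if the conversion changes. Taking the bound from ARRAY_SIZE(class->method_table) rather than from a named constant is the right choice, since it follows the array declaration.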
-- 
2.11.0


* [PATCH 3.12 059/235] IB/multicast: Check ib_find_pkey() return value
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (57 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 058/235] IB/mad: Fix an array index check Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 060/235] PCI: Check for PME in targeted sleep state Jiri Slaby
                   ` (177 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Bart Van Assche, Sean Hefty, Doug Ledford, Jiri Slaby

From: Bart Van Assche <bart.vanassche@sandisk.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d3a2418ee36a59bc02e9d454723f3175dcf4bfd9 upstream.

This patch avoids that Coverity complains about not checking the
ib_find_pkey() return value.

Fixes: commit 547af76521b3 ("IB/multicast: Report errors on multicast groups if P_key changes")
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Cc: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/infiniband/core/multicast.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/multicast.c b/drivers/infiniband/core/multicast.c
index 180d7f436ed5..2f861b59cbc1 100644
--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -516,8 +516,11 @@ static void join_handler(int status, struct ib_sa_mcmember_rec *rec,
 	if (status)
 		process_join_error(group, status);
 	else {
-		ib_find_pkey(group->port->dev->device, group->port->port_num,
-			     be16_to_cpu(rec->pkey), &pkey_index);
+
+		if (ib_find_pkey(group->port->dev->device,
+				 group->port->port_num, be16_to_cpu(rec->pkey),
+				 &pkey_index))
+			pkey_index = MCAST_INVALID_PKEY_INDEX;
 
 		spin_lock_irq(&group->port->lock);
 		group->rec = *rec;
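Review bot: when ib_find_pkey() fails, the error code is dropped and pkey_index silently becomes MCAST_INVALID_PKEY_INDEX before group->rec is updated under the lock. The hunk does not show how pkey_index is consumed afterwards, so please confirm that the later use treats the sentinel as "no valid P_Key" rather than as an ordinary index. The empty line added directly after `else {` can go.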
-- 
2.11.0


* [PATCH 3.12 060/235] PCI: Check for PME in targeted sleep state
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (58 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 059/235] IB/multicast: Check ib_find_pkey() return value Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 061/235] libceph: verify authorize reply on connect Jiri Slaby
                   ` (176 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alan Stern, Bjorn Helgaas, Lukas Wunner, Jiri Slaby

From: Alan Stern <stern@rowland.harvard.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6496ebd7edf446fccf8266a1a70ffcb64252593e upstream.

On some systems, the firmware does not allow certain PCI devices to be put
in deep D-states.  This can cause problems for wakeup signalling, if the
device does not support PME# in the deepest allowed suspend state.  For
example, Pierre reports that on his system, ACPI does not permit his xHCI
host controller to go into D3 during runtime suspend -- but D3 is the only
state in which the controller can generate PME# signals.  As a result, the
controller goes into runtime suspend but never wakes up, so it doesn't work
properly.  USB devices plugged into the controller are never detected.

If the device relies on PME# for wakeup signals but is not capable of
generating PME# in the target state, the PCI core should accurately report
that it cannot do wakeup from runtime suspend.  This patch modifies the
pci_dev_run_wake() routine to add this check.

Reported-by: Pierre de Villemereuil <flyos@mailoo.org>
Tested-by: Pierre de Villemereuil <flyos@mailoo.org>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
CC: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/pci/pci.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 36c3e71d54b5..1b9548fb9102 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1906,6 +1906,10 @@ bool pci_dev_run_wake(struct pci_dev *dev)
 	if (!dev->pme_support)
 		return false;
 
+	/* PME-capable in principle, but not from the intended sleep state */
+	if (!pci_pme_capable(dev, pci_target_state(dev)))
+		return false;
+
 	while (bus->parent) {
 		struct pci_dev *bridge = bus->self;
 
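Review bot: with the new pci_pme_capable(dev, pci_target_state(dev)) test directly below it, the existing `if (!dev->pme_support)` check in pci_dev_run_wake() looks as if it may now be redundant. If pci_pme_capable() already returns false for a device with no PME support at all, the two checks could be merged; if not, the new comment could say why both are needed. Neither helper's body is visible here, so this is worth a glance before merging.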
-- 
2.11.0


* [PATCH 3.12 061/235] libceph: verify authorize reply on connect
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (59 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 060/235] PCI: Check for PME in targeted sleep state Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 062/235] nfs_write_end(): fix handling of short copies Jiri Slaby
                   ` (175 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Ilya Dryomov, Jiri Slaby

From: Ilya Dryomov <idryomov@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5c056fdc5b474329037f2aa18401bd73033e0ce0 upstream.

After sending an authorizer (ceph_x_authorize_a + ceph_x_authorize_b),
the client gets back a ceph_x_authorize_reply, which it is supposed to
verify to ensure the authenticity and protect against replay attacks.
The code for doing this is there (ceph_x_verify_authorizer_reply(),
ceph_auth_verify_authorizer_reply() + plumbing), but it is never
invoked by the messenger.

AFAICT this goes back to 2009, when ceph authentication protocols
support was added to the kernel client in 4e7a5dcd1bba ("ceph:
negotiate authentication protocol; implement AUTH_NONE protocol").

The second param of ceph_connection_operations::verify_authorizer_reply
is unused all the way down.  Pass 0 to facilitate backporting, and kill
it in the next commit.

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Sage Weil <sage@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/ceph/messenger.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 469f3138d0f6..ecdf164c80fe 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1972,6 +1972,19 @@ static int process_connect(struct ceph_connection *con)
 
 	dout("process_connect on %p tag %d\n", con, (int)con->in_tag);
 
+	if (con->auth_reply_buf) {
+		/*
+		 * Any connection that defines ->get_authorizer()
+		 * should also define ->verify_authorizer_reply().
+		 * See get_connect_authorizer().
+		 */
+		ret = con->ops->verify_authorizer_reply(con, 0);
+		if (ret < 0) {
+			con->error_msg = "bad authorize reply";
+			return ret;
+		}
+	}
+
 	switch (con->in_reply.tag) {
 	case CEPH_MSGR_TAG_FEATURES:
 		pr_err("%s%lld %s feature set mismatch,"
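Review bot: con->ops->verify_authorizer_reply is called whenever con->auth_reply_buf is set, with no check that the op is non-NULL; the only guard is the convention stated in the added comment. Since this is the authentication path, a connection type that defines ->get_authorizer() without the verify op would turn into a NULL dereference in process_connect(), so a WARN_ON with an error return, or a check where the ops are registered, would enforce the invariant instead of only documenting it. The literal 0 passed as the second argument could carry a brief comment that the parameter is unused, as the commit message explains.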
-- 
2.11.0


* [PATCH 3.12 062/235] nfs_write_end(): fix handling of short copies
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (60 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 061/235] libceph: verify authorize reply on connect Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 063/235] powerpc/ps3: Fix system hang with GCC 5 builds Jiri Slaby
                   ` (174 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c0cf3ef5e0f47e385920450b245d22bead93e7ad upstream.

What matters when deciding if we should make a page uptodate is
not how much we _wanted_ to copy, but how much we actually have
copied.  As it is, on architectures that do not zero tail on
short copy we can leave uninitialized data in page marked uptodate.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/nfs/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nfs/file.c b/fs/nfs/file.c
index 1e6bfdbc1aff..0a0b5063e50e 100644
--- a/fs/nfs/file.c
+++ b/fs/nfs/file.c
@@ -425,7 +425,7 @@ static int nfs_write_end(struct file *file, struct address_space *mapping,
 	 */
 	if (!PageUptodate(page)) {
 		unsigned pglen = nfs_page_length(page);
-		unsigned end = offset + len;
+		unsigned end = offset + copied;
 
 		if (pglen == 0) {
 			zero_user_segments(page, 0, offset,
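Review bot: the switch from len to copied in `unsigned end = offset + copied;` carries the whole fix, but nothing in the code says why the requested length must not be used. A one-line comment that only the bytes actually copied count towards marking the page uptodate would protect the line from being "simplified" back. Only the first lines of the !PageUptodate() block are visible here, so it is also worth checking the rest of it for other uses of len that should follow the same rule.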
-- 
2.11.0


* [PATCH 3.12 063/235] powerpc/ps3: Fix system hang with GCC 5 builds
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (61 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 062/235] nfs_write_end(): fix handling of short copies Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 064/235] powerpc: Convert cmp to cmpd in idle enter sequence Jiri Slaby
                   ` (173 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Geoff Levand, Michael Ellerman, Jiri Slaby

From: Geoff Levand <geoff@infradead.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6dff5b67054e17c91bd630bcdda17cfca5aa4215 upstream.

GCC 5 generates different code for this bootwrapper null check that
causes the PS3 to hang very early in its bootup. This check is of
limited value, so just get rid of it.

Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/powerpc/boot/ps3-head.S | 5 -----
 arch/powerpc/boot/ps3.c      | 8 +-------
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/arch/powerpc/boot/ps3-head.S b/arch/powerpc/boot/ps3-head.S
index b6fcbaf5027b..3dc44b05fb97 100644
--- a/arch/powerpc/boot/ps3-head.S
+++ b/arch/powerpc/boot/ps3-head.S
@@ -57,11 +57,6 @@ __system_reset_overlay:
 	bctr
 
 1:
-	/* Save the value at addr zero for a null pointer write check later. */
-
-	li	r4, 0
-	lwz	r3, 0(r4)
-
 	/* Primary delays then goes to _zimage_start in wrapper. */
 
 	or	31, 31, 31 /* db16cyc */
diff --git a/arch/powerpc/boot/ps3.c b/arch/powerpc/boot/ps3.c
index 9954d98871d0..029ea3ce1588 100644
--- a/arch/powerpc/boot/ps3.c
+++ b/arch/powerpc/boot/ps3.c
@@ -119,13 +119,12 @@ void ps3_copy_vectors(void)
 	flush_cache((void *)0x100, 512);
 }
 
-void platform_init(unsigned long null_check)
+void platform_init(void)
 {
 	const u32 heapsize = 0x1000000 - (u32)_end; /* 16MiB */
 	void *chosen;
 	unsigned long ft_addr;
 	u64 rm_size;
-	unsigned long val;
 
 	console_ops.write = ps3_console_write;
 	platform_ops.exit = ps3_exit;
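Review bot: platform_init() changes from taking `unsigned long null_check` to `void`, but the diffstat lists only ps3-head.S and ps3.c. If a prototype for this function exists in a header, or any other entry path still sets up a first argument for it, those need to match the new signature; please confirm nothing else references the old form.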
@@ -153,11 +152,6 @@ void platform_init(unsigned long null_check)
 
 	printf(" flat tree at 0x%lx\n\r", ft_addr);
 
-	val = *(unsigned long *)0;
-
-	if (val != null_check)
-		printf("null check failed: %lx != %lx\n\r", val, null_check);
-
 	((kernel_entry_t)0)(ft_addr, 0, NULL);
 
 	ps3_exit();
-- 
2.11.0


* [PATCH 3.12 064/235] powerpc: Convert cmp to cmpd in idle enter sequence
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (62 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 063/235] powerpc/ps3: Fix system hang with GCC 5 builds Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 065/235] kconfig/nconf: Fix hang when editing symbol with a long prompt Jiri Slaby
                   ` (172 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Segher Boessenkool, Michael Ellerman, Joel Stanley,
	Jiri Slaby

From: Segher Boessenkool <segher@kernel.crashing.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 80f23935cadb1c654e81951f5a8b7ceae0acc1b4 upstream.

PowerPC's "cmp" instruction has four operands. Normally people write
"cmpw" or "cmpd" for the second cmp operand 0 or 1. But, frequently
people forget, and write "cmp" with just three operands.

With older binutils this is silently accepted as if this was "cmpw",
while often "cmpd" is wanted. With newer binutils GAS will complain
about this for 64-bit code. For 32-bit code it still silently assumes
"cmpw" is what is meant.

In this instance the code comes directly from ISA v2.07, including the
cmp, but cmpd is correct. Backport to stable so that new toolchains can
build old kernels.

Fixes: 948cf67c4726 ("powerpc: Add NAP mode support on Power7 in HV mode")
Reviewed-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
Signed-off-by: Segher Boessenkool <segher@kernel.crashing.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/powerpc/kernel/idle_power7.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/idle_power7.S b/arch/powerpc/kernel/idle_power7.S
index df930727f73b..6ff0f4ef08be 100644
--- a/arch/powerpc/kernel/idle_power7.S
+++ b/arch/powerpc/kernel/idle_power7.S
@@ -110,7 +110,7 @@ power7_enter_nap_mode:
 	std	r0,0(r1)
 	ptesync
 	ld	r0,0(r1)
-1:	cmp	cr0,r0,r0
+1:	cmpd	cr0,r0,r0
 	bne	1b
 	PPC_NAP
 	b	.
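Review bot: `cmpd cr0,r0,r0` compares r0 with itself, so the following `bne 1b` can never be taken, and a reader without the ISA document at hand will take the pair for dead code. A comment at label 1 saying that the compare and branch appear to exist to create a dependency on the preceding `ld r0,0(r1)`, as in the ISA v2.07 sequence the commit message cites, would document why the instructions must stay.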
-- 
2.11.0


* [PATCH 3.12 065/235] kconfig/nconf: Fix hang when editing symbol with a long prompt
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (63 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 064/235] powerpc: Convert cmp to cmpd in idle enter sequence Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 066/235] sg_write()/bsg_write() is not fit to be called under KERNEL_DS Jiri Slaby
                   ` (171 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Ben Hutchings, Jiri Slaby

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 79e51b5c2deea542b3bb8c66e0d502230b017dde upstream.

Currently it is impossible to edit the value of a config symbol with a
prompt longer than (terminal width - 2) characters.  dialog_inputbox()
calculates a negative x-offset for the input window and newwin() fails
as this is invalid.  It also doesn't check for this failure, so it
busy-loops calling wgetch(NULL) which immediately returns -1.

The additions in the offset calculations also don't match the intended
size of the window.

Limit the window size and calculate the offset similarly to
show_scroll_win().

Fixes: 692d97c380c6 ("kconfig: new configuration interface (nconfig)")
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 scripts/kconfig/nconf.gui.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
index 8275f0e55106..4b2f44c20caf 100644
--- a/scripts/kconfig/nconf.gui.c
+++ b/scripts/kconfig/nconf.gui.c
@@ -364,12 +364,14 @@ int dialog_inputbox(WINDOW *main_window,
 	WINDOW *prompt_win;
 	WINDOW *form_win;
 	PANEL *panel;
-	int i, x, y;
+	int i, x, y, lines, columns, win_lines, win_cols;
 	int res = -1;
 	int cursor_position = strlen(init);
 	int cursor_form_win;
 	char *result = *resultp;
 
+	getmaxyx(stdscr, lines, columns);
+
 	if (strlen(init)+1 > *result_len) {
 		*result_len = strlen(init)+1;
 		*resultp = result = realloc(result, *result_len);
@@ -386,14 +388,19 @@ int dialog_inputbox(WINDOW *main_window,
 	if (title)
 		prompt_width = max(prompt_width, strlen(title));
 
+	win_lines = min(prompt_lines+6, lines-2);
+	win_cols = min(prompt_width+7, columns-2);
+	prompt_lines = max(win_lines-6, 0);
+	prompt_width = max(win_cols-7, 0);
+
 	/* place dialog in middle of screen */
-	y = (getmaxy(stdscr)-(prompt_lines+4))/2;
-	x = (getmaxx(stdscr)-(prompt_width+4))/2;
+	y = (lines-win_lines)/2;
+	x = (columns-win_cols)/2;
 
 	strncpy(result, init, *result_len);
 
 	/* create the windows */
-	win = newwin(prompt_lines+6, prompt_width+7, y, x);
+	win = newwin(win_lines, win_cols, y, x);
 	prompt_win = derwin(win, prompt_lines+1, prompt_width, 2, 2);
 	form_win = derwin(win, 1, prompt_width, prompt_lines+3, 2);
 	keypad(form_win, TRUE);
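Review bot: the return value of newwin() is still not checked, although the commit message names the missing check as the reason for the busy loop. The clamping makes failure much less likely, but on a very small terminal `lines-2` or `columns-2` can be zero or negative, win_lines and win_cols inherit that, and the derwin() calls still place form_win at row prompt_lines+3, which may lie outside the clamped window. Bailing out when win, prompt_win or form_win is NULL would close the hang for good.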
-- 
2.11.0


* [PATCH 3.12 066/235] sg_write()/bsg_write() is not fit to be called under KERNEL_DS
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (64 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 065/235] kconfig/nconf: Fix hang when editing symbol with a long prompt Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 067/235] ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it Jiri Slaby
                   ` (170 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 128394eff343fc6d2f32172f03e24829539c5835 upstream.

Both damn things interpret userland pointers embedded into the payload;
worse, they are actually traversing those.  Leaving aside the bad
API design, this is very much _not_ safe to call with KERNEL_DS.
Bail out early if that happens.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 block/bsg.c       | 3 +++
 drivers/scsi/sg.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/block/bsg.c b/block/bsg.c
index 420a5a9f1b23..76801e57f556 100644
--- a/block/bsg.c
+++ b/block/bsg.c
@@ -675,6 +675,9 @@ bsg_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
 
 	dprintk("%s: write %Zd bytes\n", bd->name, count);
 
+	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+		return -EINVAL;
+
 	bsg_set_block(bd, file);
 
 	bytes_written = 0;
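Review bot: the KERNEL_DS test added to bsg_write() has no comment, and the identical three lines are pasted into sg_write() in the same patch. A short comment stating that the payload carries userland pointers which are then traversed, so the call is unsafe under KERNEL_DS, would keep the check from looking arbitrary, and a small shared helper would keep the two copies from diverging. In bsg_write() the check also runs after the dprintk(), while in sg_write() it is the first statement; rejecting before any other work in both places would be more consistent.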
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 1f65e32db285..291791a9be8b 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -568,6 +568,9 @@ sg_write(struct file *filp, const char __user *buf, size_t count, loff_t * ppos)
 	sg_io_hdr_t *hp;
 	unsigned char cmnd[MAX_COMMAND_SIZE];
 
+	if (unlikely(segment_eq(get_fs(), KERNEL_DS)))
+		return -EINVAL;
+
 	if ((!(sfp = (Sg_fd *) filp->private_data)) || (!(sdp = sfp->parentdp)))
 		return -ENXIO;
 	SCSI_LOG_TIMEOUT(3, printk("sg_write: %s, count=%d\n",
-- 
2.11.0


* [PATCH 3.12 067/235] ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (65 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 066/235] sg_write()/bsg_write() is not fit to be called under KERNEL_DS Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 068/235] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms Jiri Slaby
                   ` (169 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Steven Rostedt, Jiri Slaby

From: Steven Rostedt <rostedt@goodmis.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8329e818f14926a6040df86b2668568bde342ebf upstream.

Matt Fleming reported seeing crashes when enabling and disabling
function profiling which uses function graph tracer. Later Namhyung Kim
hit a similar issue and he found that the issue was due to the jmp to
ftrace_stub in ftrace_graph_call was only two bytes, and when it was
changed to jump to the tracing code, it overwrote the ftrace_stub that
was after it.

Masami Hiramatsu bisected this down to a binutils change:

8dcea93252a9ea7dff57e85220a719e2a5e8ab41 is the first bad commit
commit 8dcea93252a9ea7dff57e85220a719e2a5e8ab41
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Fri May 15 03:17:31 2015 -0700

    Add -mshared option to x86 ELF assembler

    This patch adds -mshared option to x86 ELF assembler.  By default,
    assembler will optimize out non-PLT relocations against defined non-weak
    global branch targets with default visibility.  The -mshared option tells
    the assembler to generate code which may go into a shared library
    where all non-weak global branch targets with default visibility can
    be preempted.  The resulting code is slightly bigger.  This option
    only affects the handling of branch instructions.

Declaring ftrace_stub as a weak call prevents gas from using two byte
jumps to it, which would be converted to a jump to the function graph
code.

Link: http://lkml.kernel.org/r/20160516230035.1dbae571@gandalf.local.home

Reported-by: Matt Fleming <matt@codeblueprint.co.uk>
Reported-by: Namhyung Kim <namhyung@kernel.org>
Tested-by: Matt Fleming <matt@codeblueprint.co.uk>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/kernel/entry_64.S | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index ead3e7c9672e..ceb8d113938b 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -122,7 +122,8 @@ GLOBAL(ftrace_graph_call)
 	jmp ftrace_stub
 #endif
 
-GLOBAL(ftrace_stub)
+/* This is weak to keep gas from relaxing the jumps */
+WEAK(ftrace_stub)
 	retq
 END(ftrace_caller)
 
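Review bot: WEAK(ftrace_stub) is used here only for its effect on the assembler, but it also changes the symbol's binding, so a strong definition of ftrace_stub anywhere else in the link would now silently replace this one instead of producing a duplicate-symbol error. The comment should say that the symbol is weak purely to keep the jmp at ftrace_graph_call in its long form and that it is not meant to be overridden.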
-- 
2.11.0


* [PATCH 3.12 068/235] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (66 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 067/235] ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 069/235] usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host Jiri Slaby
                   ` (168 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Lu Baolu, Mathias Nyman, Greg Kroah-Hartman, Jiri Slaby

From: Lu Baolu <baolu.lu@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ccc04afb72cddbdf7c0e1c17e92886405a71b754 upstream.

Intel Broxton M was verified to require XHCI_PME_STUCK_QUIRK quirk as well.

Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/xhci-pci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index 1ee8c97ae6be..348a36d15c8e 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -41,6 +41,7 @@
 #define PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI		0x22b5
 #define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI		0xa12f
 #define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI	0x9d2f
+#define PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI		0x0aa8
 
 static const char hcd_name[] = "xhci_hcd";
 
@@ -138,7 +139,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
 	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
 		(pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
 		 pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI ||
-		 pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI)) {
+		 pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
+		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI)) {
 		xhci->quirks |= XHCI_PME_STUCK_QUIRK;
 	}
 	if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
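Review bot: the device-ID test for XHCI_PME_STUCK_QUIRK in xhci_pci_quirks() is now a four-way `||` chain, and each new platform means editing the line with the closing parentheses again. A switch on pdev->device or a small ID table would turn future additions into one-line changes that are easier to backport without conflicts.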
-- 
2.11.0


* [PATCH 3.12 069/235] usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (67 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 068/235] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 070/235] usb: dwc3: pci: Add PCI ID for Intel Braswell Jiri Slaby
                   ` (167 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Rafal Redzimski, Robert Dobrowolski, Mathias Nyman,
	Greg Kroah-Hartman, Jiri Slaby

From: Rafal Redzimski <rafal.f.redzimski@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 0d46faca6f887a849efb07c1655b5a9f7c288b45 upstream.

Broxton B0 also requires XHCI_PME_STUCK_QUIRK.
Adding PCI device ID for Broxton B and adding to quirk.

Signed-off-by: Rafal Redzimski <rafal.f.redzimski@intel.com>
Signed-off-by: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/xhci-pci.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index 348a36d15c8e..9c3f2c4eaceb 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -42,6 +42,7 @@
 #define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI		0xa12f
 #define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI	0x9d2f
 #define PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI		0x0aa8
+#define PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI		0x1aa8
 
 static const char hcd_name[] = "xhci_hcd";
 
@@ -140,7 +141,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
 		(pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
 		 pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI ||
 		 pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
-		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI)) {
+		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI ||
+		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI)) {
 		xhci->quirks |= XHCI_PME_STUCK_QUIRK;
 	}
 	if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
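
Review bot: the Intel branch of xhci_pci_quirks() now compares pdev->device against five IDs in one `||` chain, and each new platform rewrites the closing line of the condition. A `switch (pdev->device)` or a small ID table for XHCI_PME_STUCK_QUIRK would make the next addition a one-line change and keep later backports from conflicting on the same line.
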
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 070/235] usb: dwc3: pci: Add PCI ID for Intel Braswell
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (68 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 069/235] usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 071/235] usb: dwc3: pci: add support for Intel Sunrise Point PCH Jiri Slaby
                   ` (166 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Alan Cox, Mika Westerberg, Heikki Krogerus,
	Felipe Balbi, Jiri Slaby

From: Alan Cox <alan@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7d643664ea559b36188cae264047ce3c9bfec3a2 upstream.

The device controller is the same but it has a different PCI ID. Add this new
ID to the driver's list of supported IDs.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/dwc3/dwc3-pci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
index 2e252aae51ca..adade0ae4c30 100644
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -30,6 +30,7 @@
 #define PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3	0xabcd
 #define PCI_DEVICE_ID_INTEL_BYT		0x0f37
 #define PCI_DEVICE_ID_INTEL_MRFLD	0x119e
+#define PCI_DEVICE_ID_INTEL_BSW		0x22B7
 
 struct dwc3_pci {
 	struct device		*dev;
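
Review bot: `0x22B7` in the new PCI_DEVICE_ID_INTEL_BSW define uses uppercase hex digits while the neighbouring IDs (`0x0f37`, `0x119e`) are lowercase. Writing it as `0x22b7` keeps the list consistent and makes a case-sensitive grep for a device ID reliable.
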
@@ -189,6 +190,7 @@ static DEFINE_PCI_DEVICE_TABLE(dwc3_pci_id_table) = {
 		PCI_DEVICE(PCI_VENDOR_ID_SYNOPSYS,
 				PCI_DEVICE_ID_SYNOPSYS_HAPSUSB3),
 	},
+	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
 	{  }	/* Terminating Entry */
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 071/235] usb: dwc3: pci: add support for Intel Sunrise Point PCH
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (69 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 070/235] usb: dwc3: pci: Add PCI ID for Intel Braswell Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 072/235] usb: dwc3: pci: add support for Intel Broxton SOC Jiri Slaby
                   ` (165 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Heikki Krogerus, Felipe Balbi, Jiri Slaby

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 84a2b61b6eb94036093531cdabc448dddfbae45a upstream.

Add PCI IDs for Intel Sunrise Point PCH.

Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/dwc3/dwc3-pci.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
index adade0ae4c30..f721d9796dd7 100644
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -31,6 +31,8 @@
 #define PCI_DEVICE_ID_INTEL_BYT		0x0f37
 #define PCI_DEVICE_ID_INTEL_MRFLD	0x119e
 #define PCI_DEVICE_ID_INTEL_BSW		0x22B7
+#define PCI_DEVICE_ID_INTEL_SPTLP	0x9d30
+#define PCI_DEVICE_ID_INTEL_SPTH	0xa130
 
 struct dwc3_pci {
 	struct device		*dev;
@@ -193,6 +195,8 @@ static DEFINE_PCI_DEVICE_TABLE(dwc3_pci_id_table) = {
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BSW), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BYT), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
+	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), },
+	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), },
 	{  }	/* Terminating Entry */
 };
 MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 072/235] usb: dwc3: pci: add support for Intel Broxton SOC
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (70 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 071/235] usb: dwc3: pci: add support for Intel Sunrise Point PCH Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 073/235] usb: dwc3: pci: add ID for one more Intel Broxton platform Jiri Slaby
                   ` (164 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Heikki Krogerus, Felipe Balbi, Jiri Slaby

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b4c580a43d520b7812c0fd064fbab929ce2f1da0 upstream.

PCI IDs for Broxton based platforms.

Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/dwc3/dwc3-pci.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
index f721d9796dd7..643f633d5107 100644
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -33,6 +33,8 @@
 #define PCI_DEVICE_ID_INTEL_BSW		0x22B7
 #define PCI_DEVICE_ID_INTEL_SPTLP	0x9d30
 #define PCI_DEVICE_ID_INTEL_SPTH	0xa130
+#define PCI_DEVICE_ID_INTEL_BXT			0x0aaa
+#define PCI_DEVICE_ID_INTEL_APL			0x5aaa
 
 struct dwc3_pci {
 	struct device		*dev;
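
Review bot: the new PCI_DEVICE_ID_INTEL_BXT and PCI_DEVICE_ID_INTEL_APL defines put three tabs before the value, while the BSW, SPTLP and SPTH defines directly above use one or two, so the value column no longer lines up. Two tabs would match the existing entries of the same name length.
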
@@ -197,6 +199,8 @@ static DEFINE_PCI_DEVICE_TABLE(dwc3_pci_id_table) = {
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_MRFLD), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), },
+	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), },
+	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), },
 	{  }	/* Terminating Entry */
 };
 MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 073/235] usb: dwc3: pci: add ID for one more Intel Broxton platform
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (71 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 072/235] usb: dwc3: pci: add support for Intel Broxton SOC Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 074/235] usb: dwc3: pci: add Intel Kabylake PCI ID Jiri Slaby
                   ` (163 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Heikki Krogerus, Felipe Balbi, Jiri Slaby

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1ffb4d5cc78a3a99109ff0808ce6915de07a0588 upstream.

BXT-M is an Intel Broxton SoC based platform with unique PCI ID.

Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/dwc3/dwc3-pci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
index 643f633d5107..894b26545a64 100644
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -34,6 +34,7 @@
 #define PCI_DEVICE_ID_INTEL_SPTLP	0x9d30
 #define PCI_DEVICE_ID_INTEL_SPTH	0xa130
 #define PCI_DEVICE_ID_INTEL_BXT			0x0aaa
+#define PCI_DEVICE_ID_INTEL_BXT_M		0x1aaa
 #define PCI_DEVICE_ID_INTEL_APL			0x5aaa
 
 struct dwc3_pci {
@@ -200,6 +201,7 @@ static DEFINE_PCI_DEVICE_TABLE(dwc3_pci_id_table) = {
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTLP), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_SPTH), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), },
+	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT_M), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), },
 	{  }	/* Terminating Entry */
 };
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 074/235] usb: dwc3: pci: add Intel Kabylake PCI ID
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (72 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 073/235] usb: dwc3: pci: add ID for one more Intel Broxton platform Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 075/235] ALSA: hda - Fix up GPIO for ASUS ROG Ranger Jiri Slaby
                   ` (162 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Heikki Krogerus, Felipe Balbi, Jiri Slaby

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 4491ed5042f0419b22a4b08331adb54af31e2caa upstream.

Intel Kabylake PCH has the same DWC3 as Intel
Sunrisepoint. Add the new ID to the supported devices.

Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/dwc3/dwc3-pci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
index 894b26545a64..bbdf7a97026f 100644
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -36,6 +36,7 @@
 #define PCI_DEVICE_ID_INTEL_BXT			0x0aaa
 #define PCI_DEVICE_ID_INTEL_BXT_M		0x1aaa
 #define PCI_DEVICE_ID_INTEL_APL			0x5aaa
+#define PCI_DEVICE_ID_INTEL_KBP			0xa2b0
 
 struct dwc3_pci {
 	struct device		*dev;
@@ -203,6 +204,7 @@ static DEFINE_PCI_DEVICE_TABLE(dwc3_pci_id_table) = {
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT_M), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), },
+	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBP), },
 	{  }	/* Terminating Entry */
 };
 MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 075/235] ALSA: hda - Fix up GPIO for ASUS ROG Ranger
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (73 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 074/235] usb: dwc3: pci: add Intel Kabylake PCI ID Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 076/235] ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL Jiri Slaby
                   ` (161 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Takashi Iwai, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 85bcf96caba8b4a7c0805555638629ba3c67ea0c upstream.

ASUS ROG Ranger VIII with ALC1150 codec requires the extra GPIO pin to
up for the front panel.  Just use the existing fixup for setting up
the GPIO pins.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=189411
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 sound/pci/hda/patch_realtek.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 06e80327567c..2dfee77ed285 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -2194,6 +2194,7 @@ static const struct snd_pci_quirk alc882_fixup_tbl[] = {
 	SND_PCI_QUIRK(0x1043, 0x1971, "Asus W2JC", ALC882_FIXUP_ASUS_W2JC),
 	SND_PCI_QUIRK(0x1043, 0x835f, "Asus Eee 1601", ALC888_FIXUP_EEE1601),
 	SND_PCI_QUIRK(0x1043, 0x84bc, "ASUS ET2700", ALC887_FIXUP_ASUS_BASS),
+	SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3),
 	SND_PCI_QUIRK(0x104d, 0x9047, "Sony Vaio TT", ALC889_FIXUP_VAIO_TT),
 	SND_PCI_QUIRK(0x104d, 0x905a, "Sony Vaio Z", ALC882_FIXUP_NO_PRIMARY_HP),
 	SND_PCI_QUIRK(0x104d, 0x9043, "Sony Vaio VGC-LN51JGB", ALC882_FIXUP_NO_PRIMARY_HP),
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 076/235] ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (74 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 075/235] ALSA: hda - Fix up GPIO for ASUS ROG Ranger Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 077/235] ARM: davinci: da850: don't add emac clock to lookup table twice Jiri Slaby
                   ` (160 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Takashi Iwai, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c7efff9284dfde95a11aaa811c9d8ec8167f0f6e upstream.

Although the old quirk table showed ASUS X71SL with ALC663 codec being
compatible with asus-mode3 fixup, the bugzilla reporter explained that
asus-model8 fits better for the dual headphone controls.  So be it.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=191781
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 sound/pci/hda/patch_realtek.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 2dfee77ed285..8b816bf65405 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4983,6 +4983,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
 	SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
 	SND_PCI_QUIRK(0x1043, 0x11cd, "Asus N550", ALC662_FIXUP_BASS_1A_CHMAP),
 	SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_BASS_CHMAP),
+	SND_PCI_QUIRK(0x1043, 0x1963, "ASUS X71SL", ALC662_FIXUP_ASUS_MODE8),
 	SND_PCI_QUIRK(0x1043, 0x1bf3, "ASUS N76VZ", ALC662_FIXUP_BASS_CHMAP),
 	SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
 	SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2),
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 077/235] ARM: davinci: da850: don't add emac clock to lookup table twice
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (75 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 076/235] ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 078/235] usb: gadgetfs: restrict upper bound on device configuration size Jiri Slaby
                   ` (159 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Bartosz Golaszewski, Sekhar Nori, Jiri Slaby

From: Bartosz Golaszewski <bgolaszewski@baylibre.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ef37427ac5677331145ab27a17e6f5f1b43f0c11 upstream.

Similarly to the aemif clock - this screws up the linked list of clock
children. Create a separate clock for mdio inheriting the rate from
emac_clk.

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
[nsekhar@ti.com: add a comment over mdio_clk to explain its existence +
		 commit headline updates]
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/mach-davinci/da850.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mach-davinci/da850.c b/arch/arm/mach-davinci/da850.c
index f56e5fbfa2fd..25f11492c33f 100644
--- a/arch/arm/mach-davinci/da850.c
+++ b/arch/arm/mach-davinci/da850.c
@@ -297,6 +297,16 @@ static struct clk emac_clk = {
 	.gpsc		= 1,
 };
 
+/*
+ * In order to avoid adding the emac_clk to the clock lookup table twice (and
+ * screwing up the linked list in the process) create a separate clock for
+ * mdio inheriting the rate from emac_clk.
+ */
+static struct clk mdio_clk = {
+	.name		= "mdio",
+	.parent		= &emac_clk,
+};
+
 static struct clk mcasp_clk = {
 	.name		= "mcasp",
 	.parent		= &pll0_sysclk2,
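
Review bot: mdio_clk sets only `.name` and `.parent`, whereas the emac_clk context just above it carries `.gpsc = 1`. The new comment says the rate is inherited, but not whether enabling mdio_clk also enables the parent's power domain; if that is the intent, saying so in the comment would save the next reader from having to check the clock framework.
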
@@ -461,7 +471,7 @@ static struct clk_lookup da850_clks[] = {
 	CLK(NULL,		"arm",		&arm_clk),
 	CLK(NULL,		"rmii",		&rmii_clk),
 	CLK("davinci_emac.1",	NULL,		&emac_clk),
-	CLK("davinci_mdio.0",	"fck",		&emac_clk),
+	CLK("davinci_mdio.0",	"fck",		&mdio_clk),
 	CLK("davinci-mcasp.0",	NULL,		&mcasp_clk),
 	CLK("da8xx_lcdc.0",	"fck",		&lcdc_clk),
 	CLK("da830-mmc.0",	NULL,		&mmcsd0_clk),
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 078/235] usb: gadgetfs: restrict upper bound on device configuration size
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (76 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 077/235] ARM: davinci: da850: don't add emac clock to lookup table twice Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 079/235] USB: gadgetfs: fix unbounded memory allocation bug Jiri Slaby
                   ` (158 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Greg Kroah-Hartman, Felipe Balbi, Jiri Slaby

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 0994b0a257557e18ee8f0b7c5f0f73fe2b54eec1 upstream.

Andrey Konovalov reported that we were not properly checking the upper
limit of a device configuration size before calling
memdup_user(), which could cause some problems.

So set the upper limit to PAGE_SIZE * 4, which should be good enough for
all devices.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/gadget/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index 4ac9e9928d67..2b56e59a413f 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1849,7 +1849,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	u32			tag;
 	char			*kbuf;
 
-	if (len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4))
+	if ((len < (USB_DT_CONFIG_SIZE + USB_DT_DEVICE_SIZE + 4)) ||
+	    (len > PAGE_SIZE * 4))
 		return -EINVAL;
 
 	/* we might need to change message format someday */
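
Review bot: the new `len > PAGE_SIZE * 4` bound in dev_config() is a bare expression whose value depends on the architecture's page size, so the same descriptor blob can be accepted on one platform and rejected on another. A named constant with a fixed byte value, plus a one-line comment saying why that size is enough, would make the limit part of the interface rather than an accident of the build.
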
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 079/235] USB: gadgetfs: fix unbounded memory allocation bug
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (77 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 078/235] usb: gadgetfs: restrict upper bound on device configuration size Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 080/235] USB: gadgetfs: fix use-after-free bug Jiri Slaby
                   ` (157 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alan Stern, Felipe Balbi, Jiri Slaby

From: Alan Stern <stern@rowland.harvard.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit faab50984fe6636e616c7cc3d30308ba391d36fd upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN warning in gadgetfs:

BUG: KASAN: slab-out-of-bounds in dev_config+0x86f/0x1190 at addr ffff88003c47e160
Write of size 65537 by task syz-executor0/6356
CPU: 3 PID: 6356 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003c107ad8 ffffffff81f96aba ffffffff3dc11ef0 1ffff10007820eee
 ffffed0007820ee6 ffff88003dc11f00 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 ffffffff813fb4a0 ffff88003b6eadc0 ffff88003c107738
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [<ffffffff817e5705>] kasan_report+0x35/0x40 mm/kasan/report.c:306
 [<     inline     >] check_memory_region_inline mm/kasan/kasan.c:308
 [<ffffffff817e3fb9>] check_memory_region+0x139/0x190 mm/kasan/kasan.c:315
 [<ffffffff817e4044>] kasan_check_write+0x14/0x20 mm/kasan/kasan.c:326
 [<     inline     >] copy_from_user arch/x86/include/asm/uaccess.h:689
 [<     inline     >] ep0_write drivers/usb/gadget/legacy/inode.c:1135
 [<ffffffff83228caf>] dev_config+0x86f/0x1190 drivers/usb/gadget/legacy/inode.c:1759
 [<ffffffff817fdd55>] __vfs_write+0x5d5/0x760 fs/read_write.c:510
 [<ffffffff817ff650>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<     inline     >] SYSC_write fs/read_write.c:607
 [<ffffffff81803a5b>] SyS_write+0xfb/0x230 fs/read_write.c:599
 [<ffffffff84f47ec1>] entry_SYSCALL_64_fastpath+0x1f/0xc2

Indeed, there is a comment saying that the value of len is restricted
to a 16-bit integer, but the code doesn't actually do this.

This patch fixes the warning.  It replaces the comment with a
computation that forces the amount of data copied from the user in
ep0_write() to be no larger than the wLength size for the control
transfer, which is a 16-bit quantity.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/gadget/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index 2b56e59a413f..6a6ef2160e7e 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1199,7 +1199,7 @@ ep0_write (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	/* data and/or status stage for control request */
 	} else if (dev->state == STATE_DEV_SETUP) {
 
-		/* IN DATA+STATUS caller makes len <= wLength */
+		len = min_t(size_t, len, dev->setup_wLength);
 		if (dev->setup_in) {
 			retval = setup_req (dev->gadget->ep0, dev->req, len);
 			if (retval == 0) {
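
Review bot: the `min_t()` clamp in ep0_write() replaces the only comment that explained the relationship between `len` and wLength, and it silently shortens an oversized write instead of rejecting it. A short comment stating that `dev->setup_wLength` is the 16-bit bound of the control transfer would keep the intent visible, and it is worth confirming that the value returned to the writer reflects the clamped length rather than the original one.
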
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 080/235] USB: gadgetfs: fix use-after-free bug
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (78 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 079/235] USB: gadgetfs: fix unbounded memory allocation bug Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 081/235] USB: gadgetfs: fix checks of wTotalLength in config descriptors Jiri Slaby
                   ` (156 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alan Stern, Felipe Balbi, Jiri Slaby

From: Alan Stern <stern@rowland.harvard.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit add333a81a16abbd4f106266a2553677a165725f upstream.

Andrey Konovalov reports that fuzz testing with syzkaller causes a
KASAN use-after-free bug report in gadgetfs:

BUG: KASAN: use-after-free in gadgetfs_setup+0x208a/0x20e0 at addr ffff88003dfe5bf2
Read of size 2 by task syz-executor0/22994
CPU: 3 PID: 22994 Comm: syz-executor0 Not tainted 4.9.0-rc7+ #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006df06a18 ffffffff81f96aba ffffffffe0528500 1ffff1000dbe0cd6
 ffffed000dbe0cce ffff88006df068f0 0000000041b58ab3 ffffffff8598b4c8
 ffffffff81f96828 1ffff1000dbe0ccd ffff88006df06708 ffff88006df06748
Call Trace:
 <IRQ> [  201.343209]  [<     inline     >] __dump_stack lib/dump_stack.c:15
 <IRQ> [  201.343209]  [<ffffffff81f96aba>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff817e4dec>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<ffffffff817e5080>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:286
 [<     inline     >] kasan_report mm/kasan/report.c:306
 [<ffffffff817e562a>] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:337
 [<     inline     >] config_buf drivers/usb/gadget/legacy/inode.c:1298
 [<ffffffff8322c8fa>] gadgetfs_setup+0x208a/0x20e0 drivers/usb/gadget/legacy/inode.c:1368
 [<ffffffff830fdcd0>] dummy_timer+0x11f0/0x36d0 drivers/usb/gadget/udc/dummy_hcd.c:1858
 [<ffffffff814807c1>] call_timer_fn+0x241/0x800 kernel/time/timer.c:1308
 [<     inline     >] expire_timers kernel/time/timer.c:1348
 [<ffffffff81482de6>] __run_timers+0xa06/0xec0 kernel/time/timer.c:1641
 [<ffffffff814832c1>] run_timer_softirq+0x21/0x80 kernel/time/timer.c:1654
 [<ffffffff84f4af8b>] __do_softirq+0x2fb/0xb63 kernel/softirq.c:284

The cause of the bug is subtle.  The dev_config() routine gets called
twice by the fuzzer.  The first time, the user data contains both a
full-speed configuration descriptor and a high-speed config
descriptor, causing dev->hs_config to be set.  But it also contains an
invalid device descriptor, so the buffer containing the descriptors is
deallocated and dev_config() returns an error.

The second time dev_config() is called, the user data contains only a
full-speed config descriptor.  But dev->hs_config still has the stale
pointer remaining from the first call, causing the routine to think
that there is a valid high-speed config.  Later on, when the driver
dereferences the stale pointer to copy that descriptor, we get a
use-after-free access.

The fix is simple: Clear dev->hs_config if the passed-in data does not
contain a high-speed config descriptor.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/gadget/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index 6a6ef2160e7e..19e1efaeafa0 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1887,6 +1887,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 			goto fail;
 		kbuf += total;
 		length -= total;
+	} else {
+		dev->hs_config = NULL;
 	}
 
 	/* could support multiple configs, using another encoding! */
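
Review bot: the new `else` branch clears `dev->hs_config` only when the blob carries no high-speed descriptor; the `goto fail` in the context lines above still leaves `dev->hs_config` pointing into `kbuf`, which the commit message says is deallocated on that path. Clearing `dev->config` and `dev->hs_config` on the fail path as well would remove the stale pointer where it is created instead of relying on the next dev_config() call to overwrite it.
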
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 081/235] USB: gadgetfs: fix checks of wTotalLength in config descriptors
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (79 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 080/235] USB: gadgetfs: fix use-after-free bug Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 082/235] USB: fix problems with duplicate endpoint addresses Jiri Slaby
                   ` (155 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Alan Stern, Andrey Konovalov, Felipe Balbi, Jiri Slaby

From: Alan Stern <stern@rowland.harvard.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1c069b057dcf64fada952eaa868d35f02bb0cfc2 upstream.

Andrey Konovalov's fuzz testing of gadgetfs showed that we should
improve the driver's checks for valid configuration descriptors passed
in by the user.  In particular, the driver needs to verify that the
wTotalLength value in the descriptor is not too short (smaller
than USB_DT_CONFIG_SIZE).  And the check for whether wTotalLength is
too large has to be changed, because the driver assumes there is
always enough room remaining in the buffer to hold a device descriptor
(at least USB_DT_DEVICE_SIZE bytes).

This patch adds the additional check and fixes the existing check.  It
may do a little more than strictly necessary, but one extra check
won't hurt.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/gadget/inode.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index 19e1efaeafa0..8fa7ba0f6beb 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1829,10 +1829,12 @@ static struct usb_gadget_driver probe_driver = {
  * such as configuration notifications.
  */
 
-static int is_valid_config (struct usb_config_descriptor *config)
+static int is_valid_config(struct usb_config_descriptor *config,
+		unsigned int total)
 {
 	return config->bDescriptorType == USB_DT_CONFIG
 		&& config->bLength == USB_DT_CONFIG_SIZE
+		&& total >= USB_DT_CONFIG_SIZE
 		&& config->bConfigurationValue != 0
 		&& (config->bmAttributes & USB_CONFIG_ATT_ONE) != 0
 		&& (config->bmAttributes & USB_CONFIG_ATT_WAKEUP) == 0;
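
Review bot: is_valid_config() now takes `total` as a separate argument although it is always derived from the same descriptor it is validating, so a future caller can pass a value that does not belong to `config`. Computing it inside the helper with le16_to_cpu(config->wTotalLength) would keep the lower-bound test `total >= USB_DT_CONFIG_SIZE` tied to the descriptor. If the parameter stays, a one-line comment that the upper bound is checked by the caller would help, since the helper's name suggests it is the complete validity test.
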
@@ -1874,7 +1876,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	/* full or low speed config */
 	dev->config = (void *) kbuf;
 	total = le16_to_cpu(dev->config->wTotalLength);
-	if (!is_valid_config (dev->config) || total >= length)
+	if (!is_valid_config(dev->config, total) ||
+			total > length - USB_DT_DEVICE_SIZE)
 		goto fail;
 	kbuf += total;
 	length -= total;
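
Review bot: `length - USB_DT_DEVICE_SIZE` in the new condition is only meaningful if `length` is known to be at least USB_DT_DEVICE_SIZE here; the declaration of `length` and any earlier minimum-size check are outside this hunk. If `length` is unsigned, or is converted to unsigned for the comparison with `total`, a smaller value wraps and the test passes for any wTotalLength. Writing the bound as `total + USB_DT_DEVICE_SIZE > length` (total comes from a 16-bit field, so the sum cannot overflow) keeps the check correct when `length` is small. The same applies to the hs_config check in the next hunk, which runs after `length -= total`.
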
@@ -1883,7 +1886,8 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	if (kbuf [1] == USB_DT_CONFIG) {
 		dev->hs_config = (void *) kbuf;
 		total = le16_to_cpu(dev->hs_config->wTotalLength);
-		if (!is_valid_config (dev->hs_config) || total >= length)
+		if (!is_valid_config(dev->hs_config, total) ||
+				total > length - USB_DT_DEVICE_SIZE)
 			goto fail;
 		kbuf += total;
 		length -= total;
-- 
2.11.0


* [PATCH 3.12 082/235] USB: fix problems with duplicate endpoint addresses
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (80 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 081/235] USB: gadgetfs: fix checks of wTotalLength in config descriptors Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 083/235] USB: dummy-hcd: fix bug in stop_activity (handle ep0) Jiri Slaby
                   ` (154 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alan Stern, Jiri Slaby

From: Alan Stern <stern@rowland.harvard.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 0a8fd1346254974c3a852338508e4a4cddbb35f1 upstream.

When checking a new device's descriptors, the USB core does not check
for duplicate endpoint addresses.  This can cause a problem when the
sysfs files for those endpoints are created; trying to create multiple
files with the same name will provoke a WARNING:

WARNING: CPU: 2 PID: 865 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x8a/0xa0
sysfs: cannot create duplicate filename
'/devices/platform/dummy_hcd.0/usb2/2-1/2-1:64.0/ep_05'
Kernel panic - not syncing: panic_on_warn set ...

CPU: 2 PID: 865 Comm: kworker/2:1 Not tainted 4.9.0-rc7+ #34
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
 ffff88006bee64c8 ffffffff81f96b8a ffffffff00000001 1ffff1000d7dcc2c
 ffffed000d7dcc24 0000000000000001 0000000041b58ab3 ffffffff8598b510
 ffffffff81f968f8 ffffffff850fee20 ffffffff85cff020 dffffc0000000000
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff8168c88e>] panic+0x1cb/0x3a9 kernel/panic.c:179
 [<ffffffff812b80b4>] __warn+0x1c4/0x1e0 kernel/panic.c:542
 [<ffffffff812b8195>] warn_slowpath_fmt+0xc5/0x110 kernel/panic.c:565
 [<ffffffff819e70ca>] sysfs_warn_dup+0x8a/0xa0 fs/sysfs/dir.c:30
 [<ffffffff819e7308>] sysfs_create_dir_ns+0x178/0x1d0 fs/sysfs/dir.c:59
 [<     inline     >] create_dir lib/kobject.c:71
 [<ffffffff81fa1b07>] kobject_add_internal+0x227/0xa60 lib/kobject.c:229
 [<     inline     >] kobject_add_varg lib/kobject.c:366
 [<ffffffff81fa2479>] kobject_add+0x139/0x220 lib/kobject.c:411
 [<ffffffff82737a63>] device_add+0x353/0x1660 drivers/base/core.c:1088
 [<ffffffff82738d8d>] device_register+0x1d/0x20 drivers/base/core.c:1206
 [<ffffffff82cb77d3>] usb_create_ep_devs+0x163/0x260 drivers/usb/core/endpoint.c:195
 [<ffffffff82c9f27b>] create_intf_ep_devs+0x13b/0x200 drivers/usb/core/message.c:1030
 [<ffffffff82ca39d3>] usb_set_configuration+0x1083/0x18d0 drivers/usb/core/message.c:1937
 [<ffffffff82cc9e2e>] generic_probe+0x6e/0xe0 drivers/usb/core/generic.c:172
 [<ffffffff82caa7fa>] usb_probe_device+0xaa/0xe0 drivers/usb/core/driver.c:263

This patch prevents the problem by checking for duplicate endpoint
addresses during enumeration and skipping any duplicates.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/core/config.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index ce6225959f2c..15b39065f1dc 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -207,6 +207,16 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
 	if (ifp->desc.bNumEndpoints >= num_ep)
 		goto skip_to_next_endpoint_or_interface_descriptor;
 
+	/* Check for duplicate endpoint addresses */
+	for (i = 0; i < ifp->desc.bNumEndpoints; ++i) {
+		if (ifp->endpoint[i].desc.bEndpointAddress ==
+		    d->bEndpointAddress) {
+			dev_warn(ddev, "config %d interface %d altsetting %d has a duplicate endpoint with address 0x%X, skipping\n",
+			    cfgno, inum, asnum, d->bEndpointAddress);
+			goto skip_to_next_endpoint_or_interface_descriptor;
+		}
+	}
+
 	endpoint = &ifp->endpoint[ifp->desc.bNumEndpoints];
 	++ifp->desc.bNumEndpoints;
 
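Review bot: The duplicate scan only walks ifp->endpoint[0..bNumEndpoints), so it catches a repeated bEndpointAddress within one altsetting of one interface and nothing wider. That matches the sysfs collision in the changelog, but the comment "Check for duplicate endpoint addresses" reads as if it were a configuration-wide guarantee; please say "within this altsetting". It is also worth stating that the comparison is on the full address byte, so the same endpoint number with the other direction bit is deliberately not treated as a duplicate.
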
-- 
2.11.0


* [PATCH 3.12 083/235] USB: dummy-hcd: fix bug in stop_activity (handle ep0)
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (81 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 082/235] USB: fix problems with duplicate endpoint addresses Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 084/235] usb: gadget: composite: Test get_alt() presence instead of set_alt() Jiri Slaby
                   ` (153 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alan Stern, Felipe Balbi, Jiri Slaby

From: Alan Stern <stern@rowland.harvard.edu>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit bcdbeb844773333d2d1c08004f3b3e25921040e5 upstream.

The stop_activity() routine in dummy-hcd is supposed to unlink all
active requests for every endpoint, among other things.  But it
doesn't handle ep0.  As a result, fuzz testing can generate a WARNING
like the following:

WARNING: CPU: 0 PID: 4410 at drivers/usb/gadget/udc/dummy_hcd.c:672 dummy_free_request+0x153/0x170
Modules linked in:
CPU: 0 PID: 4410 Comm: syz-executor Not tainted 4.9.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006a64ed10 ffffffff81f96b8a ffffffff41b58ab3 1ffff1000d4c9d35
 ffffed000d4c9d2d ffff880065f8ac00 0000000041b58ab3 ffffffff8598b510
 ffffffff81f968f8 0000000041b58ab3 ffffffff859410e0 ffffffff813f0590
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81f96b8a>] dump_stack+0x292/0x398 lib/dump_stack.c:51
 [<ffffffff812b808f>] __warn+0x19f/0x1e0 kernel/panic.c:550
 [<ffffffff812b831c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
 [<ffffffff830fcb13>] dummy_free_request+0x153/0x170 drivers/usb/gadget/udc/dummy_hcd.c:672
 [<ffffffff830ed1b0>] usb_ep_free_request+0xc0/0x420 drivers/usb/gadget/udc/core.c:195
 [<ffffffff83225031>] gadgetfs_unbind+0x131/0x190 drivers/usb/gadget/legacy/inode.c:1612
 [<ffffffff830ebd8f>] usb_gadget_remove_driver+0x10f/0x2b0 drivers/usb/gadget/udc/core.c:1228
 [<ffffffff830ec084>] usb_gadget_unregister_driver+0x154/0x240 drivers/usb/gadget/udc/core.c:1357

This patch fixes the problem by iterating over all the endpoints in
the driver's ep array instead of iterating over the gadget's ep_list,
which explicitly leaves out ep0.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/gadget/dummy_hcd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/dummy_hcd.c b/drivers/usb/gadget/dummy_hcd.c
index b8a2376971a4..341976289d15 100644
--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -266,7 +266,7 @@ static void nuke(struct dummy *dum, struct dummy_ep *ep)
 /* caller must hold lock */
 static void stop_activity(struct dummy *dum)
 {
-	struct dummy_ep	*ep;
+	int i;
 
 	/* prevent any more requests */
 	dum->address = 0;
@@ -274,8 +274,8 @@ static void stop_activity(struct dummy *dum)
 	/* The timer is left running so that outstanding URBs can fail */
 
 	/* nuke any pending requests first, so driver i/o is quiesced */
-	list_for_each_entry(ep, &dum->gadget.ep_list, ep.ep_list)
-		nuke(dum, ep);
+	for (i = 0; i < DUMMY_ENDPOINTS; ++i)
+		nuke(dum, &dum->ep[i]);
 
 	/* driver now does any non-usb quiescing necessary */
 }
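
Review bot: The new loop bound DUMMY_ENDPOINTS has to match the size of dum->ep[], which is declared outside this hunk; `ARRAY_SIZE(dum->ep)` would tie the bound to the array itself. A short comment that the array, unlike gadget.ep_list, includes ep0 would also keep someone from converting this back to list_for_each_entry().
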
-- 
2.11.0


* [PATCH 3.12 084/235] usb: gadget: composite: Test get_alt() presence instead of set_alt()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (82 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 083/235] USB: dummy-hcd: fix bug in stop_activity (handle ep0) Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 085/235] xhci: workaround for hosts missing CAS bit Jiri Slaby
                   ` (152 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Krzysztof Opasiak, Felipe Balbi, Jiri Slaby

From: Krzysztof Opasiak <k.opasiak@samsung.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7e4da3fcf7c9fe042f2f7cb7bf23861a899b4a8f upstream.

By convention (according to doc) if function does not provide
get_alt() callback composite framework should assume that it has only
altsetting 0 and should respond with error if host tries to set
other one.

After commit dd4dff8b035f ("USB: composite: Fix bug: should test
set_alt function pointer before use it")
we started checking set_alt() callback instead of get_alt().
This check is useless as we check if set_alt() is set inside
usb_add_function() and fail if it's NULL.

Let's fix this check and move comment about why we check the get
method instead of set a little bit closer to prevent future false
fixes.

Fixes: dd4dff8b035f ("USB: composite: Fix bug: should test set_alt function pointer before use it")
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/gadget/composite.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index bd6400b4af89..2bacd2761764 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1320,9 +1320,7 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
 		value = min(w_length, (u16) 1);
 		break;
 
-	/* function drivers must handle get/set altsetting; if there's
-	 * no get() method, we know only altsetting zero works.
-	 */
+	/* function drivers must handle get/set altsetting */
 	case USB_REQ_SET_INTERFACE:
 		if (ctrl->bRequestType != USB_RECIP_INTERFACE)
 			goto unknown;
@@ -1331,7 +1329,13 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
 		f = cdev->config->interface[intf];
 		if (!f)
 			break;
-		if (w_value && !f->set_alt)
+
+		/*
+		 * If there's no get_alt() method, we know only altsetting zero
+		 * works. There is no need to check if set_alt() is not NULL
+		 * as we check this in usb_add_function().
+		 */
+		if (w_value && !f->get_alt)
 			break;
 		value = f->set_alt(f, w_index, w_value);
 		if (value == USB_GADGET_DELAYED_STATUS) {
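
Review bot: After this change `f->set_alt(f, w_index, w_value)` is called with no local NULL test, so the only protection against calling a NULL function pointer on a host-triggered SET_INTERFACE is the check in usb_add_function() that the new comment refers to, which is not part of this diff. Please confirm that check exists in the 3.12 tree this is being applied to. Separately, the shortened comment in the previous hunk ("function drivers must handle get/set altsetting") now contradicts the new one, which explicitly allows a function without get_alt(); rewording it to "must handle set altsetting" would avoid that.
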
-- 
2.11.0


* [PATCH 3.12 085/235] xhci: workaround for hosts missing CAS bit
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (83 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 084/235] usb: gadget: composite: Test get_alt() presence instead of set_alt() Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 086/235] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake Jiri Slaby
                   ` (151 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Mathias Nyman, Jiri Slaby

From: Mathias Nyman <mathias.nyman@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 346e99736c3ce328fd42d678343b70243aca5f36 upstream.

If a device is unplugged and replugged during Sx system suspend
some Intel xHC hosts will overwrite the CAS (Cold attach status) flag
and no device connection is noticed in resume.

A device in this state can be identified in resume if its link state
is in polling or compliance mode, and the current connect status is 0.
A device in this state needs to be warm reset.

Intel 100/c230 series PCH specification update Doc #332692-006 Errata #8

Observed on Cherryview and Apollolake as they go into compliance mode
if LFPS times out during polling, and re-plugged devices are not
discovered at resume.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/xhci-hub.c | 37 +++++++++++++++++++++++++++++++++++++
 drivers/usb/host/xhci-pci.c |  6 ++++++
 drivers/usb/host/xhci.h     |  3 +++
 3 files changed, 46 insertions(+)

diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index 8a79270ca44d..f97a382e3e76 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1221,6 +1221,35 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
 	return 0;
 }
 
+/*
+ * Workaround for missing Cold Attach Status (CAS) if device re-plugged in S3.
+ * warm reset a USB3 device stuck in polling or compliance mode after resume.
+ * See Intel 100/c230 series PCH specification update Doc #332692-006 Errata #8
+ */
+static bool xhci_port_missing_cas_quirk(int port_index,
+					     __le32 __iomem **port_array)
+{
+	u32 portsc;
+
+	portsc = readl(port_array[port_index]);
+
+	/* if any of these are set we are not stuck */
+	if (portsc & (PORT_CONNECT | PORT_CAS))
+		return false;
+
+	if (((portsc & PORT_PLS_MASK) != XDEV_POLLING) &&
+	    ((portsc & PORT_PLS_MASK) != XDEV_COMP_MODE))
+		return false;
+
+	/* clear wakeup/change bits, and do a warm port reset */
+	portsc &= ~(PORT_RWC_BITS | PORT_CEC | PORT_WAKE_BITS);
+	portsc |= PORT_WR;
+	writel(portsc, port_array[port_index]);
+	/* flush write */
+	readl(port_array[port_index]);
+	return true;
+}
+
 int xhci_bus_resume(struct usb_hcd *hcd)
 {
 	struct xhci_hcd	*xhci = hcd_to_xhci(hcd);
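
Review bot: xhci_port_missing_cas_quirk() accesses PORTSC with raw readl()/writel(), while the caller in this tree reads the same register with `xhci_readl(xhci, port_array[port_index])` (context line in the next hunk). For this backport the helper should take the xhci pointer and use the xhci_readl()/xhci_writel() accessors so that every PORTSC access goes through the same path. The block comment also starts its second sentence in lower case ("warm reset a USB3 device ...").
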
@@ -1255,6 +1284,14 @@ int xhci_bus_resume(struct usb_hcd *hcd)
 		int slot_id;
 
 		temp = xhci_readl(xhci, port_array[port_index]);
+
+		/* warm reset CAS limited ports stuck in polling/compliance */
+		if ((xhci->quirks & XHCI_MISSING_CAS) &&
+		    (hcd->speed >= HCD_USB3) &&
+		    xhci_port_missing_cas_quirk(port_index, port_array)) {
+			xhci_dbg(xhci, "reset stuck port %d\n", port_index);
+			continue;
+		}
 		if (DEV_SUPERSPEED(temp))
 			temp &= ~(PORT_RWC_BITS | PORT_CEC | PORT_WAKE_BITS);
 		else
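
Review bot: PORTSC is read into `temp` and then read a second time inside xhci_port_missing_cas_quirk(); passing `temp` to the helper would drop one MMIO read and make sure the quirk decision and the rest of the loop body see the same snapshot of the register. The `continue` also skips all remaining per-port resume handling in this loop, so the comment should say that a warm-reset port is intentionally left out of it.
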
diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index 9c3f2c4eaceb..946f63852434 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -43,6 +43,7 @@
 #define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI	0x9d2f
 #define PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI		0x0aa8
 #define PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI		0x1aa8
+#define PCI_DEVICE_ID_INTEL_APL_XHCI			0x5aa8
 
 static const char hcd_name[] = "xhci_hcd";
 
@@ -145,6 +146,11 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
 		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI)) {
 		xhci->quirks |= XHCI_PME_STUCK_QUIRK;
 	}
+	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+	    (pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
+	     pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI))
+		xhci->quirks |= XHCI_MISSING_CAS;
+
 	if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
 			pdev->device == PCI_DEVICE_ID_ASROCK_P67) {
 		xhci->quirks |= XHCI_RESET_ON_RESUME;
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index 0419137c4732..83bfb60d19c0 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -286,6 +286,8 @@ struct xhci_op_regs {
 #define XDEV_U2		(0x2 << 5)
 #define XDEV_U3		(0x3 << 5)
 #define XDEV_INACTIVE	(0x6 << 5)
+#define XDEV_POLLING	(0x7 << 5)
+#define XDEV_COMP_MODE  (0xa << 5)
 #define XDEV_RESUME	(0xf << 5)
 /* true: port has power (see HCC_PPC) */
 #define PORT_POWER	(1 << 9)
@@ -1555,6 +1557,7 @@ struct xhci_hcd {
 #define XHCI_SLOW_SUSPEND	(1 << 17)
 #define XHCI_SPURIOUS_WAKEUP	(1 << 18)
 #define XHCI_PME_STUCK_QUIRK	(1 << 20)
+#define XHCI_MISSING_CAS	(1 << 24)
 	unsigned int		num_active_eps;
 	unsigned int		limit_active_eps;
 	/* There are two roothubs to keep track of bus suspend info for */
-- 
2.11.0


* [PATCH 3.12 086/235] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (84 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 085/235] xhci: workaround for hosts missing CAS bit Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 087/235] xhci: free xhci virtual devices with leaf nodes first Jiri Slaby
                   ` (150 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Wan Ahmad Zainie, Mathias Nyman, Jiri Slaby

From: Wan Ahmad Zainie <wan.ahmad.zainie.wan.mohamad@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6c97cfc1a097b1e0786c836e92b7a72b4d031e25 upstream.

Intel Apollo Lake also requires XHCI_PME_STUCK_QUIRK.
Adding its PCI ID to quirk.

Signed-off-by: Wan Ahmad Zainie <wan.ahmad.zainie.wan.mohamad@intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/xhci-pci.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index 946f63852434..6b11f6df76aa 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -143,7 +143,8 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
 		 pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI ||
 		 pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
 		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI ||
-		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI)) {
+		 pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI ||
+		 pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI)) {
 		xhci->quirks |= XHCI_PME_STUCK_QUIRK;
 	}
 	if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
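
Review bot: PCI_DEVICE_ID_INTEL_APL_XHCI is used in the added line but is not defined by this patch; in this series the define is introduced by 085/235 ("xhci: workaround for hosts missing CAS bit"), and the trailing context line here is the XHCI_MISSING_CAS block from that same patch. The two therefore have to be applied in order, and anyone picking this one alone will get a build failure. Worth noting the dependency in the backport.
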
-- 
2.11.0


* [PATCH 3.12 087/235] xhci: free xhci virtual devices with leaf nodes first
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (85 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 086/235] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 088/235] USB: serial: omninet: fix NULL-derefs at open and disconnect Jiri Slaby
                   ` (149 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Mathias Nyman, Jiri Slaby

From: Mathias Nyman <mathias.nyman@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ee8665e28e8d90ce69d4abe5a469c14a8707ae0e upstream.

The tt_info provided by a HS hub might be in use by a child device.
Make sure we free the devices in the correct order.

This is needed in special cases such as when xhci controller is
reset when resuming from hibernate, and all virt_devices are freed.

Also free the virt_devices starting from max slot_id as children
more commonly have higher slot_id than parent.

Reported-by: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/xhci-mem.c | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index bc5307f9367f..f2fae31fe79b 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -865,6 +865,40 @@ void xhci_free_virt_device(struct xhci_hcd *xhci, int slot_id)
 	xhci->devs[slot_id] = NULL;
 }
 
+/*
+ * Free a virt_device structure.
+ * If the virt_device added a tt_info (a hub) and has children pointing to
+ * that tt_info, then free the child first. Recursive.
+ * We can't rely on udev at this point to find child-parent relationships.
+ */
+void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_id)
+{
+	struct xhci_virt_device *vdev;
+	struct list_head *tt_list_head;
+	struct xhci_tt_bw_info *tt_info, *next;
+	int i;
+
+	vdev = xhci->devs[slot_id];
+	if (!vdev)
+		return;
+
+	tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts);
+	list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) {
+		/* is this a hub device that added a tt_info to the tts list */
+		if (tt_info->slot_id == slot_id) {
+			/* are any devices using this tt_info? */
+			for (i = 1; i < HCS_MAX_SLOTS(xhci->hcs_params1); i++) {
+				vdev = xhci->devs[i];
+				if (vdev && (vdev->tt_info == tt_info))
+					xhci_free_virt_devices_depth_first(
+						xhci, i);
+			}
+		}
+	}
+	/* we are now at a leaf device */
+	xhci_free_virt_device(xhci, slot_id);
+}
+
 int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,
 		struct usb_device *udev, gfp_t flags)
 {
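
Review bot: `xhci->rh_bw[vdev->real_port - 1]` is indexed without any check on real_port, so a virt_device whose real_port is 0 or otherwise out of range makes this access fall outside rh_bw[]. The changelog says this path runs when the controller is reset on resume from hibernate and every virt_device is freed, which is exactly when the state of each entry is least certain; validate real_port before taking tt_list_head and go straight to xhci_free_virt_device() when it is not usable. The function is also non-static although the diffstat touches only xhci-mem.c and adds no prototype; make it static unless another file needs it.
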
@@ -1735,8 +1769,8 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci)
 		}
 	}
 
-	for (i = 1; i < MAX_HC_SLOTS; ++i)
-		xhci_free_virt_device(xhci, i);
+	for (i = HCS_MAX_SLOTS(xhci->hcs_params1); i > 0; i--)
+		xhci_free_virt_devices_depth_first(xhci, i);
 
 	if (xhci->segment_pool)
 		dma_pool_destroy(xhci->segment_pool);
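
Review bot: The slot bounds here and in the child scan added in the previous hunk disagree: this loop starts at HCS_MAX_SLOTS(xhci->hcs_params1) inclusive, while the scan in xhci_free_virt_devices_depth_first() uses `i < HCS_MAX_SLOTS(...)`, so a child sitting in the highest slot is never found as a user of a hub's tt_info. Because this loop frees the highest slot first the top-level order still works out, but the recursion should use `<=` so it does not depend on the caller's iteration order. Please also confirm nothing relied on the old loop covering slots up to MAX_HC_SLOTS.
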
-- 
2.11.0


* [PATCH 3.12 088/235] USB: serial: omninet: fix NULL-derefs at open and disconnect
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (86 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 087/235] xhci: free xhci virtual devices with leaf nodes first Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 089/235] USB: serial: quatech2: fix sleep-while-atomic in close Jiri Slaby
                   ` (148 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit a5bc01949e3b19d8a23b5eabc6fc71bb50dc820e upstream.

Fix NULL-pointer dereferences at open() and disconnect() should the
device lack the expected bulk-out endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 000000b4
...
[c0170ff0>] (__lock_acquire) from [<c0172f00>] (lock_acquire+0x108/0x264)
[<c0172f00>] (lock_acquire) from [<c06a5090>] (_raw_spin_lock_irqsave+0x58/0x6c)
[<c06a5090>] (_raw_spin_lock_irqsave) from [<c0470684>] (tty_port_tty_set+0x28/0xa4)
[<c0470684>] (tty_port_tty_set) from [<bf08d384>] (omninet_open+0x30/0x40 [omninet])
[<bf08d384>] (omninet_open [omninet]) from [<bf07c118>] (serial_port_activate+0x68/0x98 [usbserial])

Unable to handle kernel NULL pointer dereference at virtual address 00000234
...
[<bf01f418>] (omninet_disconnect [omninet]) from [<bf0016c0>] (usb_serial_disconnect+0xe4/0x100 [usbserial])

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/omninet.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/usb/serial/omninet.c b/drivers/usb/serial/omninet.c
index 5739bf6f7200..24720f656387 100644
--- a/drivers/usb/serial/omninet.c
+++ b/drivers/usb/serial/omninet.c
@@ -39,6 +39,7 @@ static int  omninet_write(struct tty_struct *tty, struct usb_serial_port *port,
 				const unsigned char *buf, int count);
 static int  omninet_write_room(struct tty_struct *tty);
 static void omninet_disconnect(struct usb_serial *serial);
+static int omninet_attach(struct usb_serial *serial);
 static int omninet_port_probe(struct usb_serial_port *port);
 static int omninet_port_remove(struct usb_serial_port *port);
 
@@ -57,6 +58,7 @@ static struct usb_serial_driver zyxel_omninet_device = {
 	.description =		"ZyXEL - omni.net lcd plus usb",
 	.id_table =		id_table,
 	.num_ports =		1,
+	.attach =		omninet_attach,
 	.port_probe =		omninet_port_probe,
 	.port_remove =		omninet_port_remove,
 	.open =			omninet_open,
@@ -105,6 +107,17 @@ struct omninet_data {
 	__u8	od_outseq;	/* Sequence number for bulk_out URBs */
 };
 
+static int omninet_attach(struct usb_serial *serial)
+{
+	/* The second bulk-out endpoint is used for writing. */
+	if (serial->num_bulk_out < 2) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int omninet_port_probe(struct usb_serial_port *port)
 {
 	struct omninet_data *od;
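
Review bot: The dev_err() in omninet_attach() logs only "missing endpoints", which does not tell whoever reads the log what the driver expected or what the device presented. Since the descriptors come from the device and this is the point where a malformed one is rejected, include the counts, for example "expected 2 bulk-out endpoints, found %d" with serial->num_bulk_out. A named constant for the `2` would also let the comment and the test stay in step.
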
-- 
2.11.0


* [PATCH 3.12 089/235] USB: serial: quatech2: fix sleep-while-atomic in close
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (87 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 088/235] USB: serial: omninet: fix NULL-derefs at open and disconnect Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 090/235] USB: serial: pl2303: fix NULL-deref at open Jiri Slaby
                   ` (147 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f09d1886a41e9063b43da493ef0e845ac8afd2fa upstream.

The write URB was being killed using the synchronous interface while
holding a spin lock in close().

Simply drop the lock and busy-flag update, something which would have
been taken care of by the completion handler if the URB was in flight.

Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/quatech2.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/usb/serial/quatech2.c b/drivers/usb/serial/quatech2.c
index 58ab9e52a938..d0ee758dff0b 100644
--- a/drivers/usb/serial/quatech2.c
+++ b/drivers/usb/serial/quatech2.c
@@ -409,16 +409,12 @@ static void qt2_close(struct usb_serial_port *port)
 {
 	struct usb_serial *serial;
 	struct qt2_port_private *port_priv;
-	unsigned long flags;
 	int i;
 
 	serial = port->serial;
 	port_priv = usb_get_serial_port_data(port);
 
-	spin_lock_irqsave(&port_priv->urb_lock, flags);
 	usb_kill_urb(port_priv->write_urb);
-	port_priv->urb_in_use = false;
-	spin_unlock_irqrestore(&port_priv->urb_lock, flags);
 
 	/* flush the port transmit buffer */
 	i = usb_control_msg(serial->dev,
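
Review bot: With the lock and the `port_priv->urb_in_use = false` store removed, qt2_close() relies on the write completion handler to clear urb_in_use after usb_kill_urb(); that handler is not part of this diff. A one-line comment at the usb_kill_urb() call stating this, and that usb_kill_urb() is synchronous so urb_lock must not be held around it, would keep the locking from being reintroduced later.
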
-- 
2.11.0


* [PATCH 3.12 090/235] USB: serial: pl2303: fix NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (88 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 089/235] USB: serial: quatech2: fix sleep-while-atomic in close Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 091/235] USB: serial: keyspan_pda: verify endpoints at probe Jiri Slaby
                   ` (146 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 76ab439ed1b68778e9059c79ecc5d14de76c89a8 upstream.

Fix NULL-pointer dereference in open() should a type-0 or type-1 device
lack the expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at pl2303_open+0x38/0xec [pl2303]

Note that a missing interrupt-in endpoint would have caused open() to
fail.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/pl2303.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c
index e47f9c642404..23f11751e05a 100644
--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -176,9 +176,17 @@ static int pl2303_vendor_write(__u16 value, __u16 index,
 static int pl2303_startup(struct usb_serial *serial)
 {
 	struct pl2303_serial_private *spriv;
+	unsigned char num_ports = serial->num_ports;
 	enum pl2303_type type = type_0;
 	unsigned char *buf;
 
+	if (serial->num_bulk_in < num_ports ||
+			serial->num_bulk_out < num_ports ||
+			serial->num_interrupt_in < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
 	spriv = kzalloc(sizeof(*spriv), GFP_KERNEL);
 	if (!spriv)
 		return -ENOMEM;
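
Review bot: The new test in pl2303_startup() requires an interrupt-in endpoint for every port and sits ahead of any type handling in the function, whereas the commit message limits the NULL dereference to type-0 and type-1 devices and says a missing interrupt-in endpoint already made open() fail. So the check changes behaviour beyond the crash case: such devices are now rejected at startup with -ENODEV instead of failing later at open(). That is reasonable hardening against device-supplied descriptors, but the changelog should state it, and the message would be more useful if it named which endpoint type was short.
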
-- 
2.11.0


* [PATCH 3.12 091/235] USB: serial: keyspan_pda: verify endpoints at probe
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (89 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 090/235] USB: serial: pl2303: fix NULL-deref at open Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 092/235] USB: serial: spcp8x5: fix NULL-deref at open Jiri Slaby
                   ` (145 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5d9b0f859babe96175cd33d7162a9463a875ffde upstream.

Check for the expected endpoints in attach() and fail loudly if not
present.

Note that failing to do this appears to be benign since da280e348866
("USB: keyspan_pda: clean up write-urb busy handling") which prevents a
NULL-pointer dereference in write() by never marking a non-existent
write-urb as free.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/keyspan_pda.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/usb/serial/keyspan_pda.c b/drivers/usb/serial/keyspan_pda.c
index 5f1d382e55cf..05c567bf5cfa 100644
--- a/drivers/usb/serial/keyspan_pda.c
+++ b/drivers/usb/serial/keyspan_pda.c
@@ -697,6 +697,19 @@ MODULE_FIRMWARE("keyspan_pda/keyspan_pda.fw");
 MODULE_FIRMWARE("keyspan_pda/xircom_pgs.fw");
 #endif
 
+static int keyspan_pda_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_out < num_ports ||
+			serial->num_interrupt_in < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int keyspan_pda_port_probe(struct usb_serial_port *port)
 {
 
@@ -774,6 +787,7 @@ static struct usb_serial_driver keyspan_pda_device = {
 	.break_ctl =		keyspan_pda_break_ctl,
 	.tiocmget =		keyspan_pda_tiocmget,
 	.tiocmset =		keyspan_pda_tiocmset,
+	.attach =		keyspan_pda_attach,
 	.port_probe =		keyspan_pda_port_probe,
 	.port_remove =		keyspan_pda_port_remove,
 };
-- 
2.11.0


* [PATCH 3.12 092/235] USB: serial: spcp8x5: fix NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (90 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 091/235] USB: serial: keyspan_pda: verify endpoints at probe Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 093/235] USB: serial: io_ti: " Jiri Slaby
                   ` (144 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit cc0909248258f679c4bb4cd315565d40abaf6bc6 upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at spcp8x5_open+0x30/0xd0 [spcp8x5]

Fixes: 619a6f1d1423 ("USB: add usb-serial spcp8x5 driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/spcp8x5.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/usb/serial/spcp8x5.c b/drivers/usb/serial/spcp8x5.c
index 5b793c352267..ab754d23244c 100644
--- a/drivers/usb/serial/spcp8x5.c
+++ b/drivers/usb/serial/spcp8x5.c
@@ -155,6 +155,19 @@ static int spcp8x5_probe(struct usb_serial *serial,
 	return 0;
 }
 
+static int spcp8x5_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_in < num_ports ||
+			serial->num_bulk_out < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int spcp8x5_port_probe(struct usb_serial_port *port)
 {
 	const struct usb_device_id *id = usb_get_serial_data(port->serial);
@@ -479,6 +492,7 @@ static struct usb_serial_driver spcp8x5_device = {
 	.tiocmget		= spcp8x5_tiocmget,
 	.tiocmset		= spcp8x5_tiocmset,
 	.probe			= spcp8x5_probe,
+	.attach			= spcp8x5_attach,
 	.port_probe		= spcp8x5_port_probe,
 	.port_remove		= spcp8x5_port_remove,
 };
-- 
2.11.0


* [PATCH 3.12 093/235] USB: serial: io_ti: fix NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (91 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 092/235] USB: serial: spcp8x5: fix NULL-deref at open Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 094/235] USB: serial: io_ti: fix another " Jiri Slaby
                   ` (143 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit a323fefc6f5079844dc62ffeb54f491d0242ca35 upstream.

Fix NULL-pointer dereference when clearing halt at open should a
malicious device lack the expected endpoints when in download mode.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf011ed8>] (edge_open [io_ti]) from [<bf000118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf000118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf000da0>] (serial_open+0x48/0x6c [usbserial])
[<bf000da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/io_ti.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index 0385bc4efefa..5717996cf87d 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -2409,6 +2409,13 @@ static int edge_startup(struct usb_serial *serial)
 	struct edgeport_serial *edge_serial;
 	int status;
 
+	/* Make sure we have the required endpoints when in download mode. */
+	if (serial->interface->cur_altsetting->desc.bNumEndpoints > 1) {
+		if (serial->num_bulk_in < serial->num_ports ||
+				serial->num_bulk_out < serial->num_ports)
+			return -ENODEV;
+	}
+
 	/* create our private serial structure */
 	edge_serial = kzalloc(sizeof(struct edgeport_serial), GFP_KERNEL);
 	if (edge_serial == NULL) {
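Review bot: the new check in edge_startup() returns -ENODEV without logging anything, unlike the other endpoint checks in this series, which call dev_err() with "missing endpoints"; a refused bind with no message is hard to diagnose, so add the same dev_err() before the return. Separately, `bNumEndpoints > 1` stands in for "download mode" with only a brief comment. Say in the comment why more than one endpoint implies download mode, or move the test into a named helper so the assumption is stated once.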
-- 
2.11.0


* [PATCH 3.12 094/235] USB: serial: io_ti: fix another NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (92 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 093/235] USB: serial: io_ti: " Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 095/235] USB: serial: iuu_phoenix: fix " Jiri Slaby
                   ` (142 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 4f9785cc99feeb3673993b471f646b4dbaec2cc1 upstream.

In case a device is left in "boot-mode" we must not register any port
devices in order to avoid a NULL-pointer dereference on open due to
missing endpoints. This could be used by a malicious device to trigger
an OOPS:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf0caa84>] (edge_open [io_ti]) from [<bf0b0118>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0b0118>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf0b0da0>] (serial_open+0x48/0x6c [usbserial])
[<bf0b0da0>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/io_ti.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index 5717996cf87d..19cf36853e96 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1399,7 +1399,7 @@ stayinbootmode:
 	dev_dbg(dev, "%s - STAYING IN BOOT MODE\n", __func__);
 	serial->product_info.TiMode = TI_MODE_BOOT;
 
-	return 0;
+	return 1;
 }
 
 
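Review bot: `return 1` at stayinbootmode gives this function a third return class (negative errno, 0, and now 1 for "staying in boot mode"), and nothing in the hunk documents it. Add a comment at the function header or at this return stating the convention, since the caller's `status < 0` and `status > 0` handling in edge_startup() depends on it.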
@@ -2427,11 +2427,14 @@ static int edge_startup(struct usb_serial *serial)
 	usb_set_serial_data(serial, edge_serial);
 
 	status = download_fw(edge_serial);
-	if (status) {
+	if (status < 0) {
 		kfree(edge_serial);
 		return status;
 	}
 
+	if (status > 0)
+		return 1;	/* bind but do not register any ports */
+
 	return 0;
 }
 
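Review bot: on the new `status > 0` path edge_startup() returns with edge_serial still allocated and installed through usb_set_serial_data(), whereas the `status < 0` path frees it. Please confirm that the release path still frees edge_serial when the driver binds without registering any ports, and note that next to `return 1`; otherwise this path leaks the structure.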
-- 
2.11.0


* [PATCH 3.12 095/235] USB: serial: iuu_phoenix: fix NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (93 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 094/235] USB: serial: io_ti: fix another " Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 096/235] USB: serial: garmin_gps: fix memory leak on failed URB submit Jiri Slaby
                   ` (141 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 90507d54f712d81b74815ef3a4bbb555cd9fab2f upstream.

Fix NULL-pointer dereference at open should the device lack a bulk-in or
bulk-out endpoint:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at iuu_open+0x78/0x59c [iuu_phoenix]

Fixes: 07c3b1a10016 ("USB: remove broken usb-serial num_endpoints
check")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/iuu_phoenix.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
index 57c439a24b5a..66ca41f83ffc 100644
--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -69,6 +69,16 @@ struct iuu_private {
 	u32 clk;
 };
 
+static int iuu_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_in < num_ports || serial->num_bulk_out < num_ports)
+		return -ENODEV;
+
+	return 0;
+}
+
 static int iuu_port_probe(struct usb_serial_port *port)
 {
 	struct iuu_private *priv;
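Review bot: iuu_attach() rejects the device with -ENODEV but logs nothing, while most of the sibling attach() checks in this series print "missing endpoints" through dev_err(). Add the same dev_err(&serial->interface->dev, ...) call so that a refused bind shows up in the kernel log.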
@@ -1197,6 +1207,7 @@ static struct usb_serial_driver iuu_device = {
 	.tiocmset = iuu_tiocmset,
 	.set_termios = iuu_set_termios,
 	.init_termios = iuu_init_termios,
+	.attach = iuu_attach,
 	.port_probe = iuu_port_probe,
 	.port_remove = iuu_port_remove,
 };
-- 
2.11.0


* [PATCH 3.12 096/235] USB: serial: garmin_gps: fix memory leak on failed URB submit
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (94 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 095/235] USB: serial: iuu_phoenix: fix " Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 097/235] USB: serial: ti_usb_3410_5052: fix NULL-deref at open Jiri Slaby
                   ` (140 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c4ac4496e835b78a45dfbf74f6173932217e4116 upstream.

Make sure to free the URB transfer buffer in case submission fails (e.g.
due to a disconnect).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/garmin_gps.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/serial/garmin_gps.c b/drivers/usb/serial/garmin_gps.c
index 04b5ed90ffb2..9f1381dfce8c 100644
--- a/drivers/usb/serial/garmin_gps.c
+++ b/drivers/usb/serial/garmin_gps.c
@@ -1049,6 +1049,7 @@ static int garmin_write_bulk(struct usb_serial_port *port,
 		   "%s - usb_submit_urb(write bulk) failed with status = %d\n",
 				__func__, status);
 		count = status;
+		kfree(buffer);
 	}
 
 	/* we are done with this urb, so let the host driver
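Review bot: kfree(buffer) in the failure branch frees what the commit message calls the URB transfer buffer, and the trailing context shows the URB being handed back right after this block. It is worth confirming that the URB is not set up to free its transfer buffer itself when it is released, since that would turn this leak fix into a double free. A short comment stating who owns `buffer` on success and on failure would settle the question.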
-- 
2.11.0


* [PATCH 3.12 097/235] USB: serial: ti_usb_3410_5052: fix NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (95 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 096/235] USB: serial: garmin_gps: fix memory leak on failed URB submit Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 098/235] USB: serial: io_edgeport: " Jiri Slaby
                   ` (139 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ef079936d3cd09e63612834fe2698eeada0d8e3f upstream.

Fix NULL-pointer dereference in open() should a malicious device lack
the expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
..
[<bf06a6b0>] (ti_open [ti_usb_3410_5052]) from [<bf02e118>] (serial_port_activate+0x68/0x98 [usbserial])

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/ti_usb_3410_5052.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
index 11b402935fbd..a7c3f0800de9 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -341,6 +341,13 @@ static int ti_startup(struct usb_serial *serial)
 		goto free_tdev;
 	}
 
+	if (serial->num_bulk_in < serial->num_ports ||
+			serial->num_bulk_out < serial->num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		status = -ENODEV;
+		goto free_tdev;
+	}
+
 	return 0;
 
 free_tdev:
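Review bot: the endpoint check sits at the very end of ti_startup(), immediately before `return 0`, so everything earlier in the function runs before a device with missing endpoints is rejected. If the endpoint counts are already valid on entry, move the check to the top and return -ENODEV directly; if it has to follow the earlier steps, add a comment saying why. The `goto free_tdev` cleanup itself matches the preceding error path.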
-- 
2.11.0


* [PATCH 3.12 098/235] USB: serial: io_edgeport: fix NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (96 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 097/235] USB: serial: ti_usb_3410_5052: fix NULL-deref at open Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 099/235] USB: serial: oti6858: " Jiri Slaby
                   ` (138 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 0dd408425eb21ddf26a692b3c8044c9e7d1a7948 upstream.

Fix NULL-pointer dereference when initialising URBs at open should a
non-EPIC device lack a bulk-in or interrupt-in endpoint.

Unable to handle kernel NULL pointer dereference at virtual address 00000028
...
PC is at edge_open+0x24c/0x3e8 [io_edgeport]

Note that the EPIC-device probe path has the required sanity checks so
this makes those checks partially redundant.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/io_edgeport.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index 0d037cc40e51..75e5ed82d17e 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2781,6 +2781,11 @@ static int edge_startup(struct usb_serial *serial)
 					EDGE_COMPATIBILITY_MASK1,
 					EDGE_COMPATIBILITY_MASK2 };
 
+	if (serial->num_bulk_in < 1 || serial->num_interrupt_in < 1) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
 	dev = serial->dev;
 
 	/* create our private serial structure */
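Review bot: the check compares against the literal 1 (`num_bulk_in < 1 || num_interrupt_in < 1`) where the other drivers in this series compare against serial->num_ports. A short comment explaining why one bulk-in and one interrupt-in endpoint are what this function needs, independent of the port count, would make the difference clearly intentional. The commit message also notes that the check is partially redundant with the EPIC probe path; that belongs in a code comment too.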
-- 
2.11.0


* [PATCH 3.12 099/235] USB: serial: oti6858: fix NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (97 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 098/235] USB: serial: io_edgeport: " Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 100/235] USB: serial: cyberjack: " Jiri Slaby
                   ` (137 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5afeef2366db14587b65558bbfd5a067542e07fb upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at oti6858_open+0x30/0x1d0 [oti6858]

Note that a missing interrupt-in endpoint would have caused open() to
fail.

Fixes: 49cdee0ed0fc ("USB: oti6858 usb-serial driver (in Nokia CA-42
cable)")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/oti6858.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/usb/serial/oti6858.c b/drivers/usb/serial/oti6858.c
index a2080ac7b7e5..da6404c868e9 100644
--- a/drivers/usb/serial/oti6858.c
+++ b/drivers/usb/serial/oti6858.c
@@ -135,6 +135,7 @@ static int oti6858_tiocmget(struct tty_struct *tty);
 static int oti6858_tiocmset(struct tty_struct *tty,
 				unsigned int set, unsigned int clear);
 static int oti6858_tiocmiwait(struct tty_struct *tty, unsigned long arg);
+static int oti6858_attach(struct usb_serial *serial);
 static int oti6858_port_probe(struct usb_serial_port *port);
 static int oti6858_port_remove(struct usb_serial_port *port);
 
@@ -159,6 +160,7 @@ static struct usb_serial_driver oti6858_device = {
 	.write_bulk_callback =	oti6858_write_bulk_callback,
 	.write_room =		oti6858_write_room,
 	.chars_in_buffer =	oti6858_chars_in_buffer,
+	.attach =		oti6858_attach,
 	.port_probe =		oti6858_port_probe,
 	.port_remove =		oti6858_port_remove,
 };
@@ -328,6 +330,20 @@ static void send_data(struct work_struct *work)
 	usb_serial_port_softint(port);
 }
 
+static int oti6858_attach(struct usb_serial *serial)
+{
+	unsigned char num_ports = serial->num_ports;
+
+	if (serial->num_bulk_in < num_ports ||
+			serial->num_bulk_out < num_ports ||
+			serial->num_interrupt_in < num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int oti6858_port_probe(struct usb_serial_port *port)
 {
 	struct oti6858_private *priv;
-- 
2.11.0


* [PATCH 3.12 100/235] USB: serial: cyberjack: fix NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (98 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 099/235] USB: serial: oti6858: " Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 101/235] USB: serial: kobil_sct: fix NULL-deref in write Jiri Slaby
                   ` (136 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3dca01114dcecb1cf324534cd8d75fd1306a516b upstream.

Fix NULL-pointer dereference when clearing halt at open should the device
lack a bulk-out endpoint.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at cyberjack_open+0x40/0x9c [cyberjack]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/cyberjack.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/usb/serial/cyberjack.c b/drivers/usb/serial/cyberjack.c
index 781426230d69..bb3c7f09f059 100644
--- a/drivers/usb/serial/cyberjack.c
+++ b/drivers/usb/serial/cyberjack.c
@@ -51,6 +51,7 @@
 #define CYBERJACK_PRODUCT_ID	0x0100
 
 /* Function prototypes */
+static int cyberjack_attach(struct usb_serial *serial);
 static int cyberjack_port_probe(struct usb_serial_port *port);
 static int cyberjack_port_remove(struct usb_serial_port *port);
 static int  cyberjack_open(struct tty_struct *tty,
@@ -78,6 +79,7 @@ static struct usb_serial_driver cyberjack_device = {
 	.description =		"Reiner SCT Cyberjack USB card reader",
 	.id_table =		id_table,
 	.num_ports =		1,
+	.attach =		cyberjack_attach,
 	.port_probe =		cyberjack_port_probe,
 	.port_remove =		cyberjack_port_remove,
 	.open =			cyberjack_open,
@@ -101,6 +103,14 @@ struct cyberjack_private {
 	short		wrsent;		/* Data already sent */
 };
 
+static int cyberjack_attach(struct usb_serial *serial)
+{
+	if (serial->num_bulk_out < serial->num_ports)
+		return -ENODEV;
+
+	return 0;
+}
+
 static int cyberjack_port_probe(struct usb_serial_port *port)
 {
 	struct cyberjack_private *priv;
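Review bot: cyberjack_attach() returns -ENODEV silently when the bulk-out endpoint is missing. A dev_err() on &serial->interface->dev, as used by the other attach() checks in this series, would make the refused bind visible to whoever is debugging the device.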
-- 
2.11.0


* [PATCH 3.12 101/235] USB: serial: kobil_sct: fix NULL-deref in write
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (99 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 100/235] USB: serial: cyberjack: " Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 102/235] USB: serial: mos7840: fix NULL-deref at open Jiri Slaby
                   ` (135 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 21ce57840243c7b70fbc1ebd3dceeb70bb6e9e09 upstream.

Fix NULL-pointer dereference in write() should the device lack the
expected interrupt-out endpoint:

Unable to handle kernel NULL pointer dereference at virtual address 00000054
...
PC is at kobil_write+0x144/0x2a0 [kobil_sct]

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/kobil_sct.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/usb/serial/kobil_sct.c b/drivers/usb/serial/kobil_sct.c
index efa75b4e51f2..63fa400a822f 100644
--- a/drivers/usb/serial/kobil_sct.c
+++ b/drivers/usb/serial/kobil_sct.c
@@ -52,6 +52,7 @@
 
 
 /* Function prototypes */
+static int kobil_attach(struct usb_serial *serial);
 static int kobil_port_probe(struct usb_serial_port *probe);
 static int kobil_port_remove(struct usb_serial_port *probe);
 static int  kobil_open(struct tty_struct *tty, struct usb_serial_port *port);
@@ -87,6 +88,7 @@ static struct usb_serial_driver kobil_device = {
 	.description =		"KOBIL USB smart card terminal",
 	.id_table =		id_table,
 	.num_ports =		1,
+	.attach =		kobil_attach,
 	.port_probe =		kobil_port_probe,
 	.port_remove =		kobil_port_remove,
 	.ioctl =		kobil_ioctl,
@@ -114,6 +116,16 @@ struct kobil_private {
 };
 
 
+static int kobil_attach(struct usb_serial *serial)
+{
+	if (serial->num_interrupt_out < serial->num_ports) {
+		dev_err(&serial->interface->dev, "missing interrupt-out endpoint\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int kobil_port_probe(struct usb_serial_port *port)
 {
 	struct usb_serial *serial = port->serial;
-- 
2.11.0


* [PATCH 3.12 102/235] USB: serial: mos7840: fix NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (100 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 101/235] USB: serial: kobil_sct: fix NULL-deref in write Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 103/235] USB: serial: mos7720: " Jiri Slaby
                   ` (134 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5c75633ef751dd4cd8f443dc35152c1ae563162e upstream.

Fix NULL-pointer dereference in open() should the device lack the
expected endpoints:

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
PC is at mos7840_open+0x88/0x8dc [mos7840]

Note that we continue to treat the interrupt-in endpoint as optional for
now.

Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/mos7840.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index 29b33ecd048b..0b1659026d85 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -2192,6 +2192,17 @@ static int mos7840_calc_num_ports(struct usb_serial *serial)
 	return mos7840_num_ports;
 }
 
+static int mos7840_attach(struct usb_serial *serial)
+{
+	if (serial->num_bulk_in < serial->num_ports ||
+			serial->num_bulk_out < serial->num_ports) {
+		dev_err(&serial->interface->dev, "missing endpoints\n");
+		return -ENODEV;
+	}
+
+	return 0;
+}
+
 static int mos7840_port_probe(struct usb_serial_port *port)
 {
 	struct usb_serial *serial = port->serial;
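Review bot: mos7840_attach() leaves the interrupt-in endpoint unchecked on purpose, but that decision is recorded only in the commit message ("we continue to treat the interrupt-in endpoint as optional for now"). Put a one-line comment in the function saying so, so that a later reader does not take the omission for an oversight or assume the interrupt-in URB is always present.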
@@ -2472,6 +2483,7 @@ static struct usb_serial_driver moschip7840_4port_device = {
 	.tiocmset = mos7840_tiocmset,
 	.tiocmiwait = usb_serial_generic_tiocmiwait,
 	.get_icount = usb_serial_generic_get_icount,
+	.attach = mos7840_attach,
 	.port_probe = mos7840_port_probe,
 	.port_remove = mos7840_port_remove,
 	.read_bulk_callback = mos7840_bulk_in_callback,
-- 
2.11.0


* [PATCH 3.12 103/235] USB: serial: mos7720: fix NULL-deref at open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (101 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 102/235] USB: serial: mos7840: fix NULL-deref at open Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 104/235] USB: serial: mos7720: fix use-after-free on probe errors Jiri Slaby
                   ` (133 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b05aebc25fdc5aeeac3ee29f0dc9f58dd07c13cc upstream.

Fix NULL-pointer dereference at port open if a device lacks the expected
bulk in and out endpoints.

Unable to handle kernel NULL pointer dereference at virtual address 00000030
...
[<bf071c20>] (mos7720_open [mos7720]) from [<bf0490e0>] (serial_port_activate+0x68/0x98 [usbserial])
[<bf0490e0>] (serial_port_activate [usbserial]) from [<c0470ca4>] (tty_port_open+0x9c/0xe8)
[<c0470ca4>] (tty_port_open) from [<bf049d98>] (serial_open+0x48/0x6c [usbserial])
[<bf049d98>] (serial_open [usbserial]) from [<c0469178>] (tty_open+0xcc/0x5cc)

Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/mos7720.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index d40e1dccb998..b0695b667fb2 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1916,6 +1916,11 @@ static int mos7720_startup(struct usb_serial *serial)
 	u16 product;
 	int ret_val;
 
+	if (serial->num_bulk_in < 2 || serial->num_bulk_out < 2) {
+		dev_err(&serial->interface->dev, "missing bulk endpoints\n");
+		return -ENODEV;
+	}
+
 	product = le16_to_cpu(serial->dev->descriptor.idProduct);
 	dev = serial->dev;
 
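Review bot: the check hard-codes 2 (`num_bulk_in < 2 || num_bulk_out < 2`) rather than comparing against serial->num_ports as the other drivers in this series do. State in a comment why two bulk-in and two bulk-out endpoints are required for every product this function handles, so the constant is not mistaken for a stale copy of the port count.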
-- 
2.11.0


* [PATCH 3.12 104/235] USB: serial: mos7720: fix use-after-free on probe errors
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (102 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 103/235] USB: serial: mos7720: " Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 105/235] USB: serial: mos7720: fix parport " Jiri Slaby
                   ` (132 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 91a1ff4d53c5184d383d0baeeaeab6f9736f2ff3 upstream.

The interrupt URB was submitted on probe but never stopped on probe
errors. This can lead to use-after-free issues in the completion
handler when accessing the freed usb-serial struct:

Unable to handle kernel paging request at virtual address 6b6b6be7
...
[<bf052e70>] (mos7715_interrupt_callback [mos7720]) from [<c052a894>] (__usb_hcd_giveback_urb+0x80/0x140)
[<c052a894>] (__usb_hcd_giveback_urb) from [<c052a9a4>] (usb_hcd_giveback_urb+0x50/0x138)
[<c052a9a4>] (usb_hcd_giveback_urb) from [<c0550684>] (musb_giveback+0xc8/0x1cc)

Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/mos7720.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index b0695b667fb2..67be5d26d7a3 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1961,8 +1961,10 @@ static int mos7720_startup(struct usb_serial *serial)
 #ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
 	if (product == MOSCHIP_DEVICE_ID_7715) {
 		ret_val = mos7715_parport_init(serial);
-		if (ret_val < 0)
+		if (ret_val < 0) {
+			usb_kill_urb(serial->port[0]->interrupt_in_urb);
 			return ret_val;
+		}
 	}
 #endif
 	/* LSR For Port 1 */
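Review bot: the usb_kill_urb() call is added inline in the one error branch that exists today, so any failure point added later, after the URB has been submitted, has to remember the same cleanup. A shared error label that stops the interrupt URB before returning would keep that in one place.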
@@ -1974,6 +1976,8 @@ static int mos7720_startup(struct usb_serial *serial)
 
 static void mos7720_release(struct usb_serial *serial)
 {
+	usb_kill_urb(serial->port[0]->interrupt_in_urb);
+
 #ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
 	/* close the parallel port */
 
-- 
2.11.0


* [PATCH 3.12 105/235] USB: serial: mos7720: fix parport use-after-free on probe errors
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (103 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 104/235] USB: serial: mos7720: fix use-after-free on probe errors Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:53 ` [PATCH 3.12 106/235] USB: serial: mos7720: fix parallel probe Jiri Slaby
                   ` (131 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 75dd211e773afcbc264677b0749d1cf7d937ab2d upstream.

Do not submit the interrupt URB until after the parport has been
successfully registered to avoid another use-after-free in the
completion handler when accessing the freed parport private data in case
of a racing completion.

Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/mos7720.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index 67be5d26d7a3..ea0ef552f445 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -1951,22 +1951,20 @@ static int mos7720_startup(struct usb_serial *serial)
 	usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
 			(__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000);
 
-	/* start the interrupt urb */
-	ret_val = usb_submit_urb(serial->port[0]->interrupt_in_urb, GFP_KERNEL);
-	if (ret_val)
-		dev_err(&dev->dev,
-			"%s - Error %d submitting control urb\n",
-			__func__, ret_val);
-
 #ifdef CONFIG_USB_SERIAL_MOS7715_PARPORT
 	if (product == MOSCHIP_DEVICE_ID_7715) {
 		ret_val = mos7715_parport_init(serial);
-		if (ret_val < 0) {
-			usb_kill_urb(serial->port[0]->interrupt_in_urb);
+		if (ret_val < 0)
 			return ret_val;
-		}
 	}
 #endif
+	/* start the interrupt urb */
+	ret_val = usb_submit_urb(serial->port[0]->interrupt_in_urb, GFP_KERNEL);
+	if (ret_val) {
+		dev_err(&dev->dev, "failed to submit interrupt urb: %d\n",
+			ret_val);
+	}
+
 	/* LSR For Port 1 */
 	read_mos_reg(serial, 0, LSR, &data);
 	dev_dbg(&dev->dev, "LSR:%x\n", data);
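
Review bot: the relocated usb_submit_urb() failure path only logs with dev_err() and then falls through to the LSR read, so mos7720_startup() carries on without a running interrupt URB, and on a 7715 it does so with the parport already registered by mos7715_parport_init(). Consider returning ret_val here after undoing the parport registration, or add a comment saying why a failed submission is not fatal.
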
-- 
2.11.0


* [PATCH 3.12 106/235] USB: serial: mos7720: fix parallel probe
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (104 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 105/235] USB: serial: mos7720: fix parport " Jiri Slaby
@ 2017-01-27 10:53 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 107/235] usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL Jiri Slaby
                   ` (130 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:53 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit fde1faf872ed86d88e245191bc15a8e57368cd1c upstream.

A static usb-serial-driver structure that is used to initialise the
interrupt URB was modified during probe depending on the currently
probed device type, something which could break a parallel probe of a
device of a different type.

Fix this up by overriding the default completion callback for MCS7715
devices in attach() instead. We may want to use two usb-serial driver
instances for the two types later.

Fixes: fb088e335d78 ("USB: serial: add support for serial port on the moschip 7715")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/mos7720.c | 30 +++++++-----------------------
 1 file changed, 7 insertions(+), 23 deletions(-)

diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index ea0ef552f445..c5274908ea92 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -66,8 +66,6 @@ struct moschip_port {
 	struct urb		*write_urb_pool[NUM_URBS];
 };
 
-static struct usb_serial_driver moschip7720_2port_driver;
-
 #define USB_VENDOR_ID_MOSCHIP		0x9710
 #define MOSCHIP_DEVICE_ID_7720		0x7720
 #define MOSCHIP_DEVICE_ID_7715		0x7715
@@ -966,25 +964,6 @@ static void mos7720_bulk_out_data_callback(struct urb *urb)
 		tty_port_tty_wakeup(&mos7720_port->port->port);
 }
 
-/*
- * mos77xx_probe
- *	this function installs the appropriate read interrupt endpoint callback
- *	depending on whether the device is a 7720 or 7715, thus avoiding costly
- *	run-time checks in the high-frequency callback routine itself.
- */
-static int mos77xx_probe(struct usb_serial *serial,
-			 const struct usb_device_id *id)
-{
-	if (id->idProduct == MOSCHIP_DEVICE_ID_7715)
-		moschip7720_2port_driver.read_int_callback =
-			mos7715_interrupt_callback;
-	else
-		moschip7720_2port_driver.read_int_callback =
-			mos7720_interrupt_callback;
-
-	return 0;
-}
-
 static int mos77xx_calc_num_ports(struct usb_serial *serial)
 {
 	u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
@@ -1945,6 +1924,12 @@ static int mos7720_startup(struct usb_serial *serial)
 			tmp->interrupt_in_endpointAddress;
 		serial->port[1]->interrupt_in_urb = NULL;
 		serial->port[1]->interrupt_in_buffer = NULL;
+
+		if (serial->port[0]->interrupt_in_urb) {
+			struct urb *urb = serial->port[0]->interrupt_in_urb;
+
+			urb->complete = mos7715_interrupt_callback;
+		}
 	}
 
 	/* setting configuration feature to one */
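
Review bot: the urb->complete override is skipped silently when serial->port[0]->interrupt_in_urb is NULL, and nothing at the assignment says that it replaces the driver default installed through .read_int_callback. A one-line comment there would take over the job of the removed "dynamically assigned in probe()" remark. If a 7715 without an interrupt-in URB is not a supported configuration, failing attach at this point is clearer than continuing with no callback change.
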
@@ -2058,7 +2043,6 @@ static struct usb_serial_driver moschip7720_2port_driver = {
 	.close			= mos7720_close,
 	.throttle		= mos7720_throttle,
 	.unthrottle		= mos7720_unthrottle,
-	.probe			= mos77xx_probe,
 	.attach			= mos7720_startup,
 	.release		= mos7720_release,
 	.port_probe		= mos7720_port_probe,
@@ -2072,7 +2056,7 @@ static struct usb_serial_driver moschip7720_2port_driver = {
 	.chars_in_buffer	= mos7720_chars_in_buffer,
 	.break_ctl		= mos7720_break,
 	.read_bulk_callback	= mos7720_bulk_in_callback,
-	.read_int_callback	= NULL  /* dynamically assigned in probe() */
+	.read_int_callback	= mos7720_interrupt_callback,
 };
 
 static struct usb_serial_driver * const serial_drivers[] = {
-- 
2.11.0


* [PATCH 3.12 107/235] usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (105 preceding siblings ...)
  2017-01-27 10:53 ` [PATCH 3.12 106/235] USB: serial: mos7720: fix parallel probe Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 108/235] usb: dwc3: pci: add Intel Gemini Lake PCI ID Jiri Slaby
                   ` (129 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dan Carpenter, Mathias Nyman, Jiri Slaby

From: Dan Carpenter <dan.carpenter@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c95a9f83711bf53faeb4ed9bbb63a3f065613dfb upstream.

We normally use the passed in gfp flags for allocations, it's just these
two which were missed.

Fixes: 22d45f01a836 ("usb/xhci: replace pci_*_consistent() with dma_*_coherent()")
Cc: Mathias Nyman <mathias.nyman@intel.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/xhci-mem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index f2fae31fe79b..34323aa444e3 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -2304,7 +2304,7 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
 	 * "physically contiguous and 64-byte (cache line) aligned".
 	 */
 	xhci->dcbaa = dma_alloc_coherent(dev, sizeof(*xhci->dcbaa), &dma,
-			GFP_KERNEL);
+			flags);
 	if (!xhci->dcbaa)
 		goto fail;
 	memset(xhci->dcbaa, 0, sizeof *(xhci->dcbaa));
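
Review bot: the changelog does not say whether any caller of xhci_mem_init() passes something other than GFP_KERNEL, so it is not clear from the dcbaa allocation change whether replacing GFP_KERNEL with flags fixes a real allocation-context problem or is a consistency cleanup. One sentence on that in the commit message would help stable reviewers judge the backport.
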
@@ -2399,7 +2399,7 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
 
 	xhci->erst.entries = dma_alloc_coherent(dev,
 			sizeof(struct xhci_erst_entry) * ERST_NUM_SEGS, &dma,
-			GFP_KERNEL);
+			flags);
 	if (!xhci->erst.entries)
 		goto fail;
 	xhci_dbg_trace(xhci, trace_xhci_dbg_init,
-- 
2.11.0


* [PATCH 3.12 108/235] usb: dwc3: pci: add Intel Gemini Lake PCI ID
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (106 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 107/235] usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 109/235] usb: musb: Fix trying to free already-free IRQ 4 Jiri Slaby
                   ` (128 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Heikki Krogerus, Felipe Balbi, Jiri Slaby

From: Heikki Krogerus <heikki.krogerus@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8f8983a5683623b62b339d159573f95a1fce44f3 upstream.

Intel Gemini Lake SoC has the same DWC3 as Broxton. Add
the new ID to the supported devices.

Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/dwc3/dwc3-pci.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
index bbdf7a97026f..b4e123152533 100644
--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -37,6 +37,7 @@
 #define PCI_DEVICE_ID_INTEL_BXT_M		0x1aaa
 #define PCI_DEVICE_ID_INTEL_APL			0x5aaa
 #define PCI_DEVICE_ID_INTEL_KBP			0xa2b0
+#define PCI_DEVICE_ID_INTEL_GLK			0x31aa
 
 struct dwc3_pci {
 	struct device		*dev;
@@ -205,6 +206,7 @@ static DEFINE_PCI_DEVICE_TABLE(dwc3_pci_id_table) = {
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_BXT_M), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_APL), },
 	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_KBP), },
+	{ PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_GLK), },
 	{  }	/* Terminating Entry */
 };
 MODULE_DEVICE_TABLE(pci, dwc3_pci_id_table);
-- 
2.11.0


* [PATCH 3.12 109/235] usb: musb: Fix trying to free already-free IRQ 4
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (107 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 108/235] usb: dwc3: pci: add Intel Gemini Lake PCI ID Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 110/235] usb: hub: Move hub_port_disable() to fix warning if PM is disabled Jiri Slaby
                   ` (127 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Tony Lindgren, Bin Liu, Jiri Slaby

From: Tony Lindgren <tony@atomide.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8c300fe282fa254ea730c92cb0983e2642dc1fff upstream.

When unloading omap2430, we can get the following splat:

WARNING: CPU: 1 PID: 295 at kernel/irq/manage.c:1478 __free_irq+0xa8/0x2c8
Trying to free already-free IRQ 4
...
[<c01a8b78>] (free_irq) from [<bf0aea84>]
(musbhs_dma_controller_destroy+0x28/0xb0 [musb_hdrc])
[<bf0aea84>] (musbhs_dma_controller_destroy [musb_hdrc]) from
[<bf09f88c>] (musb_remove+0xf0/0x12c [musb_hdrc])
[<bf09f88c>] (musb_remove [musb_hdrc]) from [<c056a384>]
(platform_drv_remove+0x24/0x3c)
...

This is because the irq number in use is 260 nowadays, and the dma
controller is using u8 instead of int.

Fixes: 6995eb68aab7 ("USB: musb: enable low level DMA operation for Blackfin")
Signed-off-by: Tony Lindgren <tony@atomide.com>
[b-liu@ti.com: added Fixes tag]
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/musb/musbhsdma.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/musb/musbhsdma.h b/drivers/usb/musb/musbhsdma.h
index f7b13fd25257..a3dcbd55e436 100644
--- a/drivers/usb/musb/musbhsdma.h
+++ b/drivers/usb/musb/musbhsdma.h
@@ -157,5 +157,5 @@ struct musb_dma_controller {
 	void __iomem			*base;
 	u8				channel_count;
 	u8				used_channels;
-	u8				irq;
+	int				irq;
 };
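
Review bot: widening irq from u8 to int fixes the stored value, but only for this struct member. Any local variable or parameter that carries the IRQ number into struct musb_dma_controller needs the same width, and this hunk does not show them. The changelog would also be easier to follow if it stated that 260 truncated to 8 bits is 4, which is where the "IRQ 4" in the splat comes from.
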
-- 
2.11.0


* [PATCH 3.12 110/235] usb: hub: Move hub_port_disable() to fix warning if PM is disabled
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (108 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 109/235] usb: musb: Fix trying to free already-free IRQ 4 Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 111/235] ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() Jiri Slaby
                   ` (126 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Geert Uytterhoeven, Jiri Slaby

From: Geert Uytterhoeven <geert@linux-m68k.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3bc02bce908c7250781376052248f5cd60a4e3d4 upstream.

If CONFIG_PM=n:

    drivers/usb/core/hub.c:107: warning: ‘hub_usb3_port_prepare_disable’ declared inline after being called
    drivers/usb/core/hub.c:107: warning: previous declaration of ‘hub_usb3_port_prepare_disable’ was here

To fix this, move hub_port_disable() after
hub_usb3_port_prepare_disable(), and adjust forward declarations.

Fixes: 37be66767e3cae4f ("usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/core/hub.c | 60 +++++++++++++++++++++++++-------------------------
 1 file changed, 30 insertions(+), 30 deletions(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 2b11c552a909..770cea7de0ec 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -115,8 +115,7 @@ EXPORT_SYMBOL_GPL(ehci_cf_port_reset_rwsem);
 
 static int usb_reset_and_verify_device(struct usb_device *udev);
 static void hub_release(struct kref *kref);
-static void hub_usb3_port_prepare_disable(struct usb_hub *hub,
-					  struct usb_port *port_dev);
+static int hub_port_disable(struct usb_hub *hub, int port1, int set_state);
 
 static inline char *portspeed(struct usb_hub *hub, int portstatus)
 {
@@ -880,34 +879,6 @@ static int hub_set_port_link_state(struct usb_hub *hub, int port1,
 }
 
 /*
- * USB-3 does not have a similar link state as USB-2 that will avoid negotiating
- * a connection with a plugged-in cable but will signal the host when the cable
- * is unplugged. Disable remote wake and set link state to U3 for USB-3 devices
- */
-static int hub_port_disable(struct usb_hub *hub, int port1, int set_state)
-{
-	struct usb_device *hdev = hub->hdev;
-	int ret = 0;
-
-	if (!hub->error) {
-		if (hub_is_superspeed(hub->hdev)) {
-			hub_usb3_port_prepare_disable(hub, hub->ports[port1 - 1]);
-			ret = hub_set_port_link_state(hub, hub->ports[port1 - 1]->portnum,
-						      USB_SS_PORT_LS_U3);
-		} else {
-			ret = usb_clear_port_feature(hdev, port1,
-					USB_PORT_FEAT_ENABLE);
-		}
-	}
-	if (hub->ports[port1 - 1]->child && set_state)
-		usb_set_device_state(hub->ports[port1 - 1]->child, USB_STATE_NOTATTACHED);
-	if (ret && ret != -ENODEV)
-		dev_err(hub->intfdev, "cannot disable port %d (err = %d)\n",
-				port1, ret);
-	return ret;
-}
-
-/*
  * Disable a port and mark a logical connect-change event, so that some
  * time later khubd will disconnect() any existing usb_device on the port
  * and will re-enumerate if there actually is a device attached.
@@ -3891,6 +3862,35 @@ EXPORT_SYMBOL_GPL(usb_enable_ltm);
 
 #endif	/* CONFIG_PM */
 
+/*
+ * USB-3 does not have a similar link state as USB-2 that will avoid negotiating
+ * a connection with a plugged-in cable but will signal the host when the cable
+ * is unplugged. Disable remote wake and set link state to U3 for USB-3 devices
+ */
+static int hub_port_disable(struct usb_hub *hub, int port1, int set_state)
+{
+	struct usb_port *port_dev = hub->ports[port1 - 1];
+	struct usb_device *hdev = hub->hdev;
+	int ret = 0;
+
+	if (!hub->error) {
+		if (hub_is_superspeed(hub->hdev)) {
+			hub_usb3_port_prepare_disable(hub, port_dev);
+			ret = hub_set_port_link_state(hub, port_dev->portnum,
+						      USB_SS_PORT_LS_U3);
+		} else {
+			ret = usb_clear_port_feature(hdev, port1,
+					USB_PORT_FEAT_ENABLE);
+		}
+	}
+	if (port_dev->child && set_state)
+		usb_set_device_state(port_dev->child, USB_STATE_NOTATTACHED);
+	if (ret && ret != -ENODEV)
+		dev_err(hub->intfdev, "cannot disable port %d (err = %d)\n",
+				port1, ret);
+	return ret;
+}
+
 
 /* USB 2.0 spec, 7.1.7.3 / fig 7-29:
  *
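
Review bot: the re-added hub_port_disable() is not a pure move. It introduces a port_dev local and uses it in place of the repeated hub->ports[port1 - 1], which the changelog does not mention. For a stable backport, either say so in the commit message or keep the body identical to the removed one. The hunk also leaves two consecutive blank lines after the closing brace.
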
-- 
2.11.0


* [PATCH 3.12 111/235] ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (109 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 110/235] usb: hub: Move hub_port_disable() to fix warning if PM is disabled Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 112/235] USB: serial: kl5kusb105: abort on open exception path Jiri Slaby
                   ` (125 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Takashi Iwai, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 4763601a56f155ddf94ef35fc2c41504a2de15f5 upstream.

The function returns -EINVAL even if it builds the stream properly.
The bogus error code sneaked in during the code refactoring, but it
wasn't noticed until now since the returned error code itself is
ignored anyway.  Kill it here, but there is no behavior change by
this patch, obviously.

Fixes: e5779998bf8b ('ALSA: usb-audio: refactor code')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 sound/usb/card.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sound/usb/card.c b/sound/usb/card.c
index 96a09226be7d..96a429945e3a 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -205,7 +205,6 @@ static int snd_usb_create_stream(struct snd_usb_audio *chip, int ctrlif, int int
 	if (! snd_usb_parse_audio_interface(chip, interface)) {
 		usb_set_interface(dev, interface, 0); /* reset the current interface */
 		usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L);
-		return -EINVAL;
 	}
 
 	return 0;
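
Review bot: with the return -EINVAL gone, both outcomes of the "if (! snd_usb_parse_audio_interface(chip, interface))" test reach return 0, and the negation makes the success branch easy to misread as the error branch. A short comment stating that a zero return from snd_usb_parse_audio_interface() means the stream was built, and that the interface is claimed in that case, would make the intent explicit.
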
-- 
2.11.0


* [PATCH 3.12 112/235] USB: serial: kl5kusb105: abort on open exception path
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (110 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 111/235] ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 113/235] USB: phy: am335x-control: fix device and of_node leaks Jiri Slaby
                   ` (124 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Pan Bian, Johan Hovold, Jiri Slaby

From: Pan Bian <bianpan2016@163.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3c3dd1e058cb01e835dcade4b54a6f13ffaeaf7c upstream.

Function klsi_105_open() calls usb_control_msg() (to "enable read") and
checks its return value. When the return value is unexpected, it only
assigns the error code to the return variable retval, but does not
terminate the exception path. This patch fixes the bug by inserting
"goto err_generic_close;" when the call to usb_control_msg() fails.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Pan Bian <bianpan2016@163.com>
[johan: rebase on prerequisite fix and amend commit message]
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/kl5kusb105.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/serial/kl5kusb105.c b/drivers/usb/serial/kl5kusb105.c
index 70e163d21e9a..69eb056dd6ea 100644
--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -319,6 +319,7 @@ static int  klsi_105_open(struct tty_struct *tty, struct usb_serial_port *port)
 	if (rc < 0) {
 		dev_err(&port->dev, "Enabling read failed (error = %d)\n", rc);
 		retval = rc;
+		goto err_generic_close;
 	} else
 		dev_dbg(&port->dev, "%s - enabled reading\n", __func__);
 
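
Review bot: the "if (rc < 0)" branch now ends in goto err_generic_close, so the else in front of the dev_dbg() is redundant, and the statement mixes a braced branch with an unbraced one. Drop the else, or brace it, so the success path reads as straight-line code.
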
@@ -345,6 +346,7 @@ err_disable_read:
 			     0, /* index */
 			     NULL, 0,
 			     KLSI_TIMEOUT);
+err_generic_close:
 	usb_serial_generic_close(port);
 err_free_cfg:
 	kfree(cfg);
-- 
2.11.0


* [PATCH 3.12 113/235] USB: phy: am335x-control: fix device and of_node leaks
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (111 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 112/235] USB: serial: kl5kusb105: abort on open exception path Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 114/235] USB: serial: io_ti: bind to interface after fw download Jiri Slaby
                   ` (123 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Felipe Balbi, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 015105b12183556771e111e93f5266851e7c5582 upstream.

Make sure to drop the references taken by of_parse_phandle() and
bus_find_device() before returning from am335x_get_phy_control().

Note that there is no guarantee that the devres-managed struct
phy_control will be valid for the lifetime of the sibling phy device
regardless of this change.

Fixes: 3bb869c8b3f1 ("usb: phy: Add AM335x PHY driver")
Acked-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/phy/phy-am335x-control.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/phy/phy-am335x-control.c b/drivers/usb/phy/phy-am335x-control.c
index 22cf07d62e4c..0b8efff8524c 100644
--- a/drivers/usb/phy/phy-am335x-control.c
+++ b/drivers/usb/phy/phy-am335x-control.c
@@ -85,7 +85,9 @@ struct phy_control *am335x_get_phy_control(struct device *dev)
 		return NULL;
 
 	dev = bus_find_device(&platform_bus_type, NULL, node, match);
+	of_node_put(node);
 	ctrl_usb = dev_get_drvdata(dev);
+	put_device(dev);
 	if (!ctrl_usb)
 		return NULL;
 	return &ctrl_usb->phy_ctrl;
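
Review bot: dev is passed to dev_get_drvdata() without a check that bus_find_device() found anything, and after put_device(dev) the function still returns &ctrl_usb->phy_ctrl, a pointer into that device's driver data with no reference held. The changelog acknowledges that the lifetime is not guaranteed. A comment at the return saying so, plus an explicit NULL check on dev, would keep the next reader from assuming the pointer is pinned.
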
-- 
2.11.0


* [PATCH 3.12 114/235] USB: serial: io_ti: bind to interface after fw download
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (112 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 113/235] USB: phy: am335x-control: fix device and of_node leaks Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 115/235] staging: iio: ad7606: fix improper setting of oversampling pins Jiri Slaby
                   ` (122 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e35d6d7c4e6532a89732cf4bace0e910ee684c88 upstream.

Bind to the interface, but do not register any ports, after having
downloaded the firmware. The device will still disconnect and
re-enumerate, but this way we avoid an error message from being logged
as part of the process:

io_ti: probe of 1-1.3:1.0 failed with error -5

Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/io_ti.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/usb/serial/io_ti.c b/drivers/usb/serial/io_ti.c
index 19cf36853e96..d569d773e1ce 100644
--- a/drivers/usb/serial/io_ti.c
+++ b/drivers/usb/serial/io_ti.c
@@ -1390,8 +1390,7 @@ static int download_fw(struct edgeport_serial *serial)
 
 		dev_dbg(dev, "%s - Download successful -- Device rebooting...\n", __func__);
 
-		/* return an error on purpose */
-		return -ENODEV;
+		return 1;
 	}
 
 stayinbootmode:
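
Review bot: "return 1;" replaces a commented error return with a bare positive value and no explanation. Add a comment that a positive return from download_fw() means the firmware was downloaded and the driver should bind to the interface without registering any ports, as the changelog describes. The caller's handling of that value is not part of this patch as shown, so it is worth confirming that the 3.12 tree treats a positive return that way.
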
-- 
2.11.0


* [PATCH 3.12 115/235] staging: iio: ad7606: fix improper setting of oversampling pins
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (113 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 114/235] USB: serial: io_ti: bind to interface after fw download Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 116/235] usb: dwc3: gadget: always unmap EP0 requests Jiri Slaby
                   ` (121 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Eva Rachel Retuya, Jonathan Cameron, Jiri Slaby

From: Eva Rachel Retuya <eraretuya@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b321a38d2407c7e425c54bc09be909a34e49f740 upstream.

The oversampling ratio is controlled using the oversampling pins,
OS [2:0] with OS2 being the MSB control bit, and OS0 the LSB control
bit.

The gpio connected to the OS2 pin is not being set correctly, only OS0
and OS1 pins are being set. Fix the typo to allow proper control of the
oversampling pins.

Signed-off-by: Eva Rachel Retuya <eraretuya@gmail.com>
Fixes: b9618c0 ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4")
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/staging/iio/adc/ad7606_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/iio/adc/ad7606_core.c b/drivers/staging/iio/adc/ad7606_core.c
index 72868ceda360..740a8eab262a 100644
--- a/drivers/staging/iio/adc/ad7606_core.c
+++ b/drivers/staging/iio/adc/ad7606_core.c
@@ -189,7 +189,7 @@ static ssize_t ad7606_store_oversampling_ratio(struct device *dev,
 	mutex_lock(&indio_dev->mlock);
 	gpio_set_value(st->pdata->gpio_os0, (ret >> 0) & 1);
 	gpio_set_value(st->pdata->gpio_os1, (ret >> 1) & 1);
-	gpio_set_value(st->pdata->gpio_os1, (ret >> 2) & 1);
+	gpio_set_value(st->pdata->gpio_os2, (ret >> 2) & 1);
 	st->oversampling = lval;
 	mutex_unlock(&indio_dev->mlock);
 
-- 
2.11.0


* [PATCH 3.12 116/235] usb: dwc3: gadget: always unmap EP0 requests
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (114 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 115/235] staging: iio: ad7606: fix improper setting of oversampling pins Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 117/235] cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected Jiri Slaby
                   ` (120 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Felipe Balbi, Jiri Slaby

From: Felipe Balbi <felipe.balbi@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d62145929992f331fdde924d5963ab49588ccc7d upstream.

commit 0416e494ce7d ("usb: dwc3: ep0: correct cache
sync issue in case of ep0_bounced") introduced a bug
where we would leak DMA resources which would cause
us to starve the system of them resulting in failing
DMA transfers.

Fix the bug by making sure that we always unmap EP0
requests since those are *always* mapped.

Fixes: 0416e494ce7d ("usb: dwc3: ep0: correct cache
	sync issue in case of ep0_bounced")
Tested-by: Tomasz Medrek <tomaszx.medrek@intel.com>
Reported-by: Janusz Dziedzic <januszx.dziedzic@linux.intel.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/dwc3/gadget.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index af03ea2c9c78..f4a36f4669bb 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -245,11 +245,11 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req,
 	if (req->request.status == -EINPROGRESS)
 		req->request.status = status;
 
-	if (dwc->ep0_bounced && dep->number == 0)
+	if (dwc->ep0_bounced && dep->number <= 1)
 		dwc->ep0_bounced = false;
-	else
-		usb_gadget_unmap_request(&dwc->gadget, &req->request,
-				req->direction);
+
+	usb_gadget_unmap_request(&dwc->gadget, &req->request,
+			req->direction);
 
 	dev_dbg(dwc->dev, "request %p from %s completed %d/%d ===> %d\n",
 			req, dep->name, req->request.actual,
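
Review bot: the ep0_bounced test changes from dep->number == 0 to dep->number <= 1, and the changelog only talks about always unmapping. Say in a comment or in the commit message why endpoint number 1 is now treated like 0 here, since that is a second behavior change riding along with the removal of the else.
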
-- 
2.11.0


* [PATCH 3.12 117/235] cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (115 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 116/235] usb: dwc3: gadget: always unmap EP0 requests Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 118/235] hwmon: (ds620) Fix overflows seen when writing temperature limits Jiri Slaby
                   ` (119 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Guenter Roeck, Jesper Nilsson, Jiri Slaby

From: Guenter Roeck <linux@roeck-us.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 328cf6927bb72cadefddebbc9a23c793108147a2 upstream.

If CONFIG_ETRAX_AXISFLASHMAP is not configured, the flash rescue image
object file is empty. With recent versions of binutils, this results
in the following build error.

cris-linux-objcopy: error:
	the input file 'arch/cris/boot/rescue/rescue.o' has no sections

This is seen, for example, when trying to build cris:allnoconfig
with recently generated toolchains.

Since it does not make sense to build a flash rescue image if there is
no flash, only build it if CONFIG_ETRAX_AXISFLASHMAP is enabled.

Reported-by: kbuild test robot <fengguang.wu@intel.com>
Fixes: 66ab3a74c5ce ("CRIS: Merge machine dependent boot/compressed ..")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/cris/boot/rescue/Makefile | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/cris/boot/rescue/Makefile b/arch/cris/boot/rescue/Makefile
index 52bd0bd1dd22..d98edbb30a18 100644
--- a/arch/cris/boot/rescue/Makefile
+++ b/arch/cris/boot/rescue/Makefile
@@ -10,6 +10,9 @@
 
 asflags-y += $(LINUXINCLUDE)
 ccflags-y += -O2 $(LINUXINCLUDE)
+
+ifdef CONFIG_ETRAX_AXISFLASHMAP
+
 arch-$(CONFIG_ETRAX_ARCH_V10) = v10
 arch-$(CONFIG_ETRAX_ARCH_V32) = v32
 
@@ -28,6 +31,11 @@ $(obj)/rescue.bin: $(obj)/rescue.o FORCE
 	$(call if_changed,objcopy)
 	cp -p $(obj)/rescue.bin $(objtree)
 
+else
+$(obj)/rescue.bin:
+
+endif
+
 $(obj)/testrescue.bin: $(obj)/testrescue.o
 	$(OBJCOPY) $(OBJCOPYFLAGS) $(obj)/testrescue.o tr.bin
 # Pad it to 784 bytes
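
Review bot: the empty "$(obj)/rescue.bin:" rule in the else branch has no recipe and no comment, so anything that depends on rescue.bin succeeds without the file ever being created. A one-line comment saying the target is intentionally a no-op when CONFIG_ETRAX_AXISFLASHMAP is unset would help, as would tagging the "endif" with the symbol name, since the matching "ifdef" sits in the previous hunk. The testrescue.bin rule stays outside the conditional; worth confirming that is intended.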
-- 
2.11.0


* [PATCH 3.12 118/235] hwmon: (ds620) Fix overflows seen when writing temperature limits
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (116 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 117/235] cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 119/235] hwmon: (g762) Fix overflows and crash seen when writing limit attributes Jiri Slaby
                   ` (118 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Guenter Roeck, Jiri Slaby

From: Guenter Roeck <linux@roeck-us.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e36ce99ee0815d7919a7b589bfb66f3de50b6bc7 upstream.

Module test reports:

temp1_max: Suspected overflow: [160000 vs. 0]
temp1_min: Suspected overflow: [160000 vs. 0]

This is seen because the values passed when writing temperature limits
are unbound.

Reviewed-by: Jean Delvare <jdelvare@suse.de>
Fixes: 6099469805c2 ("hwmon: Support for Dallas Semiconductor DS620")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/hwmon/ds620.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hwmon/ds620.c b/drivers/hwmon/ds620.c
index 0918b9136588..2a50ab613238 100644
--- a/drivers/hwmon/ds620.c
+++ b/drivers/hwmon/ds620.c
@@ -166,7 +166,7 @@ static ssize_t set_temp(struct device *dev, struct device_attribute *da,
 	if (res)
 		return res;
 
-	val = (val * 10 / 625) * 8;
+	val = (clamp_val(val, -128000, 128000) * 10 / 625) * 8;
 
 	mutex_lock(&data->update_lock);
 	data->temp[attr->index] = val;
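
Review bot: the clamp limits -128000 and 128000 in set_temp() are bare magic numbers with no comment tying them to the sensor's range or to the register format that the following "* 10 / 625) * 8" conversion targets. Named constants, or a short comment giving the unit (presumably millidegrees Celsius, as for other hwmon temperature attributes), would let a reader check that the clamped value cannot overflow the conversion or the data->temp[] element it is stored in, whose type is not visible in this hunk.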
-- 
2.11.0


* [PATCH 3.12 119/235] hwmon: (g762) Fix overflows and crash seen when writing limit attributes
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (117 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 118/235] hwmon: (ds620) Fix overflows seen when writing temperature limits Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 120/235] clk: clk-wm831x: fix a logic error Jiri Slaby
                   ` (117 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Guenter Roeck, Arnaud Ebalard, Jiri Slaby

From: Guenter Roeck <linux@roeck-us.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 4fccd4a1e8944033bcd7693ea4e8fb478cd2059a upstream.

Fix overflows seen when writing into fan speed limit attributes.
Also fix crash due to division by zero, seen when certain very
large values (such as 2147483648, or 0x80000000) are written
into fan speed limit attributes.

Fixes: 594fbe713bf60 ("Add support for GMT G762/G763 PWM fan controllers")
Cc: Arnaud Ebalard <arno@natisbad.org>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/hwmon/g762.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/hwmon/g762.c b/drivers/hwmon/g762.c
index b4b8b5bef718..3bc0e8224b33 100644
--- a/drivers/hwmon/g762.c
+++ b/drivers/hwmon/g762.c
@@ -193,14 +193,17 @@ static inline unsigned int rpm_from_cnt(u8 cnt, u32 clk_freq, u16 p,
  * Convert fan RPM value from sysfs into count value for fan controller
  * register (FAN_SET_CNT).
  */
-static inline unsigned char cnt_from_rpm(u32 rpm, u32 clk_freq, u16 p,
+static inline unsigned char cnt_from_rpm(unsigned long rpm, u32 clk_freq, u16 p,
 					 u8 clk_div, u8 gear_mult)
 {
-	if (!rpm)         /* to stop the fan, set cnt to 255 */
+	unsigned long f1 = clk_freq * 30 * gear_mult;
+	unsigned long f2 = p * clk_div;
+
+	if (!rpm)	/* to stop the fan, set cnt to 255 */
 		return 0xff;
 
-	return clamp_val(((clk_freq * 30 * gear_mult) / (rpm * p * clk_div)),
-			 0, 255);
+	rpm = clamp_val(rpm, f1 / (255 * f2), ULONG_MAX / f2);
+	return DIV_ROUND_CLOSEST(f1, rpm * f2);
 }
 
 /* helper to grab and cache data, at most one time per second */
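
Review bot: in cnt_from_rpm(), "unsigned long f1 = clk_freq * 30 * gear_mult;" still performs the multiplication in 32 bits (clk_freq is u32) and only widens the result afterwards, so the wider type does not protect against overflow on 64-bit builds; cast clk_freq to unsigned long first if that is the intent. f2 = p * clk_div is then used as a divisor in both clamp bounds with no check that it is non-zero, so the function relies on callers never passing p or clk_div as 0, which deserves a comment or a guard. Finally, the lower clamp bound f1 / (255 * f2) is rounded down and the result of DIV_ROUND_CLOSEST() is returned as unsigned char without a final clamp to 255, so a quotient above 255 would be truncated silently.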
-- 
2.11.0


* [PATCH 3.12 120/235] clk: clk-wm831x: fix a logic error
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (118 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 119/235] hwmon: (g762) Fix overflows and crash seen when writing limit attributes Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 121/235] iommu/amd: Fix the left value check of cmd buffer Jiri Slaby
                   ` (116 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Pan Bian, Stephen Boyd, Jiri Slaby

From: Pan Bian <bianpan2016@163.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 20979202ee6e4c68dab7bcf408787225a656d18e upstream.

Fix bug https://bugzilla.kernel.org/show_bug.cgi?id=188561. Function
wm831x_clkout_is_prepared() returns "true" when it fails to read
CLOCK_CONTROL_1. "true" means the device is already prepared. So
returning "true" on the read failure seems improper.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Fixes: f05259a6ffa4 ("clk: wm831x: Add initial WM831x clock driver")
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/clk/clk-wm831x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/clk/clk-wm831x.c b/drivers/clk/clk-wm831x.c
index 805b4c344006..ee5f2c985f4d 100644
--- a/drivers/clk/clk-wm831x.c
+++ b/drivers/clk/clk-wm831x.c
@@ -248,7 +248,7 @@ static int wm831x_clkout_is_prepared(struct clk_hw *hw)
 	if (ret < 0) {
 		dev_err(wm831x->dev, "Unable to read CLOCK_CONTROL_1: %d\n",
 			ret);
-		return true;
+		return false;
 	}
 
 	return (ret & WM831X_CLKOUT_ENA) != 0;
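
Review bot: wm831x_clkout_is_prepared() is declared to return int but the error path returns the bool literal false (previously true); "return 0;" would match the signature. The read error is still only logged and then reported as "not prepared", so a short comment stating that a failed read of CLOCK_CONTROL_1 is deliberately treated as unprepared would document the choice.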
-- 
2.11.0


* [PATCH 3.12 121/235] iommu/amd: Fix the left value check of cmd buffer
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (119 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 120/235] clk: clk-wm831x: fix a logic error Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 122/235] scsi: mvsas: fix command_active typo Jiri Slaby
                   ` (115 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Huang Rui, Joerg Roedel, Jiri Slaby

From: Huang Rui <ray.huang@amd.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 432abf68a79332282329286d190e21fe3ac02a31 upstream.

The generic command buffer entry is 128 bits (16 bytes), so the offset
of tail and head pointer should be 16 bytes aligned and increased with
0x10 per command.

When cmd buf is full, head = (tail + 0x10) % CMD_BUFFER_SIZE.

So when the space left in the cmd buf is able to store only two
commands, we should issue one additional COMPLETE_WAIT to wait for
all older commands to complete. Then the left space should be increased
after the IOMMU fetches from the cmd buf.

So left check value should be left <= 0x20 (two commands).

Signed-off-by: Huang Rui <ray.huang@amd.com>
Fixes: ac0ea6e92b222 ('x86/amd-iommu: Improve handling of full command buffer')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/iommu/amd_iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
index 71f9cd108590..557824a7e5b8 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -1044,7 +1044,7 @@ again:
 	next_tail = (tail + sizeof(*cmd)) % iommu->cmd_buf_size;
 	left      = (head - next_tail) % iommu->cmd_buf_size;
 
-	if (left <= 2) {
+	if (left <= 0x20) {
 		struct iommu_cmd sync_cmd;
 		volatile u64 sem = 0;
 		int ret;
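
Review bot: the new threshold 0x20 is a magic number that encodes "two commands" while the line above already uses sizeof(*cmd) for the entry size. Writing the check as "left <= 2 * sizeof(*cmd)", or via a named constant, keeps it correct if the entry size changes and makes the unit (bytes rather than entries) obvious, which is exactly what the old "left <= 2" got wrong.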
-- 
2.11.0


* [PATCH 3.12 122/235] scsi: mvsas: fix command_active typo
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (120 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 121/235] iommu/amd: Fix the left value check of cmd buffer Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 123/235] target/iscsi: Fix double free in lio_target_tiqn_addtpg() Jiri Slaby
                   ` (114 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Arnd Bergmann, Martin K . Petersen, Jiri Slaby

From: Arnd Bergmann <arnd@arndb.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit af15769ffab13d777e55fdef09d0762bf0c249c4 upstream.

gcc-7 notices that the condition in mvs_94xx_command_active looks
suspicious:

drivers/scsi/mvsas/mv_94xx.c: In function 'mvs_94xx_command_active':
drivers/scsi/mvsas/mv_94xx.c:671:15: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context]

This was introduced when the mv_printk() statement got added, and leads
to the condition being ignored. This is probably harmless.

Changing '&&' to '&' makes the code look reasonable, as we check the
command bit before setting and printing it.

Fixes: a4632aae8b66 ("[SCSI] mvsas: Add new macros and functions")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/scsi/mvsas/mv_94xx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/mvsas/mv_94xx.c b/drivers/scsi/mvsas/mv_94xx.c
index 1e4479f3331a..55716c5184f7 100644
--- a/drivers/scsi/mvsas/mv_94xx.c
+++ b/drivers/scsi/mvsas/mv_94xx.c
@@ -621,7 +621,7 @@ static void mvs_94xx_command_active(struct mvs_info *mvi, u32 slot_idx)
 {
 	u32 tmp;
 	tmp = mvs_cr32(mvi, MVS_COMMAND_ACTIVE+(slot_idx >> 3));
-	if (tmp && 1 << (slot_idx % 32)) {
+	if (tmp & 1 << (slot_idx % 32)) {
 		mv_printk("command active %08X,  slot [%x].\n", tmp, slot_idx);
 		mvs_cw32(mvi, MVS_COMMAND_ACTIVE + (slot_idx >> 3),
 			1 << (slot_idx % 32));
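
Review bot: "tmp & 1 << (slot_idx % 32)" in the if condition relies on << binding tighter than &, which is correct but is the same kind of unparenthesised expression that hid the original typo; parenthesise the mask. The literal 1 is a signed int, so the shift is undefined when the bit index is 31; "1U << (slot_idx % 32)" or BIT(slot_idx % 32) avoids that. The same mask is repeated in the mvs_cw32() call, so a local variable would serve both places.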
-- 
2.11.0


* [PATCH 3.12 123/235] target/iscsi: Fix double free in lio_target_tiqn_addtpg()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (121 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 122/235] scsi: mvsas: fix command_active typo Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 124/235] mmc: mmc_test: Uninitialized return value Jiri Slaby
                   ` (113 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dan Carpenter, Bart Van Assche, Jiri Slaby

From: Dan Carpenter <dan.carpenter@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit a91918cd3ea11f91c68e08e1e8ce1b560447a80e upstream.

This iscsit_tpg_add_portal_group() function is only called from
lio_target_tiqn_addtpg().  Both functions free the "tpg" pointer on
error so it's a double free bug.  The memory is allocated in the caller
so it should be freed in the caller and not here.

Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: David Disseldorp <ddiss@suse.de>
[ bvanassche: Added "Fix" at start of patch title ]
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/target/iscsi/iscsi_target_tpg.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/target/iscsi/iscsi_target_tpg.c b/drivers/target/iscsi/iscsi_target_tpg.c
index b713d63a86f7..ed4ea4ef1420 100644
--- a/drivers/target/iscsi/iscsi_target_tpg.c
+++ b/drivers/target/iscsi/iscsi_target_tpg.c
@@ -258,7 +258,6 @@ err_out:
 		iscsi_release_param_list(tpg->param_list);
 		tpg->param_list = NULL;
 	}
-	kfree(tpg);
 	return -ENOMEM;
 }
 
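Review bot: with kfree(tpg) gone, the err_out path now returns -ENOMEM while leaving tpg allocated, and nothing in the function says that the caller owns and frees it. A comment at err_out (or in the function header) stating that lio_target_tiqn_addtpg() is responsible for freeing tpg would keep the next editor from reintroducing the free or from adding a second caller that leaks. The path also still clears tpg->param_list, so the caller must not touch that field before freeing.
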
-- 
2.11.0


* [PATCH 3.12 124/235] mmc: mmc_test: Uninitialized return value
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (122 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 123/235] target/iscsi: Fix double free in lio_target_tiqn_addtpg() Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 125/235] md: MD_RECOVERY_NEEDED is set for mddev->recovery Jiri Slaby
                   ` (112 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dan Carpenter, Ulf Hansson, Jiri Slaby

From: Dan Carpenter <dan.carpenter@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 16652a936e96f5dae53c3fbd38a570497baadaa8 upstream.

We never set "ret" to RESULT_OK.

Fixes: 9f9c4180f88d ("mmc: mmc_test: add test for non-blocking transfers")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/mmc/card/mmc_test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mmc/card/mmc_test.c b/drivers/mmc/card/mmc_test.c
index 0c0fc52d42c5..b2ef5f2b4c53 100644
--- a/drivers/mmc/card/mmc_test.c
+++ b/drivers/mmc/card/mmc_test.c
@@ -795,7 +795,7 @@ static int mmc_test_nonblock_transfer(struct mmc_test_card *test,
 	struct mmc_async_req *cur_areq = &test_areq[0].areq;
 	struct mmc_async_req *other_areq = &test_areq[1].areq;
 	int i;
-	int ret;
+	int ret = RESULT_OK;
 
 	test_areq[0].test = test;
 	test_areq[1].test = test;
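
Review bot: initialising ret at its declaration in mmc_test_nonblock_transfer() fixes the uninitialised return but also suppresses the compiler's maybe-uninitialized warning for every future path through the function. If only the success path lacked an assignment, setting "ret = RESULT_OK;" at that point would keep the warning useful; the rest of the function is not visible in this hunk, so this needs checking against the full body.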
-- 
2.11.0


* [PATCH 3.12 125/235] md: MD_RECOVERY_NEEDED is set for mddev->recovery
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (123 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 124/235] mmc: mmc_test: Uninitialized return value Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 126/235] powerpc/pci/rpadlpar: Fix device reference leaks Jiri Slaby
                   ` (111 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Shaohua Li, Jiri Slaby

From: Shaohua Li <shli@fb.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 82a301cb0ea2df8a5c88213094a01660067c7fb4 upstream.

Fixes: 90f5f7ad4f38("md: Wait for md_check_recovery before attempting device
removal.")

Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/md/md.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/md/md.c b/drivers/md/md.c
index 81bf511b3182..87e8cd29ca5f 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -6431,7 +6431,7 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
 		/* need to ensure recovery thread has run */
 		wait_event_interruptible_timeout(mddev->sb_wait,
 						 !test_bit(MD_RECOVERY_NEEDED,
-							   &mddev->flags),
+							   &mddev->recovery),
 						 msecs_to_jiffies(5000));
 	if (cmd == STOP_ARRAY || cmd == STOP_ARRAY_RO) {
 		/* Need to flush page cache, and ensure no-one else opens
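
Review bot: the return value of wait_event_interruptible_timeout() is discarded, so after switching the test to &mddev->recovery the ioctl still carries on identically whether the bit cleared, the 5000 ms timeout expired, or a signal arrived. If proceeding in all three cases is intended, say so in the comment above the call; otherwise check the result and bail out. The commit message also carries only a Fixes: tag and no description of the symptom, which makes the backport harder to assess.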
-- 
2.11.0


* [PATCH 3.12 126/235] powerpc/pci/rpadlpar: Fix device reference leaks
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (124 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 125/235] md: MD_RECOVERY_NEEDED is set for mddev->recovery Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 127/235] cred/userns: define current_user_ns() as a function Jiri Slaby
                   ` (110 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Michael Ellerman, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 99e5cde5eae78bef95bfe7c16ccda87fb070149b upstream.

Make sure to drop any device reference taken by vio_find_node() when
adding and removing virtual I/O slots.

Fixes: 5eeb8c63a38f ("[PATCH] PCI Hotplug: rpaphp: Move VIO registration")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/pci/hotplug/rpadlpar_core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/pci/hotplug/rpadlpar_core.c b/drivers/pci/hotplug/rpadlpar_core.c
index bb7af78e4eed..6a995e0919dd 100644
--- a/drivers/pci/hotplug/rpadlpar_core.c
+++ b/drivers/pci/hotplug/rpadlpar_core.c
@@ -259,8 +259,13 @@ static int dlpar_add_phb(char *drc_name, struct device_node *dn)
 
 static int dlpar_add_vio_slot(char *drc_name, struct device_node *dn)
 {
-	if (vio_find_node(dn))
+	struct vio_dev *vio_dev;
+
+	vio_dev = vio_find_node(dn);
+	if (vio_dev) {
+		put_device(&vio_dev->dev);
 		return -EINVAL;
+	}
 
 	if (!vio_register_device_node(dn)) {
 		printk(KERN_ERR
@@ -336,6 +341,9 @@ static int dlpar_remove_vio_slot(char *drc_name, struct device_node *dn)
 		return -EINVAL;
 
 	vio_unregister_device(vio_dev);
+
+	put_device(&vio_dev->dev);
+
 	return 0;
 }
 
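Review bot: the put_device(&vio_dev->dev) added at the end of dlpar_remove_vio_slot() has no comment saying which reference it drops. Since it follows vio_unregister_device(), a reader can easily take it for a double put; a one-line comment that it releases the reference taken by vio_find_node() would make the pairing explicit, matching the put added in dlpar_add_vio_slot() in the previous hunk.
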
-- 
2.11.0


* [PATCH 3.12 127/235] cred/userns: define current_user_ns() as a function
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (125 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 126/235] powerpc/pci/rpadlpar: Fix device reference leaks Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 128/235] net: ti: cpmac: Fix compiler warning due to type confusion Jiri Slaby
                   ` (109 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Arnd Bergmann, David Howells, Yaowei Bai,
	James Morris, Paul E. McKenney, Andrew Morton, Linus Torvalds,
	Jiri Slaby

From: Arnd Bergmann <arnd@arndb.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 0335695dfa4df01edff5bb102b9a82a0668ee51e upstream.

The current_user_ns() macro currently returns &init_user_ns when user
namespaces are disabled, and that causes several warnings when building
with gcc-6.0 in code that compares the result of the macro to
&init_user_ns itself:

  fs/xfs/xfs_ioctl.c: In function 'xfs_ioctl_setattr_check_projid':
  fs/xfs/xfs_ioctl.c:1249:22: error: self-comparison always evaluates to true [-Werror=tautological-compare]
    if (current_user_ns() == &init_user_ns)

This is a legitimate warning in principle, but here it isn't really
helpful, so I'm rephrasing the definition in a way that shuts up the
warning.  Apparently gcc only warns when comparing identical literals,
but it can figure out that the result of an inline function can be
identical to a constant expression in order to optimize a condition yet
not warn about the fact that the condition is known at compile time.
This is exactly what we want here, and it looks reasonable because we
generally prefer inline functions over macros anyway.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Yaowei Bai <baiyaowei@cmss.chinamobile.com>
Cc: James Morris <james.l.morris@oracle.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/linux/capability.h | 2 --
 include/linux/cred.h       | 5 ++++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index aa93e5ef594c..c2eb39ff1a53 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -40,8 +40,6 @@ struct inode;
 struct dentry;
 struct user_namespace;
 
-struct user_namespace *current_user_ns(void);
-
 extern const kernel_cap_t __cap_empty_set;
 extern const kernel_cap_t __cap_init_eff_set;
 
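Review bot: dropping the "struct user_namespace *current_user_ns(void);" prototype from capability.h means any file that called current_user_ns() with only capability.h included now depends on cred.h arriving through some other include. Worth a build check with CONFIG_USER_NS disabled on the 3.12 tree, since the set of includers there can differ from upstream.
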
diff --git a/include/linux/cred.h b/include/linux/cred.h
index 6c58dd7cb9ac..cd3fb73dc421 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -345,7 +345,10 @@ extern struct user_namespace init_user_ns;
 #ifdef CONFIG_USER_NS
 #define current_user_ns()	(current_cred_xxx(user_ns))
 #else
-#define current_user_ns()	(&init_user_ns)
+static inline struct user_namespace *current_user_ns(void)
+{
+	return &init_user_ns;
+}
 #endif
 
 
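Review bot: after this change current_user_ns() is a macro when CONFIG_USER_NS is set and a static inline function when it is not, and nothing in the #else branch says why the two differ. A short comment that the inline form exists to avoid gcc's tautological-compare warning on comparisons with &init_user_ns would stop someone from converting it back to a macro for symmetry.
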
-- 
2.11.0


* [PATCH 3.12 128/235] net: ti: cpmac: Fix compiler warning due to type confusion
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (126 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 127/235] cred/userns: define current_user_ns() as a function Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 129/235] tick/broadcast: Prevent NULL pointer dereference Jiri Slaby
                   ` (108 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Paul Burton, David S . Miller, Jiri Slaby

From: Paul Burton <paul.burton@imgtec.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 2f5281ba2a8feaf6f0aee93356f350855bb530fc upstream.

cpmac_start_xmit() used the max() macro on skb->len (an unsigned int)
and ETH_ZLEN (a signed int literal). This led to the following compiler
warning:

  In file included from include/linux/list.h:8:0,
                   from include/linux/module.h:9,
                   from drivers/net/ethernet/ti/cpmac.c:19:
  drivers/net/ethernet/ti/cpmac.c: In function 'cpmac_start_xmit':
  include/linux/kernel.h:748:17: warning: comparison of distinct pointer
  types lacks a cast
    (void) (&_max1 == &_max2);  \
                   ^
  drivers/net/ethernet/ti/cpmac.c:560:8: note: in expansion of macro 'max'
    len = max(skb->len, ETH_ZLEN);
          ^

On top of this, it assigned the result of the max() macro to a signed
integer whilst all further uses of it result in it being cast to varying
widths of unsigned integer.

Fix this up by using max_t to ensure the comparison is performed as
unsigned integers, and for consistency change the type of the len
variable to unsigned int.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/ethernet/ti/cpmac.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/ti/cpmac.c b/drivers/net/ethernet/ti/cpmac.c
index 2dc16b6efaf0..97f3e626b535 100644
--- a/drivers/net/ethernet/ti/cpmac.c
+++ b/drivers/net/ethernet/ti/cpmac.c
@@ -557,7 +557,8 @@ fatal_error:
 
 static int cpmac_start_xmit(struct sk_buff *skb, struct net_device *dev)
 {
-	int queue, len;
+	int queue;
+	unsigned int len;
 	struct cpmac_desc *desc;
 	struct cpmac_priv *priv = netdev_priv(dev);
 
@@ -567,7 +568,7 @@ static int cpmac_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	if (unlikely(skb_padto(skb, ETH_ZLEN)))
 		return NETDEV_TX_OK;
 
-	len = max(skb->len, ETH_ZLEN);
+	len = max_t(unsigned int, skb->len, ETH_ZLEN);
 	queue = skb_get_queue_mapping(skb);
 	netif_stop_subqueue(dev, queue);
 
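Review bot: "len = max_t(unsigned int, skb->len, ETH_ZLEN);" comes directly after skb_padto(skb, ETH_ZLEN), and the reason both are needed is not stated: skb_padto() pads the buffer but does not update skb->len, so len has to be raised separately. A one-line comment to that effect would keep the max_t from looking redundant. max_t casts both operands unconditionally; that is safe here only because ETH_ZLEN is a positive constant.
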
-- 
2.11.0


* [PATCH 3.12 129/235] tick/broadcast: Prevent NULL pointer dereference
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (127 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 128/235] net: ti: cpmac: Fix compiler warning due to type confusion Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 130/235] usb: gadget: composite: always set ep->mult to a sensible value Jiri Slaby
                   ` (107 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Thomas Gleixner, Mark Rutland, Anna-Maria Gleixner,
	Richard Cochran, Sebastian Andrzej Siewior, Daniel Lezcano,
	Peter Zijlstra, Sebastian Frias, Thibaud Cornic, Robin Murphy,
	Jiri Slaby

From: Thomas Gleixner <tglx@linutronix.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c1a9eeb938b5433947e5ea22f89baff3182e7075 upstream.

When a dysfunctional timer, e.g. dummy timer, is installed, the tick core
tries to setup the broadcast timer.

If no broadcast device is installed, the kernel crashes with a NULL pointer
dereference in tick_broadcast_setup_oneshot() because the function has no
sanity check.

Reported-by: Mason <slash.tmp@free.fr>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
Cc: Richard Cochran <rcochran@linutronix.de>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: Peter Zijlstra <peterz@infradead.org>,
Cc: Sebastian Frias <sf84@laposte.net>
Cc: Thibaud Cornic <thibaud_cornic@sigmadesigns.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Link: http://lkml.kernel.org/r/1147ef90-7877-e4d2-bb2b-5c4fa8d3144b@free.fr
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 kernel/time/tick-broadcast.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
index 8a95408b1345..f27eb5db3260 100644
--- a/kernel/time/tick-broadcast.c
+++ b/kernel/time/tick-broadcast.c
@@ -778,6 +778,9 @@ void tick_broadcast_setup_oneshot(struct clock_event_device *bc)
 {
 	int cpu = smp_processor_id();
 
+	if (!bc)
+		return;
+
 	/* Set it up only once ! */
 	if (bc->event_handler != tick_handle_oneshot_broadcast) {
 		int was_periodic = bc->mode == CLOCK_EVT_MODE_PERIODIC;
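
Review bot: the new "if (!bc) return;" in tick_broadcast_setup_oneshot() avoids the NULL dereference but returns silently from a void function, so the caller cannot tell that oneshot broadcast was never set up. A comment explaining when bc can legitimately be NULL (no broadcast device installed, per the commit message), and possibly a one-time warning, would make the resulting degraded state visible instead of hiding it.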
-- 
2.11.0


* [PATCH 3.12 130/235] usb: gadget: composite: always set ep->mult to a sensible value
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (128 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 129/235] tick/broadcast: Prevent NULL pointer dereference Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 131/235] netvsc: reduce maximum GSO size Jiri Slaby
                   ` (106 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Felipe Balbi, Jiri Slaby

From: Felipe Balbi <felipe.balbi@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit eaa496ffaaf19591fe471a36cef366146eeb9153 upstream.

ep->mult is supposed to be set to Isochronous and
Interrupt Endpoint's multiplier value. This value
is computed from different places depending on the
link speed.

If we're dealing with HighSpeed, then it's part of
bits [12:11] of wMaxPacketSize. This case wasn't
taken into consideration before.

While at that, also make sure the ep->mult defaults
to one so drivers can use it unconditionally and
assume they'll never multiply ep->maxpacket to zero.

Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/gadget/composite.c | 9 +++++++--
 drivers/usb/gadget/uvc_video.c | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 2bacd2761764..2c0f38811ee7 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -129,7 +129,12 @@ ep_found:
 	_ep->desc = chosen_desc;
 	_ep->comp_desc = NULL;
 	_ep->maxburst = 0;
-	_ep->mult = 0;
+	_ep->mult = 1;
+
+	if (g->speed == USB_SPEED_HIGH && (usb_endpoint_xfer_isoc(_ep->desc) ||
+				usb_endpoint_xfer_int(_ep->desc)))
+		_ep->mult = ((usb_endpoint_maxp(_ep->desc) & 0x1800) >> 11) + 1;
+
 	if (!want_comp_desc)
 		return 0;
 
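Review bot: the mask 0x1800 and the shift by 11 in the new high-speed branch are unexplained magic numbers; the commit message says they select bits [12:11] of wMaxPacketSize, and that belongs in a comment or a named macro next to the expression. The condition also calls three helpers on _ep->desc across a wrapped line; chosen_desc is already at hand two lines above and would read more clearly.
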
@@ -146,7 +151,7 @@ ep_found:
 		switch (usb_endpoint_type(_ep->desc)) {
 		case USB_ENDPOINT_XFER_ISOC:
 			/* mult: bits 1:0 of bmAttributes */
-			_ep->mult = comp_desc->bmAttributes & 0x3;
+			_ep->mult = (comp_desc->bmAttributes & 0x3) + 1;
 		case USB_ENDPOINT_XFER_BULK:
 		case USB_ENDPOINT_XFER_INT:
 			_ep->maxburst = comp_desc->bMaxBurst + 1;
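
Review bot: "case USB_ENDPOINT_XFER_ISOC:" falls through into the BULK/INT case with no fall-through comment, and this patch edits the line directly above the fall-through. Adding "/* fall through */" after the mult assignment would make clear that setting maxburst for isochronous endpoints is intended. The existing comment "mult: bits 1:0 of bmAttributes" should also mention the + 1 that is now applied.
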
diff --git a/drivers/usb/gadget/uvc_video.c b/drivers/usb/gadget/uvc_video.c
index 71e896d4c5ae..43e8c65fd9ed 100644
--- a/drivers/usb/gadget/uvc_video.c
+++ b/drivers/usb/gadget/uvc_video.c
@@ -240,7 +240,7 @@ uvc_video_alloc_requests(struct uvc_video *video)
 
 	req_size = video->ep->maxpacket
 		 * max_t(unsigned int, video->ep->maxburst, 1)
-		 * (video->ep->mult + 1);
+		 * (video->ep->mult);
 
 	for (i = 0; i < UVC_NUM_REQUESTS; ++i) {
 		video->req_buffer[i] = kmalloc(req_size, GFP_KERNEL);
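
Review bot: "(video->ep->mult)" now assumes mult is at least 1, whereas the line above still guards maxburst with max_t(unsigned int, video->ep->maxburst, 1). If any path leaves ep->mult at 0, req_size becomes 0 and the kmalloc() below is asked for a zero-length buffer; applying the same max_t guard to mult would keep the two factors consistent. The parentheses around the single operand are also no longer needed.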
-- 
2.11.0


* [PATCH 3.12 131/235] netvsc: reduce maximum GSO size
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (129 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 130/235] usb: gadget: composite: always set ep->mult to a sensible value Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 132/235] ser_gigaset: return -ENOMEM on error instead of success Jiri Slaby
                   ` (105 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, stephen hemminger, Stephen Hemminger,
	David S . Miller, Jiri Slaby

From: stephen hemminger <stephen@networkplumber.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit a50af86dd49ee1851d1ccf06dd0019c05b95e297 ]

Hyper-V (and Azure) support using NVGRE which requires some extra space
for encapsulation headers. Because of this the largest allowed TSO
packet is reduced.

For older releases, hard code a fixed reduced value.  For next release,
there is a better solution which uses result of host offload
negotiation.

Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/hyperv/netvsc_drv.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index 616b4e1dd44c..eb6d0d8a3e06 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -48,6 +48,9 @@ struct net_device_context {
 	struct work_struct work;
 };
 
+/* Restrict GSO size to account for NVGRE */
+#define NETVSC_GSO_MAX_SIZE	62768
+
 #define RING_SIZE_MIN 64
 static int ring_size = 128;
 module_param(ring_size, int, S_IRUGO);
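
Review bot: `NETVSC_GSO_MAX_SIZE 62768` is an unexplained constant; the comment says it accounts for NVGRE but not how the value was derived or how much headroom it leaves for the encapsulation headers. Spell out the arithmetic in the comment so the number can be re-checked if the encapsulation overhead changes.
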
@@ -435,6 +438,7 @@ static int netvsc_probe(struct hv_device *dev,
 
 	SET_ETHTOOL_OPS(net, &ethtool_ops);
 	SET_NETDEV_DEV(net, &dev->device);
+	netif_set_gso_max_size(net, NETVSC_GSO_MAX_SIZE);
 
 	ret = register_netdev(net);
 	if (ret != 0) {
-- 
2.11.0

* [PATCH 3.12 132/235] ser_gigaset: return -ENOMEM on error instead of success
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (130 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 131/235] netvsc: reduce maximum GSO size Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 133/235] ipv6: handle -EFAULT from skb_copy_bits Jiri Slaby
                   ` (104 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dan Carpenter, David S . Miller, Jiri Slaby

From: Dan Carpenter <dan.carpenter@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 93a97c50cbf1c007caf12db5cc23e0d5b9c8473c ]

If we can't allocate the resources in gigaset_initdriver() then we
should return -ENOMEM instead of zero.

Fixes: 2869b23e4b95 ("[PATCH] drivers/isdn/gigaset: new M101 driver (v2)")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/isdn/gigaset/ser-gigaset.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c
index 3ac9c4194814..53dfe1693e50 100644
--- a/drivers/isdn/gigaset/ser-gigaset.c
+++ b/drivers/isdn/gigaset/ser-gigaset.c
@@ -787,8 +787,10 @@ static int __init ser_gigaset_init(void)
 	driver = gigaset_initdriver(GIGASET_MINOR, GIGASET_MINORS,
 				    GIGASET_MODULENAME, GIGASET_DEVNAME,
 				    &ops, THIS_MODULE);
-	if (!driver)
+	if (!driver) {
+		rc = -ENOMEM;
 		goto error;
+	}
 
 	rc = tty_register_ldisc(N_GIGASET_M101, &gigaset_ldisc);
 	if (rc != 0) {
-- 
2.11.0

* [PATCH 3.12 133/235] ipv6: handle -EFAULT from skb_copy_bits
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (131 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 132/235] ser_gigaset: return -ENOMEM on error instead of success Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 134/235] net, sched: fix soft lockup in tc_classify Jiri Slaby
                   ` (103 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dave Jones, David S . Miller, Jiri Slaby

From: Dave Jones <davej@codemonkey.org.uk>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit a98f91758995cb59611e61318dddd8a6956b52c3 ]

By setting certain socket options on ipv6 raw sockets, we can confuse the
length calculation in rawv6_push_pending_frames triggering a BUG_ON.

RIP: 0010:[<ffffffff817c6390>] [<ffffffff817c6390>] rawv6_sendmsg+0xc30/0xc40
RSP: 0018:ffff881f6c4a7c18  EFLAGS: 00010282
RAX: 00000000fffffff2 RBX: ffff881f6c681680 RCX: 0000000000000002
RDX: ffff881f6c4a7cf8 RSI: 0000000000000030 RDI: ffff881fed0f6a00
RBP: ffff881f6c4a7da8 R08: 0000000000000000 R09: 0000000000000009
R10: ffff881fed0f6a00 R11: 0000000000000009 R12: 0000000000000030
R13: ffff881fed0f6a00 R14: ffff881fee39ba00 R15: ffff881fefa93a80

Call Trace:
 [<ffffffff8118ba23>] ? unmap_page_range+0x693/0x830
 [<ffffffff81772697>] inet_sendmsg+0x67/0xa0
 [<ffffffff816d93f8>] sock_sendmsg+0x38/0x50
 [<ffffffff816d982f>] SYSC_sendto+0xef/0x170
 [<ffffffff816da27e>] SyS_sendto+0xe/0x10
 [<ffffffff81002910>] do_syscall_64+0x50/0xa0
 [<ffffffff817f7cbc>] entry_SYSCALL64_slow_path+0x25/0x25

Handle by jumping to the failure path if skb_copy_bits gets an EFAULT.

Reproducer:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define LEN 504

int main(int argc, char* argv[])
{
	int fd;
	int zero = 0;
	char buf[LEN];

	memset(buf, 0, LEN);

	fd = socket(AF_INET6, SOCK_RAW, 7);

	setsockopt(fd, SOL_IPV6, IPV6_CHECKSUM, &zero, 4);
	setsockopt(fd, SOL_IPV6, IPV6_DSTOPTS, &buf, LEN);

	sendto(fd, buf, 1, 0, (struct sockaddr *) buf, 110);
}

Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/ipv6/raw.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index c4e69763c602..c2afb29dc1d7 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -585,8 +585,11 @@ static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
 	}
 
 	offset += skb_transport_offset(skb);
-	if (skb_copy_bits(skb, offset, &csum, 2))
-		BUG();
+	err = skb_copy_bits(skb, offset, &csum, 2);
+	if (err < 0) {
+		ip6_flush_pending_frames(sk);
+		goto out;
+	}
 
 	/* in case cksum was not initialized */
 	if (unlikely(csum))
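
Review bot: The new `err < 0` branch calls `ip6_flush_pending_frames(sk)` and jumps to `out`, but nothing in the hunk says why `skb_copy_bits()` can fail at this point or that `skb` must not be used after the flush. Add a short comment that `offset` can end up beyond the data held in the skb when the configured checksum offset and the queued headers disagree, and confirm that the `out` path does not dereference `skb`.
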
-- 
2.11.0

* [PATCH 3.12 134/235] net, sched: fix soft lockup in tc_classify
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (132 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 133/235] ipv6: handle -EFAULT from skb_copy_bits Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 135/235] net: stmmac: Fix race between stmmac_drv_probe and stmmac_open Jiri Slaby
                   ` (102 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Daniel Borkmann, Cong Wang, David S . Miller, Jiri Slaby

From: Daniel Borkmann <daniel@iogearbox.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 628185cfddf1dfb701c4efe2cfd72cf5b09f5702 ]

Shahar reported a soft lockup in tc_classify(), where we run into an
endless loop when walking the classifier chain due to tp->next == tp
which is a state we should never run into. The issue only seems to
trigger under load in the tc control path.

What happens is that in tc_ctl_tfilter(), thread A allocates a new
tp, initializes it, sets tp_created to 1, and calls into tp->ops->change()
with it. In that classifier callback we had to unlock/lock the rtnl
mutex and returned with -EAGAIN. One reason why we need to drop there
is, for example, that we need to request an action module to be loaded.

This happens via tcf_exts_validate() -> tcf_action_init/_1() meaning
after we loaded and found the requested action, we need to redo the
whole request so we don't race against others. While we had to unlock
rtnl in that time, thread B's request was processed next on that CPU.
Thread B added a new tp instance successfully to the classifier chain.
When thread A returned grabbing the rtnl mutex again, propagating -EAGAIN
and destroying its tp instance which never got linked, we goto replay
and redo A's request.

This time when walking the classifier chain in tc_ctl_tfilter() for
checking for existing tp instances we had a priority match and found
the tp instance that was created and linked by thread B. Now calling
again into tp->ops->change() with that tp was successful and returned
without error.

tp_created was never cleared in the second round, thus kernel thinks
that we need to link it into the classifier chain (once again). tp and
*back point to the same object due to the match we had earlier on. Thus
for thread B's already public tp, we reset tp->next to tp itself and
link it into the chain, which eventually causes the mentioned endless
loop in tc_classify() once a packet hits the data path.

Fix is to clear tp_created at the beginning of each request, also when
we replay it. On the paths that can cause -EAGAIN we already destroy
the original tp instance we had and on replay we really need to start
from scratch. It seems that this issue was first introduced in commit
12186be7d2e1 ("net_cls: fix unconfigured struct tcf_proto keeps chaining
and avoid kernel panic when we use cls_cgroup").

Fixes: 12186be7d2e1 ("net_cls: fix unconfigured struct tcf_proto keeps chaining and avoid kernel panic when we use cls_cgroup")
Reported-by: Shahar Klein <shahark@mellanox.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Tested-by: Shahar Klein <shahark@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/sched/cls_api.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 2ea40d1877a6..042e5d839623 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -136,12 +136,14 @@ static int tc_ctl_tfilter(struct sk_buff *skb, struct nlmsghdr *n)
 	unsigned long cl;
 	unsigned long fh;
 	int err;
-	int tp_created = 0;
+	int tp_created;
 
 	if ((n->nlmsg_type != RTM_GETTFILTER) && !netlink_capable(skb, CAP_NET_ADMIN))
 		return -EPERM;
 
 replay:
+	tp_created = 0;
+
 	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, NULL);
 	if (err < 0)
 		return err;
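
Review bot: `tp_created` is now assigned only after the `replay:` label and left uninitialised at its declaration, and nothing at the label explains that per-request state has to be reset on every replay. Add a one-line comment above `tp_created = 0;` so that a later cleanup does not move the initialiser back to the declaration and bring back the stale flag.
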
-- 
2.11.0

* [PATCH 3.12 135/235] net: stmmac: Fix race between stmmac_drv_probe and stmmac_open
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (133 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 134/235] net, sched: fix soft lockup in tc_classify Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 136/235] drop_monitor: add missing call to genlmsg_end Jiri Slaby
                   ` (101 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Florian Fainelli, David S . Miller, Jiri Slaby

From: Florian Fainelli <f.fainelli@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 5701659004d68085182d2fd4199c79172165fa65 ]

There is currently a small window during which the network device registered by
stmmac can be made visible, yet all resources, including the clock and MDIO bus,
have not had a chance to be set up. This can lead to the following error:

[  473.919358] stmmaceth 0000:01:00.0 (unnamed net_device) (uninitialized):
                stmmac_dvr_probe: warning: cannot get CSR clock
[  473.919382] stmmaceth 0000:01:00.0: no reset control found
[  473.919412] stmmac - user ID: 0x10, Synopsys ID: 0x42
[  473.919429] stmmaceth 0000:01:00.0: DMA HW capability register supported
[  473.919436] stmmaceth 0000:01:00.0: RX Checksum Offload Engine supported
[  473.919443] stmmaceth 0000:01:00.0: TX Checksum insertion supported
[  473.919451] stmmaceth 0000:01:00.0 (unnamed net_device) (uninitialized):
                Enable RX Mitigation via HW Watchdog Timer
[  473.921395] libphy: PHY stmmac-1:00 not found
[  473.921417] stmmaceth 0000:01:00.0 eth0: Could not attach to PHY
[  473.921427] stmmaceth 0000:01:00.0 eth0: stmmac_open: Cannot attach to
                PHY (error: -19)
[  473.959710] libphy: stmmac: probed
[  473.959724] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 0 IRQ POLL
                (stmmac-1:00) active
[  473.959728] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 1 IRQ POLL
                (stmmac-1:01)
[  473.959731] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 2 IRQ POLL
                (stmmac-1:02)
[  473.959734] stmmaceth 0000:01:00.0 eth0: PHY ID 01410cc2 at 3 IRQ POLL
                (stmmac-1:03)

Fix this by making sure that register_netdev() is the last thing being done,
which guarantees that the clock and the MDIO bus are available.

Fixes: 4bfcbd7abce2 ("stmmac: Move the mdio_register/_unregister in probe/remove")
Reported-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 3b5459696310..4ce28987c3c1 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -2723,12 +2723,6 @@ struct stmmac_priv *stmmac_dvr_probe(struct device *device,
 	spin_lock_init(&priv->lock);
 	spin_lock_init(&priv->tx_lock);
 
-	ret = register_netdev(ndev);
-	if (ret) {
-		pr_err("%s: ERROR %i registering the device\n", __func__, ret);
-		goto error_netdev_register;
-	}
-
 	priv->stmmac_clk = clk_get(priv->device, STMMAC_RESOURCE_NAME);
 	if (IS_ERR(priv->stmmac_clk)) {
 		pr_warn("%s: warning: cannot get CSR clock\n", __func__);
@@ -2759,13 +2753,23 @@ struct stmmac_priv *stmmac_dvr_probe(struct device *device,
 		}
 	}
 
+	ret = register_netdev(ndev);
+	if (ret) {
+		netdev_err(priv->dev, "%s: ERROR %i registering the device\n",
+			   __func__, ret);
+		goto error_netdev_register;
+	}
+
 	return priv;
 
+error_netdev_register:
+	if (priv->pcs != STMMAC_PCS_RGMII &&
+	    priv->pcs != STMMAC_PCS_TBI &&
+	    priv->pcs != STMMAC_PCS_RTBI)
+		stmmac_mdio_unregister(ndev);
 error_mdio_register:
 	clk_put(priv->stmmac_clk);
 error_clk_get:
-	unregister_netdev(ndev);
-error_netdev_register:
 	netif_napi_del(&priv->napi);
 error_free_netdev:
 	free_netdev(ndev);
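
Review bot: The new `error_netdev_register` unwind repeats a three-way `priv->pcs` test before `stmmac_mdio_unregister(ndev)`, and it has to stay identical to the condition under which the MDIO bus was registered, which is outside this hunk. Factor the test into a small helper or cross-reference the two sites in a comment. Also note that `netdev_err(priv->dev, ...)` runs for a device whose registration has just failed, so the message prefix will carry the unregistered name, as in the `(unnamed net_device) (uninitialized)` lines quoted in the commit message.
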
-- 
2.11.0

* [PATCH 3.12 136/235] drop_monitor: add missing call to genlmsg_end
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (134 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 135/235] net: stmmac: Fix race between stmmac_drv_probe and stmmac_open Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 137/235] drop_monitor: consider inserted data in genlmsg_end Jiri Slaby
                   ` (100 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Reiter Wolfgang, David S . Miller, Jiri Slaby

From: Reiter Wolfgang <wr0112358@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 4200462d88f47f3759bdf4705f87e207b0f5b2e4 ]

Update nlmsg_len field with genlmsg_end to enable userspace processing
using nlmsg_next helper. Also adds error handling.

Signed-off-by: Reiter Wolfgang <wr0112358@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/core/drop_monitor.c | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
index f27d126239b1..9c511cbb100d 100644
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -80,6 +80,7 @@ static struct sk_buff *reset_per_cpu_data(struct per_cpu_dm_data *data)
 	struct nlattr *nla;
 	struct sk_buff *skb;
 	unsigned long flags;
+	void *msg_header;
 
 	al = sizeof(struct net_dm_alert_msg);
 	al += dm_hit_limit * sizeof(struct net_dm_drop_point);
@@ -87,17 +88,31 @@ static struct sk_buff *reset_per_cpu_data(struct per_cpu_dm_data *data)
 
 	skb = genlmsg_new(al, GFP_KERNEL);
 
-	if (skb) {
-		genlmsg_put(skb, 0, 0, &net_drop_monitor_family,
-				0, NET_DM_CMD_ALERT);
-		nla = nla_reserve(skb, NLA_UNSPEC,
-				  sizeof(struct net_dm_alert_msg));
-		msg = nla_data(nla);
-		memset(msg, 0, al);
-	} else {
-		mod_timer(&data->send_timer, jiffies + HZ / 10);
+	if (!skb)
+		goto err;
+
+	msg_header = genlmsg_put(skb, 0, 0, &net_drop_monitor_family,
+				 0, NET_DM_CMD_ALERT);
+	if (!msg_header) {
+		nlmsg_free(skb);
+		skb = NULL;
+		goto err;
+	}
+	nla = nla_reserve(skb, NLA_UNSPEC,
+			  sizeof(struct net_dm_alert_msg));
+	if (!nla) {
+		nlmsg_free(skb);
+		skb = NULL;
+		goto err;
 	}
+	msg = nla_data(nla);
+	memset(msg, 0, al);
+	genlmsg_end(skb, msg_header);
+	goto out;
 
+err:
+	mod_timer(&data->send_timer, jiffies + HZ / 10);
+out:
 	spin_lock_irqsave(&data->lock, flags);
 	swap(data->skb, skb);
 	spin_unlock_irqrestore(&data->lock, flags);
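
Review bot: `genlmsg_end(skb, msg_header)` runs immediately after `nla_reserve()`, so the `nlmsg_len` it writes covers only the reserved `struct net_dm_alert_msg`, although `al` was sized for `dm_hit_limit` drop points and `memset(msg, 0, al)` clears that whole range. If drop points are written into this skb later, the length has to be finalised after they are in place, not here. The two failure branches also duplicate `nlmsg_free(skb); skb = NULL; goto err;` and could share one label.
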
-- 
2.11.0

* [PATCH 3.12 137/235] drop_monitor: consider inserted data in genlmsg_end
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (135 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 136/235] drop_monitor: add missing call to genlmsg_end Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 138/235] igmp: Make igmp group member RFC 3376 compliant Jiri Slaby
                   ` (99 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Reiter Wolfgang, David S . Miller, Jiri Slaby

From: Reiter Wolfgang <wr0112358@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 3b48ab2248e61408910e792fe84d6ec466084c1a ]

Final nlmsg_len field update must reflect inserted net_dm_drop_point
data.

This patch depends on previous patch:
"drop_monitor: add missing call to genlmsg_end"

Signed-off-by: Reiter Wolfgang <wr0112358@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/core/drop_monitor.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
index 9c511cbb100d..5b40f7319504 100644
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -107,7 +107,6 @@ static struct sk_buff *reset_per_cpu_data(struct per_cpu_dm_data *data)
 	}
 	msg = nla_data(nla);
 	memset(msg, 0, al);
-	genlmsg_end(skb, msg_header);
 	goto out;
 
 err:
@@ -117,6 +116,13 @@ out:
 	swap(data->skb, skb);
 	spin_unlock_irqrestore(&data->lock, flags);
 
+	if (skb) {
+		struct nlmsghdr *nlh = (struct nlmsghdr *)skb->data;
+		struct genlmsghdr *gnlh = (struct genlmsghdr *)nlmsg_data(nlh);
+
+		genlmsg_end(skb, genlmsg_data(gnlh));
+	}
+
 	return skb;
 }
 
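
Review bot: In the new `if (skb)` block the header pointer passed to `genlmsg_end()` is rebuilt by casting `skb->data` to `struct nlmsghdr *` and stepping through `nlmsg_data()` and `genlmsg_data()`, which assumes without saying so that the netlink header sits at the very start of the buffer. Add a comment stating that `skb` at this point is the buffer swapped out of `data->skb` and why the header is recomputed rather than stored, since neither is obvious after the `swap()`.
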
-- 
2.11.0

* [PATCH 3.12 138/235] igmp: Make igmp group member RFC 3376 compliant
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (136 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 137/235] drop_monitor: consider inserted data in genlmsg_end Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 139/235] gro: Enter slow-path if there is no tailroom Jiri Slaby
                   ` (98 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Michal Tesar, David S . Miller, Jiri Slaby

From: Michal Tesar <mtesar@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 7ababb782690e03b78657e27bd051e20163af2d6 ]

5.2. Action on Reception of a Query

 When a system receives a Query, it does not respond immediately.
 Instead, it delays its response by a random amount of time, bounded
 by the Max Resp Time value derived from the Max Resp Code in the
 received Query message.  A system may receive a variety of Queries on
 different interfaces and of different kinds (e.g., General Queries,
 Group-Specific Queries, and Group-and-Source-Specific Queries), each
 of which may require its own delayed response.

 Before scheduling a response to a Query, the system must first
 consider previously scheduled pending responses and in many cases
 schedule a combined response.  Therefore, the system must be able to
 maintain the following state:

 o A timer per interface for scheduling responses to General Queries.

 o A per-group and interface timer for scheduling responses to Group-
   Specific and Group-and-Source-Specific Queries.

 o A per-group and interface list of sources to be reported in the
   response to a Group-and-Source-Specific Query.

 When a new Query with the Router-Alert option arrives on an
 interface, provided the system has state to report, a delay for a
 response is randomly selected in the range (0, [Max Resp Time]) where
 Max Resp Time is derived from Max Resp Code in the received Query
 message.  The following rules are then used to determine if a Report
 needs to be scheduled and the type of Report to schedule.  The rules
 are considered in order and only the first matching rule is applied.

 1. If there is a pending response to a previous General Query
    scheduled sooner than the selected delay, no additional response
    needs to be scheduled.

 2. If the received Query is a General Query, the interface timer is
    used to schedule a response to the General Query after the
    selected delay.  Any previously pending response to a General
    Query is canceled.
--8<--

Currently the timer is rearmed with a new random expiration time for
every incoming query regardless of a possibly already pending report,
which is not aligned with the above RFC.
It also might happen that a higher rate of incoming queries can
postpone the report after the expiration time of the first query,
causing group membership loss.

Now the per interface general query timer is rearmed only
when there is no pending report already scheduled on that interface or
the newly selected expiration time is before the already pending
scheduled report.

Signed-off-by: Michal Tesar <mtesar@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/ipv4/igmp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 931bc8d6d8ee..38ab073783e2 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -221,9 +221,14 @@ static void igmp_start_timer(struct ip_mc_list *im, int max_delay)
 static void igmp_gq_start_timer(struct in_device *in_dev)
 {
 	int tv = net_random() % in_dev->mr_maxdelay;
+	unsigned long exp = jiffies + tv + 2;
+
+	if (in_dev->mr_gq_running &&
+	    time_after_eq(exp, (in_dev->mr_gq_timer).expires))
+		return;
 
 	in_dev->mr_gq_running = 1;
-	if (!mod_timer(&in_dev->mr_gq_timer, jiffies+tv+2))
+	if (!mod_timer(&in_dev->mr_gq_timer, exp))
 		in_dev_hold(in_dev);
 }
 
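
Review bot: The new early return reads `in_dev->mr_gq_running` and `(in_dev->mr_gq_timer).expires` with no locking visible in `igmp_gq_start_timer()`, so the flag and the expiry can be stale if the timer handler runs at the same time. State in a comment which lock or context protects them, or test `timer_pending(&in_dev->mr_gq_timer)` rather than relying on the separate flag. The parentheses in `(in_dev->mr_gq_timer).expires` are unnecessary.
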
-- 
2.11.0

* [PATCH 3.12 139/235] gro: Enter slow-path if there is no tailroom
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (137 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 138/235] igmp: Make igmp group member RFC 3376 compliant Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 140/235] gro: use min_t() in skb_gro_reset_offset() Jiri Slaby
                   ` (97 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Herbert Xu, Eric Dumazet, David S . Miller, Jiri Slaby

From: Herbert Xu <herbert@gondor.apana.org.au>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 1272ce87fa017ca4cf32920764d879656b7a005a ]

The GRO path has a fast-path where we avoid calling pskb_may_pull
and pskb_expand by directly accessing frag0.  However, this should
only be done if we have enough tailroom in the skb as otherwise
we'll have to expand it later anyway.

This patch adds the check by capping frag0_len with the skb tailroom.

Fixes: cb18978cbf45 ("gro: Open-code final pskb_may_pull")
Reported-by: Slava Shwartsman <slavash@mellanox.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/core/dev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index fa6d9a47f71f..3595e536e0fd 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3969,7 +3969,8 @@ static void skb_gro_reset_offset(struct sk_buff *skb)
 	    pinfo->nr_frags &&
 	    !PageHighMem(skb_frag_page(frag0))) {
 		NAPI_GRO_CB(skb)->frag0 = skb_frag_address(frag0);
-		NAPI_GRO_CB(skb)->frag0_len = skb_frag_size(frag0);
+		NAPI_GRO_CB(skb)->frag0_len = min(skb_frag_size(frag0),
+						  skb->end - skb->tail);
 	}
 }
 
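
Review bot: `min(skb_frag_size(frag0), skb->end - skb->tail)` compares two expressions whose types need not match, because the type of `skb->end - skb->tail` depends on how the sk_buff offsets are represented on the target architecture, and the kernel's `min()` rejects mixed types. Use `min_t(unsigned int, ...)` here. A short comment on why `frag0_len` is capped by the tailroom would also help the next reader of the fast path.
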
-- 
2.11.0

* [PATCH 3.12 140/235] gro: use min_t() in skb_gro_reset_offset()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (138 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 139/235] gro: Enter slow-path if there is no tailroom Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 141/235] gro: Disable frag0 optimization on IPv6 ext headers Jiri Slaby
                   ` (96 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Eric Dumazet, David S . Miller, Jiri Slaby

From: Eric Dumazet <edumazet@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 7cfd5fd5a9813f1430290d20c0fead9b4582a307 ]

On 32bit arches, (skb->end - skb->data) is not 'unsigned int',
so we shall use min_t() instead of min() to avoid a compiler error.

Fixes: 1272ce87fa01 ("gro: Enter slow-path if there is no tailroom")
Reported-by: kernel test robot <fengguang.wu@intel.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/core/dev.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 3595e536e0fd..6b0ddf661f92 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3969,8 +3969,9 @@ static void skb_gro_reset_offset(struct sk_buff *skb)
 	    pinfo->nr_frags &&
 	    !PageHighMem(skb_frag_page(frag0))) {
 		NAPI_GRO_CB(skb)->frag0 = skb_frag_address(frag0);
-		NAPI_GRO_CB(skb)->frag0_len = min(skb_frag_size(frag0),
-						  skb->end - skb->tail);
+		NAPI_GRO_CB(skb)->frag0_len = min_t(unsigned int,
+						    skb_frag_size(frag0),
+						    skb->end - skb->tail);
 	}
 }
 
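
Review bot: The changelog refers to `(skb->end - skb->data)`, but the expression cast in this hunk is `skb->end - skb->tail`; the description should name the expression that is actually changed. Since `min_t(unsigned int, ...)` converts both operands before comparing, it is also worth confirming that `skb->end - skb->tail` cannot be negative on this path, because a negative value would become a very large length after the cast.
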
-- 
2.11.0

* [PATCH 3.12 141/235] gro: Disable frag0 optimization on IPv6 ext headers
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (139 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 140/235] gro: use min_t() in skb_gro_reset_offset() Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 142/235] HID: hid-cypress: validate length of report Jiri Slaby
                   ` (95 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Herbert Xu, Eric Dumazet, David S . Miller, Jiri Slaby

From: Herbert Xu <herbert@gondor.apana.org.au>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

[ Upstream commit 57ea52a865144aedbcd619ee0081155e658b6f7d ]

The GRO fast path caches the frag0 address.  This address becomes
invalid if frag0 is modified by pskb_may_pull or its variants.
So whenever that happens we must disable the frag0 optimization.

This is usually done through the combination of gro_header_hard
and gro_header_slow, however, the IPv6 extension header path did
the pulling directly and would continue to use the GRO fast path
incorrectly.

This patch fixes it by disabling the fast path when we enter the
IPv6 extension header path.

Fixes: 78a478d0efd9 ("gro: Inline skb_gro_header and cache frag0 virtual address")
Reported-by: Slava Shwartsman <slavash@mellanox.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/linux/netdevice.h | 9 +++++++--
 net/ipv6/ip6_offload.c    | 1 +
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 41239f739d51..0a793dcd975f 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1829,14 +1829,19 @@ static inline int skb_gro_header_hard(struct sk_buff *skb, unsigned int hlen)
 	return NAPI_GRO_CB(skb)->frag0_len < hlen;
 }
 
+static inline void skb_gro_frag0_invalidate(struct sk_buff *skb)
+{
+	NAPI_GRO_CB(skb)->frag0 = NULL;
+	NAPI_GRO_CB(skb)->frag0_len = 0;
+}
+
 static inline void *skb_gro_header_slow(struct sk_buff *skb, unsigned int hlen,
 					unsigned int offset)
 {
 	if (!pskb_may_pull(skb, hlen))
 		return NULL;
 
-	NAPI_GRO_CB(skb)->frag0 = NULL;
-	NAPI_GRO_CB(skb)->frag0_len = 0;
+	skb_gro_frag0_invalidate(skb);
 	return skb->data + offset;
 }
 
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index d82de7228100..1a6ef4c8cd8b 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -177,6 +177,7 @@ static struct sk_buff **ipv6_gro_receive(struct sk_buff **head,
 	ops = rcu_dereference(inet6_offloads[proto]);
 	if (!ops || !ops->callbacks.gro_receive) {
 		__pskb_pull(skb, skb_gro_offset(skb));
+		skb_gro_frag0_invalidate(skb);
 		proto = ipv6_gso_pull_exthdrs(skb, proto);
 		skb_gro_pull(skb, -skb_transport_offset(skb));
 		skb_reset_transport_header(skb);
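
Review bot: `skb_gro_frag0_invalidate(skb)` is added after `__pskb_pull()` with no comment at the call site, and the new helper in netdevice.h has none either, so the rule that a direct pull must be followed by invalidating the cached frag0 is recorded only in the changelog. Add a brief comment on the helper stating that contract, so that other code pulling from the skb on the GRO path knows to call it.
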
-- 
2.11.0

* [PATCH 3.12 142/235] HID: hid-cypress: validate length of report
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (140 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 141/235] gro: Disable frag0 optimization on IPv6 ext headers Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 143/235] powerpc: Fix build warning on 32-bit PPC Jiri Slaby
                   ` (94 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Greg Kroah-Hartman, Jiri Slaby, Jiri Kosina

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1ebb71143758f45dc0fa76e2f48429e13b16d110 upstream.

Make sure we have enough of a report structure to validate before
looking at it.

Reported-by: Benoit Camredon <benoit.camredon@airbus.com>
Tested-by: Benoit Camredon <benoit.camredon@airbus.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
 drivers/hid/hid-cypress.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-cypress.c b/drivers/hid/hid-cypress.c
index c4ef3bc726e3..e299576004ce 100644
--- a/drivers/hid/hid-cypress.c
+++ b/drivers/hid/hid-cypress.c
@@ -39,6 +39,9 @@ static __u8 *cp_report_fixup(struct hid_device *hdev, __u8 *rdesc,
 	if (!(quirks & CP_RDESC_SWAPPED_MIN_MAX))
 		return rdesc;
 
+	if (*rsize < 4)
+		return rdesc;
+
 	for (i = 0; i < *rsize - 4; i++)
 		if (rdesc[i] == 0x29 && rdesc[i + 2] == 0x19) {
 			__u8 tmp;
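Review bot: the new "if (*rsize < 4)" guard sits directly above a loop bounded by "*rsize - 4", but nothing states that the two are linked, and the literal 4 now appears twice. The declaration of rsize is cut off in this hunk header; if it points to an unsigned type, a descriptor shorter than 4 bytes would make "*rsize - 4" wrap to a very large bound, which deserves a one-line comment on the guard. It is also worth checking that the loop body below the visible rdesc[i + 2] access never indexes past rdesc[i + 4], the furthest offset this bound keeps inside the buffer.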
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 143/235] powerpc: Fix build warning on 32-bit PPC
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (141 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 142/235] HID: hid-cypress: validate length of report Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 144/235] mm/init: fix zone boundary creation Jiri Slaby
                   ` (93 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Larry Finger, Nicholas Piggin,
	Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman,
	linuxppc-dev, Linus Torvalds, Jiri Slaby

From: Larry Finger <Larry.Finger@lwfinger.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8ae679c4bc2ea2d16d92620da8e3e9332fa4039f upstream.

I am getting the following warning when I build kernel 4.9-git on my
PowerBook G4 with a 32-bit PPC processor:

    AS      arch/powerpc/kernel/misc_32.o
  arch/powerpc/kernel/misc_32.S:299:7: warning: "CONFIG_FSL_BOOKE" is not defined [-Wundef]

This problem is evident after commit 989cea5c14be ("kbuild: prevent
lib-ksyms.o rebuilds"); however, this change in kbuild only exposes an
error that has been in the code since 2005 when this source file was
created.  That was with commit 9994a33865f4 ("powerpc: Introduce
entry_{32,64}.S, misc_{32,64}.S, systbl.S").

The offending line does not make a lot of sense.  This error does not
seem to cause any errors in the executable, thus I am not recommending
that it be applied to any stable versions.

Thanks to Nicholas Piggin for suggesting this solution.

Fixes: 9994a33865f4 ("powerpc: Introduce entry_{32,64}.S, misc_{32,64}.S, systbl.S")
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: linuxppc-dev@lists.ozlabs.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/powerpc/kernel/misc_32.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/misc_32.S b/arch/powerpc/kernel/misc_32.S
index ace34137a501..e23298f065df 100644
--- a/arch/powerpc/kernel/misc_32.S
+++ b/arch/powerpc/kernel/misc_32.S
@@ -313,7 +313,7 @@ _GLOBAL(flush_instruction_cache)
 	lis	r3, KERNELBASE@h
 	iccci	0,r3
 #endif
-#elif CONFIG_FSL_BOOKE
+#elif defined(CONFIG_FSL_BOOKE)
 BEGIN_FTR_SECTION
 	mfspr   r3,SPRN_L1CSR0
 	ori     r3,r3,L1CSR0_CFI|L1CSR0_CLFC
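Review bot: the change to "#elif defined(CONFIG_FSL_BOOKE)" only silences a -Wundef build warning, and the commit message itself says the author is not recommending it for any stable version, yet it is queued for 3.12. Either drop it from the queue or add a "[js]" line saying why it is wanted here. If it stays, confirm that the other branches of this #if chain, which lie outside the hunk context, test their symbols consistently.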
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 144/235] mm/init: fix zone boundary creation
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (142 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 143/235] powerpc: Fix build warning on 32-bit PPC Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 145/235] Input: xpad - use correct product id for x360w controllers Jiri Slaby
                   ` (92 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Oliver O'Halloran, Anton Blanchard,
	Benjamin Herrenschmidt, Paul Mackerras, Mel Gorman,
	Andrew Morton, Linus Torvalds, Arnd Bergmann, Jiri Slaby

From: Oliver O'Halloran <oohall@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 90cae1fe1c3540f791d5b8e025985fa5e699b2bb upstream.

As a part of memory initialisation the architecture passes an array to
free_area_init_nodes() which specifies the max PFN of each memory zone.
This array is not necessarily monotonic (due to unused zones) so this
array is parsed to build monotonic lists of the min and max PFN for each
zone.  ZONE_MOVABLE is special cased here as its limits are managed by
the mm subsystem rather than the architecture.  Unfortunately, this
special casing is broken when ZONE_MOVABLE is not the last zone in
the zone list.  The core of the issue is:

	if (i == ZONE_MOVABLE)
		continue;
	arch_zone_lowest_possible_pfn[i] =
		arch_zone_highest_possible_pfn[i-1];

As ZONE_MOVABLE is skipped the lowest_possible_pfn of the next zone will
be set to zero.  This patch fixes this bug by explicitly tracking
where the next zone should start rather than relying on the contents of
arch_zone_highest_possible_pfn[].

This is low priority.  To get bitten by this you need to enable a zone
that appears after ZONE_MOVABLE in the zone_type enum.  As far as I can
tell this means running a kernel with ZONE_DEVICE or ZONE_CMA enabled,
so I can't see this affecting too many people.

I only noticed this because I've been fiddling with ZONE_DEVICE on
powerpc and 4.6 broke my test kernel.  This bug, in conjunction with the
changes in Taku Izumi's kernelcore=mirror patch (d91749c1dda71) and
powerpc being the odd architecture which initialises max_zone_pfn[] to
~0ul instead of 0 caused all of system memory to be placed into
ZONE_DEVICE at boot, followed by a panic since device memory cannot be used
for kernel allocations.  I've already submitted a patch to fix the
powerpc specific bits, but I figured this should be fixed too.

Link: http://lkml.kernel.org/r/1462435033-15601-1-git-send-email-oohall@gmail.com
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Cc: Anton Blanchard <anton@samba.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 mm/page_alloc.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 7abab3b7d140..8927c8d0ff4e 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -5279,15 +5279,18 @@ void __init free_area_init_nodes(unsigned long *max_zone_pfn)
 				sizeof(arch_zone_lowest_possible_pfn));
 	memset(arch_zone_highest_possible_pfn, 0,
 				sizeof(arch_zone_highest_possible_pfn));
-	arch_zone_lowest_possible_pfn[0] = find_min_pfn_with_active_regions();
-	arch_zone_highest_possible_pfn[0] = max_zone_pfn[0];
-	for (i = 1; i < MAX_NR_ZONES; i++) {
+
+	start_pfn = find_min_pfn_with_active_regions();
+
+	for (i = 0; i < MAX_NR_ZONES; i++) {
 		if (i == ZONE_MOVABLE)
 			continue;
-		arch_zone_lowest_possible_pfn[i] =
-			arch_zone_highest_possible_pfn[i-1];
-		arch_zone_highest_possible_pfn[i] =
-			max(max_zone_pfn[i], arch_zone_lowest_possible_pfn[i]);
+
+		end_pfn = max(max_zone_pfn[i], start_pfn);
+		arch_zone_lowest_possible_pfn[i] = start_pfn;
+		arch_zone_highest_possible_pfn[i] = end_pfn;
+
+		start_pfn = end_pfn;
 	}
 	arch_zone_lowest_possible_pfn[ZONE_MOVABLE] = 0;
 	arch_zone_highest_possible_pfn[ZONE_MOVABLE] = 0;
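Review bot: start_pfn and end_pfn are assigned in the new loop, but the hunk adds no declaration for them, and the diffstat's 10 insertions are all accounted for here. For the 3.12 backport, confirm that free_area_init_nodes() already declares both as unsigned long and that any later use of them in the function re-initialises them rather than relying on the values left by this loop.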
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread
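The boundary bug described in the commit message above, as an added userspace model (not kernel code and not part of the original mail). The four-zone enum, the sample PFN values and the function names are constructed for illustration; the two loops follow the removed and added lines of the patch.

```c
#include <stdio.h>

/* Constructed zone order for illustration: one zone follows ZONE_MOVABLE. */
enum { ZONE_DMA, ZONE_NORMAL, ZONE_MOVABLE, ZONE_DEVICE, MAX_NR_ZONES };

#define MAX_PFN(a, b) ((a) > (b) ? (a) : (b))
#define SAMPLE_MIN_PFN 0x10UL

/* Constructed sample input: the max PFN of each zone, as an arch would pass it. */
static const unsigned long sample_max_zone_pfn[MAX_NR_ZONES] = {
	[ZONE_DMA] = 0x1000, [ZONE_NORMAL] = 0x100000,
	[ZONE_MOVABLE] = 0, [ZONE_DEVICE] = 0x180000,
};

/* Pre-patch logic: each zone starts where the previous array slot ended. */
static void zone_bounds_old(const unsigned long *max_zone_pfn,
			    unsigned long min_pfn,
			    unsigned long *lo, unsigned long *hi)
{
	int i;

	for (i = 0; i < MAX_NR_ZONES; i++)
		lo[i] = hi[i] = 0;
	lo[0] = min_pfn;
	hi[0] = max_zone_pfn[0];
	for (i = 1; i < MAX_NR_ZONES; i++) {
		if (i == ZONE_MOVABLE)
			continue;
		/* hi[ZONE_MOVABLE] was skipped and is still 0 */
		lo[i] = hi[i - 1];
		hi[i] = MAX_PFN(max_zone_pfn[i], lo[i]);
	}
}

/* Post-patch logic: the start of the next zone is tracked explicitly. */
static void zone_bounds_new(const unsigned long *max_zone_pfn,
			    unsigned long min_pfn,
			    unsigned long *lo, unsigned long *hi)
{
	unsigned long start_pfn = min_pfn, end_pfn;
	int i;

	for (i = 0; i < MAX_NR_ZONES; i++)
		lo[i] = hi[i] = 0;
	for (i = 0; i < MAX_NR_ZONES; i++) {
		if (i == ZONE_MOVABLE)
			continue;
		end_pfn = MAX_PFN(max_zone_pfn[i], start_pfn);
		lo[i] = start_pfn;
		hi[i] = end_pfn;
		start_pfn = end_pfn;
	}
}

/* Lowest PFN assigned to the zone after ZONE_MOVABLE, old and new logic. */
unsigned long device_lo_old(void)
{
	unsigned long lo[MAX_NR_ZONES], hi[MAX_NR_ZONES];

	zone_bounds_old(sample_max_zone_pfn, SAMPLE_MIN_PFN, lo, hi);
	return lo[ZONE_DEVICE];
}

unsigned long device_lo_new(void)
{
	unsigned long lo[MAX_NR_ZONES], hi[MAX_NR_ZONES];

	zone_bounds_new(sample_max_zone_pfn, SAMPLE_MIN_PFN, lo, hi);
	return lo[ZONE_DEVICE];
}

int main(void)
{
	/* Old logic starts ZONE_DEVICE at PFN 0, overlapping every lower zone. */
	printf("old: ZONE_DEVICE starts at %#lx\n", device_lo_old());
	printf("new: ZONE_DEVICE starts at %#lx\n", device_lo_new());
	return 0;
}
```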

* [PATCH 3.12 145/235] Input: xpad - use correct product id for x360w controllers
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (143 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 144/235] mm/init: fix zone boundary creation Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 146/235] Input: i8042 - add Pegatron touchpad to noloop table Jiri Slaby
                   ` (91 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Pavel Rojtberg, Dmitry Torokhov, Jiri Slaby

From: Pavel Rojtberg <rojtberg@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b6fc513da50c5dbc457a8ad6b58b046a6a68fd9d upstream.

Currently the controllers get the same product id as the wireless
receiver. However the controllers actually have their own product id.

The patch makes the driver expose the same product id as the Windows
driver.

This improves compatibility when running applications with WINE.

See https://github.com/paroj/xpad/issues/54

Signed-off-by: Pavel Rojtberg <rojtberg@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/joystick/xpad.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index 5be10fb2edf2..a711aab97ae7 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -1094,6 +1094,12 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
 	input_dev->name = xpad_device[i].name;
 	input_dev->phys = xpad->phys;
 	usb_to_input_id(udev, &input_dev->id);
+
+	if (xpad->xtype == XTYPE_XBOX360W) {
+		/* x360w controllers and the receiver have different ids */
+		input_dev->id.product = 0x02a1;
+	}
+
 	input_dev->dev.parent = &intf->dev;
 
 	input_set_drvdata(input_dev, xpad);
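Review bot: the product id is written as a bare literal in "input_dev->id.product = 0x02a1;", so the only record of what it identifies is the short comment above it. Suggest a named constant for the value and a comment that says, as the commit message does, that it is the id the Windows driver exposes for the controller. Because the override runs after usb_to_input_id(), the comment should also note that the id reported by the USB device is replaced on purpose for XTYPE_XBOX360W.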
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 146/235] Input: i8042 - add Pegatron touchpad to noloop table
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (144 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 145/235] Input: xpad - use correct product id for x360w controllers Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 147/235] selftests: do not require bash to run netsocktests testcase Jiri Slaby
                   ` (90 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Marcos Paulo de Souza, Dmitry Torokhov, Jiri Slaby

From: Marcos Paulo de Souza <marcos.souza.org@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 41c567a5d7d1a986763e58c3394782813c3bcb03 upstream.

Avoid AUX loopback in Pegatron C15B touchpad, so input subsystem is able
to recognize a Synaptics touchpad in the AUX port.

Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=93791
(Touchpad is not detected on DNS 0801480 notebook (PEGATRON C15B))

Suggested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/input/serio/i8042-x86ia64io.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
index ccb36fb565de..3f3c517f2039 100644
--- a/drivers/input/serio/i8042-x86ia64io.h
+++ b/drivers/input/serio/i8042-x86ia64io.h
@@ -211,6 +211,12 @@ static const struct dmi_system_id __initconst i8042_dmi_noloop_table[] = {
 			DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
 		},
 	},
+	{
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "PEGATRON CORPORATION"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "C15B"),
+		},
+	},
 	{ }
 };
 
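Review bot: the new i8042_dmi_noloop_table[] entry has no comment naming the machine or the bug it works around, so the reason for the quirk lives only in the commit message. Suggest a short comment on the entry such as "Pegatron C15B" together with the bugzilla reference given in the message (id=93791).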
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 147/235] selftests: do not require bash to run netsocktests testcase
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (145 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 146/235] Input: i8042 - add Pegatron touchpad to noloop table Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 148/235] ocfs2: fix crash caused by stale lvb with fsdlm plugin Jiri Slaby
                   ` (89 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Rolf Eike Beer, Shuah Khan, Jiri Slaby

From: Rolf Eike Beer <eb@emlix.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3659f98b5375d195f1870c3e508fe51e52206839 upstream.

Nothing in this minimal script seems to require bash. We often run these
tests on embedded devices where the only shell available is the busybox
ash. Use sh instead.

Signed-off-by: Rolf Eike Beer <eb@emlix.com>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 tools/testing/selftests/net/run_netsocktests | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/run_netsocktests b/tools/testing/selftests/net/run_netsocktests
index c09a682df56a..16058bbea7a8 100644
--- a/tools/testing/selftests/net/run_netsocktests
+++ b/tools/testing/selftests/net/run_netsocktests
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 echo "--------------------"
 echo "running socket test"
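Review bot: with the interpreter on line 1 changed to /bin/sh, the rest of the script, which this hunk does not show, has to be free of bash-only constructs, and the commit message only says that nothing "seems" to require bash. Suggest confirming with a run under a POSIX shell such as the busybox ash the message names before this goes into stable.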
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 148/235] ocfs2: fix crash caused by stale lvb with fsdlm plugin
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (146 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 147/235] selftests: do not require bash to run netsocktests testcase Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 149/235] mm/hugetlb.c: fix reservation race when freeing surplus pages Jiri Slaby
                   ` (88 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Eric Ren, Mark Fasheh, Joel Becker, Junxiao Bi,
	Andrew Morton, Linus Torvalds, Jiri Slaby

From: Eric Ren <zren@suse.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e7ee2c089e94067d68475990bdeed211c8852917 upstream.

The crash happens rather often when we reset some cluster nodes while
nodes contend fiercely to do truncate and append.

The crash backtrace is below:

   dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover_grant 1 locks on 971 resources
   dlm: C21CBDA5E0774F4BA5A9D4F317717495: dlm_recover 9 generation 5 done: 4 ms
   ocfs2: Begin replay journal (node 318952601, slot 2) on device (253,18)
   ocfs2: End replay journal (node 318952601, slot 2) on device (253,18)
   ocfs2: Beginning quota recovery on device (253,18) for slot 2
   ocfs2: Finishing quota recovery on device (253,18) for slot 2
   (truncate,30154,1):ocfs2_truncate_file:470 ERROR: bug expression: le64_to_cpu(fe->i_size) != i_size_read(inode)
   (truncate,30154,1):ocfs2_truncate_file:470 ERROR: Inode 290321, inode i_size = 732 != di i_size = 937, i_flags = 0x1
   ------------[ cut here ]------------
   kernel BUG at /usr/src/linux/fs/ocfs2/file.c:470!
   invalid opcode: 0000 [#1] SMP
   Modules linked in: ocfs2_stack_user(OEN) ocfs2(OEN) ocfs2_nodemanager ocfs2_stackglue(OEN) quota_tree dlm(OEN) configfs fuse sd_mod    iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi af_packet iscsi_ibft iscsi_boot_sysfs softdog xfs libcrc32c ppdev parport_pc pcspkr parport      joydev virtio_balloon virtio_net i2c_piix4 acpi_cpufreq button processor ext4 crc16 jbd2 mbcache ata_generic cirrus virtio_blk ata_piix               drm_kms_helper ahci syscopyarea libahci sysfillrect sysimgblt fb_sys_fops ttm floppy libata drm virtio_pci virtio_ring uhci_hcd virtio ehci_hcd       usbcore serio_raw usb_common sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
   Supported: No, Unsupported modules are loaded
   CPU: 1 PID: 30154 Comm: truncate Tainted: G           OE   N  4.4.21-69-default #1
   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
   task: ffff88004ff6d240 ti: ffff880074e68000 task.ti: ffff880074e68000
   RIP: 0010:[<ffffffffa05c8c30>]  [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]
   RSP: 0018:ffff880074e6bd50  EFLAGS: 00010282
   RAX: 0000000000000074 RBX: 000000000000029e RCX: 0000000000000000
   RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246
   RBP: ffff880074e6bda8 R08: 000000003675dc7a R09: ffffffff82013414
   R10: 0000000000034c50 R11: 0000000000000000 R12: ffff88003aab3448
   R13: 00000000000002dc R14: 0000000000046e11 R15: 0000000000000020
   FS:  00007f839f965700(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
   CR2: 00007f839f97e000 CR3: 0000000036723000 CR4: 00000000000006e0
   Call Trace:
     ocfs2_setattr+0x698/0xa90 [ocfs2]
     notify_change+0x1ae/0x380
     do_truncate+0x5e/0x90
     do_sys_ftruncate.constprop.11+0x108/0x160
     entry_SYSCALL_64_fastpath+0x12/0x6d
   Code: 24 28 ba d6 01 00 00 48 c7 c6 30 43 62 a0 8b 41 2c 89 44 24 08 48 8b 41 20 48 c7 c1 78 a3 62 a0 48 89 04 24 31 c0 e8 a0 97 f9 ff <0f> 0b 3d 00 fe ff ff 0f 84 ab fd ff ff 83 f8 fc 0f 84 a2 fd ff
   RIP  [<ffffffffa05c8c30>] ocfs2_truncate_file+0x640/0x6c0 [ocfs2]

It's because ocfs2_inode_lock() gets us a stale LVB in which the i_size is
not equal to the disk i_size.  We mistakenly trust the LVB because the
underlying fsdlm dlm_lock() doesn't set lkb_sbflags with
DLM_SBF_VALNOTVALID properly for us.  But, why?

The current code tries to downconvert lock without DLM_LKF_VALBLK flag
to tell o2cb not to update RSB's LVB if it's a PR->NULL conversion, even
if the lock resource type needs LVB.  This is not the right way for
fsdlm.

The fsdlm plugin behaves differently on DLM_LKF_VALBLK: it depends on
DLM_LKF_VALBLK to decide if we care about the LVB in the LKB.  If
DLM_LKF_VALBLK is not set, fsdlm will skip recovering RSB's LVB from
this lkb and set the right DLM_SBF_VALNOTVALID appropriately when node
failure happens.

The following diagram briefly illustrates how this crash happens:

RSB1 is inode metadata lock resource with LOCK_TYPE_USES_LVB;

The 1st round:

             Node1                                    Node2
RSB1: PR
                                                  RSB1(master): NULL->EX
ocfs2_downconvert_lock(PR->NULL, set_lvb==0)
  ocfs2_dlm_lock(no DLM_LKF_VALBLK)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

dlm_lock(no DLM_LKF_VALBLK)
  convert_lock(overwrite lkb->lkb_exflags
               with no DLM_LKF_VALBLK)

RSB1: NULL                                        RSB1: EX
                                                  reset Node2
dlm_recover_rsbs()
  recover_lvb()

/* The LVB is not trustable if the node with EX fails and
 * no lock >= PR is left. We should set RSB_VALNOTVALID for RSB1.
 */

 if(!(kb_exflags & DLM_LKF_VALBLK)) /* This means we miss the chance to
           return;                   * to invalid the LVB here.
                                     */

The 2nd round:

         Node 1                                Node2
RSB1(become master from recovery)

ocfs2_setattr()
  ocfs2_inode_lock(NULL->EX)
    /* dlm_lock() return the stale lvb without setting DLM_SBF_VALNOTVALID */
    ocfs2_meta_lvb_is_trustable() return 1 /* so we don't refresh inode from disk */
  ocfs2_truncate_file()
      mlog_bug_on_msg(disk isize != i_size_read(inode))  /* crash! */

The fix is quite straightforward.  We keep setting the DLM_LKF_VALBLK flag
for dlm_lock() if the lock resource type needs LVB and the fsdlm plugin
is used.

Link: http://lkml.kernel.org/r/1481275846-6604-1-git-send-email-zren@suse.com
Signed-off-by: Eric Ren <zren@suse.com>
Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mfasheh@versity.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ocfs2/dlmglue.c   | 10 ++++++++++
 fs/ocfs2/stackglue.c |  6 ++++++
 fs/ocfs2/stackglue.h |  3 +++
 3 files changed, 19 insertions(+)

diff --git a/fs/ocfs2/dlmglue.c b/fs/ocfs2/dlmglue.c
index 416a2ab68ac1..9c93df0f241d 100644
--- a/fs/ocfs2/dlmglue.c
+++ b/fs/ocfs2/dlmglue.c
@@ -3302,6 +3302,16 @@ static int ocfs2_downconvert_lock(struct ocfs2_super *osb,
 	mlog(ML_BASTS, "lockres %s, level %d => %d\n", lockres->l_name,
 	     lockres->l_level, new_level);
 
+	/*
+	 * On DLM_LKF_VALBLK, fsdlm behaves differently with o2cb. It always
+	 * expects DLM_LKF_VALBLK being set if the LKB has LVB, so that
+	 * we can recover correctly from node failure. Otherwise, we may get
+	 * invalid LVB in LKB, but without DLM_SBF_VALNOTVALID being set.
+	 */
+	if (!ocfs2_is_o2cb_active() &&
+	    lockres->l_ops->flags & LOCK_TYPE_USES_LVB)
+		lvb = 1;
+
 	if (lvb)
 		dlm_flags |= DLM_LKF_VALBLK;
 
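Review bot: the added condition mixes "&&" with an unparenthesised bitwise "&" in "!ocfs2_is_o2cb_active() && lockres->l_ops->flags & LOCK_TYPE_USES_LVB". It evaluates as intended because "&" binds tighter than "&&", but parentheses around the flag test would make that explicit and avoid compiler precedence warnings. Note also that the caller's lvb argument is now overridden for every non-o2cb stack, so the comment should say that this is deliberate for all callers of ocfs2_downconvert_lock().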
diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c
index 39abf89697ed..88610b3cbc04 100644
--- a/fs/ocfs2/stackglue.c
+++ b/fs/ocfs2/stackglue.c
@@ -48,6 +48,12 @@ static char ocfs2_hb_ctl_path[OCFS2_MAX_HB_CTL_PATH] = "/sbin/ocfs2_hb_ctl";
  */
 static struct ocfs2_stack_plugin *active_stack;
 
+inline int ocfs2_is_o2cb_active(void)
+{
+	return !strcmp(active_stack->sp_name, OCFS2_STACK_PLUGIN_O2CB);
+}
+EXPORT_SYMBOL_GPL(ocfs2_is_o2cb_active);
+
 static struct ocfs2_stack_plugin *ocfs2_stack_lookup(const char *name)
 {
 	struct ocfs2_stack_plugin *p;
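Review bot: ocfs2_is_o2cb_active() dereferences active_stack->sp_name with no NULL check and without any lock visible here, although active_stack is a plain static pointer; if the helper can run while no stack is active it will oops. Either check for NULL or document why a stack is always set when the downconvert path runs. Separately, "inline" on a non-static function that is exported with EXPORT_SYMBOL_GPL serves no purpose and should be dropped.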
diff --git a/fs/ocfs2/stackglue.h b/fs/ocfs2/stackglue.h
index 1ec56fdb8d0d..fa49d8a1dc7b 100644
--- a/fs/ocfs2/stackglue.h
+++ b/fs/ocfs2/stackglue.h
@@ -289,4 +289,7 @@ void ocfs2_stack_glue_set_max_proto_version(struct ocfs2_protocol_version *max_p
 int ocfs2_stack_glue_register(struct ocfs2_stack_plugin *plugin);
 void ocfs2_stack_glue_unregister(struct ocfs2_stack_plugin *plugin);
 
+/* In ocfs2_downconvert_lock(), we need to know which stack we are using */
+int ocfs2_is_o2cb_active(void);
+
 #endif  /* STACKGLUE_H */
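Review bot: the comment on the new prototype describes one caller ("In ocfs2_downconvert_lock(), ...") instead of what the function returns. Suggest documenting the contract (non-zero when the active stack plugin is o2cb) and returning bool, since the value is only used as a predicate.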
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 149/235] mm/hugetlb.c: fix reservation race when freeing surplus pages
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (147 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 148/235] ocfs2: fix crash caused by stale lvb with fsdlm plugin Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 150/235] KVM: x86: fix emulation of "MOV SS, null selector" Jiri Slaby
                   ` (87 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Mike Kravetz, Masayoshi Mizuma, Naoya Horiguchi,
	Aneesh Kumar, Hillf Danton, Andrew Morton, Linus Torvalds,
	Jiri Slaby

From: Mike Kravetz <mike.kravetz@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e5bbc8a6c992901058bc09e2ce01d16c111ff047 upstream.

return_unused_surplus_pages() decrements the global reservation count,
and frees any unused surplus pages that were backing the reservation.

Commit 7848a4bf51b3 ("mm/hugetlb.c: add cond_resched_lock() in
return_unused_surplus_pages()") added a call to cond_resched_lock in the
loop freeing the pages.

As a result, the hugetlb_lock could be dropped, and someone else could
use the pages that will be freed in subsequent iterations of the loop.
This could result in inconsistent global hugetlb page state, application
api failures (such as mmap) or application crashes.

When dropping the lock in return_unused_surplus_pages, make sure that
the global reservation count (resv_huge_pages) remains sufficiently
large to prevent someone else from claiming pages about to be freed.

Analyzed by Paul Cassella.

Fixes: 7848a4bf51b3 ("mm/hugetlb.c: add cond_resched_lock() in return_unused_surplus_pages()")
Link: http://lkml.kernel.org/r/1483991767-6879-1-git-send-email-mike.kravetz@oracle.com
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reported-by: Paul Cassella <cassella@cray.com>
Suggested-by: Michal Hocko <mhocko@kernel.org>
Cc: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Aneesh Kumar <aneesh.kumar@linux.vnet.ibm.com>
Cc: Hillf Danton <hillf.zj@alibaba-inc.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 mm/hugetlb.c | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 2aaf11bdfb17..24d50334d51c 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1114,23 +1114,32 @@ free:
 }
 
 /*
- * When releasing a hugetlb pool reservation, any surplus pages that were
- * allocated to satisfy the reservation must be explicitly freed if they were
- * never used.
- * Called with hugetlb_lock held.
+ * This routine has two main purposes:
+ * 1) Decrement the reservation count (resv_huge_pages) by the value passed
+ *    in unused_resv_pages.  This corresponds to the prior adjustments made
+ *    to the associated reservation map.
+ * 2) Free any unused surplus pages that may have been allocated to satisfy
+ *    the reservation.  As many as unused_resv_pages may be freed.
+ *
+ * Called with hugetlb_lock held.  However, the lock could be dropped (and
+ * reacquired) during calls to cond_resched_lock.  Whenever dropping the lock,
+ * we must make sure nobody else can claim pages we are in the process of
+ * freeing.  Do this by ensuring resv_huge_page always is greater than the
+ * number of huge pages we plan to free when dropping the lock.
  */
 static void return_unused_surplus_pages(struct hstate *h,
 					unsigned long unused_resv_pages)
 {
 	unsigned long nr_pages;
 
-	/* Uncommit the reservation */
-	h->resv_huge_pages -= unused_resv_pages;
-
 	/* Cannot return gigantic pages currently */
 	if (h->order >= MAX_ORDER)
-		return;
+		goto out;
 
+	/*
+	 * Part (or even all) of the reservation could have been backed
+	 * by pre-allocated pages. Only free surplus pages.
+	 */
 	nr_pages = min(unused_resv_pages, h->surplus_huge_pages);
 
 	/*
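Review bot: the rewritten header comment names the counter as "resv_huge_page" in its last sentence, while the field used in the code and earlier in the same comment is resv_huge_pages. It also says the count "always is greater than" the number of pages still to be freed, whereas the comment added in the next hunk says "sufficiently large to cover"; pick one wording and state the invariant once, precisely. The switch from "return" to "goto out" for gigantic pages relies on the out: label doing the full decrement, which is worth a word in the comment.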
@@ -1140,12 +1149,22 @@ static void return_unused_surplus_pages(struct hstate *h,
 	 * when the nodes with surplus pages have no free pages.
 	 * free_pool_huge_page() will balance the the freed pages across the
 	 * on-line nodes with memory and will handle the hstate accounting.
+	 *
+	 * Note that we decrement resv_huge_pages as we free the pages.  If
+	 * we drop the lock, resv_huge_pages will still be sufficiently large
+	 * to cover subsequent pages we may free.
 	 */
 	while (nr_pages--) {
+		h->resv_huge_pages--;
+		unused_resv_pages--;
 		if (!free_pool_huge_page(h, &node_states[N_MEMORY], 1))
-			break;
+			goto out;
 		cond_resched_lock(&hugetlb_lock);
 	}
+
+out:
+	/* Fully uncommit the reservation */
+	h->resv_huge_pages -= unused_resv_pages;
 }
 
 /*
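Review bot: in the loop, h->resv_huge_pages and unused_resv_pages are decremented before free_pool_huge_page() is called, so on the failure path ("goto out") one reservation has already been dropped for a page that was not freed. The total still comes out equal to the original unused_resv_pages because out: subtracts the remainder, but that is not obvious from reading the loop; suggest a comment at the "goto out" saying the pre-decrement is intentional and that out: uncommits whatever is left.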
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 150/235] KVM: x86: fix emulation of "MOV SS, null selector"
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (148 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 149/235] mm/hugetlb.c: fix reservation race when freeing surplus pages Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 151/235] jump_labels: API for flushing deferred jump label updates Jiri Slaby
                   ` (86 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Paolo Bonzini, Jiri Slaby

From: Paolo Bonzini <pbonzini@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 33ab91103b3415e12457e3104f0e4517ce12d0f3 upstream.

This is CVE-2017-2583.  On Intel this causes a failed vmentry because
SS's type is neither 3 nor 7 (even though the manual says this check is
only done for usable SS, and the dmesg splat says that SS is unusable!).
On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.

The fix fabricates a data segment descriptor when SS is set to a null
selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb.
Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3;
this in turn ensures CPL < 3 because RPL must be equal to CPL.

Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing
the bug and deciphering the manuals.

[js] backport to 3.12

Reported-by: Xiaohan Zhang <zhangxiaohan1@huawei.com>
Fixes: 79d5b4c3cd809c770d4bf9812635647016c56011
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/kvm/emulate.c | 48 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 38 insertions(+), 10 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 77d373211053..1bc518bdbd87 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1444,7 +1444,6 @@ static int write_segment_descriptor(struct x86_emulate_ctxt *ctxt,
 				    &ctxt->exception);
 }
 
-/* Does not support long mode */
 static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
 				   u16 selector, int seg,
 				   struct desc_struct *desc)
@@ -1458,6 +1457,21 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
 	int ret;
 	u16 dummy;
 
+
+	/*
+	 * None of MOV, POP and LSS can load a NULL selector in CPL=3, but
+	 * they can load it at CPL<3 (Intel's manual says only LSS can,
+	 * but it's wrong).
+	 *
+	 * However, the Intel manual says that putting IST=1/DPL=3 in
+	 * an interrupt gate will result in SS=3 (the AMD manual instead
+	 * says it doesn't), so allow SS=3 in __load_segment_descriptor
+	 * and only forbid it here.
+	 */
+	if (seg == VCPU_SREG_SS && selector == 3 &&
+	    ctxt->mode == X86EMUL_MODE_PROT64)
+		return emulate_exception(ctxt, GP_VECTOR, 0, true);
+
 	memset(&seg_desc, 0, sizeof seg_desc);
 
 	if (ctxt->mode == X86EMUL_MODE_REAL) {
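Review bot: the new comment says to "allow SS=3 in __load_segment_descriptor and only forbid it here", but per the hunk header the check is being added to load_segment_descriptor() and no __load_segment_descriptor appears in this backport. If 3.12 has only the one function, the SS=3 case the comment wants to keep allowed for the interrupt-gate path is forbidden for every caller; either reword the comment for 3.12 or confirm that no internal caller depends on that case. The hunk also adds a second consecutive blank line after "u16 dummy;".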
@@ -1480,20 +1494,34 @@ static int load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
 	rpl = selector & 3;
 	cpl = ctxt->ops->cpl(ctxt);
 
-	/* NULL selector is not valid for TR, CS and SS (except for long mode) */
-	if ((seg == VCPU_SREG_CS
-	     || (seg == VCPU_SREG_SS
-		 && (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl))
-	     || seg == VCPU_SREG_TR)
-	    && null_selector)
-		goto exception;
-
 	/* TR should be in GDT only */
 	if (seg == VCPU_SREG_TR && (selector & (1 << 2)))
 		goto exception;
 
-	if (null_selector) /* for NULL selector skip all following checks */
+	/* NULL selector is not valid for TR, CS and (except for long mode) SS */
+	if (null_selector) {
+		if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
+			goto exception;
+
+		if (seg == VCPU_SREG_SS) {
+			if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
+				goto exception;
+
+			/*
+			 * ctxt->ops->set_segment expects the CPL to be in
+			 * SS.DPL, so fake an expand-up 32-bit data segment.
+			 */
+			seg_desc.type = 3;
+			seg_desc.p = 1;
+			seg_desc.s = 1;
+			seg_desc.dpl = cpl;
+			seg_desc.d = 1;
+			seg_desc.g = 1;
+		}
+
+		/* Skip all following checks */
 		goto load;
+	}
 
 	ret = read_segment_descriptor(ctxt, selector, &seg_desc, &desc_addr);
 	if (ret != X86EMUL_CONTINUE)
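Review bot: The faked SS descriptor in the null_selector branch is built from bare numbers (type = 3, d = 1, g = 1), and only the comment says that this is an expand-up 32-bit data segment. A word on what type 3 encodes (read/write, accessed) would save the next reader a trip to the manual. It would also help to state that a null DS/ES/FS/GS still reaches the load label with the all-zero seg_desc left by the earlier memset(), since only SS is filled in here.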
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 151/235] jump_labels: API for flushing deferred jump label updates
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (149 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 150/235] KVM: x86: fix emulation of "MOV SS, null selector" Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 152/235] KVM: x86: flush pending lapic jump label updates on module unload Jiri Slaby
                   ` (85 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, David Matlack, Paolo Bonzini, Jiri Slaby

From: David Matlack <dmatlack@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b6416e61012429e0277bd15a229222fd17afc1c1 upstream.

Modules that use static_key_deferred need a way to synchronize with
any delayed work that is still pending when the module is unloaded.
Introduce static_key_deferred_flush() which flushes any pending
jump label updates.

[js] no STATIC_KEY_CHECK_USE in 3.12 -> remove it

Signed-off-by: David Matlack <dmatlack@google.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 include/linux/jump_label_ratelimit.h | 4 ++++
 kernel/jump_label.c                  | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/include/linux/jump_label_ratelimit.h b/include/linux/jump_label_ratelimit.h
index 113788389b3d..3f66ce8f0819 100644
--- a/include/linux/jump_label_ratelimit.h
+++ b/include/linux/jump_label_ratelimit.h
@@ -14,6 +14,7 @@ struct static_key_deferred {
 
 #ifdef HAVE_JUMP_LABEL
 extern void static_key_slow_dec_deferred(struct static_key_deferred *key);
+extern void static_key_deferred_flush(struct static_key_deferred *key);
 extern void
 jump_label_rate_limit(struct static_key_deferred *key, unsigned long rl);
 
@@ -25,6 +26,9 @@ static inline void static_key_slow_dec_deferred(struct static_key_deferred *key)
 {
 	static_key_slow_dec(&key->key);
 }
+static inline void static_key_deferred_flush(struct static_key_deferred *key)
+{
+}
 static inline void
 jump_label_rate_limit(struct static_key_deferred *key,
 		unsigned long rl)
diff --git a/kernel/jump_label.c b/kernel/jump_label.c
index 297a9247a3b3..9ce813e99a56 100644
--- a/kernel/jump_label.c
+++ b/kernel/jump_label.c
@@ -113,6 +113,12 @@ void static_key_slow_dec_deferred(struct static_key_deferred *key)
 }
 EXPORT_SYMBOL_GPL(static_key_slow_dec_deferred);
 
+void static_key_deferred_flush(struct static_key_deferred *key)
+{
+	flush_delayed_work(&key->work);
+}
+EXPORT_SYMBOL_GPL(static_key_deferred_flush);
+
 void jump_label_rate_limit(struct static_key_deferred *key,
 		unsigned long rl)
 {
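Review bot: static_key_deferred_flush() is exported with no comment on its calling context. It wraps flush_delayed_work(), which waits for the work item to finish, so it must not be called from atomic context. A short kernel-doc line saying that, and that the function is meant for teardown paths such as module unload, would help users of the new API.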
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 152/235] KVM: x86: flush pending lapic jump label updates on module unload
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (150 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 151/235] jump_labels: API for flushing deferred jump label updates Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 153/235] KVM: x86: Introduce segmented_write_std Jiri Slaby
                   ` (84 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, David Matlack, Paolo Bonzini, Jiri Slaby

From: David Matlack <dmatlack@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit cef84c302fe051744b983a92764d3fcca933415d upstream.

KVM's lapic emulation uses static_key_deferred (apic_{hw,sw}_disabled).
These are implemented with delayed_work structs which can still be
pending when the KVM module is unloaded. We've seen this cause kernel
panics when the kvm_intel module is quickly reloaded.

Use the new static_key_deferred_flush() API to flush pending updates on
module unload.

Signed-off-by: David Matlack <dmatlack@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/kvm/lapic.c | 6 ++++++
 arch/x86/kvm/lapic.h | 1 +
 arch/x86/kvm/x86.c   | 1 +
 3 files changed, 8 insertions(+)

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index a4ce2b2f1418..33d479540373 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1908,3 +1908,9 @@ void kvm_lapic_init(void)
 	jump_label_rate_limit(&apic_hw_disabled, HZ);
 	jump_label_rate_limit(&apic_sw_disabled, HZ);
 }
+
+void kvm_lapic_exit(void)
+{
+	static_key_deferred_flush(&apic_hw_disabled);
+	static_key_deferred_flush(&apic_sw_disabled);
+}
diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
index fc87568fc409..f1fd0753b6ba 100644
--- a/arch/x86/kvm/lapic.h
+++ b/arch/x86/kvm/lapic.h
@@ -93,6 +93,7 @@ static inline bool kvm_hv_vapic_assist_page_enabled(struct kvm_vcpu *vcpu)
 
 int kvm_lapic_enable_pv_eoi(struct kvm_vcpu *vcpu, u64 data);
 void kvm_lapic_init(void);
+void kvm_lapic_exit(void);
 
 static inline u32 kvm_apic_get_reg(struct kvm_lapic *apic, int reg_off)
 {
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 8562aff68884..69e7b0b9a6bb 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5573,6 +5573,7 @@ out:
 
 void kvm_arch_exit(void)
 {
+	kvm_lapic_exit();
 	perf_unregister_guest_info_callbacks(&kvm_guest_cbs);
 
 	if (!boot_cpu_has(X86_FEATURE_CONSTANT_TSC))
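Review bot: kvm_lapic_exit() is the first call in kvm_arch_exit(), so the flush is only sufficient if nothing that runs after this point can still call static_key_slow_dec_deferred() on apic_hw_disabled or apic_sw_disabled and queue new work. A one-line comment here stating why no further decrements can happen once kvm_arch_exit() runs would make that assumption explicit.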
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 153/235] KVM: x86: Introduce segmented_write_std
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (151 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 152/235] KVM: x86: flush pending lapic jump label updates on module unload Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 154/235] USB: serial: kl5kusb105: fix line-state error handling Jiri Slaby
                   ` (83 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Steve Rutherford, Paolo Bonzini, Jiri Slaby

From: Steve Rutherford <srutherford@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 129a72a0d3c8e139a04512325384fe5ac119e74d upstream.

Introduces segmented_write_std.

Switches from emulated reads/writes to standard read/writes in fxsave,
fxrstor, sgdt, and sidt.  This fixes CVE-2017-2584, a longstanding
kernel memory leak.

Since commit 283c95d0e389 ("KVM: x86: emulate FXSAVE and FXRSTOR",
2016-11-09), which is luckily not yet in any final release, this would
also be an exploitable kernel memory *write*!

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: 96051572c819194c37a8367624b285be10297eca
Fixes: 283c95d0e3891b64087706b344a4b545d04a6e62
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Steve Rutherford <srutherford@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/kvm/emulate.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 1bc518bdbd87..0b45efc5318f 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -744,6 +744,20 @@ static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
 	return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
 }
 
+static int segmented_write_std(struct x86_emulate_ctxt *ctxt,
+			       struct segmented_address addr,
+			       void *data,
+			       unsigned int size)
+{
+	int rc;
+	ulong linear;
+
+	rc = linearize(ctxt, addr, size, true, &linear);
+	if (rc != X86EMUL_CONTINUE)
+		return rc;
+	return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
+}
+
 /*
  * Fetch the next byte of the instruction being emulated which is pointed to
  * by ctxt->_eip, then increment ctxt->_eip.
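Review bot: segmented_write_std() is added without a comment telling callers when to use it instead of segmented_write(). The choice between the two is what the CVE fix turns on, so a short comment above the function saying which kind of access must take the _std path would keep later emulation code from picking the wrong helper.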
@@ -3207,8 +3221,8 @@ static int emulate_store_desc_ptr(struct x86_emulate_ctxt *ctxt,
 	}
 	/* Disable writeback. */
 	ctxt->dst.type = OP_NONE;
-	return segmented_write(ctxt, ctxt->dst.addr.mem,
-			       &desc_ptr, 2 + ctxt->op_bytes);
+	return segmented_write_std(ctxt, ctxt->dst.addr.mem,
+				   &desc_ptr, 2 + ctxt->op_bytes);
 }
 
 static int em_sgdt(struct x86_emulate_ctxt *ctxt)
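Review bot: The changelog says fxsave, fxrstor, sgdt and sidt are switched, but the only call site changed in this backport is the one in emulate_store_desc_ptr(). If 3.12 has no FXSAVE/FXRSTOR emulation, a [js] line saying so would make clear that nothing was dropped by accident, and that the "exploitable kernel memory write" paragraph does not apply to this tree.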
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 154/235] USB: serial: kl5kusb105: fix line-state error handling
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (152 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 153/235] KVM: x86: Introduce segmented_write_std Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 155/235] USB: serial: ch341: fix initial modem-control state Jiri Slaby
                   ` (82 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 146cc8a17a3b4996f6805ee5c080e7101277c410 upstream.

The current implementation failed to detect short transfers when
attempting to read the line state, and also, to make things worse,
logged the content of the uninitialised heap transfer buffer.

Fixes: abf492e7b3ae ("USB: kl5kusb105: fix DMA buffers on stack")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/kl5kusb105.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/serial/kl5kusb105.c b/drivers/usb/serial/kl5kusb105.c
index 69eb056dd6ea..b6794baf0a3b 100644
--- a/drivers/usb/serial/kl5kusb105.c
+++ b/drivers/usb/serial/kl5kusb105.c
@@ -198,10 +198,11 @@ static int klsi_105_get_line_state(struct usb_serial_port *port,
 			     status_buf, KLSI_STATUSBUF_LEN,
 			     10000
 			     );
-	if (rc < 0)
-		dev_err(&port->dev, "Reading line status failed (error = %d)\n",
-			rc);
-	else {
+	if (rc != KLSI_STATUSBUF_LEN) {
+		dev_err(&port->dev, "reading line status failed: %d\n", rc);
+		if (rc >= 0)
+			rc = -EIO;
+	} else {
 		status = get_unaligned_le16(status_buf);
 
 		dev_info(&port->serial->dev->dev, "read status %x %x",
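Review bot: The new test rc != KLSI_STATUSBUF_LEN folds a short read and a transfer error into one message, so "reading line status failed: 1" gives no hint that a byte count rather than an errno was printed. Printing the expected length in the short case would remove the ambiguity. The unchanged dev_info() on the success path also logs every status read at info level, and its format string has no trailing newline; dev_dbg() with a newline would fit better.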
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 155/235] USB: serial: ch341: fix initial modem-control state
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (153 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 154/235] USB: serial: kl5kusb105: fix line-state error handling Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 156/235] USB: serial: ch341: fix open error handling Jiri Slaby
                   ` (81 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 4e2da44691cffbfffb1535f478d19bc2dca3e62b upstream.

DTR and RTS will be asserted by the tty-layer when the port is opened
and deasserted on close (if HUPCL is set). Make sure the initial state
is not-asserted before the port is first opened as well.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/ch341.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index c2a4171ab9cb..2272f4f8e4a0 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -252,7 +252,6 @@ static int ch341_port_probe(struct usb_serial_port *port)
 
 	spin_lock_init(&priv->lock);
 	priv->baud_rate = DEFAULT_BAUD_RATE;
-	priv->line_control = CH341_BIT_RTS | CH341_BIT_DTR;
 
 	r = ch341_configure(port->serial->dev, priv);
 	if (r < 0)
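Review bot: With the assignment removed, priv->line_control in ch341_port_probe() keeps whatever value the allocation left in it, and the allocation is not part of this hunk. The fix is only correct if priv comes from a zeroing allocator such as kzalloc(). Please confirm that for 3.12, or set priv->line_control to 0 explicitly before ch341_configure() is called.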
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 156/235] USB: serial: ch341: fix open error handling
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (154 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 155/235] USB: serial: ch341: fix initial modem-control state Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 157/235] USB: serial: ch341: fix control-message " Jiri Slaby
                   ` (80 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f2950b78547ffb8475297ada6b92bc2d774d5461 upstream.

Make sure to stop the interrupt URB before returning on errors during
open.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/ch341.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index 2272f4f8e4a0..52ac5fd05814 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -315,15 +315,15 @@ static int ch341_open(struct tty_struct *tty, struct usb_serial_port *port)
 
 	r = ch341_configure(serial->dev, priv);
 	if (r)
-		goto out;
+		return r;
 
 	r = ch341_set_handshake(serial->dev, priv->line_control);
 	if (r)
-		goto out;
+		return r;
 
 	r = ch341_set_baudrate(serial->dev, priv);
 	if (r)
-		goto out;
+		return r;
 
 	dev_dbg(&port->dev, "%s - submitting interrupt urb", __func__);
 	r = usb_submit_urb(port->interrupt_in_urb, GFP_KERNEL);
@@ -331,12 +331,19 @@ static int ch341_open(struct tty_struct *tty, struct usb_serial_port *port)
 		dev_err(&port->dev, "%s - failed submitting interrupt urb,"
 			" error %d\n", __func__, r);
 		ch341_close(port);
-		goto out;
+		return r;
 	}
 
 	r = usb_serial_generic_open(tty, port);
+	if (r)
+		goto err_kill_interrupt_urb;
 
-out:	return r;
+	return 0;
+
+err_kill_interrupt_urb:
+	usb_kill_urb(port->interrupt_in_urb);
+
+	return r;
 }
 
 /* Old_termios contains the original termios settings and
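Review bot: The two failure paths that run after the interrupt URB is involved now clean up differently: a failed usb_submit_urb() still calls ch341_close(port), while a failed usb_serial_generic_open() only calls usb_kill_urb(). If ch341_close() does more than stop the URB, one of the two paths does too much or too little. Using the same cleanup for both, or a comment explaining the difference, would make the error handling easier to verify.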
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 157/235] USB: serial: ch341: fix control-message error handling
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (155 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 156/235] USB: serial: ch341: fix open error handling Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 158/235] USB: serial: ch341: fix open and resume after B0 Jiri Slaby
                   ` (79 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 2d5a9c72d0c4ac73cf97f4b7814ed6c44b1e49ae upstream.

A short control transfer would currently fail to be detected, something
which could lead to stale buffer data being used as valid input.

Check for short transfers, and make sure to log any transfer errors.

Note that this also avoids leaking heap data to user space (TIOCMGET)
and the remote device (break control).

Fixes: 6ce76104781a ("USB: Driver for CH341 USB-serial adaptor")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/ch341.c | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index 52ac5fd05814..db37b16a275a 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -97,6 +97,8 @@ static int ch341_control_out(struct usb_device *dev, u8 request,
 	r = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), request,
 			    USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT,
 			    value, index, NULL, 0, DEFAULT_TIMEOUT);
+	if (r < 0)
+		dev_err(&dev->dev, "failed to send control message: %d\n", r);
 
 	return r;
 }
@@ -114,7 +116,20 @@ static int ch341_control_in(struct usb_device *dev,
 	r = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), request,
 			    USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_IN,
 			    value, index, buf, bufsize, DEFAULT_TIMEOUT);
-	return r;
+	if (r < bufsize) {
+		if (r >= 0) {
+			dev_err(&dev->dev,
+				"short control message received (%d < %u)\n",
+				r, bufsize);
+			r = -EIO;
+		}
+
+		dev_err(&dev->dev, "failed to receive control message: %d\n",
+			r);
+		return r;
+	}
+
+	return 0;
 }
 
 static int ch341_set_baudrate(struct usb_device *dev,
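Review bot: In ch341_control_in() the test r < bufsize compares an int with bufsize, which the %u in the new message suggests is unsigned. If it is, r is converted to unsigned before the comparison, so a negative errno from usb_control_msg() compares as a very large count, the branch is skipped and the function returns 0 with buf never filled. Test r < 0 first, or compare against (int)bufsize. A short transfer also logs twice, once as "short control message received" and once as "failed to receive control message".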
@@ -156,9 +171,9 @@ static int ch341_set_handshake(struct usb_device *dev, u8 control)
 
 static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
 {
+	const unsigned int size = 2;
 	char *buffer;
 	int r;
-	const unsigned size = 8;
 	unsigned long flags;
 
 	buffer = kmalloc(size, GFP_KERNEL);
@@ -169,15 +184,10 @@ static int ch341_get_status(struct usb_device *dev, struct ch341_private *priv)
 	if (r < 0)
 		goto out;
 
-	/* setup the private status if available */
-	if (r == 2) {
-		r = 0;
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
-		priv->multi_status_change = 0;
-		spin_unlock_irqrestore(&priv->lock, flags);
-	} else
-		r = -EPROTO;
+	spin_lock_irqsave(&priv->lock, flags);
+	priv->line_status = (~(*buffer)) & CH341_BITS_MODEM_STAT;
+	priv->multi_status_change = 0;
+	spin_unlock_irqrestore(&priv->lock, flags);
 
 out:	kfree(buffer);
 	return r;
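Review bot: With the r == 2 test removed, ch341_get_status() trusts *buffer whenever ch341_control_in() returns 0, and buffer comes from kmalloc(), which does not zero it. The length check inside ch341_control_in() is now the only thing between a failed transfer and stale heap data in priv->line_status. A comment here naming that dependency would stop a later change to ch341_control_in() from silently reopening the leak.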
@@ -187,9 +197,9 @@ out:	kfree(buffer);
 
 static int ch341_configure(struct usb_device *dev, struct ch341_private *priv)
 {
+	const unsigned int size = 2;
 	char *buffer;
 	int r;
-	const unsigned size = 8;
 
 	buffer = kmalloc(size, GFP_KERNEL);
 	if (!buffer)
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread
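The short-transfer check described in the ch341 control-message patch above (157/235) and in the kl5kusb105 patch (154/235), modelled in user space as an added example that is not the drivers' code. fake_control_msg(), the variant names and the sample bytes are constructed for illustration; the PROMOTED variant assumes bufsize is an unsigned int, as the %u in the patch's message suggests.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define STATUS_LEN 2u   /* the patch shrinks the status buffer to 2 bytes */
#define STALE_BYTE 0xAA /* constructed stand-in for old heap contents */

/* Constructed device model: ret is what the transfer returns, either a
 * byte count (possibly short) or a negative errno. */
struct fake_dev {
	unsigned char data[STATUS_LEN];
	int ret;
};

/* Hypothetical stand-in for usb_control_msg() on an IN pipe. */
static int fake_control_msg(const struct fake_dev *d, unsigned char *buf,
			    unsigned int size)
{
	unsigned int n;

	if (d->ret < 0)
		return d->ret;
	n = (unsigned int)d->ret < size ? (unsigned int)d->ret : size;
	memcpy(buf, d->data, n);
	return (int)n;
}

enum variant { UNCHECKED, PROMOTED, CHECKED };

static int control_in(enum variant v, const struct fake_dev *d,
		      unsigned char *buf, unsigned int bufsize)
{
	int r = fake_control_msg(d, buf, bufsize);

	switch (v) {
	case UNCHECKED:
		/* Pre-patch shape: hand the raw return value to the caller. */
		return r;
	case PROMOTED:
		/* What "r < bufsize" evaluates when bufsize is unsigned: r is
		 * converted first, so a negative errno compares as a huge
		 * count and falls through to the success return. */
		if ((unsigned int)r < bufsize)
			return -EIO;
		return 0;
	case CHECKED:
	default:
		/* Errors first, then the length, both in a defined order. */
		if (r < 0)
			return r;
		if ((unsigned int)r < bufsize)
			return -EIO;
		return 0;
	}
}

/* Caller in the style of a status read: any non-negative result is taken
 * as success and buf[0] is then trusted. */
static int get_status(enum variant v, const struct fake_dev *d,
		      unsigned char *status)
{
	unsigned char buf[STATUS_LEN];
	int r;

	memset(buf, STALE_BYTE, sizeof(buf)); /* models kmalloc() leftovers */
	r = control_in(v, d, buf, STATUS_LEN);
	if (r < 0)
		return r;
	*status = buf[0];
	return 0;
}

/* Returns 1 when the caller accepted a status byte the device never sent. */
static int accepts_stale(enum variant v, int transfer_ret)
{
	struct fake_dev d = { { 0x5C, 0x00 }, transfer_ret };
	unsigned char status = 0;

	return get_status(v, &d, &status) == 0 && status == STALE_BYTE;
}

int main(void)
{
	static const char *const name[] = { "unchecked", "promoted", "checked" };
	const int rets[] = { 2, 0, -ETIMEDOUT }; /* full, short, error */
	unsigned int v, i;

	for (v = UNCHECKED; v <= CHECKED; v++)
		for (i = 0; i < 3; i++)
			printf("%-9s transfer=%4d stale accepted=%d\n",
			       name[v], rets[i],
			       accepts_stale((enum variant)v, rets[i]));
	return 0;
}
```

The unchecked variant accepts stale data on a zero-length transfer, and the promoted variant accepts it on a transfer error, which is the case a length check is easiest to get wrong.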

* [PATCH 3.12 158/235] USB: serial: ch341: fix open and resume after B0
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (156 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 157/235] USB: serial: ch341: fix control-message " Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 159/235] i2c: fix kernel memory disclosure in dev interface Jiri Slaby
                   ` (78 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit a20047f36e2f6a1eea4f1fd261aaa55882369868 upstream.

The private baud_rate variable is used to configure the port at open and
reset-resume and must never be set to (and left at) zero or reset-resume
and all further open attempts will fail.

Fixes: aa91def41a7b ("USB: ch341: set tty baud speed according to tty struct")
Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/ch341.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index db37b16a275a..e9cfd40e9e4a 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -368,12 +368,11 @@ static void ch341_set_termios(struct tty_struct *tty,
 
 	baud_rate = tty_get_baud_rate(tty);
 
-	priv->baud_rate = baud_rate;
-
 	if (baud_rate) {
 		spin_lock_irqsave(&priv->lock, flags);
 		priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
 		spin_unlock_irqrestore(&priv->lock, flags);
+		priv->baud_rate = baud_rate;
 		ch341_set_baudrate(port->serial->dev, priv);
 	} else {
 		spin_lock_irqsave(&priv->lock, flags);
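Review bot: The moved assignment priv->baud_rate = baud_rate now sits directly after spin_unlock_irqrestore(), outside the lock that guards priv->line_control two lines above it. If baud_rate needs no locking, a comment saying so would help; otherwise move the store inside the locked region. The changelog could also state that B0 now leaves the previous rate in priv->baud_rate, since that is the behavioural change.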
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 159/235] i2c: fix kernel memory disclosure in dev interface
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (157 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 158/235] USB: serial: ch341: fix open and resume after B0 Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 160/235] xhci: fix deadlock at host remove by running watchdog correctly Jiri Slaby
                   ` (77 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Vlad Tsyrklevich, Wolfram Sang, Jiri Slaby

From: Vlad Tsyrklevich <vlad@tsyrklevich.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 30f939feaeee23e21391cfc7b484f012eb189c3c upstream.

i2c_smbus_xfer() does not always fill an entire block, allowing
kernel stack memory disclosure through the temp variable. Clear
it before it's read to.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/i2c/i2c-dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index c3ccdea3d180..fa3ecec524fa 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -328,7 +328,7 @@ static noinline int i2cdev_ioctl_smbus(struct i2c_client *client,
 		unsigned long arg)
 {
 	struct i2c_smbus_ioctl_data data_arg;
-	union i2c_smbus_data temp;
+	union i2c_smbus_data temp = {};
 	int datasize, res;
 
 	if (copy_from_user(&data_arg,
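Review bot: The initializer on union i2c_smbus_data temp relies on the compiler clearing the whole union: an initializer list for a union is specified in terms of its first member, and the empty-brace form is a GNU extension. Since the requirement is that no uninitialised stack byte can reach user space, a memset(&temp, 0, sizeof(temp)) before the copy_from_user() would state that directly and not depend on compiler behaviour.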
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 160/235] xhci: fix deadlock at host remove by running watchdog correctly
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (158 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 159/235] i2c: fix kernel memory disclosure in dev interface Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 161/235] vme: Fix wrong pointer utilization in ca91cx42_slave_get Jiri Slaby
                   ` (76 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Mathias Nyman, Jiri Slaby

From: Mathias Nyman <mathias.nyman@linux.intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d6169d04097fd9ddf811e63eae4e5cd71e6666e2 upstream.

If a URB is killed while the host is removed we can end up in a situation
where the hub thread takes the roothub device lock, and waits for
the URB to be given back by xhci-hcd, blocking the host remove code.

xhci-hcd tries to stop the endpoint and give back the urb, but can't
as the host is removed from PCI bus at the same time, preventing the normal
way of giving back urb.

Instead we need to rely on the stop command timeout function to give back
the urb. This xhci_stop_endpoint_command_watchdog() timeout function
used a XHCI_STATE_DYING flag to indicate if the timeout function is already
running, but later this flag has been taken into use in other places to
mark that xhci is dying.

Remove checks for XHCI_STATE_DYING in xhci_urb_dequeue. We are still
checking that reading from pci state does not return 0xffffffff or that
host is not halted before trying to stop the endpoint.

This whole area of stopping endpoints, giving back URBs, and the watchdog
timeout needs rework, this fix focuses on solving a specific deadlock
issue that we can then send to stable before any major rework.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/host/xhci-ring.c |  7 -------
 drivers/usb/host/xhci.c      | 13 -------------
 2 files changed, 20 deletions(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 4bcea54f60cd..8f1159612593 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -948,13 +948,6 @@ void xhci_stop_endpoint_command_watchdog(unsigned long arg)
 	spin_lock_irqsave(&xhci->lock, flags);
 
 	ep->stop_cmds_pending--;
-	if (xhci->xhc_state & XHCI_STATE_DYING) {
-		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
-				"Stop EP timer ran, but another timer marked "
-				"xHCI as DYING, exiting.");
-		spin_unlock_irqrestore(&xhci->lock, flags);
-		return;
-	}
 	if (!(ep->stop_cmds_pending == 0 && (ep->ep_state & EP_HALT_PENDING))) {
 		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
 				"Stop EP timer ran, but no command pending, "
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index ea185eaeae28..04ba50b05075 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1538,19 +1538,6 @@ int xhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
 		xhci_urb_free_priv(xhci, urb_priv);
 		return ret;
 	}
-	if ((xhci->xhc_state & XHCI_STATE_DYING) ||
-			(xhci->xhc_state & XHCI_STATE_HALTED)) {
-		xhci_dbg_trace(xhci, trace_xhci_dbg_cancel_urb,
-				"Ep 0x%x: URB %p to be canceled on "
-				"non-responsive xHCI host.",
-				urb->ep->desc.bEndpointAddress, urb);
-		/* Let the stop endpoint command watchdog timer (which set this
-		 * state) finish cleaning up the endpoint TD lists.  We must
-		 * have caught it in the middle of dropping a lock and giving
-		 * back an URB.
-		 */
-		goto done;
-	}
 
 	ep_index = xhci_get_endpoint_index(&urb->ep->desc);
 	ep = &xhci->devs[urb->dev->slot_id]->eps[ep_index];
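Review bot: The condition removed from xhci_urb_dequeue() tests XHCI_STATE_HALTED as well as XHCI_STATE_DYING, while the changelog says the host-halted check is kept. If the remaining check is one earlier in the function (not visible in this hunk), please name it in the changelog. The changelog also does not mention the xhci-ring.c hunk: the debug message deleted there shows that the test kept a second watchdog from running once another timer had marked the host as dying, so it should say what now prevents two instances from both doing the cleanup.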
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 161/235] vme: Fix wrong pointer utilization in ca91cx42_slave_get
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (159 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 160/235] xhci: fix deadlock at host remove by running watchdog correctly Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 162/235] sysrq: attach sysrq handler correctly for 32-bit kernel Jiri Slaby
                   ` (75 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Augusto Mecking Caringi, Jiri Slaby

From: Augusto Mecking Caringi <augustocaringi@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c8a6a09c1c617402cc9254b2bc8da359a0347d75 upstream.

In the ca91cx42_slave_get function, the value pointed to by the vme_base pointer is
set through:

*vme_base = ioread32(bridge->base + CA91CX42_VSI_BS[i]);

So it must be dereferenced to be used in calculation of pci_base:

*pci_base = (dma_addr_t)*vme_base + pci_offset;

This bug was caught thanks to the following gcc warning:

drivers/vme/bridges/vme_ca91cx42.c: In function ‘ca91cx42_slave_get’:
drivers/vme/bridges/vme_ca91cx42.c:467:14: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
*pci_base = (dma_addr_t)vme_base + pci_offset;

Signed-off-by: Augusto Mecking Caringi <augustocaringi@gmail.com>
Acked-By: Martyn Welch <martyn@welchs.me.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/vme/bridges/vme_ca91cx42.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/vme/bridges/vme_ca91cx42.c b/drivers/vme/bridges/vme_ca91cx42.c
index 1abbf80ffb19..9733b8a7fea7 100644
--- a/drivers/vme/bridges/vme_ca91cx42.c
+++ b/drivers/vme/bridges/vme_ca91cx42.c
@@ -468,7 +468,7 @@ static int ca91cx42_slave_get(struct vme_slave_resource *image, int *enabled,
 	vme_bound = ioread32(bridge->base + CA91CX42_VSI_BD[i]);
 	pci_offset = ioread32(bridge->base + CA91CX42_VSI_TO[i]);
 
-	*pci_base = (dma_addr_t)vme_base + pci_offset;
+	*pci_base = (dma_addr_t)*vme_base + pci_offset;
 	*size = (unsigned long long)((vme_bound - *vme_base) + granularity);
 
 	*enabled = 0;
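Review bot: In the fixed line the cast applies to *vme_base before the addition, so if dma_addr_t is narrower than the type vme_base points to, the VME base is truncated before pci_offset is added. If that is intended, a comment would help; otherwise do the addition in the wider type and cast the sum. The following line already uses *vme_base, which supports the changelog's reading that the missing dereference was a slip.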
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 162/235] sysrq: attach sysrq handler correctly for 32-bit kernel
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (160 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 161/235] vme: Fix wrong pointer utilization in ca91cx42_slave_get Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 163/235] sysctl: Drop reference added by grab_header in proc_sys_readdir Jiri Slaby
                   ` (74 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Akinobu Mita, Jiri Slaby, Greg Kroah-Hartman, Jiri Slaby

From: Akinobu Mita <akinobu.mita@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 802c03881f29844af0252b6e22be5d2f65f93fd0 upstream.

The sysrq input handler should be attached to the input device which has
a left alt key.

On 32-bit kernels, some input devices which have a left alt key cannot
attach the sysrq handler, because the keybit bitmap in struct input_device_id
for sysrq is not correctly initialized.  KEY_LEFTALT is 56 which is
greater than BITS_PER_LONG on 32-bit kernels.

I found this problem when using a matrix keypad device which defines
a KEY_LEFTALT (56) but doesn't have a KEY_O (24 == 56%32).

Cc: Jiri Slaby <jslaby@suse.com>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/tty/sysrq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index 3b9b80856c1b..aefe343b4212 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -925,8 +925,8 @@ static const struct input_device_id sysrq_ids[] = {
 	{
 		.flags = INPUT_DEVICE_ID_MATCH_EVBIT |
 				INPUT_DEVICE_ID_MATCH_KEYBIT,
-		.evbit = { BIT_MASK(EV_KEY) },
-		.keybit = { BIT_MASK(KEY_LEFTALT) },
+		.evbit = { [BIT_WORD(EV_KEY)] = BIT_MASK(EV_KEY) },
+		.keybit = { [BIT_WORD(KEY_LEFTALT)] = BIT_MASK(KEY_LEFTALT) },
 	},
 	{ },
 };
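Review bot: The `.evbit` line changes form as well, but the changelog only explains the `.keybit` problem (KEY_LEFTALT is 56, above BITS_PER_LONG on 32-bit). EV_KEY lands in word 0 either way, so that half of the change is for consistency only; saying so in the changelog would keep a later reader from looking for a second bug. Since the old `{ BIT_MASK(KEY_LEFTALT) }` form ended up matching bit 24 (KEY_O, per the changelog) instead, it is also worth checking other `input_device_id` tables for the same positional initializer with key codes of 32 or more.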
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 163/235] sysctl: Drop reference added by grab_header in proc_sys_readdir
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (161 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 162/235] sysrq: attach sysrq handler correctly for 32-bit kernel Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 164/235] drm/radeon: drop verde dpm quirks Jiri Slaby
                   ` (73 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Zhou Chengming, Eric W . Biederman, Jiri Slaby

From: Zhou Chengming <zhouchengming1@huawei.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 93362fa47fe98b62e4a34ab408c4a418432e7939 upstream.

Fixes CVE-2016-9191: proc_sys_readdir doesn't drop the reference
added by grab_header when returning from the !dir_emit_dots path.
This can cause any path that calls unregister_sysctl_table to
wait forever.

The calltrace of CVE-2016-9191:

[ 5535.960522] Call Trace:
[ 5535.963265]  [<ffffffff817cdaaf>] schedule+0x3f/0xa0
[ 5535.968817]  [<ffffffff817d33fb>] schedule_timeout+0x3db/0x6f0
[ 5535.975346]  [<ffffffff817cf055>] ? wait_for_completion+0x45/0x130
[ 5535.982256]  [<ffffffff817cf0d3>] wait_for_completion+0xc3/0x130
[ 5535.988972]  [<ffffffff810d1fd0>] ? wake_up_q+0x80/0x80
[ 5535.994804]  [<ffffffff8130de64>] drop_sysctl_table+0xc4/0xe0
[ 5536.001227]  [<ffffffff8130de17>] drop_sysctl_table+0x77/0xe0
[ 5536.007648]  [<ffffffff8130decd>] unregister_sysctl_table+0x4d/0xa0
[ 5536.014654]  [<ffffffff8130deff>] unregister_sysctl_table+0x7f/0xa0
[ 5536.021657]  [<ffffffff810f57f5>] unregister_sched_domain_sysctl+0x15/0x40
[ 5536.029344]  [<ffffffff810d7704>] partition_sched_domains+0x44/0x450
[ 5536.036447]  [<ffffffff817d0761>] ? __mutex_unlock_slowpath+0x111/0x1f0
[ 5536.043844]  [<ffffffff81167684>] rebuild_sched_domains_locked+0x64/0xb0
[ 5536.051336]  [<ffffffff8116789d>] update_flag+0x11d/0x210
[ 5536.057373]  [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450
[ 5536.064186]  [<ffffffff81167acb>] ? cpuset_css_offline+0x1b/0x60
[ 5536.070899]  [<ffffffff810fce3d>] ? trace_hardirqs_on+0xd/0x10
[ 5536.077420]  [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450
[ 5536.084234]  [<ffffffff8115a9f5>] ? css_killed_work_fn+0x25/0x220
[ 5536.091049]  [<ffffffff81167ae5>] cpuset_css_offline+0x35/0x60
[ 5536.097571]  [<ffffffff8115aa2c>] css_killed_work_fn+0x5c/0x220
[ 5536.104207]  [<ffffffff810bc83f>] process_one_work+0x1df/0x710
[ 5536.110736]  [<ffffffff810bc7c0>] ? process_one_work+0x160/0x710
[ 5536.117461]  [<ffffffff810bce9b>] worker_thread+0x12b/0x4a0
[ 5536.123697]  [<ffffffff810bcd70>] ? process_one_work+0x710/0x710
[ 5536.130426]  [<ffffffff810c3f7e>] kthread+0xfe/0x120
[ 5536.135991]  [<ffffffff817d4baf>] ret_from_fork+0x1f/0x40
[ 5536.142041]  [<ffffffff810c3e80>] ? kthread_create_on_node+0x230/0x230

One cgroup maintainer mentioned that "cgroup is trying to offline
a cpuset css, which takes place under cgroup_mutex.  The offlining
ends up trying to drain active usages of a sysctl table which apparently
is not happening."
The real reason is that proc_sys_readdir doesn't drop the reference added
by grab_header when returning from the !dir_emit_dots path. So this cpuset
offline path will wait here forever.

See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13

Fixes: f0c3b5093add ("[readdir] convert procfs")
Reported-by: CAI Qian <caiqian@redhat.com>
Tested-by: Yang Shukui <yangshukui@huawei.com>
Signed-off-by: Zhou Chengming <zhouchengming1@huawei.com>
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/proc/proc_sysctl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 71290463a1d3..c615a4592572 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -666,7 +666,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx)
 	ctl_dir = container_of(head, struct ctl_dir, header);
 
 	if (!dir_emit_dots(file, ctx))
-		return 0;
+		goto out;
 
 	pos = 2;
 
@@ -676,6 +676,7 @@ static int proc_sys_readdir(struct file *file, struct dir_context *ctx)
 			break;
 		}
 	}
+out:
 	sysctl_head_finish(head);
 	return 0;
 }
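Review bot: The `out:` label now carries the invariant that every exit taken after grab_header() must pass through `sysctl_head_finish(head)`, but nothing in the function says so. A one-line comment at the label (or at the `goto out;` after `dir_emit_dots()`) stating that it drops the reference taken by grab_header() would make a future bare `return 0;` in this function stand out in review, which is the pattern behind the CVE-2016-9191 hang described in the changelog.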
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 164/235] drm/radeon: drop verde dpm quirks
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (162 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 163/235] sysctl: Drop reference added by grab_header in proc_sys_readdir Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 165/235] USB: serial: ch341: fix resume after reset Jiri Slaby
                   ` (72 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alex Deucher, Adrian Fiergolski, Jiri Slaby

From: Alex Deucher <alexander.deucher@amd.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8a08403bcb39f5d0e733bcf59a8a74f16b538f6e upstream.

fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=98897
https://bugs.launchpad.net/bugs/1651981

Acked-by: Edward O'Callaghan <funfunctor@folklore1984.net>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Adrian Fiergolski <A.Fiergolski@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/gpu/drm/radeon/si_dpm.c | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/drivers/gpu/drm/radeon/si_dpm.c b/drivers/gpu/drm/radeon/si_dpm.c
index 38686f92536f..f7af7a8e4cd0 100644
--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -2943,19 +2943,6 @@ static void si_apply_state_adjust_rules(struct radeon_device *rdev,
 		    (rdev->pdev->device == 0x6817) ||
 		    (rdev->pdev->device == 0x6806))
 			max_mclk = 120000;
-	} else if (rdev->family == CHIP_VERDE) {
-		if ((rdev->pdev->revision == 0x81) ||
-		    (rdev->pdev->revision == 0x83) ||
-		    (rdev->pdev->revision == 0x87) ||
-		    (rdev->pdev->device == 0x6820) ||
-		    (rdev->pdev->device == 0x6821) ||
-		    (rdev->pdev->device == 0x6822) ||
-		    (rdev->pdev->device == 0x6823) ||
-		    (rdev->pdev->device == 0x682A) ||
-		    (rdev->pdev->device == 0x682B)) {
-			max_sclk = 75000;
-			max_mclk = 80000;
-		}
 	} else if (rdev->family == CHIP_OLAND) {
 		if ((rdev->pdev->revision == 0xC7) ||
 		    (rdev->pdev->revision == 0x80) ||
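Review bot: The changelog gives two bug links and no reason, while the removed CHIP_VERDE branch capped both clocks (`max_sclk = 75000; max_mclk = 80000;`) for three revisions and six device ids. Please state in the commit message why the cap is no longer needed or what now covers these parts, so that someone bisecting a Verde stability regression on 3.12 can tell from the log whether this removal is a suspect without opening the bug trackers.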
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 165/235] USB: serial: ch341: fix resume after reset
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (163 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 164/235] drm/radeon: drop verde dpm quirks Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:54 ` [PATCH 3.12 166/235] USB: serial: ch341: fix modem-control and B0 handling Jiri Slaby
                   ` (71 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ce5e292828117d1b71cbd3edf9e9137cf31acd30 upstream.

Fix reset-resume handling which failed to resubmit the read and
interrupt URBs, thereby leaving a port that was open before suspend in a
broken state until closed and reopened.

Fixes: 1ded7ea47b88 ("USB: ch341 serial: fix port number changed after
resume")
Fixes: 2bfd1c96a9fb ("USB: serial: ch341: remove reset_resume callback")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/ch341.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index e9cfd40e9e4a..be51cd98311e 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -585,14 +585,23 @@ static int ch341_tiocmget(struct tty_struct *tty)
 
 static int ch341_reset_resume(struct usb_serial *serial)
 {
-	struct ch341_private *priv;
-
-	priv = usb_get_serial_port_data(serial->port[0]);
+	struct usb_serial_port *port = serial->port[0];
+	struct ch341_private *priv = usb_get_serial_port_data(port);
+	int ret;
 
 	/* reconfigure ch341 serial port after bus-reset */
 	ch341_configure(serial->dev, priv);
 
-	return 0;
+	if (test_bit(ASYNCB_INITIALIZED, &port->port.flags)) {
+		ret = usb_submit_urb(port->interrupt_in_urb, GFP_NOIO);
+		if (ret) {
+			dev_err(&port->dev, "failed to submit interrupt urb: %d\n",
+				ret);
+			return ret;
+		}
+	}
+
+	return usb_serial_generic_resume(serial);
 }
 
 static struct usb_serial_driver ch341_device = {
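Review bot: In ch341_reset_resume() the result of `ch341_configure(serial->dev, priv);` is still ignored, while the new code right below it checks and returns the `usb_submit_urb()` error. If reconfiguration after the bus reset fails, the function goes on to resubmit the interrupt URB and call usb_serial_generic_resume() on a port that was not set up again. Consider checking that return value too and bailing out before any URB is submitted.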
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 166/235] USB: serial: ch341: fix modem-control and B0 handling
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (164 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 165/235] USB: serial: ch341: fix resume after reset Jiri Slaby
@ 2017-01-27 10:54 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 167/235] x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option Jiri Slaby
                   ` (70 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:54 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 030ee7ae52a46a2be52ccc8242c4a330aba8d38e upstream.

The modem-control signals are managed by the tty-layer during open and
should not be asserted prematurely when set_termios is called from
driver open.

Also make sure that the signals are asserted only when changing speed
from B0.

Fixes: 664d5df92e88 ("USB: usb-serial ch341: support for DTR/RTS/CTS")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/usb/serial/ch341.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/usb/serial/ch341.c b/drivers/usb/serial/ch341.c
index be51cd98311e..a4e5be5aea46 100644
--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -369,24 +369,24 @@ static void ch341_set_termios(struct tty_struct *tty,
 	baud_rate = tty_get_baud_rate(tty);
 
 	if (baud_rate) {
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
-		spin_unlock_irqrestore(&priv->lock, flags);
 		priv->baud_rate = baud_rate;
 		ch341_set_baudrate(port->serial->dev, priv);
-	} else {
-		spin_lock_irqsave(&priv->lock, flags);
-		priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
-		spin_unlock_irqrestore(&priv->lock, flags);
 	}
 
-	ch341_set_handshake(port->serial->dev, priv->line_control);
-
 	/* Unimplemented:
 	 * (cflag & CSIZE) : data bits [5, 8]
 	 * (cflag & PARENB) : parity {NONE, EVEN, ODD}
 	 * (cflag & CSTOPB) : stop bits [1, 2]
 	 */
+
+	spin_lock_irqsave(&priv->lock, flags);
+	if (C_BAUD(tty) == B0)
+		priv->line_control &= ~(CH341_BIT_DTR | CH341_BIT_RTS);
+	else if (old_termios && (old_termios->c_cflag & CBAUD) == B0)
+		priv->line_control |= (CH341_BIT_DTR | CH341_BIT_RTS);
+	spin_unlock_irqrestore(&priv->lock, flags);
+
+	ch341_set_handshake(port->serial->dev, priv->line_control);
 }
 
 static void ch341_break_ctl(struct tty_struct *tty, int break_state)
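Review bot: The final `ch341_set_handshake(port->serial->dev, priv->line_control);` reads `priv->line_control` after `spin_unlock_irqrestore()`, so the value sent to the device can differ from the one just computed under `priv->lock` if another path updates the field in between. Copying the field to a local while the lock is held and passing the local would close that window. A short comment noting that a NULL `old_termios` (the call from driver open, per the changelog) intentionally leaves DTR/RTS untouched unless the new speed is B0 would also help.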
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 167/235] x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (165 preceding siblings ...)
  2017-01-27 10:54 ` [PATCH 3.12 166/235] USB: serial: ch341: fix modem-control and B0 handling Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 168/235] NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success Jiri Slaby
                   ` (69 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Lukasz Odzioba, Linus Torvalds, Peter Zijlstra,
	Thomas Gleixner, andi.kleen, bp, dave.hansen, luto, slaoub,
	Ingo Molnar, Jiri Slaby

From: Lukasz Odzioba <lukasz.odzioba@intel.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit dd853fd216d1485ed3045ff772079cc8689a9a4a upstream.

A negative number can be specified in the cmdline which will be used as
setup_clear_cpu_cap() argument. With that we can clear/set some bit in
memory preceding boot_cpu_data/cpu_caps_cleared which may cause the kernel
to misbehave. This patch adds a lower bound check to setup_disablecpuid().

Boris Petkov reproduced a crash:

  [    1.234575] BUG: unable to handle kernel paging request at ffffffff858bd540
  [    1.236535] IP: memcpy_erms+0x6/0x10

Signed-off-by: Lukasz Odzioba <lukasz.odzioba@intel.com>
Acked-by: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: andi.kleen@intel.com
Cc: bp@alien8.de
Cc: dave.hansen@linux.intel.com
Cc: luto@kernel.org
Cc: slaoub@gmail.com
Fixes: ac72e7888a61 ("x86: add generic clearcpuid=... option")
Link: http://lkml.kernel.org/r/1482933340-11857-1-git-send-email-lukasz.odzioba@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/kernel/cpu/common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 9364936b47c2..f415fd820c86 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -1067,7 +1067,7 @@ static __init int setup_disablecpuid(char *arg)
 {
 	int bit;
 
-	if (get_option(&arg, &bit) && bit < NCAPINTS*32)
+	if (get_option(&arg, &bit) && bit >= 0 && bit < NCAPINTS * 32)
 		setup_clear_cpu_cap(bit);
 	else
 		return 0;
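Review bot: With the new `bit >= 0` test, a negative or too-large `clearcpuid=` value falls into the `else` branch and hits `return 0;` with no message, so a mistyped or hostile boot parameter is dropped silently. A pr_warn naming the rejected value would make that visible in the boot log, which matters when the command line is the only record of what was attempted.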
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 000/235] 3.12.70-stable review
@ 2017-01-27 10:55 Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 001/235] driver core: Delete an unnecessary check before the function call "put_device" Jiri Slaby
                   ` (236 more replies)
  0 siblings, 237 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux, shuahkh, linux-kernel, Jiri Slaby

This is the start of the stable review cycle for the 3.12.70 release.
There are 235 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue Jan 31 11:52:54 CET 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	http://kernel.org/pub/linux/kernel/people/jirislaby/stable-review/patch-3.12.70-rc1.xz
and the diffstat can be found below.

thanks,
js

===============


Akinobu Mita (1):
  sysrq: attach sysrq handler correctly for 32-bit kernel

Al Viro (3):
  nfs_write_end(): fix handling of short copies
  sg_write()/bsg_write() is not fit to be called under KERNEL_DS
  move the call of __d_drop(anon) into __d_materialise_unique(dentry,
    anon)

Alan Cox (1):
  usb: dwc3: pci: Add PCI ID for Intel Braswell

Alan Stern (7):
  USB: UHCI: report non-PME wakeup signalling for Intel hardware
  PCI: Check for PME in targeted sleep state
  USB: gadgetfs: fix unbounded memory allocation bug
  USB: gadgetfs: fix use-after-free bug
  USB: gadgetfs: fix checks of wTotalLength in config descriptors
  USB: fix problems with duplicate endpoint addresses
  USB: dummy-hcd: fix bug in stop_activity (handle ep0)

Aleksa Sarai (1):
  fs: exec: apply CLOEXEC before changing dumpable task flags

Alex Deucher (2):
  drm/radeon: add additional pci revision to dpm workaround
  drm/radeon: drop verde dpm quirks

Alex Porosanu (1):
  crypto: caam - fix AEAD givenc descriptors

Alexey Klimov (1):
  clockevents/drivers/exynos_mct: Remove unneeded container_of()

Arnaldo Carvalho de Melo (1):
  perf scripting: Avoid leaking the scripting_context variable

Arnd Bergmann (3):
  scsi: mvsas: fix command_active typo
  cred/userns: define current_user_ns() as a function
  ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation

Augusto Mecking Caringi (1):
  vme: Fix wrong pointer utilization in ca91cx42_slave_get

Aurelien Aptel (1):
  fs/cifs: make share unaccessible at root level mountable

Bart Van Assche (2):
  IB/mad: Fix an array index check
  IB/multicast: Check ib_find_pkey() return value

Bartosz Golaszewski (1):
  ARM: davinci: da850: don't add emac clock to lookup table twice

Ben Hutchings (1):
  kconfig/nconf: Fix hang when editing symbol with a long prompt

Benjamin Block (1):
  scsi: zfcp: fix use-after-"free" in FC ingress path after TMF

Benjamin Marzinski (1):
  dm space map metadata: fix 'struct sm_metadata' leak on failed create

Benjamin Poirier (2):
  vmxnet3: Wake queue from reset work
  bna: Add synchronization for tx ring.

Bjorn Helgaas (1):
  x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F

Boris Brezillon (1):
  m68k: Fix ndelay() macro

Boris Ostrovsky (1):
  xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing

Calvin Owens (1):
  sg: Fix double-free when drives detach during SG_IO

Chandan Rajendra (2):
  ext4: fix mballoc breakage with 64k block size
  ext4: fix stack memory corruption with 64k block size

Con Kolivas (1):
  ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to
    volume_control_quirks

Dan Carpenter (6):
  ext4: return -ENOMEM instead of success
  usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
  target/iscsi: Fix double free in lio_target_tiqn_addtpg()
  mmc: mmc_test: Uninitialized return value
  ser_gigaset: return -ENOMEM on error instead of success
  [media] xc2028: unlock on error in xc2028_set_config()

Daniel Borkmann (1):
  net, sched: fix soft lockup in tc_classify

Daniele Palmas (1):
  USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041

Darrick J. Wong (1):
  ext4: reject inodes with negative size

Dave Jones (1):
  ipv6: handle -EFAULT from skb_copy_bits

Dave Martin (3):
  arm64/ptrace: Preserve previous registers for short regset write
  arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
  arm64/ptrace: Reject attempts to set incomplete hardware breakpoint
    fields

David Matlack (2):
  jump_labels: API for flushing deferred jump label updates
  KVM: x86: flush pending lapic jump label updates on module unload

Eric Dumazet (1):
  gro: use min_t() in skb_gro_reset_offset()

Eric Ren (1):
  ocfs2: fix crash caused by stale lvb with fsdlm plugin

Eric Sandeen (1):
  xfs: set AGI buffer type in xlog_recover_clear_agi_bucket

Eva Rachel Retuya (1):
  staging: iio: ad7606: fix improper setting of oversampling pins

Fabien Parent (1):
  ARM: dts: da850-evm: fix read access to SPI flash

Felipe Balbi (3):
  usb: gadget: composite: correctly initialize ep->maxpacket
  usb: dwc3: gadget: always unmap EP0 requests
  usb: gadget: composite: always set ep->mult to a sensible value

Florian Fainelli (1):
  net: stmmac: Fix race between stmmac_drv_probe and stmmac_open

Gabriel Krisman Bertazi (1):
  serial: 8250_pci: Detach low-level driver during PCI error recovery

Geert Uytterhoeven (1):
  usb: hub: Move hub_port_disable() to fix warning if PM is disabled

Geoff Levand (1):
  powerpc/ps3: Fix system hang with GCC 5 builds

Gerald Schaefer (1):
  s390/vmlogrdr: fix IUCV buffer allocation

Giuseppe Lippolis (1):
  USB: serial: option: add dlink dwm-158

Greg Kroah-Hartman (2):
  usb: gadgetfs: restrict upper bound on device configuration size
  HID: hid-cypress: validate length of report

Gu Zheng (1):
  tmpfs: clear S_ISGID when setting posix ACLs

Guenter Roeck (3):
  cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is
    selected
  hwmon: (ds620) Fix overflows seen when writing temperature limits
  hwmon: (g762) Fix overflows and crash seen when writing limit
    attributes

Hauke Mehrtens (1):
  mtd: nand: xway: disable module support

Heikki Krogerus (5):
  usb: dwc3: pci: add support for Intel Sunrise Point PCH
  usb: dwc3: pci: add support for Intel Broxton SOC
  usb: dwc3: pci: add ID for one more Intel Broxton platform
  usb: dwc3: pci: add Intel Kabylake PCI ID
  usb: dwc3: pci: add Intel Gemini Lake PCI ID

Heinrich Schuchardt (1):
  apparmor: do not expose kernel stack

Herbert Xu (2):
  gro: Enter slow-path if there is no tailroom
  gro: Disable frag0 optimization on IPv6 ext headers

Huang Rui (1):
  iommu/amd: Fix the left value check of cmd buffer

Ilya Dryomov (1):
  libceph: verify authorize reply on connect

J. Bruce Fields (1):
  svcrpc: don't leak contexts on PROC_DESTROY

Jan Kara (2):
  ext4: fix data exposure after a crash
  posix_acl: Clear SGID bit when setting file permissions

Jeff Mahoney (1):
  Revert "Btrfs: don't delay inode ref updates during log, replay"

Jim Mattson (1):
  kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)

Johan Hovold (32):
  USB: serial: kl5kusb105: fix open error path
  USB: serial: omninet: fix NULL-derefs at open and disconnect
  USB: serial: quatech2: fix sleep-while-atomic in close
  USB: serial: pl2303: fix NULL-deref at open
  USB: serial: keyspan_pda: verify endpoints at probe
  USB: serial: spcp8x5: fix NULL-deref at open
  USB: serial: io_ti: fix NULL-deref at open
  USB: serial: io_ti: fix another NULL-deref at open
  USB: serial: iuu_phoenix: fix NULL-deref at open
  USB: serial: garmin_gps: fix memory leak on failed URB submit
  USB: serial: ti_usb_3410_5052: fix NULL-deref at open
  USB: serial: io_edgeport: fix NULL-deref at open
  USB: serial: oti6858: fix NULL-deref at open
  USB: serial: cyberjack: fix NULL-deref at open
  USB: serial: kobil_sct: fix NULL-deref in write
  USB: serial: mos7840: fix NULL-deref at open
  USB: serial: mos7720: fix NULL-deref at open
  USB: serial: mos7720: fix use-after-free on probe errors
  USB: serial: mos7720: fix parport use-after-free on probe errors
  USB: serial: mos7720: fix parallel probe
  USB: phy: am335x-control: fix device and of_node leaks
  USB: serial: io_ti: bind to interface after fw download
  powerpc/pci/rpadlpar: Fix device reference leaks
  USB: serial: kl5kusb105: fix line-state error handling
  USB: serial: ch341: fix initial modem-control state
  USB: serial: ch341: fix open error handling
  USB: serial: ch341: fix control-message error handling
  USB: serial: ch341: fix open and resume after B0
  USB: serial: ch341: fix resume after reset
  USB: serial: ch341: fix modem-control and B0 handling
  powerpc/ibmebus: Fix further device reference leaks
  powerpc/ibmebus: Fix device reference leaks in sysfs interface

John Johansen (18):
  apparmor: fix refcount bug in profile replacement
  apparmor: fix replacement bug that adds new child to old parent
  apparmor: fix uninitialized lsm_audit member
  apparmor: exec should not be returning ENOENT when it denies
  apparmor: fix update the mtime of the profile file on replacement
  apparmor: fix disconnected bind mnts reconnection
  apparmor: internal paths should be treated as disconnected
  apparmor: fix put() parent ref after updating the active ref
  apparmor: fix log failures for all profiles in a set
  apparmor: fix audit full profile hname on successful load
  apparmor: ensure the target profile name is always audited
  apparmor: check that xindex is in trans_table bounds
  apparmor: fix refcount race when finding a child profile
  apparmor: add missing id bounds check on dfa verification
  apparmor: don't check for vmalloc_addr if kvzalloc() failed
  apparmor: fix oops in profile_unpack() when policy_db is not present
  apparmor: fix module parameters can be changed after policy is locked
  apparmor: fix arg_size computation for when setprocattr is null
    terminated

Joonyoung Shim (1):
  clocksource/exynos_mct: Clear interrupt when cpu is shut down

Julien Grall (1):
  arm/xen: Use alloc_percpu rather than __alloc_percpu

Jussi Laako (1):
  ALSA: hiface: Fix M2Tech hiFace driver sampling rate change

Konstantin Khlebnikov (1):
  md/raid5: limit request size according to implementation limits

Krzysztof Kozlowski (1):
  thermal: hwmon: Properly report critical temperature in sysfs

Krzysztof Opasiak (1):
  usb: gadget: composite: Test get_alt() presence instead of set_alt()

Larry Finger (2):
  ssb: Fix error routine when fallback SPROM fails
  powerpc: Fix build warning on 32-bit PPC

Liu Bo (1):
  Btrfs: fix memory leak in reading btree blocks

Lu Baolu (1):
  usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms

Lukasz Odzioba (1):
  x86/cpu: Fix bootup crashes by sanitizing the argument of the
    'clearcpuid=' command-line option

Maor Gottlieb (1):
  IB/mlx4: Set traffic class in AH

Marc Kleine-Budde (1):
  can: raw: raw_setsockopt: limit number of can_filter that can be set

Marcos Paulo de Souza (1):
  Input: i8042 - add Pegatron touchpad to noloop table

Mark Rutland (2):
  arm64: avoid returning from bad_mode
  ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs

Markus Elfring (1):
  driver core: Delete an unnecessary check before the function call
    "put_device"

Mathias Nyman (4):
  usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
  xhci: workaround for hosts missing CAS bit
  xhci: free xhci virtual devices with leaf nodes first
  xhci: fix deadlock at host remove by running watchdog correctly

Mauro Carvalho Chehab (1):
  [media] xc2028: avoid use after free

Michal Hocko (1):
  hotplug: Make register and unregister notifier API symmetric

Michal Tesar (1):
  igmp: Make igmp group member RFC 3376 compliant

Mike Kravetz (1):
  mm/hugetlb.c: fix reservation race when freeing surplus pages

Ming Lei (1):
  driver core: fix race between creating/querying glue dir and its
    cleanup

Mintz, Yuval (1):
  bnx2x: Correct ringparam estimate when DOWN

Nathaniel Quillin (1):
  USB: cdc-acm: add device id for GW Instek AFG-125

NeilBrown (2):
  block_dev: don't test bdev->bd_contains when it is not stable
  NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.

Nicolai Stange (1):
  f2fs: set ->owner for debugfs status file's file_operations

Nicolas Iooss (1):
  ite-cir: initialize use_demodulator before using it

Niklas Söderlund (1):
  pinctrl: sh-pfc: Do not unconditionally support
    PIN_CONFIG_BIAS_DISABLE

Oliver O'Halloran (1):
  mm/init: fix zone boundary creation

Omar Sandoval (1):
  block: fix use-after-free in sys_ioprio_get()

Ondrej Kozina (1):
  dm crypt: mark key as invalid until properly loaded

Pan Bian (2):
  USB: serial: kl5kusb105: abort on open exception path
  clk: clk-wm831x: fix a logic error

Paolo Bonzini (1):
  KVM: x86: fix emulation of "MOV SS, null selector"

Patrik Jakobsson (1):
  drm/gma500: Add compat ioctl

Paul Burton (1):
  net: ti: cpmac: Fix compiler warning due to type confusion

Pavel Rojtberg (1):
  Input: xpad - use correct product id for x360w controllers

Pavel Shilovsky (3):
  CIFS: Fix a possible memory corruption during reconnect
  CIFS: Fix missing nls unload in smb2_reconnect()
  CIFS: Fix a possible memory corruption in push locks

Peter Zijlstra (Intel) (1):
  perf/x86: Fix full width counter, counter overflow

Quinn Tran (1):
  qla2xxx: Fix crash due to null pointer access

Rabin Vincent (1):
  block: protect iterate_bdevs() against concurrent close

Rafal Redzimski (1):
  usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host

Reiter Wolfgang (2):
  drop_monitor: add missing call to genlmsg_end
  drop_monitor: consider inserted data in genlmsg_end

Richard Weinberger (1):
  ubifs: Fix journal replay wrt. xattr nodes

Robbie Ko (1):
  Btrfs: fix tree search logic when replaying directory entry deletes

Robert Doebbelin (1):
  fuse: do not use iocb after it may have been freed

Rolf Eike Beer (1):
  selftests: do not require bash to run netsocktests testcase

Russell Currey (1):
  drivers/gpu/drm/ast: Fix infinite loop if read fails

Sachin Prabhu (4):
  Fix memory leaks in cifs_do_mount()
  Compare prepaths when comparing superblocks
  Move check for prefix path to within cifs_get_root()
  Fix regression which breaks DFS mounting

Saeed Mahameed (1):
  IB/mlx4: Fix port query for 56Gb Ethernet links

Segher Boessenkool (1):
  powerpc: Convert cmp to cmpd in idle enter sequence

Shaohua Li (2):
  mm/vmscan.c: set correct defer count for shrinker
  md: MD_RECOVERY_NEEDED is set for mddev->recovery

Stefan Wahren (1):
  mmc: mxs-mmc: Fix additional cycles after transmission stop

Steffen Maier (2):
  scsi: zfcp: do not trace pure benign residual HBA responses at default
    level
  scsi: zfcp: fix rport unblock race with LUN recovery

Steve Rutherford (1):
  KVM: x86: Introduce segmented_write_std

Steven Rostedt (1):
  ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short
    jumps to it

Steven Rostedt (Red Hat) (1):
  ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short
    jumps to it

Takashi Iwai (5):
  ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO
  ALSA: hda - Fix up GPIO for ASUS ROG Ranger
  ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL
  ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
  xc2028: Fix use-after-free bug properly

Tariq Saeed (1):
  ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed()

Theodore Ts'o (3):
  ext4: use more strict checks for inodes_per_block on mount
  ext4: fix in-superblock mount options processing
  ext4: add sanity checking to count_overhead()

Thomas Gleixner (3):
  locking/rtmutex: Prevent dequeue vs. unlock race
  locking/rtmutex: Use READ_ONCE() in rt_mutex_owner()
  tick/broadcast: Prevent NULL pointer dereference

Tony Lindgren (1):
  usb: musb: Fix trying to free already-free IRQ 4

Trond Myklebust (1):
  NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT

Vegard Nossum (1):
  apparmor: fix oops, validate buffer size in apparmor_setprocattr()

Vlad Tsyrklevich (2):
  i2c: fix kernel memory disclosure in dev interface
  vfio/pci: Fix integer overflows, bitmask check

Vladimir Zapolskiy (3):
  ARM: dts: imx31: fix clock control module interrupts description
  ARM: dts: imx31: move CCM device node to AIPS2 bus devices
  ARM: dts: imx31: fix AVIC base address

Wan Ahmad Zainie (1):
  usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake

Wanpeng Li (1):
  x86/apic: Order irq_enter/exit() calls correctly vs. ack_APIC_irq()

Wei Fang (1):
  scsi: avoid a permanent stop of the scsi device's request queue

Zhou Chengming (1):
  sysctl: Drop reference added by grab_header in proc_sys_readdir

stephen hemminger (1):
  netvsc: reduce maximum GSO size

추지호 (1):
  can: peak: fix bad memory access and free sequence

 .../devicetree/bindings/clock/imx31-clock.txt      |   2 +-
 arch/arm/boot/dts/da850-evm.dts                    |   1 +
 arch/arm/boot/dts/imx31.dtsi                       |  18 +--
 arch/arm/include/asm/cputype.h                     |   3 +
 arch/arm/kernel/hw_breakpoint.c                    |  16 +++
 arch/arm/mach-davinci/da850.c                      |  12 +-
 arch/arm/mach-ux500/pm.c                           |   4 +-
 arch/arm/xen/enlighten.c                           |   3 +-
 arch/arm64/include/uapi/asm/ptrace.h               |   1 +
 arch/arm64/kernel/entry.S                          |   2 +-
 arch/arm64/kernel/ptrace.c                         |  11 +-
 arch/arm64/kernel/traps.c                          |  25 +++-
 arch/cris/boot/rescue/Makefile                     |   8 ++
 arch/m68k/include/asm/delay.h                      |   2 +-
 arch/powerpc/boot/ps3-head.S                       |   5 -
 arch/powerpc/boot/ps3.c                            |   8 +-
 arch/powerpc/kernel/ibmebus.c                      |  16 ++-
 arch/powerpc/kernel/idle_power7.S                  |   2 +-
 arch/powerpc/kernel/misc_32.S                      |   2 +-
 arch/x86/include/asm/apic.h                        |   3 +-
 arch/x86/kernel/cpu/common.c                       |   2 +-
 arch/x86/kernel/cpu/perf_event.c                   |   2 +-
 arch/x86/kernel/cpu/perf_event_intel.c             |   2 +-
 arch/x86/kernel/entry_32.S                         |   4 +-
 arch/x86/kernel/entry_64.S                         |   3 +-
 arch/x86/kernel/smp.c                              |   2 +-
 arch/x86/kvm/emulate.c                             |  66 ++++++++--
 arch/x86/kvm/lapic.c                               |   6 +
 arch/x86/kvm/lapic.h                               |   1 +
 arch/x86/kvm/vmx.c                                 |  11 +-
 arch/x86/kvm/x86.c                                 |   1 +
 arch/x86/pci/acpi.c                                |  10 ++
 block/bsg.c                                        |   3 +
 drivers/base/core.c                                |  42 +++++--
 drivers/clk/clk-wm831x.c                           |   2 +-
 drivers/clocksource/exynos_mct.c                   |  17 +--
 drivers/crypto/caam/caamalg.c                      |   4 +-
 drivers/gpu/drm/ast/ast_main.c                     |   7 +-
 drivers/gpu/drm/gma500/psb_drv.c                   |   3 +
 drivers/gpu/drm/radeon/si_dpm.c                    |  14 +--
 drivers/hid/hid-cypress.c                          |   3 +
 drivers/hwmon/ds620.c                              |   2 +-
 drivers/hwmon/g762.c                               |  11 +-
 drivers/i2c/i2c-dev.c                              |   2 +-
 drivers/infiniband/core/mad.c                      |   2 +-
 drivers/infiniband/core/multicast.c                |   7 +-
 drivers/infiniband/hw/mlx4/ah.c                    |   6 +-
 drivers/infiniband/hw/mlx4/main.c                  |   8 +-
 drivers/input/joystick/xpad.c                      |   6 +
 drivers/input/serio/i8042-x86ia64io.h              |   6 +
 drivers/iommu/amd_iommu.c                          |   2 +-
 drivers/isdn/gigaset/ser-gigaset.c                 |   4 +-
 drivers/md/dm-crypt.c                              |   7 +-
 drivers/md/md.c                                    |   2 +-
 drivers/md/persistent-data/dm-space-map-metadata.c |  10 +-
 drivers/md/raid5.c                                 |   9 ++
 drivers/media/rc/ite-cir.c                         |   2 +
 drivers/media/tuners/tuner-xc2028.c                |  34 +++---
 drivers/mmc/card/mmc_test.c                        |   2 +-
 drivers/mmc/host/mxs-mmc.c                         |   6 +-
 drivers/mtd/nand/Kconfig                           |   2 +-
 drivers/net/can/usb/peak_usb/pcan_usb_core.c       |   6 +-
 .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c    |   8 ++
 drivers/net/ethernet/brocade/bna/bnad.c            |   4 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |  20 +--
 drivers/net/ethernet/ti/cpmac.c                    |   5 +-
 drivers/net/hyperv/netvsc_drv.c                    |   4 +
 drivers/net/vmxnet3/vmxnet3_drv.c                  |   2 +-
 drivers/pci/hotplug/rpadlpar_core.c                |  10 +-
 drivers/pci/pci.c                                  |   4 +
 drivers/pinctrl/sh-pfc/pinctrl.c                   |   3 +-
 drivers/s390/char/vmlogrdr.c                       |   2 +-
 drivers/s390/scsi/zfcp_dbf.c                       |  17 ++-
 drivers/s390/scsi/zfcp_dbf.h                       |  41 ++++++-
 drivers/s390/scsi/zfcp_erp.c                       |  61 ++++++++-
 drivers/s390/scsi/zfcp_ext.h                       |   4 +-
 drivers/s390/scsi/zfcp_fsf.h                       |   3 +-
 drivers/s390/scsi/zfcp_reqlist.h                   |  30 ++++-
 drivers/s390/scsi/zfcp_scsi.c                      |  61 ++++++++-
 drivers/scsi/mvsas/mv_94xx.c                       |   2 +-
 drivers/scsi/qla2xxx/qla_os.c                      |  16 ++-
 drivers/scsi/scsi_sysfs.c                          |   4 -
 drivers/scsi/sg.c                                  |  11 +-
 drivers/ssb/pci.c                                  |   1 +
 drivers/staging/iio/adc/ad7606_core.c              |   2 +-
 drivers/target/iscsi/iscsi_target_tpg.c            |   1 -
 drivers/thermal/thermal_hwmon.c                    |   2 +-
 drivers/tty/serial/8250/8250_pci.c                 |  23 +++-
 drivers/tty/sysrq.c                                |   4 +-
 drivers/usb/class/cdc-acm.c                        |   1 +
 drivers/usb/core/config.c                          |  10 ++
 drivers/usb/core/hub.c                             | 136 ++++++++-------------
 drivers/usb/dwc3/dwc3-pci.c                        |  16 +++
 drivers/usb/dwc3/gadget.c                          |   8 +-
 drivers/usb/gadget/composite.c                     |  23 ++--
 drivers/usb/gadget/dummy_hcd.c                     |   6 +-
 drivers/usb/gadget/inode.c                         |  17 ++-
 drivers/usb/gadget/uvc_video.c                     |   2 +-
 drivers/usb/host/uhci-pci.c                        |   4 +
 drivers/usb/host/xhci-hub.c                        |  37 ++++++
 drivers/usb/host/xhci-mem.c                        |  42 ++++++-
 drivers/usb/host/xhci-pci.c                        |  13 +-
 drivers/usb/host/xhci-ring.c                       |   7 --
 drivers/usb/host/xhci.c                            |  13 --
 drivers/usb/host/xhci.h                            |   3 +
 drivers/usb/musb/musbhsdma.h                       |   2 +-
 drivers/usb/phy/phy-am335x-control.c               |   2 +
 drivers/usb/serial/ch341.c                         |  90 +++++++++-----
 drivers/usb/serial/cyberjack.c                     |  10 ++
 drivers/usb/serial/garmin_gps.c                    |   1 +
 drivers/usb/serial/io_edgeport.c                   |   5 +
 drivers/usb/serial/io_ti.c                         |  17 ++-
 drivers/usb/serial/iuu_phoenix.c                   |  11 ++
 drivers/usb/serial/keyspan_pda.c                   |  14 +++
 drivers/usb/serial/kl5kusb105.c                    |  44 +++++--
 drivers/usb/serial/kobil_sct.c                     |  12 ++
 drivers/usb/serial/mos7720.c                       |  51 ++++----
 drivers/usb/serial/mos7840.c                       |  12 ++
 drivers/usb/serial/omninet.c                       |  13 ++
 drivers/usb/serial/option.c                        |   7 ++
 drivers/usb/serial/oti6858.c                       |  16 +++
 drivers/usb/serial/pl2303.c                        |   8 ++
 drivers/usb/serial/quatech2.c                      |   4 -
 drivers/usb/serial/spcp8x5.c                       |  14 +++
 drivers/usb/serial/ti_usb_3410_5052.c              |   7 ++
 drivers/vfio/pci/vfio_pci.c                        |  33 +++--
 drivers/vfio/pci/vfio_pci_intrs.c                  |   2 +-
 drivers/vme/bridges/vme_ca91cx42.c                 |   2 +-
 drivers/xen/gntdev.c                               |   2 +-
 fs/9p/acl.c                                        |  40 +++---
 fs/block_dev.c                                     |   9 +-
 fs/btrfs/acl.c                                     |   6 +-
 fs/btrfs/delayed-inode.c                           |   8 --
 fs/btrfs/extent_io.c                               |   9 ++
 fs/btrfs/tree-log.c                                |   3 +-
 fs/cifs/cifs_fs_sb.h                               |   4 +
 fs/cifs/cifsfs.c                                   |  17 ++-
 fs/cifs/cifsglob.h                                 |   3 +
 fs/cifs/cifsproto.h                                |   5 +-
 fs/cifs/connect.c                                  | 116 ++++++++++++++++--
 fs/cifs/dir.c                                      |  20 ++-
 fs/cifs/inode.c                                    |  22 +++-
 fs/cifs/smb2file.c                                 |   2 +-
 fs/cifs/smb2pdu.c                                  |  77 ++++++++----
 fs/cifs/smb2proto.h                                |   1 +
 fs/dcache.c                                        |   7 +-
 fs/exec.c                                          |  10 +-
 fs/ext2/acl.c                                      |  12 +-
 fs/ext3/acl.c                                      |  10 +-
 fs/ext4/acl.c                                      |  12 +-
 fs/ext4/inline.c                                   |   4 +-
 fs/ext4/inode.c                                    |  29 +++--
 fs/ext4/mballoc.c                                  |   4 +-
 fs/ext4/super.c                                    |  64 ++++++----
 fs/f2fs/acl.c                                      |   6 +-
 fs/f2fs/debug.c                                    |   1 +
 fs/fuse/file.c                                     |   5 +-
 fs/generic_acl.c                                   |  12 +-
 fs/gfs2/acl.c                                      |  14 +--
 fs/hfsplus/posix_acl.c                             |   4 +-
 fs/hfsplus/xattr.c                                 |   5 +-
 fs/ioprio.c                                        |   2 +
 fs/jffs2/acl.c                                     |   9 +-
 fs/jfs/xattr.c                                     |   5 +-
 fs/nfs/dir.c                                       |   1 +
 fs/nfs/file.c                                      |   2 +-
 fs/nfs/nfs4filelayoutdev.c                         |   3 +-
 fs/ocfs2/acl.c                                     |  20 ++-
 fs/ocfs2/dlmglue.c                                 |  10 ++
 fs/ocfs2/file.c                                    |   9 +-
 fs/ocfs2/stackglue.c                               |   6 +
 fs/ocfs2/stackglue.h                               |   3 +
 fs/posix_acl.c                                     |  31 +++++
 fs/proc/proc_sysctl.c                              |   3 +-
 fs/reiserfs/xattr_acl.c                            |   8 +-
 fs/ubifs/tnc.c                                     |  25 +++-
 fs/xfs/xfs_acl.c                                   |  15 ++-
 fs/xfs/xfs_log_recover.c                           |   1 +
 include/linux/capability.h                         |   2 -
 include/linux/cpu.h                                |  12 +-
 include/linux/cred.h                               |   5 +-
 include/linux/jump_label_ratelimit.h               |   4 +
 include/linux/netdevice.h                          |   9 +-
 include/linux/posix_acl.h                          |   1 +
 include/uapi/linux/can.h                           |   1 +
 kernel/cpu.c                                       |   3 +-
 kernel/jump_label.c                                |   6 +
 kernel/rtmutex.c                                   |  68 ++++++++++-
 kernel/rtmutex_common.h                            |   5 +-
 kernel/time/tick-broadcast.c                       |   3 +
 mm/hugetlb.c                                       |  37 ++++--
 mm/page_alloc.c                                    |  17 +--
 mm/vmscan.c                                        |  14 ++-
 net/can/raw.c                                      |   3 +
 net/ceph/messenger.c                               |  13 ++
 net/core/dev.c                                     |   4 +-
 net/core/drop_monitor.c                            |  39 ++++--
 net/ipv4/igmp.c                                    |   7 +-
 net/ipv6/ip6_offload.c                             |   1 +
 net/ipv6/raw.c                                     |   7 +-
 net/sched/cls_api.c                                |   4 +-
 net/sunrpc/auth_gss/svcauth_gss.c                  |   2 +-
 scripts/kconfig/nconf.gui.c                        |  15 ++-
 security/apparmor/apparmorfs.c                     |   2 +
 security/apparmor/audit.c                          |   3 +-
 security/apparmor/domain.c                         |  22 ++--
 security/apparmor/file.c                           |   3 +-
 security/apparmor/include/match.h                  |   1 +
 security/apparmor/include/policy.h                 |   2 +
 security/apparmor/lsm.c                            |  60 ++++-----
 security/apparmor/match.c                          |  16 ++-
 security/apparmor/path.c                           |  61 +++++----
 security/apparmor/policy.c                         |  61 ++++++---
 security/apparmor/policy_unpack.c                  |   5 +-
 sound/pci/hda/patch_conexant.c                     |  17 +++
 sound/pci/hda/patch_realtek.c                      |   2 +
 sound/usb/card.c                                   |   1 -
 sound/usb/hiface/pcm.c                             |   2 +
 sound/usb/mixer.c                                  |   3 +-
 tools/perf/util/trace-event-scripting.c            |   6 +-
 tools/testing/selftests/net/run_netsocktests       |   2 +-
 221 files changed, 1992 insertions(+), 800 deletions(-)

-- 
2.11.0

^ permalink raw reply	[flat|nested] 244+ messages in thread

* [PATCH 3.12 168/235] NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (166 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 167/235] x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 169/235] powerpc/ibmebus: Fix further device reference leaks Jiri Slaby
                   ` (68 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, NeilBrown, Trond Myklebust, Jiri Slaby

From: NeilBrown <neilb@suse.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit cfd278c280f997cf2fe4662e0acab0fe465f637b upstream.

Various places assume that if nfs4_fl_prepare_ds() turns a non-NULL 'ds',
then ds->ds_clp will also be non-NULL.

This is not necessarily true in the case when the process received a fatal signal
while nfs4_pnfs_ds_connect is waiting in nfs4_wait_ds_connect().
In that case ->ds_clp may not be set, and the devid may not recently have been marked
unavailable.

So add a test for ds_clp == NULL and return NULL in that case.

Fixes: c23266d532b4 ("NFS4.1 Fix data server connection race")
Signed-off-by: NeilBrown <neilb@suse.com>
Acked-by: Olga Kornievskaia <aglo@umich.edu>
Acked-by: Adamson, Andy <William.Adamson@netapp.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/nfs/nfs4filelayoutdev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/nfs/nfs4filelayoutdev.c b/fs/nfs/nfs4filelayoutdev.c
index efac602edb37..91de91430b31 100644
--- a/fs/nfs/nfs4filelayoutdev.c
+++ b/fs/nfs/nfs4filelayoutdev.c
@@ -827,7 +827,8 @@ nfs4_fl_prepare_ds(struct pnfs_layout_segment *lseg, u32 ds_idx)
 		nfs4_wait_ds_connect(ds);
 	}
 out_test_devid:
-	if (filelayout_test_devid_unavailable(devid))
+	if (ret->ds_clp == NULL ||
+	    filelayout_test_devid_unavailable(devid))
 		ret = NULL;
 out:
 	return ret;
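
Review bot: the new "ret->ds_clp == NULL" test at out_test_devid dereferences ret unconditionally, so every path that reaches this label must arrive with ret non-NULL. The hunk only shows the fall-through from nfs4_wait_ds_connect(ds), so any "goto out_test_devid" above it needs checking. A one-line comment saying that ds_clp can still be unset after an interrupted wait would keep the test from being removed later as redundant, and "!ret->ds_clp" is the more usual kernel spelling.
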
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 169/235] powerpc/ibmebus: Fix further device reference leaks
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (167 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 168/235] NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 170/235] powerpc/ibmebus: Fix device reference leaks in sysfs interface Jiri Slaby
                   ` (67 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Michael Ellerman, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 815a7141c4d1b11610dccb7fcbb38633759824f2 upstream.

Make sure to drop any reference taken by bus_find_device() when creating
devices during init and driver registration.

Fixes: 55347cc9962f ("[POWERPC] ibmebus: Add device creation and bus probing based on of_device")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/powerpc/kernel/ibmebus.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/ibmebus.c b/arch/powerpc/kernel/ibmebus.c
index 16a7c2326d48..435c9bbc6b09 100644
--- a/arch/powerpc/kernel/ibmebus.c
+++ b/arch/powerpc/kernel/ibmebus.c
@@ -180,6 +180,7 @@ static int ibmebus_create_device(struct device_node *dn)
 static int ibmebus_create_devices(const struct of_device_id *matches)
 {
 	struct device_node *root, *child;
+	struct device *dev;
 	int ret = 0;
 
 	root = of_find_node_by_path("/");
@@ -188,9 +189,12 @@ static int ibmebus_create_devices(const struct of_device_id *matches)
 		if (!of_match_node(matches, child))
 			continue;
 
-		if (bus_find_device(&ibmebus_bus_type, NULL, child,
-				    ibmebus_match_node))
+		dev = bus_find_device(&ibmebus_bus_type, NULL, child,
+				      ibmebus_match_node);
+		if (dev) {
+			put_device(dev);
 			continue;
+		}
 
 		ret = ibmebus_create_device(child);
 		if (ret) {
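
Review bot: nothing in the loop of ibmebus_create_devices() says that bus_find_device() returns a counted reference, so the put_device(dev) before "continue" reads as unexplained. A short comment such as "/* only checking for existence; drop the lookup reference */" would document it. The balance itself is right: dev is used purely as an existence test and is not touched after the put.
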
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 170/235] powerpc/ibmebus: Fix device reference leaks in sysfs interface
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (168 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 169/235] powerpc/ibmebus: Fix further device reference leaks Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 171/235] pinctrl: sh-pfc: Do not unconditionally support PIN_CONFIG_BIAS_DISABLE Jiri Slaby
                   ` (66 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Johan Hovold, Michael Ellerman, Jiri Slaby

From: Johan Hovold <johan@kernel.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit fe0f3168169f7c34c29b0cf0c489f126a7f29643 upstream.

Make sure to drop any reference taken by bus_find_device() in the sysfs
callbacks that are used to create and destroy devices based on
device-tree entries.

Fixes: 6bccf755ff53 ("[POWERPC] ibmebus: dynamic addition/removal of adapters, some code cleanup")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/powerpc/kernel/ibmebus.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/ibmebus.c b/arch/powerpc/kernel/ibmebus.c
index 435c9bbc6b09..bc47b7986e37 100644
--- a/arch/powerpc/kernel/ibmebus.c
+++ b/arch/powerpc/kernel/ibmebus.c
@@ -266,6 +266,7 @@ static ssize_t ibmebus_store_probe(struct bus_type *bus,
 				   const char *buf, size_t count)
 {
 	struct device_node *dn = NULL;
+	struct device *dev;
 	char *path;
 	ssize_t rc = 0;
 
@@ -273,8 +274,10 @@ static ssize_t ibmebus_store_probe(struct bus_type *bus,
 	if (!path)
 		return -ENOMEM;
 
-	if (bus_find_device(&ibmebus_bus_type, NULL, path,
-			    ibmebus_match_path)) {
+	dev = bus_find_device(&ibmebus_bus_type, NULL, path,
+			      ibmebus_match_path);
+	if (dev) {
+		put_device(dev);
 		printk(KERN_WARNING "%s: %s has already been probed\n",
 		       __func__, path);
 		rc = -EEXIST;
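
Review bot: ibmebus_store_probe() repeats the find-then-put sequence from ibmebus_create_devices() only to learn whether a device exists. A small helper returning bool around bus_find_device() and put_device() would keep the reference handling in one place. Dropping the reference before the printk is fine, since the message uses only "path".
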
@@ -310,6 +313,7 @@ static ssize_t ibmebus_store_remove(struct bus_type *bus,
 	if ((dev = bus_find_device(&ibmebus_bus_type, NULL, path,
 				   ibmebus_match_path))) {
 		of_device_unregister(to_platform_device(dev));
+		put_device(dev);
 
 		kfree(path);
 		return count;
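
Review bot: in ibmebus_store_remove() the added put_device(dev) directly after of_device_unregister() looks like a double put to a reader who does not know that bus_find_device() returned its own reference. A short comment such as "/* drop the reference taken by bus_find_device() */" would document it. The ordering is right: the lookup reference keeps dev valid across the unregister call and is dropped last.
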
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 171/235] pinctrl: sh-pfc: Do not unconditionally support PIN_CONFIG_BIAS_DISABLE
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (169 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 170/235] powerpc/ibmebus: Fix device reference leaks in sysfs interface Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 172/235] arm64: avoid returning from bad_mode Jiri Slaby
                   ` (65 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Niklas Söderlund, Geert Uytterhoeven, Jiri Slaby

From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5d7400c4acbf7fe633a976a89ee845f7333de3e4 upstream.

Always stating PIN_CONFIG_BIAS_DISABLE is supported gives untrue output
when examining /sys/kernel/debug/pinctrl/e6060000.pfc/pinconf-pins if
the operation get_bias() is implemented but the pin is not handled by
the get_bias() implementation. In that case the output will state that
"input bias disabled" indicating that this pin has bias control
support.

Make support for PIN_CONFIG_BIAS_DISABLE depend on that the pin either
supports SH_PFC_PIN_CFG_PULL_UP or SH_PFC_PIN_CFG_PULL_DOWN. This also
solves the issue where SoC specific implementations print error messages
if their particular implementation of {set,get}_bias() is called with a
pin it does not know about.

Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/pinctrl/sh-pfc/pinctrl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/pinctrl/sh-pfc/pinctrl.c b/drivers/pinctrl/sh-pfc/pinctrl.c
index e758af95c209..b625a1f062bf 100644
--- a/drivers/pinctrl/sh-pfc/pinctrl.c
+++ b/drivers/pinctrl/sh-pfc/pinctrl.c
@@ -479,7 +479,8 @@ static bool sh_pfc_pinconf_validate(struct sh_pfc *pfc, unsigned int _pin,
 
 	switch (param) {
 	case PIN_CONFIG_BIAS_DISABLE:
-		return true;
+		return pin->configs &
+			(SH_PFC_PIN_CFG_PULL_UP | SH_PFC_PIN_CFG_PULL_DOWN);
 
 	case PIN_CONFIG_BIAS_PULL_UP:
 		return pin->configs & SH_PFC_PIN_CFG_PULL_UP;
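
Review bot: the PIN_CONFIG_BIAS_DISABLE case in sh_pfc_pinconf_validate() now depends on the pin's pull capabilities, and nothing in the code says why. A one-line comment (bias can only be reported as disabled on pins that have pull-up or pull-down control) would save the next reader a trip to the commit log. The function returns bool, so the masked value converts correctly, matching the PIN_CONFIG_BIAS_PULL_UP case below it.
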
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 172/235] arm64: avoid returning from bad_mode
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (170 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 171/235] pinctrl: sh-pfc: Do not unconditionally support PIN_CONFIG_BIAS_DISABLE Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 173/235] IB/mlx4: Set traffic class in AH Jiri Slaby
                   ` (64 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Mark Rutland, Will Deacon, Catalin Marinas, Jiri Slaby

From: Mark Rutland <mark.rutland@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7d9e8f71b989230bc613d121ca38507d34ada849 upstream.

Generally, taking an unexpected exception should be a fatal event, and
bad_mode is intended to cater for this. However, it should be possible
to contain unexpected synchronous exceptions from EL0 without bringing
the kernel down, by sending a SIGILL to the task.

We tried to apply this approach in commit 9955ac47f4ba1c95 ("arm64:
don't kill the kernel on a bad esr from el0"), by sending a signal for
any bad_mode call resulting from an EL0 exception.

However, this also applies to other unexpected exceptions, such as
SError and FIQ. The entry paths for these exceptions branch to bad_mode
without configuring the link register, and have no kernel_exit. Thus, if
we take one of these exceptions from EL0, bad_mode will eventually
return to the original user link register value.

This patch fixes this by introducing a new bad_el0_sync handler to cater
for the recoverable case, and restoring bad_mode to its original state,
whereby it calls panic() and never returns. The recoverable case
branches to bad_el0_sync with a bl, and returns to userspace via the
usual ret_to_user mechanism.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Fixes: 9955ac47f4ba1c95 ("arm64: don't kill the kernel on a bad esr from el0")
Reported-by: Mark Salter <msalter@redhat.com>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm64/kernel/entry.S |  2 +-
 arch/arm64/kernel/traps.c | 25 +++++++++++++++++++++----
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 028a1b91e2b3..c405e2421fd8 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -493,7 +493,7 @@ el0_inv:
 	mov	x0, sp
 	mov	x1, #BAD_SYNC
 	mrs	x2, esr_el1
-	b	bad_mode
+	b	bad_el0_sync
 ENDPROC(el0_sync)
 
 	.align	6
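
Review bot: the el0_inv path still uses a plain "b" to reach bad_el0_sync, while the commit message says the recoverable case branches with a "bl" and returns through ret_to_user. Because bad_el0_sync returns, unlike bad_mode, the link register must already hold a valid kernel return address on this path. The hunk does not show where lr is set, so please confirm it (or add a comment naming the place) to rule out the same return-to-user-lr problem the message describes for SError and FIQ.
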
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index 7ffadddb645d..7d1f6c5cfa65 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -306,16 +306,33 @@ asmlinkage long do_ni_syscall(struct pt_regs *regs)
 }
 
 /*
- * bad_mode handles the impossible case in the exception vector.
+ * bad_mode handles the impossible case in the exception vector. This is always
+ * fatal.
  */
 asmlinkage void bad_mode(struct pt_regs *regs, int reason, unsigned int esr)
 {
-	siginfo_t info;
-	void __user *pc = (void __user *)instruction_pointer(regs);
 	console_verbose();
 
 	pr_crit("Bad mode in %s handler detected, code 0x%08x\n",
 		handler[reason], esr);
+
+	die("Oops - bad mode", regs, 0);
+	local_irq_disable();
+	panic("bad mode");
+}
+
+/*
+ * bad_el0_sync handles unexpected, but potentially recoverable synchronous
+ * exceptions taken from EL0. Unlike bad_mode, this returns.
+ */
+asmlinkage void bad_el0_sync(struct pt_regs *regs, int reason, unsigned int esr)
+{
+	siginfo_t info;
+	void __user *pc = (void __user *)instruction_pointer(regs);
+	console_verbose();
+
+	pr_crit("Bad EL0 synchronous exception detected on CPU%d, code 0x%08x\n",
+		smp_processor_id(), esr);
 	__show_regs(regs);
 
 	info.si_signo = SIGILL;
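
Review bot: bad_el0_sync() is reachable from EL0 and returns, yet it calls console_verbose(), pr_crit() and __show_regs() on every hit with no rate limiting, so a task that keeps taking the exception can flood the kernel log. Consider pr_crit_ratelimited() or gating the register dump, and dropping console_verbose() from the recoverable path. The "reason" argument is also unused in the lines shown, now that the message no longer prints handler[reason].
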
@@ -323,7 +340,7 @@ asmlinkage void bad_mode(struct pt_regs *regs, int reason, unsigned int esr)
 	info.si_code  = ILL_ILLOPC;
 	info.si_addr  = pc;
 
-	arm64_notify_die("Oops - bad mode", regs, &info, 0);
+	force_sig_info(info.si_signo, &info, current);
 }
 
 void __pte_error(const char *file, int line, unsigned long val)
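
Review bot: with arm64_notify_die() replaced by force_sig_info() at the end of bad_el0_sync(), the signal is sent to current unconditionally and nothing in the function checks that regs came from user mode. The only caller shown is el0_inv, so this holds today. A WARN_ON(!user_mode(regs)) or a comment stating the EL0-only contract would keep a later call from kernel context from being turned into a SIGILL instead of a die().
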
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 173/235] IB/mlx4: Set traffic class in AH
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (171 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 172/235] arm64: avoid returning from bad_mode Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 174/235] IB/mlx4: Fix port query for 56Gb Ethernet links Jiri Slaby
                   ` (63 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Maor Gottlieb, Daniel Jurgens, Leon Romanovsky,
	Doug Ledford, Jiri Slaby

From: Maor Gottlieb <maorg@mellanox.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit af4295c117b82a521b05d0daf39ce879d26e6cb1 upstream.

Set traffic class within sl_tclass_flowlabel when creating iboe AH.
Without this the TOS value will be empty when running VLAN tagged
traffic, because the TOS value is taken from the traffic class in the
address handle attributes.

Fixes: 9106c4106974 ('IB/mlx4: Fix SL to 802.1Q priority-bits mapping for IBoE')
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Mark Bloch <markb@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/infiniband/hw/mlx4/ah.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c
index f55d69500a5f..3a85e7669068 100644
--- a/drivers/infiniband/hw/mlx4/ah.c
+++ b/drivers/infiniband/hw/mlx4/ah.c
@@ -118,7 +118,9 @@ static struct ib_ah *create_iboe_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr
 		       !(1 << ah->av.eth.stat_rate & dev->caps.stat_rate_support))
 			--ah->av.eth.stat_rate;
 	}
-
+	ah->av.eth.sl_tclass_flowlabel |=
+			cpu_to_be32((ah_attr->grh.traffic_class << 20) |
+				    ah_attr->grh.flow_label);
 	/*
 	 * HW requires multicast LID so we just choose one.
 	 */
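
Review bot: in create_iboe_ah() the new OR puts ah_attr->grh.flow_label into the word unmasked, so any bits above the low 20 would spill into the traffic-class field that is shifted to bit 20. Mask it (for example "& 0xfffff") unless the caller guarantees the range. The commit message mentions only the traffic class, so it is worth saying there that the flow label is now set as well.
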
@@ -126,7 +128,7 @@ static struct ib_ah *create_iboe_ah(struct ib_pd *pd, struct ib_ah_attr *ah_attr
 		ah->av.ib.dlid = cpu_to_be16(0xc000);
 
 	memcpy(ah->av.eth.dgid, ah_attr->grh.dgid.raw, 16);
-	ah->av.eth.sl_tclass_flowlabel = cpu_to_be32(ah_attr->sl << 29);
+	ah->av.eth.sl_tclass_flowlabel |= cpu_to_be32(ah_attr->sl << 29);
 
 	return &ah->ibah;
 }
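
Review bot: after the change from "=" to "|=" no statement in the lines shown assigns sl_tclass_flowlabel outright, so the result depends on ah having been zeroed at allocation, which the diff does not show. Building the value once (sl << 29, traffic_class << 20 and flow_label) in a single cpu_to_be32() assignment would remove that dependency and keep the three fields together.
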
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 174/235] IB/mlx4: Fix port query for 56Gb Ethernet links
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (172 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 173/235] IB/mlx4: Set traffic class in AH Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 175/235] perf scripting: Avoid leaking the scripting_context variable Jiri Slaby
                   ` (62 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Saeed Mahameed, Yishai Hadas, Daniel Jurgens,
	Leon Romanovsky, Doug Ledford, Jiri Slaby

From: Saeed Mahameed <saeedm@mellanox.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6fa26208206c406fa529cd73f7ae6bf4181e270b upstream.

Report the correct speed in the port attributes when using a 56Gbps
ethernet link.  Without this change the field is incorrectly set to 10.

Fixes: a9c766bb75ee ('IB/mlx4: Fix info returned when querying IBoE ports')
Fixes: 2e96691c31ec ('IB: Use central enum for speed instead of hard-coded values')
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/infiniband/hw/mlx4/main.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
index f0612645de99..9407a31afe20 100644
--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -335,9 +335,11 @@ static int eth_link_query_port(struct ib_device *ibdev, u8 port,
 	if (err)
 		goto out;
 
-	props->active_width	=  (((u8 *)mailbox->buf)[5] == 0x40) ?
-						IB_WIDTH_4X : IB_WIDTH_1X;
-	props->active_speed	= IB_SPEED_QDR;
+	props->active_width	=  (((u8 *)mailbox->buf)[5] == 0x40) ||
+				   (((u8 *)mailbox->buf)[5] == 0x20 /*56Gb*/) ?
+					   IB_WIDTH_4X : IB_WIDTH_1X;
+	props->active_speed	=  (((u8 *)mailbox->buf)[5] == 0x20 /*56Gb*/) ?
+					   IB_SPEED_FDR : IB_SPEED_QDR;
 	props->port_cap_flags	= IB_PORT_CM_SUP;
 	props->gid_tbl_len	= mdev->dev->caps.gid_table_len[port];
 	props->max_msg_sz	= mdev->dev->caps.max_msg_sz;
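
Review bot: the added `active_width` and `active_speed` expressions read `((u8 *)mailbox->buf)[5]` three times against the bare constants 0x40 and 0x20, and the width expression relies on `||` binding tighter than `?:` with no parentheses around the condition. Reading the byte once into a local `u8` and naming the two values (the `/*56Gb*/` comment is the only hint at what 0x20 means, and 0x40 has none) would make the intent checkable at a glance.
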
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 175/235] perf scripting: Avoid leaking the scripting_context variable
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (173 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 174/235] IB/mlx4: Fix port query for 56Gb Ethernet links Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 176/235] ARM: dts: imx31: fix clock control module interrupts description Jiri Slaby
                   ` (61 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Arnaldo Carvalho de Melo, Adrian Hunter,
	David Ahern, Frederic Weisbecker, Jiri Olsa, Namhyung Kim,
	Tom Zanussi, Wang Nan, Jiri Slaby

From: Arnaldo Carvalho de Melo <acme@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit cf346d5bd4b9d61656df2f72565c9b354ef3ca0d upstream.

Both register_perl_scripting() and register_python_scripting() allocate
this variable, fix it by checking if it already was.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Tom Zanussi <tzanussi@gmail.com>
Cc: Wang Nan <wangnan0@huawei.com>
Fixes: 7e4b21b84c43 ("perf/scripts: Add Python scripting engine")
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 tools/perf/util/trace-event-scripting.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/perf/util/trace-event-scripting.c b/tools/perf/util/trace-event-scripting.c
index 95199e4eea97..f928bfc4852f 100644
--- a/tools/perf/util/trace-event-scripting.c
+++ b/tools/perf/util/trace-event-scripting.c
@@ -91,7 +91,8 @@ static void register_python_scripting(struct scripting_ops *scripting_ops)
 	if (err)
 		die("error registering py script extension");
 
-	scripting_context = malloc(sizeof(struct scripting_context));
+	if (scripting_context == NULL)
+		scripting_context = malloc(sizeof(*scripting_context));
 }
 
 #ifdef NO_LIBPYTHON
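
Review bot: the `malloc()` result in register_python_scripting() is still not checked, while the `err` test a few lines above it calls die() on failure. Since the line is being touched anyway, a NULL check with the same die() handling would keep a failed allocation from surfacing later as a NULL dereference in whatever uses `scripting_context`.
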
@@ -154,7 +155,8 @@ static void register_perl_scripting(struct scripting_ops *scripting_ops)
 	if (err)
 		die("error registering pl script extension");
 
-	scripting_context = malloc(sizeof(struct scripting_context));
+	if (scripting_context == NULL)
+		scripting_context = malloc(sizeof(*scripting_context));
 }
 
 #ifdef NO_LIBPERL
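
Review bot: this is the same two-line guard-and-allocate sequence as in register_python_scripting(), now duplicated in register_perl_scripting(). A small shared helper would keep the two from drifting apart again. The guard also only works if `scripting_context` starts out NULL; its declaration is not in either hunk, so that is worth confirming.
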
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 176/235] ARM: dts: imx31: fix clock control module interrupts description
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (174 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 175/235] perf scripting: Avoid leaking the scripting_context variable Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 177/235] ARM: dts: imx31: move CCM device node to AIPS2 bus devices Jiri Slaby
                   ` (60 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Vladimir Zapolskiy, Shawn Guo, Jiri Slaby

From: Vladimir Zapolskiy <vz@mleia.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 2e575cbc930901718cc18e084566ecbb9a4b5ebb upstream.

The type of AVIC interrupt controller found on i.MX31 is one-cell,
namely 31 for CCM DVFS and 53 for CCM, however for clock control
module its interrupts are specified as 3-cells, fix it.

Fixes: ef0e4a606fb6 ("ARM: mx31: Replace clk_register_clkdev with clock DT lookup")
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 Documentation/devicetree/bindings/clock/imx31-clock.txt | 2 +-
 arch/arm/boot/dts/imx31.dtsi                            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Documentation/devicetree/bindings/clock/imx31-clock.txt b/Documentation/devicetree/bindings/clock/imx31-clock.txt
index 19df842c694f..8163d565f697 100644
--- a/Documentation/devicetree/bindings/clock/imx31-clock.txt
+++ b/Documentation/devicetree/bindings/clock/imx31-clock.txt
@@ -77,7 +77,7 @@ Examples:
 clks: ccm@53f80000{
 	compatible = "fsl,imx31-ccm";
 	reg = <0x53f80000 0x4000>;
-	interrupts = <0 31 0x04 0 53 0x04>;
+	interrupts = <31>, <53>;
 	#clock-cells = <1>;
 };
 
diff --git a/arch/arm/boot/dts/imx31.dtsi b/arch/arm/boot/dts/imx31.dtsi
index c34f82581248..ad166d74551a 100644
--- a/arch/arm/boot/dts/imx31.dtsi
+++ b/arch/arm/boot/dts/imx31.dtsi
@@ -114,7 +114,7 @@
 			clks: ccm@53f80000{
 				compatible = "fsl,imx31-ccm";
 				reg = <0x53f80000 0x4000>;
-				interrupts = <0 31 0x04 0 53 0x04>;
+				interrupts = <31>, <53>;
 				#clock-cells = <1>;
 			};
 		};
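
Review bot: the new `interrupts = <31>, <53>;` line gives no indication of which entry is which, although the commit message says 31 is CCM DVFS and 53 is CCM. A short comment here, or a sentence in the binding document changed by the first hunk, would record the ordering for anyone consuming the property.
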
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 177/235] ARM: dts: imx31: move CCM device node to AIPS2 bus devices
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (175 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 176/235] ARM: dts: imx31: fix clock control module interrupts description Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 178/235] ARM: dts: imx31: fix AVIC base address Jiri Slaby
                   ` (59 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Vladimir Zapolskiy, Shawn Guo, Jiri Slaby

From: Vladimir Zapolskiy <vz@mleia.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1f87aee6a2e55eda466a43ba6248a8b75eede153 upstream.

i.MX31 Clock Control Module controller is found on AIPS2 bus, move it
there from SPBA bus to avoid a conflict of device IO space mismatch.

Fixes: ef0e4a606fb6 ("ARM: mx31: Replace clk_register_clkdev with clock DT lookup")
Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/boot/dts/imx31.dtsi | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/arch/arm/boot/dts/imx31.dtsi b/arch/arm/boot/dts/imx31.dtsi
index ad166d74551a..8ec20b49db7e 100644
--- a/arch/arm/boot/dts/imx31.dtsi
+++ b/arch/arm/boot/dts/imx31.dtsi
@@ -110,13 +110,6 @@
 				interrupts = <19>;
 				clocks = <&clks 25>;
 			};
-
-			clks: ccm@53f80000{
-				compatible = "fsl,imx31-ccm";
-				reg = <0x53f80000 0x4000>;
-				interrupts = <31>, <53>;
-				#clock-cells = <1>;
-			};
 		};
 
 		aips@53f00000 { /* AIPS2 */
@@ -126,6 +119,13 @@
 			reg = <0x53f00000 0x100000>;
 			ranges;
 
+			clks: ccm@53f80000{
+				compatible = "fsl,imx31-ccm";
+				reg = <0x53f80000 0x4000>;
+				interrupts = <31>, <53>;
+				#clock-cells = <1>;
+			};
+
 			gpt: timer@53f90000 {
 				compatible = "fsl,imx31-gpt";
 				reg = <0x53f90000 0x4000>;
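
Review bot: the re-added node keeps `clks: ccm@53f80000{` with no space before the brace, unlike `gpt: timer@53f90000 {` directly below it. Since the node is being moved rather than left in place, this is the cheap moment to fix the spacing. The move itself looks consistent: 0x53f80000 falls inside the AIPS2 `reg = <0x53f00000 0x100000>` range shown in the context.
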
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 178/235] ARM: dts: imx31: fix AVIC base address
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (176 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 177/235] ARM: dts: imx31: move CCM device node to AIPS2 bus devices Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 179/235] x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F Jiri Slaby
                   ` (58 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Vladimir Zapolskiy, Shawn Guo, Jiri Slaby

From: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit af92305e567b7f4c9cf48b9e46c1f48ec9ffb1fb upstream.

On i.MX31 AVIC interrupt controller base address is at 0x68000000.

The problem was shadowed by the AVIC driver, which takes the correct
base address from a SoC specific header file.

Fixes: d2a37b3d91f4 ("ARM i.MX31: Add devicetree support")
Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/boot/dts/imx31.dtsi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm/boot/dts/imx31.dtsi b/arch/arm/boot/dts/imx31.dtsi
index 8ec20b49db7e..626e5e374572 100644
--- a/arch/arm/boot/dts/imx31.dtsi
+++ b/arch/arm/boot/dts/imx31.dtsi
@@ -30,11 +30,11 @@
 		};
 	};
 
-	avic: avic-interrupt-controller@60000000 {
+	avic: interrupt-controller@68000000 {
 		compatible = "fsl,imx31-avic", "fsl,avic";
 		interrupt-controller;
 		#interrupt-cells = <1>;
-		reg = <0x60000000 0x100000>;
+		reg = <0x68000000 0x100000>;
 	};
 
 	soc {
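
Review bot: the node is also renamed from `avic-interrupt-controller` to `interrupt-controller` in the same line that fixes the unit address, and the commit message only mentions the base address. Please mention the rename in the description and confirm nothing looks the node up by its old name or path; the `avic:` label is unchanged, so phandle references are unaffected.
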
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 179/235] x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (177 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 178/235] ARM: dts: imx31: fix AVIC base address Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 180/235] svcrpc: don't leak contexts on PROC_DESTROY Jiri Slaby
                   ` (57 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Bjorn Helgaas, Jiri Slaby

From: Bjorn Helgaas <bhelgaas@google.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 89e9f7bcd8744ea25fcf0ac671b8d72c10d7d790 upstream.

Martin reported that the Supermicro X8DTH-i/6/iF/6F advertises incorrect
host bridge windows via _CRS:

  pci_root PNP0A08:00: host bridge window [io  0xf000-0xffff]
  pci_root PNP0A08:01: host bridge window [io  0xf000-0xffff]

Both bridges advertise the 0xf000-0xffff window, which cannot be correct.

Work around this by ignoring _CRS on this system.  The downside is that we
may not assign resources correctly to hot-added PCI devices (if they are
possible on this system).

Link: https://bugzilla.kernel.org/show_bug.cgi?id=42606
Reported-by: Martin Burnicki <martin.burnicki@meinberg.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/pci/acpi.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
index a24e9c2e95da..a33c61c5e34a 100644
--- a/arch/x86/pci/acpi.c
+++ b/arch/x86/pci/acpi.c
@@ -118,6 +118,16 @@ static const struct dmi_system_id pci_crs_quirks[] __initconst = {
 			DMI_MATCH(DMI_BIOS_VERSION, "6JET85WW (1.43 )"),
 		},
 	},
+	/* https://bugzilla.kernel.org/show_bug.cgi?id=42606 */
+	{
+		.callback = set_nouse_crs,
+		.ident = "Supermicro X8DTH",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "Supermicro"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "X8DTH-i/6/iF/6F"),
+			DMI_MATCH(DMI_BIOS_VERSION, "2.0a"),
+		},
+	},
 
 	/* https://bugzilla.kernel.org/show_bug.cgi?id=15362 */
 	{
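
Review bot: the new quirk entry matches `DMI_BIOS_VERSION` "2.0a" exactly, while the commit message describes the bad _CRS windows as a property of the board. If other BIOS revisions of the X8DTH-i/6/iF/6F report the same overlapping 0xf000-0xffff windows they will not get the workaround; either say in the comment that only 2.0a was observed, or drop the BIOS match if the problem is known to be board-wide.
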
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 180/235] svcrpc: don't leak contexts on PROC_DESTROY
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (178 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 179/235] x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 181/235] mmc: mxs-mmc: Fix additional cycles after transmission stop Jiri Slaby
                   ` (56 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, J. Bruce Fields, Jiri Slaby

From: "J. Bruce Fields" <bfields@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 78794d1890708cf94e3961261e52dcec2cc34722 upstream.

Context expiry times are in units of seconds since boot, not unix time.

The use of get_seconds() here therefore sets the expiry time decades in
the future.  This prevents timely freeing of contexts destroyed by
client RPC_GSS_PROC_DESTROY requests.  We'd still free them eventually
(when the module is unloaded or the container shut down), but a lot of
contexts could pile up before then.

Fixes: c5b29f885afe "sunrpc: use seconds since boot in expiry cache"
Reported-by: Andy Adamson <andros@netapp.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 9d7e6097ef5b..6d0531a2a5c9 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1485,7 +1485,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
 	case RPC_GSS_PROC_DESTROY:
 		if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
 			goto auth_err;
-		rsci->h.expiry_time = get_seconds();
+		rsci->h.expiry_time = seconds_since_boot();
 		set_bit(CACHE_NEGATIVE, &rsci->h.flags);
 		if (resv->iov_len + 4 > PAGE_SIZE)
 			goto drop;
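
Review bot: the corrected `rsci->h.expiry_time = seconds_since_boot();` line carries no hint of the time base, which is exactly what went wrong with get_seconds(). A one-line comment stating that cache expiry times are in seconds since boot, as the commit message does, would make it harder to reintroduce the mistake.
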
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 181/235] mmc: mxs-mmc: Fix additional cycles after transmission stop
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (179 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 180/235] svcrpc: don't leak contexts on PROC_DESTROY Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 182/235] mtd: nand: xway: disable module support Jiri Slaby
                   ` (55 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Stefan Wahren, Ulf Hansson, Jiri Slaby

From: Stefan Wahren <stefan.wahren@i2se.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 01167c7b9cbf099c69fe411a228e4e9c7104e123 upstream.

According to the code the intention is to append 8 SCK cycles
instead of 4 at end of a MMC_STOP_TRANSMISSION command. But this
will never happen because it's an AC command not an ADTC command.
So fix this by moving the statement into the right function.

Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Fixes: e4243f13d10e (mmc: mxs-mmc: add mmc host driver for i.MX23/28)
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/mmc/host/mxs-mmc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/mmc/host/mxs-mmc.c b/drivers/mmc/host/mxs-mmc.c
index f8aac3044670..f87e6e9ce386 100644
--- a/drivers/mmc/host/mxs-mmc.c
+++ b/drivers/mmc/host/mxs-mmc.c
@@ -315,6 +315,9 @@ static void mxs_mmc_ac(struct mxs_mmc_host *host)
 	cmd0 = BF_SSP(cmd->opcode, CMD0_CMD);
 	cmd1 = cmd->arg;
 
+	if (cmd->opcode == MMC_STOP_TRANSMISSION)
+		cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
+
 	if (host->sdio_irq_en) {
 		ctrl0 |= BM_SSP_CTRL0_SDIO_IRQ_CHECK;
 		cmd0 |= BM_SSP_CMD0_CONT_CLKING_EN | BM_SSP_CMD0_SLOW_CLKING_EN;
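
Review bot: the new `MMC_STOP_TRANSMISSION` check in mxs_mmc_ac() sets BM_SSP_CMD0_APPEND_8CYC for a command that, per the commit message, never actually received it before, so this changes behaviour on hardware rather than just relocating code. The description does not say what it was tested on, which matters for a stable backport, and a short comment above the check saying why the stop command needs the extra cycles would help.
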
@@ -423,8 +426,7 @@ static void mxs_mmc_adtc(struct mxs_mmc_host *host)
 		       ssp->base + HW_SSP_BLOCK_SIZE);
 	}
 
-	if ((cmd->opcode == MMC_STOP_TRANSMISSION) ||
-	    (cmd->opcode == SD_IO_RW_EXTENDED))
+	if (cmd->opcode == SD_IO_RW_EXTENDED)
 		cmd0 |= BM_SSP_CMD0_APPEND_8CYC;
 
 	cmd1 = cmd->arg;
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 182/235] mtd: nand: xway: disable module support
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (180 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 181/235] mmc: mxs-mmc: Fix additional cycles after transmission stop Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 183/235] qla2xxx: Fix crash due to null pointer access Jiri Slaby
                   ` (54 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Hauke Mehrtens, Boris Brezillon, Jiri Slaby

From: Hauke Mehrtens <hauke@hauke-m.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 73529c872a189c747bdb528ce9b85b67b0e28dec upstream.

The xway_nand driver accesses the ltq_ebu_membase symbol which is not
exported. This also should not get exported and we should handle the
EBU interface in a better way later. This quick fix just deactivated
support for building as module.

Fixes: 99f2b107924c ("mtd: lantiq: Add NAND support on Lantiq XWAY SoC.")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/mtd/nand/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/nand/Kconfig b/drivers/mtd/nand/Kconfig
index d88529841d3f..2bb9c04cb2c5 100644
--- a/drivers/mtd/nand/Kconfig
+++ b/drivers/mtd/nand/Kconfig
@@ -531,7 +531,7 @@ config MTD_NAND_FSMC
 	  Flexible Static Memory Controller (FSMC)
 
 config MTD_NAND_XWAY
-	tristate "Support for NAND on Lantiq XWAY SoC"
+	bool "Support for NAND on Lantiq XWAY SoC"
 	depends on LANTIQ && SOC_TYPE_XWAY
 	select MTD_NAND_PLATFORM
 	help
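
Review bot: the switch from `tristate` to `bool` on MTD_NAND_XWAY leaves no trace in the Kconfig entry of why modular builds are disallowed. A comment or a sentence in the help text noting that the driver uses the unexported `ltq_ebu_membase` symbol, as the commit message explains, would stop someone from flipping it back to tristate later.
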
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 183/235] qla2xxx: Fix crash due to null pointer access
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (181 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 182/235] mtd: nand: xway: disable module support Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 184/235] ubifs: Fix journal replay wrt. xattr nodes Jiri Slaby
                   ` (53 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Quinn Tran, Himanshu Madhani, Bart Van Assche, Jiri Slaby

From: Quinn Tran <quinn.tran@cavium.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit fc1ffd6cb38a1c1af625b9833c41928039e733f5 upstream.

During code inspection, while investigating the following stack trace
seen on one of the test setups, we found out there was a possibility
of a memory leak because the driver was not unwinding the stack properly.

This issue has not been reproduced in a test environment or on a
customer setup.

Here's stack trace that was seen.

[1469877.797315] Call Trace:
[1469877.799940]  [<ffffffffa03ab6e9>] qla2x00_mem_alloc+0xb09/0x10c0 [qla2xxx]
[1469877.806980]  [<ffffffffa03ac50a>] qla2x00_probe_one+0x86a/0x1b50 [qla2xxx]
[1469877.814013]  [<ffffffff813b6d01>] ? __pm_runtime_resume+0x51/0xa0
[1469877.820265]  [<ffffffff8157c1f5>] ? _raw_spin_lock_irqsave+0x25/0x90
[1469877.826776]  [<ffffffff8157cd2d>] ? _raw_spin_unlock_irqrestore+0x6d/0x80
[1469877.833720]  [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
[1469877.839885]  [<ffffffff8157cd0c>] ? _raw_spin_unlock_irqrestore+0x4c/0x80
[1469877.846830]  [<ffffffff81319b9c>] local_pci_probe+0x4c/0xb0
[1469877.852562]  [<ffffffff810741d1>] ? preempt_count_sub+0xb1/0x100
[1469877.858727]  [<ffffffff81319c89>] pci_call_probe+0x89/0xb0

Signed-off-by: Quinn Tran <quinn.tran@cavium.com>
Signed-off-by: Himanshu Madhani <himanshu.madhani@cavium.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
[ bvanassche: Fixed spelling in patch description ]
Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/scsi/qla2xxx/qla_os.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 36d62fd53511..ebc939e85b76 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3384,7 +3384,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len,
 				sizeof(struct ct6_dsd), 0,
 				SLAB_HWCACHE_ALIGN, NULL);
 			if (!ctx_cachep)
-				goto fail_free_gid_list;
+				goto fail_free_srb_mempool;
 		}
 		ha->ctx_mempool = mempool_create_slab_pool(SRB_MIN_REQ,
 			ctx_cachep);
@@ -3537,7 +3537,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len,
 	ha->loop_id_map = kzalloc(BITS_TO_LONGS(LOOPID_MAP_SIZE) * sizeof(long),
 	    GFP_KERNEL);
 	if (!ha->loop_id_map)
-		goto fail_async_pd;
+		goto fail_loop_id_map;
 	else {
 		qla2x00_set_reserved_loop_ids(ha);
 		ql_dbg_pci(ql_dbg_init, ha->pdev, 0x0123,
@@ -3546,6 +3546,8 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len,
 
 	return 0;
 
+fail_loop_id_map:
+	dma_pool_free(ha->s_dma_pool, ha->async_pd, ha->async_pd_dma);
 fail_async_pd:
 	dma_pool_free(ha->s_dma_pool, ha->ex_init_cb, ha->ex_init_cb_dma);
 fail_ex_init_cb:
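
Review bot: the new `fail_loop_id_map:` label calls dma_pool_free() on `ha->async_pd` unconditionally, and the allocation of `async_pd` is not visible in these hunks. Please confirm it is always allocated before the `loop_id_map` kzalloc; if it is allocated only for some adapters, this path would hand a NULL pointer to dma_pool_free() and needs a guard like the one added for `sns_cmd` below.
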
@@ -3573,6 +3575,10 @@ fail_free_ms_iocb:
 	dma_pool_free(ha->s_dma_pool, ha->ms_iocb, ha->ms_iocb_dma);
 	ha->ms_iocb = NULL;
 	ha->ms_iocb_dma = 0;
+
+	if (ha->sns_cmd)
+		dma_free_coherent(&ha->pdev->dev, sizeof(struct sns_cmd_pkt),
+		    ha->sns_cmd, ha->sns_cmd_dma);
 fail_dma_pool:
 	if (IS_QLA82XX(ha) || ql2xenabledif) {
 		dma_pool_destroy(ha->fcp_cmnd_dma_pool);
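
Review bot: the added `dma_free_coherent()` for `ha->sns_cmd` does not reset the pointer afterwards, whereas the lines just above it set `ha->ms_iocb = NULL` and `ha->ms_iocb_dma = 0` after freeing. Clearing `ha->sns_cmd` and `ha->sns_cmd_dma` the same way would keep the unwind path consistent and protect against a second free if the structure is torn down again later.
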
@@ -3590,10 +3596,12 @@ fail_free_nvram:
 	kfree(ha->nvram);
 	ha->nvram = NULL;
 fail_free_ctx_mempool:
-	mempool_destroy(ha->ctx_mempool);
+	if (ha->ctx_mempool)
+		mempool_destroy(ha->ctx_mempool);
 	ha->ctx_mempool = NULL;
 fail_free_srb_mempool:
-	mempool_destroy(ha->srb_mempool);
+	if (ha->srb_mempool)
+		mempool_destroy(ha->srb_mempool);
 	ha->srb_mempool = NULL;
 fail_free_gid_list:
 	dma_free_coherent(&ha->pdev->dev, qla2x00_gid_list_size(ha),
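
Review bot: the `if (ha->ctx_mempool)` and `if (ha->srb_mempool)` guards imply these labels can be reached with the pools still NULL, but the commit message talks about a memory leak while the subject says null pointer access, and neither says which jump gets here with an unallocated pool. Please name the path in the description so the guards can be checked against it.
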
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 184/235] ubifs: Fix journal replay wrt. xattr nodes
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (182 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 183/235] qla2xxx: Fix crash due to null pointer access Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 185/235] clockevents/drivers/exynos_mct: Remove unneeded container_of() Jiri Slaby
                   ` (52 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Richard Weinberger, Jiri Slaby

From: Richard Weinberger <richard@nod.at>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1cb51a15b576ee325d527726afff40947218fd5e upstream.

When replaying the journal it can happen that a journal entry points to
a garbage collected node.
This is the case when a power-cut occurred between a garbage collect run
and a commit. In such a case nodes have to be read using the failable
read functions to detect whether the found node matches what we expect.

One corner case was forgotten, when the journal contains an entry to
remove an inode all xattrs have to be removed too. UBIFS models xattr
like directory entries, so the TNC code iterates over
all xattrs of the inode and removes them too. This code re-uses the
functions for walking directories and calls ubifs_tnc_next_ent().
ubifs_tnc_next_ent() expects to be used only after the journal and
aborts when a node does not match the expected result. This behavior can
render an UBIFS volume unmountable after a power-cut when xattrs are
used.

Fix this issue by using failable read functions in ubifs_tnc_next_ent()
too when replaying the journal.
Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
Reported-by: Rock Lee <rockdotlee@gmail.com>
Reviewed-by: David Gstir <david@sigma-star.at>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ubifs/tnc.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
index 349f31a30f40..fdf2ca1dd771 100644
--- a/fs/ubifs/tnc.c
+++ b/fs/ubifs/tnc.c
@@ -34,6 +34,11 @@
 #include <linux/slab.h>
 #include "ubifs.h"
 
+static int try_read_node(const struct ubifs_info *c, void *buf, int type,
+			 int len, int lnum, int offs);
+static int fallible_read_node(struct ubifs_info *c, const union ubifs_key *key,
+			      struct ubifs_zbranch *zbr, void *node);
+
 /*
  * Returned codes of 'matches_name()' and 'fallible_matches_name()' functions.
  * @NAME_LESS: name corresponding to the first argument is less than second
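
Review bot: the forward declaration of `try_read_node()` is added here, but none of the added lines in this patch call it; only `fallible_read_node()` and `fallible_resolve_collision()` are used. If it is not needed for the build, drop it, and if it is, a word in the commit message on why would help.
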
@@ -419,7 +424,19 @@ static int tnc_read_node_nm(struct ubifs_info *c, struct ubifs_zbranch *zbr,
 		return 0;
 	}
 
-	err = ubifs_tnc_read_node(c, zbr, node);
+	if (c->replaying) {
+		err = fallible_read_node(c, &zbr->key, zbr, node);
+		/*
+		 * When the node was not found, return -ENOENT, 0 otherwise.
+		 * Negative return codes stay as-is.
+		 */
+		if (err == 0)
+			err = -ENOENT;
+		else if (err == 1)
+			err = 0;
+	} else {
+		err = ubifs_tnc_read_node(c, zbr, node);
+	}
 	if (err)
 		return err;
 
@@ -2783,7 +2800,11 @@ struct ubifs_dent_node *ubifs_tnc_next_ent(struct ubifs_info *c,
 	if (nm->name) {
 		if (err) {
 			/* Handle collisions */
-			err = resolve_collision(c, key, &znode, &n, nm);
+			if (c->replaying)
+				err = fallible_resolve_collision(c, key, &znode, &n,
+							 nm, 0);
+			else
+				err = resolve_collision(c, key, &znode, &n, nm);
 			dbg_tnc("rc returned %d, znode %p, n %d",
 				err, znode, n);
 			if (unlikely(err < 0))
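
Review bot: the call `fallible_resolve_collision(c, key, &znode, &n, nm, 0)` passes a bare `0` as its last argument with no indication of what it selects. A short comment naming the parameter would help. Note also that the `dbg_tnc("rc returned %d ...")` line that follows now reports the result of either function, so the "rc" prefix no longer identifies which one ran.
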
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 185/235] clockevents/drivers/exynos_mct: Remove unneeded container_of()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (183 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 184/235] ubifs: Fix journal replay wrt. xattr nodes Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55   ` Jiri Slaby
                   ` (51 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Alexey Klimov, Daniel Lezcano, Jiri Slaby

From: Alexey Klimov <klimov.linux@gmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 479a932982944786269296a31682e5642f87b89a upstream.

Patch removes unneeded container_of() macro in exynos4_local_timer_setup().
Instead let's pass mevt pointer to setup and stop functions from
exynos4_mct_cpu_notify() and let them get evt pointer.

Tested on odroid-xu3.

Signed-off-by: Alexey Klimov <klimov.linux@gmail.com>
Acked-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/clocksource/exynos_mct.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
index fc0e502022de..af994880be72 100644
--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -398,13 +398,11 @@ static irqreturn_t exynos4_mct_tick_isr(int irq, void *dev_id)
 	return IRQ_HANDLED;
 }
 
-static int exynos4_local_timer_setup(struct clock_event_device *evt)
+static int exynos4_local_timer_setup(struct mct_clock_event_device *mevt)
 {
-	struct mct_clock_event_device *mevt;
+	struct clock_event_device *evt = &mevt->evt;
 	unsigned int cpu = smp_processor_id();
 
-	mevt = container_of(evt, struct mct_clock_event_device, evt);
-
 	mevt->base = EXYNOS4_MCT_L_BASE(cpu);
 	sprintf(mevt->name, "mct_tick%d", cpu);
 
@@ -433,8 +431,10 @@ static int exynos4_local_timer_setup(struct clock_event_device *evt)
 	return 0;
 }
 
-static void exynos4_local_timer_stop(struct clock_event_device *evt)
+static void exynos4_local_timer_stop(struct mct_clock_event_device *mevt)
 {
+	struct clock_event_device *evt = &mevt->evt;
+
 	evt->set_mode(CLOCK_EVT_MODE_UNUSED, evt);
 	if (mct_int_type == MCT_INT_SPI) {
 		if (evt->irq != -1)
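
Review bot: the signature change of exynos4_local_timer_stop() to take `struct mct_clock_event_device *mevt` is presented as a pure cleanup, yet it is queued for stable without a Fixes tag or any stated bug. The next patch in the series uses `mevt->base` inside this function, so this looks like a prerequisite; saying so in the commit message would explain why a cleanup is being backported.
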
@@ -456,11 +456,11 @@ static int exynos4_mct_cpu_notify(struct notifier_block *self,
 	switch (action & ~CPU_TASKS_FROZEN) {
 	case CPU_STARTING:
 		mevt = this_cpu_ptr(&percpu_mct_tick);
-		exynos4_local_timer_setup(&mevt->evt);
+		exynos4_local_timer_setup(mevt);
 		break;
 	case CPU_DYING:
 		mevt = this_cpu_ptr(&percpu_mct_tick);
-		exynos4_local_timer_stop(&mevt->evt);
+		exynos4_local_timer_stop(mevt);
 		break;
 	}
 
@@ -526,7 +526,7 @@ static void __init exynos4_timer_resources(struct device_node *np, void __iomem
 		goto out_irq;
 
 	/* Immediately configure the timer on the boot CPU */
-	exynos4_local_timer_setup(&mevt->evt);
+	exynos4_local_timer_setup(mevt);
 	return;
 
 out_irq:
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 186/235] clocksource/exynos_mct: Clear interrupt when cpu is shut down
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 001/235] driver core: Delete an unnecessary check before the function call "put_device" Jiri Slaby
@ 2017-01-27 10:55   ` Jiri Slaby
  2017-01-27 10:52 ` [PATCH 3.12 003/235] ext4: fix data exposure after a crash Jiri Slaby
                     ` (234 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Joonyoung Shim, linux-samsung-soc, cw00.choi,
	daniel.lezcano, javier, kgene, krzk, linux-arm-kernel,
	Thomas Gleixner, Jiri Slaby

From: Joonyoung Shim <jy0922.shim@samsung.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit bc7c36eedb0c7004aa06c2afc3c5385adada8fa3 upstream.

When a CPU goes offline a potentially pending timer interrupt is not
cleared. When the CPU comes online again then the pending interrupt is
delivered before the per cpu clockevent device is initialized. As a
consequence the tick interrupt handler dereferences a NULL pointer.

[   51.251378] Unable to handle kernel NULL pointer dereference at virtual address 00000040
[   51.289348] task: ee942d00 task.stack: ee960000
[   51.293861] PC is at tick_periodic+0x38/0xb0
[   51.298102] LR is at tick_handle_periodic+0x1c/0x90

Clear the pending interrupt in the cpu dying path.

Fixes: 56a94f13919c ("clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier")
Reported-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Cc: linux-samsung-soc@vger.kernel.org
Cc: cw00.choi@samsung.com
Cc: daniel.lezcano@linaro.org
Cc: javier@osg.samsung.com
Cc: kgene@kernel.org
Cc: krzk@kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Link: http://lkml.kernel.org/r/1484628876-22065-1-git-send-email-jy0922.shim@samsung.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/clocksource/exynos_mct.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/clocksource/exynos_mct.c b/drivers/clocksource/exynos_mct.c
index af994880be72..26bfe09ce0fb 100644
--- a/drivers/clocksource/exynos_mct.c
+++ b/drivers/clocksource/exynos_mct.c
@@ -439,6 +439,7 @@ static void exynos4_local_timer_stop(struct mct_clock_event_device *mevt)
 	if (mct_int_type == MCT_INT_SPI) {
 		if (evt->irq != -1)
 			disable_irq_nosync(evt->irq);
+		exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET);
 	} else {
 		disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
 	}
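Review bot: the new exynos4_mct_write(0x1, mevt->base + MCT_L_INT_CSTAT_OFFSET) sits only in the MCT_INT_SPI branch, so the else branch (disable_percpu_irq) leaves a pending tick uncleared. Please state in the commit message or in a comment why the per-cpu interrupt case cannot hit the same NULL dereference when the CPU comes back online, or clear it there too. The literal 0x1 would also read better as a named bit with a one-line comment saying that it acknowledges a stale interrupt before the CPU goes down.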
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 187/235] ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (185 preceding siblings ...)
  2017-01-27 10:55   ` Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 188/235] ARM: dts: da850-evm: fix read access to SPI flash Jiri Slaby
                   ` (49 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Mark Rutland, Russell King, Russell King, Jiri Slaby

From: Mark Rutland <mark.rutland@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ddc37832a1349f474c4532de381498020ed71d31 upstream.

On APQ8060, the kernel crashes in arch_hw_breakpoint_init, taking an
undefined instruction trap within write_wb_reg. This is because Scorpion
CPUs erroneously appear to set DBGPRSR.SPD when WFI is issued, even if
the core is not powered down. When DBGPRSR.SPD is set, breakpoint and
watchpoint registers are treated as undefined.

It's possible to trigger similar crashes later on from userspace, by
requesting the kernel to install a breakpoint or watchpoint, as we can
go idle at any point between the reset of the debug registers and their
later use. This has always been the case.

Given that this has always been broken, no-one has complained until now,
and there is no clear workaround, disable hardware breakpoints and
watchpoints on Scorpion to avoid these issues.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reported-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/include/asm/cputype.h  |  3 +++
 arch/arm/kernel/hw_breakpoint.c | 16 ++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/arch/arm/include/asm/cputype.h b/arch/arm/include/asm/cputype.h
index 9672e978d50d..569549079bc7 100644
--- a/arch/arm/include/asm/cputype.h
+++ b/arch/arm/include/asm/cputype.h
@@ -76,6 +76,9 @@
 #define ARM_CPU_XSCALE_ARCH_V2		0x4000
 #define ARM_CPU_XSCALE_ARCH_V3		0x6000
 
+/* Qualcomm implemented cores */
+#define ARM_CPU_PART_SCORPION		0x510002d0
+
 extern unsigned int processor_id;
 
 #ifdef CONFIG_CPU_CP15
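Review bot: ARM_CPU_PART_SCORPION is named like a part number, but 0x510002d0 also carries the implementer byte (0x51) and only matches once the caller masks the ID with 0xff00fff0. Add a comment here saying which ID fields the value covers, or define the mask next to it, so the constant is not later compared against an unmasked or differently masked ID.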
diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
index 7b95de601357..b3ebae328fac 100644
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -1066,6 +1066,22 @@ static int __init arch_hw_breakpoint_init(void)
 		return 0;
 	}
 
+	/*
+	 * Scorpion CPUs (at least those in APQ8060) seem to set DBGPRSR.SPD
+	 * whenever a WFI is issued, even if the core is not powered down, in
+	 * violation of the architecture.  When DBGPRSR.SPD is set, accesses to
+	 * breakpoint and watchpoint registers are treated as undefined, so
+	 * this results in boot time and runtime failures when these are
+	 * accessed and we unexpectedly take a trap.
+	 *
+	 * It's not clear if/how this can be worked around, so we blacklist
+	 * Scorpion CPUs to avoid these issues.
+	*/
+	if ((read_cpuid_id() & 0xff00fff0) == ARM_CPU_PART_SCORPION) {
+		pr_info("Scorpion CPU detected. Hardware breakpoints and watchpoints disabled\n");
+		return 0;
+	}
+
 	has_ossr = core_has_os_save_restore();
 
 	/* Determine how many BRPs/WRPs are available. */
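Review bot: the mask 0xff00fff0 in the new check is an unexplained literal; a named mask defined beside ARM_CPU_PART_SCORPION would make it clear which ID fields are being ignored. The comment says the behaviour was seen on "at least those in APQ8060" while the test disables breakpoints and watchpoints on every CPU that matches, so say that the wider match is deliberate. The closing "*/" of the comment block is also missing its leading space.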
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 188/235] ARM: dts: da850-evm: fix read access to SPI flash
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (186 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 187/235] ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 189/235] arm64/ptrace: Preserve previous registers for short regset write Jiri Slaby
                   ` (48 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Fabien Parent, Sekhar Nori, Jiri Slaby, Olof Johansson

From: Fabien Parent <fparent@baylibre.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 43849785e1079f6606a31cb7fda92d1200849728 upstream.

Read access to the SPI flash is broken on da850-evm, i.e. the data
read is not what is actually programmed on the flash.
According to the datasheet for the M25P64 part present on the da850-evm,
if the SPI frequency is higher than 20MHz then the READ command is not
usable anymore and only the FAST_READ command can be used to read data.

This commit specifies in the DTS that we should use FAST_READ command
instead of the READ command.

Tested-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Fabien Parent <fparent@baylibre.com>
[nsekhar@ti.com: subject line adjustment]
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>

Signed-off-by: Olof Johansson <olof@lixom.net>
---
 arch/arm/boot/dts/da850-evm.dts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/boot/dts/da850-evm.dts b/arch/arm/boot/dts/da850-evm.dts
index 588ce58a2959..bd81f1da17a6 100644
--- a/arch/arm/boot/dts/da850-evm.dts
+++ b/arch/arm/boot/dts/da850-evm.dts
@@ -59,6 +59,7 @@
 				#size-cells = <1>;
 				compatible = "m25p64";
 				spi-max-frequency = <30000000>;
+				m25p,fast-read;
 				reg = <0>;
 				partition@0 {
 					label = "U-Boot-SPL";
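Review bot: m25p,fast-read is only required because spi-max-frequency is <30000000>, above the 20MHz limit the commit message cites for the READ command, but nothing in the node records that dependency. A one-line comment above the property would stop it being dropped as unused, and would flag that the two lines have to change together.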
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 189/235] arm64/ptrace: Preserve previous registers for short regset write
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (187 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 188/235] ARM: dts: da850-evm: fix read access to SPI flash Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 190/235] arm64/ptrace: Avoid uninitialised struct padding in fpr_set() Jiri Slaby
                   ` (47 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dave Martin, Catalin Marinas, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 9a17b876b573441bfb3387ad55d98bf7184daf9d upstream.

Ensure that if userspace supplies insufficient data to
PTRACE_SETREGSET to fill all the registers, the thread's old
registers are preserved.

Fixes: 478fcb2cdb23 ("arm64: Debugging support")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm64/kernel/ptrace.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 9b9d651446ba..076bd41bf5ac 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -487,7 +487,7 @@ static int gpr_set(struct task_struct *target, const struct user_regset *regset,
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct user_pt_regs newregs;
+	struct user_pt_regs newregs = task_pt_regs(target)->user_regs;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newregs, 0, -1);
 	if (ret)
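Review bot: the initialiser on newregs is the whole fix here, since before it a short write left the tail of an uninitialised stack struct to be used as register values, yet it reads like a redundant copy that a later cleanup could remove. Add a short comment above the declaration saying the thread's current registers are the defaults for any bytes userspace does not supply.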
@@ -517,7 +517,8 @@ static int fpr_set(struct task_struct *target, const struct user_regset *regset,
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	struct user_fpsimd_state newstate;
+	struct user_fpsimd_state newstate =
+		target->thread.fpsimd_state.user_fpsimd;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &newstate, 0, -1);
 	if (ret)
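Review bot: the struct assignment into newstate copies the named members of user_fpsimd_state, but unnamed padding is not guaranteed to be copied, so part of newstate can still be uninitialised when it is written back. This hunk depends on the explicit __reserved[] field added by 190/235 to be complete; the two should be applied and backported together, and the commit message should say so.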
@@ -540,7 +541,7 @@ static int tls_set(struct task_struct *target, const struct user_regset *regset,
 		   const void *kbuf, const void __user *ubuf)
 {
 	int ret;
-	unsigned long tls;
+	unsigned long tls = target->thread.tp_value;
 
 	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
 	if (ret)
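Review bot: with tls preloaded from target->thread.tp_value, a count shorter than sizeof(tls), if one can reach this function, now yields a value that mixes bytes from userspace with bytes of the old pointer. For a single scalar that is unlikely to be what the caller intended; consider rejecting a short count with -EINVAL, as 191/235 does for incomplete breakpoint fields, rather than merging.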
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 190/235] arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (188 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 189/235] arm64/ptrace: Preserve previous registers for short regset write Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 191/235] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields Jiri Slaby
                   ` (46 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dave Martin, Catalin Marinas, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit aeb1f39d814b2e21e5e5706a48834bfd553d0059 upstream.

This patch adds an explicit __reserved[] field to user_fpsimd_state
to replace what was previously unnamed padding.

This ensures that data in this region are propagated across
assignment rather than being left possibly uninitialised at the
destination.

Fixes: 60ffc30d5652 ("arm64: Exception handling")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm64/include/uapi/asm/ptrace.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm64/include/uapi/asm/ptrace.h b/arch/arm64/include/uapi/asm/ptrace.h
index 6913643bbe54..c136fd53c847 100644
--- a/arch/arm64/include/uapi/asm/ptrace.h
+++ b/arch/arm64/include/uapi/asm/ptrace.h
@@ -75,6 +75,7 @@ struct user_fpsimd_state {
 	__uint128_t	vregs[32];
 	__u32		fpsr;
 	__u32		fpcr;
+	__u32		__reserved[2];
 };
 
 struct user_hwdebug_state {
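Review bot: __reserved[2] is added to a uapi struct with no comment, and once it is a named member fpr_set() will carry whatever userspace places in those eight bytes into the thread's saved state. Document the field as reserved padding (and decide whether it must be zero or is ignored), and add a note or a BUILD_BUG_ON showing that sizeof(struct user_fpsimd_state) is unchanged, since the commit message says the field only names what was previously padding.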
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 191/235] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (189 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 190/235] arm64/ptrace: Avoid uninitialised struct padding in fpr_set() Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 192/235] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation Jiri Slaby
                   ` (45 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dave Martin, Catalin Marinas, Jiri Slaby

From: Dave Martin <Dave.Martin@arm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ad9e202aa1ce571b1d7fed969d06f66067f8a086 upstream.

We cannot preserve partial fields for hardware breakpoints, because
the values written by userspace to the hardware breakpoint
registers can't subsequently be recovered intact from the hardware.

So, just reject attempts to write incomplete fields with -EINVAL.

Fixes: 478fcb2cdb23 ("arm64: Debugging support")
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: Will Deacon <Will.Deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm64/kernel/ptrace.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 076bd41bf5ac..cdf1ec11c015 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -442,6 +442,8 @@ static int hw_break_set(struct task_struct *target,
 	/* (address, ctrl) registers */
 	limit = regset->n * regset->size;
 	while (count && offset < limit) {
+		if (count < PTRACE_HBP_ADDR_SZ)
+			return -EINVAL;
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &addr,
 					 offset, offset + PTRACE_HBP_ADDR_SZ);
 		if (ret)
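Review bot: the new -EINVAL return for count < PTRACE_HBP_ADDR_SZ sits inside the while loop, so a buffer that ends in the middle of an address fails only after the earlier (address, ctrl) pairs have been processed. If those iterations have side effects, the caller gets an error with some breakpoints already changed; validating the total length before entering the loop would make the call all-or-nothing.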
@@ -451,6 +453,8 @@ static int hw_break_set(struct task_struct *target,
 			return ret;
 		offset += PTRACE_HBP_ADDR_SZ;
 
+		if (!count)
+			break;
 		ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl,
 					 offset, offset + PTRACE_HBP_CTRL_SZ);
 		if (ret)
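Review bot: the "if (!count) break;" added before the ctrl copy handles a buffer that ends exactly after an address, but there is no matching check for count < PTRACE_HBP_CTRL_SZ. The commit message's promise to reject incomplete fields therefore holds for ctrl only if something outside this hunk guarantees that count is a multiple of the ctrl size; please add the check or a comment naming that guarantee.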
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 192/235] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (190 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 191/235] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 193/235] ite-cir: initialize use_demodulator before using it Jiri Slaby
                   ` (44 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Arnd Bergmann, Linus Walleij, Jiri Slaby

From: Arnd Bergmann <arnd@arndb.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f0e8faa7a5e894b0fc99d24be1b18685a92ea466 upstream.

This function clearly never worked and always returns true,
as pointed out by gcc-7:

arch/arm/mach-ux500/pm.c: In function 'prcmu_is_cpu_in_wfi':
arch/arm/mach-ux500/pm.c:137:212: error: ?:
using integer constants in boolean context, the expression
will always evaluate to 'true' [-Werror=int-in-bool-context]

With the added braces, the condition actually makes sense.

Fixes: 34fe6f107eab ("mfd : Check if the other db8500 core is in WFI")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/arm/mach-ux500/pm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm/mach-ux500/pm.c b/arch/arm/mach-ux500/pm.c
index 1a468f0fd22e..9d532568b8b3 100644
--- a/arch/arm/mach-ux500/pm.c
+++ b/arch/arm/mach-ux500/pm.c
@@ -128,8 +128,8 @@ bool prcmu_pending_irq(void)
  */
 bool prcmu_is_cpu_in_wfi(int cpu)
 {
-	return readl(PRCM_ARM_WFI_STANDBY) & cpu ? PRCM_ARM_WFI_STANDBY_WFI1 :
-		     PRCM_ARM_WFI_STANDBY_WFI0;
+	return readl(PRCM_ARM_WFI_STANDBY) &
+		(cpu ? PRCM_ARM_WFI_STANDBY_WFI1 : PRCM_ARM_WFI_STANDBY_WFI0);
 }
 
 /*
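Review bot: with the parentheses in place, any non-zero cpu selects PRCM_ARM_WFI_STANDBY_WFI1, so an out-of-range cpu number silently reports the state of CPU 1. Because the commit message says the function has returned true for every call until now, its callers should be rechecked for reliance on that, and the masked readl() result could be compared with != 0 to make the bool return explicit.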
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 193/235] ite-cir: initialize use_demodulator before using it
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (191 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 192/235] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 194/235] posix_acl: Clear SGID bit when setting file permissions Jiri Slaby
                   ` (43 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Nicolas Iooss, Mauro Carvalho Chehab, Jiri Slaby

From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7ec03e60ef81c19b5d3a46dd070ee966774b860f upstream.

Function ite_set_carrier_params() uses variable use_demodulator after
having initialized it to false in some if branches, but this variable is
never set to true otherwise.

This bug has been found using clang -Wsometimes-uninitialized warning
flag.

Fixes: 620a32bba4a2 ("[media] rc: New rc-based ite-cir driver for
several ITE CIRs")

Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/rc/ite-cir.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
index 63b42252166a..7a754ec826ac 100644
--- a/drivers/media/rc/ite-cir.c
+++ b/drivers/media/rc/ite-cir.c
@@ -263,6 +263,8 @@ static void ite_set_carrier_params(struct ite_dev *dev)
 
 			if (allowance > ITE_RXDCR_MAX)
 				allowance = ITE_RXDCR_MAX;
+
+			use_demodulator = true;
 		}
 	}
 
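Review bot: use_demodulator = true is assigned only at the end of this inner block, so correctness still depends on every other path through ite_set_carrier_params() assigning the variable before it is read, and the commit message says only some branches do so. Giving the variable a value at its declaration would close the whole class of -Wsometimes-uninitialized bug rather than one branch of it.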
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 194/235] posix_acl: Clear SGID bit when setting file permissions
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (192 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 193/235] ite-cir: initialize use_demodulator before using it Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 195/235] NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT Jiri Slaby
                   ` (42 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Jan Kara, Andreas Gruenbacher, Jiri Slaby

From: Jan Kara <jack@suse.cz>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 073931017b49d9458aa351605b43a7e34598caef upstream.

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2).  Fix that.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/9p/acl.c               | 40 +++++++++++++++++-----------------------
 fs/btrfs/acl.c            |  6 ++----
 fs/ext2/acl.c             | 12 ++++--------
 fs/ext3/acl.c             | 10 +++-------
 fs/ext4/acl.c             | 12 ++++--------
 fs/f2fs/acl.c             |  6 ++----
 fs/gfs2/acl.c             | 14 ++++++--------
 fs/hfsplus/posix_acl.c    |  4 ++--
 fs/hfsplus/xattr.c        |  5 +++--
 fs/jffs2/acl.c            |  9 ++++-----
 fs/jfs/xattr.c            |  5 +++--
 fs/ocfs2/acl.c            | 20 +++++++-------------
 fs/posix_acl.c            | 31 +++++++++++++++++++++++++++++++
 fs/reiserfs/xattr_acl.c   |  8 ++------
 fs/xfs/xfs_acl.c          | 15 +++++++--------
 include/linux/posix_acl.h |  1 +
 16 files changed, 98 insertions(+), 100 deletions(-)

diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index 7af425f53bee..9686c1f17653 100644
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -320,32 +320,26 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
 	case ACL_TYPE_ACCESS:
 		name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			umode_t mode = inode->i_mode;
-			retval = posix_acl_equiv_mode(acl, &mode);
-			if (retval < 0)
+			struct iattr iattr;
+
+			retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
+			if (retval)
 				goto err_out;
-			else {
-				struct iattr iattr;
-				if (retval == 0) {
-					/*
-					 * ACL can be represented
-					 * by the mode bits. So don't
-					 * update ACL.
-					 */
-					acl = NULL;
-					value = NULL;
-					size = 0;
-				}
-				/* Updte the mode bits */
-				iattr.ia_mode = ((mode & S_IALLUGO) |
-						 (inode->i_mode & ~S_IALLUGO));
-				iattr.ia_valid = ATTR_MODE;
-				/* FIXME should we update ctime ?
-				 * What is the following setxattr update the
-				 * mode ?
+			if (!acl) {
+				/*
+				 * ACL can be represented
+				 * by the mode bits. So don't
+				 * update ACL.
 				 */
-				v9fs_vfs_setattr_dotl(dentry, &iattr);
+				value = NULL;
+				size = 0;
 			}
+			iattr.ia_valid = ATTR_MODE;
+			/* FIXME should we update ctime ?
+			 * What is the following setxattr update the
+			 * mode ?
+			 */
+			v9fs_vfs_setattr_dotl(dentry, &iattr);
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
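Review bot: the return value of v9fs_vfs_setattr_dotl(dentry, &iattr) is still ignored, so if pushing the new mode (including a cleared SGID bit) fails, the function carries on as if the mode had been updated. Since this patch exists to make that mode change reliable, propagate the error to err_out. iattr is also a stack struct with only ia_mode and ia_valid assigned; zero-initialise it while the block is being rewritten.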
diff --git a/fs/btrfs/acl.c b/fs/btrfs/acl.c
index 0890c83643e9..d6d53e5e7945 100644
--- a/fs/btrfs/acl.c
+++ b/fs/btrfs/acl.c
@@ -118,11 +118,9 @@ static int btrfs_set_acl(struct btrfs_trans_handle *trans,
 	case ACL_TYPE_ACCESS:
 		name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			ret = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (ret < 0)
+			ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (ret)
 				return ret;
-			if (ret == 0)
-				acl = NULL;
 		}
 		ret = 0;
 		break;
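Review bot: posix_acl_update_mode() is handed &inode->i_mode directly, so the in-memory mode, including any SGID clearing, is changed before the ACL itself has been stored. If a later step in btrfs_set_acl() fails, the inode keeps the new mode with the old ACL; computing into a local umode_t and assigning on success, as the jffs2 and ocfs2 hunks in this patch do, avoids that.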
diff --git a/fs/ext2/acl.c b/fs/ext2/acl.c
index 110b6b371a4e..48c3c2d7d261 100644
--- a/fs/ext2/acl.c
+++ b/fs/ext2/acl.c
@@ -206,15 +206,11 @@ ext2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
 		case ACL_TYPE_ACCESS:
 			name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
 			if (acl) {
-				error = posix_acl_equiv_mode(acl, &inode->i_mode);
-				if (error < 0)
+				error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+				if (error)
 					return error;
-				else {
-					inode->i_ctime = CURRENT_TIME_SEC;
-					mark_inode_dirty(inode);
-					if (error == 0)
-						acl = NULL;
-				}
+				inode->i_ctime = CURRENT_TIME_SEC;
+				mark_inode_dirty(inode);
 			}
 			break;
 
diff --git a/fs/ext3/acl.c b/fs/ext3/acl.c
index dbb5ad59a7fc..2f994bbf73a7 100644
--- a/fs/ext3/acl.c
+++ b/fs/ext3/acl.c
@@ -205,15 +205,11 @@ ext3_set_acl(handle_t *handle, struct inode *inode, int type,
 		case ACL_TYPE_ACCESS:
 			name_index = EXT3_XATTR_INDEX_POSIX_ACL_ACCESS;
 			if (acl) {
-				error = posix_acl_equiv_mode(acl, &inode->i_mode);
+				error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
 				if (error < 0)
 					return error;
-				else {
-					inode->i_ctime = CURRENT_TIME_SEC;
-					ext3_mark_inode_dirty(handle, inode);
-					if (error == 0)
-						acl = NULL;
-				}
+				inode->i_ctime = CURRENT_TIME_SEC;
+				ext3_mark_inode_dirty(handle, inode);
 			}
 			break;
 
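Review bot: this hunk keeps the old "if (error < 0)" test while the ext2 and ext4 hunks in the same patch switch to "if (error)" for the same call. Use the same form here so that a non-zero return from posix_acl_update_mode() is handled identically across the three filesystems.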
diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index 39a54a0e9fe4..c844f1bfb451 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -211,15 +211,11 @@ ext4_set_acl(handle_t *handle, struct inode *inode, int type,
 	case ACL_TYPE_ACCESS:
 		name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
 		if (acl) {
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (error < 0)
+			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (error)
 				return error;
-			else {
-				inode->i_ctime = ext4_current_time(inode);
-				ext4_mark_inode_dirty(handle, inode);
-				if (error == 0)
-					acl = NULL;
-			}
+			inode->i_ctime = ext4_current_time(inode);
+			ext4_mark_inode_dirty(handle, inode);
 		}
 		break;
 
diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
index b7826ec1b470..f4fefc57ff56 100644
--- a/fs/f2fs/acl.c
+++ b/fs/f2fs/acl.c
@@ -223,12 +223,10 @@ static int f2fs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
 	case ACL_TYPE_ACCESS:
 		name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
 		if (acl) {
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (error < 0)
+			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (error)
 				return error;
 			set_acl_inode(fi, inode->i_mode);
-			if (error == 0)
-				acl = NULL;
 		}
 		break;
 
diff --git a/fs/gfs2/acl.c b/fs/gfs2/acl.c
index f69ac0af5496..a61b0c2b57ab 100644
--- a/fs/gfs2/acl.c
+++ b/fs/gfs2/acl.c
@@ -268,15 +268,13 @@ static int gfs2_xattr_system_set(struct dentry *dentry, const char *name,
 
 	if (type == ACL_TYPE_ACCESS) {
 		umode_t mode = inode->i_mode;
-		error = posix_acl_equiv_mode(acl, &mode);
+		struct posix_acl *old_acl = acl;
 
-		if (error <= 0) {
-			posix_acl_release(acl);
-			acl = NULL;
-
-			if (error < 0)
-				return error;
-		}
+		error = posix_acl_update_mode(inode, &mode, &acl);
+		if (error < 0)
+			goto out_release;
+		if (!acl)
+			posix_acl_release(old_acl);
 
 		error = gfs2_set_mode(inode, mode);
 		if (error)
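Review bot: the error path jumps to out_release with acl still pointing at the caller's ACL, while the success path releases old_acl only when posix_acl_update_mode() has set acl to NULL. That is balanced only if the helper never clears *acl on a failing return; please state that contract in the helper's kernel-doc, or release through old_acl on the error path so the reference cannot leak.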
diff --git a/fs/hfsplus/posix_acl.c b/fs/hfsplus/posix_acl.c
index b609cc14c72e..9f7cc491ffb1 100644
--- a/fs/hfsplus/posix_acl.c
+++ b/fs/hfsplus/posix_acl.c
@@ -72,8 +72,8 @@ static int hfsplus_set_posix_acl(struct inode *inode,
 	case ACL_TYPE_ACCESS:
 		xattr_name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			err = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (err < 0)
+			err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (err)
 				return err;
 		}
 		err = 0;
diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
index bd8471fb9a6a..889be3fef4bc 100644
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -69,8 +69,9 @@ static int can_set_system_xattr(struct inode *inode, const char *name,
 		if (IS_ERR(acl))
 			return PTR_ERR(acl);
 		if (acl) {
-			err = posix_acl_equiv_mode(acl, &inode->i_mode);
-			posix_acl_release(acl);
+			struct posix_acl *old_acl = acl;
+			err = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			posix_acl_release(old_acl);
 			if (err < 0)
 				return err;
 			mark_inode_dirty(inode);
diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c
index 223283c30111..9335b8d3cf52 100644
--- a/fs/jffs2/acl.c
+++ b/fs/jffs2/acl.c
@@ -243,9 +243,10 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
 	case ACL_TYPE_ACCESS:
 		xprefix = JFFS2_XPREFIX_ACL_ACCESS;
 		if (acl) {
-			umode_t mode = inode->i_mode;
-			rc = posix_acl_equiv_mode(acl, &mode);
-			if (rc < 0)
+			umode_t mode;
+
+			rc = posix_acl_update_mode(inode, &mode, &acl);
+			if (rc)
 				return rc;
 			if (inode->i_mode != mode) {
 				struct iattr attr;
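
Review bot: "umode_t mode;" is no longer initialised, and it is compared
with inode->i_mode right after the call. That is only correct because
posix_acl_update_mode() writes *mode_p on every path that returns 0 and the
new "if (rc) return rc;" filters out the rest. Keeping
"umode_t mode = inode->i_mode;" costs nothing and removes the dependency on
that contract; the same applies to the ocfs2 and xfs conversions.
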
@@ -257,8 +258,6 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
 				if (rc < 0)
 					return rc;
 			}
-			if (rc == 0)
-				acl = NULL;
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index d3472f4cd530..8c9b6a06dcbb 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -693,8 +693,9 @@ static int can_set_system_xattr(struct inode *inode, const char *name,
 			return rc;
 		}
 		if (acl) {
-			rc = posix_acl_equiv_mode(acl, &inode->i_mode);
-			posix_acl_release(acl);
+			struct posix_acl *old_acl = acl;
+			rc = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			posix_acl_release(old_acl);
 			if (rc < 0) {
 				printk(KERN_ERR
 				       "posix_acl_equiv_mode returned %d\n",
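
Review bot: the printk in the error branch still says
"posix_acl_equiv_mode returned %d" although the value now comes from
posix_acl_update_mode(). Update the message so a log line points at the
function that was actually called. As in the hfsplus/xattr.c hunk, acl is
left pointing at the released object after posix_acl_release(old_acl).
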
diff --git a/fs/ocfs2/acl.c b/fs/ocfs2/acl.c
index b4f788e0ca31..23095b017752 100644
--- a/fs/ocfs2/acl.c
+++ b/fs/ocfs2/acl.c
@@ -270,20 +270,14 @@ static int ocfs2_set_acl(handle_t *handle,
 	case ACL_TYPE_ACCESS:
 		name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS;
 		if (acl) {
-			umode_t mode = inode->i_mode;
-			ret = posix_acl_equiv_mode(acl, &mode);
-			if (ret < 0)
+			umode_t mode;
+			ret = posix_acl_update_mode(inode, &mode, &acl);
+			if (ret)
+				return ret;
+			ret = ocfs2_acl_set_mode(inode, di_bh,
+						 handle, mode);
+			if (ret)
 				return ret;
-			else {
-				if (ret == 0)
-					acl = NULL;
-
-				ret = ocfs2_acl_set_mode(inode, di_bh,
-							 handle, mode);
-				if (ret)
-					return ret;
-
-			}
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
diff --git a/fs/posix_acl.c b/fs/posix_acl.c
index 3542f1f814e2..1da000aabb08 100644
--- a/fs/posix_acl.c
+++ b/fs/posix_acl.c
@@ -407,6 +407,37 @@ posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p)
 }
 EXPORT_SYMBOL(posix_acl_create);
 
+/**
+ * posix_acl_update_mode  -  update mode in set_acl
+ *
+ * Update the file mode when setting an ACL: compute the new file permission
+ * bits based on the ACL.  In addition, if the ACL is equivalent to the new
+ * file mode, set *acl to NULL to indicate that no ACL should be set.
+ *
+ * As with chmod, clear the setgit bit if the caller is not in the owning group
+ * or capable of CAP_FSETID (see inode_change_ok).
+ *
+ * Called from set_acl inode operations.
+ */
+int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
+                          struct posix_acl **acl)
+{
+        umode_t mode = inode->i_mode;
+        int error;
+
+        error = posix_acl_equiv_mode(*acl, &mode);
+        if (error < 0)
+                return error;
+        if (error == 0)
+                *acl = NULL;
+        if (!in_group_p(inode->i_gid) &&
+            !capable_wrt_inode_uidgid(inode, CAP_FSETID))
+                mode &= ~S_ISGID;
+        *mode_p = mode;
+        return 0;
+}
+EXPORT_SYMBOL(posix_acl_update_mode);
+
 int
 posix_acl_chmod(struct posix_acl **acl, gfp_t gfp, umode_t mode)
 {
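
Review bot: the kernel-doc for posix_acl_update_mode() says "setgit bit"
where "setgid bit" is meant, and although it opens with /** it has no
@inode, @mode_p or @acl descriptions. The body is indented with spaces
while the other hunks in this patch use tabs. It would also help to state
in the comment that *acl is dereferenced unconditionally, so callers must
keep the "if (acl)" guard they have in this patch.
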
diff --git a/fs/reiserfs/xattr_acl.c b/fs/reiserfs/xattr_acl.c
index 06c04f73da65..a86ad7ec7957 100644
--- a/fs/reiserfs/xattr_acl.c
+++ b/fs/reiserfs/xattr_acl.c
@@ -288,13 +288,9 @@ reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode,
 	case ACL_TYPE_ACCESS:
 		name = POSIX_ACL_XATTR_ACCESS;
 		if (acl) {
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
-			if (error < 0)
+			error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+			if (error)
 				return error;
-			else {
-				if (error == 0)
-					acl = NULL;
-			}
 		}
 		break;
 	case ACL_TYPE_DEFAULT:
diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c
index 0e2f37efedd0..9c7b5ce06f4f 100644
--- a/fs/xfs/xfs_acl.c
+++ b/fs/xfs/xfs_acl.c
@@ -402,16 +402,15 @@ xfs_xattr_acl_set(struct dentry *dentry, const char *name,
 		goto out_release;
 
 	if (type == ACL_TYPE_ACCESS) {
-		umode_t mode = inode->i_mode;
-		error = posix_acl_equiv_mode(acl, &mode);
+		umode_t mode;
+		struct posix_acl *old_acl = acl;
 
-		if (error <= 0) {
-			posix_acl_release(acl);
-			acl = NULL;
+		error = posix_acl_update_mode(inode, &mode, &acl);
 
-			if (error < 0)
-				return error;
-		}
+		if (error)
+			goto out_release;
+		if (!acl)
+			posix_acl_release(old_acl);
 
 		error = xfs_set_mode(inode, mode);
 		if (error)
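
Review bot: the failure path changes from "return error" to
"goto out_release", and on success old_acl is dropped only when the helper
reset acl to NULL, so one reference is tracked under two names across these
lines. A short comment saying which label drops acl and why old_acl is
released only in the !acl case would make the ownership checkable. The gfs2
conversion has the same shape but tests "error < 0" where this one tests
"error"; the two should match. The blank line between the call and its
error check can go.
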
diff --git a/include/linux/posix_acl.h b/include/linux/posix_acl.h
index 7931efe71175..43cb8d59d0a7 100644
--- a/include/linux/posix_acl.h
+++ b/include/linux/posix_acl.h
@@ -89,6 +89,7 @@ extern int posix_acl_permission(struct inode *, const struct posix_acl *, int);
 extern struct posix_acl *posix_acl_from_mode(umode_t, gfp_t);
 extern int posix_acl_equiv_mode(const struct posix_acl *, umode_t *);
 extern int posix_acl_create(struct posix_acl **, gfp_t, umode_t *);
+extern int posix_acl_update_mode(struct inode *, umode_t *, struct posix_acl **);
 extern int posix_acl_chmod(struct posix_acl **, gfp_t, umode_t);
 
 extern struct posix_acl *get_posix_acl(struct inode *, int);
-- 
2.11.0


* [PATCH 3.12 195/235] NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (193 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 194/235] posix_acl: Clear SGID bit when setting file permissions Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 196/235] vmxnet3: Wake queue from reset work Jiri Slaby
                   ` (41 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Trond Myklebust, Jiri Slaby

From: Trond Myklebust <trond.myklebust@primarydata.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 809fd143de8805970eec02c27c0bc2622a6ecbda upstream.

If the OPEN rpc call to the server fails with an ENOENT call, nfs_atomic_open
will create a negative dentry for that file; however, it currently fails
to call nfs_set_verifier(), thus causing the dentry to be immediately
revalidated on the next call to nfs_lookup_revalidate() instead of following
the usual lookup caching rules.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/nfs/dir.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index b9670301d7d3..24e6448b7c80 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1487,6 +1487,7 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
 		switch (err) {
 		case -ENOENT:
 			d_add(dentry, NULL);
+			nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
 			break;
 		case -EISDIR:
 		case -ENOTDIR:
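
Review bot: nfs_set_verifier() is called after d_add(dentry, NULL), so the
negative dentry is already hashed for a short time without its verifier.
Is that window harmless here? If so, a comment saying why would help;
otherwise set the verifier before d_add() so the dentry never becomes
visible without it.
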
-- 
2.11.0


* [PATCH 3.12 196/235] vmxnet3: Wake queue from reset work
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (194 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 195/235] NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 197/235] fs/cifs: make share unaccessible at root level mountable Jiri Slaby
                   ` (40 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Benjamin Poirier, David S . Miller, Jiri Slaby

From: Benjamin Poirier <bpoirier@suse.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 277964e19e1416ca31301e113edb2580c81a8b66 upstream.

vmxnet3_reset_work() expects tx queues to be stopped (via
vmxnet3_quiesce_dev -> netif_tx_disable). However, this races with the
netif_wake_queue() call in netif_tx_timeout() such that the driver's
start_xmit routine may be called unexpectedly, triggering one of the BUG_ON
in vmxnet3_map_pkt with a stack trace like this:

RIP: 0010:[<ffffffffa00cf4bc>] vmxnet3_map_pkt+0x3ac/0x4c0 [vmxnet3]
 [<ffffffffa00cf7e0>] vmxnet3_tq_xmit+0x210/0x4e0 [vmxnet3]
 [<ffffffff813ab144>] dev_hard_start_xmit+0x2e4/0x4c0
 [<ffffffff813c956e>] sch_direct_xmit+0x17e/0x1e0
 [<ffffffff813c96a7>] __qdisc_run+0xd7/0x130
 [<ffffffff813a6a7a>] net_tx_action+0x10a/0x200
 [<ffffffff810691df>] __do_softirq+0x11f/0x260
 [<ffffffff81472fdc>] call_softirq+0x1c/0x30
 [<ffffffff81004695>] do_softirq+0x65/0xa0
 [<ffffffff81069b89>] local_bh_enable_ip+0x99/0xa0
 [<ffffffffa031ff36>] destroy_conntrack+0x96/0x110 [nf_conntrack]
 [<ffffffff813d65e2>] nf_conntrack_destroy+0x12/0x20
 [<ffffffff8139c6d5>] skb_release_head_state+0xb5/0xf0
 [<ffffffff8139d299>] skb_release_all+0x9/0x20
 [<ffffffff8139cfe9>] __kfree_skb+0x9/0x90
 [<ffffffffa00d0069>] vmxnet3_quiesce_dev+0x209/0x340 [vmxnet3]
 [<ffffffffa00d020a>] vmxnet3_reset_work+0x6a/0xa0 [vmxnet3]
 [<ffffffff8107d7cc>] process_one_work+0x16c/0x350
 [<ffffffff810804fa>] worker_thread+0x17a/0x410
 [<ffffffff810848c6>] kthread+0x96/0xa0
 [<ffffffff81472ee4>] kernel_thread_helper+0x4/0x10

Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/vmxnet3/vmxnet3_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
index 55d89390b4bc..59dcdfcd0c28 100644
--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -2890,7 +2890,6 @@ vmxnet3_tx_timeout(struct net_device *netdev)
 
 	netdev_err(adapter->netdev, "tx hang\n");
 	schedule_work(&adapter->work);
-	netif_wake_queue(adapter->netdev);
 }
 
 
@@ -2917,6 +2916,7 @@ vmxnet3_reset_work(struct work_struct *data)
 	}
 	rtnl_unlock();
 
+	netif_wake_queue(adapter->netdev);
 	clear_bit(VMXNET3_STATE_BIT_RESETTING, &adapter->state);
 }
 
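
Review bot: netif_wake_queue() now runs after rtnl_unlock() and before
clear_bit(VMXNET3_STATE_BIT_RESETTING, ...), so the xmit path can be
entered while the RESETTING bit is still set, and the wake is issued
whatever happened in the block above. Please add a comment stating why
this ordering is safe, or move the wake after the clear_bit() and make it
conditional on the reset having brought the device back up.
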
-- 
2.11.0


* [PATCH 3.12 197/235] fs/cifs: make share unaccessible at root level mountable
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (195 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 196/235] vmxnet3: Wake queue from reset work Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 198/235] Fix memory leaks in cifs_do_mount() Jiri Slaby
                   ` (39 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Aurelien Aptel, Steve French, Jiri Slaby

From: Aurelien Aptel <aaptel@suse.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit a6b5058fafdf508904bbf16c29b24042cef3c496 upstream.

If, when mounting //HOST/share/sub/dir/foo we can query /sub/dir/foo but
not any of the path components above:

- store the /sub/dir/foo prefix in the cifs super_block info
- in the superblock, set root dentry to the subpath dentry (instead of
  the share root)
- set a flag in the superblock to remember it
- use prefixpath when building path from a dentry

fixes bso#8950

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Pavel Shilovsky <pshilovsky@samba.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/cifs_fs_sb.h |  4 ++++
 fs/cifs/cifsfs.c     | 14 +++++++++++++-
 fs/cifs/connect.c    | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 fs/cifs/dir.c        | 20 ++++++++++++++++++--
 fs/cifs/inode.c      | 22 ++++++++++++++++++++--
 5 files changed, 104 insertions(+), 5 deletions(-)

diff --git a/fs/cifs/cifs_fs_sb.h b/fs/cifs/cifs_fs_sb.h
index 37e4a72a7d1c..ae4e35bdc2cd 100644
--- a/fs/cifs/cifs_fs_sb.h
+++ b/fs/cifs/cifs_fs_sb.h
@@ -45,6 +45,9 @@
 #define CIFS_MOUNT_POSIXACL	0x100000 /* mirror of MS_POSIXACL in mnt_cifs_flags */
 #define CIFS_MOUNT_CIFS_BACKUPUID 0x200000 /* backup intent bit for a user */
 #define CIFS_MOUNT_CIFS_BACKUPGID 0x400000 /* backup intent bit for a group */
+#define CIFS_MOUNT_USE_PREFIX_PATH 0x1000000 /* make subpath with unaccessible
+					      * root mountable
+					      */
 
 struct cifs_sb_info {
 	struct rb_root tlink_tree;
@@ -65,5 +68,6 @@ struct cifs_sb_info {
 	char   *mountdata; /* options received at mount time or via DFS refs */
 	struct backing_dev_info bdi;
 	struct delayed_work prune_tlinks;
+	char *prepath;
 };
 #endif				/* _CIFS_FS_SB_H */
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 037b8f7e8a94..259f95121151 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -668,6 +668,14 @@ cifs_do_mount(struct file_system_type *fs_type,
 		goto out_cifs_sb;
 	}
 
+	if (volume_info->prepath) {
+		cifs_sb->prepath = kstrdup(volume_info->prepath, GFP_KERNEL);
+		if (cifs_sb->prepath == NULL) {
+			root = ERR_PTR(-ENOMEM);
+			goto out_cifs_sb;
+		}
+	}
+
 	cifs_setup_cifs_sb(volume_info, cifs_sb);
 
 	rc = cifs_mount(cifs_sb, volume_info);
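
Review bot: the -ENOMEM branch for cifs_sb->prepath jumps to out_cifs_sb,
the same label the mountdata allocation failure just above uses, so
cifs_sb->mountdata, which is already allocated at this point, is not freed
on this path. The new branch needs a label that also frees mountdata, and
the failure paths after it need to free prepath; 198/235 in this series
reworks the labels for exactly that.
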
@@ -706,7 +714,11 @@ cifs_do_mount(struct file_system_type *fs_type,
 		sb->s_flags |= MS_ACTIVE;
 	}
 
-	root = cifs_get_root(volume_info, sb);
+	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+		root = dget(sb->s_root);
+	else
+		root = cifs_get_root(volume_info, sb);
+
 	if (IS_ERR(root))
 		goto out_super;
 
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index e06790171e89..e4a36223d815 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3437,6 +3437,44 @@ cifs_get_volume_info(char *mount_data, const char *devname)
 	return volume_info;
 }
 
+static int
+cifs_are_all_path_components_accessible(struct TCP_Server_Info *server,
+					unsigned int xid,
+					struct cifs_tcon *tcon,
+					struct cifs_sb_info *cifs_sb,
+					char *full_path)
+{
+	int rc;
+	char *s;
+	char sep, tmp;
+
+	sep = CIFS_DIR_SEP(cifs_sb);
+	s = full_path;
+
+	rc = server->ops->is_path_accessible(xid, tcon, cifs_sb, "");
+	while (rc == 0) {
+		/* skip separators */
+		while (*s == sep)
+			s++;
+		if (!*s)
+			break;
+		/* next separator */
+		while (*s && *s != sep)
+			s++;
+
+		/*
+		 * temporarily null-terminate the path at the end of
+		 * the current component
+		 */
+		tmp = *s;
+		*s = 0;
+		rc = server->ops->is_path_accessible(xid, tcon, cifs_sb,
+						     full_path);
+		*s = tmp;
+	}
+	return rc;
+}
+
 int
 cifs_mount(struct cifs_sb_info *cifs_sb, struct smb_vol *volume_info)
 {
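
Review bot: cifs_are_all_path_components_accessible() has no comment
describing its contract, and two things are not obvious from the
signature: it writes into full_path (temporarily terminating it at each
separator), so the caller must pass a writable buffer, and it returns the
first non-zero rc from is_path_accessible() whatever that error is. A
short header comment stating both would help callers.
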
@@ -3563,6 +3601,16 @@ remote_path_check:
 			kfree(full_path);
 			goto mount_fail_check;
 		}
+
+		rc = cifs_are_all_path_components_accessible(server,
+							     xid, tcon, cifs_sb,
+							     full_path);
+		if (rc != 0) {
+			cifs_dbg(VFS, "cannot query dirs between root and final path, "
+				 "enabling CIFS_MOUNT_USE_PREFIX_PATH\n");
+			cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
+			rc = 0;
+		}
 		kfree(full_path);
 	}
 
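
Review bot: "if (rc != 0)" treats every failure of the component walk as
"intermediate directory not accessible" and then overwrites it with
"rc = 0", so errors that have nothing to do with permissions end up as a
successful mount with CIFS_MOUNT_USE_PREFIX_PATH set. Restrict the
fallback to the access-denied case and propagate the other codes; 201/235
later in this series has to special-case -EREMOTE because of this.
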
@@ -3819,6 +3867,7 @@ cifs_umount(struct cifs_sb_info *cifs_sb)
 
 	bdi_destroy(&cifs_sb->bdi);
 	kfree(cifs_sb->mountdata);
+	kfree(cifs_sb->prepath);
 	unload_nls(cifs_sb->local_nls);
 	kfree(cifs_sb);
 }
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index 7347f1678fa7..39660990e4b0 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -84,6 +84,7 @@ build_path_from_dentry(struct dentry *direntry)
 	struct dentry *temp;
 	int namelen;
 	int dfsplen;
+	int pplen = 0;
 	char *full_path;
 	char dirsep;
 	struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
@@ -95,8 +96,12 @@ build_path_from_dentry(struct dentry *direntry)
 		dfsplen = strnlen(tcon->treeName, MAX_TREE_SIZE + 1);
 	else
 		dfsplen = 0;
+
+	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+		pplen = cifs_sb->prepath ? strlen(cifs_sb->prepath) + 1 : 0;
+
 cifs_bp_rename_retry:
-	namelen = dfsplen;
+	namelen = dfsplen + pplen;
 	seq = read_seqbegin(&rename_lock);
 	rcu_read_lock();
 	for (temp = direntry; !IS_ROOT(temp);) {
@@ -137,7 +142,7 @@ cifs_bp_rename_retry:
 		}
 	}
 	rcu_read_unlock();
-	if (namelen != dfsplen || read_seqretry(&rename_lock, seq)) {
+	if (namelen != dfsplen + pplen || read_seqretry(&rename_lock, seq)) {
 		cifs_dbg(FYI, "did not end path lookup where expected. namelen=%ddfsplen=%d\n",
 			 namelen, dfsplen);
 		/* presumably this is only possible if racing with a rename
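
Review bot: the condition now compares namelen with dfsplen + pplen, but
the cifs_dbg() message below it still prints only namelen and dfsplen, so
the logged values no longer explain why the check fired. Add pplen to the
format string, and put a space before "dfsplen=" while touching it.
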
@@ -153,6 +158,17 @@ cifs_bp_rename_retry:
 	   those safely to '/' if any are found in the middle of the prepath */
 	/* BB test paths to Windows with '/' in the midst of prepath */
 
+	if (pplen) {
+		int i;
+
+		cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath);
+		memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1);
+		full_path[dfsplen] = '\\';
+		for (i = 0; i < pplen-1; i++)
+			if (full_path[dfsplen+1+i] == '/')
+				full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb);
+	}
+
 	if (dfsplen) {
 		strncpy(full_path, tcon->treeName, dfsplen);
 		if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) {
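
Review bot: "full_path[dfsplen] = '\\';" hard-codes a backslash as the
separator in front of the prepath, while the loop right after it converts
'/' inside the prepath to CIFS_DIR_SEP(cifs_sb). On a mount where
CIFS_DIR_SEP() is '/', the path gets mixed separators. Use
CIFS_DIR_SEP(cifs_sb) (or the existing dirsep local) for the leading
separator as well.
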
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index ab9f992ca479..518cf900682f 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -937,12 +937,29 @@ struct inode *cifs_root_iget(struct super_block *sb)
 	struct inode *inode = NULL;
 	long rc;
 	struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+	char *path = NULL;
+	int len;
+
+	if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+	    && cifs_sb->prepath) {
+		len = strlen(cifs_sb->prepath);
+		path = kzalloc(len + 2 /* leading sep + null */, GFP_KERNEL);
+		if (path == NULL)
+			return ERR_PTR(-ENOMEM);
+		path[0] = '/';
+		memcpy(path+1, cifs_sb->prepath, len);
+	} else {
+		path = kstrdup("", GFP_KERNEL);
+		if (path == NULL)
+			return ERR_PTR(-ENOMEM);
+	}
 
 	xid = get_xid();
+	convert_delimiter(path, CIFS_DIR_SEP(cifs_sb));
 	if (tcon->unix_ext)
-		rc = cifs_get_inode_info_unix(&inode, "", sb, xid);
+		rc = cifs_get_inode_info_unix(&inode, path, sb, xid);
 	else
-		rc = cifs_get_inode_info(&inode, "", NULL, sb, xid, NULL);
+		rc = cifs_get_inode_info(&inode, path, NULL, sb, xid, NULL);
 
 	if (!inode) {
 		inode = ERR_PTR(rc);
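
Review bot: the else branch does kstrdup("", GFP_KERNEL) only so that
kfree(path) at out: can be unconditional, which adds an allocation and a
new -ENOMEM failure to every mount that does not use a prefix path. Since
kfree(NULL) is a no-op, path can stay NULL in that case and the two
cifs_get_inode_info*() calls can be given path ? path : "" instead.
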
@@ -970,6 +987,7 @@ struct inode *cifs_root_iget(struct super_block *sb)
 	}
 
 out:
+	kfree(path);
 	/* can not call macro free_xid here since in a void func
 	 * TODO: This is no longer true
 	 */
-- 
2.11.0


* [PATCH 3.12 198/235] Fix memory leaks in cifs_do_mount()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (196 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 197/235] fs/cifs: make share unaccessible at root level mountable Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 199/235] Compare prepaths when comparing superblocks Jiri Slaby
                   ` (38 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Sachin Prabhu, Steve French, Jiri Slaby

From: Sachin Prabhu <sprabhu@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 4214ebf4654798309364d0c678b799e402f38288 upstream.

Fix memory leaks introduced by the patch
Fs/cifs: make share unaccessible at root level mountable

Also move allocation of cifs_sb->prepath to cifs_setup_cifs_sb().

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/cifsfs.c    | 20 ++++++++------------
 fs/cifs/cifsproto.h |  2 +-
 fs/cifs/connect.c   | 11 ++++++++++-
 3 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 259f95121151..846b9916fdcd 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -665,26 +665,22 @@ cifs_do_mount(struct file_system_type *fs_type,
 	cifs_sb->mountdata = kstrndup(data, PAGE_SIZE, GFP_KERNEL);
 	if (cifs_sb->mountdata == NULL) {
 		root = ERR_PTR(-ENOMEM);
-		goto out_cifs_sb;
+		goto out_free;
 	}
 
-	if (volume_info->prepath) {
-		cifs_sb->prepath = kstrdup(volume_info->prepath, GFP_KERNEL);
-		if (cifs_sb->prepath == NULL) {
-			root = ERR_PTR(-ENOMEM);
-			goto out_cifs_sb;
-		}
+	rc = cifs_setup_cifs_sb(volume_info, cifs_sb);
+	if (rc) {
+		root = ERR_PTR(rc);
+		goto out_free;
 	}
 
-	cifs_setup_cifs_sb(volume_info, cifs_sb);
-
 	rc = cifs_mount(cifs_sb, volume_info);
 	if (rc) {
 		if (!(flags & MS_SILENT))
 			cifs_dbg(VFS, "cifs_mount failed w/return code = %d\n",
 				 rc);
 		root = ERR_PTR(rc);
-		goto out_mountdata;
+		goto out_free;
 	}
 
 	mnt_data.vol = volume_info;
@@ -731,9 +727,9 @@ out:
 	cifs_cleanup_volume_info(volume_info);
 	return root;
 
-out_mountdata:
+out_free:
+	kfree(cifs_sb->prepath);
 	kfree(cifs_sb->mountdata);
-out_cifs_sb:
 	kfree(cifs_sb);
 out_nls:
 	unload_nls(volume_info->local_nls);
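
Review bot: out_free now does kfree(cifs_sb->prepath) and is also the
target of the mountdata allocation failure, which is reached before
cifs_setup_cifs_sb() has had a chance to set prepath. That is only safe if
cifs_sb was zero-allocated above this hunk; please confirm, and say so in
a comment at the label since three different failure points now share it.
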
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index 6421d8b433b1..44d825cdf85e 100644
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -179,7 +179,7 @@ extern int cifs_read_from_socket(struct TCP_Server_Info *server, char *buf,
 extern int cifs_readv_from_socket(struct TCP_Server_Info *server,
 		struct kvec *iov_orig, unsigned int nr_segs,
 		unsigned int to_read);
-extern void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
+extern int cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
 			       struct cifs_sb_info *cifs_sb);
 extern int cifs_match_super(struct super_block *, void *);
 extern void cifs_cleanup_volume_info(struct smb_vol *pvolume_info);
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index e4a36223d815..98c9c867f1b3 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3185,7 +3185,7 @@ void reset_cifs_unix_caps(unsigned int xid, struct cifs_tcon *tcon,
 	}
 }
 
-void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
+int cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
 			struct cifs_sb_info *cifs_sb)
 {
 	INIT_DELAYED_WORK(&cifs_sb->prune_tlinks, cifs_prune_tlinks);
@@ -3267,6 +3267,15 @@ void cifs_setup_cifs_sb(struct smb_vol *pvolume_info,
 
 	if ((pvolume_info->cifs_acl) && (pvolume_info->dynperm))
 		cifs_dbg(VFS, "mount option dynperm ignored if cifsacl mount option supported\n");
+
+
+	if (pvolume_info->prepath) {
+		cifs_sb->prepath = kstrdup(pvolume_info->prepath, GFP_KERNEL);
+		if (cifs_sb->prepath == NULL)
+			return -ENOMEM;
+	}
+
+	return 0;
 }
 
 static void
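
Review bot: two consecutive blank lines are added in front of the prepath
block; one is enough. Since cifs_setup_cifs_sb() now returns an error
after the rest of the setup has already run, a comment on the function
saying that the caller is responsible for freeing cifs_sb->prepath on
failure (cifs_do_mount() does it under out_free) would document the new
contract.
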
-- 
2.11.0


* [PATCH 3.12 199/235] Compare prepaths when comparing superblocks
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (197 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 198/235] Fix memory leaks in cifs_do_mount() Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 200/235] Move check for prefix path to within cifs_get_root() Jiri Slaby
                   ` (37 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Sachin Prabhu, Steve French, Jiri Slaby

From: Sachin Prabhu <sprabhu@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit c1d8b24d18192764fe82067ec6aa8d4c3bf094e0 upstream.

The patch
Fs/cifs: make share unaccessible at root level mountable
makes use of prepaths when any component of the underlying path is
inaccessible.

When mounting 2 separate shares having different prepaths but are
otherwise similar in other respects, we end up sharing superblocks when we
shouldn't be doing so.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/connect.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 98c9c867f1b3..7491e8445458 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2742,6 +2742,24 @@ compare_mount_options(struct super_block *sb, struct cifs_mnt_data *mnt_data)
 	return 1;
 }
 
+static int
+match_prepath(struct super_block *sb, struct cifs_mnt_data *mnt_data)
+{
+	struct cifs_sb_info *old = CIFS_SB(sb);
+	struct cifs_sb_info *new = mnt_data->cifs_sb;
+
+	if (old->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH) {
+		if (!(new->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH))
+			return 0;
+		/* The prepath should be null terminated strings */
+		if (strcmp(new->prepath, old->prepath))
+			return 0;
+
+		return 1;
+	}
+	return 0;
+}
+
 int
 cifs_match_super(struct super_block *sb, void *data)
 {
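
Review bot: match_prepath() falls through to "return 0;" when the existing
superblock does not have CIFS_MOUNT_USE_PREFIX_PATH set, and
cifs_match_super() now rejects the match whenever match_prepath() returns
0, so two mounts that do not use a prefix path can no longer share a
superblock. Compare the flag on both sides first: return 0 only when the
flags differ or the prepaths differ, and 1 when neither side uses a prefix
path. Also, strcmp(new->prepath, old->prepath) assumes both pointers are
non-NULL whenever the flag is set, while build_path_from_dentry() in
197/235 still checks cifs_sb->prepath for NULL.
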
@@ -2769,7 +2787,8 @@ cifs_match_super(struct super_block *sb, void *data)
 
 	if (!match_server(tcp_srv, volume_info) ||
 	    !match_session(ses, volume_info) ||
-	    !match_tcon(tcon, volume_info->UNC)) {
+	    !match_tcon(tcon, volume_info->UNC) ||
+	    !match_prepath(sb, mnt_data)) {
 		rc = 0;
 		goto out;
 	}
-- 
2.11.0


* [PATCH 3.12 200/235] Move check for prefix path to within cifs_get_root()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (198 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 199/235] Compare prepaths when comparing superblocks Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 201/235] Fix regression which breaks DFS mounting Jiri Slaby
                   ` (36 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Sachin Prabhu, Steve French, Jiri Slaby

From: Sachin Prabhu <sprabhu@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 348c1bfa84dfc47da1f1234b7f2bf09fa798edea upstream.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/cifsfs.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 846b9916fdcd..75aacb731c54 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -586,6 +586,9 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb)
 	char *s, *p;
 	char sep;
 
+	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
+		return dget(sb->s_root);
+
 	full_path = cifs_build_path_to_root(vol, cifs_sb,
 					    cifs_sb_master_tcon(cifs_sb));
 	if (full_path == NULL)
@@ -710,11 +713,7 @@ cifs_do_mount(struct file_system_type *fs_type,
 		sb->s_flags |= MS_ACTIVE;
 	}
 
-	if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_USE_PREFIX_PATH)
-		root = dget(sb->s_root);
-	else
-		root = cifs_get_root(volume_info, sb);
-
+	root = cifs_get_root(volume_info, sb);
 	if (IS_ERR(root))
 		goto out_super;
 
-- 
2.11.0


* [PATCH 3.12 201/235] Fix regression which breaks DFS mounting
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (199 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 200/235] Move check for prefix path to within cifs_get_root() Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 202/235] apparmor: fix refcount bug in profile replacement Jiri Slaby
                   ` (35 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Sachin Prabhu, Steve French, Jiri Slaby

From: Sachin Prabhu <sprabhu@redhat.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d171356ff11ab1825e456dfb979755e01b3c54a1 upstream.

Patch a6b5058 results in -EREMOTE returned by is_path_accessible() in
cifs_mount() being ignored, which breaks DFS mounting.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/connect.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 7491e8445458..bd54422a260d 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3629,15 +3629,16 @@ remote_path_check:
 			kfree(full_path);
 			goto mount_fail_check;
 		}
-
-		rc = cifs_are_all_path_components_accessible(server,
-							     xid, tcon, cifs_sb,
-							     full_path);
-		if (rc != 0) {
-			cifs_dbg(VFS, "cannot query dirs between root and final path, "
-				 "enabling CIFS_MOUNT_USE_PREFIX_PATH\n");
-			cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
-			rc = 0;
+		if (rc != -EREMOTE) {
+			rc = cifs_are_all_path_components_accessible(server,
+								     xid, tcon, cifs_sb,
+								     full_path);
+			if (rc != 0) {
+				cifs_dbg(VFS, "cannot query dirs between root and final path, "
+					 "enabling CIFS_MOUNT_USE_PREFIX_PATH\n");
+				cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
+				rc = 0;
+			}
 		}
 		kfree(full_path);
 	}
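
Review bot: the new "if (rc != -EREMOTE)" guard has no comment, and it is
not evident from these lines that rc still holds the result of the earlier
is_path_accessible() call or why -EREMOTE has to survive to the code
below. A one-line comment (for example, that -EREMOTE is left untouched so
the DFS handling still sees it, as the changelog says) would help. The
re-indented continuation lines of the call also run past 80 columns.
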
-- 
2.11.0


* [PATCH 3.12 202/235] apparmor: fix refcount bug in profile replacement
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (200 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 201/235] Fix regression which breaks DFS mounting Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 203/235] apparmor: fix replacement bug that adds new child to old parent Jiri Slaby
                   ` (34 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit dcda617a0c5160c73e0aa02813c871339ea08004 upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 705c2879d3a9..222052f64e2c 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1189,12 +1189,12 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 				aa_get_profile(newest);
 				aa_put_profile(parent);
 				rcu_assign_pointer(ent->new->parent, newest);
-			} else
-				aa_put_profile(newest);
+			}
 			/* aafs interface uses replacedby */
 			rcu_assign_pointer(ent->new->replacedby->profile,
 					   aa_get_profile(ent->new));
 			__list_add_profile(&parent->base.profiles, ent->new);
+			aa_put_profile(newest);
 		} else {
 			/* aafs interface uses replacedby */
 			rcu_assign_pointer(ent->new->replacedby->profile,
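
Review bot: aa_put_profile(newest) now runs on both arms, including the
one that has just done aa_get_profile(newest) for ent->new->parent, and
neither the changelog nor the code says which reference this final put
balances. Add a comment at the put naming the reference being dropped
(presumably the one taken when newest was looked up above this hunk), so
the get/put pairing can be checked without reading the whole function.
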
-- 
2.11.0


* [PATCH 3.12 203/235] apparmor: fix replacement bug that adds new child to old parent
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (201 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 202/235] apparmor: fix refcount bug in profile replacement Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 204/235] apparmor: fix uninitialized lsm_audit member Jiri Slaby
                   ` (33 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit ec34fa24a934f4c8fd68f39b84abf34c42e5b06a upstream.

When set atomic replacement is used and the parent is updated before the
child, and the child did not exist in the old parent so there is no
direct replacement then the new child is incorrectly added to the old
parent. This results in the new parent not having the child(ren) that
it should and the old parent when being destroyed asserting the
following error.

AppArmor: policy_destroy: internal error, policy '<profile/name>' still
contains profiles

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 222052f64e2c..c92a9f6c1be5 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1193,7 +1193,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 			/* aafs interface uses replacedby */
 			rcu_assign_pointer(ent->new->replacedby->profile,
 					   aa_get_profile(ent->new));
-			__list_add_profile(&parent->base.profiles, ent->new);
+			__list_add_profile(&newest->base.profiles, ent->new);
 			aa_put_profile(newest);
 		} else {
 			/* aafs interface uses replacedby */
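Review bot: the fix depends on `aa_put_profile(newest)` staying after `__list_add_profile(&newest->base.profiles, ent->new)`, because `newest` is now dereferenced for the list head; a one-line comment saying the put must follow the insertion would keep a later cleanup from reordering the two. The `newest == parent` case should be unchanged, since both names then refer to the same profile, but it is worth saying so in the changelog.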
-- 
2.11.0


* [PATCH 3.12 204/235] apparmor: fix uninitialized lsm_audit member
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (202 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 203/235] apparmor: fix replacement bug that adds new child to old parent Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 205/235] apparmor: exec should not be returning ENOENT when it denies Jiri Slaby
                   ` (32 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b6b1b81b3afba922505b57f4c812bba022f7c4a9 upstream.

BugLink: http://bugs.launchpad.net/bugs/1268727

The task field in the lsm_audit struct needs to be initialized if
a change_hat fails, otherwise the following oops will occur

BUG: unable to handle kernel paging request at 0000002fbead7d08
IP: [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
PGD 1e3f35067 PUD 0
Oops: 0002 [#1] SMP
Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF          O 3.13.0-7-generic #25-Ubuntu
Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
RIP: 0010:[<ffffffff8171153e>]  [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
RSP: 0018:ffff880212987b68  EFLAGS: 00010006
RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
FS:  00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
Stack:
 ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009
 0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c
 0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
Call Trace:
 [<ffffffff81075f17>] __lock_task_sighand+0x47/0x80
 [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
 [<ffffffff81075f7c>] do_send_sig_info+0x2c/0x80
 [<ffffffff81075fee>] send_sig_info+0x1e/0x30
 [<ffffffff8130242d>] aa_audit+0x13d/0x190
 [<ffffffff8130c1dc>] aa_audit_file+0xbc/0x130
 [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
 [<ffffffff81304cc2>] aa_change_hat+0x202/0x530
 [<ffffffff81308fc6>] aa_setprocattr_changehat+0x116/0x1d0
 [<ffffffff8130a11d>] apparmor_setprocattr+0x25d/0x300
 [<ffffffff812cee56>] security_setprocattr+0x16/0x20
 [<ffffffff8121fc87>] proc_pid_attr_write+0x107/0x130
 [<ffffffff811b7604>] vfs_write+0xb4/0x1f0
 [<ffffffff811b8039>] SyS_write+0x49/0xa0
 [<ffffffff8171a1bf>] tracesys+0xe1/0xe6

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/audit.c | 3 ++-
 security/apparmor/file.c  | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 031d2d9dd695..47d0f9ecd3bc 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -212,7 +212,8 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
 
 	if (sa->aad->type == AUDIT_APPARMOR_KILL)
 		(void)send_sig_info(SIGKILL, NULL,
-				    sa->aad->tsk ?  sa->aad->tsk : current);
+			sa->type == LSM_AUDIT_DATA_TASK && sa->aad->tsk ?
+				    sa->aad->tsk : current);
 
 	if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
 		return complain_error(sa->aad->error);
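Review bot: in the `send_sig_info()` argument, `sa->type == LSM_AUDIT_DATA_TASK && sa->aad->tsk ? sa->aad->tsk : current` parses as intended only because `&&` binds tighter than `?:`; please parenthesise the condition. The guard tests `sa->type`, but the pointer it protects is `sa->aad->tsk`, while the file.c hunk of this patch initialises `sa.u.tsk`; please confirm which field carries the task here, because as written the type check guards a field that the type does not describe.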
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index fdaa50cb1876..a4f7f1a5a798 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -110,7 +110,8 @@ int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
 	int type = AUDIT_APPARMOR_AUTO;
 	struct common_audit_data sa;
 	struct apparmor_audit_data aad = {0,};
-	sa.type = LSM_AUDIT_DATA_NONE;
+	sa.type = LSM_AUDIT_DATA_TASK;
+	sa.u.tsk = NULL;
 	sa.aad = &aad;
 	aad.op = op,
 	aad.fs.request = request;
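Review bot: `sa` is still declared without an initialiser, so this hunk fixes only the two members it assigns (`sa.type` and `sa.u.tsk`) and anything else read from `sa` later is still stack garbage; zero-initialise `sa` at its declaration the way `aad` is with `= {0,}`. Since `aa_audit()` in this same patch reads `sa->aad->tsk`, which `aad = {0,}` already clears, the changelog should explain what `sa.u.tsk = NULL` protects against.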
-- 
2.11.0


* [PATCH 3.12 205/235] apparmor: exec should not be returning ENOENT when it denies
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (203 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 204/235] apparmor: fix uninitialized lsm_audit member Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 206/235] apparmor: fix update the mtime of the profile file on replacement Jiri Slaby
                   ` (31 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 9049a7922124d843a2cd26a02b1d00a17596ec0c upstream.

The current behavior is confusing as it causes exec failures to report
the executable is missing instead of identifying that apparmor
caused the failure.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/domain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 0c23888b9816..a59766fe3b7a 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -437,7 +437,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 				new_profile = aa_get_newest_profile(ns->unconfined);
 				info = "ux fallback";
 			} else {
-				error = -ENOENT;
+				error = -EACCES;
 				info = "profile not found";
 				/* remove MAY_EXEC to audit as failure */
 				perms.allow &= ~MAY_EXEC;
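Review bot: the errno at `error = -EACCES;` changes but `info` stays "profile not found", so user space now sees a denial while the audit record describes a lookup miss; a short comment on that line saying a missing target profile is reported as a policy denial on purpose would stop it being changed back to `-ENOENT`. This is also a user-visible errno change for exec, which the changelog should call out for stable users.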
-- 
2.11.0


* [PATCH 3.12 206/235] apparmor: fix update the mtime of the profile file on replacement
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (204 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 205/235] apparmor: exec should not be returning ENOENT when it denies Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 207/235] apparmor: fix disconnected bind mnts reconnection Jiri Slaby
                   ` (30 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d671e890205a663429da74e1972e652bea4d73ab upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/apparmorfs.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index b30489856741..a798c75c7726 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -380,6 +380,8 @@ void __aa_fs_profile_migrate_dents(struct aa_profile *old,
 
 	for (i = 0; i < AAFS_PROF_SIZEOF; i++) {
 		new->dents[i] = old->dents[i];
+		if (new->dents[i])
+			new->dents[i]->d_inode->i_mtime = CURRENT_TIME;
 		old->dents[i] = NULL;
 	}
 }
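Review bot: the added lines check `new->dents[i]` for NULL but then dereference `new->dents[i]->d_inode` unconditionally; either test `d_inode` as well or add a comment saying why these dentries can never be negative. `CURRENT_TIME` is also evaluated once per iteration, so the files of one profile can end up with different mtimes; read it once before the loop. The changelog has no body.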
-- 
2.11.0


* [PATCH 3.12 207/235] apparmor: fix disconnected bind mnts reconnection
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (205 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 206/235] apparmor: fix update the mtime of the profile file on replacement Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 208/235] apparmor: internal paths should be treated as disconnected Jiri Slaby
                   ` (29 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f2e561d190da7ff5ee265fa460e2d7f753dddfda upstream.

Bind mounts can fail to be properly reconnected when PATH_CONNECT is
specified. Ensure that when PATH_CONNECT is specified the path has
a root.

BugLink: http://bugs.launchpad.net/bugs/1319984

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/path.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/path.c b/security/apparmor/path.c
index 35b394a75d76..0f232e5cd18c 100644
--- a/security/apparmor/path.c
+++ b/security/apparmor/path.c
@@ -141,7 +141,10 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
 			error = -EACCES;
 			if (*res == '/')
 				*name = res + 1;
-		}
+		} else if (*res != '/')
+			/* CONNECT_PATH with missing root */
+			error = prepend(name, *name - buf, "/", 1);
+
 	}
 
 out:
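Review bot: the new `else if (*res != '/')` arm has a comment plus a statement as its body but no braces, while the `if` arm it pairs with is braced; kernel style wants braces on both arms, and the blank line added before the closing `}` should go. The comment says "CONNECT_PATH" and the changelog says PATH_CONNECT; please use the flag's real name in both places. The result of `prepend()` is stored in `error`, so a full buffer now fails the lookup for a connected path; please confirm that is intended.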
-- 
2.11.0


* [PATCH 3.12 208/235] apparmor: internal paths should be treated as disconnected
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (206 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 207/235] apparmor: fix disconnected bind mnts reconnection Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 209/235] apparmor: fix put() parent ref after updating the active ref Jiri Slaby
                   ` (28 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit bd35db8b8ca6e27fc17a9057ef78e1ddfc0de351 upstream.

Internal mounts are not mounted anywhere and as such should be treated
as disconnected paths.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/path.c | 64 +++++++++++++++++++++++++++---------------------
 1 file changed, 36 insertions(+), 28 deletions(-)

diff --git a/security/apparmor/path.c b/security/apparmor/path.c
index 0f232e5cd18c..5505e0563bc8 100644
--- a/security/apparmor/path.c
+++ b/security/apparmor/path.c
@@ -25,7 +25,6 @@
 #include "include/path.h"
 #include "include/policy.h"
 
-
 /* modified from dcache.c */
 static int prepend(char **buffer, int buflen, const char *str, int namelen)
 {
@@ -39,6 +38,38 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen)
 
 #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
 
+/* If the path is not connected to the expected root,
+ * check if it is a sysctl and handle specially else remove any
+ * leading / that __d_path may have returned.
+ * Unless
+ *     specifically directed to connect the path,
+ * OR
+ *     if in a chroot and doing chroot relative paths and the path
+ *     resolves to the namespace root (would be connected outside
+ *     of chroot) and specifically directed to connect paths to
+ *     namespace root.
+ */
+static int disconnect(const struct path *path, char *buf, char **name,
+		      int flags)
+{
+	int error = 0;
+
+	if (!(flags & PATH_CONNECT_PATH) &&
+	    !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
+	      our_mnt(path->mnt))) {
+		/* disconnected path, don't return pathname starting
+		 * with '/'
+		 */
+		error = -EACCES;
+		if (**name == '/')
+			*name = *name + 1;
+	} else if (**name != '/')
+		/* CONNECT_PATH with missing root */
+		error = prepend(name, *name - buf, "/", 1);
+
+	return error;
+}
+
 /**
  * d_namespace_path - lookup a name associated with a given path
  * @path: path to lookup  (NOT NULL)
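Review bot: the comment above `disconnect()` was moved verbatim and still says "check if it is a sysctl and handle specially", which nothing in the new function does; please trim it to what `disconnect()` implements and document the return values (`-EACCES` for a disconnected path, otherwise the result of `prepend()`). The unbraced `else if` with a comment-plus-statement body is carried over as well and should get braces.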
@@ -74,7 +105,8 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
 			 * control instead of hard coded /proc
 			 */
 			return prepend(name, *name - buf, "/proc", 5);
-		}
+		} else
+			return disconnect(path, buf, name, flags);
 		return 0;
 	}
 
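Review bot: with `} else return disconnect(path, buf, name, flags);` both arms of the `if` now return, so the `return 0;` that follows is unreachable and should be removed, and the `else` arm should be braced to match the `if` arm. This is also a behaviour change for callers: unless `PATH_CONNECT_PATH` or the chroot case applies, these paths now come back with `-EACCES` where the old code fell through to `return 0`, which deserves a sentence in the changelog.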
@@ -120,32 +152,8 @@ static int d_namespace_path(struct path *path, char *buf, int buflen,
 			goto out;
 	}
 
-	/* If the path is not connected to the expected root,
-	 * check if it is a sysctl and handle specially else remove any
-	 * leading / that __d_path may have returned.
-	 * Unless
-	 *     specifically directed to connect the path,
-	 * OR
-	 *     if in a chroot and doing chroot relative paths and the path
-	 *     resolves to the namespace root (would be connected outside
-	 *     of chroot) and specifically directed to connect paths to
-	 *     namespace root.
-	 */
-	if (!connected) {
-		if (!(flags & PATH_CONNECT_PATH) &&
-			   !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
-			     our_mnt(path->mnt))) {
-			/* disconnected path, don't return pathname starting
-			 * with '/'
-			 */
-			error = -EACCES;
-			if (*res == '/')
-				*name = res + 1;
-		} else if (*res != '/')
-			/* CONNECT_PATH with missing root */
-			error = prepend(name, *name - buf, "/", 1);
-
-	}
+	if (!connected)
+		error = disconnect(path, buf, name, flags);
 
 out:
 	return error;
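Review bot: the removed block tested `*res` and set `*name = res + 1`, whereas `disconnect()` tests `**name` and advances `*name`; the two are equivalent only if `*name == res` whenever `!connected` is reached. Please confirm no path through `d_namespace_path()` moves `*name` away from `res` before this call, or pass `res` to the helper explicitly.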
-- 
2.11.0


* [PATCH 3.12 209/235] apparmor: fix put() parent ref after updating the active ref
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (207 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 208/235] apparmor: internal paths should be treated as disconnected Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 210/235] apparmor: fix log failures for all profiles in a set Jiri Slaby
                   ` (27 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f351841f8d41072e741e45299070d421a5833a4a upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index c92a9f6c1be5..455c9f89f7e2 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1187,8 +1187,8 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 			/* parent replaced in this atomic set? */
 			if (newest != parent) {
 				aa_get_profile(newest);
-				aa_put_profile(parent);
 				rcu_assign_pointer(ent->new->parent, newest);
+				aa_put_profile(parent);
 			}
 			/* aafs interface uses replacedby */
 			rcu_assign_pointer(ent->new->replacedby->profile,
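Review bot: the reordering inside the `newest != parent` branch is the whole fix, yet neither the changelog nor the code says why the order matters; please add a comment that `aa_put_profile(parent)` must follow `rcu_assign_pointer(ent->new->parent, newest)` so that `ent->new->parent` never points at a profile whose reference has already been dropped.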
-- 
2.11.0


* [PATCH 3.12 210/235] apparmor: fix log failures for all profiles in a set
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (208 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 209/235] apparmor: fix put() parent ref after updating the active ref Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 211/235] apparmor: fix audit full profile hname on successful load Jiri Slaby
                   ` (26 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit bf15cf0c641be8e57d45f110a9d91464f5bb461a upstream.

Currently only the profile that is causing the failure is logged. This
makes it more confusing than necessary about which profiles loaded
and which didn't. So make sure to log success and failure messages for
all profiles in the set being loaded.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 455c9f89f7e2..db31bc5e459f 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1067,7 +1067,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname,
  */
 ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 {
-	const char *ns_name, *name = NULL, *info = NULL;
+	const char *ns_name, *info = NULL;
 	struct aa_namespace *ns = NULL;
 	struct aa_load_ent *ent, *tmp;
 	int op = OP_PROF_REPL;
@@ -1082,18 +1082,15 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 	/* released below */
 	ns = aa_prepare_namespace(ns_name);
 	if (!ns) {
-		info = "failed to prepare namespace";
-		error = -ENOMEM;
-		name = ns_name;
-		goto fail;
+		error = audit_policy(op, GFP_KERNEL, ns_name,
+				     "failed to prepare namespace", -ENOMEM);
+		goto free;
 	}
 
 	mutex_lock(&ns->lock);
 	/* setup parent and ns info */
 	list_for_each_entry(ent, &lh, list) {
 		struct aa_policy *policy;
-
-		name = ent->new->base.hname;
 		error = __lookup_replace(ns, ent->new->base.hname, noreplace,
 					 &ent->old, &info);
 		if (error)
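Review bot: removing the blank line after `struct aa_policy *policy;` leaves a declaration directly followed by a statement; kernel style keeps a blank line there. In the `!ns` path, `goto free` skips the new per-profile audit loop, so a namespace failure logs only `ns_name`; if that is intended, the changelog's claim about logging all profiles in the set should mention the exception.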
@@ -1121,7 +1118,6 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 			if (!p) {
 				error = -ENOENT;
 				info = "parent does not exist";
-				name = ent->new->base.hname;
 				goto fail_lock;
 			}
 			rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
@@ -1214,9 +1210,22 @@ out:
 
 fail_lock:
 	mutex_unlock(&ns->lock);
-fail:
-	error = audit_policy(op, GFP_KERNEL, name, info, error);
 
+	/* audit cause of failure */
+	op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
+	audit_policy(op, GFP_KERNEL, ent->new->base.hname, info, error);
+	/* audit status that rest of profiles in the atomic set failed too */
+	info = "valid profile in failed atomic policy load";
+	list_for_each_entry(tmp, &lh, list) {
+		if (tmp == ent) {
+			info = "unchecked profile in failed atomic policy load";
+			/* skip entry that caused failure */
+			continue;
+		}
+		op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
+		audit_policy(op, GFP_KERNEL, tmp->new->base.hname, info, error);
+	}
+free:
 	list_for_each_entry_safe(ent, tmp, &lh, list) {
 		list_del_init(&ent->list);
 		aa_load_ent_free(ent);
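Review bot: inside `list_for_each_entry(tmp, &lh, list)` the op is computed from `ent->old`, not `tmp->old`, so every other profile in the set is audited with the load/replace status of the entry that failed; this looks like it should read `op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;`. The `info` string switches to "unchecked profile in failed atomic policy load" only after the failing entry is passed, which relies on list order matching processing order and deserves a comment. The return value of `audit_policy()` is now discarded where the old `fail:` path assigned it to `error`; please confirm the value returned to the caller is still the intended one.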
-- 
2.11.0


* [PATCH 3.12 211/235] apparmor: fix audit full profile hname on successful load
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (209 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 210/235] apparmor: fix log failures for all profiles in a set Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 212/235] apparmor: ensure the target profile name is always audited Jiri Slaby
                   ` (25 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7ee6da25dcce27b6023a8673fdf8be98dcf7cacf upstream.

Currently logging of a successful profile load only logs the basename
of the profile. This can result in confusion when a child profile has
the same name as another profile in the set. Logging the hname
will ensure there is no confusion.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index db31bc5e459f..ca402d028db8 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1159,7 +1159,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 		list_del_init(&ent->list);
 		op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
 
-		audit_policy(op, GFP_ATOMIC, ent->new->base.name, NULL, error);
+		audit_policy(op, GFP_ATOMIC, ent->new->base.hname, NULL, error);
 
 		if (ent->old) {
 			__replace_profile(ent->old, ent->new, 1);
-- 
2.11.0


* [PATCH 3.12 212/235] apparmor: ensure the target profile name is always audited
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (210 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 211/235] apparmor: fix audit full profile hname on successful load Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 213/235] apparmor: check that xindex is in trans_table bounds Jiri Slaby
                   ` (24 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f7da2de01127b58d93cebeab165136d0998e7b1a upstream.

The target profile name was not being correctly audited in a few
cases because the target variable was not being set and gotos
passed the code to set it at apply:

Since it is always based on new_profile just drop the target var
and conditionally report based on new_profile.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/domain.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index a59766fe3b7a..1c7763766135 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -348,7 +348,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 		file_inode(bprm->file)->i_uid,
 		file_inode(bprm->file)->i_mode
 	};
-	const char *name = NULL, *target = NULL, *info = NULL;
+	const char *name = NULL, *info = NULL;
 	int error = cap_bprm_set_creds(bprm);
 	if (error)
 		return error;
@@ -403,6 +403,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	if (cxt->onexec) {
 		struct file_perms cp;
 		info = "change_profile onexec";
+		new_profile = aa_get_newest_profile(cxt->onexec);
 		if (!(perms.allow & AA_MAY_ONEXEC))
 			goto audit;
 
@@ -417,7 +418,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 
 		if (!(cp.allow & AA_MAY_ONEXEC))
 			goto audit;
-		new_profile = aa_get_newest_profile(cxt->onexec);
 		goto apply;
 	}
 
@@ -449,10 +449,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 		if (!new_profile) {
 			error = -ENOMEM;
 			info = "could not create null profile";
-		} else {
+		} else
 			error = -EACCES;
-			target = new_profile->base.hname;
-		}
 		perms.xindex |= AA_X_UNSAFE;
 	} else
 		/* fail exec */
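Review bot: dropping the braces from the `else` arm leaves `if (!new_profile) { ... } else error = -EACCES;` with one braced and one unbraced arm; kernel style keeps braces on both when either needs them, so please keep `} else {` around the single remaining statement.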
@@ -463,7 +461,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	 * fail the exec.
 	 */
 	if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) {
-		aa_put_profile(new_profile);
 		error = -EPERM;
 		goto cleanup;
 	}
@@ -478,10 +475,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 
 	if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
 		error = may_change_ptraced_domain(current, new_profile);
-		if (error) {
-			aa_put_profile(new_profile);
+		if (error)
 			goto audit;
-		}
 	}
 
 	/* Determine if secure exec is needed.
@@ -502,7 +497,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 		bprm->unsafe |= AA_SECURE_X_NEEDED;
 	}
 apply:
-	target = new_profile->base.hname;
 	/* when transitioning profiles clear unsafe personality bits */
 	bprm->per_clear |= PER_CLEAR_ON_SETID;
 
@@ -510,15 +504,19 @@ x_clear:
 	aa_put_profile(cxt->profile);
 	/* transfer new profile reference will be released when cxt is freed */
 	cxt->profile = new_profile;
+	new_profile = NULL;
 
 	/* clear out all temporary/transitional state from the context */
 	aa_clear_task_cxt_trans(cxt);
 
 audit:
 	error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,
-			      name, target, cond.uid, info, error);
+			      name,
+			      new_profile ? new_profile->base.hname : NULL,
+			      cond.uid, info, error);
 
 cleanup:
+	aa_put_profile(new_profile);
 	aa_put_profile(profile);
 	kfree(buffer);
 
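Review bot: on the success path `new_profile = NULL;` runs at `x_clear:` before control falls through to `audit:`, so `new_profile ? new_profile->base.hname : NULL` passes NULL as the target for every exec that actually transitions, whereas the old code set `target` at `apply:` for that case. If the target should be audited on success as well, take the name before clearing the pointer, for example from `cxt->profile`. The `aa_put_profile(new_profile)` added at `cleanup:` is reached with NULL on that path, so it relies on `aa_put_profile()` accepting NULL; please confirm and say so in a comment.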
-- 
2.11.0


* [PATCH 3.12 213/235] apparmor: check that xindex is in trans_table bounds
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (211 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 212/235] apparmor: ensure the target profile name is always audited Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 214/235] apparmor: fix refcount race when finding a child profile Jiri Slaby
                   ` (23 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 23ca7b640b4a55f8747301b6bd984dd05545f6a7 upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy_unpack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index a689f10930b5..c841b1268a84 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -676,7 +676,7 @@ static bool verify_xindex(int xindex, int table_size)
 	int index, xtype;
 	xtype = xindex & AA_X_TYPE_MASK;
 	index = xindex & AA_X_INDEX_MASK;
-	if (xtype == AA_X_TABLE && index > table_size)
+	if (xtype == AA_X_TABLE && index >= table_size)
 		return 0;
 	return 1;
 }
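Review bot: `index >= table_size` fixes the off-by-one, since `index == table_size` is one past the last entry, but the changelog has no body even though this is a bounds check on loaded policy data; please describe the out-of-bounds access it prevents. `verify_xindex()` is declared `bool` yet returns `0` and `1`; `return false;` and `return true;` would match the type.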
-- 
2.11.0


* [PATCH 3.12 214/235] apparmor: fix refcount race when finding a child profile
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (212 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 213/235] apparmor: check that xindex is in trans_table bounds Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 215/235] apparmor: add missing id bounds check on dfa verification Jiri Slaby
                   ` (22 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit de7c4cc947f9f56f61520ee7edaf380434a98c8d upstream.

When finding a child profile via an rcu critical section, the profile
may be put and scheduled for deletion after the child is found but
before its refcount is incremented.

Protect against this by repeating the lookup if the profile's refcount
is 0 and is on its way to deletion.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index ca402d028db8..780712553651 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -766,7 +766,9 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
 	struct aa_profile *profile;
 
 	rcu_read_lock();
-	profile = aa_get_profile(__find_child(&parent->base.profiles, name));
+	do {
+		profile = __find_child(&parent->base.profiles, name);
+	} while (profile && !aa_get_profile_not0(profile));
 	rcu_read_unlock();
 
 	/* refcount released by caller */
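Review bot: the `do { ... } while (profile && !aa_get_profile_not0(profile));` loop has no bound and terminates only once `__find_child()` stops returning the dying profile, that is, once it has been unlinked from `parent->base.profiles`. Please add a comment naming the invariant that guarantees the unlink becomes visible to this reader; without it the loop can spin inside the RCU read-side critical section.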
-- 
2.11.0


* [PATCH 3.12 215/235] apparmor: add missing id bounds check on dfa verification
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (213 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 214/235] apparmor: fix refcount race when finding a child profile Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 216/235] apparmor: don't check for vmalloc_addr if kvzalloc() failed Jiri Slaby
                   ` (21 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 15756178c6a65b261a080e21af4766f59cafc112 upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/include/match.h | 1 +
 security/apparmor/match.c         | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 001c43aa0406..a1c04fe86790 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -62,6 +62,7 @@ struct table_set_header {
 #define YYTD_ID_ACCEPT2 6
 #define YYTD_ID_NXT	7
 #define YYTD_ID_TSIZE	8
+#define YYTD_ID_MAX	8
 
 #define YYTD_DATA8	1
 #define YYTD_DATA16	2
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 727eb4200d5c..f9f57c626f54 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -47,6 +47,8 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
 	 * it every time we use td_id as an index
 	 */
 	th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
+	if (th.td_id > YYTD_ID_MAX)
+		goto out;
 	th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
 	th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
 	blob += sizeof(struct table_header);
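Review bot: the bound in "if (th.td_id > YYTD_ID_MAX)" looks off by one. th.td_id has already had 1 subtracted and, per the comment above, is used as an index; the header lists YYTD_ID_NXT as 7 and YYTD_ID_TSIZE as 8, and YYTD_ID_MAX is also 8. If YYTD_ID_TSIZE is the number of table slots, td_id == 8 passes this test and indexes one past the end. Either compare with ">= YYTD_ID_TSIZE" or define YYTD_ID_MAX as the highest valid index. The commit also has no description; a sentence on what goes wrong with an out-of-range id from a loaded policy blob would help stable reviewers.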
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 216/235] apparmor: don't check for vmalloc_addr if kvzalloc() failed
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (214 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 215/235] apparmor: add missing id bounds check on dfa verification Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 217/235] apparmor: fix oops in profile_unpack() when policy_db is not present Jiri Slaby
                   ` (20 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3197f5adf539a3ee6331f433a51483f8c842f890 upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/match.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index f9f57c626f54..32b72eb3d988 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -75,14 +75,14 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
 				     u32, be32_to_cpu);
 		else
 			goto fail;
+		/* if table was vmalloced make sure the page tables are synced
+		 * before it is used, as it goes live to all cpus.
+		 */
+		if (is_vmalloc_addr(table))
+			vm_unmap_aliases();
 	}
 
 out:
-	/* if table was vmalloced make sure the page tables are synced
-	 * before it is used, as it goes live to all cpus.
-	 */
-	if (is_vmalloc_addr(table))
-		vm_unmap_aliases();
 	return table;
 fail:
 	kvfree(table);
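Review bot: the commit has no changelog body, so the reason for moving the is_vmalloc_addr()/vm_unmap_aliases() block from "out:" into "if (table)" has to be inferred from the subject line. Please say which path reached "out:" with a NULL table and what the observed effect was. With the move, "out:" does nothing but "return table;", so the label could be dropped in favour of direct returns if no other goto uses it.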
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 217/235] apparmor: fix oops in profile_unpack() when policy_db is not present
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (215 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 216/235] apparmor: don't check for vmalloc_addr if kvzalloc() failed Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 218/235] apparmor: fix module parameters can be changed after policy is locked Jiri Slaby
                   ` (19 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 5f20fdfed16bc599a325a145bf0123a8e1c9beea upstream.

BugLink: http://bugs.launchpad.net/bugs/1592547

If unpack_dfa() returns NULL due to the dfa not being present,
profile_unpack() is not checking if the dfa is not present (NULL).

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/policy_unpack.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index c841b1268a84..dac2121bc873 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -583,6 +583,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
 			error = PTR_ERR(profile->policy.dfa);
 			profile->policy.dfa = NULL;
 			goto fail;
+		} else if (!profile->policy.dfa) {
+			error = -EPROTO;
+			goto fail;
 		}
 		if (!unpack_u32(e, &profile->policy.start[0], "start"))
 			/* default start state */
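Review bot: the subject and changelog name profile_unpack(), but the hunk header shows the function is unpack_profile(); please fix the name so the commit can be found by grep. On the code itself, the new "else if (!profile->policy.dfa)" branch returns -EPROTO without setting any diagnostic; if the surrounding function reports a reason string on failure, set it here too so a rejected policy load is distinguishable from other -EPROTO cases.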
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 218/235] apparmor: fix module parameters can be changed after policy is locked
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (216 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 217/235] apparmor: fix oops in profile_unpack() when policy_db is not present Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 219/235] apparmor: do not expose kernel stack Jiri Slaby
                   ` (18 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 58acf9d911c8831156634a44d0b022d683e1e50c upstream.

The policy_lock parameter is a one way switch that prevents policy
from being further modified. Unfortunately some of the module parameters
can effectively modify policy by turning off enforcement.

Split policy_admin_capable into a view check and a full admin check,
and update the admin check to test the policy_lock parameter.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/include/policy.h |  2 ++
 security/apparmor/lsm.c            | 22 ++++++++++------------
 security/apparmor/policy.c         | 18 +++++++++++++++++-
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index c28b0f20ab53..52275f040a5f 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -403,6 +403,8 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
 	return profile->audit;
 }
 
+bool policy_view_capable(void);
+bool policy_admin_capable(void);
 bool aa_may_manage_policy(int op);
 
 #endif /* __AA_POLICY_H */
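Review bot: the two new prototypes, policy_view_capable() and policy_admin_capable(), are non-static symbols without the aa_ prefix that the neighbouring aa_may_manage_policy() uses. Since they are visible outside policy.c, consider aa_policy_view_capable()/aa_policy_admin_capable() to keep them out of the global namespace.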
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index fb99e18123b4..00a92de97c82 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -762,51 +762,49 @@ __setup("apparmor=", apparmor_enabled_setup);
 /* set global flag turning off the ability to load policy */
 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
-	if (aa_g_lock_policy)
-		return -EACCES;
 	return param_set_bool(val, kp);
 }
 
 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_view_capable())
 		return -EPERM;
 	return param_get_bool(buffer, kp);
 }
 
 static int param_set_aabool(const char *val, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
 	return param_set_bool(val, kp);
 }
 
 static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_view_capable())
 		return -EPERM;
 	return param_get_bool(buffer, kp);
 }
 
 static int param_set_aauint(const char *val, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
 	return param_set_uint(val, kp);
 }
 
 static int param_get_aauint(char *buffer, const struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_view_capable())
 		return -EPERM;
 	return param_get_uint(buffer, kp);
 }
 
 static int param_get_audit(char *buffer, struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_view_capable())
 		return -EPERM;
 
 	if (!apparmor_enabled)
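Review bot: param_set_aalockpolicy() changes its error code for the already-locked case. The removed lines returned -EACCES when aa_g_lock_policy was set; that condition is now folded into policy_admin_capable(), so the caller gets -EPERM instead. If userspace distinguishes "not privileged" from "policy locked" by errno, this is a visible change; either keep a separate -EACCES return for the locked case or mention the change in the changelog.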
@@ -818,7 +816,7 @@ static int param_get_audit(char *buffer, struct kernel_param *kp)
 static int param_set_audit(const char *val, struct kernel_param *kp)
 {
 	int i;
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
 
 	if (!apparmor_enabled)
@@ -839,7 +837,7 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
 
 static int param_get_mode(char *buffer, struct kernel_param *kp)
 {
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
 
 	if (!apparmor_enabled)
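Review bot: param_get_mode() is converted to policy_admin_capable(), while every other getter in this patch (param_get_aalockpolicy, param_get_aabool, param_get_aauint, param_get_audit) uses policy_view_capable(). As written, reading the mode parameter fails with -EPERM once policy is locked, which contradicts the view/admin split described in the changelog. This should be "if (!policy_view_capable())".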
@@ -851,7 +849,7 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
 static int param_set_mode(const char *val, struct kernel_param *kp)
 {
 	int i;
-	if (!capable(CAP_MAC_ADMIN))
+	if (!policy_admin_capable())
 		return -EPERM;
 
 	if (!apparmor_enabled)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 780712553651..179e68d7dc5f 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -918,6 +918,22 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
 			&sa, NULL);
 }
 
+bool policy_view_capable(void)
+{
+	struct user_namespace *user_ns = current_user_ns();
+	bool response = false;
+
+	if (ns_capable(user_ns, CAP_MAC_ADMIN))
+		response = true;
+
+	return response;
+}
+
+bool policy_admin_capable(void)
+{
+	return policy_view_capable() && !aa_g_lock_policy;
+}
+
 /**
  * aa_may_manage_policy - can the current task manage policy
  * @op: the policy manipulation operation being done
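Review bot: policy_view_capable() replaces capable(CAP_MAC_ADMIN) with ns_capable(current_user_ns(), CAP_MAC_ADMIN), and the changelog does not mention it. capable() tests the capability against the initial user namespace, whereas this tests it against whatever user namespace the caller is in, so the check is weaker than the one it replaces for every converted call site, including aa_may_manage_policy(). If namespace-relative policy administration is not intended in this backport, keep capable(CAP_MAC_ADMIN) here; if it is, the changelog needs to say so and explain what confines it. The two new helpers also lack the kernel-doc that aa_may_manage_policy() has directly below.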
@@ -932,7 +948,7 @@ bool aa_may_manage_policy(int op)
 		return 0;
 	}
 
-	if (!capable(CAP_MAC_ADMIN)) {
+	if (!policy_admin_capable()) {
 		audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
 		return 0;
 	}
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 219/235] apparmor: do not expose kernel stack
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (217 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 218/235] apparmor: fix module parameters can be changed after policy is locked Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 220/235] apparmor: fix oops, validate buffer size in apparmor_setprocattr() Jiri Slaby
                   ` (17 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Heinrich Schuchardt, John Johansen, Jiri Slaby

From: Heinrich Schuchardt <xypron.glpk@gmx.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f4ee2def2d70692ccff0d55353df4ee594fd0017 upstream.

Do not copy uninitialized fields th.td_hilen, th.td_data.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/match.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 32b72eb3d988..3f900fcca8fb 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -63,7 +63,9 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
 
 	table = kvzalloc(tsize);
 	if (table) {
-		*table = th;
+		table->td_id = th.td_id;
+		table->td_flags = th.td_flags;
+		table->td_lolen = th.td_lolen;
 		if (th.td_flags == YYTD_DATA8)
 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
 				     u8, byte_to_byte);
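Review bot: the three field assignments that replace "*table = th;" silently depend on kvzalloc() having zeroed the remaining header fields, and on nobody adding a field to struct table_header without updating this list. A one-line comment saying that th is only partially initialised and that the other fields must stay zero would keep a later cleanup from restoring the struct copy.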
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 220/235] apparmor: fix oops, validate buffer size in apparmor_setprocattr()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (218 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 219/235] apparmor: do not expose kernel stack Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 221/235] apparmor: fix arg_size computation for when setprocattr is null terminated Jiri Slaby
                   ` (16 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Vegard Nossum, Al Viro, John Johansen, Paul Moore,
	Stephen Smalley, Eric Paris, Casey Schaufler, James Morris,
	Jiri Slaby

From: Vegard Nossum <vegard.nossum@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit e89b8081327ac9efbf273e790b8677e64fd0361a upstream.

When proc_pid_attr_write() was changed to use memdup_user, apparmor's
(interface violating) assumption that the setprocattr buffer was always
a single page was violated.

The size test is not strictly speaking needed as proc_pid_attr_write()
will reject anything larger, but for the sake of robustness we can keep
it in.

SMACK and SELinux look safe to me, but somebody else should probably
have a look just in case.

Based on original patch from Vegard Nossum <vegard.nossum@oracle.com>
modified for the case that apparmor provides null termination.

Fixes: bb646cdb12e75d82258c2f2e7746d5952d3e321a
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/lsm.c | 36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 00a92de97c82..90905af74a8d 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -533,34 +533,34 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
 {
 	struct common_audit_data sa;
 	struct apparmor_audit_data aad = {0,};
-	char *command, *args = value;
+	char *command, *largs = NULL, *args = value;
 	size_t arg_size;
 	int error;
 
 	if (size == 0)
 		return -EINVAL;
-	/* args points to a PAGE_SIZE buffer, AppArmor requires that
-	 * the buffer must be null terminated or have size <= PAGE_SIZE -1
-	 * so that AppArmor can null terminate them
-	 */
-	if (args[size - 1] != '\0') {
-		if (size == PAGE_SIZE)
-			return -EINVAL;
-		args[size] = '\0';
-	}
-
 	/* task can only write its own attributes */
 	if (current != task)
 		return -EACCES;
 
-	args = value;
+	/* AppArmor requires that the buffer must be null terminated atm */
+	if (args[size - 1] != '\0') {
+		/* null terminate */
+		largs = args = kmalloc(size + 1, GFP_KERNEL);
+		if (!args)
+			return -ENOMEM;
+		memcpy(args, value, size);
+		args[size] = '\0';
+	}
+
+	error = -EINVAL;
 	args = strim(args);
 	command = strsep(&args, " ");
 	if (!args)
-		return -EINVAL;
+		goto out;
 	args = skip_spaces(args);
 	if (!*args)
-		return -EINVAL;
+		goto out;
 
 	arg_size = size - (args - (char *) value);
 	if (strcmp(name, "current") == 0) {
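Review bot: the unchanged line "arg_size = size - (args - (char *) value);" is wrong once the new kmalloc() branch is taken. In that branch args points into largs, not value, so the subtraction is between pointers into two different allocations and arg_size is meaningless. The base must be whichever buffer args was derived from. Separately, the subject says "validate buffer size" and the changelog says the size test is kept, but no size check appears in this hunk: the old "size == PAGE_SIZE" test is removed and "kmalloc(size + 1, GFP_KERNEL)" relies entirely on the caller bounding size. Either add the explicit bound or correct the changelog.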
@@ -586,10 +586,12 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
 			goto fail;
 	} else
 		/* only support the "current" and "exec" process attributes */
-		return -EINVAL;
+		goto fail;
 
 	if (!error)
 		error = size;
+out:
+	kfree(largs);
 	return error;
 
 fail:
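Review bot: the final else branch now does "goto fail" where it used to "return -EINVAL", so writes to any attribute other than "current" or "exec" start producing an AUDIT_APPARMOR_DENIED record through the fail path. That is a behaviour change beyond the leak fix this conversion is for; if the audit message is not wanted for unsupported attribute names, set error = -EINVAL and "goto out" here instead. The resulting layout, with "out:" above "return error;" and "fail:" jumping back up to it, is also hard to follow; placing the audit block before "out:" would let both paths fall through.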
@@ -598,9 +600,9 @@ fail:
 	aad.profile = aa_current_profile();
 	aad.op = OP_SETPROCATTR;
 	aad.info = name;
-	aad.error = -EINVAL;
+	aad.error = error = -EINVAL;
 	aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
-	return -EINVAL;
+	goto out;
 }
 
 static int apparmor_task_setrlimit(struct task_struct *task,
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 221/235] apparmor: fix arg_size computation for when setprocattr is null terminated
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (219 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 220/235] apparmor: fix oops, validate buffer size in apparmor_setprocattr() Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 222/235] vfio/pci: Fix integer overflows, bitmask check Jiri Slaby
                   ` (15 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, John Johansen, Jiri Slaby

From: John Johansen <john.johansen@canonical.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d4d03f74a73f3b8b2801d4d02011b6b69778cbcc upstream.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 security/apparmor/lsm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 90905af74a8d..c623e4744f55 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -562,7 +562,7 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
 	if (!*args)
 		goto out;
 
-	arg_size = size - (args - (char *) value);
+	arg_size = size - (args - (largs ? largs : (char *) value));
 	if (strcmp(name, "current") == 0) {
 		if (strcmp(command, "changehat") == 0) {
 			error = aa_setprocattr_changehat(args, arg_size,
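Review bot: this one-line fix corrects the base pointer left wrong by the previous patch in the series, but the commit has no changelog body and no Fixes: tag tying it to that change, so anyone picking up one without the other gets a miscomputed arg_size. Please add both. The ternary "(largs ? largs : (char *) value)" could also be avoided by saving the start of the working buffer in a local before strim()/strsep() advance args.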
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 222/235] vfio/pci: Fix integer overflows, bitmask check
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (220 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 221/235] apparmor: fix arg_size computation for when setprocattr is null terminated Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 223/235] bna: Add synchronization for tx ring Jiri Slaby
                   ` (14 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Vlad Tsyrklevich, Alex Williamson, Jiri Slaby

From: Vlad Tsyrklevich <vlad@tsyrklevich.net>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 05692d7005a364add85c6e25a6c4447ce08f913a upstream.

The VFIO_DEVICE_SET_IRQS ioctl did not sufficiently sanitize
user-supplied integers, potentially allowing memory corruption. This
patch adds appropriate integer overflow checks, checks the range bounds
for VFIO_IRQ_SET_DATA_NONE, and also verifies that only a single element
in the VFIO_IRQ_SET_DATA_TYPE_MASK bitmask is set.
VFIO_IRQ_SET_ACTION_TYPE_MASK is already correctly checked later in
vfio_pci_set_irqs_ioctl().

Furthermore, a kzalloc is changed to a kcalloc because the use of a
kzalloc with an integer multiplication allowed an integer overflow
condition to be reached without this patch. kcalloc checks for overflow
and should prevent a similar occurrence.

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/vfio/pci/vfio_pci.c       | 33 +++++++++++++++++++++------------
 drivers/vfio/pci/vfio_pci_intrs.c |  2 +-
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 275aa3fc4087..f636e2eb0dd8 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -468,8 +468,9 @@ static long vfio_pci_ioctl(void *device_data,
 
 	} else if (cmd == VFIO_DEVICE_SET_IRQS) {
 		struct vfio_irq_set hdr;
+		size_t size;
 		u8 *data = NULL;
-		int ret = 0;
+		int max, ret = 0;
 
 		minsz = offsetofend(struct vfio_irq_set, count);
 
@@ -477,23 +478,31 @@ static long vfio_pci_ioctl(void *device_data,
 			return -EFAULT;
 
 		if (hdr.argsz < minsz || hdr.index >= VFIO_PCI_NUM_IRQS ||
+		    hdr.count >= (U32_MAX - hdr.start) ||
 		    hdr.flags & ~(VFIO_IRQ_SET_DATA_TYPE_MASK |
 				  VFIO_IRQ_SET_ACTION_TYPE_MASK))
 			return -EINVAL;
 
-		if (!(hdr.flags & VFIO_IRQ_SET_DATA_NONE)) {
-			size_t size;
-			int max = vfio_pci_get_irq_count(vdev, hdr.index);
+		max = vfio_pci_get_irq_count(vdev, hdr.index);
+		if (hdr.start >= max || hdr.start + hdr.count > max)
+			return -EINVAL;
 
-			if (hdr.flags & VFIO_IRQ_SET_DATA_BOOL)
-				size = sizeof(uint8_t);
-			else if (hdr.flags & VFIO_IRQ_SET_DATA_EVENTFD)
-				size = sizeof(int32_t);
-			else
-				return -EINVAL;
+		switch (hdr.flags & VFIO_IRQ_SET_DATA_TYPE_MASK) {
+		case VFIO_IRQ_SET_DATA_NONE:
+			size = 0;
+			break;
+		case VFIO_IRQ_SET_DATA_BOOL:
+			size = sizeof(uint8_t);
+			break;
+		case VFIO_IRQ_SET_DATA_EVENTFD:
+			size = sizeof(int32_t);
+			break;
+		default:
+			return -EINVAL;
+		}
 
-			if (hdr.argsz - minsz < hdr.count * size ||
-			    hdr.start >= max || hdr.start + hdr.count > max)
+		if (size) {
+			if (hdr.argsz - minsz < hdr.count * size)
 				return -EINVAL;
 
 			data = memdup_user((void __user *)(arg + minsz),
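Review bot: "max" is declared int but is compared directly with hdr.start and hdr.start + hdr.count, which the U32_MAX test on the line above treats as unsigned 32-bit values. In those comparisons max is converted to unsigned, so if vfio_pci_get_irq_count() can ever return a negative value the range check "hdr.start >= max || hdr.start + hdr.count > max" passes for almost any input. Declare max as unsigned and reject a non-positive count from the helper explicitly before the comparison. A short comment noting that the range check must stay ahead of "hdr.count * size" (it is what bounds the multiplication) would also protect the ordering from later reshuffling.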
diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
index 641bc87bdb96..05b0834e26e0 100644
--- a/drivers/vfio/pci/vfio_pci_intrs.c
+++ b/drivers/vfio/pci/vfio_pci_intrs.c
@@ -465,7 +465,7 @@ static int vfio_msi_enable(struct vfio_pci_device *vdev, int nvec, bool msix)
 	if (!is_irq_none(vdev))
 		return -EINVAL;
 
-	vdev->ctx = kzalloc(nvec * sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
+	vdev->ctx = kcalloc(nvec, sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL);
 	if (!vdev->ctx)
 		return -ENOMEM;
 
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 223/235] bna: Add synchronization for tx ring.
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (221 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 222/235] vfio/pci: Fix integer overflows, bitmask check Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 224/235] [media] xc2028: avoid use after free Jiri Slaby
                   ` (13 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Benjamin Poirier, David S . Miller, Jiri Slaby

From: Benjamin Poirier <bpoirier@suse.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit d667f78514c656a6a8bf0b3d6134a7fe5cd4d317 upstream.

We received two reports of BUG_ON in bnad_txcmpl_process() where
hw_consumer_index appeared to be ahead of producer_index. Out of order
write/read of these variables could explain these reports.

bnad_start_xmit(), as a producer of tx descriptors, has a few memory
barriers sprinkled around writes to producer_index and the device's
doorbell but they're not paired with anything in bnad_txcmpl_process(), a
consumer.

Since we are synchronizing with a device, we must use mandatory barriers,
not smp_*. Also, I didn't see the purpose of the last smp_mb() in
bnad_start_xmit().

Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/ethernet/brocade/bna/bnad.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/brocade/bna/bnad.c b/drivers/net/ethernet/brocade/bna/bnad.c
index 45ce6e2214b3..2deabae1d66e 100644
--- a/drivers/net/ethernet/brocade/bna/bnad.c
+++ b/drivers/net/ethernet/brocade/bna/bnad.c
@@ -193,6 +193,7 @@ bnad_txcmpl_process(struct bnad *bnad, struct bna_tcb *tcb)
 		return 0;
 
 	hw_cons = *(tcb->hw_consumer_index);
+	rmb();
 	cons = tcb->consumer_index;
 	q_depth = tcb->q_depth;
 
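Review bot: the new rmb() after "hw_cons = *(tcb->hw_consumer_index);" has no comment. Barriers are expected to carry a comment naming what they order and what they pair with; here that would be the read of the device-written consumer index against the following reads of tcb state, paired with the wmb() added in bnad_start_xmit(). Please add it so the pairing described in the changelog is visible in the code.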
@@ -2906,13 +2907,12 @@ bnad_start_xmit(struct sk_buff *skb, struct net_device *netdev)
 	BNA_QE_INDX_INC(prod, q_depth);
 	tcb->producer_index = prod;
 
-	smp_mb();
+	wmb();
 
 	if (unlikely(!test_bit(BNAD_TXQ_TX_STARTED, &tcb->flags)))
 		return NETDEV_TX_OK;
 
 	bna_txq_prod_indx_doorbell(tcb);
-	smp_mb();
 
 	return NETDEV_TX_OK;
 }
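Review bot: replacing smp_mb() with wmb() before the test_bit(BNAD_TXQ_TX_STARTED, &tcb->flags) check drops the ordering between the store to tcb->producer_index and the subsequent load of tcb->flags, since wmb() orders writes only. The changelog justifies mandatory barriers for the device but does not say whether the flag read needed the full barrier against a concurrent stop path. Please confirm that it did not, or keep mb() here, and add a comment on the wmb() stating that it orders the descriptor and producer_index writes before the doorbell.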
-- 
2.11.0

^ permalink raw reply related	[flat|nested] 244+ messages in thread

* [PATCH 3.12 224/235] [media] xc2028: avoid use after free
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (222 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 223/235] bna: Add synchronization for tx ring Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 225/235] [media] xc2028: unlock on error in xc2028_set_config() Jiri Slaby
                   ` (12 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Mauro Carvalho Chehab, Jiri Slaby

From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 upstream.

If struct xc2028_config is passed without a firmware name,
the following trouble may happen:

[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G        W      ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------

[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012] 	___slab_alloc+0x581/0x5b0
[11009.908014] 	__slab_alloc+0x51/0x90
[11009.908017] 	__kmalloc+0x27b/0x350
[11009.908022] 	xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026] 	usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029] 	usb_submit_urb+0xb0e/0x1200
[11009.908032] 	usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035] 	usb_serial_generic_write+0x92/0xc0
[11009.908039] 	usb_console_write+0x38a/0x560
[11009.908045] 	call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051] 	console_unlock+0x40d/0x900
[11009.908056] 	vprintk_emit+0x4b4/0x830
[11009.908061] 	vprintk_default+0x1f/0x30
[11009.908064] 	printk+0x99/0xb5
[11009.908067] 	kasan_report_error+0x10a/0x550
[11009.908070] 	__asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077] 	__slab_free+0x2ec/0x460
[11009.908080] 	kfree+0x266/0x280
[11009.908083] 	xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086] 	xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090] 	em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094] 	em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098] 	em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101] 	em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105] 	em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108] 	do_one_initcall+0x141/0x300
[11009.908111] 	do_init_module+0x1d0/0x5ad
[11009.908114] 	load_module+0x6666/0x9ba0
[11009.908117] 	SyS_finit_module+0x108/0x130
[11009.908120] 	entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x          (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001

[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00  ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff  ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G    B   W       4.5.0-rc1+ #43
[11009.908140] Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142]  ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148]  ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153]  ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162]  [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165]  [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168]  [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171]  [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182]  [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185]  [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189]  [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192]  [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196]  [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200]  [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203]  [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206]  [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211]  [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215]  [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219]  [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222]  [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226]  [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230]  [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233]  [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238]  [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242]  [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245]  [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249]  [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253]  [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260]  [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264]  [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268]  [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275]  [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278]  [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292]  [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299]  [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302]  [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306]  [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309]  [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314]  [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317]  [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320]  [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324]  [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327]  [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330]  [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346]  [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350]  [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353]  [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356]  [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361]  [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366]  [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369]  [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374]  [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377]  [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379]  [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383]  [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394]  [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398]  ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401]  ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405]                                            ^
[11009.908407]  ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409]  ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================

In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/tuners/tuner-xc2028.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
index 9771cd83c06e..38afc54ef349 100644
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -1385,11 +1385,12 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 	 * in order to avoid troubles during device release.
 	 */
 	kfree(priv->ctrl.fname);
+	priv->ctrl.fname = NULL;
 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
 	if (p->fname) {
 		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
 		if (priv->ctrl.fname == NULL)
-			rc = -ENOMEM;
+			return -ENOMEM;
 	}
 
 	/*
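Review bot: The added "priv->ctrl.fname = NULL;" is a dead store, because
the memcpy() on the next line overwrites all of priv->ctrl, fname included,
with the caller's values. If the goal is to keep a later reader from seeing
the freed string, the pointer to clear has to be one that survives the
memcpy(). Separately, turning "rc = -ENOMEM;" into "return -ENOMEM;" skips
the function's normal exit path, so any lock taken earlier in
xc2028_set_config() stays held on this return.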
-- 
2.11.0


* [PATCH 3.12 225/235] [media] xc2028: unlock on error in xc2028_set_config()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (223 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 224/235] [media] xc2028: avoid use after free Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:55 ` [PATCH 3.12 226/235] block: fix use-after-free in sys_ioprio_get() Jiri Slaby
                   ` (11 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Dan Carpenter, Mauro Carvalho Chehab, Jiri Slaby

From: Dan Carpenter <dan.carpenter@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d upstream.

We have to unlock before returning -ENOMEM.

Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free')

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/tuners/tuner-xc2028.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
index 38afc54ef349..ab0bfc46f99f 100644
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -1389,8 +1389,10 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
 	if (p->fname) {
 		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
-		if (priv->ctrl.fname == NULL)
-			return -ENOMEM;
+		if (priv->ctrl.fname == NULL) {
+			rc = -ENOMEM;
+			goto unlock;
+		}
 	}
 
 	/*
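Review bot: By the time kstrdup() fails in this branch, memcpy() has already
replaced priv->ctrl with the new settings, so the -ENOMEM path leaves the
tuner with the caller's new configuration and fname set to NULL. Duplicating
p->fname first, and bailing out before the old name is freed and priv->ctrl
is overwritten, would keep the previous configuration intact on failure.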
@@ -1422,6 +1424,7 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 		} else
 			priv->state = XC2028_WAITING_FIRMWARE;
 	}
+unlock:
 	mutex_unlock(&priv->lock);
 
 	return rc;
-- 
2.11.0


* [PATCH 3.12 226/235] block: fix use-after-free in sys_ioprio_get()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (224 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 225/235] [media] xc2028: unlock on error in xc2028_set_config() Jiri Slaby
@ 2017-01-27 10:55 ` Jiri Slaby
  2017-01-27 10:56 ` [PATCH 3.12 227/235] xc2028: Fix use-after-free bug properly Jiri Slaby
                   ` (10 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:55 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Omar Sandoval, Jens Axboe, Jiri Slaby

From: Omar Sandoval <osandov@fb.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 8ba8682107ee2ca3347354e018865d8e1967c5f4 upstream.

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

int main(int argc, char **argv)
{
	pid_t pid, child;
	long nproc, i;

	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
	syscall(SYS_ioprio_set, 1, 0, 0x6000);

	nproc = sysconf(_SC_NPROCESSORS_ONLN);

	for (i = 0; i < nproc; i++) {
		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				pid = fork();
				assert(pid != -1);
				if (pid == 0) {
					_exit(0);
				} else {
					child = wait(NULL);
					assert(child == pid);
				}
			}
		}

		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
				syscall(SYS_ioprio_get, 2, 0);
			}
		}
	}

	for (;;) {
		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
		syscall(SYS_ioprio_get, 2, 0);
	}

	return 0;
}

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009] 	___slab_alloc+0x55d/0x5a0
[   35.530009] 	__slab_alloc.isra.20+0x2b/0x40
[   35.530009] 	kmem_cache_alloc_node+0x84/0x200
[   35.530009] 	create_task_io_context+0x2b/0x370
[   35.530009] 	get_task_io_context+0x92/0xb0
[   35.530009] 	copy_process.part.8+0x5029/0x5660
[   35.530009] 	_do_fork+0x155/0x7e0
[   35.530009] 	SyS_clone+0x19/0x20
[   35.530009] 	do_syscall_64+0x195/0x3a0
[   35.530009] 	return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009] 	__slab_free+0x27b/0x3d0
[   35.530009] 	kmem_cache_free+0x1fb/0x220
[   35.530009] 	put_io_context+0xe7/0x120
[   35.530009] 	put_io_context_active+0x238/0x380
[   35.530009] 	exit_io_context+0x66/0x80
[   35.530009] 	do_exit+0x158e/0x2b90
[   35.530009] 	do_group_exit+0xe5/0x2b0
[   35.530009] 	SyS_exit_group+0x1d/0x20
[   35.530009] 	entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ioprio.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/ioprio.c b/fs/ioprio.c
index 31666c92b46a..563435684c3c 100644
--- a/fs/ioprio.c
+++ b/fs/ioprio.c
@@ -149,8 +149,10 @@ static int get_task_ioprio(struct task_struct *p)
 	if (ret)
 		goto out;
 	ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
+	task_lock(p);
 	if (p->io_context)
 		ret = p->io_context->ioprio;
+	task_unlock(p);
 out:
 	return ret;
 }
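Review bot: A one-line comment above task_lock(p) is missing; it should say
that the lock serializes this read against exit_io_context() dropping
p->io_context. Without it, the lock around what looks like a plain field
read is an easy target for a later cleanup. The NULL check and the
dereference of p->io_context both sit inside the locked region, which is
what the race requires.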
-- 
2.11.0


* [PATCH 3.12 227/235] xc2028: Fix use-after-free bug properly
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (225 preceding siblings ...)
  2017-01-27 10:55 ` [PATCH 3.12 226/235] block: fix use-after-free in sys_ioprio_get() Jiri Slaby
@ 2017-01-27 10:56 ` Jiri Slaby
  2017-01-27 10:56 ` [PATCH 3.12 228/235] sg: Fix double-free when drives detach during SG_IO Jiri Slaby
                   ` (9 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:56 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Takashi Iwai, Mauro Carvalho Chehab, Jiri Slaby

From: Takashi Iwai <tiwai@suse.de>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 22a1e7783e173ab3d86018eb590107d68df46c11 upstream.

The commit 8dfbcc4351a0 ("[media] xc2028: avoid use after free") tried
to address the reported use-after-free by clearing the reference.

However, it's clearing the wrong pointer; it sets NULL to
priv->ctrl.fname, but it's anyway overwritten by the next line
memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).

OTOH, the actual code accessing the freed string is the strcmp() call
with priv->fname:
	if (!firmware_name[0] && p->fname &&
	    priv->fname && strcmp(p->fname, priv->fname))
		free_firmware(priv);

where priv->fname points to the previous file name, and this was
already freed by kfree().

For fixing the bug properly, this patch does the following:

- Keep the copy of firmware file name in only priv->fname,
  priv->ctrl.fname isn't changed;
- The allocation is done only when the firmware gets loaded;
- The kfree() is called in free_firmware() commonly

Fixes: commit 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/media/tuners/tuner-xc2028.c | 36 ++++++++++++++++--------------------
 1 file changed, 16 insertions(+), 20 deletions(-)

diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
index ab0bfc46f99f..3a615e4c4991 100644
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -289,6 +289,14 @@ static void free_firmware(struct xc2028_data *priv)
 	int i;
 	tuner_dbg("%s called\n", __func__);
 
+	/* free allocated f/w string */
+	if (priv->fname != firmware_name)
+		kfree(priv->fname);
+	priv->fname = NULL;
+
+	priv->state = XC2028_NO_FIRMWARE;
+	memset(&priv->cur_fw, 0, sizeof(priv->cur_fw));
+
 	if (!priv->firm)
 		return;
 
@@ -299,9 +307,6 @@ static void free_firmware(struct xc2028_data *priv)
 
 	priv->firm = NULL;
 	priv->firm_size = 0;
-	priv->state = XC2028_NO_FIRMWARE;
-
-	memset(&priv->cur_fw, 0, sizeof(priv->cur_fw));
 }
 
 static int load_all_firmwares(struct dvb_frontend *fe,
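Review bot: In free_firmware(), the test "priv->fname != firmware_name"
makes pointer identity the only record of whether fname is heap memory, and
nothing in the function says so. A comment stating that priv->fname is
either a kstrdup() copy or an alias of firmware_name would help, since any
other non-heap string assigned to it later would be handed to kfree(). Also
worth stating in the changelog: the state reset and the memset() of cur_fw
now run before the "if (!priv->firm) return;" early exit, so they take
effect even when no firmware image was loaded.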
@@ -890,9 +895,9 @@ read_not_reliable:
 	return 0;
 
 fail:
+	free_firmware(priv);
 	priv->state = XC2028_SLEEP;
 
-	memset(&priv->cur_fw, 0, sizeof(priv->cur_fw));
 	if (retry_count < 8) {
 		msleep(50);
 		retry_count++;
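Review bot: free_firmware() now leaves priv->state at XC2028_NO_FIRMWARE and
priv->fname at NULL, and the very next line overwrites the state with
XC2028_SLEEP. The retry branch just below then runs with the firmware and
its name already released, while xc2028_set_config() only requests firmware
again when the state is XC2028_NO_FIRMWARE. Please say in the changelog
which path reloads the firmware after a failure here.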
@@ -1314,11 +1319,8 @@ static int xc2028_dvb_release(struct dvb_frontend *fe)
 	mutex_lock(&xc2028_list_mutex);
 
 	/* only perform final cleanup if this is the last instance */
-	if (hybrid_tuner_report_instance_count(priv) == 1) {
+	if (hybrid_tuner_report_instance_count(priv) == 1)
 		free_firmware(priv);
-		kfree(priv->ctrl.fname);
-		priv->ctrl.fname = NULL;
-	}
 
 	if (priv)
 		hybrid_tuner_release_state(priv);
@@ -1381,19 +1383,8 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 
 	/*
 	 * Copy the config data.
-	 * For the firmware name, keep a local copy of the string,
-	 * in order to avoid troubles during device release.
 	 */
-	kfree(priv->ctrl.fname);
-	priv->ctrl.fname = NULL;
 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
-	if (p->fname) {
-		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
-		if (priv->ctrl.fname == NULL) {
-			rc = -ENOMEM;
-			goto unlock;
-		}
-	}
 
 	/*
 	 * If firmware name changed, frees firmware. As free_firmware will
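Review bot: With the kstrdup() removed, the memcpy() leaves
priv->ctrl.fname pointing at the caller's p->fname string, whose lifetime
this driver does not control. The deleted comment said the local copy
existed to avoid trouble during device release. Either clear
priv->ctrl.fname right after the memcpy() so nothing can read it later, or
add a comment that only priv->fname may be used for the name from here on.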
@@ -1408,10 +1399,15 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 
 	if (priv->state == XC2028_NO_FIRMWARE) {
 		if (!firmware_name[0])
-			priv->fname = priv->ctrl.fname;
+			priv->fname = kstrdup(p->fname, GFP_KERNEL);
 		else
 			priv->fname = firmware_name;
 
+		if (!priv->fname) {
+			rc = -ENOMEM;
+			goto unlock;
+		}
+
 		rc = request_firmware_nowait(THIS_MODULE, 1,
 					     priv->fname,
 					     priv->i2c_props.adap->dev.parent,
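Review bot: kstrdup() returns NULL for a NULL argument, so when
firmware_name is empty and p->fname is NULL the new "if (!priv->fname)"
check reports -ENOMEM although no allocation was attempted. Testing
p->fname first and returning -EINVAL for that case would keep the two
failures distinguishable.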
-- 
2.11.0


* [PATCH 3.12 228/235] sg: Fix double-free when drives detach during SG_IO
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (226 preceding siblings ...)
  2017-01-27 10:56 ` [PATCH 3.12 227/235] xc2028: Fix use-after-free bug properly Jiri Slaby
@ 2017-01-27 10:56 ` Jiri Slaby
  2017-01-27 10:56 ` [PATCH 3.12 229/235] fuse: do not use iocb after it may have been freed Jiri Slaby
                   ` (8 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:56 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Calvin Owens, Martin K . Petersen, Jiri Slaby

From: Calvin Owens <calvinowens@fb.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f3951a3709ff50990bf3e188c27d346792103432 upstream.

In sg_common_write(), we free the block request and return -ENODEV if
the device is detached in the middle of the SG_IO ioctl().

Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
end up freeing rq->cmd in the already free rq object, and then free
the object itself out from under the current user.

This ends up corrupting random memory via the list_head on the rq
object. The most common crash trace I saw is this:

  ------------[ cut here ]------------
  kernel BUG at block/blk-core.c:1420!
  Call Trace:
  [<ffffffff81281eab>] blk_put_request+0x5b/0x80
  [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
  [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
  [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
  [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
  [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
  [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
  [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
  [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
  [<ffffffff81602afb>] tracesys+0xdd/0xe2
    RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0

The solution is straightforward: just set srp->rq to NULL in the
failure branch so that sg_finish_rem_req() doesn't attempt to re-free
it.

Additionally, since sg_rq_end_io() will never be called on the object
when this happens, we need to free memory backing ->cmd if it isn't
embedded in the object itself.

KASAN was extremely helpful in finding the root cause of this bug.

Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/scsi/sg.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 291791a9be8b..0b27d293dd83 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -769,8 +769,14 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
 		return k;	/* probably out of space --> ENOMEM */
 	}
 	if (sdp->detached) {
-		if (srp->bio)
+		if (srp->bio) {
+			if (srp->rq->cmd != srp->rq->__cmd)
+				kfree(srp->rq->cmd);
+
 			blk_end_request_all(srp->rq, -EIO);
+			srp->rq = NULL;
+		}
+
 		sg_finish_rem_req(srp);
 		return -ENODEV;
 	}
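Review bot: In the srp->bio branch, rq->cmd is freed before
blk_end_request_all() and is left pointing at the freed buffer while the
request is completed. If nothing on the completion path reads ->cmd, a
comment saying so belongs here; otherwise save the pointer and free it after
the call. A short comment next to "srp->rq = NULL;" stating that the request
has already been released, and that sg_finish_rem_req() must not touch it,
would also document the ownership rule this fix depends on.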
-- 
2.11.0


* [PATCH 3.12 229/235] fuse: do not use iocb after it may have been freed
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (227 preceding siblings ...)
  2017-01-27 10:56 ` [PATCH 3.12 228/235] sg: Fix double-free when drives detach during SG_IO Jiri Slaby
@ 2017-01-27 10:56 ` Jiri Slaby
  2017-01-27 10:56 ` [PATCH 3.12 230/235] move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon) Jiri Slaby
                   ` (7 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:56 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Robert Doebbelin, Miklos Szeredi, Jan Kara, Jiri Slaby

From: Robert Doebbelin <robert@quobyte.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 7cabc61e01a0a8b663bd2b4c982aa53048218734 upstream.

There's a race in fuse_direct_IO(), whereby is_sync_kiocb() is called on an
iocb that could have been freed if async io has already completed.  The fix
in this case is simple and obvious: cache the result before starting io.

It was discovered by KASan:

Kernel: ==================================================================
Kernel: BUG: KASan: use after free in fuse_direct_IO+0xb1a/0xcc0 at addr ffff88036c414390

Signed-off-by: Robert Doebbelin <robert@quobyte.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: bcba24ccdc82 ("fuse: enable asynchronous processing direct IO")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/fuse/file.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 8ef52e12cd57..f6314cd3e3b0 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2393,6 +2393,7 @@ fuse_direct_IO(int rw, struct kiocb *iocb, const struct iovec *iov,
 	loff_t i_size;
 	size_t count = iov_length(iov, nr_segs);
 	struct fuse_io_priv *io;
+	bool is_sync = is_sync_kiocb(iocb);
 
 	pos = offset;
 	inode = file->f_mapping->host;
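Review bot: The is_sync declaration needs a comment saying that the value is
sampled here because iocb may already have been freed once async I/O has
been submitted and completed. Without it the local reads like a
micro-optimisation, and a later cleanup could fold is_sync_kiocb(iocb) back
into the two call sites.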
@@ -2428,7 +2429,7 @@ fuse_direct_IO(int rw, struct kiocb *iocb, const struct iovec *iov,
 	 * to wait on real async I/O requests, so we must submit this request
 	 * synchronously.
 	 */
-	if (!is_sync_kiocb(iocb) && (offset + count > i_size) && rw == WRITE)
+	if (!is_sync && (offset + count > i_size) && rw == WRITE)
 		io->async = false;
 
 	if (rw == WRITE)
@@ -2440,7 +2441,7 @@ fuse_direct_IO(int rw, struct kiocb *iocb, const struct iovec *iov,
 		fuse_aio_complete(io, ret < 0 ? ret : 0, -1);
 
 		/* we have a non-extending, async request, so return */
-		if (!is_sync_kiocb(iocb))
+		if (!is_sync)
 			return -EIOCBQUEUED;
 
 		ret = wait_on_sync_kiocb(iocb);
-- 
2.11.0


* [PATCH 3.12 230/235] move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon)
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (228 preceding siblings ...)
  2017-01-27 10:56 ` [PATCH 3.12 229/235] fuse: do not use iocb after it may have been freed Jiri Slaby
@ 2017-01-27 10:56 ` Jiri Slaby
  2017-01-27 10:56 ` [PATCH 3.12 231/235] x86/apic: Order irq_enter/exit() calls correctly vs. ack_APIC_irq() Jiri Slaby
                   ` (6 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:56 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Al Viro, Jiri Slaby

From: Al Viro <viro@zeniv.linux.org.uk>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 6f18493e541c690169c3b1479d47d95f624161cf upstream.

and lock the right list there

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: NeilBrown <neilb@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/dcache.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index 11ded5b0b853..9a5e9082feb1 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2623,6 +2623,12 @@ static void __d_materialise_dentry(struct dentry *dentry, struct dentry *anon)
 	dentry->d_parent = dentry;
 	list_del_init(&dentry->d_child);
 	anon->d_parent = dparent;
+	if (likely(!d_unhashed(anon))) {
+		hlist_bl_lock(&anon->d_sb->s_anon);
+		__hlist_bl_del(&anon->d_hash);
+		anon->d_hash.pprev = NULL;
+		hlist_bl_unlock(&anon->d_sb->s_anon);
+	}
 	list_move(&anon->d_child, &dparent->d_subdirs);
 
 	write_seqcount_end(&dentry->d_seq);
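Review bot: The new block open-codes the unhash of anon under
hlist_bl_lock(&anon->d_sb->s_anon), including the
"anon->d_hash.pprev = NULL" step, and neither the code nor the changelog
("and lock the right list there") says why __d_drop() is not suitable at
this point. A short comment naming the list that anon is hashed on, and
therefore the lock that protects its d_hash linkage, would make the choice
reviewable.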
@@ -2677,7 +2683,6 @@ struct dentry *d_materialise_unique(struct dentry *dentry, struct inode *inode)
 				 * could splice into our tree? */
 				__d_materialise_dentry(dentry, alias);
 				write_sequnlock(&rename_lock);
-				__d_drop(alias);
 				goto found;
 			} else {
 				/* Nope, but we must(!) avoid directory
-- 
2.11.0


* [PATCH 3.12 231/235] x86/apic: Order irq_enter/exit() calls correctly vs. ack_APIC_irq()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (229 preceding siblings ...)
  2017-01-27 10:56 ` [PATCH 3.12 230/235] move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon) Jiri Slaby
@ 2017-01-27 10:56 ` Jiri Slaby
  2017-01-27 10:56 ` [PATCH 3.12 232/235] serial: 8250_pci: Detach low-level driver during PCI error recovery Jiri Slaby
                   ` (5 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:56 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Wanpeng Li, Peter Zijlstra, Thomas Gleixner, Jiri Slaby

From: Wanpeng Li <wanpeng.li@hotmail.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit b0f48706a176b71a6e54f399d7404bbeeaa7cfab upstream.

===============================
[ INFO: suspicious RCU usage. ]
4.8.0-rc6+ #5 Not tainted
-------------------------------
./arch/x86/include/asm/msr-trace.h:47 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

RCU used illegally from idle CPU!
rcu_scheduler_active = 1, debug_locks = 0
RCU used illegally from extended quiescent state!
no locks held by swapper/2/0.

stack backtrace:
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.8.0-rc6+ #5
Hardware name: Dell Inc. OptiPlex 7020/0F5C5X, BIOS A03 01/08/2015
 0000000000000000 ffff8d1bd6003f10 ffffffff94446949 ffff8d1bd4a68000
 0000000000000001 ffff8d1bd6003f40 ffffffff940e9247 ffff8d1bbdfcf3d0
 000000000000080b 0000000000000000 0000000000000000 ffff8d1bd6003f70
Call Trace:
 <IRQ>  [<ffffffff94446949>] dump_stack+0x99/0xd0
 [<ffffffff940e9247>] lockdep_rcu_suspicious+0xe7/0x120
 [<ffffffff9448e0d5>] do_trace_write_msr+0x135/0x140
 [<ffffffff9406e750>] native_write_msr+0x20/0x30
 [<ffffffff9406503d>] native_apic_msr_eoi_write+0x1d/0x30
 [<ffffffff9405b17e>] smp_trace_call_function_interrupt+0x1e/0x270
 [<ffffffff948cb1d6>] trace_call_function_interrupt+0x96/0xa0
 <EOI>  [<ffffffff947200f4>] ? cpuidle_enter_state+0xe4/0x360
 [<ffffffff947200df>] ? cpuidle_enter_state+0xcf/0x360
 [<ffffffff947203a7>] cpuidle_enter+0x17/0x20
 [<ffffffff940df008>] cpu_startup_entry+0x338/0x4d0
 [<ffffffff9405bfc4>] start_secondary+0x154/0x180

This can be reproduced readily by running ftrace test case of kselftest.

Move the irq_enter() call before ack_APIC_irq(), because irq_enter() tells
the RCU subsystems to end the extended quiescent state, so that the
following trace call in ack_APIC_irq() works correctly. The same applies to
exiting_ack_irq() which calls ack_APIC_irq() after irq_exit().

[ tglx: Massaged changelog ]

Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Link: http://lkml.kernel.org/r/1474198491-3738-1-git-send-email-wanpeng.li@hotmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/x86/include/asm/apic.h | 3 +--
 arch/x86/kernel/smp.c       | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
index 29559831c94f..43849c3d6275 100644
--- a/arch/x86/include/asm/apic.h
+++ b/arch/x86/include/asm/apic.h
@@ -710,9 +710,8 @@ static inline void exiting_irq(void)
 
 static inline void exiting_ack_irq(void)
 {
-	irq_exit();
-	/* Ack only at the end to avoid potential reentry */
 	ack_APIC_irq();
+	irq_exit();
 }
 
 extern void ioapic_zap_locks(void);
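Review bot: The reentry concern recorded in the deleted comment "Ack only at
the end to avoid potential reentry" is not addressed anywhere: in
exiting_ack_irq() the ack now runs before irq_exit(), and the changelog only
discusses RCU's extended quiescent state. Please either explain in the
changelog why reentry is no longer a problem, or replace the comment with
one stating that the ack must run before irq_exit() so that its trace call
happens while RCU is watching.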
diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
index 7c3a5a61f2e4..e5d895fa1fe0 100644
--- a/arch/x86/kernel/smp.c
+++ b/arch/x86/kernel/smp.c
@@ -267,8 +267,8 @@ __visible void smp_reschedule_interrupt(struct pt_regs *regs)
 
 static inline void smp_entering_irq(void)
 {
-	ack_APIC_irq();
 	irq_enter();
+	ack_APIC_irq();
 }
 
 __visible void smp_trace_reschedule_interrupt(struct pt_regs *regs)
-- 
2.11.0


* [PATCH 3.12 232/235] serial: 8250_pci: Detach low-level driver during PCI error recovery
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (230 preceding siblings ...)
  2017-01-27 10:56 ` [PATCH 3.12 231/235] x86/apic: Order irq_enter/exit() calls correctly vs. ack_APIC_irq() Jiri Slaby
@ 2017-01-27 10:56 ` Jiri Slaby
  2017-01-27 10:56 ` [PATCH 3.12 233/235] bnx2x: Correct ringparam estimate when DOWN Jiri Slaby
                   ` (4 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:56 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Gabriel Krisman Bertazi, Greg Kroah-Hartman, Jiri Slaby

From: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit f209fa03fc9d131b3108c2e4936181eabab87416 upstream.

During a PCI error recovery, like the ones provoked by EEH in the ppc64
platform, all IO to the device must be blocked while the recovery is
completed.  Current 8250_pci implementation only suspends the port
instead of detaching it, which doesn't prevent incoming accesses like
TIOCMGET and TIOCMSET calls from reaching the device.  Those end up
racing with the EEH recovery, crashing it.  Similar races were also
observed when opening the device and when shutting it down during
recovery.

This patch implements a more robust IO blockage for the 8250_pci
recovery by unregistering the port at the beginning of the procedure and
re-adding it afterwards.  Since the port is detached from the uart
layer, we can be sure that no request will make it through to the device
during recovery.  This is similar to the solution used by the JSM serial
driver.

I thank Peter Hurley <peter@hurleysoftware.com> for valuable input on
this one over one year ago.

Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/tty/serial/8250/8250_pci.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
index 3299168189cc..e93eaea14ccc 100644
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -55,6 +55,7 @@ struct serial_private {
 	unsigned int		nr;
 	void __iomem		*remapped_bar[PCI_NUM_BAR_RESOURCES];
 	struct pci_serial_quirk	*quirk;
+	const struct pciserial_board *board;
 	int			line[0];
 };
 
@@ -3451,6 +3452,7 @@ pciserial_init_ports(struct pci_dev *dev, const struct pciserial_board *board)
 		}
 	}
 	priv->nr = i;
+	priv->board = board;
 	return priv;
 
 err_deinit:
@@ -3461,7 +3463,7 @@ err_out:
 }
 EXPORT_SYMBOL_GPL(pciserial_init_ports);
 
-void pciserial_remove_ports(struct serial_private *priv)
+void pciserial_detach_ports(struct serial_private *priv)
 {
 	struct pci_serial_quirk *quirk;
 	int i;
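Review bot: pciserial_detach_ports() is defined without "static" and, unlike
pciserial_remove_ports(), gets no EXPORT_SYMBOL_GPL. Every caller added by
this patch is in 8250_pci.c, so it should be static unless a prototype and
an export are added for other users.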
@@ -3481,7 +3483,11 @@ void pciserial_remove_ports(struct serial_private *priv)
 	quirk = find_quirk(priv->dev);
 	if (quirk->exit)
 		quirk->exit(priv->dev);
+}
 
+void pciserial_remove_ports(struct serial_private *priv)
+{
+	pciserial_detach_ports(priv);
 	kfree(priv);
 }
 EXPORT_SYMBOL_GPL(pciserial_remove_ports);
@@ -5039,7 +5045,7 @@ static pci_ers_result_t serial8250_io_error_detected(struct pci_dev *dev,
 		return PCI_ERS_RESULT_DISCONNECT;
 
 	if (priv)
-		pciserial_suspend_ports(priv);
+		pciserial_detach_ports(priv);
 
 	pci_disable_device(dev);
 
@@ -5064,9 +5070,18 @@ static pci_ers_result_t serial8250_io_slot_reset(struct pci_dev *dev)
 static void serial8250_io_resume(struct pci_dev *dev)
 {
 	struct serial_private *priv = pci_get_drvdata(dev);
+	const struct pciserial_board *board;
 
-	if (priv)
-		pciserial_resume_ports(priv);
+	if (!priv)
+		return;
+
+	board = priv->board;
+	kfree(priv);
+	priv = pciserial_init_ports(dev, board);
+
+	if (!IS_ERR(priv)) {
+		pci_set_drvdata(dev, priv);
+	}
 }
 
 static const struct pci_error_handlers serial8250_err_handler = {
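Review bot: When pciserial_init_ports() fails in serial8250_io_resume(), the
drvdata of dev still holds the old priv pointer that was just passed to
kfree(), so any later pci_get_drvdata() user would operate on freed memory.
Call pci_set_drvdata(dev, NULL) on the IS_ERR() path (or before the kfree())
and log the failure. The braces around the single pci_set_drvdata()
statement can also go.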
-- 
2.11.0


* [PATCH 3.12 233/235] bnx2x: Correct ringparam estimate when DOWN
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (231 preceding siblings ...)
  2017-01-27 10:56 ` [PATCH 3.12 232/235] serial: 8250_pci: Detach low-level driver during PCI error recovery Jiri Slaby
@ 2017-01-27 10:56 ` Jiri Slaby
  2017-01-27 10:56 ` [PATCH 3.12 234/235] ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed() Jiri Slaby
                   ` (3 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:56 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Mintz, Yuval, David S . Miller, Jiri Slaby

From: "Mintz, Yuval" <Yuval.Mintz@cavium.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 65870fa77fd7f83d7be4ed924d47ed9e3831f434 upstream.

Until interface is up [and assuming ringparams weren't explicitly
configured] when queried for the size of its rings bnx2x would
claim they're the maximal size by default.
That is incorrect as by default the maximal number of buffers would
be equally divided between the various rx rings.

This prevents the user from actually setting the number of elements
on each rx ring to be of maximal size prior to transitioning the
interface into up state.

To fix this, make a rough estimation about the number of buffers.
It wouldn't always be accurate, but it would be much better than
current estimation and would allow users to increase number of
buffers during early initialization of the interface.

Reported-by: Seymour, Shane <shane.seymour@hpe.com>
Signed-off-by: Yuval Mintz <Yuval.Mintz@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
index 97fe8e6dba79..5ef133a5a48b 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
@@ -1776,8 +1776,16 @@ static void bnx2x_get_ringparam(struct net_device *dev,
 
 	ering->rx_max_pending = MAX_RX_AVAIL;
 
+	/* If size isn't already set, we give an estimation of the number
+	 * of buffers we'll have. We're neglecting some possible conditions
+	 * [we couldn't know for certain at this point if number of queues
+	 * might shrink] but the number would be correct for the likely
+	 * scenario.
+	 */
 	if (bp->rx_ring_size)
 		ering->rx_pending = bp->rx_ring_size;
+	else if (BNX2X_NUM_RX_QUEUES(bp))
+		ering->rx_pending = MAX_RX_AVAIL / BNX2X_NUM_RX_QUEUES(bp);
 	else
 		ering->rx_pending = MAX_RX_AVAIL;
 
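Review bot: the new `else if` branch in bnx2x_get_ringparam() evaluates BNX2X_NUM_RX_QUEUES(bp) twice and also serves as the divide-by-zero guard, which the added comment does not mention. Reading the count into a local once, and noting in the comment that a zero queue count falls through to MAX_RX_AVAIL, would make the intent explicit. The integer division truncates, so the reported rx_pending can be slightly below an even share; the comment already calls the figure an estimate, which covers that.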
-- 
2.11.0


* [PATCH 3.12 234/235] ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed()
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (232 preceding siblings ...)
  2017-01-27 10:56 ` [PATCH 3.12 233/235] bnx2x: Correct ringparam estimate when DOWN Jiri Slaby
@ 2017-01-27 10:56 ` Jiri Slaby
  2017-01-27 10:56 ` [PATCH 3.12 235/235] tmpfs: clear S_ISGID when setting posix ACLs Jiri Slaby
                   ` (2 subsequent siblings)
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:56 UTC (permalink / raw)
  To: stable
  Cc: linux-kernel, Tariq Saeed, Joel Becker, Joseph Qi, Andrew Morton,
	Linus Torvalds, Jiri Slaby

From: Tariq Saeed <tariq.x.saeed@oracle.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 3d46a44a0c01b15d385ccaae24b56f619613c256 upstream.

PID: 614    TASK: ffff882a739da580  CPU: 3   COMMAND: "ocfs2dc"
  #0 [ffff882ecc3759b0] machine_kexec at ffffffff8103b35d
  #1 [ffff882ecc375a20] crash_kexec at ffffffff810b95b5
  #2 [ffff882ecc375af0] oops_end at ffffffff815091d8
  #3 [ffff882ecc375b20] die at ffffffff8101868b
  #4 [ffff882ecc375b50] do_trap at ffffffff81508bb0
  #5 [ffff882ecc375ba0] do_invalid_op at ffffffff810165e5
  #6 [ffff882ecc375c40] invalid_op at ffffffff815116fb
     [exception RIP: ocfs2_ci_checkpointed+208]
     RIP: ffffffffa0a7e940  RSP: ffff882ecc375cf0  RFLAGS: 00010002
     RAX: 0000000000000001  RBX: 000000000000654b  RCX: ffff8812dc83f1f8
     RDX: 00000000000017d9  RSI: ffff8812dc83f1f8  RDI: ffffffffa0b2c318
     RBP: ffff882ecc375d20   R8: ffff882ef6ecfa60   R9: ffff88301f272200
     R10: 0000000000000000  R11: 0000000000000000  R12: ffffffffffffffff
     R13: ffff8812dc83f4f0  R14: 0000000000000000  R15: ffff8812dc83f1f8
     ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
  #7 [ffff882ecc375d28] ocfs2_check_meta_downconvert at ffffffffa0a7edbd [ocfs2]
  #8 [ffff882ecc375d38] ocfs2_unblock_lock at ffffffffa0a84af8 [ocfs2]
  #9 [ffff882ecc375dc8] ocfs2_process_blocked_lock at ffffffffa0a85285 [ocfs2]
assert is tripped because the tran is not checkpointed and the lock level is PR.

Some time ago, chmod command had been executed. As a result, the following call
chain left the inode cluster lock in PR state, later on causing the assert.
system_call_fastpath
  -> my_chmod
   -> sys_chmod
    -> sys_fchmodat
     -> notify_change
      -> ocfs2_setattr
       -> posix_acl_chmod
        -> ocfs2_iop_set_acl
         -> ocfs2_set_acl
          -> ocfs2_acl_set_mode
Here is how.
1119 int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
1120 {
1247         ocfs2_inode_unlock(inode, 1); <<< WRONG thing to do.
..
1258         if (!status && attr->ia_valid & ATTR_MODE) {
1259                 status =  posix_acl_chmod(inode, inode->i_mode);

519 posix_acl_chmod(struct inode *inode, umode_t mode)
520 {
..
539         ret = inode->i_op->set_acl(inode, acl, ACL_TYPE_ACCESS);

287 int ocfs2_iop_set_acl(struct inode *inode, struct posix_acl *acl, ...
288 {
289         return ocfs2_set_acl(NULL, inode, NULL, type, acl, NULL, NULL);

224 int ocfs2_set_acl(handle_t *handle,
225                          struct inode *inode, ...
231 {
..
252                                 ret = ocfs2_acl_set_mode(inode, di_bh,
253                                                          handle, mode);

168 static int ocfs2_acl_set_mode(struct inode *inode, struct buffer_head ...
170 {
183         if (handle == NULL) {
                    >>> BUG: inode lock not held in ex at this point <<<
184                 handle = ocfs2_start_trans(OCFS2_SB(inode->i_sb),
185                                            OCFS2_INODE_UPDATE_CREDITS);

ocfs2_setattr.#1247 we unlock and at #1259 call posix_acl_chmod. When we reach
ocfs2_acl_set_mode.#181 and do trans, the inode cluster lock is not held in EX
mode (it should be). How could this have happened?

We are the lock master, were holding lock EX and have released it in
ocfs2_setattr.#1247.  Note that there are no holders of this lock at
this point.  Another node needs the lock in PR, and we downconvert from
EX to PR.  So the inode lock is PR when we do the trans in
ocfs2_acl_set_mode.#184.  The trans stays in core (not flushed to disc).
Now another node wants the lock in EX, downconvert thread gets kicked
(the one that tripped assert above), finds an unflushed trans but the
lock is not EX (it is PR).  If the lock was at EX, it would have flushed
the trans ocfs2_ci_checkpointed -> ocfs2_start_checkpoint before
downconverting (to NULL) for the request.

ocfs2_setattr must not drop inode lock ex in this code path.  If it
does, takes it again before the trans, say in ocfs2_set_acl, another
cluster node can get in between, execute another setattr, overwriting
the one in progress on this node, resulting in a mode acl size combo
that is a mix of the two.

Orabug: 20189959
Signed-off-by: Tariq Saeed <tariq.x.saeed@oracle.com>
Reviewed-by: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Joseph Qi <joseph.qi@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/ocfs2/file.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
index 54ba0afacf00..7201b56e8f2c 100644
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1100,6 +1100,7 @@ out:
 int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
 {
 	int status = 0, size_change;
+	int inode_locked = 0;
 	struct inode *inode = dentry->d_inode;
 	struct super_block *sb = inode->i_sb;
 	struct ocfs2_super *osb = OCFS2_SB(sb);
@@ -1145,6 +1146,7 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
 			mlog_errno(status);
 		goto bail_unlock_rw;
 	}
+	inode_locked = 1;
 
 	if (size_change && attr->ia_size != i_size_read(inode)) {
 		status = inode_newsize_ok(inode, attr->ia_size);
@@ -1225,7 +1227,10 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
 bail_commit:
 	ocfs2_commit_trans(osb, handle);
 bail_unlock:
-	ocfs2_inode_unlock(inode, 1);
+	if (status) {
+		ocfs2_inode_unlock(inode, 1);
+		inode_locked = 0;
+	}
 bail_unlock_rw:
 	if (size_change)
 		ocfs2_rw_unlock(inode, 1);
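Review bot: at bail_unlock, the success path now skips ocfs2_inode_unlock() and carries the cluster lock past ocfs2_rw_unlock() to the unlock added near the end of the function, so the two locks are released in a different order on success than on failure. That is the point of the fix, but nothing in the code says so; a comment at `if (status)` explaining that the EX lock is deliberately held until after the ACL mode update would keep a later cleanup from collapsing it back into an unconditional unlock. It is also worth noting there that inode_locked, not status, guards the final unlock because status is reassigned by posix_acl_chmod() in between.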
@@ -1241,6 +1246,8 @@ bail:
 		if (status < 0)
 			mlog_errno(status);
 	}
+	if (inode_locked)
+		ocfs2_inode_unlock(inode, 1);
 
 	return status;
 }
-- 
2.11.0


* [PATCH 3.12 235/235] tmpfs: clear S_ISGID when setting posix ACLs
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (233 preceding siblings ...)
  2017-01-27 10:56 ` [PATCH 3.12 234/235] ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed() Jiri Slaby
@ 2017-01-27 10:56 ` Jiri Slaby
  2017-01-27 15:51 ` [PATCH 3.12 000/235] 3.12.70-stable review Shuah Khan
  2017-01-27 17:23 ` Guenter Roeck
  236 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 10:56 UTC (permalink / raw)
  To: stable; +Cc: linux-kernel, Gu Zheng, Al Viro, Jan Kara, Jiri Slaby

From: Gu Zheng <guzheng1@huawei.com>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 497de07d89c1410d76a15bec2bb41f24a2a89f31 upstream.

The tmpfs modification was missed in the CVE-2016-7097
commit 073931017b49 ("posix_acl: Clear SGID bit when setting
file permissions").
It can be tested by xfstest generic/375, which failed to clear
the setgid bit in the following test case on tmpfs:

  touch $testfile
  chown 100:100 $testfile
  chmod 2755 $testfile
  _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile

Signed-off-by: Gu Zheng <guzheng1@huawei.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/generic_acl.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/fs/generic_acl.c b/fs/generic_acl.c
index b3f3676796d3..7855cfb938f6 100644
--- a/fs/generic_acl.c
+++ b/fs/generic_acl.c
@@ -82,19 +82,21 @@ generic_acl_set(struct dentry *dentry, const char *name, const void *value,
 			return PTR_ERR(acl);
 	}
 	if (acl) {
+		struct posix_acl *old_acl;
+
 		error = posix_acl_valid(acl);
 		if (error)
 			goto failed;
 		switch (type) {
 		case ACL_TYPE_ACCESS:
-			error = posix_acl_equiv_mode(acl, &inode->i_mode);
+			old_acl = acl;
+			error = posix_acl_update_mode(inode, &inode->i_mode,
+						      &acl);
 			if (error < 0)
 				goto failed;
+			if (!acl)
+				posix_acl_release(old_acl);
 			inode->i_ctime = CURRENT_TIME;
-			if (error == 0) {
-				posix_acl_release(acl);
-				acl = NULL;
-			}
 			break;
 		case ACL_TYPE_DEFAULT:
 			if (!S_ISDIR(inode->i_mode)) {
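Review bot: in the ACL_TYPE_ACCESS case, `if (!acl) posix_acl_release(old_acl);` depends on posix_acl_update_mode() setting *acl to NULL without dropping the caller's reference, and that ownership rule is not stated anywhere in the hunk. A one-line comment would help, since the removed code made the release explicit next to `acl = NULL`. old_acl is also declared for the whole `if (acl)` block but assigned and used only in this case; declaring it inside the case, or initialising it, avoids leaving an uninitialised pointer in scope for ACL_TYPE_DEFAULT.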
-- 
2.11.0


* Re: [PATCH 3.12 000/235] 3.12.70-stable review
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (234 preceding siblings ...)
  2017-01-27 10:56 ` [PATCH 3.12 235/235] tmpfs: clear S_ISGID when setting posix ACLs Jiri Slaby
@ 2017-01-27 15:51 ` Shuah Khan
  2017-02-02 13:13   ` Jiri Slaby
  2017-01-27 17:23 ` Guenter Roeck
  236 siblings, 1 reply; 244+ messages in thread
From: Shuah Khan @ 2017-01-27 15:51 UTC (permalink / raw)
  To: Jiri Slaby, stable; +Cc: linux, linux-kernel, Shuah Khan

On 01/27/2017 03:55 AM, Jiri Slaby wrote:
> This is the start of the stable review cycle for the 3.12.70 release.
> There are 235 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue Jan 31 11:52:54 CET 2017.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	http://kernel.org/pub/linux/kernel/people/jirislaby/stable-review/patch-3.12.70-rc1.xz
> and the diffstat can be found below.
> 
> thanks,
> js
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah


* Re: [PATCH 3.12 000/235] 3.12.70-stable review
  2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
                   ` (235 preceding siblings ...)
  2017-01-27 15:51 ` [PATCH 3.12 000/235] 3.12.70-stable review Shuah Khan
@ 2017-01-27 17:23 ` Guenter Roeck
  2017-01-27 19:04   ` Jiri Slaby
  236 siblings, 1 reply; 244+ messages in thread
From: Guenter Roeck @ 2017-01-27 17:23 UTC (permalink / raw)
  To: Jiri Slaby; +Cc: stable, shuahkh, linux-kernel

Hi Jiri,

On Fri, Jan 27, 2017 at 11:55:00AM +0100, Jiri Slaby wrote:
> This is the start of the stable review cycle for the 3.12.70 release.
> There are 235 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue Jan 31 11:52:54 CET 2017.
> Anything received after that time might be too late.
> 

Looks like something slipped in last minute.

Build results:
	total: 128 pass: 115 fail: 13
Failed builds:
	alpha:allmodconfig
	arm:allmodconfig
	arm64:allmodconfig
	i386:allyesconfig
	i386:allmodconfig
	m68k:allmodconfig
	mips:allmodconfig
	powerpc:allmodconfig
	s390:allmodconfig
	sparc64:allmodconfig
	x86_64:allyesconfig
	x86_64:allmodconfig
	xtensa:allmodconfig

security/apparmor/lsm.c: In function 'apparmor_setprocattr':
security/apparmor/lsm.c:565:29: error: 'largs' undeclared

Guenter


* Re: [PATCH 3.12 000/235] 3.12.70-stable review
  2017-01-27 17:23 ` Guenter Roeck
@ 2017-01-27 19:04   ` Jiri Slaby
  2017-01-27 20:53     ` Guenter Roeck
  0 siblings, 1 reply; 244+ messages in thread
From: Jiri Slaby @ 2017-01-27 19:04 UTC (permalink / raw)
  To: Guenter Roeck; +Cc: stable, shuahkh, linux-kernel

On 01/27/2017, 06:23 PM, Guenter Roeck wrote:
> Hi Jiri,
> 
> On Fri, Jan 27, 2017 at 11:55:00AM +0100, Jiri Slaby wrote:
>> This is the start of the stable review cycle for the 3.12.70 release.
>> There are 235 patches in this series, all will be posted as a response
>> to this one.  If anyone has any issues with these being applied, please
>> let me know.
>>
>> Responses should be made by Tue Jan 31 11:52:54 CET 2017.
>> Anything received after that time might be too late.
>>
> 
> Looks like something slipped in last minute.
> 
> Build results:
> 	total: 128 pass: 115 fail: 13
> Failed builds:
> 	alpha:allmodconfig
> 	arm:allmodconfig
> 	arm64:allmodconfig
> 	i386:allyesconfig
> 	i386:allmodconfig
> 	m68k:allmodconfig
> 	mips:allmodconfig
> 	powerpc:allmodconfig
> 	s390:allmodconfig
> 	sparc64:allmodconfig
> 	x86_64:allyesconfig
> 	x86_64:allmodconfig
> 	xtensa:allmodconfig
> 
> security/apparmor/lsm.c: In function 'apparmor_setprocattr':
> security/apparmor/lsm.c:565:29: error: 'largs' undeclared

Yes, I dropped one apparmor patch and it broke a later patch. I dropped
it 2 hours ago too, so what is building now on the machines should be
fine, hopefully.

thanks,
-- 
js
suse labs


* Re: [PATCH 3.12 000/235] 3.12.70-stable review
  2017-01-27 19:04   ` Jiri Slaby
@ 2017-01-27 20:53     ` Guenter Roeck
  0 siblings, 0 replies; 244+ messages in thread
From: Guenter Roeck @ 2017-01-27 20:53 UTC (permalink / raw)
  To: Jiri Slaby; +Cc: stable, shuahkh, linux-kernel

On Fri, Jan 27, 2017 at 08:04:20PM +0100, Jiri Slaby wrote:
> On 01/27/2017, 06:23 PM, Guenter Roeck wrote:
> > Hi Jiri,
> > 
> > On Fri, Jan 27, 2017 at 11:55:00AM +0100, Jiri Slaby wrote:
> >> This is the start of the stable review cycle for the 3.12.70 release.
> >> There are 235 patches in this series, all will be posted as a response
> >> to this one.  If anyone has any issues with these being applied, please
> >> let me know.
> >>
> >> Responses should be made by Tue Jan 31 11:52:54 CET 2017.
> >> Anything received after that time might be too late.
> >>
> > 
> > Looks like something slipped in last minute.
> > 
> > Build results:
> > 	total: 128 pass: 115 fail: 13
> > Failed builds:
> > 	alpha:allmodconfig
> > 	arm:allmodconfig
> > 	arm64:allmodconfig
> > 	i386:allyesconfig
> > 	i386:allmodconfig
> > 	m68k:allmodconfig
> > 	mips:allmodconfig
> > 	powerpc:allmodconfig
> > 	s390:allmodconfig
> > 	sparc64:allmodconfig
> > 	x86_64:allyesconfig
> > 	x86_64:allmodconfig
> > 	xtensa:allmodconfig
> > 
> > security/apparmor/lsm.c: In function 'apparmor_setprocattr':
> > security/apparmor/lsm.c:565:29: error: 'largs' undeclared
> 
> Yes, I dropped one apparmor patch and it broke a later patch. I dropped
> it 2 hours ago too, so what is building now on the machines should be
> fine, hopefully.
> 
Confirmed; the latest build (v3.12.69-234-gd7f41d3 ) is clean with no failures.

Thanks,
Guenter


* Re: [PATCH 3.12 000/235] 3.12.70-stable review
  2017-01-27 15:51 ` [PATCH 3.12 000/235] 3.12.70-stable review Shuah Khan
@ 2017-02-02 13:13   ` Jiri Slaby
  0 siblings, 0 replies; 244+ messages in thread
From: Jiri Slaby @ 2017-02-02 13:13 UTC (permalink / raw)
  To: Shuah Khan, stable, linux; +Cc: linux-kernel

On 01/27/2017, 04:51 PM, Shuah Khan wrote:
> On 01/27/2017 03:55 AM, Jiri Slaby wrote:
>> This is the start of the stable review cycle for the 3.12.70 release.
>> There are 235 patches in this series, all will be posted as a response
>> to this one.  If anyone has any issues with these being applied, please
>> let me know.
>>
>> Responses should be made by Tue Jan 31 11:52:54 CET 2017.
>> Anything received after that time might be too late.
>>
>> The whole patch series can be found in one patch at:
>> 	http://kernel.org/pub/linux/kernel/people/jirislaby/stable-review/patch-3.12.70-rc1.xz
>> and the diffstat can be found below.
>>
>> thanks,
>> js
>>
> 
> Compiled and booted on my test system. No dmesg regressions.

On 01/27/2017, 09:53 PM, Guenter Roeck wrote:
> Confirmed; the latest build (v3.12.69-234-gd7f41d3 ) is clean with no failures.

Thank you both!


-- 
js
suse labs

^ permalink raw reply	[flat|nested] 244+ messages in thread

end of thread, other threads:[~2017-02-02 13:13 UTC | newest]

Thread overview: 244+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-27 10:55 [PATCH 3.12 000/235] 3.12.70-stable review Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 001/235] driver core: Delete an unnecessary check before the function call "put_device" Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 002/235] driver core: fix race between creating/querying glue dir and its cleanup Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 003/235] ext4: fix data exposure after a crash Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 004/235] locking/rtmutex: Prevent dequeue vs. unlock race Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 005/235] locking/rtmutex: Use READ_ONCE() in rt_mutex_owner() Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 006/235] perf/x86: Fix full width counter, counter overflow Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 007/235] can: raw: raw_setsockopt: limit number of can_filter that can be set Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 008/235] can: peak: fix bad memory access and free sequence Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 009/235] m68k: Fix ndelay() macro Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 010/235] hotplug: Make register and unregister notifier API symmetric Jiri Slaby
2017-01-27 10:52   ` Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 011/235] Revert "Btrfs: don't delay inode ref updates during log, replay" Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 012/235] Btrfs: fix tree search logic when replaying directory entry deletes Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 013/235] USB: serial: option: add support for Telit LE922A PIDs 0x1040, 0x1041 Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 014/235] USB: serial: option: add dlink dwm-158 Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 015/235] USB: serial: kl5kusb105: fix open error path Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 016/235] USB: cdc-acm: add device id for GW Instek AFG-125 Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 017/235] usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 018/235] usb: gadget: composite: correctly initialize ep->maxpacket Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 019/235] USB: UHCI: report non-PME wakeup signalling for Intel hardware Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 020/235] ALSA: usb-audio: Add QuickCam Communicate Deluxe/S7500 to volume_control_quirks Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 021/235] ALSA: hiface: Fix M2Tech hiFace driver sampling rate change Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 022/235] ALSA: hda - Gate the mic jack on HP Z1 Gen3 AiO Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 023/235] Btrfs: fix memory leak in reading btree blocks Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 024/235] block_dev: don't test bdev->bd_contains when it is not stable Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 025/235] crypto: caam - fix AEAD givenc descriptors Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 026/235] ext4: fix mballoc breakage with 64k block size Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 027/235] ext4: fix stack memory corruption " Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 028/235] ext4: use more strict checks for inodes_per_block on mount Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 029/235] ext4: fix in-superblock mount options processing Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 030/235] ext4: add sanity checking to count_overhead() Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 031/235] ext4: reject inodes with negative size Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 032/235] ext4: return -ENOMEM instead of success Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 033/235] f2fs: set ->owner for debugfs status file's file_operations Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 034/235] mm/vmscan.c: set correct defer count for shrinker Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 035/235] fs: exec: apply CLOEXEC before changing dumpable task flags Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 036/235] dm crypt: mark key as invalid until properly loaded Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 037/235] dm space map metadata: fix 'struct sm_metadata' leak on failed create Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 038/235] CIFS: Fix a possible memory corruption during reconnect Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 039/235] CIFS: Fix missing nls unload in smb2_reconnect() Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 040/235] CIFS: Fix a possible memory corruption in push locks Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 041/235] xen/gntdev: Use VM_MIXEDMAP instead of VM_IO to avoid NUMA balancing Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 042/235] arm/xen: Use alloc_percpu rather than __alloc_percpu Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 043/235] xfs: set AGI buffer type in xlog_recover_clear_agi_bucket Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 044/235] ssb: Fix error routine when fallback SPROM fails Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 045/235] thermal: hwmon: Properly report critical temperature in sysfs Jiri Slaby
2017-01-27 10:52 ` [PATCH 3.12 046/235] drm/radeon: add additional pci revision to dpm workaround Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 047/235] drm/gma500: Add compat ioctl Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 048/235] drivers/gpu/drm/ast: Fix infinite loop if read fails Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 049/235] block: protect iterate_bdevs() against concurrent close Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 050/235] scsi: zfcp: fix use-after-"free" in FC ingress path after TMF Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 051/235] scsi: zfcp: do not trace pure benign residual HBA responses at default level Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 052/235] scsi: zfcp: fix rport unblock race with LUN recovery Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 053/235] scsi: avoid a permanent stop of the scsi device's request queue Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 054/235] s390/vmlogrdr: fix IUCV buffer allocation Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 055/235] md/raid5: limit request size according to implementation limits Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 056/235] kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF) Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 057/235] ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short jumps to it Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 058/235] IB/mad: Fix an array index check Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 059/235] IB/multicast: Check ib_find_pkey() return value Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 060/235] PCI: Check for PME in targeted sleep state Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 061/235] libceph: verify authorize reply on connect Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 062/235] nfs_write_end(): fix handling of short copies Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 063/235] powerpc/ps3: Fix system hang with GCC 5 builds Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 064/235] powerpc: Convert cmp to cmpd in idle enter sequence Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 065/235] kconfig/nconf: Fix hang when editing symbol with a long prompt Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 066/235] sg_write()/bsg_write() is not fit to be called under KERNEL_DS Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 067/235] ftrace/x86: Set ftrace_stub to weak to prevent gcc from using short jumps to it Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 068/235] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Broxton-M platforms Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 069/235] usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 070/235] usb: dwc3: pci: Add PCI ID for Intel Braswell Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 071/235] usb: dwc3: pci: add support for Intel Sunrise Point PCH Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 072/235] usb: dwc3: pci: add support for Intel Broxton SOC Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 073/235] usb: dwc3: pci: add ID for one more Intel Broxton platform Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 074/235] usb: dwc3: pci: add Intel Kabylake PCI ID Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 075/235] ALSA: hda - Fix up GPIO for ASUS ROG Ranger Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 076/235] ALSA: hda - Apply asus-mode8 fixup to ASUS X71SL Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 077/235] ARM: davinci: da850: don't add emac clock to lookup table twice Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 078/235] usb: gadgetfs: restrict upper bound on device configuration size Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 079/235] USB: gadgetfs: fix unbounded memory allocation bug Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 080/235] USB: gadgetfs: fix use-after-free bug Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 081/235] USB: gadgetfs: fix checks of wTotalLength in config descriptors Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 082/235] USB: fix problems with duplicate endpoint addresses Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 083/235] USB: dummy-hcd: fix bug in stop_activity (handle ep0) Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 084/235] usb: gadget: composite: Test get_alt() presence instead of set_alt() Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 085/235] xhci: workaround for hosts missing CAS bit Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 086/235] usb: xhci: apply XHCI_PME_STUCK_QUIRK to Intel Apollo Lake Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 087/235] xhci: free xhci virtual devices with leaf nodes first Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 088/235] USB: serial: omninet: fix NULL-derefs at open and disconnect Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 089/235] USB: serial: quatech2: fix sleep-while-atomic in close Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 090/235] USB: serial: pl2303: fix NULL-deref at open Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 091/235] USB: serial: keyspan_pda: verify endpoints at probe Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 092/235] USB: serial: spcp8x5: fix NULL-deref at open Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 093/235] USB: serial: io_ti: " Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 094/235] USB: serial: io_ti: fix another " Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 095/235] USB: serial: iuu_phoenix: fix " Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 096/235] USB: serial: garmin_gps: fix memory leak on failed URB submit Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 097/235] USB: serial: ti_usb_3410_5052: fix NULL-deref at open Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 098/235] USB: serial: io_edgeport: " Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 099/235] USB: serial: oti6858: " Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 100/235] USB: serial: cyberjack: " Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 101/235] USB: serial: kobil_sct: fix NULL-deref in write Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 102/235] USB: serial: mos7840: fix NULL-deref at open Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 103/235] USB: serial: mos7720: " Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 104/235] USB: serial: mos7720: fix use-after-free on probe errors Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 105/235] USB: serial: mos7720: fix parport " Jiri Slaby
2017-01-27 10:53 ` [PATCH 3.12 106/235] USB: serial: mos7720: fix parallel probe Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 107/235] usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 108/235] usb: dwc3: pci: add Intel Gemini Lake PCI ID Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 109/235] usb: musb: Fix trying to free already-free IRQ 4 Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 110/235] usb: hub: Move hub_port_disable() to fix warning if PM is disabled Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 111/235] ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 112/235] USB: serial: kl5kusb105: abort on open exception path Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 113/235] USB: phy: am335x-control: fix device and of_node leaks Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 114/235] USB: serial: io_ti: bind to interface after fw download Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 115/235] staging: iio: ad7606: fix improper setting of oversampling pins Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 116/235] usb: dwc3: gadget: always unmap EP0 requests Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 117/235] cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 118/235] hwmon: (ds620) Fix overflows seen when writing temperature limits Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 119/235] hwmon: (g762) Fix overflows and crash seen when writing limit attributes Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 120/235] clk: clk-wm831x: fix a logic error Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 121/235] iommu/amd: Fix the left value check of cmd buffer Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 122/235] scsi: mvsas: fix command_active typo Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 123/235] target/iscsi: Fix double free in lio_target_tiqn_addtpg() Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 124/235] mmc: mmc_test: Uninitialized return value Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 125/235] md: MD_RECOVERY_NEEDED is set for mddev->recovery Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 126/235] powerpc/pci/rpadlpar: Fix device reference leaks Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 127/235] cred/userns: define current_user_ns() as a function Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 128/235] net: ti: cpmac: Fix compiler warning due to type confusion Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 129/235] tick/broadcast: Prevent NULL pointer dereference Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 130/235] usb: gadget: composite: always set ep->mult to a sensible value Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 131/235] netvsc: reduce maximum GSO size Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 132/235] ser_gigaset: return -ENOMEM on error instead of success Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 133/235] ipv6: handle -EFAULT from skb_copy_bits Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 134/235] net, sched: fix soft lockup in tc_classify Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 135/235] net: stmmac: Fix race between stmmac_drv_probe and stmmac_open Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 136/235] drop_monitor: add missing call to genlmsg_end Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 137/235] drop_monitor: consider inserted data in genlmsg_end Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 138/235] igmp: Make igmp group member RFC 3376 compliant Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 139/235] gro: Enter slow-path if there is no tailroom Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 140/235] gro: use min_t() in skb_gro_reset_offset() Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 141/235] gro: Disable frag0 optimization on IPv6 ext headers Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 142/235] HID: hid-cypress: validate length of report Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 143/235] powerpc: Fix build warning on 32-bit PPC Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 144/235] mm/init: fix zone boundary creation Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 145/235] Input: xpad - use correct product id for x360w controllers Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 146/235] Input: i8042 - add Pegatron touchpad to noloop table Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 147/235] selftests: do not require bash to run netsocktests testcase Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 148/235] ocfs2: fix crash caused by stale lvb with fsdlm plugin Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 149/235] mm/hugetlb.c: fix reservation race when freeing surplus pages Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 150/235] KVM: x86: fix emulation of "MOV SS, null selector" Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 151/235] jump_labels: API for flushing deferred jump label updates Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 152/235] KVM: x86: flush pending lapic jump label updates on module unload Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 153/235] KVM: x86: Introduce segmented_write_std Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 154/235] USB: serial: kl5kusb105: fix line-state error handling Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 155/235] USB: serial: ch341: fix initial modem-control state Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 156/235] USB: serial: ch341: fix open error handling Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 157/235] USB: serial: ch341: fix control-message " Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 158/235] USB: serial: ch341: fix open and resume after B0 Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 159/235] i2c: fix kernel memory disclosure in dev interface Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 160/235] xhci: fix deadlock at host remove by running watchdog correctly Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 161/235] vme: Fix wrong pointer utilization in ca91cx42_slave_get Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 162/235] sysrq: attach sysrq handler correctly for 32-bit kernel Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 163/235] sysctl: Drop reference added by grab_header in proc_sys_readdir Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 164/235] drm/radeon: drop verde dpm quirks Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 165/235] USB: serial: ch341: fix resume after reset Jiri Slaby
2017-01-27 10:54 ` [PATCH 3.12 166/235] USB: serial: ch341: fix modem-control and B0 handling Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 167/235] x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 168/235] NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 169/235] powerpc/ibmebus: Fix further device reference leaks Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 170/235] powerpc/ibmebus: Fix device reference leaks in sysfs interface Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 171/235] pinctrl: sh-pfc: Do not unconditionally support PIN_CONFIG_BIAS_DISABLE Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 172/235] arm64: avoid returning from bad_mode Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 173/235] IB/mlx4: Set traffic class in AH Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 174/235] IB/mlx4: Fix port query for 56Gb Ethernet links Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 175/235] perf scripting: Avoid leaking the scripting_context variable Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 176/235] ARM: dts: imx31: fix clock control module interrupts description Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 177/235] ARM: dts: imx31: move CCM device node to AIPS2 bus devices Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 178/235] ARM: dts: imx31: fix AVIC base address Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 179/235] x86/PCI: Ignore _CRS on Supermicro X8DTH-i/6/iF/6F Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 180/235] svcrpc: don't leak contexts on PROC_DESTROY Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 181/235] mmc: mxs-mmc: Fix additional cycles after transmission stop Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 182/235] mtd: nand: xway: disable module support Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 183/235] qla2xxx: Fix crash due to null pointer access Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 184/235] ubifs: Fix journal replay wrt. xattr nodes Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 185/235] clockevents/drivers/exynos_mct: Remove unneeded container_of() Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 186/235] clocksource/exynos_mct: Clear interrupt when cpu is shut down Jiri Slaby
2017-01-27 10:55   ` Jiri Slaby
2017-01-27 10:55   ` Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 187/235] ARM: 8634/1: hw_breakpoint: blacklist Scorpion CPUs Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 188/235] ARM: dts: da850-evm: fix read access to SPI flash Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 189/235] arm64/ptrace: Preserve previous registers for short regset write Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 190/235] arm64/ptrace: Avoid uninitialised struct padding in fpr_set() Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 191/235] arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 192/235] ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 193/235] ite-cir: initialize use_demodulator before using it Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 194/235] posix_acl: Clear SGID bit when setting file permissions Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 195/235] NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 196/235] vmxnet3: Wake queue from reset work Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 197/235] fs/cifs: make share unaccessible at root level mountable Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 198/235] Fix memory leaks in cifs_do_mount() Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 199/235] Compare prepaths when comparing superblocks Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 200/235] Move check for prefix path to within cifs_get_root() Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 201/235] Fix regression which breaks DFS mounting Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 202/235] apparmor: fix refcount bug in profile replacement Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 203/235] apparmor: fix replacement bug that adds new child to old parent Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 204/235] apparmor: fix uninitialized lsm_audit member Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 205/235] apparmor: exec should not be returning ENOENT when it denies Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 206/235] apparmor: fix update the mtime of the profile file on replacement Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 207/235] apparmor: fix disconnected bind mnts reconnection Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 208/235] apparmor: internal paths should be treated as disconnected Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 209/235] apparmor: fix put() parent ref after updating the active ref Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 210/235] apparmor: fix log failures for all profiles in a set Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 211/235] apparmor: fix audit full profile hname on successful load Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 212/235] apparmor: ensure the target profile name is always audited Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 213/235] apparmor: check that xindex is in trans_table bounds Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 214/235] apparmor: fix refcount race when finding a child profile Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 215/235] apparmor: add missing id bounds check on dfa verification Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 216/235] apparmor: don't check for vmalloc_addr if kvzalloc() failed Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 217/235] apparmor: fix oops in profile_unpack() when policy_db is not present Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 218/235] apparmor: fix module parameters can be changed after policy is locked Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 219/235] apparmor: do not expose kernel stack Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 220/235] apparmor: fix oops, validate buffer size in apparmor_setprocattr() Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 221/235] apparmor: fix arg_size computation for when setprocattr is null terminated Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 222/235] vfio/pci: Fix integer overflows, bitmask check Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 223/235] bna: Add synchronization for tx ring Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 224/235] [media] xc2028: avoid use after free Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 225/235] [media] xc2028: unlock on error in xc2028_set_config() Jiri Slaby
2017-01-27 10:55 ` [PATCH 3.12 226/235] block: fix use-after-free in sys_ioprio_get() Jiri Slaby
2017-01-27 10:56 ` [PATCH 3.12 227/235] xc2028: Fix use-after-free bug properly Jiri Slaby
2017-01-27 10:56 ` [PATCH 3.12 228/235] sg: Fix double-free when drives detach during SG_IO Jiri Slaby
2017-01-27 10:56 ` [PATCH 3.12 229/235] fuse: do not use iocb after it may have been freed Jiri Slaby
2017-01-27 10:56 ` [PATCH 3.12 230/235] move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon) Jiri Slaby
2017-01-27 10:56 ` [PATCH 3.12 231/235] x86/apic: Order irq_enter/exit() calls correctly vs. ack_APIC_irq() Jiri Slaby
2017-01-27 10:56 ` [PATCH 3.12 232/235] serial: 8250_pci: Detach low-level driver during PCI error recovery Jiri Slaby
2017-01-27 10:56 ` [PATCH 3.12 233/235] bnx2x: Correct ringparam estimate when DOWN Jiri Slaby
2017-01-27 10:56 ` [PATCH 3.12 234/235] ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed() Jiri Slaby
2017-01-27 10:56 ` [PATCH 3.12 235/235] tmpfs: clear S_ISGID when setting posix ACLs Jiri Slaby
2017-01-27 15:51 ` [PATCH 3.12 000/235] 3.12.70-stable review Shuah Khan
2017-02-02 13:13   ` Jiri Slaby
2017-01-27 17:23 ` Guenter Roeck
2017-01-27 19:04   ` Jiri Slaby
2017-01-27 20:53     ` Guenter Roeck
